Welcome to Cyber Security Today. This is the Week in Review edition for Friday November 19th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Cyology Labs in Montreal, to discuss a couple of stories from the week. But first a quick look back at some of what happened in the last seven days:
The compromise of an FBI email server to send out 100,000 pieces of spam made headlines. Terry and I will discuss how it likely happened and how IT departments can prevent being victimized the same way.
We’ll also look into a report that the RAM in personal computers, servers and cellphones can be more easily compromised by hackers for data theft than has been thought.
And we’ll also look at a report that some ransomware groups are making so much money they are now bidding on million-dollar zero-day vulnerabilities.
Elsewhere, news emerged that the gang behind the Emotet malware and botnet is back. Its infrastructure was taken down in January by law enforcement agencies. But security researchers noted that the TrickBot botnet is now distributing emails with attachments laced with malware similar to Emotet. This is another example of how cybercrooks knocked out of business are able to rise again if they keep their code, or their knowledge of how to create malicious code.
The province of Newfoundland and Labrador continues dealing with the cyber attack on the healthcare system that started 20 days ago. Canadian privacy expert Ann Cavoukian told me it’s appalling that years of data was accessed by the attackers.
Meanwhile a health clinic in Ottawa is still trying to restore services after it was hit by a cyber attack last weekend.
Here’s an update on the data theft I reported last week from the Robinhood stock trading platform: A threat actor claiming to be the attacker has put the data up for sale on the dark web. That includes a list of 5 million email addresses and a list of 2 million email addresses with the users’ names. The attacker isn’t yet selling the more detailed data that was copied on 310 customers.
Another warning has been issued by government security agencies to IT departments about the dangers of not promptly applying security patches to products. The U.S., U.K. and Australia said an Iranian-backed group is exploiting vulnerabilities in certain Fortinet network devices and Microsoft Exchange. These vulnerabilities have been patched. In fact one dates back to 2018, another to 2019.
A warning has also gone out to WordPress administrators to better secure their systems. This comes after a cybersecurity company found a number of compromised sites suddenly displaying fake claims of a ransomware attack. How was it done? Somehow an attacker was able to break into the WordPress site and tamper with a plug-in called Directorist, which lets administrators build contact directories for their sites. It’s imperative that all WordPress administrators tighten security, including making sure their passwords are strong and protected with multifactor authentication. They should also be familiar with other ways of protecting their sites.
(The following is an edited version of my talk with Terry Cutler. To hear the full version play the podcast.)
Howard: I want to bring in Terry Cutler now. We’ll start with the FBI hack. Last Friday night about 100,000 emails went out from an FBI email address. It’s used for communications with law enforcement agencies and prosecutors. The email warned recipients that their systems had been hacked by a threat actor, but it was a hoax. In fact, the so-called threat actor blamed is really a cyber security expert who has been the victim of several hacks. Regardless of that, it was embarrassing to the FBI. From what we know publicly, how was this done?
Terry: There’s a web page at the FBI called the Law Enforcement Enterprise Portal, or LEEP. This portal allows an account to interact with various law enforcement agencies and use FBI resources. On that page was an ‘Apply now’ button, and when you apply you’d fill out information and it would say okay at the end. But there was a flaw and the threat actor was able to inject code that allowed them to interact with the webserver on the backend and send out over 100 thousand emails.
Howard: So applicants were to get a confirmation email, but that portal was compromised. In fact, the website leaked the one-time passcode that was needed for confirmation. And that allowed the attacker to compromise the email server that sent out the confirmation notice. Have you heard about anything like this before?
Terry: I haven’t come across this. But what we found out also is that the one-time password was the same for everyone. There are some mitigation steps they can put in place to stop this. One of the things is having what’s called an SPF record. This checks to make sure that emails are not being spoofed along the way before they get sent out, but in this specific case all the emails came from internal FBI systems. So there was no way to stop it in this particular case. Another mitigation step is to limit the number of systems that a message talks to before an email gets sent out.
The biggest thing is to get an audit done. Have a web application penetration test to see if there are any flaws in the mechanisms of the website. You want to look at the OWASP (Open Web Application Security Project) Top 10 Vulnerabilities to see where flaws could be. A lot of what we’re seeing right now with poor application development is that the developers are not coding with security in mind. They want to get a website up and running as quickly as possible and fix it along the way, instead of building it with Privacy by Design all the way up.
Howard: Let’s move on to the DRAM vulnerability report. DRAM is the memory in computers. It’s a juicy target for attackers because it can temporarily hold sensitive data like passwords and software tokens that are used to verify identity. As I understand it, a few years ago researchers discovered a technique called Rowhammer that could allow an attacker to siphon off data from memory. But this week researchers said a newer technique they call Blacksmith is even more effective. Tell us about this.
Terry: Rowhammer has been around for a couple of years. In fact, it was announced in 2014. It’s basically a physical hacking technique that allows the attacker to manipulate the electronic charge in computer memory chips. It’s going to corrupt or possibly allow you to exfiltrate data from that memory space. It allows the same program to run repeatedly on different rows of the chip. So they can actually access other people’s memory space on the same system if it’s a cloud system.
Howard: My understanding from the research paper was two years ago or a year ago there was a test of 40 devices on whether the Rowhammer attack would work. And they found that it worked on 30 percent of the devices. The new attack method they call Blacksmith was tried on the same devices and it worked 100 per cent of the time. So that sounds like it’s possible that this vulnerability could be easily exploited.
Terry: Yes. It looks like it’s going across all [memory] manufacturers, because back in the day we used to be able to mix and match RAM manufacturers. But then we’ve seen sometimes where, like in an operating system, it could result in a blue screen or crash because the memory chips were not the same. There is some stuff chip manufacturers can implement, which is called target row refresh. But what we’re seeing right now is that it’s only available on the latest chipsets. So what do you do if you’ve got older hardware?
Howard: I fired off an email with a question to Johannes Ullrich, dean of research at the SANS Institute, because of a comment he had made in a SANS briefing note. And he says cloud environments may be riskier places now for certain data because they share infrastructure. He said that physically separating certain sensitive data to run on separate servers may now be necessary because of this discovery.
Terry: This is going to be tough because the whole point of the cloud is to make it more affordable, more efficient and easily managed. So if this attack gains more traction that means that everybody’s going to have their own physical server, which is going to defeat the purpose [of cloud computing]. It’s going to be more costly and it’s not gonna run well. It’s going to be a mess. I mean there was a similar thing a few years ago. You may have heard of the Meltdown and Spectre vulnerabilities in CPUs. I think we’re going to start seeing more and more hardware-level attacks which might be able to bypass software controls.
Howard: So if you’re an IT department head and now you’ve heard about this Blacksmith memory attack technique, what can you do?
Terry: I think you’re at the mercy of the [memory] manufacturers. If you have equipment that is not set up to protect you against the latest threats you’re gonna have to rip and replace that hardware, because some of these attacks are only mitigated on DDR4 RAM. If you’ve got DDR3 you don’t have that capability. So you’ve got to make sure you do your [security] audits and make sure you protect against as many vulnerabilities as possible.
Howard: The final item I want to take a look at is ransomware, again. It seems no Week in Review can be done without talking about ransomware. And that’s because it’s a lucrative tactic that threat groups can employ. In fact, it’s so lucrative that according to a report this week from the threat intelligence firm called Digital Shadows, some ransomware gangs can now afford to bid on zero-day vulnerabilities. A zero-day is a vulnerability that’s discovered by a threat actor that’s unknown to product developers. They’re being sold on criminal websites to the highest bidder. It used to be that the cyber divisions of countries or threat groups that are backed by countries were the only ones who could afford to buy these. But apparently, now ransomware groups are bidding on them as well. What does this mean for an IT defender?
Terry: This means it’s a real mess because, again, the attackers just need one way into your environment. But as a defender you’re dealing with patch problems, compliance problems, who’s got multifactor authentication turned on, who’s got too much access, who’s not protected against phishing attacks, have my passwords leaked onto the dark web, I’ve got old outdated operating systems that I can’t get rid of because they’re required to run my operations, because maybe it doesn’t run on newer hardware, I can’t afford EDR …
Howard: For those who don’t know I’m going to mention some famous — or infamous — zero-day attacks. You of course have heard about the SolarWinds supply chain compromise. Separately, there was a zero-day vulnerability that was found. There have been zero-day vulnerabilities exploited in LinkedIn, Facebook, and a couple of years ago one in the Starwood hotel chain that led to a big data theft. In fact, coincidentally, in last week’s podcast Dinah Davis mentioned an MIT report that said so far this year 66 zero-day exploits have been found — and the year isn’t over yet.
Terry: I think that’s because when there was an attack earlier this year source code was accessed. The attackers have taken that code back home, ripped it apart and they said ‘Oh, we can create all these extra exploits from here.’ And I think there’s also been a group of crowdsourced vulnerability experts who’ve come together to help look at the code. So, for example, they’ll go on a website where [an application] is crowdsourced and somebody can post a comment and ask ‘How do I protect myself against this flaw?’ and the next thing people say you need to do this, do this, do this. But in reality, they’re actually telling the attacker how to take advantage of that exploit.
Howard: One of the things that this report says is that while zero-day vulnerabilities are very serious, these were only a small number of the weapons used by most attackers. Most of them are exploiting older vulnerabilities that security teams haven’t patched yet. And as I mentioned in the news summary, intelligence agencies have put out a warning that one threat group has recently been seen exploiting unpatched vulnerabilities that were fixed in 2018 and 2019. We’ve talked before about the importance of patching quickly.
Terry: To be honest I still come across these types of exploits during penetration tests. In fact, I still come across one from 2015, which is the [Windows] EternalBlue. I can use that vulnerability to gain access to the Active Directory, rip down all of the user names and passwords, and use a pass-the-hash attack and get access to other stuff … Everybody was supposed to have patched that, but sometimes these patches don’t come down via Automatic Update. You have to manually go and apply them. The problem we’re seeing right now is that organizations don’t have a proper patch management system in place and patches are not applied as quickly as possible.
Howard: Also one of the things that this report makes clear is that patching has to be done in a more disciplined way. Every IT department has to decide what its priorities are and then patch the applications that affect the most valuable data. Would you agree with that?
Terry: I do. What we’re seeing, though, is that the IT departments are seen as a cost center. Corporations are working with a budget that doesn’t have the proper resources to have a consultant come in and properly assess the environment. Patching is key. But you have to properly test patches in a test environment before making them live. Most companies don’t have a test environment, so they’re hoping nothing’s going to break.