Zero-Day Attacks And Why Patching Means Catching Up

Another day, another zero-day attack: the Sucuri Blog¹ found a remote code execution attack on Joomla, a CMS (Content Management System).

The hackers are interested in these all the time:

[Image: blackhathacker]

Because a zero-day attack means that the susceptible software can easily be taken over, since no fix exists yet.

Zero-day exploits are sought after on the darknet. Check one of our old posts on the Darknet. The International Institute of Cybersecurity also has a good primer on the Darknet² with actual places to try using Tor (The Onion Router), a browser that keeps you anonymous, although it has definite dangers when you use it.

[Image: therealdealmarket]

If you look at the above image (from an image at iicybersecurity.wordpress.com) you will notice there are 1-day exploits as well, which means the fix has been on the market for a single day already.

When your IT department asks you to install patches and reboot they are asking you to get a fix for a potential attack.

What kind of attack depends on the severity and danger of the software flaw.

There is a Common Vulnerability Scoring System (CVSS) discussed at first.org³.

The severity is set from 0 to 10 (zero through ten), with 10 a severe vulnerability which requires a fix As Soon As Practical.

Here are just some of the hundreds of vulnerabilities in cvedetails.com

[Image: cvedetails]

The problem that we have is that software is not just the operating system, it is all the applications that run on top of the operating system.

[Image: cvssscoreaverages]

You can see that over the years there have been 73 thousand plus vulnerabilities.

And, most disturbing, over ten thousand are in the 9-10 severity range.

This is why many in the cybersecurity field claim that the offense is winning and the defense is always playing catch-up.

As the exploits come out they are called zero-days, and the attackers sometimes attack by buying the exploit on the Internet darknet. There is a constant fight between the defense, which is patching and fixing against potential attacks, and the attacker, who is always trying to infect your computer with new methods.

This dance between offense and defense will never change (unless we just don’t want to use our computers, period). So all we can do is perform risk analysis and put most of our resources into ensuring the most important systems are patched.

Some time ago Microsoft decided to create a single day on which most of their patches would be available. This is called Patch Tuesday, and this month’s Patch Tuesday was on December 8th. As krebsonsecurity discussed, Adobe and Microsoft plugged over 70 security issues.

Internet Explorer had 30 security flaws

Microsoft Edge (the new Internet Explorer) had 15

Adobe Flash player had 78 vulnerabilities.


Are you running Windows Server DNS services? There is a patch for that as well, and the flaw is dangerous, especially since DNS usually runs on critical servers. Although the DNS patch is rated a 2, I believe the hacker will take any way in to your network and then slowly move laterally to other weak systems until reaching the areas which are the true targets.

[Image: BCM_Institute_Risk_Ratings_and_Levels]

How important is your server?

How important is your database information?


If you have a severity level 10 vulnerability and its impact is high (if the software fails) because of important software on this machine, then the decision is easy: patch as soon as practical. In fact, don’t patch the other systems first; patch the higher-risk machine.


Are we going to run into a resource allocation problem? Sure, but the highest-impact system will get patched sooner than the others.


The other problem we have is that sometimes the patch that is installed has problems, so we now have to pick between two bad outcomes:

1. an unpatched system that is susceptible to attacks
2. a system that is patched but has some kind of bug, which means the software will not work as advertised.

We also have a problem when the pace of patching is not fast enough, since tests have to be run before patching (to prevent catastrophic problems).

So the problem is between the lack of resources for patching and the attackers finding an attack vector on your machines.

[Image: patchingvsattackers]

Contact Us in Saint Louis Area to help you with risk analysis and more.


  1. https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html
  2. https://iicybersecurity.wordpress.com/2015/06/10/famous-dark-net-marketplaces-to-buy-exploits-0-day-vulnerabilities-malwares-for-research/
  3. https://www.first.org/cvss


NextGen Firewall Flaw Uncovered

[Image: nextgenfirewallflawdiagram]

The source is the BugSec blog¹, recently added at #30 on our Security News Analyzed page.

Apparently there are several NGFW (Next Generation Firewall) systems that allow the initial TCP handshake to occur no matter the destination, including destinations we would want to deny. It is worth pointing out that an actual connection is not made, as the firewall stops the connection.

Just by itself this problem would not have been an exploit, but BugSec’s CTO, Idan Cohen, was then able to develop a tool that creates full tunneling using just this initial handshake.

BugSec has disclosed this flaw to all the vendors that are affected by it.

The manufacturers said: “once their state machine proceeded beyond the TCP handshake, they would recognize the application, matching a subsequent rule that applied to application traffic.” And if, as in this case, the traffic was ‘unknown-TCP’, it would be blocked only with an additional security policy lookup deciding whether to allow or block the traffic.

So essentially by default some NGFW are allowing ‘unknown-TCP’ traffic.

Obviously this can be rather dangerous.
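To make the vendors’ description concrete, here is a toy model of that policy state machine: the handshake passes before any application can be identified, the first data segment gets an application label, and only then is a rule looked up. This is an added example, not BugSec’s tool or any vendor’s code; the packet flows, the rule format, the signature table and the "unknown-tcp defaults to allow" behaviour are constructed for illustration. It shows the defender’s check: a policy that only lists what to allow leaks unknown traffic unless it also carries an explicit deny for unidentified TCP.

```python
"""Toy model of an NGFW policy state machine: the TCP handshake is passed,
the application is identified from the first data segment, then a rule
lookup decides. Added example, not BugSec's tool or any vendor's code;
the packet flows, rule format and signature table are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    flags: str               # "SYN", "SYN-ACK", "ACK" or "PSH" (data segment)
    dst_port: int
    payload: bytes = b""


@dataclass
class Rule:
    app: str                 # application name, or "unknown-tcp" for unidentified traffic
    action: str              # "allow" or "deny"


@dataclass
class Session:
    state: str = "NEW"       # NEW -> HANDSHAKE -> IDENTIFIED
    app: Optional[str] = None
    verdicts: List[Tuple[str, str]] = field(default_factory=list)


# Tiny signature table standing in for a real App-ID engine (constructed).
SIGNATURES = {b"GET ": "web-browsing", b"SSH-": "ssh"}


def identify(payload: bytes) -> str:
    for prefix, app in SIGNATURES.items():
        if payload.startswith(prefix):
            return app
    return "unknown-tcp"


def evaluate(packets, rules, default_unknown="allow"):
    """Run one flow through the policy; return (payload bytes allowed, session).

    Handshake segments pass before any application can be identified, which
    is the behaviour the post describes. Data segments are judged by the
    first rule naming the identified application; 'unknown-tcp' with no
    explicit rule falls to `default_unknown` (the assumed vendor default),
    and any other identified application without a rule is denied.
    """
    sess = Session()
    allowed = 0
    for pkt in packets:
        if pkt.flags in ("SYN", "SYN-ACK", "ACK") and sess.state != "IDENTIFIED":
            sess.state = "HANDSHAKE"
            sess.verdicts.append((pkt.flags, "pass"))
            continue
        if sess.app is None:
            sess.app = identify(pkt.payload)
            sess.state = "IDENTIFIED"
        action = next((r.action for r in rules if r.app == sess.app), None)
        if action is None:
            action = default_unknown if sess.app == "unknown-tcp" else "deny"
        sess.verdicts.append((pkt.flags, action))
        if action != "allow":
            break                        # flow dropped; nothing more gets through
        allowed += len(pkt.payload)
    return allowed, sess


def handshake_passed(sess: Session) -> bool:
    """True when all three handshake segments were passed before inspection."""
    return [v for f, v in sess.verdicts if f != "PSH"] == ["pass"] * 3


# Constructed flows: a handshake followed by one data segment each.
UNKNOWN_FLOW = [
    Packet("SYN", 4444), Packet("SYN-ACK", 4444), Packet("ACK", 4444),
    Packet("PSH", 4444, b"\x00\x01" + b"A" * 20),   # matches no signature
]
WEB_FLOW = [
    Packet("SYN", 80), Packet("SYN-ACK", 80), Packet("ACK", 80),
    Packet("PSH", 80, b"GET / HTTP/1.1\r\n"),
]

# Weak policy: lists what to allow but never says what to do with the rest.
WEAK_RULES = [Rule("web-browsing", "allow")]
# Hardened policy: an explicit deny for traffic the engine cannot identify.
HARDENED_RULES = [Rule("web-browsing", "allow"), Rule("unknown-tcp", "deny")]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for flow_name, flow in (("unknown", UNKNOWN_FLOW), ("web", WEB_FLOW)):
            allowed, sess = evaluate(flow, rules)
            print(f"{name:9}{flow_name:9}app={str(sess.app):13} "
                  f"handshake passed={handshake_passed(sess)} bytes allowed={allowed}")
```

Under both policies the three handshake segments are passed, which is the part BugSec built on; the difference is what happens to the first data segment, and only the policy with an explicit ‘unknown-tcp’ deny stops it.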


  1. http://www.bugsec.com/news/firestorm/


Hackers Buy Christmas Presents Too

What is your weakest point in your security(People, Process & Technology)?

Safe to say that people are the weakest link. By that I mean social engineering your workforce into either clicking on something they should not, or doing something like giving out too much information (“yes, my boss is on vacation right now, email me at xyz.lastname@abc.com”).

The hacker is always trying to piece together more information to do a better job spear phishing various levels of employees.

A good review of the potential Christmas schemes from Avast¹:

1. Shopping Invoices for Ghost Transactions.
2. Bogus Courier Receipts Delivering Trojans.
3. e-Commerce Phishing.
4. Mining Personal Data — Bogus Gift Card Promos
5. Compromised High-Traffic Websites.
6. Poisoned Christmas Shopping Search Results.
7. Malvertisements: Malicious Advertisements
8. Greeting Cards — Bringing Bad Tidings.
9. Fake Charity Sites.
10. Bargain-Hunter Scams.


We can figure out some of the scams in the above list…

But an interesting one is compromised high-traffic websites.

Especially if you are interested in that topic. So let’s say you are interested in toys for your kids at Christmas. What happens if your favorite toy store is compromised? Then an email from your favorite toy store can cause a problem.

I waded into the spam folder and tried to find an appropriate email:

[Image: spamfromoverstock]

Notice how it is a “Christmas Liquidation” of an Apple MacBook in the subject line, but then in the body it is an Asus Laptop.


My own rule of thumb is to never click on a link in any email unless I know that domain name.

For users I just tell them not to click on the link at all, instead to find the link by using Google. So if you want laptops cheap for Christmas shop on Google or Amazon or other vendors.

Never click on links.

That rule of thumb will save most people from going down the road of getting compromised.
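The "do I know that domain name?" rule can be applied mechanically before anyone clicks. The script below is an added example, not from the original post: it pulls every link out of an HTML email, compares the link’s registrable domain with a list of domains the reader recognises, and also flags the classic tell where the visible anchor text names one site while the link goes to another. The allowlist, the sample message and every domain in it are constructed for the example.

```python
"""Check the links in an HTML e-mail against the sender domains you know.

Added example, not from the original post. The allowlist, the sample
message and its domains are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader has decided they recognise (constructed sample allowlist).
KNOWN_DOMAINS = {"amazon.com", "overstock.com"}

# Anchor text that itself looks like a web address, e.g. "www.overstock.com".
HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com-style names; a
    public-suffix list would be needed to handle e.g. .co.uk correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_links(html: str, known=KNOWN_DOMAINS):
    """Return one (href, verdict, reason) tuple per link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:
            results.append((href, "block", "no host in link"))
            continue
        dom = registrable_domain(host)
        shown = HOSTLIKE.match(text)
        # Anchor text naming one site while the href goes to another is a classic tell.
        if shown and registrable_domain(shown.group(1)) != dom:
            results.append((href, "block",
                            f"text says {registrable_domain(shown.group(1))}, link goes to {dom}"))
            continue
        if dom not in known:
            results.append((href, "block", f"unknown domain {dom}"))
            continue
        results.append((href, "ok", dom))
    return results


# Constructed sample message in the style of the spam the post describes.
SAMPLE_EMAIL = """
<p>Christmas Liquidation! MacBook at 80% off.</p>
<a href="http://overstock.com.deals-xyz.example/laptop">Claim your MacBook</a>
<a href="https://www.amazon.com/">www.amazon.com</a>
<a href="https://login.evil.example/">www.overstock.com</a>
"""

if __name__ == "__main__":
    for href, verdict, reason in check_links(SAMPLE_EMAIL):
        print(f"{verdict:5} {href}  ({reason})")
```

The first sample link shows why the check uses the registrable domain and not just "does the URL contain a name I know": the host starts with overstock.com but actually belongs to deals-xyz.example.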

As far as taking calls from unknown people… there is no more famous social engineer than Kevin Mitnick², who was caught in February 1995. He made his famous hacks by calling people and pretending to be tech support. It is amazing what the person who answers the phone will give out to a stranger without verifying who is actually calling.

Even 20 years later some of these tactics work for an accomplished liar and quick-thinking social engineer.

{ One Mitnick anecdote: The intrepid social engineer calls up the network operations center of a cell phone company during a snowstorm. After befriending the operators, he asks them: “I left my SecureID card on my desk. Will you fetch it for me?” }

My rule of thumb is to take their number and call them back before giving out anything beyond public information like what is on your website. Our hours are 7am – 6pm and until 9pm for the holidays.


Never give out information on specific people.

If it were up to me, you would have to recognize the caller’s voice before telling them even what the weather is outside your window.

Compromised sites during any holiday should make all of us wary of the potential phishing attacks.

Phishing, as I have written about before, is only useful on the days when we are at our weakest.

My blog post to train emotional detachment …

Defeat Phishing: Train Emotional Detachment to Scams

Contact Us to help you with anti-social engineering techniques


  1. https://forum.avast.com/index.php?topic=40647.0
  2. http://www.csoonline.com/article/2113271/social-engineering/kevin-mitnick-and-anti-social-engineering.html

SmartTV Can Get Malware & Ransomware

Are you considering buying a SmartTV for the office?


Here is Symantec’s Blogpost discussing a Smart TV infection:

(Symantec Blog is #26 on our  Security News Analyzed page)

http://www.symantec.com/connect/blogs/how-my-tv-got-infected-ransomware-and-what-you-can-learn-it


[Image: smarttvwithinfection]

Now your TV can get infected with Ransomware as well.

What Operating Systems can a smartTV have?

Tizen, WebOS 2.0, Firefox OS, or Android TV (which is a version of Android 5 Lollipop)


[Image: lg-smart-tv]


So be aware of this and apply any updates needed.

Why would a hacker want to attack a SmartTV, besides ransomware and the theoretical $$’s from that attack?

I think Symantec’s list is useful to keep in mind for all your devices that you may have:

  1. Click fraud — every time the device is used the criminal makes money
  2. Botnet — the criminal uses the processor and network for his own end
  3. Data theft — steal information
  4. Cryptocurrency mining — use the processor to mine for bitcoins
  5. Ransom —  as mentioned
  6. Access to other connected devices  — once behind router can connect to other devices.
  7. Privacy — steal your private information


If it isn’t obvious by now, any device in your network can be used against you.


Are all your employees installing any devices without your knowledge? You must run vulnerability scans to find out…
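One cheap way to find devices employees plugged in without telling anyone, before a full vulnerability scan, is to compare what the DHCP server has leased against the asset inventory. The script below is an added example, not from the original post or Symantec: the inventory, the vendor-prefix table and the lease lines are all constructed, and the lease format is a one-line simplification of ISC dhcpd’s lease syntax rather than the real multi-line file.

```python
"""Find devices on the LAN that are not in the asset inventory, from DHCP
lease records. Added example, not from the original post or Symantec.
The inventory, vendor prefixes and lease lines are constructed; the lease
format is a one-line simplification of ISC dhcpd's lease syntax.
"""
import re

# Constructed asset inventory: MAC address -> asset tag.
INVENTORY = {
    "aa:bb:cc:00:11:22": "WS-001 (accounting)",
    "aa:bb:cc:00:11:23": "PRN-02 (printer)",
}
# Constructed vendor prefixes (first three bytes). Real ones come from the IEEE OUI registry.
OUI = {"aa:bb:cc": "Contoso-PC", "de:ad:be": "TV-Maker"}

# Constructed lease records, one per line.
LEASES = """\
lease 10.0.0.21 { hardware ethernet aa:bb:cc:00:11:22; client-hostname "WS-001"; }
lease 10.0.0.22 { hardware ethernet AA:BB:CC:00:11:23; client-hostname "PRN-02"; }
lease 10.0.0.57 { hardware ethernet de:ad:be:ef:00:01; client-hostname "Smart-TV-LivingRoom"; }
lease 10.0.0.58 { hardware ethernet 02:42:ac:11:00:02; }
"""

LEASE_RE = re.compile(
    r'lease (\S+) \{.*?hardware ethernet ([0-9a-f:]{17});(?:.*?client-hostname "([^"]*)")?',
    re.I,
)


def parse_leases(text):
    """Return (ip, mac, hostname-or-empty) for each lease line that parses."""
    out = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            out.append((ip, mac.lower(), host or ""))
    return out


def unknown_devices(lease_text, inventory=INVENTORY, oui=OUI):
    """Leases whose MAC is not inventoried, with a best-effort vendor guess."""
    return [
        (ip, mac, host, oui.get(mac[:8], "unknown vendor"))
        for ip, mac, host in parse_leases(lease_text)
        if mac not in inventory
    ]


if __name__ == "__main__":
    for ip, mac, host, vendor in unknown_devices(LEASES):
        print(f"UNKNOWN {ip:12} {mac} {vendor:14} {host or '(no hostname)'}")
```

Anything this reports is a candidate for the vulnerability scan the post recommends; a device with no hostname and an unrecognised vendor prefix deserves a look first.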

Contact Us for help

Another Java Cybersecurity Mess

Foxglovesecurity has found a problem in Java(From 11/6):

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/


And the interesting thing is that Oracle is trying to sell their products and services to everyone as cloud Applications.

[Image: oracleweblogsuite]

What you don’t know is that there has been no patch for a Java library containing a vulnerability for which exploit code has been public for 9 months now. Any commercial product that has a connection to this Java library is affected: Weblogic, Websphere, JBoss, Jenkins, OpenNMS, and potentially your own application with Java functions.

It looks like deserialization vulnerabilities are not an ‘easy’ or simple thing to uncover and understand fully. But ‘simply’ put, deserialization takes binary data and converts it back into an object that you can use. If you want the details of exactly what happens in Java’s deserialization vulnerability, the foxglovesecurity post linked above walks through it.

To me it means that if your programmer wrote a Weblogic, Websphere, JBoss, Jenkins, or OpenNMS application, it is exposed unless they avoided the following (quoting foxglovesecurity):

Java LOVES sending serialized objects all over the place. For example:

  • In HTTP requests – Parameters, ViewState, Cookies, you name it.
  • RMI – The extensively used Java RMI protocol is 100% based on serialization
  • RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects
  • JMX – Again, relies on serialized objects being shot over the wire
  • Custom Protocols – Sending and receiving raw Java objects is the norm – which we’ll see in some of the exploits to come


So if the above happens then remote code execution can occur, as Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) showed in a talk on 1/28/15 at AppSecCali about the “commons collections library”. Here are the slides from this presentation: http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

So the short story is that it’s a complex Java vulnerability, and if your website or other network application(s) are running Java with the commons collections library you are susceptible to criminal hackers (only if your programmers used the library in a specific manner).

This vulnerability also has a CVSS of a 10.0.

And as foxglovesecurity states, this vulnerability does not have a sexy name (like POODLE or Shellshock).
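The mechanism is easier to see in a few lines than in prose: a serialized blob can name a callable that the deserializer invokes while rebuilding the object, so the defence is to decide which classes may be loaded before anything is instantiated. The example below is added here and is not from foxglovesecurity or the commons-collections project; it uses Python’s pickle as an analogue of Java’s ObjectInputStream so it can run stand-alone, with the Java-specific gadget chain left out. The ‘gadget’ only calls os.getcwd so the effect is visible and harmless, and the allowlisting unpickler plays the role of a look-ahead ObjectInputStream. The Order class and its allowlist entry are constructed for the example.

```python
"""Deserialization of untrusted bytes, shown with Python's pickle as an
analogue of the Java ObjectInputStream problem in the post.

Added example, not from foxglovesecurity or the commons-collections
project. A serialized blob can name a callable that runs during
deserialization, so the fix is to decide which classes may be loaded
*before* anything is instantiated (an allowlist in find_class, the same
idea as a look-ahead ObjectInputStream in Java). The gadget below only
calls os.getcwd so the effect is visible and harmless.
"""
import io
import os
import pickle


class Gadget:
    """Stands in for a gadget class: pickle records __reduce__'s callable and
    arguments, and a naive unpickler calls them on load."""

    def __reduce__(self):
        return (os.getcwd, ())   # constructed: a harmless callable to prove code ran


class Order:
    """An ordinary application object we *do* want to accept (constructed)."""

    def __init__(self, sku, qty):
        self.sku, self.qty = sku, qty


def unsafe_load(blob: bytes):
    """Vulnerable pattern: trust whatever class names the stream carries."""
    return pickle.loads(blob)


# Only these (module, class) pairs may be resolved; everything else is refused.
ALLOWED = {("__main__", "Order"), (__name__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: refuse any global not on the allowlist before it is
    resolved, so a gadget is rejected instead of executed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Return (gadget ran under unsafe_load, gadget blocked by safe_load,
    (sku, qty) of a legitimate object accepted by safe_load)."""
    legit = pickle.dumps(Order("SKU-1", 2))
    gadget = pickle.dumps(Gadget())
    ran_unsafe = unsafe_load(gadget) == os.getcwd()    # callable executed on load
    try:
        safe_load(gadget)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    order = safe_load(legit)
    return ran_unsafe, blocked, (order.sku, order.qty)


if __name__ == "__main__":
    print(demo())
```

The point carries straight over to the Java case in the post: the bytes arriving in a cookie, ViewState or RMI call decide which classes get instantiated, and unless the reader rejects unexpected classes up front, a library that happens to be on the classpath can be turned into a code path you never wrote.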


This is why sometimes you have to let others check your website for potential vulnerabilities.

Contact Us for help with testing your websites.