Chinese Cyberattacks Unrelenting And Will Not Stop

It is all part of the Chinese strategy to steal technology and information as they work on being the top country in the world.

There is an excellent article on the history of China and how it pertains to today’s world by Brandon J. Weichert at New English Review.

The “trade war” is part of a complex struggle by China to come to parity and overtake the United States.

The struggle with China is also pertinent in the Cyber world. As we know from Mandiant’s report, the Chinese PLA (People’s Liberation Army) has a unit that actively attacks Western companies and countries to steal technology and anything else that might be important. This was the APT1 operational attack on the world.

China is actively attacking systems (as you will see below).

The PLA units consist of hundreds if not thousands of attackers.

Mandiant’s report includes some history: APT1 was first observed in 2006. So for the last 13 years the Chinese have been systematically trying to attack and steal relevant information from Western companies.

Every industry was attacked (which is easy to do, as everyone is connected to everyone on the Internet). Some industries are more important than others:

Above image is from Mandiant’s report linked above.

This is from a report in 2012 about an old attack, but these items have not changed much today.

Let’s go back to Mr Weichert’s article (“Much More Than a Trade War With China”), where the Warring States period of Chinese history (771-475BC) is described as a unique time period. In this era the Qin dynasty was able to overcome a superior adversary, the Zhou dynasty, through superior statecraft and mastery of strategy.

Mr Weichert brings up a quote by Jiang Zemin (Chinese leader 1995-2003): “there cannot be two suns in the sky”. The history of China showed that only one dynasty would eventually defeat the other and survive to rule over all.

Here the “Barbarian-Handling” techniques are analyzed by Edward Luttwak:

  • Initially, concede all that must be conceded to the superior power, to avoid damage and obtain whatever benefits or at least forbearance that can be had from it;
  • Entangle the ruler and ruling class of the superior power in webs of material dependence that reduce its original vitality and strength, while preferring equality in a privileged bipolarity that excludes every other power;
  • Finally, when the formerly superior power has been weakened enough, withdraw all tokens of equality and impose subordination.

And then the Chinese culture assimilates the ‘Barbarian’ culture, such as when the Mongols invaded and eventually adopted Chinese methods, only to be surpassed later. There are many older cultures in Asia that have been completely swallowed up by China.

Whether this is a good methodology for China is not the question here (I believe it is not); we note that it is occurring and is part of the “entanglement” strategy to steal technology. The technology advantage will not be significant, or even an advantage, over time with more and more tech thefts.

What is the easiest way to steal technology today? Over the internet!!

This is why the PLA is systematic in its actions. They attack everyone and then find the nuggets in the network stream. China’s strategy is deliberate and systematic. In the 80s and 90s we had neighborhood kids who were trying to hack companies for the ‘fun’ of it. Today we have nation states with MASSIVE budgets and techniques.

If you do not think there is a serious Cyberattack happening you must wake up and smell the roses. Whether or not you have something to protect, the wide swaths of Cyberattacks coming out of China will make your life more difficult.

The above image does not surprise me; it is the number of attacks on this website in a week. And this website has no data beyond what you see on the blog (i.e. there is no customer data or other data hidden).

Contact us to review your Cyber defense strategy.

What We Can Learn From the Baltimore City Ransomware Attack

From a WSJ article:

On May 7th hackers were able to shut down a number of City of Baltimore computers. They demanded $100k worth of bitcoins to release their stranglehold. On this day that is about 13 Bitcoins (the value of Bitcoin fluctuates).

So Baltimore is refusing to pay, as it should. The ransomware the hackers used is called RobbinHood.

And apparently if there is no payment within 10 days the price goes up. How did RobbinHood get access to the systems (and then corrupt them)?

Bleepingcomputer.com goes into some of the RobbinHood details.

Apparently this ransomware is not coming in through spam (like many others). Ars Technica has more details of the IT situation in Baltimore City departments:

“Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface, with 113 subdomains—about a quarter of which are internally hosted—and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).”

Part of this problem seems to stem from mismanagement of GRC (Governance, Risk, Compliance). The IT department was underfunded, which seems obvious now but was not earlier. And now the decision is: do we pay the ransom to get back to normal? Or suffer through a restore, which takes an unknown amount of time and resources? Will the restore work? If not, then the systems have to be rebuilt from scratch: reinstall operating systems and applications, while also making sure this problem does not resurface (create proper procedures for installing and patching). So all the things that were obvious in the past, and had a long time to be resolved, now must be done under the glare of the public eye, in a quick manner. There are plenty of stories of how real estate transactions are not closing without certain department computers. So where the city wanted to be paperless, it has to reinstate paper-based processes.

Needless to say Baltimore is the poster child of how not to do things.

There is a price to pay at some point for bad management decisions (underfunding IT updates or security initiatives). When you do not update systems in a sprawling campus of hundreds of systems, it is inevitable that there will be a system that can be attacked. Hackers are ingenious and find ways in. Once they are in, the game is to elevate credentials (privileges).

Let me ask you a question: if it is relatively easy for the hacker to come in and take a system, then elevating privileges will also be ‘easy’, as privilege escalation vulnerabilities are more numerous.

So now the hacker is in the network and can do pretty much as they please. Now the hacker will try to find the most important systems (email and file servers among others) to infect. This is exactly what happened on the City of Baltimore campus.

Contact us to discuss GRC and prevent a disaster like this in your organization.

Internet Cameras Vulnerable to Attacks With No Fix

If there is no way to fix a vulnerability, what do you do if you have a camera with that vulnerability?

Here is the quote on Threatpost (from the engineer who found the flaw):

“Over 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM,” said Paul Marrapese, a security engineer who discovered the flaws and set up the hacked.camera website.

So the key items from Paul’s website are the following two CVEs:

What is CVE-2019-11219?

CVE-2019-11219 refers to an enumeration vulnerability in iLnkP2P that allows attackers to rapidly discover devices that are online. Due to the nature of P2P, attackers are then able to directly connect to arbitrary devices while bypassing firewall restrictions.

What is CVE-2019-11220?

CVE-2019-11220 refers to an authentication vulnerability in iLnkP2P that allows attackers to intercept connections to devices and perform man-in-the-middle attacks. Attackers may use this vulnerability to steal the password to a device and take control of it.

So it is mostly iLnkP2P, with many companies potentially affected.

This problem has just been released to the public, with initial advisories sent to vendors by Mr. Marrapese on 1/15/19.

So in theory the vendors should have been working on this issue, but they did not respond. So the vulnerability was sent to CERT/CC and then the 2 official CVEs were set up by MITRE:

CVE-2019-11219 and CVE-2019-11220

Devices that use the following Android apps may be vulnerable:

  • HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
  • VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
  • Wanscam: E View7
  • NEO: P2PIPCAM, COOLCAMOP
  • Sricam: APCamera
  • Various: P2PCam_HD

Time to start making people aware and get their vendors to fix these problems, because some vendors are foot-draggers on security.

So the really bad news is that the hackers now definitely know about the problems, so are attacks coming soon???

Coming back to the original question… how can you protect cameras with this flaw? You have to put a new NGFW system in front of it to protect it. Kind of like how one protects a Windows XP machine, or any system that is no longer getting updates.

Here is my old post on NGFW: https://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/

Contact us to discuss this with you.

SAML Attacks Can Break Down Single Sign-On (SSO)

Area41 Defconswitzerland had an interesting video about attacking Single Sign-On technology, SAML – Security Assertion Markup Language (basic tutorial on SAML).

There are a few ways an attack can happen: while the initial connections are made (and all certificate info, or other needed info, is exchanged);

or after the initial connection was made and the single sign-on conditions are now set, i.e. the auth server stores cookies and redirects on the next request for access.

The image above is from auth0.com

So when the attacker tries to inject an attack, they are mimicking the tokens or the XML.

Check out the following from the Defconswitzerland video:

SAML Attacks: Certificate Tampering

  • Clone a certificate and generate new key material
  • Use a certificate signed by another official CA

SAML Attacks: XML

  • Signature exclusion (simply delete the Signature)
  • XML signature wrapping
    • Paper on breaking SAML (Be whoever you want to be, 2012)

SSO is supposed to be a technology which makes accessing multiple network systems easier and safer. So if there is a way to attack it and have access then it defeats the purpose of all this defense.
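As an added example (not code from the video or from this post), here is the kind of structural check a Service Provider can run on a SAML Response before any cryptographic verification, which catches the two XML attacks listed above: a deleted Signature, and a second Assertion wrapped in beside the signed one. The `check_assertion_structure` function, the `sample_response` helper and the XML samples are all constructed here; this check complements XML-DSig verification in a maintained SAML library, it does not replace it.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_assertion_structure(xml_text):
    """Structural pre-checks a Service Provider should run on a SAML Response
    before (never instead of) cryptographic XML-DSig verification.
    Returns "ok" or a string starting with "reject:"."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(f".//{{{SAML}}}Assertion")
    # Exactly one Assertion anywhere in the document: a second one, however it
    # is nested or hidden, is the tell-tale of XML signature wrapping.
    if len(assertions) != 1:
        return f"reject: expected one Assertion, found {len(assertions)}"
    assertion = assertions[0]
    # The Signature must be a direct child of the Assertion we are about to trust;
    # a missing one is the signature exclusion attack from the list above.
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        return "reject: Assertion carries no Signature (signature exclusion)"
    # The signed Reference must point at this very Assertion's ID, not at some
    # other element the attacker left signed elsewhere in the Response.
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return "reject: Signature Reference does not cover this Assertion"
    return "ok"

def sample_response(assertion_id, signed=True, extra=""):
    """Constructed minimal SAML Response used only to exercise the checks."""
    sig = ""
    if signed:
        sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
               f'<ds:Reference URI="#{assertion_id}"/></ds:SignedInfo>'
               '<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')
    assertion = (f'<saml:Assertion ID="{assertion_id}">{sig}<saml:Subject>'
                 '<saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f'{extra}{assertion}</samlp:Response>')

GOOD = sample_response("_a1")
EXCLUDED = sample_response("_a1", signed=False)  # Signature deleted
# Wrapping: the signed Assertion for alice is kept, an unsigned one for admin is added
WRAPPED = sample_response("_a1", extra='<saml:Assertion ID="_evil"><saml:Subject>'
                          '<saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>')
```

Running `check_assertion_structure` over the three samples returns "ok" only for GOOD; the other two are rejected before the signature bytes are ever examined.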

Contact Us to discuss auditing your network environment

You Are Good, But Your Neighbor Is Not… Now What?

Let’s set this up…

You have paid attention to some Cyber security efforts and have a number of defenses, maybe not “all of them”, but your risk management matrix has shown you where to focus. What is the impact on a device if it has Cyber security problems?

Assuming you set up the probability matrix of all of your devices’ failure impact… did you think of everything?

What about this:

Internet Storm Center has a story, “More malspam pushing Lokibot”.

The post is about an email attachment in RTF (Rich Text Format) which runs and then downloads an exploit for CVE-2017-11882, which installs Loki the information stealer.

Once Loki is on the machine it will contact home base and more.

Loki is an especially bad piece of malware, as it steals FTP credentials, SMTP credentials, browser data and database information, and has keylogger abilities.

So how do we defend against this malware? We need to deny the entry points, because once the malware is in one of your systems, or one of your partners’ systems, it is a different game.

So what happens when you think the neighbor is infected? The firewall is no longer in play, as all internal machines are now open to attack. All it takes is another payload dropped onto the infected machine that will take advantage of other machines with weak defenses.

So the problem is that any machine that you allow into your network (via VPN or otherwise) can also make your network systems weaker.

Coming back to our neighbor: if the neighbor does not have the same approach to security as you do, they are now a liability if you do not take the neighbor threat seriously.

I want to give an example of an apartment building that has been set up with internet service from a well known ISP. So you get an apartment and the internet service is built into the price of your apartment (or at least is a minor add-on).

The apartment people tell you to just plug into the wall and voilà, you have internet service.

So when I plug in, do I get my own router? Or am I connected within a switch with every other apartment first? So now I have to run a discovery scan and check all the other IP addresses first?

This is why one runs a discovery scan: to see all the machines that are on the network and that can see you. This is all part of the risk management of your company.

Contact Us to discuss Risk management and more.