Positive Research Center


How hackers could negatively impact a country's entire economy

18 September 2017, 16:04

Despite enormous efforts, security is always a work in progress because of technical vulnerabilities and the human factor. In the modern digital economy, criminals are becoming ever more creative in finding ways to make off with millions without having to leave home. And the actions of cybercriminals could actually harm a country's economy. Here are some scenarios of possible attacks.


Unchained malware
We’ve already seen this with WannaCry-like epidemics. What is important here: even though the later NotPetya malware looked like ransomware, our analysis shows that monetization through ransom wasn't the main motivation for its creators. The malware was never designed to unlock victims' computers even if they paid. So it's possible that NotPetya was used as a "smoke screen" to cover some other local operation... but the impact was international. In the future, such malware could devastate a country's economy even if that wasn't planned.

Multi-stage bank attack
The most infamous case is the Bangladesh Bank robbery in 2016, when instructions to steal almost a billion dollars from the central bank of Bangladesh were issued via the SWIFT network. A dangerous trend we’ve noticed recently is that hackers use multi-stage attacks through a number of organizations. It could start with a phishing email sent to an organization that is not financial but works with some banks as a partner, so the bank can be attacked from the contractor's accounts after they are hacked.

As our investigation shows, 75% of companies targeted by the Cobalt hacking group are from the financial sector, while 25% are banks' partners (including government, telecom, entertainment and healthcare companies) used as a stepping stone for further attacks on the financial sector.

Stock exchange attack 
We also see that financial companies being targeted by Cobalt group now include not only banks but financial exchanges, investment funds, and lenders. This widening range of targets suggests that attacks on diverse companies with major financial flows are underway. By attacking a financial exchange, a criminal group like Cobalt can "pump" or "dump" stocks, incentivizing purchase or sale of shares in certain companies in a way that causes rapid fluctuations in share price. Such stock manipulations can affect the economy of entire countries.

These methods were employed by the Corkow group in their 2016 attack on Russia's Energobank, which caused a 15-percent change in the exchange rate of the ruble and caused bank losses of RUB 244 million (over USD 4 million).

AI bots
It's easy to blame hackers and criminals, but the fact is that the modern digital economy can be ruined "quite legally" with little human intervention. In 2013, the journal Nature published a research paper called "Abrupt rise of new machine ecology beyond human response time", which explains how high-frequency trading robots provoked the economic crisis of 2008.

Now, ten years later, bots have become cleverer and faster, while there are still no serious security rules or limitations on machine intelligence development. This could be a real danger. Human hackers usually don't want to shut down the whole financial system; they need it running so they can keep stealing money from it. Bots, on the other hand, don't care about humans or their financial systems at all. And bots don't have to sleep.

Web Application Attack Statistics: Q2 2017

14 September 2017, 14:00
This report provides statistics on attacks performed against web applications during the second quarter of 2017. Sources of data are pilot projects involving deployment of PT Application Firewall, as well as Positive Technologies’ own PT AF installations.

The report describes the most common types of attacks as well as the objectives, intensity, and time distribution of attacks. It also contains industry-by-industry statistics. With this up-to-date picture of attacks, companies and organizations can monitor trends in web application security, identify the most important threats, and focus their efforts during web application development and subsequent protection.

Automated vulnerability scanners (such as Acunetix) have been excluded from the data used here. The example attacks presented in this report have been manually verified to rule out false positives.

Protection data for Positive Technologies itself has been classified under the IT sector for reporting purposes.

Web application attacks: statistics
Attack types
In Q2 2017, Cross-Site Scripting was the most common type of attack. SQL Injection, used to access sensitive information or run OS commands for further penetration of a system, represented almost one fourth of the total number of attacks, the same as in the first quarter of 2017. Going forward, we expect that Cross-Site Scripting and SQL Injection will continue to make up at least half of all web application attacks. In addition, our list of frequent attacks for Q2 includes Information Leak and XML Injection, both of which entail disclosure of information.



Figure 1. Top 10 web application attacks
An interesting picture appears if we separate the attacked companies by sector. Companies included government entities, financial services companies, IT companies, educational and healthcare institutions, as well as energy and manufacturing companies.

As in the first quarter, a large portion of attacks on government entities were aimed directly at gaining access to data. Personal data is the most critical resource held by government entities, so attacks tend to focus on either databases or application users directly. Although government websites are regarded by users as highly trustworthy, the users of these sites—more than in other sectors—are unlikely to know the basics of how to stay safe online. This makes government sites tempting targets for Cross-Site Scripting attacks, which can infect a user’s computer with malware. Another common type of attack in Q2 is Information Leak, which exploits various web application vulnerabilities in order to obtain additional data about users, the system itself, and other sensitive information.


Figure 2. Top 5 attacks on web applications of government institutions
Attacks on healthcare were also mostly driven by theft of information: more than half of attacks were aimed at gaining access to data. Medical organizations have recently suffered from several major data leaks: for example, in May, the Dark Overlord hacking group posted the medical records of around 180,000 patients from three medical centers. Another incident occurred at a Lithuanian plastic surgery clinic: over 25,000 photos, including naked before and after pictures, were made public. Initially, the hackers demanded a ransom from both the clinic (equaling EUR 344,000) and its clients (up to EUR 2,000 from each to delete the data). One more company that suffered in May due to a web application vulnerability was Molina Healthcare, with about 5 million patient records made public.

Nearly a quarter of all attacks were aimed at denial of service. Modern healthcare web applications frequently give patients the opportunity to learn more about a clinic and its services, schedule an appointment or house call, buy an insurance policy or service package, and get advice online. In the case of applications such as these, a successful DoS attack can damage not only a company’s reputation and cause inconvenience to patients, but cause financial losses for the company.


Figure 3. Top 5 attacks on web applications of healthcare institutions
The most common attacks on IT companies, as in the first quarter, are Cross-Site Scripting and SQL Injection. If successful, such attacks may trigger significant reputational losses for IT companies in particular. SQL Injection can be used to obtain information as well as for other purposes, such as defacing websites. Cross-Site Scripting can be used to infect user workstations with malware.


Figure 4. Top 5 attacks on web applications of IT companies
Attacks on educational institutions are generally intended to access data (such as exam materials) or modify it (such as exam results). In Q2, more than half of attacks aimed to obtain access to information, Path Traversal being the most common method. Almost one in six attacks was targeted at OS Commanding.


Figure 5. Top 5 attacks on web applications of educational institutions
By contrast, in the case of energy and manufacturing companies, attackers’ objective is to obtain full control over company infrastructure. Therefore the most common attacks attempt to run arbitrary OS commands and gain control over the server or obtain information about the system; attacks on users are few and far between. By launching attacks against the target company’s internal network, an attacker can gain access to critical system components and interfere with operations.


Figure 6. Top 5 attacks on web applications of energy and manufacturing companies
The following screenshot gives an example of detection of remote command execution. The attempt involved an exploit of the CVE-2017-5638 vulnerability in Apache Struts, a free open-source framework used for creating Java web applications. The vulnerability allows attackers to execute arbitrary code on a server by changing the Content-Type HTTP header. This vulnerability became known to the public in March 2017 and the first attempts to exploit it against the web applications included in this report were recorded on April 3.


Figure 7. Example of attack detection: OS Commanding
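The Struts case above turns on a Content-Type value that no browser would ever send. As an added illustration, not PT AF's detection logic and not code from the original report, here is a defender-side check that flags a Content-Type header which either carries an OGNL expression marker (`%{` or `${`) or is not a syntactically valid media type at all. The sample header values are constructed; the OGNL-shaped one only mimics the form of an expression.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 7230 token character (tchar). The '\0' guard matters: strchr() would
 * otherwise match the string terminator and treat end-of-input as a tchar. */
static bool is_tchar(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Length of the token starting at p (0 when p does not start a token). */
static size_t scan_token(const char *p)
{
    size_t n = 0;
    while (is_tchar((unsigned char)p[n])) n++;
    return n;
}

/* Length of the quoted-string at p, quotes included; 0 when malformed. */
static size_t scan_quoted(const char *p)
{
    if (p[0] != '"') return 0;
    size_t n = 1;
    while (p[n] != '\0' && p[n] != '"') {
        if (p[n] == '\\' && p[n + 1] != '\0') n++;  /* quoted-pair */
        n++;
    }
    return p[n] == '"' ? n + 1 : 0;
}

static void skip_ows(const char **p)
{
    while (**p == ' ' || **p == '\t') (*p)++;
}

/* true when the value matches
 *   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) ) */
static bool valid_media_type(const char *p)
{
    size_t n = scan_token(p);
    if (n == 0 || p[n] != '/') return false;
    p += n + 1;
    n = scan_token(p);
    if (n == 0) return false;
    p += n;
    for (;;) {
        skip_ows(&p);
        if (*p == '\0') return true;
        if (*p != ';') return false;
        p++;
        skip_ows(&p);
        n = scan_token(p);                 /* parameter name */
        if (n == 0 || p[n] != '=') return false;
        p += n + 1;
        n = scan_token(p);                 /* value: token ... */
        if (n == 0) n = scan_quoted(p);    /* ... or quoted-string */
        if (n == 0) return false;
        p += n;
    }
}

/* Classify a Content-Type value: 0 = well-formed, 1 = carries an OGNL/EL
 * expression marker, 2 = not a valid media-type at all. A browser or a
 * normal API client sends neither 1 nor 2, so both deserve an alert. */
static int classify_content_type(const char *v)
{
    if (strstr(v, "%{") != NULL || strstr(v, "${") != NULL) return 1;
    return valid_media_type(v) ? 0 : 2;
}

int main(void)
{
    /* Constructed sample values. The third only mimics the shape of an
     * OGNL expression; it is not a working payload. */
    const char *samples[] = {
        "multipart/form-data; boundary=----ConstructedBoundary42",
        "text/plain; charset=\"utf-8\"",
        "%{(#_='multipart/form-data').(#marker=1)}",
        "multipart/form-data; boundary={not a token}",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("class %d <- %s\n", classify_content_type(samples[i]), samples[i]);
    return 0;
}
```

A grammar check like this is only a coarse signal; a production WAF also normalizes encodings and correlates the request with what follows, as the attack-chain discussion below describes.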
Another example of OS Commanding demonstrates attackers’ efforts to exploit vulnerabilities not only in web applications, but in networking device firmware as well. Vulnerability CVE-2017-8220 was published on April 25 and attacks on devices started soon after on April 28.


Figure 8. Example of attack detection: OS Commanding
As these cases indicate, it may take only a few days for attackers to “weaponize” a newly published vulnerability. (More time may be required for exploiting more complex vulnerabilities.) Attackers primarily try to exploit vulnerabilities that have been discovered recently, because targets are less likely to have installed the corresponding updates.

Use of outdated software facilitates attackers’ activities, because the Internet is full of information about all known vulnerabilities as well as ready-made exploits for them. Attackers have multiple ways to find out which versions are in use on a particular system, whether by obtaining information with the help of application misconfiguration or by exploiting version-specific vulnerabilities. At one company hosting a Positive Technologies pilot project, an out-of-date Joomla version was in use. One attacker planned to take advantage of that with an exploit for a vulnerability discovered in 2015 that allows executing arbitrary code (CVE-2015-8562).


Figure 9. Example of attack detection: OS Commanding
In contrast to such one-off attempts, a dedicated attacker may employ an entire chain consisting of several targeted attacks against a single target. To prevent incidents, it is extremely important to quickly identify such chains and prevent them from progressing. For this purpose, a web application firewall should cross-check all events for correlations in real time. Attackers can disguise their activities in a number of ways, such as by using diverse hacking techniques, taking breaks between attacks, and changing their IP address. The following screenshots from the PT AF interface show an example of a detected SQL Injection attack chain. The chain included 38 related attacks, each of which was classified as having a high degree of risk.


Figure 10. Example of detected attack chain: SQL Injection

Figure 11. SQL Injection attacks that have been correlated into a single attack chain
In terms of the average number of attacks per day, IT and government lead the pack. They were followed by healthcare, education, and energy and manufacturing companies. Compared to the previous quarters, the number of attacks on government web applications decreased. This trend is likely caused by the nature of the web applications included in this quarter’s research: most of the websites are intended to provide information and have no functionality of interest to attackers. Attacks on websites of manufacturing companies are generally targeted and are carried out by experienced hackers who act very carefully to escape notice. So despite the small number of attacks in this sector, these attacks are in fact the most dangerous ones.


Figure 12. Average number of attacks per day, by sector
In Q2, attackers showed more interest in attacks on application users. Most attacks were intended to access sensitive information.
As in Q1, hackers most frequently attacked the websites of government institutions and IT companies.
Attack trends
Let’s look at the distribution of attacks over time, specifically the number of attacks of each type encountered per day on average by a company. The following charts indicate the frequency and intensity of each web application attack method used by hackers. Information is also given on the most common attacks and which of them (based on the number of requests sent by attackers) dominate among malicious traffic.


Figure 13. Number of attacks per day, by type
Cross-Site Scripting attacks were consistently high throughout the quarter, with 100 to 250 of them recorded every day.

At 40 to 200 attacks per day, SQL Injection is highly visible on the chart as well. When looking for vulnerabilities caused by insufficient filtering of SQL query input, attackers tend to search intensively. The most powerful web application attack in Q2 was a search for SQL Injection vulnerabilities by brute-forcing all possible parameters, with a total of over 35,000 requests sent by the attacker.

Information Leak demonstrated an upward trend caused by abrupt spikes in the number of malicious requests on certain days.

Overall, the average number of attacks of other types rarely exceeded 100 per day.

The following picture shows the overall intensity of attacks in Q2 for all industries, as measured by the average number of malicious requests per day directed at a company.

Figure 14. Distribution of attacks by day of week
Compared to the previous quarter, attackers became slightly less active. Web applications were hit by 300 to 800 attacks on average per day, dipping as low as 140 on the slowest day. The maximum number of attacks on a single company in a single day was 35,135, almost double the top value from the previous quarter. Practically all these attacks were from the same IP address. The attacker tried to find an SQL Injection vulnerability, apparently with the help of special scripts. The following figures show the number of attacks on this company on a timeline of three days, as well as the hour when the highest number of attacks was recorded.


Figure 15. High-intensity SQL Injection attack on May 3 (PT AF interface)

Figure 16. High-intensity SQL Injection attack during a single hour (PT AF interface)
The following chart shows the distribution of attacks by time of day, on average, for a single company. Data comes from all sectors, based on the local time of the company under attack.


Figure 17. Distribution of attacks by time of day: 0 = 12 a.m. (midnight), 12 = 12 p.m. (noon)
This picture resembles the one we had for the first quarter: the number of attacks is basically stable throughout the day, but increases during the afternoon and evening. As an example, below is a screenshot from the PT AF interface of one client company with data for April 17. We can see that attacks were mostly conducted in the afternoon, with the peaks corresponding to an increased number of requests.


Figure 18. Hour-by-hour graph of attacks on April 17, displayed in the PT AF interface
Such results, as in the previous quarter, are caused by the fact that users (who are the targets of around one third of attacks) are particularly active during these hours. Once again, we found that the intensity of attacks remains rather high both day and night.

One reason that may motivate attackers to strike at night is that the target’s security staff are less likely to notice, and therefore react to, an attack.

When designing corporate security measures, it is best to take into account the times during which attacker activity is at its peak. These times may be company- or sector-specific. While attack intensity was generally stable in Q2, certain time periods did see a rise in activity. Particularly when attacks are performed during non-working hours, timely reaction and prevention of incidents require smart web application protection tools, as well as qualified incident response staff.

Conclusions
Attackers were consistently active throughout the entire period considered (Q2 2017). However, even these numbers, just as in the previous quarter, represent a slight drop compared to the number of attacks on web applications in 2016. Attempts to access sensitive information and attack web application users were the main techniques used. The websites of government institutions and IT companies are still the perennial “favorites” of attackers and we forecast that the situation will remain the same in the next quarter. Moreover, we expect to see an increase in the number of attacks triggered by publication of new vulnerabilities in popular content management systems (such as Joomla).

After vulnerabilities have been detected and made public, many web applications remain vulnerable due to failure to stay up to date with system updates and patches. Our report clearly shows that attackers are quick to make use of newly published vulnerabilities, weaponizing them within days. Effective protection requires both timely software updates and proactive measures, such as a web application firewall, to detect and prevent attacks on web applications.

New Apache Struts vulnerability allows remote code execution

14 September 2017, 10:05

A new security flaw detected in Apache Struts allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

Although the Apache Software Foundation classified it as a medium severity vulnerability, Cisco has outlined a long list of its products in the Security Advisory that are affected by this flaw.

Extent of the problem
The vulnerability is contained in the FreeMarker functionality of the Apache Struts 2 package. FreeMarker Template Language is widely used in Apache Struts and numerous Java-based projects. Developers can use it to bind parameter values sent from a user application to the server to the application's internally declared variables.

Incorrect handling of these values makes it possible for attackers to send Object Graph Navigation Language (OGNL) expressions to the server, the processing of which can cause arbitrary code execution.

Currently, the vulnerability is confirmed in several Cisco products:

  • Cisco Digital Media Manager — no patch will be issued as the product support was officially ceased on August 19, 2016
  • Cisco Hosted Collaboration Solution for Contact Center
  • Cisco Unified Contact Center Enterprise
  • Cisco Unified Intelligent Contact Management Enterprise

Over 20 Cisco products are still under investigation to determine whether they are affected. Finalized information will be available in an update to the Security Advisory.

Not only Cisco: breaking into Equifax
Apart from CVE-2017-12611 (S2-053), several similar security flaws, including CVE-2017-9805 (S2-052), CVE-2017-9791 (S2-048), and CVE-2017-5638 (S2-045), had already been detected in Apache Struts. Media reports stated that hackers exploited a vulnerability in Apache Struts to steal client records from the credit reporting agency Equifax. Exact details of the attack are still being confirmed.

According to Leigh-Anne Galloway, an expert at Positive Technologies, such attacks can be used to steal credit card data, or to use information about people with good credit scores to defraud banks and obtain loans.

Moreover, Equifax's website used to set up credit account monitoring also turned out to have a vulnerability hackers could exploit to steal users' data.

In the aftermath of the Equifax breach, the Apache Struts development team issued a statement recommending that all users of the framework employ dedicated tools to secure their infrastructure. One such tool for preventing attacks that exploit vulnerabilities of this kind is a WAF (we develop our own, PT Application Firewall).

How to protect yourself
Although a number of Cisco products are vulnerable to CVE-2017-12611, this is unlikely to have large-scale consequences, because the attacked application needs a specific configuration for the vulnerability to be exploited successfully. If developers do not use FreeMarker Template Language constructs, or use exclusively read-only entities to initialize attributes, the flaw cannot be exploited.

Moreover, Positive Technologies recommends that application developers install Apache Struts version 2.5.12 or 2.3.34, which ship with a more restrictive FreeMarker configuration. This also reduces the risk of a successful attack.

12 Great Technical Talks at SHA2017

31 August 2017, 16:24

image credit Arron Dowdeswell @Arronandir
SHA2017 is a large outdoor hacker camp that took place in the Netherlands from August 4th to 8th. Despite intensive preparation of his own talk for the event, Positive Technologies expert Alexander Popov attended a lot of interesting lectures. In this article Alexander shares his impressions and lists the 12 technical talks at SHA2017 that he liked the most.


1. How the NSA tracks you
Bill Binney gave the keynote and described how the NSA tracks us. On the one hand, the topic is no longer a sensation today. On the other hand, I would note that this man had a 34-year career at the NSA, finally becoming the Technical Director of the organization. During his talk I was sitting in the front row and I was really impressed by the piercing gaze of the speaker.

The recording:



2. Mathematics and Video Games
An entertaining and funny talk about the applications of graph theory and topology in nice old games like Pac-Man and Space Invaders.
The recording:



3. Automotive Microcontrollers. Safety != Security
A very interesting lecture about hacking automotive systems using fault injection: voltage or electromagnetic glitches, laser shooting and other cool hacks. The researchers described why meeting the ISO 26262 standard requirements of functional safety does not help against low-level attacks.

The recording:



4. DNA: The Code of Life
An excellent lecture by Bert Hubert about DNA from the information technologies perspective. Not only is he a charismatic speaker, but also his talk was well prepared for the hacker conference. So the hour flew by and I found myself fascinated by the way God encoded life with DNA.

The recording:



5. Improving Security with Fuzzing and Sanitizers
A cool talk on a highly relevant topic from a very famous German security researcher - Hanno Böck. I gained some new ideas about fuzzing methods and used the opportunity to ask Hanno some questions about Sanitizers.

The recording:



6. Race for Root: Analysis of the Linux Kernel Race Condition Exploit
A very good technical talk, let me recommend it ;) I described the CVE-2017-2636 vulnerability, which I found in the Linux kernel, explained my PoC exploit for it and showed the local privilege escalation demo.

The recording:



The slides.

I would like to note that the Linux kernel maintainers have accepted my patch which blocks similar exploits. More technical details are available at the Positive Technologies blog.


7. Flip Feng Shui
One of the most notable talks of SHA2017. Victor van der Veen and Kaveh Razavi are renowned information security researchers. They have just won the prestigious Pwnie Award for exploiting the Rowhammer hardware bug to attack cloud and mobile platforms. The speakers effectively explained their exploits and showed nice demos.

The recording:



8. Computational Thinking
An interesting and entertaining lecture by Pauline Maas, who shared her successful experience of getting young children and teenagers involved in programming, DIY and computational thinking in general. Yes, it is fun!

The recording:



9. Bypassing Secure Boot using Fault Injection
An impressive technical talk about fault injection attacks. The audience, myself included, was impressed by the live demo of bypassing Secure Boot checks on ARM using voltage glitches.

The recording:



10. Rooting the MikroTik Routers
A high quality technical talk with live demos of hacking the MikroTik industrial routers. At the end Kirils Solovjovs made his router beep a nice tune. The audience liked it.

The recording:



11. Off Grid: Disclosing Your 0days in a Videogame Mod
A really cool talk about a really cool hacking videogame called Off Grid. You play as a hacker breaking into systems in a huge building of some corporation. The software on the desktops, smartphones and IoT devices you hack actually runs on virtual machines. So it's real fun :) Moreover, the game allows you to practice social engineering and other tricks. The Off Grid developers showed some live demos of the gameplay, and the audience appreciated that a lot.

The recording:



12. FaceDancer 2.0
A very interesting lecture by the developers of FaceDancer 2.0. It is an improved technology for fuzzing various USB software stacks. In fact, the Linux kernel and other OSes have the wrong security policy regarding trust in hardware. In particular, USB software stacks usually assume the correct behaviour of everything attached via USB. That wrong assumption makes "Bad USB" attacks so effective. FaceDancer 2.0 provides rich capabilities for fuzzing USB hosts and making them more robust.

The recording:



Eh, SHA2017 is over... But Still Hacking Anyway!

Blocking double-free in Linux kernel

30 August 2017, 16:01
On 7 August the Positive Technologies expert Alexander Popov gave a talk at SHA2017. SHA stands for Still Hacking Anyway; it is a big outdoor hacker camp in the Netherlands.

The slides and recording of Alexander's talk are available.



This short article describes some new aspects of Alexander's talk, which haven't been covered in our blog.

The general method of exploiting a double-free error is based on turning it into a use-after-free bug. That is usually achieved by allocating a memory region of the same size between double free() calls (see the diagram below). That technique is called heap spraying.



However, in case of CVE-2017-2636, which Alexander exploited, there are 13 buffers freed straightaway. Moreover, the double freeing happens at the beginning. So the usual heap spraying described above doesn't work for that vulnerability. Nevertheless, Alexander has managed to turn that state of the system into a use-after-free error. He abused the naive behaviour of SLUB, which is currently the main Linux kernel allocator.

It turned out that SLUB allows consecutive double freeing of the same memory region. In contrast, the GNU C library allocator has a "fasttop" check against it, which introduces a relatively small performance penalty. The idea is simple: report an error on freeing a memory region if its address is the same as the last one on the allocator's "freelist".

A similar check in SLUB would block some double-free exploits in the Linux kernel (including Alexander's PoC exploit for CVE-2017-2636). So Alexander modified the set_freepointer() function in mm/slub.c and sent the patch to the Linux Kernel Mailing List (LKML). It provoked a lively discussion.
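A toy model of that check, as an added example that is neither the kernel's code nor Alexander's patch: a miniature slab whose free objects form an intrusive singly linked freelist, a toy_free() that refuses an object already at the head of the list, and the interleaved free(a) free(b) free(a) case that a head-only comparison cannot see. All names (toy_slab, toy_alloc, toy_free) are invented for the illustration; the real set_freepointer() in mm/slub.c is considerably more involved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy single-size-class slab: free objects are threaded into an intrusive
 * singly linked list through their first word, as SLUB's freelist is.
 * OBJ_SIZE is a multiple of sizeof(void *) and mem follows pointer-sized
 * members, so storing a pointer at the start of each object is fine. */
#define OBJ_SIZE 64
#define NOBJS 8

struct toy_slab {
    void *freelist;            /* head of the free list, NULL when exhausted */
    bool harden;               /* emulate the CONFIG_SLAB_FREELIST_HARDENED check */
    int double_free_reports;   /* how many frees the check rejected */
    unsigned char mem[OBJ_SIZE * NOBJS];
};

static void toy_slab_init(struct toy_slab *s, bool harden)
{
    s->freelist = NULL;
    s->harden = harden;
    s->double_free_reports = 0;
    for (int i = NOBJS - 1; i >= 0; i--) {   /* push every object, last first */
        void *obj = s->mem + (size_t)i * OBJ_SIZE;
        *(void **)obj = s->freelist;
        s->freelist = obj;
    }
}

/* Pop the freelist head; NULL when the slab is empty. */
static void *toy_alloc(struct toy_slab *s)
{
    void *obj = s->freelist;
    if (obj != NULL)
        s->freelist = *(void **)obj;
    return obj;
}

/* Push obj onto the freelist. With hardening on, an object that already is
 * the freelist head is refused: that is exactly what a consecutive double
 * free looks like, and the single pointer comparison is the whole cost.
 * Returns 0 on success, -1 when the free was rejected (the kernel oopses). */
static int toy_free(struct toy_slab *s, void *obj)
{
    if (s->harden && obj == s->freelist) {
        s->double_free_reports++;
        return -1;
    }
    *(void **)obj = s->freelist;
    s->freelist = obj;
    return 0;
}

/* Free one object twice in a row, then allocate twice. Returns true when
 * both allocations return the same address: the freelist now points at
 * itself, which is the use-after-free state the post describes. */
static bool consecutive_double_free_aliases(bool harden)
{
    struct toy_slab s;
    toy_slab_init(&s, harden);
    void *a = toy_alloc(&s);
    toy_free(&s, a);
    toy_free(&s, a);                 /* the bug: second free of the same object */
    void *x = toy_alloc(&s);
    void *y = toy_alloc(&s);
    return x == y;
}

/* Caveat: comparing against the head only cannot see a double free with
 * another free in between (a, b, a). Returns the number of rejections,
 * which stays 0 for this pattern even with hardening on. */
static int interleaved_double_free_reports(void)
{
    struct toy_slab s;
    toy_slab_init(&s, true);
    void *a = toy_alloc(&s);
    void *b = toy_alloc(&s);
    toy_free(&s, a);
    toy_free(&s, b);
    toy_free(&s, a);                 /* slips past the head check */
    return s.double_free_reports;
}

int main(void)
{
    printf("unhardened, free(a) free(a): allocations alias = %d\n",
           consecutive_double_free_aliases(false));
    printf("hardened,   free(a) free(a): allocations alias = %d\n",
           consecutive_double_free_aliases(true));
    printf("hardened,   free(a) free(b) free(a): reports = %d\n",
           interleaved_double_free_reports());
    return 0;
}
```

The interleaved case is why the maintainers could point at slub_debug as the thorough (and expensive) alternative: the cheap head comparison is a tripwire for the common consecutive pattern, not a full double-free detector.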

The SLUB maintainers didn't like that this check:

  1. introduces some performance penalty for the default SLUB functionality;
  2. duplicates some part of already existing slub_debug feature;
  3. causes a kernel oops in case of a double-free error.

Alexander replied with his arguments:

  1. slub_debug is not enabled in Linux distributions by default (due to the noticeable performance impact);
  2. when the allocator detects a double-free, some severe kernel error has already occurred on behalf of some process. So it might not be worth trusting that process (which might be an exploit).

Finally Kees Cook helped to negotiate adding Alexander's check behind the CONFIG_SLAB_FREELIST_HARDENED kernel option. So currently the second version of Alexander's patch is accepted and applied to the linux-next branch. It should get to the Linux kernel mainline in the near future.

We hope that in the future some popular Linux distribution will provide the kernel with the security hardening options (including CONFIG_SLAB_FREELIST_HARDENED) enabled by default.