Thursday, 24 November 2016

Open Source Honeypot for Mirai Detection

Cymmetria Research is releasing an open source honeypot for Mirai detection, a specific tool built to match what Mirai expects, based on its source code. MTPot was developed by Dean Sysman, Co-Founder & CTO; Itamar Sher, Head of Research; and Imri Goldberg, Co-Founder & VP R&D, at Cymmetria.
Mirai has been in the news since the huge DDoS attack on Dyn in October (“DynDOS”), which overwhelmed Internet service providers and caused multiple disruptions, making DDoS a key concern for security teams and businesses worldwide.
According to the company, a need arose for a very lightweight honeypot with which one could collect verified Mirai Indicators of Compromise (IoCs), specifically the IP addresses trying to compromise IoT systems and the malware samples they infect them with.
Before any DDoS is launched, Mirai first compromises IoT devices (over telnet, using default credentials) to build the infrastructure the attack is launched from. That infection attempt is what Cymmetria's honeypot aims to detect.
The Mirai honeypot functionality includes the ability to:
·         Accept incoming telnet connections on any configured port (equivalent to listening on that port).
·         Specifically identify the Mirai version the researchers analysed (the open-source release), based on the sequence of commands it sends to the emulated service.
·         Adjust the parameters used to identify Mirai (the port and the expected commands).
·         Report events to a syslog server.
·         Collect the malware samples Mirai tries to infect the honeypot with (currently this crashes Mirai instead; see the note below).
The company says there was a limit to how much debugging time it could invest in Mirai, and this last function (collecting samples) does not currently work: instead of delivering the sample, Mirai crashes when it receives the input it expects.
Usage of the tool is simple, but like any other low-interaction honeypot it is limited by its nature as an emulation of a service. The emulation is driven by the requests Mirai sends over its telnet connection, as seen in the Mirai source code published on GitHub, so it can be fingerprinted by anyone who puts their mind to it.
The Mirai honeypot can be downloaded from Cymmetria's GitHub. The company also offers MazeRunner Community Edition, a free version of Cymmetria's enterprise cyber deception platform.
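To make the detection idea concrete, here is an added example of the same technique, written for this page and not taken from MTPot or Cymmetria: an emulated telnet login that records the credentials tried, replays the BusyBox "applet not found" reply the scanner checks for, classifies the session by the command sequence, and emits one syslog-style IoC line per connection. The post-login dialogue it matches (enable, system, shell, sh, then a /bin/busybox <TOKEN> probe) is the one in the released Mirai scanner source and is treated here as an assumption; the BusyBox banner, the example peer address and the credentials in the test are constructed. Like MTPot, this is a low-interaction emulation and is trivially fingerprintable; it is for collecting IoCs, not for surviving scrutiny.

```python
"""Minimal telnet honeypot that flags Mirai-style sessions (added example, not MTPot's code)."""
import asyncio
import logging
import logging.handlers
import re
from typing import List, Optional, Tuple

# ASSUMPTION: the post-login dialogue of the released (open-source) Mirai scanner:
# "enable", "system", "shell", "sh", then "/bin/busybox <TOKEN>", expecting the
# reply "<TOKEN>: applet not found". Other variants may differ; keep this configurable.
MIRAI_PREFIX = ("enable", "system", "shell", "sh")
BUSYBOX_PROBE = re.compile(r"^/bin/busybox\s+([A-Za-z0-9]{2,16})$")
MAX_COMMANDS = 16            # enough to see the probe; caps abuse of the emulated shell

log = logging.getLogger("telnet-honeypot")


def strip_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC <cmd> <opt>) so only typed input remains.
    Simplification: IAC SB ... IAC SE subnegotiation is not handled."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            if data[i + 1] == 0xFF:      # escaped literal 0xff byte
                out.append(0xFF)
                i += 2
            else:                        # IAC cmd opt: three bytes, all dropped
                i += 3
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def classify(commands: List[str]) -> Tuple[str, Optional[str]]:
    """(verdict, busybox_token) for the commands typed after login:
    "mirai"      exact enable/system/shell/sh prefix followed by a busybox probe
    "suspicious" a busybox probe without that prefix (variant or copycat)
    "unknown"    anything else (admins, other scanners)"""
    cmds = [c.strip() for c in commands if c.strip()]
    token = next((m.group(1) for m in map(BUSYBOX_PROBE.match, cmds) if m), None)
    if token is None:
        return "unknown", None
    if tuple(cmds[: len(MIRAI_PREFIX)]) == MIRAI_PREFIX:
        return "mirai", token
    return "suspicious", token


def ioc_record(peer: str, user: str, password: str, commands: List[str]) -> str:
    """One syslog-friendly line per session: the verified IoC the honeypot exists to collect."""
    verdict, token = classify(commands)
    return (f"honeypot=telnet src={peer} verdict={verdict} user={user!r} "
            f"password={password!r} busybox_token={token} ncmd={len(commands)}")


async def _readline(reader: asyncio.StreamReader) -> str:
    data = await asyncio.wait_for(reader.readline(), timeout=30)
    if not data:
        raise ConnectionError("client closed")
    return strip_iac(data).decode("latin-1").strip("\r\n")


async def handle_client(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Emulate just enough of a BusyBox telnet login for the scanner to run its dialogue."""
    peer = "%s:%d" % tuple(writer.get_extra_info("peername")[:2])
    user = password = ""
    commands: List[str] = []
    try:
        writer.write(b"login: ")
        user = await _readline(reader)
        writer.write(b"Password: ")
        password = await _readline(reader)
        writer.write(b"\r\nBusyBox v1.19.3 built-in shell (ash)\r\n# ")   # constructed banner
        while len(commands) < MAX_COMMANDS:
            cmd = await _readline(reader)
            commands.append(cmd)
            m = BUSYBOX_PROBE.match(cmd.strip())
            if m:                         # the reply the scanner checks for
                writer.write(f"{m.group(1)}: applet not found\r\n".encode())
            writer.write(b"# ")
            await writer.drain()
    except (ConnectionError, asyncio.TimeoutError):
        pass
    finally:
        log.warning(ioc_record(peer, user, password, commands))
        writer.close()


def main(port: int = 2323, syslog: Optional[Tuple[str, int]] = None) -> None:
    """Listen on `port`; report to a UDP syslog collector if (host, port) is given, else stderr."""
    handler = logging.handlers.SysLogHandler(address=syslog) if syslog else logging.StreamHandler()
    logging.basicConfig(level=logging.INFO, handlers=[handler], format="%(asctime)s %(message)s")

    async def serve() -> None:
        server = await asyncio.start_server(handle_client, "0.0.0.0", port)
        async with server:
            await server.serve_forever()

    asyncio.run(serve())


if __name__ == "__main__":
    main()                                # e.g. main(23, ("10.0.0.5", 514)) in production
```

Mirai scans port 23, so a real deployment binds there (which needs privileges or a port redirect); the default of 2323 is only to let the script run unprivileged. The verdict is deliberately three-valued: a busybox probe without the exact prefix is worth logging as "suspicious" because variants change the command list, and every session, including "unknown", still yields the tried credentials as an IoC.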

The Threat of Connected Devices to the Internet

At least three consecutive waves of complex online attacks were directed at the Domain Name System (DNS) servers operated by Dyn, a US internet infrastructure provider, on October 21, 2016. The Distributed Denial of Service (DDoS) attack blocked access to thousands of websites, including Netflix, Amazon, Twitter, Airbnb, the New York Times and PayPal. Suspicion immediately centered on Russia and China as having both the motivation and the ability to plan and execute such an attack, yet as of this writing it is not at all clear that the attack was state-motivated. After the attack, it was reported that a hacker group calling itself New World Hackers, said to be Chinese and Russian, claimed responsibility and described a sophisticated botnet attack at higher traffic rates than ever known before: 1.2 terabits per second (Tbps).
The attack exploited vast numbers of connected devices (in an announcement to the media, Dyn stated that some 100,000 devices were involved). These devices, collectively known as the Internet of Things (IoT), include webcams, alarm systems, baby monitors, internet-connected security cameras, DVRs, printers, and routers. The attackers managed to plant a software component in these devices that could receive commands from a control server, so that the masses of devices all sought out the target in a synchronized manner and paralyzed the attacked servers by flooding them with traffic. The vast majority of these devices lack any kind of significant defenses; access to most of them is obtained through the default usernames and passwords set by the manufacturer. There is as yet no effective concept for responding to this type of threat.
The threat inherent in the swarm of connected devices is not new. As early as 2013, Symantec reported the existence of a worm called Linux.Darlloz that, according to estimates, infected some 50,000 connected IoT devices, such as routers and set-top boxes, as well as computers based on Intel's x86 architecture. Its goal was to install software allowing the attackers to mine cryptocurrency. In 2015, Symantec issued a detailed report on weaknesses that make it possible to break into 50 different kinds of smart home devices. In its April 2016 report, the company stated that medical devices (such as insulin pumps, X-ray systems, and CT scanners) are also exposed to attack, as are smart TV systems and dozens of other devices of all types.
Even though the ability to penetrate these devices and carry out extensive DDoS attacks through them was not surprising, the intensity of the attacks demonstrated the destructive capability of a large number of synchronized simple devices. The attack surpassed the previous record for the largest DDoS attack ever, set in September 2016 against the French hosting company OVH at a scale of about 1 Tbps by a botnet of compromised CCTV cameras. In many respects this is a dangerous escalation, and it sets a new threshold for a cyber threat that on several levels so far has no satisfactory response.
The first aspect is connected to the proliferation of these devices. In the US, there are about 25 connected devices per every 100 people, and this is just the beginning of the trend. Gartner Inc. estimates that in 2016 the world will have 6.4 billion connected devices, and that by 2020 that number will approach 21 billion. Such a vast number of devices creates a significant weakness for the web and allows attackers of various sorts to use them for any number of goals. The new twist in the most recent attack was the simplicity with which it was carried out. Millions of devices can serve as the potential means for DDoS cyberattacks whose execution is relatively simple, because the devices create new entrance points to the internet, making the scope of the threat enormous. The threat grows even greater because end devices, such as smartphones and computers, are used to control the connected devices.
The second aspect concerns the weakness of the defense. Most IoT devices lack appropriate security measures, making it easy for attackers to exploit weaknesses in the systems operating the devices. The majority of manufacturers have yet to adopt a framework of security standards; they generally use publicly available open code so that their devices can communicate with other similar devices nearby, and this itself generates severe security soft spots. Important corrective steps have been initiated in the United States, as security companies, manufacturer associations, and even government agencies have begun to cooperate, but these steps are far from constituting a sufficient defensive response.
The third aspect regards the scope and depth of the damage. The attack on Dyn was a clear warning sign: while the offensive capabilities displayed in the attacks did not require anything particularly sophisticated, the impact was significant. The fact that the malicious code was made public prepared the ground for other attacks that will make use of this or similar code, and raises the specter that the writers of the code already possess an improved version. Thus the use of similar methods of attack will presumably be seen again, perhaps even in more powerful versions.
Finally, there is privacy. One of the key problems with connected devices is securing user privacy. Connected devices constantly collect information about their users, at home and in the office, including how equipment and electrical appliances are used, as well as data from wearable devices, whose use is becoming more widespread. The inherent defensive weaknesses of these devices mean that all of that information could be available to attackers intent on subversion.
The weakness shown in the last attack is not the burden of the private sector alone. The use of armies of connected devices is a challenge for the state, because it has the capability to harm the routine performance of governments and, worse still, disrupt performance during emergencies and in wartime. Because the risk is real, defending connected devices is an enormous challenge. In response to the attack on Dyn, the United States government was called on to enact regulation on the security of IoT products. Indeed, this seems precisely where efforts should be focused, with measures similar to the steps taken in the financial sector. Although the problem is global, Israeli entities charged with cyber security must fully understand the risk of exposure to such attacks and take action by partnering with international efforts on the issue, while at the same time taking steps to enhance the relevant defensive mechanisms and their continued performance in order to cope with this type of attack.

NITA committed to strict cyber security

He explained that with its oversight responsibility for the Electronic Transactions Act (Act 772), which is used to curb cybercrime, NITA, with support from stakeholders such as the law enforcement agencies and the judiciary, was empowered to ensure that the Act was implemented to the letter.
Mr Atta-Boateng made these remarks, in a speech read on his behalf in Accra, at a Computer Security Incident Response Team training workshop.
He said the recent Security Governance Initiative with the United States Government and the GLACY+ capacity building programme with the Council of Europe, in which NITA was fully involved, would give Ghana the capacity needed to implement the recently approved Cyber Security Policy and Strategy and improve the fight against cybercrime.
He said NITA had been mandated to lead in the development and implementation of cyber security policy and strategy to make Ghana a safe place in cyberspace.
“NITA was actively involved in the development of the national policy on cyber security and would be a principal player in the implementation,” he said.
“NITA is the Government’s ICT service player and it has rolled out an elaborate wireless and fibre optics network across the country.
“It has also developed and is managing the National Datacentre Infrastructure currently being used by both public and private sectors entities,” Mr Atta-Boateng added.
He said NITA, as a manager of the huge ICT Infrastructure, was very mindful of the security of the network and must ensure that the network was always up to ensure that the government’s business was not impeded.
He said that in view of this NITA had set up NITACERT in 2012, the first Computer Security Incident Response Team (CSIRT) in Ghana, to manage incidents that occurred on the network.
With the establishment of the national CSIRT, CERT-GH, in 2014 by the Ministry of Communication, NITACERT now worked closely with CERT-GH to secure its network elements.
Mr Atta-Boateng said NITA currently hosted CERT-GH and supported its operation in line with its commitment to ensuring that Ghana's cyberspace was safe.
“It is on this note that NITA has partnered with other stakeholders in the private sector and civil society to promote awareness of cyber security by organising the cyber security initiative this year,” he said.
He said under the security governance initiative, more capacity building and awareness creation activities would begin next year.
The training workshop, which is part of the 2016 National Cyber Security Week celebration, is intended to make participants aware of computer security incident response teams and their role in ensuring cyber security.
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programmes and data from attack, damage or unauthorised access.
Mr Eric Akumiah, CERT-GH Manager, Ministry of Communication, said the best way of ensuring cybersecurity was through creating awareness on it.
He noted that 70 per cent of cyber security could be attributed to awareness creation and 30 per cent to technical; adding that, an awareness creation would allow the country to have a firm grip and know what to do.
He said the workshop was to create a high level of cyber security awareness and show how to be more responsive to it.
Mr Kenneth Adu-Amanfoh of the National Communication Authority, said the Authority in collaboration with NITA, would ensure that the National Cyber Space was free from criminals.
He said as regulators of the telecommunications sector, the Authority would ensure that consumers got the best services from the operators.
Mr Marcus Adomey, the Chief Operations Manager, AfricaCERT, noted in his presentation that the internet had no respect for national borders; hence, there was the need for an appropriate structure to deal with cyber crime.

How Israel Built One Of The World’s Most Powerful Cyber Armies

In the last few years, along with the United States, UK, China and Russia, Israel has become a superpower in the world of government hacking and cyber espionage.
Israeli cyberspies are believed to have worked with NSA hackers to develop Stuxnet, the world’s first cyberweapon. And many of its cyberspies and warriors have moved to the private sector to launch companies worth hundreds of millions of dollars that have a footprint all over the globe, such as Cellebrite or the NSO Group. How did such a small country become such a big player in the world hacking stage?
At the core of Israel’s success in cyberspace is a military intelligence corps named Unit 8200, which specializes in sophisticated hacking and espionage operations. Young Israeli geeks vie to get into Unit 8200 to have a chance to work within a team tasked with carrying out cutting-edge missions, and the license to hack and spy on almost anyone.
“You get 18 or 19-year-olds to deal with the most exciting stuff that anyone can deal with, espionage!” said Ronen Bergman, an investigative journalist at Yedioth Ahronoth.
After they leave service, they can leverage the experience and prestige of Unit 8200 to get practically any cybersecurity job or get funding to launch a company. That’s why kids in high school dream about joining Unit 8200, and that’s why the Israeli government has set up a program to nurture and recruit high school kids interested in computers.
A zero-day vulnerability in InPage publishing software, used primarily in Urdu, Pashto and Arabic-speaking nations, has been publicly exploited in attacks against financial institutions and government agencies in the region. While there are more than 10 million InPage users in Pakistan and India alone, there are a significant number of users in the U.S., U.K. and across Europe as well.
Researchers at Kaspersky Lab today disclosed the vulnerability after a number of attempts to privately report the bug to InPage were ignored. “We have informed the vendor of the affected software of the existence of the vulnerability, but have received no reply, while the attacks continue,” Kaspersky Lab said in a statement. “We have also informed the Indian CERT and received the reply that the organization’s specialists are looking into the issue.”
Kaspersky Lab said it’s possible a number of criminal or nation-state actors are using this exploit, since it has recorded several different attacks against banks in Asia and Africa, as well as others targeting government agencies. The exploit is spreading via phishing campaigns and was discovered during a separate investigation in September, when Kaspersky Lab researchers found a file with a .inp extension that, on analysis, contained shellcode inside a Microsoft OLE file, a file format that has been used in a number of Office exploits dating back to 2009. The researchers detected a number of different payloads and command and control servers used in the respective attacks. A list of C2 servers and indicators of compromise has been published as well.
Kaspersky Lab’s analysis of some of the emails shows that the attackers used other exploits delivered as .rtf and .doc files in conjunction with the InPage exploit. The attacks dropped different versions of particular keyloggers and backdoors on victims’ machines.
The vulnerability in question is in a parser in the main InPage module. “The parser in the software’s main module ‘inpage.exe’ contains a vulnerability when parsing certain fields,” Kaspersky Lab said. “By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution.” The shellcode found in the document first looks for certain patterns in the virtual memory space before launching a decoder that obtains an instruction pointer and decrypts the next stage of the attack. At that point, a downloader grabs and executes the payload.
Kaspersky Lab researchers said the attacks are similar to attacks exploiting vulnerabilities in the Hangul Word Processor against government targets in South Korea. Researchers at FireEye last year found such an attack and linked the payloads and command and control infrastructure used to North Korea. “Despite our attempts, we haven’t been able to get in touch with the InPage developers,” Kaspersky Lab said. “By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems.”

See more at: InPage Zero Day Used in Attacks Against Banks

Attackers use ancient zero-day to pop Asian banks, govts

Attackers are compromising governments and banks across Asia by exploiting a years-old zero-day vulnerability in the desktop publishing application InPage, which is aimed at users working in Urdu or Arabic.
Kaspersky Lab analyst Denis Legezo found the attacks and reported the zero-day to InPage, which he says ignored his disclosures.
Legezo says InPage has some 19 million users: 10 million in Pakistan, six million in India, two million in the UK, and one million in the US.
If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.
"We don’t observe any public mentions of [the InPage] exploit so we consider it a zero day."
Legezo found live attacks, likely from multiple groups, using the zero-day vulnerability against unnamed banks and governments in Myanmar, Sri Lanka and Uganda.
Criminals are attaching multiple InPage files and also exploiting old bugs through attached .rtf and .doc files.
The analyst found several keyloggers and backdoors within the phishing emails used to attack InPage users.
He says the parser within the proprietary InPage file format contained a vulnerability that allowed attackers to gain control of instruction flow and then remote code execution.
"By all appearances, this newly discovered exploit has been in the wild for several years," Legezo says.
Hackers have previously targeted regionally specific software. Several exploits have been found in the Hangul Word Processor, used almost exclusively in South Korea, in what Legezo says are attacks against Korean interests.
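Both the Threatpost and Register write-ups above describe the same delivery path: phishing mail carrying .inp attachments, alongside older .rtf and .doc exploits, where the malicious document holds shellcode inside an OLE container and a decoder that recovers its own instruction pointer before fetching a payload. What a defender at a newsroom or bank can do without a vendor patch is triage the attachments at the mail gateway. The following is an added example written for this page, not Kaspersky's or InPage's code and not a signature for the InPage bug itself. It assumes a benign .inp is an OLE2 compound file (the analysis describes the malicious sample that way; verify against a known-good document before relying on the mismatch rule) and applies only generic heuristics: extension/magic mismatch, the `call $+5 / pop` idiom position-independent shellcode uses to get its address, an embedded PE image, `\objdata`/`\objupdate` in RTF, and URL literals in a binary document. The message and both attachments in `build_sample_eml` are constructed, not real samples.

```python
"""Mail-gateway triage for InPage/Office attachments (added example; not Kaspersky's code)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # OLE2 compound file header
# ASSUMPTION: a benign .inp is an OLE2 container (the malicious sample was one);
# confirm against a known-good document before deploying the mismatch rule.
EXPECTED_MAGIC = {"inp": OLE_MAGIC, "doc": OLE_MAGIC, "rtf": b"{\\rtf", "docx": b"PK\x03\x04"}

# Generic heuristics, not signatures for the InPage bug itself.
HEURISTICS = {
    # call $+5 ; pop reg: position-independent code recovering its own address
    "call_pop_get_eip": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
    # OLE object embedded in RTF, refreshed on open (\objupdate) or carried inline
    "rtf_ole_object": re.compile(rb"\\obj(?:data|update)"),
    # a literal URL inside a binary document is a cheap downloader indicator
    "url_literal": re.compile(rb"https?://[\x21-\x7e]{6,}"),
}


def has_embedded_pe(data: bytes) -> bool:
    """True if some 'MZ' in the blob points, via e_lfanew, at a 'PE\\0\\0' signature."""
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            return True
    return False


def triage_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Score one attachment: magic/extension mismatch, heuristic hits, unpatched-format bonus."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED_MAGIC.get(ext)
    magic_ok: Optional[bool] = None if expected is None else data.startswith(expected)
    hits: List[str] = [k for k, rx in HEURISTICS.items() if rx.search(data)]
    if has_embedded_pe(data):
        hits.append("embedded_pe")
    # .inp gets a point on its own: the vendor has not patched, so the format is live risk
    score = len(hits) + (2 if magic_ok is False else 0) + (1 if ext == "inp" else 0)
    verdict = "block" if score >= 3 else "review" if score >= 1 else "allow"
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "magic_ok": magic_ok,
            "hits": hits, "score": score, "verdict": verdict}


def triage_message(raw: bytes) -> List[Dict[str, object]]:
    """Parse an RFC 5322 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_content()
        if isinstance(payload, str):                  # text/* parts come back decoded
            payload = payload.encode(part.get_content_charset() or "utf-8", "replace")
        results.append(triage_attachment(name, payload))
    return results


def build_sample_eml() -> bytes:
    """CONSTRUCTED test message: two synthetic attachments, not real malware samples."""
    msg = EmailMessage()
    msg["From"] = "layout@example.net"
    msg["To"] = "editor@example.org"
    msg["Subject"] = "Updated pages for tomorrow's edition"
    msg.set_content("Please see the attached pages.")
    # OLE header, padding, a call/pop stub and a plaintext download URL (synthetic)
    fake_inp = (OLE_MAGIC + b"\x00" * 504 + b"\xe8\x00\x00\x00\x00\x5b"
                + b"http://203.0.113.10/stage2.bin" + b"\x00" * 64)
    msg.add_attachment(fake_inp, maintype="application", subtype="octet-stream",
                       filename="layout.inp")
    fake_rtf = b"{\\rtf1\\ansi{\\object\\objocx\\objupdate{\\*\\objdata 0105000002000000}}}"
    msg.add_attachment(fake_rtf, maintype="application", subtype="rtf", filename="notes.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_message(build_sample_eml()):
        print(r["verdict"].upper(), r["name"], r["hits"], r["sha256"][:16])
```

The SHA-256 of each attachment is computed so that a "block" verdict can be matched against the published indicators of compromise and fed back as an IoC; the heuristics deliberately err toward "review" rather than "allow", because an unpatched parser means even a clean-looking .inp from an unknown sender deserves a look, and a magic mismatch (a .doc that is really a ZIP, say) is treated as worth two hits on its own.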