Security News for the Week Ending January 14, 2022

Hackers Sending Malware Filled USB Sticks in the Mail

Old, tried and true techniques continue to work: hackers have been sending malware-filled USB sticks through the postal service and UPS to defense, transportation and insurance companies, hoping that someone who skipped their security awareness training plugs the drive into a work computer. It just shows that hackers do not need to keep inventing new tricks; the old ones continue to work. Credit: Gizmodo

Norton Installs Cryptomining Software on Users’ Computers

Norton and its sister company Avira, both owned by the same parent, are installing cryptomining software as part of the default install. Norton turns it on automatically, since they get 15% of anything you earn; Avira has it off by default. If Norton is still on your approved list (it went off our list years ago), you should probably remove it. Credit: Brian Krebs

White House Hosts Open Source Security Summit

In the wake of the Log4j and other open source software attacks, the White House hosted a summit this week with the likes of Akamai, Amazon, Apache, Apple, Cloudflare, Facebook, Google, IBM and others to discuss how to improve open source security. While no “results” have been announced yet, the fact that the summit was called and led by Anne Neuberger is an acknowledgement that “Houston, we have a problem”. Open source is used throughout the IT world, including critical infrastructure, and much of that software is either not maintained at all or maintained by volunteers; with millions of open source packages in circulation, there is no easy solution. Stay tuned; we might be able to do something for a few of the larger, more important packages. Ultimately, both the responsibility and the liability rest with the companies that use open source, and that should not be much comfort to anyone. Credit: Data Breach Today

Canon’s Printer DRM Comes Back to Haunt Them

Consumer printer makers make most of their money selling you toner and ink, so years ago they came up with the idea of putting chips in the cartridges to try to stop you from using low-cost supplies. But now they can’t get chips, so they are making cartridges without the chips, which causes their customers’ printers to raise alarms. As a result, Canon is telling their customers how to break their own DRM. Not to worry though, Canon says they will go back to trying to hurt their competitors when the chip market eases up. Credit: Gizmodo

Car Makers Say Giving Owners Data From Their Cars Will Embolden Sexual Predators

Car owners have been trying for years to force car makers to give them the tools they need to repair their own cars. One of those tools is the data that their cars generate. If car owners could repair their own cars, car makers would lose billions of dollars in revenue. Massachusetts voters overwhelmingly voted in a right to repair law in 2020, even though car makers spent $26 million explaining why letting people repair their own cars was bad, even claiming it would embolden sexual predators. Now they are saying the law is unconstitutional. Anything to try and stop the revenue drain. Credit: Vice

Researcher Demonstrates How to Melt Power Lines in New York

Actually, they just used New York as an example, but the researchers literally melted the copper power lines. Once the power lines were vaporized, well, there was no more power.

The good news is that this was just a demonstration, but definitely a scary one.

Worse yet, the device the team hacked was the overload protection device. So the device that was added to the electric grid to protect it became a traitor and attacked the grid – or at least watched quietly while the attack took place.

Start by realizing that there is no such thing as hardware anymore. Yes, there are metal things, but making them work requires software. This software is what the team at Red Balloon attacked.

Schneider Electric, which makes this protection relay, has now released a patch for the bug.

Of course, getting it installed is a different story.

The researchers tested two other protection relays but did not find anything significant in those two.

Credit: Yahoo News

An engineer at cybersecurity firm Mandiant said that even if a relay like this failed, power could be back up and running to affected customers within hours. I think this guy should stick to software, because he clearly does not understand hardware (the guy, Chris Sistrunk, is a technical manager at Mandiant and focuses on industrial control systems).

Here is where his thinking breaks down.

**IF** all that happens is the hacker causes one relay to fail, then yes, you can replace that relay quickly and fire up the power to the network behind it.

But what if, as in the demonstration, the overload causes miles of wire to melt? Does he really think that they can replace that wire in a few hours? I don’t think so.

As always, the devil is in the details.

I see announcements from CISA every week – dozens of them – for patches to industrial control system software and firmware.

Likely, many of those systems will never be patched because system operators are scared that if they do patch them, they will not come back online. This is not a completely unreasonable concern.

We are not just talking about electricity. Water, sewer, natural gas, chemical plants, refineries and on and on. We already saw this with the Colonial Pipeline attack. It does not take much.

Bottom line, critical infrastructure managers need to work hard to stay ahead of the hackers.

The Layers of Effective Endpoint Security

As hackers become smarter, generate more and more effective attacks and users continue to work from almost anywhere, IT teams have to get smarter about effective endpoint security. This is going to take a layered approach. This includes moving towards zero-trust. Here are some recommendations.

  1. Signature and heuristic-based detection – this is what most traditional endpoint protection solutions have used for years (AKA anti-virus and anti-malware). Historically, this is where endpoint protection stopped. Now it is where it starts.
  2. Contextual detection – this is where machine learning comes in. Even with unknown malware, ransomware and other bad stuff, looking at the context of what is being done can allow you to detect activity which is out of the ordinary.
  3. Anti-exploit technology – this is where you do continuous monitoring to block zero-days, fileless malware and more. This requires technology that can track all actions taken by all processes to look for anomalies.
  4. Add the cloud to the mix – Now that you have all of this data, across all of the endpoints of the enterprise, including the end users, servers, the corporate cloud and the public cloud, what do you do with that data? You need a set of tools that can analyze that data in real time, mix in threat intelligence from other sources and likely, even, throw in a pinch of human analysis, and then feed that back into each endpoint so that it can adjust its protection techniques. (Note that the referenced article at the end says that only one vendor does this. That is actually not true. I am sure that only one vendor does it in the very particular way they do it, but that doesn’t mean that many other vendors don’t do the same thing in their own way.)
  5. Threat hunting service – this is where the humans come in, and it takes specialized expertise. People look at the data coming from the endpoints and make sense of it. It is certainly possible that you are the only company on the planet that is being hacked in a particular way – but I seriously doubt it. Even if that were true, the techniques used by hackers are often reused, allowing an experienced threat hunter to detect those patterns.

Doing this is not simple and, unfortunately, not cheap. We have reviewed a lot of tools and have found the best and the brightest. And the most cost-effective. You can also do this incrementally, because you are going to have to integrate IT business processes to make this effective.

However, if you don’t start, you will never get there.

The hackers are not going to wait for you. Unfortunately.

Credit: CSO Online

Security News for the Week Ending January 7, 2022

New Attack Exploits Microsoft Software Signing Verification

Software released by Microsoft and other vendors is digitally signed so that users can validate that it really came from the vendor in question and that it has not been modified since the vendor created it.

However, hackers have figured out how to bypass the security provided by Microsoft’s digital signature verification process, allowing them to add malware while leaving the signature intact.

According to security firm Check Point, here is how the malware that they have detected works. The problem is, however, much bigger than this. Now that the technique is public, this could be used to modify any already signed software leaving the signature intact.

This particular attack begins by installing Atera software on a victim’s machine. Atera is a legitimate remote maintenance product (like Kaseya, which was compromised last year) used by Managed Service Providers (MSPs). In this case, the victim did not know that they were installing Atera; they thought they were installing a Java update.

Check Point is still trying to figure out exactly how the Atera software was deployed in this case, but in earlier cases, the hacker played a short clip of adult content and then told the victim that they needed to install this Java update, which was really malware.

Once the Atera software is on the victim’s computer, the hacker tells Atera to download and run two batch files. One changes Windows Defender’s preferences so that it does not check certain folders and file types, and the other installs the malware.

Next the attacker runs MSHTA with a particular DLL as the parameter. The catch is that the DLL had malicious scripts added to it. Due to an oversight by Microsoft, adding the script does not invalidate the signature.

Microsoft FIXED this bug in 2013 – that’s right, 9 years ago – but they reversed course in 2014 after discovering that the fix broke some customer software. Microsoft, in its perpetual effort to be customer friendly, decided to totally compromise their customers’ security rather than telling their customers to re-sign their software.

Now that decision is coming back to bite them in the ….. (fill in the blank).

It looks like the way they disabled it was to change the fix (for CVE-2020-1599, CVE-2013-3900 and CVE-2012-0151) from a mandatory install to an optional one. As a result, most users do not have it installed.

The fix is to install the update, understanding that it might break some software: see Microsoft Security Advisory 2915720 on Microsoft Docs.

Credit: MSN and Dark Reading

Supply Chain Attacks Are Rampant

Today’s supply chain attack is interesting. I guess I can say that because it didn’t happen to a web site that I own and my information didn’t get stolen.

Here is the situation. Many web sites have embedded videos on them. In this case, most of the sites affected were real estate web sites and they often have virtual tour videos on the web page. In order to play a video, you need a video player. There are many video players that you can choose from, but what almost no one does is write their own video player.

Palo Alto Networks found over a hundred affected web sites, many or most of which (depending on which story you read) belong to the real estate firm Sotheby’s.

What happened? Somehow a malicious version of the video player got loaded onto these web sites. When a visitor went to the site, the video player code was downloaded to the visitor’s computer. In this case, the malware was a data skimmer, which steals information that the user provides to the website. It could be name and address information or it could be credit card information. The information can be used for social engineering or financial crimes.

The malware is polymorphic, meaning that no two copies of the malware are the same, making it difficult to detect and block. The code is also obfuscated, which makes it difficult to read and understand, so even if you tried to figure out whether it was malicious, it is unlikely that you could.

Now that this particular attack has become public, hackers all over the world are going to copy it. All it takes is a web site hosting the code with lax security. The hacker can then compromise the code and wait for a developer to use it.

This is not at all limited to video players, even though there are thousands of them. Any bit of shared code that is hosted in the cloud and linked to by developers is a valid target.
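One control that addresses exactly this risk, a hosted script changing underneath the sites that link to it, is Subresource Integrity: the page pins the hash of the reviewed file, and the browser refuses to run a copy whose bytes differ. The example below is added here and is not from the article or from the sites involved; it computes the `integrity` value, renders the tag, and mimics the browser-side check against a constructed player script and a modified copy (the URL is hypothetical).

```python
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity token for a file body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Render a <script> tag pinned to the exact bytes that were reviewed."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser: run the fetched bytes only if they match one listed token.

    The attribute may list several tokens; a match on any supported one is enough.
    """
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in SRI_ALGOS and sri_hash(fetched, algo) == token:
            return True
    return False


# Constructed stand-ins for a hosted video player: the version the developer reviewed,
# and the same file with code injected at the hosting site (hypothetical URL).
PLAYER_URL = "https://cdn.example/player.js"
REVIEWED = b"(function(){window.Player={play:function(){}};})();"
MODIFIED = REVIEWED + b"/* injected code placeholder */"

PINNED_INTEGRITY = sri_hash(REVIEWED)
TAG = script_tag(PLAYER_URL, REVIEWED)
```

SRI pins one exact version, so it only works for files you reference by fixed version, not “latest” URLs, and a legitimate update by the host also has to be re-reviewed and re-pinned.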

This means that you need to have a robust software supply chain risk management program in place, unless you want to end up like these firms, dealing with a shattered reputation.

If you need help with this, please contact us.

Credit: Threatpost and Bleeping Computer