Thursday, March 29, 2018

Cities are Likewise Ransomware Targets

Recent stories have focussed on ransomware: its implications, increased usage, and growing complexity. Given that usage, this is a natural progression. Organized digital crime groups have seen the potential profits involved. A vast number of new targets come online weekly to be phished over and over, and each breach and compromise yields new lists of contacts. This is a simple, linear algorithm: more targets in the pool means a larger potential number of victims and, by extension, more revenue.
There is a positive correlation between the number of targets and the number of attacking entities in the market; this revenue is a strong point of attraction. It also works in the inverse: the smaller the market, the fewer attackers will be in it.
Ransomware also has been growing in complexity. This used to be a simple email with a link or attachment. The email body would have poor spelling and grammar, and most people would be able to tell the email was phishing in nature. Time has provided guidance on better methods to generate these. Now these emails have better wording and grammar, and there may be links or a picture, or, in the better-organized phishing emails, an illegible PDF with a link to follow. This last option has come into more frequent use and has become more effective.
There is also an increase in the variety of industries being attacked. This used to be predominantly professional offices, such as attorneys or accountants, or manufacturers. This has recently expanded, with robots in the manufacturing industries being reduced to an inoperable mass of metal until the ransom is paid and the operating system is released from the ransomware.
The latest iteration of ransomware is rather creative. The attackers targeted a city. In this case, Atlanta was attacked successfully and certain services were hampered or shut down. This rather large city was attacked with SamSam. As of March 26th, the city leaders were unsure whether the city was going to pay the ransom. The same tactic was previously successful in attacking the Colorado Department of Transportation.
As long as there is a ransom to be paid, this attack is not going to slow down. It will also continue to be successful as long as training for employees is lacking and senior management/leadership is not willing to fix issues. The city was notified months ago of the IT system vulnerabilities that needed to be addressed, and that if these were not, the city systems could easily be compromised. The city’s management was given the 41-page document last summer. Per the report, there were many significant and severe vulnerabilities. These had been present for so long that it became clear the leadership had become lackadaisical. There were literally thousands of vulnerabilities noted. This attack was preventable.

The follow-up issue is whether the city should pay or not. Given the state of their IT system, the city probably does not have viable back-ups. This limits the options. The issue with paying, however, is that the attackers now know the system. In theory they could re-infect it in a week and collect the fee again.

Saturday, March 24, 2018

DDoS-Don't be targeted

Over the past year, there have been a number of articles centered on hacking and attacks intended to disrupt business and consumer behaviors. One area that has been discussed at length is the DDoS attack. As the acronyms continue to be thrown about, some may not know the details. Recently the largest DDoS attack to date, at 1.7 Tbps, was recorded. In the work environment, this may affect consumers’ and businesses’ ability to log in to a web-oriented service, share files securely, or order supplies, among various other activities.
A DoS (denial of service) may be caused by too much data being present in memory. This may be due to some form of accident or other activity with a limited number of actors. A DDoS (distributed denial of service), on the other hand, is intentional. These attacks have the malicious purpose of not allowing people to connect with a business to share data or files, or not allowing consumers to purchase goods or services online. They generally work by the target being inundated with a massive number of packets sent from many sources located in various geographic locations. One of the latest attacks involved the attackers hijacking internet-connected consumer electronics (e.g. cameras) and using these to send the vast number of packets. Another method is for the attacker to use a rather large number of bots in a botnet to send these packets. When this occurs, the business is not able to fully function.
This has the potential to be a nightmare for the business, cybersecurity researchers, and any other target. During the attack, business transactions, be these retail or operations, are disrupted. There are a number of services that can be contracted to defend against this. With a portion of the largest attacks, though, even this is tough.
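As an added example, not code from the original post: a small Python check that applies the distinction drawn above to constructed flow records. It buckets packets per destination in fixed windows and labels a flagged window as a single-source flood or a distributed one by how many sources share the volume; the thresholds, window size, record format and addresses are all assumptions.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, packets). Addresses
# are documentation ranges; nothing here comes from the post.
SAMPLE_FLOWS = [
    (0, "198.51.100.5", "203.0.113.10", 40),
    (1, "198.51.100.6", "203.0.113.10", 35),
    (2, "198.51.100.7", "203.0.113.20", 20),
    (3, "198.51.100.5", "203.0.113.10", 38),
    # one source blasting the target (single-source DoS)
    (10, "192.0.2.1", "203.0.113.10", 9000),
    (11, "192.0.2.1", "203.0.113.10", 9500),
]
# fifty distinct sources, each sending a modest amount in the same window (DDoS)
SAMPLE_FLOWS += [(20 + i % 10, f"10.0.{i}.{i}", "203.0.113.10", 150) for i in range(50)]


def bucket_by_window(flows, window=10):
    """Map (window_start, dst) -> {src: packets} for fixed-size time windows."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, pkts in flows:
        buckets[(ts - ts % window, dst)][src] += pkts
    return buckets


def classify_windows(flows, window=10, pkt_threshold=5000, src_threshold=20):
    """Label each (window, destination) bucket as normal, dos or ddos.

    Returns {(window_start, dst): (label, total_packets, distinct_sources,
    top_source_share)}. Thresholds are illustrative assumptions: a flagged
    bucket spread over many sources is "ddos", otherwise "dos".
    """
    result = {}
    for key, sources in bucket_by_window(flows, window).items():
        total = sum(sources.values())
        top_share = max(sources.values()) / total
        if total < pkt_threshold:
            label = "normal"
        elif len(sources) >= src_threshold:
            label = "ddos"
        else:
            label = "dos"
        result[key] = (label, total, len(sources), round(top_share, 3))
    return result


def blockable_sources(flows, window=10, min_share=0.5, **thresholds):
    """Sources that alone carry at least min_share of a flagged bucket's volume.

    A single-source flood yields an address worth rate-limiting at the edge;
    a distributed flood yields nothing, which is why it needs upstream
    scrubbing rather than a block list.
    """
    labels = classify_windows(flows, window, **thresholds)
    found = set()
    for key, sources in bucket_by_window(flows, window).items():
        if labels[key][0] == "normal":
            continue
        total = sum(sources.values())
        found.update(src for src, p in sources.items() if p / total >= min_share)
    return sorted(found)


if __name__ == "__main__":
    for key, info in sorted(classify_windows(SAMPLE_FLOWS).items()):
        print(key, info)
    print("candidate sources to rate-limit:", blockable_sources(SAMPLE_FLOWS))
```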

Robots can be victims of ransomware

Ransomware and its effect on targets is well-known. It is being used as an attack tool in nearly all industries; its use has been noted in water processing utilities, manufacturers, banks, and the retail industry, to name a few. This is partially due to its ease of use and applicability to many attacks. The attack vector typically has been phishing or its variant, spear phishing, and is not that complex. To add to the issue, the encrypting does not take a substantial amount of time. If a user has an email address, they are potentially a target.
The attackers have changed and updated their focus. The increased use of technology has provided additional targets. One of the new targets is robots. Although these do not have an email address, they are connected to the internet. IOActive Labs researched vulnerabilities in the SoftBank Robotics NAO and Pepper robots, which are used in industry and education venues. The attack was able to disrupt the robot operations. The curious twist with this application is that ransomware usually encrypts data, files, servers, and other areas the business needs to operate. This new version, instead of targeting and encrypting those areas, targets the software used to operate the robots. The disruption continues until the ransom is paid.
Specifically, the attack alters the robot’s default operations. It can disable all or a portion of the admin features, elevate privileges, add or change the root password(s), and more.
This new attack speaks to the need to secure access and connectivity, not only within the enterprise but also on any publicly accessible IP addresses.

Sunday, March 18, 2018

DHS: Issues with security

The national government is entrusted with many aspects of our lives. Law enforcement departments are tasked with applying the laws to our daily lives and relationships. The Department of Defense (DoD) is responsible for defending the US. The Department of the Interior and other government agencies have their own duties. These functions are spread across many areas and departments in the national government. One such area is the Department of Homeland Security (DHS). This agency is responsible for a massive amount of confidential and sensitive information, which is allegedly safeguarded within its systems. Seemingly these systems would have up-to-date InfoSec applications and use state-of-the-art hardware to ensure unauthorized parties do not access them.
The true nature of the situation is that the data and systems are not as secure as thought. The Office of Inspector General (OIG) examined the DHS InfoSec practices. The OIG noted many of the systems were running outdated operating systems (OS). A portion of these had not updated their security features in five (5) years, and the systems were no longer supported. This included three servers running Windows Server 2003. These servers had not received any patches since 2015, when that OS reached end-of-life (EOL). In total there were 64 vulnerable systems.
This is not how the DHS, or any government unit, is supposed to operate. This is not appropriate behavior and is potentially dangerous if these systems and servers were to be compromised, as they could serve as a pivot point for attackers. This is not even remotely a prudent business practice. It left the DHS vulnerable to attacks, apparently even from very unskilled attackers, given the level and number of vulnerabilities noted.

With the mission of the DHS, this is not acceptable, and it provides a lesson for the remainder of the industry. Sensitive data and systems should be protected and secured. It does not matter whether these are at a small-, medium-, or large-sized business; this needs to be done.

Still check the autofill!

Too many applications are focussed on convenience for the users over any other factor. This increases, in theory, productivity and the number of systems using the app. One of these options is autofill. This has been noted and used by most users in one app or another, and may be found in Excel, Outlook, and many other well-used and widely accepted apps. Earlier this month, while in a meeting, I received an email titled “2017 Bonus”. This did not apply to me, and the email notice was closed out. Post-meeting, the email was opened for curiosity’s sake. The email was intended for another person with the same first name but a different last name. I responded back with “Uh oh” once I had noted the issue. The HR representative had just typed in the first letters of the first name. The HR representative promptly replied that he/she was “Truly sorry for sending” the email. The sensitive information contained therein was the other person’s bonus letter for 2017, which was $11,565.65.
As with most of life’s events, there is something to be learned. Convenience is not always the best alternative. When the user depends too much on the equipment without a quick sanity check, issues can fall through the cracks. Even an action as simple as sending an email can create significant and embarrassing issues.

Watch which assets you put on open WiFi

This St. Patrick’s Day proved to be rather interesting. As in years past, an Irish pub was visited. This one happened to be connected to a golf course. Granted, the usual characters were present; however, this year was a bit different. As the waitresses were exceptionally busy, there was a bit more time that was not occupied. Being curious and waiting for an exceptionally long period, the WiFi was checked. This was labeled as ****** Golf and was totally insecure. Anyone could connect to it with ease from anywhere the WiFi reached, including part of the parking lot. There was no password or check in place. Although not optimal, this is not necessarily a fatal flaw. What made this interesting is the equipment on the WiFi, versus these being connected to the other, secured WiFi sources. On this WiFi were a number of client devices, including several phones (Amanda, Go Blue (a hapless UM fan), Stephann, Lisa, Kathleen, Jacob, & Sylvia) and the DJ’s laptop (MacBook Pro). This is not that unusual; after all, if there is free WiFi, a number of people will connect regardless. What made this interesting is the business devices that were placed by the business on the completely open WiFi, instead of one of the other locked WiFis requiring authentication. These were a printer (HP OfficeJet Pro 6968) and the PC in the pro shop, among other business devices.

The issue was not taken further (scanning or trying to connect) for obvious reasons; however, there are several items requiring attention in this matter. Business assets, which unauthorized parties could connect to, should not be on an open WiFi accessible to anyone. Having the printer on this network, versus one of the other WiFi networks requiring a simple login ID and password, is annoying and did not make an abundance of sense. Having a business printer and pro shop PC on the open WiFi is clearly an error.

The pub certainly should provide its patrons with WiFi, if it is used appropriately. It should, however, be used for the clients and not the business assets. There were three other WiFi options, all locked, which could have been used. These options would not have over-burdened the other WiFi networks, especially in Michigan in mid-March; the pro shop would be much busier in other, warmer locations. Businesses, small or medium-sized, truly need to think through which assets should be placed in specific locations. Consumers also need to understand that by connecting to the open WiFi, their device is seen by everyone. Too many people are simply apathetic to security in this instance, until there is a direct negative consequence. There still needs to be more training on this topic.

Saturday, March 10, 2018

Mazda Hack

We need to learn, as an industry, from our mistakes. When these are identified as part of the SDLC, the oversights should be addressed immediately, based on the criticality of the issue. InfoSec is no different. If a vulnerability is noted, it should be remediated as soon as possible. This may take a bit of time to resolve and may need to be implemented in the next model year of a product or the next software release, depending on the circumstances. If the issue is noted and acknowledged by the company and is not resolved within a reasonable amount of time, there is a bigger, more systemic problem to be considered.

In mid-2017, a compromise targeting Mazda vehicles was published. The PoC was titled the Bad Valet attack, which used the USB port as the attack vector. The targeted models began with the 2014 model year. The exploit worked by the user plugging in a malware-laden USB stick. The malware accessed the Linux OS in the infotainment system and allowed for modifications. Per Mazda, this was patched.

Along comes 2018 and two new researchers with a similar attack. This also used a USB stick and requires only 10 seconds with the USB stick inserted in the port. The malware collects data from the user's smartphone (e.g. text messages, call records, photos, contacts, GPS history, and emails), along with the vehicle's geographic location. The malware exploits the autorun option that had been enabled in the infotainment system.

These attacks indicate there are issues with the development team tasked with the OS. DevOps should incorporate InfoSec. The cost and time savings of SecDevOps have been documented and should be applied.

Dangers of Open WiFi

Recently there was a symposium focussed on connected and automated vehicles and infrastructure. One of the services provided by the venue was WiFi for the attendees. This was a welcome and well-used service. The issue, however, was with the WiFi itself: the WiFi available to connect to was not secured in any fashion or form. This should have been red-flagged by the persons present prior to connecting. It should also have been noticeable as they connected to the WiFi, since it did not include any security; this was apparent from the connection itself and the terms and conditions (T&C). As the presentations continued, there was one person located near the rear of the room with his laptop open. He happened to be running an app which monitors and captures packets. From simply looking across a table, anyone was able to watch the activity and note that he had been recording for longer than was necessary. Others, not aware that he was recording their activities, were logging into and reviewing their stock portfolios, work emails (possibly containing sensitive and confidential information), personal emails, and Facebook.

The issues associated with WiFi that has not been secured are well-known. This provides another example that may be used for training purposes for general staff and others. Anyone in the audience who did not want to use their data plan for these activities, as they logged in with their credentials, unwittingly allowed an unauthorized third party access to their private information.

Friday, March 2, 2018

Universities are still targeted!

Universities have been targets for years. Some universities have been compromised multiple times within a year. The attackers recognize there is a plethora of information available to be exfiltrated and later sold or used in an unauthorized manner. Its value may be rather substantial when sold on the dark web.
In late 2016, one of the latest targets was Michigan State University. The University was breached on November 13, 2016. The data exfiltrated included social security numbers, MSU ID numbers, and employees’ dates of birth. Fortunately, the compromised database did not contain other information, which would have made the situation much worse. That would have included passwords, or information regarding the persons’ financial, academic, contact, gift, or health data. The breach involved 449 records which were exfiltrated. These were only a portion of a database with over 400K records. The attackers sent MSU an email in an attempt to extract a payment from the University.
Post-Breach Actions
The University took this rather seriously, which is a good thing. Too often the affected party has a quick knee-jerk reaction. The University worked through the issue and did not pay the “requested” fee. After this decision, the University began to notify the affected parties, consisting of students, alumni, staff, and faculty. The University posted a website with updated information regarding the compromise. The usual disclaimer was also published with this. The University, to its credit, is providing two years of identity theft protection, fraud recovery, and credit monitoring for free.
Lesson Learned
Data is pertinent and valuable to different persons, for different reasons. The attackers focused on this, naturally. The areas holding these data need to be secured and placed on their own network segments (subnets) where possible. The database with confidential data should be reviewed regularly, along with the logs. This limits exposure from a time perspective: by checking the logs regularly, the authorized staff is able to notice a compromise sooner rather than later. An attacker with free rein for several months has a greater potential for creating issues than someone who has been noticed within a week.

PDFs are still problematic

There are a number of documents used in the business setting. These include resumes in the Human Resources Department, budgets in Finance, and budget costs for projects. These documents have a commonality in their functionality. Years ago, and recently resurfacing, an attack was envisioned and implemented. Office documents include the function of macros, which by design were intended to assist the user. These began to be used by third parties to carry out malicious acts. They were exceptionally useful for attacks, to the point where macro functionality was turned off by default. As time passed, this attack passed out of vogue as it became ineffective, but it started to be used again as the macro function came back into more frequent use.
Another form of document likewise used throughout the business is the PDF. This is commonly used to produce a document from another format, e.g. a Word document, or other documents are scanned as a PDF. It is used without hesitation, as PDFs are seen in virtually every single office. Although seemingly mundane, this well-used type of document is still weaponized and used against targets. It has been used extensively due to the ease of engineering the malware. In addition, users receive these regularly, which has encouraged acceptance and usage without applying a sense of security to the source of the document (e.g. which person was sending the email containing the PDF).
Users should, through various training opportunities, learn to remain vigilant, even with PDFs. Users should still check who the emails are from.
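As an added example, not code from the original post: a small Python scanner a mail gateway or help desk could run over an attachment before anyone follows a link. It lists the action types a PDF carries (link, JavaScript, Launch, OpenAction and similar) and the URLs behind its links, normalizing hex-escaped names and looking inside Flate-compressed streams. The sample PDF bytes are constructed inline and do not render; the name list and the sample are assumptions for illustration.

```python
import re
import zlib

# Constructs a PDF viewer acts on without the reader choosing to; a plain
# document carrying any of these deserves a closer look before it is opened.
RISKY_NAMES = [b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/EmbeddedFile", b"/SubmitForm"]
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")          # /J#61vaScript -> /JavaScript
_URI = re.compile(rb"/URI\s*\(([^)]*)\)")                  # link target, literal-string form
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)  # stream bodies


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses cleanly, so
    names hidden inside Flate-compressed objects face the same checks."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates the trailing newline captured by the regex
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or non-Flate stream: already visible as-is
    return data + b"\n" + b"\n".join(extra)


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so trivially obfuscated names still match."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Report the risky action names found (with counts) and every link URI."""
    text = _unescape_names(_inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            counts[name.decode()] = n
    uris = [u.decode(errors="replace") for u in _URI.findall(text)]
    return {"risky": counts, "uris": uris,
            "has_js": "/JavaScript" in counts or "/JS" in counts}


def sample_pdf() -> bytes:
    """Constructed, non-rendering PDF fragment: a link annotation, a hex-escaped
    JavaScript OpenAction, and a /Launch action inside a compressed stream."""
    hidden = zlib.compress(b"<< /S /Launch /F (placeholder) >>")
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"3 0 obj << /Type /Annot /Subtype /Link"
            b" /A << /S /URI /URI (http://example.test/login) >> >> endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
            b"5 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n")
    return head + b"stream\n" + hidden + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(sample_pdf()))
```

A result with any entry in `risky` is a reason to check the sender before opening, which is the habit the post asks for; a clean scan is not proof of safety.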