Sonic Boom

It has been an un-seasonably frenetic week in the Cyber Security coal mines this week, so much so that this week’s rant is going out a day early, for reasons obvious, as you will see below.

As ever we will try to cover off as much as we can but are always ready to help, especially if you are a user of SonicWall firewalls (and the Dell equivalents when SonicWall was part of the evil empire) or in fact any other technology with the Real Time Operating System (RTOS) VxWorks embedded, and we would bet that all of you have VxWorks running somewhere.

For those who are unsure about Real Time Operating Systems, they are used in exactly that way, to provide real time (or very near) execution on a wide range of platforms – hospital equipment, factory tooling and automation, the car industry, the aviation industry, they are pretty much everywhere.

The leading provider of RTOS is an outfit called Wind River which manufactures an OS called VxWorks. It is installed in millions and millions of devices around the world.

A trifle concerning then that Internet of Ting Tings (IoT) outfit Armis has uncovered 11 super critical bugs in numerous versions of VxWorks (with the exception of VxWorks 653 and VxWorks Cert edition, which are designed for safety certification, for transportation – Boeing, Ford etc.).

A quick look at Wind River’s showcase customers should be enough for even the least paranoid amongst you (and you know who you are) to get the message.

Let’s take a specific example, SonicWall firewalls. Our old friend Shodan will tell you that there are over 800,000 SonicWall firewalls connected to Tinterwebs right now. A large percentage of these can be compromised by sending a dodgy packet to them and then logging in with any old rubbish as the password (any string that is, not ‘anyoldrubbish’).

Here is an example of a SonicWall being jacked in seconds by the aforementioned Armis propeller heads. Please do watch it and consider that this same attack vector can also be used to access pretty much any online device running VxWorks. Are you getting twitchy yet?

Given that there are hundreds of millions of VxWorks devices out there, the potential for a really big, the biggest ever, botnet is very real. It is probably being engineered in a lair somewhere as we write. Mwahahaha.

Furthermore, since VxWorks is often white labelled (SonicOS for instance), it is often highly modified by the vendor so one patch will not fix all. The patches need to come from each vendor, obviously supported by a presumably twitchy army of Wind River engineers wondering where they will be working next week.

So what to do?

Try and establish what devices on your network are running VxWorks. You can do this using a number of scanning tools, funnily enough the aforementioned Armis have a very good one (strokes chin thoughtfully). Once you have even a vague idea, contact the vendors and obtain their official statement and patch timelines. Consider removing any device that is unpatched from your network, especially (obvs) if it connects the inside with the outside.

If you have industrial control and automation systems connected externally, you should really get a working team together ASAP, but you probably already have, and we are not in the business of egg sucking lectures.

With all this furore, it would be easy to overlook this week’s announcement that an ex-employee (AWS DevOps type) of Capital One, one Paige Thomson (aka in the hax0r world ‘erratic’, the clue is there for all to see) stole 106 million customers’ details and started publishing them on the Internet.

Erratic, left a trail that even Inspector Clouseau could follow blindfolded and was subsequently arrested when the US paramilitary police stormed her shared house. Whilst this may have seen overkill, it seems the landlord had a very shady past involving explosives and the Special Agents at Arms found weapons and other bad shizzle at the property (unrelated to the hacker).

Capital One stated “no credit-card account numbers or log-in credentials were compromised” and more than 99% of the Social Security numbers that the company has on file weren’t affected.

Onwards and upwards. Do you remember Marcus Hutchins, the WannaCry saviour (hmm, that chin is getting a good stroke today), who was arrested by the feds whilst attending Black Hat or some such in Vegas (outer circles of hell that these gigs are)?

Well he finally had his day in court, pleaded guilty and will not go to jail. He will not be able to visit The States again either unless, as the Judge bizarrely recommended, he seeks or obtains a presidential pardon. What strange times! Read all about it on none other than His Nibs, The Most Exalted Brian Krebs site.

Finally (phew), if you read last week’s blog, you will remember that it was about the US Government trying to force vendors to put backdoors in consumer stuff.

Well just having got the job of UK Home Secretary, Priti Patel has been banging on about the same. Those of you who read the link will see that there are inaccuracies (i.e. porkies) in the quotes used from the original ‘Five Eyes’ communiqué, trouble is nobody is in the slightest surprised about this sort of thing any more.

She, like Mr Barr (The USA Attorney General remember), is in favour of Capital punishment, presumably not for behaviour unbecoming of a Government Minister however.

We wish Priti all the best with these ambitions, good luck with that.

The VxWorks issue is going to run and run, if you need help, please contact us at: [email protected] or call 020 7517 3900.

Wishing the England cricket team all the best in The Ashes.