It’s all about the vector, Vernon

In ITC's Threat of the Week

Warning! This is a bit of a long one, a holiday special, but there is a prize for the most eagle-eyed readers. Details below.

There we were post/during/pending holiday mode, rather hoping we would be resting on our laurels, when a wave of cyber breaches brought us to our senses just as we were trying to chill on the pebbled shore.

In fact there is so much news about cyber breaches of all types this week, not just single spies but whole battalions, farsands of them, that we are going to talk about them as if they were ordinary crimes (which of course they are, and need to be recognised as such), to be dealt with by Inspector Knacker of The Yard (thank you Private Eye).

Investigative techniques in the traditional crime world (not that we would know anything about that, oh no), as any avid fan of the wonderful Columbo or, to a much lesser degree, Inspector Clouseau and his manservant Young Cato will know, have ‘means, motivation and opportunity’ at the core.

The issues of applying this as a methodology to investigate cyber crime are manifest: even applying it correctly does little to whittle down the list of suspects, who could be anybody connected to the tangled Tinterwebs, which, as you can see from any interaction you may have with teenagers, is in the beeellions.

The means. All you need is a Raspberry Pi (or something more shonky; the Pi rocks), an Internet connection, and the ability to read tutorials and download, compile and run code. You could even, perish the thought, develop code from the comfort of your bedroom as the Minions posters slowly fall off the walls, and you are all set.

Obviously large criminal gangs like those Fancy Bears, or other Nation State actors (lolz) have more resources (we think!), which makes them more threatening, but not really that much more!

The motivation. Because you can, trade secrets or other intellectual property, basically money, filthy lucre.

The opportunity. It is there, every single microsecond of every day.

In addition, the attack vectors are many and varied. Insider or disgruntled employee, unpatched systems, un-patchable systems, systems that have been forgotten about, misconfiguration, zero-day issues with major applications or tiny pieces of code, general malaise on the part of system administrators. The list is endless.

The fact is that the motivation to plunder is far higher in the bad guys than the motivation to keep them out is among many sysadmins, who are often not listened to, overworked and of course underpaid (we feel your pain Brothers and Sisters, although that pain clearly pays the income).

So what has gone on this week, let’s start with the SNAFU at Capital One.

You will recall that last week Capital One came clean (after the perpetrator had been felt by the collar) about the loss of a cool 106 million sets of customers’ (and potential customers’) details. It transpired that this was an ex-employee, so many suspected the vector was inside knowledge. That might be the high level view, but according to some ace research by The Grand Vizier Himself, B. Krebs Esq, the MO appears to have been a misconfigured Web Application Firewall which, whilst hosted on Amazon, had nothing to do with them security-wise. It is nonetheless causing Amazon more than one migraine; what a headache they have, it may even break into twenty pieces. The WAF is but a small subset of the disparate systems used to build enterprise applications in the cloud, many of them not massively understood, in this case the authorisation system, or so it would seem.

Although what’s done is done, the Department of Justice are all over the situation, not just on the case of the Hacker (remember her tag? ‘erratic’), whom they suspect of further heinous crimes, mostly in the ‘because she could’ and ‘might need some help’ department (the Author’s opinion, not that of ITC), but also on Capital One. Time will tell, fines will be served, life will go on, customers will pay the bill, golf will still be played.

Regular readers will be very bored of us whinging (and warning, for that matter) about the complexities of modern containerised applications using modules developed elsewhere, poorly understood and rushed into production. It is a very scary world. This problem is going to get worse before it gets betterer(TM), especially in the fast and loose world of cloud services, with its potential for misconfiguration and very muddy accountability waters.

It has been a fairly busy week in the wild west of crypto currency. Long time sufferers of this blog and our fun, informative events may recall that way back in 2017 we talked about North Korea using crypto currency heists to break the currency restrictions placed upon it. At the end of 2018 it was estimated that the bounty from this activity was $200 meeeeellion. Little surprise then that, according to a confidential United Nations report peeked at by the fine people at Reuters on Monday, this has risen to a fairly staggering $2 beeellion. A figure set only to rise exponentially.

A key vector in crypto attacks is accidental, or sometimes deliberate, dodgy code in crypto wallets and processing systems. If you are in the crypto game, be prepared for the value of your investment to go down (to zero) as well as up, as in part of a rocket funding exercise.

Hot on the heels of the Reuters story came an excellent but scary piece of work by Carbon Black, which shows that a popular Monero mining malware has been somewhat extended with the addition of tooling like Mimikatz (credential scraping) and, disturbingly, EternalBlue, the NSA tool for lateral infection via SMB. It seems that the criminals behind the attack are harvesting and selling access details on the dark web. This is now a potential disaster area.

We know that a lot of organisations are a little lacklustre at finding and eradicating nasty little crypto miners. We did warn in our 9th ever blog, back in April 2013 (week 9, bless), about this sort of malware being repurposed. Probably best get on top of it. Guess what? Carbon Black is pretty good at it and so are ITC (we said modestly), with our Endpoint Detection and Response managed service.
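Finding the combination Carbon Black describes (a miner that has grown SMB-based lateral movement) comes down to looking for two signals in network telemetry: one internal host fanning out to many others on port 445, and outbound connections to ports commonly used by Stratum mining pools. The script below is an added example, not code from the original post, from ITC or from Carbon Black. It runs over a handful of constructed connection-log lines; the log format, the internal address ranges and the mining pool port list are assumptions.

```python
"""Added example, not code from the original post, ITC or Carbon Black.

Flags hosts whose connection log shows either of the two signals discussed
above: SMB fan-out to many internal hosts (EternalBlue-style lateral movement)
or outbound traffic to ports commonly used by Stratum mining pools. The log
format, internal ranges and port list are assumptions, not from the post.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "timestamp src_ip dst_ip dst_port proto bytes"
SAMPLE_LOG = """\
2019-08-07T09:00:01 10.0.5.21 10.0.5.30 445 tcp 1200
2019-08-07T09:00:01 10.0.5.21 10.0.5.31 445 tcp 1180
2019-08-07T09:00:02 10.0.5.21 10.0.5.32 445 tcp 1190
2019-08-07T09:00:02 10.0.5.21 10.0.5.33 445 tcp 1210
2019-08-07T09:00:03 10.0.5.21 10.0.5.34 445 tcp 1175
2019-08-07T09:00:09 10.0.5.21 203.0.113.9 3333 tcp 98000
2019-08-07T09:01:00 10.0.7.8 10.0.7.200 445 tcp 52000
2019-08-07T09:02:00 10.0.9.4 198.51.100.7 14444 tcp 41000
2019-08-07T09:02:30 10.0.9.4 10.0.9.1 53 udp 90
"""

# Assumed internal address space; adjust to the estate being monitored.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Ports frequently used by Stratum mining pools (heuristic, assumed list).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}

# Distinct internal hosts one source must touch on 445 before we call it fan-out.
SMB_FANOUT_THRESHOLD = 5

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto, nbytes = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return events


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspects(events, fanout_threshold=SMB_FANOUT_THRESHOLD):
    """Return {src_host: [reasons]} for hosts matching either signal."""
    smb_targets = defaultdict(set)   # src -> internal hosts contacted on 445
    pool_peers = defaultdict(set)    # src -> external "ip:port" on pool ports
    for e in events:
        if e["proto"] == "tcp" and e["port"] == 445 and is_internal(e["dst"]):
            smb_targets[e["src"]].add(e["dst"])
        if e["proto"] == "tcp" and e["port"] in MINING_POOL_PORTS and not is_internal(e["dst"]):
            pool_peers[e["src"]].add(f'{e["dst"]}:{e["port"]}')

    findings = {}
    for host in sorted(set(smb_targets) | set(pool_peers)):
        reasons = []
        if len(smb_targets[host]) >= fanout_threshold:
            reasons.append(f"smb_fanout:{len(smb_targets[host])}")
        for peer in sorted(pool_peers[host]):
            reasons.append(f"mining_pool:{peer}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_suspects(parse_log(SAMPLE_LOG)).items():
        print(host, ", ".join(reasons))
```

On the sample data this flags 10.0.5.21 for both signals and 10.0.9.4 for the pool connection alone, while the file server 10.0.7.8 with a single SMB session is left alone. Port-based heuristics are noisy (miners increasingly sit behind proxies or on 443), so treat this as a triage filter to pair with endpoint process telemetry, and tune the fan-out threshold so legitimate scanners and admin jump hosts do not drown the output.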

There are of course other ways for the bad guys to get into your stuff. Phishing has been the primary attack vector for some time, but it is rapidly being caught up by bugs and misconfigurations in Internet of Ting Tings devices, abused by both casual and highly organised hax0rs.

This week Microsoft (no less) published a very interesting report fingering those pesky Fancy Bears (aka STRONTIUM), almost certainly affiliated with Russia’s GRU, as using IoT devices to breach corporate systems. On top of last week’s announcement about the swathe of zero days in the VxWorks real time operating system, this is going to prove a massive problem in the very near future as the vector is abused by the more casual, less subtle (if that is possible) opportunists. It really is time to get a grip of your IoT estate and set some best practices for deployment thereof, item one being ‘how to tell if something is an Internet of Things Thing’.

This week Microsoft also patched the bug in RDP that it had previously said did not warrant a patch, after finding that the very same bug could be used to compromise Hyper-V. At least Microsoft finally did the decent thing, even announcing the discovery at Black Hat, a bold move. You know what to do.

And finally (phew), a new variant of the Spectre side channel attack, nattily named SWAPGS, has been outed. Our ace SOC team have written all about it, recommending that you patch when you can (Windows 10 has already been sneakily updated by Microsoft; Linux will be more tricky). Make sure you test thoroughly, because this is low level kernel shizzle which can easily become a terminal condition.
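For the Linux side, the kernel reports its own Spectre v1 status, and a kernel carrying the SWAPGS fix says so in that status line. The check below is an added example, not from the original post or from ITC's SOC write-up: it classifies that status line and can read the live sysfs file on a Linux host. The sample strings are constructed to mirror the wording the kernel uses for each state; the sysfs path is the real one.

```python
"""Added example, not from the original post or ITC's SOC write-up.

Classifies the Linux kernel's Spectre v1 status line to tell whether the
SWAPGS mitigation is present, and can read the live sysfs file on a host.
The sample strings are constructed to mirror the kernel's wording.
"""

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v1"

# Constructed samples mirroring the kernel's wording for each state.
SAMPLES = {
    "patched": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "disabled": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
    "pre_swapgs_kernel": "Mitigation: __user pointer sanitization",
}


def classify_spectre_v1(report):
    """Map the status line to one of:
    not_affected, mitigated_swapgs, mitigated_no_swapgs, vulnerable, unknown."""
    text = report.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        # Only kernels carrying the SWAPGS fix mention swapgs barriers;
        # an older kernel reports pointer sanitization alone.
        return "mitigated_swapgs" if "swapgs" in text else "mitigated_no_swapgs"
    if text.startswith("Vulnerable"):
        # Fix present but disabled (e.g. nospectre_v1 on the command line).
        return "vulnerable"
    return "unknown"


def needs_action(status):
    """True when the host should be updated or the mitigation re-enabled."""
    return status in {"mitigated_no_swapgs", "vulnerable", "unknown"}


def check_live(path=SYSFS_PATH):
    """Read the real sysfs file; 'unavailable' if not on Linux or the
    kernel predates the vulnerabilities interface."""
    try:
        with open(path) as fh:
            return classify_spectre_v1(fh.read())
    except OSError:
        return "unavailable"


if __name__ == "__main__":
    status = check_live()
    print("spectre_v1 status:", status, "(action needed)" if needs_action(status) else "")
```

Run it across the estate after the kernel update and again after the reboot: a host that still comes back as mitigated_no_swapgs is running the old kernel, and one that comes back as vulnerable has had the mitigation switched off on the command line, which is the sort of thing the thorough testing above is meant to catch.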

Like we said at the start, means, motivation and opportunity are abundant in our cyber world. Our best hope is to identify, prioritise and restrict the vectors, both technically and through effective processes, something that ITC would love to talk to you about. Contact us at: [email protected] or call 020 7517 3900.

Here’s hoping you manage to enjoy your summer holidays, no matter what you are doing. Some of us are stirring the Athenian youth to merriment, others living like Princes in Denmark. The youthful amongst us are obviously spending their salad days being cool on some surf beach or other, or alone in their bedrooms ‘researching’.

Which brings us onto the prize.

Scattered throughout this piece are a number of references to Shakespeare quotes (possibly not verbatim), characters, and words he invented. Count them up, make a note of them and send them back to us. Minus 3 points for wrong attribution! Author’s decision is final.

The two winners will each receive a brand new shiny Raspberry Pi4, in the packaging and sealed with no nasties on it, honest. You have to promise to give it a good home and not leave it in the third drawer down to feel sorry for itself.

Author: Kevin Whelan
