Monday, April 30, 2018

Cyber kill chain - Oh what a fancy thing it is!

Let's say I manage a network. My system was publicly accessible and someone has managed to exploit a vulnerability in it using the MS17-010 (EternalBlue) exploit. As the network manager, I can see some egress traffic on my SMB port and have now found that my system is communicating with an external IP address (possibly someone's Command and Control server).

The question is: what do I do now?
Should I call the incident response team that does not even exist? Should I shut down the whole network? Should I start reading my organizational policy to figure out what I am supposed to do, or should I just start to cry, since the attacker could be planning to push WannaCry or the like into the network?

That's exactly when you would need a Cyber Kill Chain.

So, what exactly is it?

The Cyber Kill Chain is basically a framework, part of the intelligence-driven defense model, for identifying and preventing cyber intrusion activity. It is also commonly referred to as the cyber attack lifecycle: the sequence of stages an intrusion passes through, each of which gives the defender a chance to detect and break it. The actual model, the Cyber Kill Chain framework, was developed by Lockheed Martin and is widely used for the identification and prevention of cyber intrusions.

Should I even care about the Cyber Kill Chain?
If you are an organization or individual that maintains and manages the flow of data in and out of a network... in short, ya; sorta!

Let's get back to the thrill, the insight of an attack:

Usually, every attack starts with passive recon, then active recon, and then the real attack happens: the attacker expands the attack surface, exploits, starts the post-exploitation phase, creates a backdoor, exfiltrates the data and clears their tracks. Lockheed Martin defines these phases as Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

Source: Lockheed Martin

As said earlier, in the imaginary network that I manage, the successive events would be: the attacker creates a new backdoor and is now scanning the internal network for lateral movement. The attacker gets access to my internal database server or the like, exfiltrates the data, tries to clean up their traces and walks away, their need fulfilled for now, since they already have a backdoor they can use at any time they want.

This is just a simple idea of what could happen here; there could be hundreds or maybe thousands of possibilities for what the attacker might be doing or wanting to do, depending on what information the organization or individual holds and on the motive of the attacker.

In some cases, such as APT attacks, sophisticated attackers do not follow these steps: they sometimes skip steps or add their own, making the visible attack just a diversion, so that finding the real attacker activity is like finding a needle in a haystack. For example, a DDoS attack could be used as a diversionary manoeuvre to create an immense number of events in the logs, making the actual event harder to find.

The cyber kill chain helps prevent intrusions and suggests preventive measures for each of these stages. To break the chain: if there is an event, or anything that seems suspicious, start digging into it. If you feel that a genuine attack is happening, triage the incident. Figure out how the attacker got inside the system, or how the attacker is trying to get inside. To stop possible future damage, gather the forensic investigation / incident report and try to figure out how to stop these types of attacks in the future. There are certain technologies that help in killing the attack chain, such as anti-spam, web filtering, intrusion prevention and detection, antivirus, SIEM, DBAM, next-generation firewalls, data loss prevention technologies and others.
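As an added example (not from the post), here is the kind of check that surfaces the egress SMB connection described at the top: it parses constructed firewall log lines, flags internal hosts talking SMB (ports 445/139) to addresses outside the site's own ranges, and tags each host with the kill chain stage the traffic most plausibly represents. The log format, the internal address ranges and the two-peer lateral-movement threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (not a real capture): timestamp, action, src:port -> dst:port, protocol.
SAMPLE_LOG = """\
2018-04-30T09:12:01 ALLOW 10.0.5.23:49211 -> 203.0.113.7:445 TCP
2018-04-30T09:12:03 ALLOW 10.0.5.23:49212 -> 10.0.5.40:445 TCP
2018-04-30T09:12:05 ALLOW 10.0.5.23:49213 -> 10.0.5.41:445 TCP
2018-04-30T09:12:07 ALLOW 10.0.5.88:51002 -> 198.51.100.9:443 TCP
2018-04-30T09:12:09 DENY  10.0.5.23:49214 -> 203.0.113.7:139 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)
SMB_PORTS = {139, 445}

# What "inside" means is a site decision; RFC 1918 plus loopback and link-local is assumed here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    """True when the address is outside every range the site considers internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(log_text, lateral_threshold=2):
    """Return {src_host: [kill chain stages]} for hosts whose SMB traffic warrants digging into.

    - SMB from an internal host to an external address is what the post describes seeing:
      a host talking to a possible C2 server over a port that should never leave the network.
    - One internal host opening SMB to several distinct internal peers is the scanning /
      lateral-movement pattern that follows a foothold (Actions on Objectives in the model).
    DENY lines count too: a blocked attempt still tells you which host is trying.
    """
    findings = defaultdict(set)
    internal_peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMB_PORTS:
            continue
        if is_external(rec["dst"]):
            findings[rec["src"]].add("Command and Control")
        else:
            internal_peers[rec["src"]].add(rec["dst"])
    for src, peers in internal_peers.items():
        if len(peers) >= lateral_threshold:
            findings[src].add("Actions on Objectives")
    return {src: sorted(stages) for src, stages in findings.items()}


if __name__ == "__main__":
    for host, stages in triage(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```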

Again, my question to you: should you care about the kill chain?
You may say: I do not own any information, I do not have any data as such, or I do not have anything at all. So, why should I care!

In most cases, the attackers might not be interested in large-scale data or high-profile servers or anything of the sort. Small compromised resources can be used to commit advertisement fraud, spread misleading information/news or send out spam, extort the company for ransom or sell the acquired data on the black market, or even rent out the hijacked infrastructure to other criminals, as in selling these servers to provide ransomware-as-a-service, DDoS-as-a-service and the like.

The goal here is not just to know the 'Cyber Kill Chain'. You know it, great! What are you waiting for? Implement it, follow the kill chain model and gotta catch them all!

PS: To stop an attack, you need to think like an attacker.

A little bird once told me, "Know the enemy and know yourself."

Monday, August 7, 2017

SMBloris is in the town and Microsoft won't provide a patch for it!


SMB is having a very hard time lately. The NSA's exploit under the codename EternalBlue/DoublePulsar, the WannaCry ransomware, the Uiwix ransomware, Adylkuzz and others were all taking advantage of an SMB exploit. A new exploit for SMB was released at DEF CON 25 by security researchers zerosum0x0 and JennaMagius as a zero-day. The vulnerability is named SMBLoris, after the Apache web server bug exploited by Slowloris in 2009. Both the SMBloris and Slowloris attacks can use a single machine to crash or freeze a much more powerful server; however, Slowloris, unlike SMBloris, targets web servers. As of now, Microsoft has refused to provide a patch for this specific vulnerability, saying that it is only a moderate issue and would likely never be fixed. The bug allows an attacker to remotely crash a Windows server with only about 20 lines of Python code and a portable system such as a Raspberry Pi.

What exactly is the bug?

The vulnerability lies in the way SMB packets are processed and the way the system allocates memory for them. SMBloris is basically a memory-handling bug which, if exploited, forces a server, whether hosted on the Internet or on the local network, to allocate 128KiB of non-paged physical memory (memory that has to be reserved and cannot be swapped out) for every connection to the service. An attacker executes this attack by sending three bytes to the SMB service with the 17-bit NetBIOS Session Service (NBSS) length field set to the maximum. The kernel keeps the connection open for 30 seconds and then gives up. So, for every connection attempted, 128KiB of memory is tied up for 30 seconds.

Although the well-known TCP port for NBSS traffic is 139, an attacker can open a connection from every possible TCP port, i.e. up to 65,535 ports, and thus potentially consume up to 8GiB of non-paged RAM for half a minute. This directly hampers the performance of the machine, since the kernel is forced to scavenge the system for any free memory as more allocations arrive. If an attacker launches this attack over both IPv4 and IPv6, the memory burden rises to 16GiB, and if the attack then comes from just two IP addresses it can fill up to 32GiB, and so on. Eventually the target system/server is unable to allocate memory and freezes, requiring a manual reboot. It would not even crash or show the blue screen of death (BSOD), since it would have no resources left to display the blue screen; it simply freezes and never returns from the frozen state until forcibly rebooted.
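As an added example (not the researchers' code and not from the post), a defender-side decoder for the NetBIOS Session Service header the post describes: it computes the length a client has committed to from whatever header bytes have arrived, so a sensor or the server's own connection accounting can spot connections that claim a near-maximum length, deliver no payload and then sit idle, which is exactly the per-connection 128 KiB reservation being held. The session samples, the idle and payload thresholds and the 128 KiB-per-connection sizing helper are constructed from the figures in the post.

```python
# NetBIOS Session Service (RFC 1002) header that precedes every SMB message over TCP:
#   byte 0:    message type (0x00 = session message)
#   byte 1:    flags; bit 0 is the 17th (highest) bit of the length
#   bytes 2-3: low 16 bits of the length, big-endian
# A client may therefore announce up to 0x1FFFF bytes, i.e. one byte short of 128 KiB.
NBSS_HEADER_LEN = 4
NBSS_LENGTH_MAX = 0x1FFFF
RESERVATION_KIB = 128        # per-connection non-paged reservation quoted in the post
SERVER_TIMEOUT_S = 30        # how long the post says the kernel waits before giving up


def advertised_length_lower_bound(received):
    """Length the client has already committed to, given the header bytes seen so far.

    Missing low-order length bytes are treated as zero, so the bound works on a partial
    header too. After only type + flags + high byte (three bytes), the server already knows
    the 17th bit and the high byte, which is enough to force a near-maximum buffer.
    """
    if len(received) < 2:
        return 0
    flags = received[1]
    high = received[2] if len(received) > 2 else 0
    low = received[3] if len(received) > 3 else 0
    return ((flags & 0x01) << 16) | (high << 8) | low


def classify_session(received, idle_seconds, min_suspect_len=0x10000, max_payload=1024, min_idle=5):
    """Judge one client connection: 'incomplete', 'ok' or 'suspect-smbloris'.

    The flagged pattern is the one the post describes: a near-maximum advertised length,
    (almost) no payload actually delivered, and the connection then sitting idle while the
    server holds the reserved memory until its timeout. Thresholds are assumptions.
    """
    if len(received) < 2:
        return "incomplete"
    delivered = max(0, len(received) - NBSS_HEADER_LEN)
    if (advertised_length_lower_bound(received) >= min_suspect_len
            and delivered < max_payload and idle_seconds >= min_idle):
        return "suspect-smbloris"
    return "ok"


def estimate_reserved_gib(connections):
    """Rough non-paged memory tied up by N simultaneous stalled connections (128 KiB each)."""
    return connections * RESERVATION_KIB / (1024 * 1024)


def audit(sessions):
    """sessions: iterable of (bytes_received, idle_seconds). Returns (verdicts, suspect_count)."""
    verdicts = [classify_session(data, idle) for data, idle in sessions]
    return verdicts, verdicts.count("suspect-smbloris")


# Constructed sessions (not captured traffic): one ordinary small message fully delivered,
# one stalled three-byte header, one complete header claiming the maximum and nothing more.
SAMPLE_SESSIONS = [
    (b"\x00\x00\x00\x45" + b"\x00" * 0x45, 0),
    (b"\x00\x01\xff", SERVER_TIMEOUT_S),
    (b"\x00\x01\xff\xff", 12),
]

if __name__ == "__main__":
    verdicts, suspects = audit(SAMPLE_SESSIONS)
    print(verdicts, f"{suspects} suspect connection(s)")
    print(f"65,535 stalled connections reserve about {estimate_reserved_gib(65535):.1f} GiB")
```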

Which versions of Windows are affected?

The vulnerability exists in all modern versions of Windows, at least from Windows 2000 through Windows 10. Even if all versions of SMB are disabled, the systems are still vulnerable.

Is Samba affected?

Samba is free software that re-implements SMB as an alternative for other operating systems. A default installation is also vulnerable; however, it has a workaround.

Workaround: Set 'max smbd processes = 1000' in smb.conf (normally found under /etc/samba).

What could go wrong?

Cybercriminals on the black market providing DDoSaaS (Distributed Denial of Service-as-a-Service) could benefit from this zero-day, since they would not even need a botnet or any such large-scale resources. All they would require is about 20 lines of Python code and a portable system to run them. However, no such devastating incident has been recorded or discovered yet.

Recommendation
For now, we highly recommend that you disable ports 445 and 139 on Internet-facing systems. If you are thinking about using them on your internal LAN, make sure that your business-critical systems have these two ports disabled.

Wednesday, July 26, 2017

My experience at npNOG-2 and SANOG-XXX

It all started with a thirst for knowledge and a will to learn something new every single day!

When I started out in networking and security, I was always curious about breaking stuff. I always wanted to learn more and more about these fascinating networks, how we communicate inside a network and, of course, the security side of it. Until now, I was only aware of the tip of the iceberg, and I never thought there was such a huge amount of knowledgeable material deep down there.

To tell the truth, I only learned about these community-driven NOGs some months back. After finding out about them, I scoured the web, looked at the past content, presentation slides and learning materials they provide, and really felt that I had missed a lot. Long story short, I found out about the fellowship programs, applied, got selected, went to these NOGs, and now here I am sharing my experience.

So, basically, Network Operators Groups (NOGs) are usually informal and open idea-exchange platforms. They are either country- or region-based, where network operators come under the same roof to discuss topics of mutual interest, exchange ideas and express their viewpoints for the betterment of operational, robust, secure and stable networks. Usually these forums have supporting members from Internet Service Providers (ISPs), Internet Exchange Points (IXPs), Regional Internet Registries (RIRs), Internet Protocol version 6 (IPv6) operators, Domain Name System (DNS) and root zone operators, operational security communities and other network operations communities, and the discussions among these members are truly influential.

npNOG2 started (on 15th of June 2017) with three days of workshops on three different tracks: IPv4/6 Routing, Network Management and Monitoring, and Optical Fiber Networks, and ended with a one-day conference right after the three days of workshops. I attended the three-day workshop on IPv4/IPv6 routing. The workshop gave an insight into IPv6 and routing protocols like OSPF and BGP, with three intensive days of hands-on lab exercises. Apart from breaking the lab (hint: route leak!) on the last day, everything went just fine! In fact, I was so curious that I simulated the lab environment and even tried some twists and tricks after getting back from the program. The four-day journey was a knowledgeable one! Overall, it was truly a marvelous opportunity to become part of the second edition of npNOG (Nepal Network Operators Group): such brilliant and knowledgeable folks in the community, with great instructors. It was really a great learning and networking opportunity.

SANOG-XXX started (on 10th of July 2017) with two days of conference, two days of tutorials and five days of workshops on three different tracks: IPv4/6 Routing, Network Security and DevOps 101 for Network Engineers. The conference talks and tutorials were interesting and knowledgeable. I was actually thinking of attending IPv4/6 Routing since this time it would cover IS-IS (the routing protocol!), BGP, multi-homing, traffic engineering and other cool stuff, but later I decided to attend Network Security.

Why Network Security? Well, security stuff got me onto that! I thought, why not use some of my network security knowledge and expand it with more security stuff too! So I decided to attend Network Security. Indeed, the Network Security workshop was fun, well, at least for me, and I hope others surely enjoyed it too. The workshop covered topics such as cryptography, cryptographic applications such as SSH, VPNs, SSL/TLS and PGP, as well as DNS, DNSSEC, network/server hardening best practices and other cool stuff. The instructors were truly amazing. Everything went fine this time, apart from some random hacks for fun, and for knowledge of course! Such knowledgeable and talented participants.

Overall, both NOGs were great and knowledgeable. All the fellows were great! We had such a memorable, knowledgeable and great time sharing knowledge and ideas.

Final words

These kinds of knowledge-sharing communities are growing and should definitely keep on growing, so that experienced folks can share and transfer their knowledge, experiences and ideas to new engineers, students and networking enthusiasts, and the new generation can benefit more.

I would highly recommend anyone working in the networking or security domain to participate actively in such communities and share their ideas and experiences. Organizations working in these domains should also motivate, encourage and truly support their staff members to participate in and contribute to such communities.

Finally, I would like to thank all the instructors, sponsors, my fellow friends, seniors and all the folks who were in touch with me at the events. Thanks to the whole team for making my first NOGs knowledgeable and amazing! I hope that I will also get an opportunity to share some of my ideas and knowledge with the community in the near future.

A note to remember: "Do not read books, read RFCs! That's where the beauty of true knowledge is."

Friday, May 19, 2017

SMB in the limelight – WannaCry and more!

Days before WannaCry came into the spotlight, there were already other ransomware and malware taking advantage of the SMB exploit (published under the codename ETERNALBLUE/DOUBLEPULSAR) following the Shadow Brokers dump (NSA exploits targeting the Windows file sharing protocol). So far, the WannaCry ransomware has infected systems in more than 150 countries, causing widespread panic. Although WannaCry's distribution may have been stopped, the spread of ransomware and similar malware has not stopped yet.

Other Variants

UIWIX is an entirely new variant that has also been spotted in the wild. Like WannaCry, this ransomware is built on ETERNALBLUE. It has the ability to infect machines without writing files to permanent storage, making it much harder to detect through conventional forensics. This ransomware renames files with the '.uiwix' extension and drops a text file called '_DECODE_FILES.txt' which contains the requirements for decryption, the payment address and the mode of payment. Uiwix, however, poses an even bigger threat than the WannaCry ransomware since it does not include any kill switch domains.
 
Another program exploiting the same SMB vulnerability via EternalBlue and DoublePulsar is Adylkuzz, which uses it to mine an obscure cryptocurrency called Monero.

Basically, Monero is a cryptocurrency similar to Bitcoin but with enhanced anonymity features. A majority of the underground websites known to sell drugs, stolen credit cards and counterfeit items make use of Monero. However, unlike WannaCry, Adylkuzz does not have the ability to self-propagate.

It has been found that Adylkuzz started exploiting the same vulnerability somewhere between 24th April and 2nd May, i.e. weeks before WannaCry came onto the scene. It infects the system by taking advantage of the SMB vulnerability, shuts down SMB networking to prevent further infection of the system by other malware, including the WannaCry ransomware worm, detects the public IP address of the system, and downloads the mining instructions, the cryptominer and other cleaner tools. Therefore, we can easily predict that a huge number of systems are infected with this malware, more than with the WannaCry ransomware worm. Adylkuzz did not cause the same chaos as WannaCry since it was not shutting down computers or sending ransom notes; all it did was perform Monero mining in the background. It was not catastrophic enough to raise an alarm and remained undetected and hidden until WannaCry came into the limelight and gained much more public attention.

Who is behind the current attack?
It has been found that WannaCry's code shares some portions with code used by the Lazarus APT group, which was heavily responsible for the Sony wiper attack (Sony Pictures Entertainment being hacked using wiper malware), the Bangladesh bank heist ($81 million stolen through the SWIFT network using Dridex malware) and the DarkSeoul operations (backdoor Trojans dubbed Duuzer, Brambul and Joanap targeting South Korean organizations, institutions and industries). The Lazarus APT group has been found to have conducted multiple attacks worldwide, and a direct link has been found between Bluenoroff and North Korea. So there could be a clue that North Korea is behind the current WannaCry attack. However, it is still too early to determine who exactly is behind this attack, since the reuse of code could also be a false flag.

Final Words
It is therefore highly recommended that you update your systems for MS17-010, and if you do not use SMB, it is also recommended that you disable SMB version one.

To disable SMB, follow these steps:
  1. Open Control Panel.
  2. Click Programs.
  3. Click Turn Windows features on or off (under the Programs).
  4. Make sure that your ‘SMB 1.0/CIFS File Sharing Support’ is not ticked.

If you are a PowerShell user, make sure that you disable SMB version one by running the following command with administrator privileges:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Value 0 -Force

That's it, you are protected for now.

Monday, May 15, 2017

Oops! Your important files are encrypted. - Ransomware (WannaCry in Nepal?)

There was nothing new about these words. We had heard a lot about ransomware like Cryptowall, Jigsaw, Cerber, Cryptolocker, Teslacrypt, Locky and more: displaying a nasty message on the desktop, asking for ransom and encrypting almost all files on the system. But this very sentence (Oops! Your important files are encrypted.) and this variant of ransomware were completely different from the others. It was more of a ransomware worm. Cybercriminals had started a new, sophisticated cyber-attack campaign on Friday (12th May 2017). I am sure this Monday (15th May) was definitely the most hectic day for most IT folks, fixing infected systems and applying the patch, with maybe paying the ransom ($300 or $600) as the last option.

We heard stories of a Google Docs phishing campaign that spread like a worm about two weeks back. And now the deadliest ransomware worm, known as WannaCrypt, WannaCry, WannaCrypt0r, WCryptor or WCRY, has started attacking across the Internet, infecting thousands of devices and affecting more than a hundred countries. Russia, Ukraine and India were among the top victims of this recent attack, as reported by Kaspersky.
Figure shows countries affected by the WannaCry ransomware.

The ransomware came out on Friday, causing an extremely chaotic situation for the whole world. The targets included extremely high-profile organizations, among them government forces, railway operators, hospitals, universities and many public and private organizations, such as the Russian Interior Ministry in Russia, Deutsche Bahn in Germany, FedEx in the US, the National Health Service (NHS) in the UK, Renault in France, Portugal Telecom in Portugal, Telefonica in Spain and the Andhra Pradesh Police in India, all serious victims of this recent cyber-attack. Large-scale cyber-attacks of this kind could be the beginning of a new trend for organized cybercriminals. As the workweek started on Monday, the number of affected companies, communities and people could still rise. As of today, as reported by China's news agency, around thirty thousand companies have been hit in China and more than two thousand computers have been infected in Japan, and the numbers are still rising.

The NHS was protected with Sophos (seems like technology cannot be trusted? Since security is not a product, it's a continuous process).

While working around this, I also came to know that some high-profile ISPs and private organizations in Nepal could be victims of this ransomware campaign. Organizations like Nepal Telecom, Subisu, Worldlink, OTEL, Kantipur Media Group and others were found to be highly vulnerable to the WannaCry ransomware attack, or rather to the EternalBlue and DoublePulsar exploits.
All Windows versions before Windows 10 are vulnerable to 'WannaCry' if not patched for MS17-010. The ransomware worm uses EternalBlue (MS17-010) to propagate.

EternalBlue, sometimes stylized as ETERNALBLUE, is an exploit developed by the U.S. National Security Agency (NSA). It was released by the Shadow Brokers hacker group on April 14, 2017.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. The attackers were able to take advantage of this very vulnerability to exploit systems and propagate around the globe in the form of a ransomware worm.

After the chaotic spread of this ransomware worm, Microsoft also came out with an update for Windows XP, although End of Life (EOL) for Windows XP was on 8th of April 2014.

But, as of now, the ransomware worm is down, meaning that a researcher and blogger by the name of MalwareTech has slowed the cyber-attack by simply registering the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com as a 'botnet sinkhole', which acted as a kill switch for the ransomware: the ransomware's working mechanism was to look up the mentioned domain, and if the domain was up, the attack would stop, otherwise it would continue propagating. However, another researcher (Matthieu Suiche) has also confirmed that he found a new WannaCry variant with a different kill switch and registered the new domain ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Multiple security researchers have claimed that there are more samples of the ransomware with different kill switches and even without any kill switch function.
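The kill switch cuts both ways for a defender: a host that looks up one of those domains has already executed the worm, whether or not the sinkhole answered and stopped the encryption. As an added example (not from the post), the check below scans constructed resolver log lines for the two kill-switch domains quoted above, refanging the "[.]" notation the post uses, and reports which internal clients made the lookups and how often. The log line format is an assumption.

```python
import re
from collections import Counter

# Kill-switch domains exactly as quoted in the post (defanged with "[.]").
KILL_SWITCH_DOMAINS_DEFANGED = [
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
]


def refang(domain):
    """Turn a defanged, possibly upper-case or dot-terminated name into a comparable form."""
    return domain.replace("[.]", ".").lower().rstrip(".")


KILL_SWITCH_DOMAINS = {refang(d) for d in KILL_SWITCH_DOMAINS_DEFANGED}

# Constructed resolver log lines (not a real capture): time, client, query name, record type.
SAMPLE_DNS_LOG = """\
15-May-2017 08:01:12.004 client 10.1.2.15#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A
15-May-2017 08:01:13.221 client 10.1.2.15#51235: query: www.example.com IN A
15-May-2017 08:03:40.901 client 10.1.2.77#49001: query: IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A
15-May-2017 08:03:41.010 client 10.1.2.15#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A
15-May-2017 08:05:00.000 client 10.1.2.90#40000: query: updates.example.org IN AAAA
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def find_kill_switch_lookups(log_text):
    """Return {client_ip: lookup_count} for every client that queried a kill-switch domain.

    Each such client ran the worm and needs isolation and patching (MS17-010), regardless of
    whether the sinkhole was reachable and the sample therefore exited without encrypting.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and refang(m.group("qname")) in KILL_SWITCH_DOMAINS:
            hits[m.group("client")] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, count in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client} queried a WannaCry kill-switch domain {count} time(s)")
```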

As of 14th May, a total of $33,319.59 has been paid. Three Bitcoin addresses were hardcoded into the ransomware itself:
(13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94,12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn)

So far, a number of C&C servers (Tor hidden services) have been identified from various sources.


C&C IP addresses have also been identified from various sources.


The file types it looks to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der


How to be safe?
  • For now, ensure that all Windows-based systems are fully patched. At a very minimum, ensure that Microsoft bulletin MS17-010 has been applied.
  • If your organization has SMB publicly accessible via the Internet (ports 139, 445), block it immediately for inbound traffic.
  • If your organization is using Snort, apply Snort rules 42329-42332, 42340 and 41978 immediately.

These kinds of attacks are also likely to happen in the future, and it all starts with just one click of yours, so stay safe, stay secure.

At least follow the points mentioned below:
  • First and foremost, be sure to back up your most important files on a regular basis.
  • Personalize your anti-spam settings the right way.
  • Refrain from opening attachments that look suspicious.
  • Think twice before clicking.
  • Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up-to-date.
  • In the event a suspicious process is spotted on your computer, instantly turn off the Internet connection.
  • Keep the Windows Firewall turned on and properly configured at all times.
  • Enhance your protection more by setting up additional Firewall protection.
  • Adjust your security software to scan compressed or archived files, if this feature is available.
  • Consider disabling Windows PowerShell, which is a task automation framework if you do not use it.
  • Disable Macros and ActiveX in Microsoft Office components.
  • Install a browser add-on to block popups as they can also pose an entry point for ransom Trojan attacks.
  • Deactivate AutoPlay.
  • Make sure you disable file sharing.
  • Disable Remote Services if not in use.
  • Block known-malicious Tor IP addresses.

Wednesday, May 3, 2017

Cyber Threat Intelligence

Threat Intelligence, also sometimes known as Cyber Threat Intelligence, is organized, analyzed and refined information about potential attacks, or a way to build a defense-in-depth strategy against the current attacks that threaten an organization as a whole. Threat intelligence is the most critical component of modern cyber security. By integrating cyber threat intelligence into a security infrastructure, an organization can quickly assess risk, prioritize the alerts and threats that matter most, minimize exposure to attack, and save time and money by increasing the efficiency of security operations. These days many companies provide threat intelligence services integrated into Security Information and Event Management (SIEM) to provide real-time analysis of security alerts generated by network hardware and applications.

The use of threat intelligence and SIEM platforms helps organizations understand the risks of the most common and severe threats, including internal and especially external threats such as zero-day exploits and advanced persistent threat (APT) attacks. In a military, business or security context, intelligence is any information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a component of security intelligence and, like security intelligence, includes both the information relevant to protecting an organization from external and internal threats and the processes, policies and tools designed to gather and analyze that information.

Threat intelligence is divided into four parts as per the 'Centre for the Protection of National Infrastructure': strategic threat intelligence, tactical threat intelligence, operational threat intelligence and technical threat intelligence.

Strategic threat intelligence consists of high-level information that is consumed by senior decision-makers. For example, a report indicating that a particular government is believed to have hacked into foreign companies that have direct competitors within its own nation: a board might consider this fact when weighing up the benefits and risks of entering that competitive marketplace, and use it to allocate effort and budget to mitigate the expected attacks. Strategic threat intelligence is almost exclusively in the form of reports, briefings or conversations.

Tactical threat intelligence often consists of tactics, techniques and procedures: information about how threat actors are conducting attacks. It is gathered by defenders and incident response teams to ensure that their defenses, alerting and investigations are prepared for current tactics. For example, the fact that attackers are using tools to obtain clear-text credentials and then replaying those credentials is tactical intelligence that could prompt defenders to change policy, prevent interactive logins by admins, and ensure that logins do not get captured. Tactical threat intelligence is usually gained by reading white papers or the technical press, communicating with peers in other organizations to learn what they are seeing attackers do, or purchasing the service from a provider of such intelligence.

Operational threat intelligence is information about specific impending attacks against the organization and is initially consumed by higher-level security staff, such as security managers or heads of incident response. Any organization would love to know which groups are going to attack them, when and how, but such intelligence is very rare. In the majority of cases, only a government will have the access to attack groups and their infrastructure that is necessary to collect this type of intelligence. For national and state threats, it is simply not possible for a private entity to legally gain access to the relevant communication channels, and hence good operational threat intelligence will not be an option for many organizations.

However, there are cases where operational intelligence might be available, such as when an organization is targeted by more public actors, including hacktivists. It is advisable for organizations to focus on these cases, where details of attacks can be found through open source intelligence or providers with access to closed chat forums. Another form of operational threat intelligence that might be available is that derived from activity-based attacks, where specific activities or events in the real world result in attacks in the cyber domain. In such instances, future attacks can sometimes be predicted following certain events and event patterns. This linking of attacks to real-world events is common practice in physical security but less commonly seen in cyber security.

Technical threat intelligence consists of data that is normally gathered through technical means. An example would be a feed of Internet Protocol (IP) addresses suspected of being malicious or implicated as command and control servers. Technical threat intelligence often has a short lifespan, since attackers can easily change their IP addresses or modify file hashes; hence the need to gather such intelligence automatically. Technical threat intelligence typically feeds the investigative or monitoring functions of a business, for example blocking attempted connections to suspect servers.
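The short lifespan is the part that bites in practice: an IP feed consumed once and blocked forever both misses the attacker's new address and keeps blocking whoever inherits the old one. As an added example (not from the post), a small indicator store that gives every technical indicator a time-to-live from the moment the feed last asserted it, refreshes it when the feed re-reports it, and screens connection records only against indicators still alive at the time of the connection. Feed names, the 7-day default TTL and the sample addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Indicator:
    value: str            # IP address or hash, normalised to lower case
    kind: str             # "ip" or "sha256"
    source: str           # which feed asserted it (constructed names below)
    last_seen: datetime   # most recent time the feed still listed it
    ttl: timedelta        # how long after last_seen we keep acting on it

    def active_at(self, when):
        return when <= self.last_seen + self.ttl


class TechnicalIntelStore:
    """Indicator set with per-entry expiry, so stale IPs stop producing blocks and alerts."""

    def __init__(self, default_ttl=timedelta(days=7)):
        self._items = {}
        self.default_ttl = default_ttl

    def ingest(self, kind, value, source, seen_at, ttl=None):
        """Add an indicator, or push its expiry out if a feed re-observes it later."""
        key = (kind, value.lower())
        current = self._items.get(key)
        if current is None or seen_at > current.last_seen:
            self._items[key] = Indicator(value.lower(), kind, source, seen_at, ttl or self.default_ttl)

    def lookup(self, kind, value, when):
        """Return the indicator only if it is still within its TTL at time `when`."""
        ind = self._items.get((kind, value.lower()))
        return ind if ind is not None and ind.active_at(when) else None

    def expire(self, now):
        """Drop indicators past their TTL; returns how many were removed."""
        stale = [k for k, ind in self._items.items() if not ind.active_at(now)]
        for k in stale:
            del self._items[k]
        return len(stale)


def screen_connections(store, connections):
    """connections: iterable of (timestamp, dst_ip). Returns [(timestamp, dst_ip, feed)] to act on."""
    alerts = []
    for ts, dst in connections:
        ind = store.lookup("ip", dst, ts)
        if ind is not None:
            alerts.append((ts, dst, ind.source))
    return alerts


def demo():
    """Constructed walk-through: two feed entries, four outbound connections over five days."""
    t0 = datetime(2017, 5, 3)
    store = TechnicalIntelStore()
    store.ingest("ip", "203.0.113.50", "feed-A", t0, ttl=timedelta(days=3))  # short-lived C2 address
    store.ingest("ip", "198.51.100.7", "feed-B", t0)                          # default 7-day TTL
    connections = [
        (t0 + timedelta(days=1), "203.0.113.50"),  # inside TTL -> alert
        (t0 + timedelta(days=5), "203.0.113.50"),  # indicator aged out -> no alert
        (t0 + timedelta(days=5), "198.51.100.7"),  # still active -> alert
        (t0 + timedelta(days=5), "192.0.2.9"),     # never listed -> no alert
    ]
    alerts = [((ts - t0).days, dst, src) for ts, dst, src in screen_connections(store, connections)]
    return {"alerts": alerts, "expired": store.expire(t0 + timedelta(days=5))}


if __name__ == "__main__":
    print(demo())
```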

However, cyber threat intelligence is still a new topic and still requires some time for more information and data to be gathered about it. Targeted attacks, zero-day vulnerabilities and malware such as ransomware are the areas of concern for organizations these days; however, organizations do not have the resources and expertise necessary to perform independent research and evaluate these threats. In most of these cases, threat intelligence services are used as an outsourced capability to provide organizations with access to expertise and resources on such advanced security topics, which they might not otherwise be able to afford.

Final Words

Cyber threat intelligence is a complex and still loosely defined term, covering a multifaceted approach to framing, thinking about and reacting to cyber adversarial activity. Many discussions emphasize the complexity of the cyber operational domain, the speed at which activity and operations take place, and the supposed inherent advantage of the attacker; at the operational level, for example, a hacktivist group may plan to attack physical infrastructure as well as cyber infrastructure in support of its objective. Threat intelligence should be implemented at every level: strategic, operational, tactical and technical. Moreover, every emerging threat should be published and shared with the global security community, so that threat intelligence is globally available and knowledge of adversaries and possible cyber-attacks reaches those who need it.

The motive behind a cyber-attack depends on the type of attack and the type of attacker. By looking at an attacker's first steps, the type of attack and the point at which the attacker is trying to infiltrate can be identified, and that information can immediately be put to use to determine whether the attacker will succeed or fail. Honeypots (decoy servers set up to observe an attacker's patterns) are usually deployed for this, and they help both in studying attacker behaviour and in stopping attacks. Beyond honeypots, threat intelligence is an option for gathering intelligence about attacks in today's sophisticated cyber domain. A threat intelligence process collects indicators from online sources and signatures, builds knowledge of different attack patterns, checks internal and external network traffic against them, and then discards the malicious traffic or, in the case of a zero-day attack, raises an alarm to the administrators. Correlating rule sets in a SIEM, and writing rules that gather intelligence about an attack pattern, also help reduce the threat to some extent.
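As an added example (not code from the original post), here is the technical-intelligence workflow of the paragraphs above in Python: an IP/hash feed whose entries expire after a fixed lifespan (the short shelf life of technical indicators), matched against egress connection logs, followed by a simple correlation rule of the kind a SIEM would run. The feed, the log lines, the 7-day lifespan and the escalation threshold are all constructed for the demonstration.

```python
"""Technical threat intelligence with a lifespan, applied to egress logs.

Added example, not code from the original post. The feed entries, the log
lines, the 7-day lifespan and the escalation threshold are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed: indicator, kind, and when the feed last saw it active.
FEED_CSV = """indicator,kind,last_seen
198.51.100.23,ip,2018-04-25T09:00:00
203.0.113.77,ip,2018-03-01T12:00:00
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256,2018-04-28T00:00:00
"""

# Constructed egress log: timestamp, internal host, destination, port.
LOG_LINES = """2018-04-30T10:01:02 10.0.0.5 198.51.100.23 445
2018-04-30T10:01:09 10.0.0.5 203.0.113.77 443
2018-04-30T10:02:15 10.0.0.5 198.51.100.23 445
2018-04-30T10:03:40 10.0.0.9 192.0.2.10 80
2018-04-30T10:04:01 10.0.0.5 198.51.100.23 445
"""

IOC_LIFESPAN = timedelta(days=7)   # assumed: technical indicators go stale fast
ESCALATE_AFTER = 3                 # assumed correlation threshold per host/C2 pair


def load_feed(text, now):
    """Return {indicator: kind} for feed entries still within their lifespan."""
    active = {}
    for row in csv.DictReader(io.StringIO(text)):
        last_seen = datetime.fromisoformat(row["last_seen"])
        if now - last_seen <= IOC_LIFESPAN:
            active[row["indicator"]] = row["kind"]
    return active


def match_log(lines, active):
    """Return (ts, src, dst, port) for every connection to an active IP IOC.

    Each hit is what the monitoring function would block or alert on."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if active.get(dst) == "ip":
            hits.append((ts, src, dst, int(port)))
    return hits


def correlate(hits, threshold=ESCALATE_AFTER):
    """Second-stage rule: a host that keeps reaching the same C2 address is
    an incident, not a single blocked connection. Returns pairs to escalate."""
    counts = defaultdict(int)
    for _, src, dst, _ in hits:
        counts[(src, dst)] += 1
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def run(now=datetime(2018, 4, 30, 12, 0, 0)):
    """Age the feed, match the log, correlate; the stale IP produces no hit."""
    active = load_feed(FEED_CSV, now)
    hits = match_log(LOG_LINES, active)
    return active, hits, correlate(hits)


if __name__ == "__main__":
    active, hits, escalate = run()
    print("active indicators:", sorted(active))
    for hit in hits:
        print("block/alert:", hit)
    print("escalate:", escalate)
```

Note that the connection to 203.0.113.77 is not flagged: its indicator expired, which is the intended behaviour of an aged feed, and also the reason a stale feed silently loses coverage.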

Tuesday, January 31, 2017

Bypassing eCos Embedded Devices Authentication (CVE-2017-1000020)

Disclaimer: Breaking into unauthorized systems and devices is completely illegal. The information provided here is solely for the purpose of sharing knowledge; everything I present is my research material, so that the public can remain safe and benefit from my research.

We have heard a lot of stories about routers being vulnerable to attacks, routers being part of a botnet, routers distributing malware, or lately the story about the Mirai bot. Let's get into my story here...

Lately, I was working with some router setups on a TOTOLINK SOHO router. I performed a router setup and updated my password for the administrator login. After some days I thought of changing some settings and was trying to log into the router, but unfortunately I had forgotten my last password. Instead of pressing the reset button, erasing everything and starting with a fresh setup, I thought of taking this issue a bit further and looking into it a bit more. I had heard some stories about public exploits being available for TOTOLINK routers. I thought of checking all of them, for my benefit and for learning purposes, but none of them were of any use to me.

At times, while I tried to access the router login page, there was one thing that would grab my attention. While trying to access the router login page, 'wizard.htm' (the router setup page) would show up for about half a second or so and then get redirected to 'login.htm', and if I tried to access the 'wizard.htm' page the router would not show it and would instead show the login page (login.htm) again. Until I cleared my browser cache and started the same process again, the process would then show the same results as before. I thought of looking into this issue and into ways of bypassing the authentication mechanism. Looking at the page source of 'login.htm' showed a line with a JavaScript file named 'language_en.js'. I looked inside it and found the internal page names like 'menu.htm', 'password.htm', 'upload.htm', 'route.htm', and all the other pages with heavy information that an attacker would need. Okay, that could come in handy later, because accessing those pages now would return nothing but the login page again.
 
Main Login page for Totolink Router

If you have been into networking a bit, you probably know what a three-way handshake is. Generally, the Transmission Control Protocol (TCP) uses a three-way handshake (SYN, SYN-ACK, ACK) to set up a connection over an Internet Protocol (IP) network before any data is exchanged; until the final ACK arrives, the server keeps the connection in a half-open state. I won't be telling you the in-depth story of the three-way handshake and how it works for now. Let's get back to the story again...
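As an added example (not part of the original post), the following Python models the handshake above from the server's side: a listener that answers a SYN with a SYN-ACK, parks the connection as half-open until the matching ACK arrives, and has to drop new SYNs while its half-open queue is full. The queue size and the timeout are assumptions chosen to keep the example small; it is a model, not a TCP stack, but it shows why SYNs that are never acknowledged leave no room for a real client, which is the mechanism the rest of the post relies on.

```python
"""Three-way handshake and half-open connections, modelled in plain Python.

Added example, not from the original post. BACKLOG and SYN_TIMEOUT are
assumed values; real stacks use larger queues and defences such as SYN
cookies, which this model deliberately leaves out."""
from collections import OrderedDict

BACKLOG = 4          # assumed: half-open queue size
SYN_TIMEOUT = 30     # assumed: seconds before a half-open entry is discarded


class Listener:
    """Server side of the handshake for one listening port."""

    def __init__(self, isn=1000):
        self.isn = isn                      # next server initial sequence number
        self.half_open = OrderedDict()      # (src, sport) -> (server_seq, expiry)
        self.established = []
        self.dropped = 0                    # SYNs refused because the queue was full

    def on_syn(self, src, sport, client_seq, now):
        """Step 1 -> 2: a SYN arrives; reply SYN-ACK and hold the state."""
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1               # this SYN gets no answer at all
            return None
        server_seq = self.isn
        self.isn += 1
        self.half_open[(src, sport)] = (server_seq, now + SYN_TIMEOUT)
        return {"flags": "SYN-ACK", "seq": server_seq, "ack": client_seq + 1}

    def on_ack(self, src, sport, ack, now):
        """Step 3: the client's ACK completes the handshake if it matches."""
        self._expire(now)
        entry = self.half_open.get((src, sport))
        if entry is None or ack != entry[0] + 1:
            return False
        del self.half_open[(src, sport)]
        self.established.append((src, sport))
        return True

    def _expire(self, now):
        stale = [k for k, (_, expiry) in self.half_open.items() if expiry <= now]
        for key in stale:
            del self.half_open[key]


def normal_handshake():
    """A well-behaved client: SYN, SYN-ACK, ACK -> established."""
    srv = Listener()
    synack = srv.on_syn("192.0.2.10", 40000, client_seq=500, now=0)
    if synack is None or synack["ack"] != 501:
        return False
    return srv.on_ack("192.0.2.10", 40000, ack=synack["seq"] + 1, now=0)


def flood_then_legit():
    """Spoofed SYNs never send the ACK; the queue fills and a real SYN is dropped."""
    srv = Listener()
    for i in range(BACKLOG):
        srv.on_syn("198.51.100.%d" % i, 1024 + i, client_seq=i, now=1)
    answered = srv.on_syn("192.0.2.10", 40000, client_seq=500, now=2)
    return answered is None and srv.dropped == 1


def backlog_recovers():
    """Once the half-open entries time out, the listener answers again."""
    srv = Listener()
    for i in range(BACKLOG):
        srv.on_syn("198.51.100.%d" % i, 1024 + i, client_seq=i, now=1)
    later = srv.on_syn("192.0.2.10", 40000, client_seq=500, now=1 + SYN_TIMEOUT)
    return later is not None


if __name__ == "__main__":
    print("handshake completes:", normal_handshake())
    print("legit SYN dropped during flood:", flood_then_legit())
    print("listener recovers after timeout:", backlog_recovers())
```

The recovery function is the reason a flood has to be sustained: as soon as the attacker stops, the half-open entries age out and the device answers again.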

"What if I could stop the process right at the 'wizard.htm' page or may be slow down the process and see what I could do around there?" was the question in my mind.
Okay that sounds fun! but how?

How about performing a slow Denial of Service (DoS) attack, with some play and pause on the device's replies?

Wow that sounds much better!

Lets get started...

Hping3 came in handy this time. If you don't know what it is, hping3 is a network tool able to send custom TCP/IP packets and display the target's replies, just as the ping program does with ICMP replies.

I then hit the device with a SYN flood to execute my slow DoS using hping3. By the way, SYN flood and FIN flood both worked just fine, and I never thought of trying the other flooding options.

hping3 in FIN flood mode


FIN flood attack in action

So, a SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system without ever completing the handshake, in an attempt to consume enough of the target's resources (half-open connection state and CPU) that it becomes unresponsive to legitimate traffic.

Now, while the flood is still running, go back to your browser, clear your cache (required most of the time), and enter the router IP followed by the page you want, for example ip/reboot.htm or ip/menu.htm. It can take some trial and error, depending on how well the router withstands the flood, but after a while it will finally serve the page we asked for.

Conclusion: the eCos embedded web server used by multiple routers, while receiving SYN flood or FIN flood packets, fails to validate and handle the packets correctly and serves the requested page without asking for any authentication, resulting in an authentication bypass.

Shodan Search Result

What could go wrong?
An attacker can take full advantage of this bug and take over the device remotely or locally.
At the time of writing, SHODAN reported 11,887 'eCos Embedded Web Servers', but the number of internet users running TOTOLINK, Greatek and other routers not shown by Shodan is likely higher than the result suggests. TOTOLINK and Greatek routers were tested and found vulnerable.

Changing the DNS settings, changing the IP routes, changing passwords, flashing rogue firmware, or more zombie devices joining the Mirai bot army could all be outcomes of such a vulnerability.

As always, updating the device to the latest firmware version is highly recommended where one is available. If you find more information related to this bug, feel free to share or exchange ideas.