In the run-up to Ars Frontiers, I had the opportunity to talk with Lesley Carhart, director of Incident Response at Dragos. Known on Twitter as @hacks4pancakes, Carhart is a veteran responder to cyber incidents affecting critical infrastructure and has been dealing with the challenges of securing industrial control systems and operational technology (OT) for years. So it seemed appropriate to get her take on what needs to be done to improve the security of critical infrastructure both in industry and government, particularly in the context of what’s going on in Ukraine.
Much of it is not new territory. “Something that we’ve noticed for years in the industrial cybersecurity space is that people from all different organizations, both military and terrorists around the world, have been pre-positioning to do things like sabotage and espionage via computers for years,” Carhart explained. But these sorts of things rarely get attention because they’re not flashy—and as a result, they don’t get attention from those holding the purse strings for investments that might correct them.
As a result, Carhart said, organizations aiming to benefit from the exploitation of industrial technology have spent years “trying to build their capacity so that when a geopolitical situation arose that it would be fruitful for them to do so, [they would] be able to attack infrastructure systems using cyber.”
An example of these capabilities is Pipedream, "a collection of tools that could be used to potentially intrude into industrial control systems and cause an impact to certain types of systems,” Carhart noted. Pipedream was uncovered by security professionals before it could be used to do damage, but it demonstrates that “people are pre-positioning to do things in the future,” Carhart said. “They have learned over the years, and certainly over the last couple of months, that sabotage, espionage, and information operations can be incredibly valuable as an element to traditional warfare… to demoralize enemies, sow confusion and dissent, and also impact the critical services that a civilian population uses while they're also dealing with an armed conflict.”
Much is being done to defend industrial networks and to prepare them for trouble. But “some industries are much more well-resourced than others” for those tasks, Carhart noted. Municipally owned utilities aren’t on the same footing, resource-wise, as large corporations with vast cybersecurity budgets. The US Cybersecurity and Infrastructure Security Agency (CISA) and other organizations are trying to provide the resources that municipal and other smaller utilities need. But just how much CISA can do going forward to protect these organizations and other state and local providers of critical infrastructure is an open question.
Operational technology has a much longer life cycle than “normal” IT. We talked about what that means, both from the standpoint of securing existing OT and finding the people to do the critical work to establish and maintain that security. While some improvements are coming to security as Windows 10 makes its way into embedded systems and other OT, Carhart said, “we’ll probably be seeing Windows 10 for another 30 years in those environments”—and along with it, many of the security challenges IT has been facing down for years already.
On Ukraine’s battlefields, the simple act of powering up a cellphone can beckon a rain of deathly skyfall. Artillery radar and remote controls for unmanned aerial vehicles may also invite fiery shrapnel showers.
This is electronic warfare, a critical but largely invisible aspect of Russia’s war against Ukraine. Military commanders largely shun discussing it, fearing they’ll jeopardize operations by revealing secrets.
A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.
The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.
Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that, when picked up and processed by UNISOC's firmware, would end in a heap memory overwrite.
"We scanned NAS message handlers within a short period of time and found a vulnerability which can be used to disrupt the device's radio communication through a malformed packet," the researchers wrote in a detailed and fascinating advisory this week.
"A hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location." They stressed that the flaw was in the firmware of the UNISOC chipset and not the Android operating system.
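The bug class the researchers describe, a length field received over the air and trusted when copying into a heap buffer, as an added illustration written for this page. It is not UNISOC's firmware and not Check Point's code: the information-element layout, the 16-byte allocation and the two sample packets are constructed for the example, and the real NAS handler that was found vulnerable is not described here. The vulnerable variant is shown only for contrast and is never fed the malformed packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed information-element (IE) layout, loosely modelled on the
 * type-length-value encoding used in 3GPP NAS messages:
 *   byte 0   : IE identifier
 *   byte 1   : declared length of the value
 *   bytes 2..: value
 * This is NOT UNISOC's message format or the handler Check Point found. */
#define IE_VALUE_MAX 16

typedef struct {
    uint8_t  iei;
    uint8_t  len;
    uint8_t *value;   /* heap allocation of IE_VALUE_MAX bytes */
} ie_t;

/* Vulnerable pattern: the declared length from the radio packet is trusted.
 * A length byte larger than IE_VALUE_MAX overwrites heap memory past the
 * allocation; larger than the received packet, it also reads past the packet.
 * Never call this with untrusted input; it is here only to show the defect. */
int parse_ie_vulnerable(const uint8_t *pkt, size_t pkt_len, ie_t *out) {
    if (pkt_len < 2) return -1;
    out->iei   = pkt[0];
    out->len   = pkt[1];
    out->value = malloc(IE_VALUE_MAX);
    if (!out->value) return -1;
    memcpy(out->value, pkt + 2, out->len);       /* BUG: len never checked */
    return 0;
}

/* Hardened: reject before touching the heap when the declared length exceeds
 * either the destination buffer or the bytes actually received. */
int parse_ie_hardened(const uint8_t *pkt, size_t pkt_len, ie_t *out) {
    if (pkt_len < 2) return -1;
    uint8_t len = pkt[1];
    if (len > IE_VALUE_MAX) return -1;           /* would overflow the allocation */
    if ((size_t)len > pkt_len - 2) return -1;    /* claims more bytes than were sent */
    out->iei   = pkt[0];
    out->len   = len;
    out->value = malloc(IE_VALUE_MAX);
    if (!out->value) return -1;
    memcpy(out->value, pkt + 2, len);
    return 0;
}

void ie_free(ie_t *ie) { free(ie->value); ie->value = NULL; }

/* Constructed sample packets, not captured traffic. */
static const uint8_t GOOD_PKT[]      = { 0x50, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t MALFORMED_PKT[] = { 0x50, 0xff, 0x01, 0x02 };  /* claims 255 value bytes */

/* Wrappers that reduce each outcome to a single return value. */
int hardened_accepts(const uint8_t *pkt, size_t n) {
    ie_t ie = {0};
    int rc = parse_ie_hardened(pkt, n, &ie);
    ie_free(&ie);
    return rc == 0;
}

int vulnerable_parses_good_packet(void) {
    ie_t ie = {0};
    int ok = parse_ie_vulnerable(GOOD_PKT, sizeof GOOD_PKT, &ie) == 0
          && ie.len == 4 && ie.value[0] == 0xde && ie.value[3] == 0xef;
    ie_free(&ie);
    return ok;
}

int main(void) {
    printf("hardened accepts good packet:      %d\n", hardened_accepts(GOOD_PKT, sizeof GOOD_PKT));
    printf("hardened accepts malformed packet: %d\n", hardened_accepts(MALFORMED_PKT, sizeof MALFORMED_PKT));
    return 0;
}
```

The two checks in the hardened parser are independent: the first protects the heap allocation, the second protects against reading past the received frame. A baseband that gets either one wrong turns a single unauthenticated broadcast message into a crash, which is the denial of service the advisory describes.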
UNISOC is a 21-year-old chip designer based in China that spent the first 17 years of its life known as Spreadtrum Communications, and that by 2011 was supplying chips for more than half of the mobile phones in the country. In 2018, the company changed its name to UNISOC. Its chips are found mostly in smartphones in Asia and Africa because of the low price of its silicon.
According to market analyst firm Counterpoint, UNISOC is the fourth-largest smartphone chip house in the world, behind MediaTek, Qualcomm and Apple.
The notorious Conti ransomware gang has working proof-of-concept code to exploit low-level Intel firmware vulnerabilities, according to Eclypsium researchers.
Recently leaked Conti documents show the criminals developed the software more than nine months ago, and this is important because exploiting these kinds of weaknesses expands the extent and depth of an intrusion, the firmware security shop's analysis noted.
Specifically, we're told, Conti came up with code that targeted the Intel Management Engine (ME), a tiny hidden computer – with its own CPU, OS and software – within a processor chipset that runs independently from the main cores and provides various features including out-of-band management. The ME has total control over the box, so if you manage to compromise the ME, you'll be able to persistently infect and affect the machine below the operating system and its defenses.
The leaks show that the gang was fuzzing the ME to find undocumented commands and vulnerabilities. As a side note: although Conti engineers were looking for new ME vulns, the Eclypsium researchers have published a list of known ME flaws (plus related Intel advisories and CVEs) that enable remote code execution or privilege escalation. So it would be wise to take a quick break from reading this and make those fixes now if you haven't already.
Researchers have unearthed a discovery that doesn’t occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even from a forensic investigation.
On Thursday, researchers from Intezer and The BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.
Researchers for Intezer and BlackBerry wrote:
What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.
With the help of LD_PRELOAD, Symbiote will load before any other shared objects. That allows the malware to tamper with other library files loaded for an application.
“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured,” the researchers wrote. “In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.”
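The filter-poisoning step the researchers describe, as an added illustration for this page; it is not Symbiote's code and not the researchers'. It implements a small classic-BPF interpreter in userspace, the administrator's `tcp` filter, and the prefix an implant could prepend so that its own traffic is filtered out before the administrator's instructions run. The port 4444 is an assumption (the report names no port), the frame offsets assume Ethernet/IPv4 without options/TCP, and the frames are constructed, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal classic-BPF (cBPF) subset; opcodes match Linux <linux/filter.h> but
 * are redefined so the file builds anywhere. Only what the filters below need. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define LD_H_ABS 0x28  /* A = big-endian u16 at pkt[k]       */
#define LD_B_ABS 0x30  /* A = pkt[k]                         */
#define JEQ_K    0x15  /* pc += (A == k) ? jt : jf           */
#define RET_K    0x06  /* return k; 0 means "do not capture" */

/* Userspace interpreter. Returns the snapshot length, 0 = packet filtered out. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n, const uint8_t *pkt, size_t len) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case LD_H_ABS:
            if ((size_t)in->k + 2 > len) return 0;
            A = (uint32_t)pkt[in->k] << 8 | pkt[in->k + 1];
            break;
        case LD_B_ABS:
            if ((size_t)in->k + 1 > len) return 0;
            A = pkt[in->k];
            break;
        case JEQ_K:
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case RET_K:
            return in->k;
        default:
            return 0;   /* unsupported opcode: fail closed */
        }
    }
    return 0;           /* ran off the end */
}

/* Fixed offsets for Ethernet / IPv4 without options / TCP. */
enum { OFF_ETHERTYPE = 12, OFF_IPPROTO = 23, OFF_SPORT = 34, OFF_DPORT = 36, FRAME_LEN = 54 };

#define C2_PORT 4444   /* hypothetical implant port; the report names none */

/* What the administrator asked for: the equivalent of tcpdump 'tcp'. */
static const struct cbpf_insn ADMIN_PROG[] = {
    { LD_H_ABS, 0, 0, OFF_ETHERTYPE },
    { JEQ_K,    0, 3, 0x0800        },  /* not IPv4 -> drop */
    { LD_B_ABS, 0, 0, OFF_IPPROTO   },
    { JEQ_K,    0, 1, 6             },  /* not TCP  -> drop */
    { RET_K,    0, 0, 0xffff        },  /* capture          */
    { RET_K,    0, 0, 0             },  /* drop             */
};

/* What a hook on the capture library could prepend: drop anything touching
 * C2_PORT, otherwise fall through to the administrator's program. Every jump
 * is relative, so the two arrays concatenate without relocation. */
static const struct cbpf_insn IMPLANT_PREFIX[] = {
    { LD_H_ABS, 0, 0, OFF_ETHERTYPE },
    { JEQ_K,    0, 7, 0x0800        },  /* not IPv4: skip to admin program      */
    { LD_B_ABS, 0, 0, OFF_IPPROTO   },
    { JEQ_K,    0, 5, 6             },  /* not TCP: skip to admin program       */
    { LD_H_ABS, 0, 0, OFF_SPORT     },
    { JEQ_K,    2, 0, C2_PORT       },  /* from C2 -> hide                      */
    { LD_H_ABS, 0, 0, OFF_DPORT     },
    { JEQ_K,    0, 1, C2_PORT       },  /* to C2 -> hide, else admin program    */
    { RET_K,    0, 0, 0             },  /* hide: the capture tool never sees it */
};
#define LEN(a) (sizeof (a) / sizeof (a)[0])

/* Constructed frame (not captured traffic): only the fields the filters read are set. */
static size_t make_tcp_frame(uint8_t *buf, uint16_t sport, uint16_t dport) {
    memset(buf, 0, FRAME_LEN);
    buf[OFF_ETHERTYPE] = 0x08; buf[OFF_ETHERTYPE + 1] = 0x00;
    buf[14] = 0x45;                           /* IPv4, IHL = 5 */
    buf[OFF_IPPROTO] = 6;                     /* TCP           */
    buf[OFF_SPORT] = (uint8_t)(sport >> 8); buf[OFF_SPORT + 1] = (uint8_t)sport;
    buf[OFF_DPORT] = (uint8_t)(dport >> 8); buf[OFF_DPORT + 1] = (uint8_t)dport;
    return FRAME_LEN;
}

/* Run a constructed TCP frame through the clean or the tampered filter. */
uint32_t capture_decision(int tampered, uint16_t sport, uint16_t dport) {
    uint8_t frame[FRAME_LEN];
    size_t n = make_tcp_frame(frame, sport, dport);
    if (!tampered)
        return cbpf_run(ADMIN_PROG, LEN(ADMIN_PROG), frame, n);
    struct cbpf_insn prog[LEN(IMPLANT_PREFIX) + LEN(ADMIN_PROG)];
    memcpy(prog, IMPLANT_PREFIX, sizeof IMPLANT_PREFIX);
    memcpy(prog + LEN(IMPLANT_PREFIX), ADMIN_PROG, sizeof ADMIN_PROG);
    return cbpf_run(prog, LEN(prog), frame, n);
}

int main(void) {
    printf("web traffic, clean filter:    %u\n", capture_decision(0, 51000, 80));
    printf("web traffic, tampered filter: %u\n", capture_decision(1, 51000, 80));
    printf("C2 traffic, clean filter:     %u\n", capture_decision(0, 51000, C2_PORT));
    printf("C2 traffic, tampered filter:  %u\n", capture_decision(1, 51000, C2_PORT));
    return 0;
}
```

The practical consequence for responders is that the filter lives only on the compromised host: a capture taken from a network tap or switch span port is not subject to it, which is why the researchers' own comparison between host-side and network-side visibility matters when a machine is suspected of carrying this kind of implant.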
For the last two months, Costa Rica has been under siege. Two major ransomware attacks have crippled many of the country’s essential services, plunging the government into chaos as it scrambles to respond. Officials say that international trade ground to a halt as the ransomware took hold and more than 30,000 medical appointments have been rescheduled, while tax payments have also been disrupted. Millions have been lost due to the attacks, and staff at affected organizations have turned to pen and paper to get things done.
Costa Rica’s government, which changed midway through the attacks after elections earlier this year, has declared a “national emergency” in response to the ransomware—marking the first time a country has done so in response to a cyberattack. Twenty-seven government bodies were targeted in the first attacks, which ran from mid-April until the start of May, according to new president Rodrigo Chaves. The second attack, at the end of May, has sent Costa Rica’s health care system into a spiral. Chaves has declared “war” on those responsible.
At the heart of the hacking spree is Conti, the notorious Russia-linked ransomware gang. Conti claimed responsibility for the first attack against Costa Rica’s government and is believed to have some links to the ransomware-as-a-service operation HIVE, which was responsible for the second attack impacting the health care system. Last year, Conti extorted more than $180 million from its victims, and it has a history of targeting health care organizations. However, in February thousands of the group’s internal messages and files were published online after it backed Russia’s war against Ukraine.
The vulnerability, called PACMAN, assumes that there is already a software bug in operation on the computer that can read and write to different memory addresses. It then exploits a detail of the M1 hardware architecture to give the bug the power to execute code and possibly take over the operating system. “We assume the bug is there and we make it into a more serious bug,” says Joseph Ravichandran, a student of MIT’s Mengjia Yan who worked on the exploit with fellow students Weon Taek Na and Jay Lang.
To understand how the attack works you have to get a handle on what pointer authentication is and how a detail of processor architecture called speculative execution works. Pointer authentication is a way to guard against software attacks that try to corrupt data that holds memory addresses, or pointers. For example, malicious code might execute a buffer overflow attack, writing more data than expected into a part of memory, with the excess spilling over into a pointer’s address and overwriting it. That might then mean that instead of the computer’s software executing code stored at the original address, it is diverted to malware stored at the new one.
Pointer authentication stores a short cryptographic signature, the pointer authentication code (PAC), in the otherwise unused upper bits of the pointer. If there’s any malicious manipulation of the pointer, the signature will no longer match it. PACs are used to guard the core of the system’s operating system, the kernel. If an attacker got so far as to manipulate a kernel pointer, the mismatch between the pointer and its authentication code would produce what’s called an “exception,” and the system would crash, ending the malware’s attack. Malware would have to be extremely lucky to guess the right code, about 1 in 65,000.
PACMAN finds a way for malware to keep guessing over and over without any wrong guesses triggering a crash. How it does this goes to the heart of modern computing. For decades now, computers have been speeding up processing using what’s called speculative execution. In a typical program, which instruction comes next often depends on the outcome of the previous one (think if/then). Rather than wait around for the answer, modern CPUs will speculate—make an educated guess—about what comes next and start executing instructions along those lines. If the CPU guessed right, this speculative execution has saved a bunch of clock cycles. If it turns out to have guessed wrong, all the work is thrown out, and the processor begins along the correct sequence of instructions. Importantly, the mistakenly computed values are never architecturally visible to the software: there is no program you could write that would simply output the results of speculative execution. What speculation does leave behind are microarchitectural traces, such as which data was pulled into the cache, and those traces are what side-channel attacks like PACMAN measure.
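Pointer authentication and the guessing budget it imposes, as an added toy model for this page. It is not the researchers' code and not Apple's implementation: it uses a 16-bit tag in the upper pointer bits and a non-cryptographic mixing function in place of the hardware-keyed cipher, and the addresses, modifier and key are made up. It covers the pointer-authentication half of the explanation above; the speculative oracle that lets PACMAN test guesses without faulting depends on hardware behaviour and is only described in the comments.

```c
#include <stdint.h>
#include <stdio.h>

#define PAC_BITS  16
#define PAC_SHIFT 48
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define ADDR_MASK (((uint64_t)1 << PAC_SHIFT) - 1)

/* Toy PRF standing in for the hardware-keyed cipher: the splitmix64 finalizer.
 * Not cryptographic; it only has to be a deterministic keyed function here. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Tag over (address bits, modifier, key). The modifier plays the role of the
 * context value (e.g. the stack pointer) that real PAC instructions take. */
uint16_t compute_pac(uint64_t addr, uint64_t modifier, uint64_t key) {
    return (uint16_t)(mix64(addr ^ mix64(modifier ^ key)) & PAC_MASK);
}

/* Sign: put the tag in the upper, otherwise unused, bits of a 48-bit address. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | ((uint64_t)compute_pac(addr, modifier, key) << PAC_SHIFT);
}

/* Authenticate: *ok = 1 and the plain address if the tag matches; *ok = 0 and 0
 * otherwise. Real hardware instead returns a deliberately invalid pointer that
 * faults when dereferenced, which is the crash the article describes. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key, int *ok) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint16_t got  = (uint16_t)(signed_ptr >> PAC_SHIFT);
    *ok = (got == compute_pac(addr, modifier, key));
    return *ok ? addr : 0;
}

/* Legitimate use: sign, then authenticate with the same modifier and key. */
int legit_roundtrip(void) {
    int ok;
    uint64_t p = pac_sign(0x00007f12345680ULL, 0xc0ffeeULL, 0x5eedULL);
    return pac_auth(p, 0xc0ffeeULL, 0x5eedULL, &ok) == 0x00007f12345680ULL && ok;
}

/* Memory-corruption model: an attacker with a write primitive replaces the
 * address bits of a signed pointer but cannot compute the matching tag. */
int corrupted_pointer_fails(void) {
    int ok;
    uint64_t p = pac_sign(0x00007f12345680ULL, 0xc0ffeeULL, 0x5eedULL);
    uint64_t forged = (p & ~ADDR_MASK) | (0x00007f4141414140ULL & ADDR_MASK);
    pac_auth(forged, 0xc0ffeeULL, 0x5eedULL, &ok);
    return !ok;
}

/* Brute force: exactly one of the 2^16 tags authenticates for a chosen target,
 * and on real hardware every wrong attempt faults. PACMAN's contribution is an
 * oracle that tests a guess speculatively, so wrong guesses never fault and
 * the whole space can be searched. */
unsigned count_valid_tags(uint64_t target, uint64_t modifier, uint64_t key) {
    unsigned valid = 0;
    for (uint64_t tag = 0; tag <= PAC_MASK; tag++) {
        int ok;
        pac_auth((target & ADDR_MASK) | (tag << PAC_SHIFT), modifier, key, &ok);
        valid += ok;
    }
    return valid;
}

int main(void) {
    printf("roundtrip ok: %d\n", legit_roundtrip());
    printf("corrupted pointer rejected: %d\n", corrupted_pointer_fails());
    printf("tags that authenticate out of %llu: %u\n",
           (unsigned long long)(PAC_MASK + 1),
           count_valid_tags(0x00007f4141414140ULL, 0xc0ffeeULL, 0x5eedULL));
    return 0;
}
```

The point of the model is the asymmetry it makes visible: the defender's security argument rests on every wrong tag costing the attacker a crash, so any mechanism that reports "tag correct or not" without committing the faulting access, which is what the speculative oracle provides, turns a one-shot gamble into a 65,536-step search.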
The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose—or bleed out—data that's expected to remain private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.
The researchers said they successfully reproduced their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture. They also claimed that the technique would work on Intel Xeon CPUs, and they verified that AMD Ryzen processors are vulnerable and that the same SIKE attack used against Intel chips works against them. The researchers believe chips from other manufacturers may also be affected.
In a blog post explaining the finding, research team members wrote:
Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.
Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.
Hertzbleed is a real, and practical, threat to the security of cryptographic software.
We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as “constant time”.
Police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents' secrets, and turn activists' computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets' computers that the same police then used as grounds to arrest and jail them.
More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have SentinelOne's researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.
Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.
The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.
On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.
The suspects are in police custody and will be extradited to Belgium. Dutch police haven't ruled out additional arrests.
According to law enforcement, the crime ring contacted victims via scam emails, text messages, and cellphone messaging apps. These messages included a phishing link that led to fake banking websites, which were used to harvest credentials.
"Thinking they were viewing their own bank accounts through this website, the victims were duped into providing their banking credentials to the suspects," Europol noted, adding that whoever was behind the scams used money mules to transfer funds from victims' accounts before cashing out their loot.
In addition to the millions of stolen euros, those fraudsters also trafficked drugs and possibly firearms, according to police.
An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.
So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, which runs on routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.
The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office (SOHO) routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router, to collect the DNS lookups and network traffic they send and receive, and to remain undetected while doing so is the hallmark of a highly sophisticated threat actor.
"While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."