IEEE Cipher --- Items from security-related news (E161)

  • File Transfer Appliance Leveraged for Fun and Profit

    Starting in December of 2020, a flaw in a file transfer system was widely exploited to cause havoc across the vendor's customer base.

    • Privacy vs. Criminal Extortion, The Two-Pronged Ransomware Dilemma
      Ransomware group targets universities in Maryland, California in new data leaks
      The Clop ransomware group has posted financial documents and passport information allegedly belonging to the University of Maryland and the University of California online.
      Publisher: ZDNET
      Date: March 30, 2021
      By: Charlie Osborne

      One of the many ransomware groups operating today is called "Clop". They have a double-threat attack that exfiltrates files and then encrypts them locally. An organization that can overcome the encryption problem with backups will still be subjected to extortion if any of the files contained sensitive information, such as names and social security numbers or passport data. The University of California Merced, University of Maryland, University of Miami, University of Colorado, and Shell seem to have endured the disclosures rather than pay the extortion demands.

    • File Server Vendor Responds to Exploitation of Legacy Product
      Press Release: Accellion Provides Update to FTA Security Incident Following Mandiant’s Preliminary Findings
      Mandiant Identifies Criminal Threat Actor and Mode of Attacks
      Publisher: Accellion
      Date: February 22, 2021

      Accellion published the patches needed to protect its legacy file transfer app from exploitation by ransomware actors. They emphasize that only a couple of dozen customers suffered significant consequences from the exploit.

      The four steps in the compromise of the application were:

      • SQL injection via a crafted Host header
      • OS command execution via a local web service call (takes advantage of improper parsing of commands that execute locally)
      • SSRF (server-side request forgery) via a crafted POST request
      • OS command execution via a crafted POST request
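      The first step in that chain, SQL injection through the Host header, is the one a defender can most directly illustrate. The following is an added example, not code from Accellion's FTA or from the Mandiant report: a constructed SQLite tenant-lookup table and two lookup functions, one that interpolates the request's Host header into the query text, and a hardened version that allowlists the header against the hostnames the deployment actually serves and binds it as a query parameter. The table, hostnames and secrets are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data: a tenant table keyed by virtual-host name,
# standing in for whatever an appliance looks up from the Host header.
ALLOWED_HOSTS = {"fta.example.com", "fta2.example.com"}


def make_db():
    """Build an in-memory database with two constructed tenant rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (host TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO tenants VALUES (?, ?)",
        [("fta.example.com", "tenant-a-key"), ("fta2.example.com", "tenant-b-key")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, host_header):
    """Interpolates the attacker-controlled header straight into SQL.

    Any quote character in the header changes the query's structure, so a
    header that is not a hostname at all can widen the WHERE clause and
    return rows for every tenant.
    """
    sql = f"SELECT secret FROM tenants WHERE host = '{host_header}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn, host_header):
    """Allowlist the header, then bind it as a parameter.

    Returns None when the header is not one of the hostnames this
    deployment serves; the database never sees the raw header text as SQL.
    """
    host = host_header.strip().lower()
    if host not in ALLOWED_HOSTS:
        return None
    rows = conn.execute("SELECT secret FROM tenants WHERE host = ?", (host,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "fta.example.com"))   # one tenant, as intended
    print(lookup_vulnerable(db, "x' OR '1'='1"))       # every tenant's secret
    print(lookup_hardened(db, "x' OR '1'='1"))         # None: rejected
    print(lookup_hardened(db, "FTA.example.com"))      # one tenant
```

      The allowlist is the part that matters for a Host header specifically: the server, not the client, knows which virtual hosts it serves, so the header should be compared against that fixed set before it is used for anything, and parameter binding then guarantees the value cannot alter the query even if the allowlist is later loosened.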

    • SQL Injection, the Root of All Evil
      Threat Research: Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

      Publisher: FireEye
      Date: February 22, 2021
      By: Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody

      This is a description from FireEye of the early results from their investigation of the compromise of the Accellion file transfer app. The core of the exploit involved installing a "web shell" that could run arbitrary commands locally. The shell had not been seen before, and the method of delivery was obscure.

      "... the DEWMODE web shell is written to the system. The timing of these requests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not indicate the exact mechanism used to write DEWMODE to disk."

    • Extorters Reveal Company's Intellectual Property
      Airplane maker Bombardier data posted on ransomware leak site following FTA hack

      Publisher: ZDNET
      Date: February 23, 2021
      By: Catalin Cimpanu

      One of the users of Accellion's FTA app was an airplane manufacturer, Bombardier. Although they carefully segmented their network to isolate their operational resources from more outward-facing applications, like FTA, they were still subjected to exposure of their internal designs by the exploit. FTA is a web-based file sharing app that handles arbitrarily large files, and one might assume that they needed FTA to share information with engineering design partners. As the saying goes, "Trust but encrypt!".

  • Facebook's Neverending Privacy Failure

    • Major Privacy Compromise Strikes FB Users
      Half a billion Facebook users' information posted on hacking website, cyber experts say
      Publisher: CNN Business
      Date: April 5, 2021
      By: Donie O'Sullivan

      This isn't exactly news, but it is significant. Back in 2019, Facebook realized that its trusted partners had the ability to exfiltrate users' personal data, and a giant trove of it turned up online (Hundreds of millions of phone numbers once tied to Facebook accounts posted online). The data has since been usefully indexed and reposted, providing hackers with a more powerful tool for identity theft. Only about 1% of the US population is exposed in this database. Access to the information was being offered for bargain basement prices.

    • Your Information Was Probably Compromised ... Ho Hum
      Facebook does not plan to notify half-billion users affected by data leak
      Publisher: Reuters
      Date: April 7, 2021
      By: Elizabeth Culliford

      Facebook seems unconcerned about the recently posted database of users' personal information, dismissing the information as "old". It was current in 2019, and few people are likely to have changed all their identifying information in the past two years, but the company does not think that it is subject to past settlements requiring notifications to users in the event of a privacy breach. The US FTC and Ireland's Data Protection Commission are both seeking answers from the company.

  • Emissions Testing Hits 404
    Hackers shut down emissions tests in parts of 8 states, including Utah
    Publisher: KSL TV
    Date: April 8, 2021
    By: Dan Rascon

    Applus+ Technologies in Wisconsin seems like an innocuous player in the database game. However, when they were hit by ransomware, vehicle emissions testing companies across the US faced a week without income. Apparently the companies lost the ability to upload the testing results to the DMV sites. Owners who needed to get the test results to the DMV immediately were told to get 30 day temporary permits.

  • Fed Chair Looks Deep Into the Eyes of Cyber and Sees the Abyss
    Cyberattacks are the number-one threat to the global financial system, Fed chair says
    Publisher: CNN Business
    Date: April 12, 2021
    By: Brian Fung

    Federal Reserve Chairman Jerome Powell says that he fears a breakdown in liquidity if an attack should blockade money transfers for banks or payment processors. That could cause as much damage as any human-caused swings in investment. Powell also said that if the US gets involved in cryptocurrency, it will be "done right".

  • The FBI is Your Uninvited IT Staff
    FBI hacks vulnerable US computers to fix malicious malware
    US justice department says bureau hacked devices to remove malware from insecure software
    Publisher: The Guardian
    Date: 14 Apr 2021
    By: Alex Hern

    Some hundreds of privately owned US computer servers got an unrequested upgrade from the FBI. Although Microsoft published the critical patches quite a while ago, not all companies took the trouble to apply them. Because the vulnerability could be used to attack other systems, the FBI took the extraordinary step of applying the patches by first exploiting the vulnerability and then closing it from within.

  • Software Hacks Defeat Oil Infrastructure

    • Unctuous Ransomware Hackers
      Cyber attack shuts down U.S. fuel pipeline "jugular," Biden briefed

      Publisher: Reuters
      Date: May 7, 2021
      By: Christopher Bing and Stephanie Kelly

      Perhaps you'd never heard of Colonial Pipeline before it shut down for a week. It's an important piece of infrastructure: "Colonial transports 2.5 million barrels per day of gasoline, and other fuels through 5,500 miles (8,850 km) of pipelines linking refiners on the Gulf Coast to the eastern and southern United States. It also serves some of the country's largest airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic." When it was crippled by a ransomware attack, it shut down delivery, turning off that 2.5 billion barrels per day and causing panic buying in the eastern US. "... investigators are looking at a group dubbed "DarkSide," known for deploying ransomware and extorting victims while avoiding targets in post-Soviet states."

    • Biden Acts on Cybersecurity
      Biden cybersecurity order mandates new rules for govt software
      Publisher: Reuters
      Date: May 12, 2021
      By: Christopher Bing and Nandita Bose

      Back in March, after the SolarWinds exploits, Biden drafted an order that was touted as requiring more cooperation from software vendors when their US government customers were affected by exploits (Reuters, March 25). The Colonial Pipeline fiasco apparently spurred Biden to sign the draft, which also creates an organization to review major security failures. Furthermore, it mandates two-factor authentication and encryption for not just communication, but also stored data.

      More rules will be drawn up and enforced through government software acquisition contracts.

    • Advantage to RW
      How the Colonial Pipeline hack is part of a growing ransomware trend in the US
      Cybercriminals have attacked solar power firms, water treatment plants and police departments in attempts to extort money. Motorists were faced with long lines and dry pumps after Colonial Pipeline was shut down following a ransomware attack.
      Publisher: The Guardian
      Date: 14 May 2021
      By: Adam Gabbatt

      This article is an overview of the scope of serious ransomware attacks against computer systems in the US. It notes that Colonial Pipeline's vulnerability stemmed from the need to protect the health of workers by letting them work remotely. The company allegedly paid $5M in ransom in order to bring back operations.

      The large number of attacks means that a lot of money is changing hands and sophisticated versions of ransomware are being promulgated widely. There are even tech support hotlines for attackers to consult. This has gone from a food truck movement to a major industry.

    • RW website vanishes
      Ransomware group's extortion website offline after cyberattack leads to shutdown of major fuel pipeline

      Publisher: CNN
      Date: May 14, 2021
      By: Geneva Sands and Natasha Bertrand

      The website used by the ransomware group that struck Colonial Pipeline went offline after posting the message "A couple of hours ago, we lost access to the public part of our infrastructure," including its blog and payment server. Security experts were divided as to whether or not law enforcement had taken down the website or if it was an "exit scam" by the hackers.

  • WiFi's Unfixable Insecurities
    Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation
    By: Mathy Vanhoef, New York University Abu Dhabi

    This research paper about some serious flaws in the WiFi protocol has raised a great deal of discomfort. Although it was known that there was some hand-waving in the WiFi specifications when it came to handling fragmented packets, no one had looked at the problem seriously until now. There is a hodge-podge of implementation variations, some of them quite insecure. The paper will be presented at USENIX Security in August, but

  • How Bad Crypto Machines Became Good Business
    Swiss cabinet blames intelligence community for Crypto AG affair

    Publisher: Reuters
    Date: May 28, 2021

    I think that most people with even a small amount of cryptography knowledge realized that the US government was collecting at least some intelligence information from intercepts of communication that was encrypted with insecure ciphers. However, the idea that the cryptography implementations were being sold surreptitiously by the US government to unsuspecting users through a Swiss company seemed far-fetched. The reality of it was that the company Crypto AG, based in Switzerland, was doing just that because it was actually owned by the US CIA and the German BND intelligence service. This came to light last year, and the Swiss were not amused.

    Bern's investigation into the matter revealed that a small number of people in the Swiss intelligence service chose to approve the operation and keep it a secret unto themselves. The secret "escaped political control." Changes to government rules are being enacted to prevent future escapades.