These days, apart from reading about major incidents like the SolarWinds one, I keep hearing directly from people I know about malware incidents, ransomware incidents and so on. My personal statistics have never been so high. I do not know if this is a personal unlucky end of an unlucky year or a very bad end of an already bad year. I wish to everybody a pandemic-free (in all senses) 2021!
In principle Ransomware is among the simplest malware possible: in its simplest form it does not require zero-day or other vulnerabilities, erroneous security configurations or absence of advanced security measures. It is enough to execute on the target machine some code, with the user’s privileges, which encrypts all user’s data.
All of us continuosly download data on our PCs, smartphones etc. by “surfing” the Web, receiving emails, interacting in social media etc. So spam campaigns, malvertising, drive-by downloads can easily deliver to any PC some Ransomware.
Whereas anti-malware, and in particular anti-ransomware, is often effective against it, the common security mantra of “patch, patch and again patch!” is not said to be that effective since ransomware in principle can avoid to exploit unpatched vulnerabilities.
But most important what is the target of Ransomware attacks?
Ransomware attacks remind us that computers manage primarily information, and the main purpose of the attack is to take hostage this information. What is it good for a computer system if all information it manages is removed and we remain only with the Operating System and the applications? Without a valid backup of the users’ information, most of the value of a computer system is lost, and thus the ransom is paid…
Hardware enclaves, such as Intel Software Guard Extension (SGX), are hardware security features of recent CPUs which allow the isolated execution of critical code. The typical threat model of hardware enclaves includes the totally isolated execution of trusted code in the enclave, considering all the rest of the code and data, operating system included, un-trusted. Software running in a hardware enclave has limited access to all data outside the enclave, whereas everything else does not have any access to what is inside the enclave, hypervisor, operating system and anti-virus included. Hardware enclaves can manage with very high security applications as password and secret-key managers, crypto-currency wallets, DRM etc.
But what could happen if a malware, for example a ransomware, is loaded in a hardware enclave?
First of all, a malware hidden in a hardware enclave cannot be detected since neither the hypervisor, operating system nor any kind of anti-virus can access it. The software to be loaded in a hardware enclave must be signed by a trusted entity, for example for SGX by Intel itself or by a trusted developer. This makes it more difficult to distribute hardware enclave malware, but not completely impossible. Finally, applications running inside a hardware enclave have very constrained access to the outside resources and it was believed that malware could use a hardware enclave (that is part of it could run in a hardware enclave) but that it was not possible for a malware to fully run inside an enclave without any component outside it.
M. Schwarz, S. Weiser and D. Gruss have instead recently shown in this paper that, at least theoretically, it is possible to create a super-malware run entirely from within a hardware enclave. This super-malware would be undetectable and could act as a normal malware on the rest of the system. At the moment countermeasures are not available, but similarly to the case of Spectre and Meltdown they could require hardware modification and/or have impact on the speed of the CPUs.
Recently I have paid some attention to AutoCAD and similar software. Not that I use them or that know much about them, but it definitively striked me both the complexity and the amazing features that some of these applications have. But with complexity, large number of features and dimension of code, come also vulnerabilities, even security vulnerabilities.
A few days ago I noticed this article (here a less technical summary) about AutoCAD malware, which has been around for more than 10 years. The purpose of this malware can be twofold: just another malware infecting channel, or more likely, a very targeted attack channel. Indeed CAD software is used for designing buildings, bridges, tunnels, roads etc., and some blueprints can be worth millions. Companies have taken notice of this, and security features have been introduced in the applications.
But the issue which does not seem to be appreciated enough (I have no statistics though, so I can be wrong on this) is the patching process (and this is not limited to CAD software but applies to other specialised software as for example digital audio or gaming). It seems to me that some of these applications are seldom updated (one needs to download/buy a new version) or that security patches are bundled together with new functionalities which can come at a cost, at least after the initial few years of support.
In my opinion, in an ideal world security patches should be provided for free to anyone until the program is supported. Obviously this can have economical impacts on the company producing the software and could require changes in the way software is built, sold and distributed (costs again).
In my opinion this article “Data breaches, phishing, or malware? Understanding the risks of stolen credentials” by researchers from Google et al., is impressive: hard data which should make all of us (IT security practitioners) think and help improve the security of IT services, now.
It is spring again, and it is time for reports on IT Security or in-Security in 2016.
One thing caught my eye this year, and I am not sure if it is a trend, just a coincidence or my susceptibility: I noticed a comeback of fileless malware, also called counter-intuitively “non-malware”. This is malware which does not install itself on the filesystem of the target machine but instead can load part of itself in memory (RAM), uses tools of the Operating System (PowerShell, WMI etc.) and local applications, hides parameters and data for example in the Widows Registry.
Actually there is nothing really new here, the very old “macros viruses” were of this type. What has changed is that today personal computers and servers run for very long time (very few people switch completely off their computers daily, usually personal computers are just set to “sleep”), which gives a much longer persistence to this type of malware. Obviously fileless malware is more difficult to write and to maintain, but it is also more difficult to identify, that is it has more chances to escape detection by anti-malware and anti-virus programs. Moreover also pure behavioural analysis can be fooled by this type of malware, since it can use standard tools of the machine performing tasks just a little bit out of the ordinary. On the other side, in case of infection the malware is anyway present on the machine, so anti-malware tools have just to look better to find it.
Since at least the ’70s, the time of Multics (see eg. this old document on the vulnerability analysis of Multics security), the Orange Books, Military IT security etc., the role of hardware in IT security has been discussed, evaluated and implemented.
In the last years the discussion has risen again in particular about the possibility of hardware backdoors and malicious hardware. For example, since the publication of the Snowden documents there have been rumors about possible hardware backdoors in Intel, AMD and Cisco products.
A few days ago at the 2016 IEEE Symposium on Security and Privacy has been presented this paper (see eg. also here for a summary) describing how to implement a Hardware Backdoor called Analog Malicious Hardware which, as of today, seems practically impossible to detect. The researchers were able to add a tiny circuit composed by a capacitor and a few transistors wrapped up in a single gate, out of the millions or billions in a modern chip, which acts as the hardware Trojan horse.
How difficult could it be to add a single, almost undetectable gate to the blue prints of a chip at the chip factory? How can be verified that similar gates are not present on a chip?
PS. 10 years ago I gave a couple of seminars in Italian about some aspects of history of IT security and I looked into some issues of how hardware must support the security features of Operating Systems; if interested some slides and a paper (in Italian) can be found here and here.
Monitoring outgoing traffic to detect intrusions in IT systems is not a new concept but often it does not seem to be enough appreciated, understood and implemented.
IT security defences cannot guarantee us against every possibile attack, so we must be prepared to the event of an intrusion and to manage the associated incident.
The first step in incident management is to detect an intrusion. Traditional tools like Anti-Virus, Intrusion Detection/Prevention Systems (IDS/IPS) etc. do their job but they can be bypassed. But intrusions can also be detected by monitoring the outgoing traffic.
In my recent personal experience, some intrusions have been detected and stopped because the outgoing traffic was monitored and blocked. Since the deployed malware was not able to call back home, it did not do anything and there was no damage; and since the outgoing traffic was monitored, the intrusion was immediately detected.
But monitoring the outgoing traffic to detect intrusions is becoming more and more difficult. For example attackers are adopting more often stealth techniques like using fake DNS queries. An interesting example has been recently described by FireEye in “MULTIGRAIN – POINT OF SALE ATTACKERS MAKE AN UNHEALTHY ADDITION TO THE PANTRY” . In this case, malware is exfiltrating data by making DNS calls to domains with names like log.<encoded data to exfiltrate>.evildomain.com . Obviously the DNS query fails, but in the logs of the receiving DNS server it is written the name of the requested domain, that is the data that the malware is exfiltrating.
As attackers are getting more creative to hide the back communication between malware and their Command & Control services, IT Security will need to devise more proactive approaches to monitoring and blocking outgoing traffic.
It is worth reading this script “Hacking Your Phone” from CBS 60 Minutes aired on April 17, 2016.
SS7 vulnerabilities are not new and should be known to the carriers. As usual the problem is on patching and implementing security measures to prevent illegal access to the network (in this demonstration they were legally granted access to SS7).
Malware and what it can do on phones, tablets, PCs etc. should be well known, at least to those who care about IT security.
This describes a new kind of IT ransom which should be much more professional and profitable.
The attacker manages to access some company’s servers, then encrypts the data in the databases but he modifies the DBs access routines to encrypt/decrypt on the fly all data with his own encryption key. In this way for the company all continues to work. He then waits a few months so that all DB backups are encrypted with his keys and at this point deletes the encryption keys from the company’s systems and asks for a ransom to give it back.Notice that backups are unusable because they too are encrypted with the attacker key.
Obviously, strong IT security procedures should prevent and detect this, from off-line testing of backups to intrusion detection.