Notes from the networks beyond · 13.05.2014 Cybercrime Insights 15 Heartbleed Story 0x01 (Admin)...


Cybercrime Insights

Notes from the networks beyond


Introduction - Curesec GmbH

● Technical IT security

● Security Audits

● Tiger Team Audits

● Mobile Phone Audits (Android/iOS)

● Trainings


Curesec GmbH

● Tools:

● For Security Audits

● hbad – Heartbleed Client check

● Vulnerabilities published for instance:

● WhatsApp

● Android

● Guidelines for instance:

● Banking Security


Curesec GmbH

● Office in Berlin

● 7 specialists in different fields

● International projects


Agenda

● Introduction

● Noteworthy security bugs and scenarios

● APT and Cyberespionage

● Conclusion


Heartbleed

● Who has not heard of Heartbleed?

● 7th of April

● Major security flaw in the spine of the internet

● Affected versions 1.0.1[abcdef]

● Patched version 1.0.1g (or the old 0.9.8 branch, which does not have the bug)

● Sleepless nights for admins, security officers and hackers


What happened?

● Heartbeat: a TLS extension

● Used for keeping a session alive

● Process memory can be dumped from the client or the server

● Top Ten Internet Sites also affected

● Google, Facebook, Yahoo ...
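The length check that OpenSSL 1.0.1g added, as an added example in Python (not code from the slides or from Curesec): it validates a heartbeat message body against the record length, which is exactly what an unpatched peer failed to do before echoing its memory back. The two sample messages are constructed here, not captured traffic.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def check_heartbeat(record: bytes):
    """Validate a TLS heartbeat message body the way OpenSSL 1.0.1g does.

    Layout: type (1 byte) | payload_length (2 bytes, big endian) | payload
    | padding (>= 16 bytes). An unpatched peer trusted payload_length and
    echoed that many bytes back, reading past the real payload into its
    own process memory; the fix drops any message whose claimed length
    does not fit inside the record. Returns (accepted, reason).
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return False, "record too short for header plus padding"
    hb_type = record[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, f"unknown heartbeat type {hb_type}"
    (payload_len,) = struct.unpack("!H", record[1:3])
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return False, (f"claims {payload_len} payload bytes but only "
                       f"{len(record) - 3 - MIN_PADDING} are present")
    return True, "ok"


# Constructed samples (not captured traffic): a benign request carrying a
# 4-byte payload, and one that claims 65535 bytes while carrying the same
# 4 bytes, which is the shape a patched peer must discard.
BENIGN = b"\x01" + b"\x00\x04" + b"ping" + b"\x00" * 16
OVERSIZED = b"\x01" + b"\xff\xff" + b"ping" + b"\x00" * 16


def classify(record: bytes) -> str:
    """Label a record for a log line or IDS alert: 'ok' or 'drop: <reason>'."""
    accepted, reason = check_heartbeat(record)
    return "ok" if accepted else f"drop: {reason}"


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(f"{name}: {classify(rec)}")
```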


Who is affected?

Everyone running a vulnerable OpenSSL version with the Heartbeat extension enabled.


What is affected?

● Serverside

● Webserver

● Databaseserver

● Emailserver

● VoIP systems

● VPN

● Custom software


Webserver Example


What is affected?

● Clientside software:

● Browser

● Email clients

● VoIP clients

● VPN clients

● Chat clients

● Custom software linked against a vulnerable OpenSSL version


w3m Example


Interesting Data?

● Private keys (Certificates)

● Usernames and passwords

● Sessionkeys and SessionIDs (e.g. Cookies)

● Video and voice communication

● VPN keys

● Emails

● Forms of the sites, e.g. banking forms, creditcard forms


Heartbleed Story 0x01

● Vulnerability is known, admin patches relevant systems.

● During a security check some days later it is found that core systems to the internet are still vulnerable.

● What happened?


Heartbleed Story 0x01 (Admin)

● The systems were brought to a recent patch level. But the patch for the appliance was dated April 4th, while the vulnerability was published on the 7th, and there was no newer version until April 11th.

● As a result, the appliance update brought the vulnerability into the systems: the older, unpatched version had still been running 0.9.8.


Heartbleed Story 0x01 (Admin)

● 4 days of open attack surface until it was recognized

● Affected: VPN gateway
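The check the admin in Story 0x01 needed, as an added example in Python (not code from the slides or from Curesec): it classifies an OpenSSL version banner against the affected list above and flags a build dated before the 7 April disclosure, which cannot carry the fix however recent the patch level looks. It goes one step beyond the slides by also treating 1.0.2-beta1 as affected, as the OpenSSL advisory did; the version strings are sample banners in the format `openssl version` prints.

```python
import re
from datetime import date

# Timeline from the slides: disclosed 7 April 2014, fixed in 1.0.1g.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)
FIXED_LETTER = "g"

# Matches what `openssl version` prints, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014"; the build date part is optional.
VERSION_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<fix>\d+)"
    r"(?P<letter>[a-z]*)(?:-(?P<tag>[a-z0-9]+))?"
    r"(?:\s+(?P<day>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4}))?"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_openssl_version(banner: str) -> dict:
    """Split a version banner into branch, patch letter, tag and build date."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {banner!r}")
    built = None
    if m.group("year"):
        built = date(int(m.group("year")), MONTHS[m.group("mon")],
                     int(m.group("day")))
    return {"branch": ".".join(m.group("major", "minor", "fix")),
            "letter": m.group("letter"), "tag": m.group("tag"), "built": built}


def is_heartbleed_vulnerable(banner: str) -> bool:
    """1.0.1 up to 1.0.1f are affected, 1.0.1g and later are fixed; 0.9.8
    and 1.0.0 never had the heartbeat code. 1.0.2-beta1 is added here from
    the OpenSSL advisory; the slides only list the 1.0.1 letters."""
    v = parse_openssl_version(banner)
    if v["branch"] == "1.0.1":
        return v["letter"] < FIXED_LETTER   # "" (plain 1.0.1) and a..f
    if v["branch"] == "1.0.2":
        return v["tag"] == "beta1"
    return False


def build_can_contain_fix(banner: str) -> bool:
    """Story 0x01 lesson: a build dated before the disclosure cannot carry
    the fix, however recent the appliance's patch level looks."""
    built = parse_openssl_version(banner)["built"]
    return built is not None and built >= HEARTBLEED_DISCLOSED
```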


Heartbleed Story 0x02 (Scam)

● Some criminals were offering an exploit for Heartbleed against (the patched) version 1.0.1g

● Judging from the style and setup, it could be the same people who offered a fake OpenSSH memory leak

● <pastebin>

● Interesting: the scammer really sends a Heartbleed dump back; however, it was obtained from a different site.


Heartbleed Story 0x03 (invisible)

● Shortly after the vulnerability was published, it was rumoured, and partly even spread through the news, that this bug is so powerful because it is invisible.

● Of course this is not true.

● Most probably those statements were made as the bug was not understood completely.


Heartbleed Story 0x03 (invisible)

● As a result of this wrong assumption, and probably some others, a 19-year-old Canadian student was arrested.

● He had successfully hacked the tax office and stolen / manipulated 900 entries.


Industrial Devices aka SCADA

● What happens if our light, water and power supply is disabled?

● We have reached a level of networking devices at which the question arises whether we should go on networking them.

● This is not anti-technology, this is pro-surviving.


Industrial Devices aka SCADA

● What is the attack surface?

● Energy sector (nuclear, coal, wind, water, sun …)

● Water and sanitation

● Industrial lines and factories


Medical Devices

● While working in the industry...

● Medical devices are still dangerous to attach to the network.

● If you run a hospital or something similar:

● Separate networks

● Don't let patients enter the net

● Don't use weak wireless crypto


Agenda

● Introduction

● Noteworthy security bugs and scenarios

● APT and Cyberespionage

● Finish


APT and Cyberespionage

● Who does remember Stuxnet?

● Ok.

● But do you know:

● Flame (US)

● Uroburos (RU)

● Careto - The Mask (ES)


Story behind Stuxnet

● Remember my note about SCADA security? Well...

● Stuxnet vs. Iranian Nuclear Energy/bomb program

● Fine grained bug which quietly destroyed devices for uranium enrichment

● It not only changed the speed of the devices it also showed the control terminal that everything is normal – sabotage was the goal.


What is an APT?

● Targeted attack

● Goals:

● Retrieving information (e.g. economic, military)

● Espionage

● Sabotage

● Information is used for further action


What is it not?

● It is not internet noise.

● Like SSH brute force

● It is not random hacking

● It is not conducted by cybercriminals – backed by .gov


APT

● So – an APT (Advanced Persistent Threat) is:

● Executed by someone with an agenda

● Usually (well) funded

● Not comparable with an anonymous or active hacker group

● Attackers:

● Governments

● Freelancers working for governments


How do you know it happened?!

● From time to time it is uncovered.

● Flame for instance ranges back to 2004

● More recent APTs:

● „Uroburos“ - 2011

● „Careto“ - 2007


How do you know it was country xyz?

● Of course no country confirms official involvement

● Samples/information in the code

● Artifacts in the code

● Traces on infected systems

● Analysis of the attack's origin


How do you know it was country xyz?

● What countries are infected most?

● Actions conducted by the software:

● Analysing what it is doing, you find common points in the agenda of countries.

● For instance the Iranian nuclear program's most opposing global players are Israel and the US


How do you know it was country xyz?

● RedFlag operations

● Yeah...no. There is no gain in not being able to blame someone.

● So traces to governments exist, but they cannot be proven easily.


Uroburos

● Coming from Russia

● Suspected to be related to Agent.BTZ, which was used to attack the US Government

● Agent.BTZ was used to infect the Department of Defense (DoD) back in 2008

● US said they strongly believe it was conducted by Russia

● We are sure it is a government driven software


Uroburos

● System infection vector is still unknown

● But, as with Agent.BTZ, there are several possible ways

● Leave an interesting device (USB stick, tablet …)

● Social engineer someone

– Put one of your hot female agents on the target.

● Well, it is a spy game: pay someone internally to do it

● Classic hack conducted through 0-day vulnerabilities


Uroburos

● List of supported files:

● Powerpoint

● Excel

● Word

● Pictures

● */*


Features

● Encrypted Filesystem (vfat / ntfs)

● Hiding activities

● Post-Exploitation Tools

● Tools for network surveillance

● Exfiltrating data via

● HTTP (browser emulation, with proxy support)

● ICMP (ping payload)

● SMTP (email emulation)

● Peer to Peer Communication – wait what?!


Peer to Peer

● Peer to Peer Communication

● Between clients in the internal network

● Named pipes are used (RPC)

● Gain access to the outer world


Uroburos

Exfiltrate data from devices that are not connected to the internet


Careto

● Coming from probably Spain

● Spanish slang for „Ugly Face“ or „Mask“

● Yay, another player joined the field.


Careto Targets

● Government institutions

● Diplomatics / embassies

● Energy, oil and gas

● Private companies

● Research institutions

● Private equity firms

● Activists


Careto

● 380 victims

● 31 countries


Careto

● Spear phishing is the basic infection vector

● Several domains involved

● Trying to look legit

● Infect the user through a vulnerable browser

● Publicly known vulnerability or zero-day


Careto

Spear phishing attack


Protection?

Protection is hard to accomplish


Agenda

● Introduction

● Noteworthy security bugs and scenarios

● APT and Cyberespionage

● Finish


The End

„Hope you liked our little journey through the dark side of the networked world.“


Contact