Millions of Connected Devices Have Exploitable TCP/IP Flaws

Jeremy Kirk (jeremy_kirk) • June 17, 2020    

Demonstration of the Ripple20 flaws being exploited to deactivate an uninterruptible power supply, and the resulting effect on an attached medical device (Source: JSOF)

Time for another internet of things update nightmare: Researchers have found that a little-known software library that’s been widely used for decades – by numerous companies and in many products – has serious vulnerabilities that need immediate fixing. 

This time, the flaws – dubbed “Ripple20” by researchers – involve TCP/IP code from Cincinnati-based Treck, which makes software for implementing various networking protocols. While Treck might be a low-profile company few have heard of, its code has nevertheless found its way into millions of connected devices, from medical pumps and office printers to utility grid systems and aviation components. 

That’s because Treck’s TCP/IP code stack – an embedded library – is known for its high performance and reliability. The code is apparently particularly well-suited for low-power IoT devices and real-time operating system usage. 

On Tuesday, however, Israeli cybersecurity consultancy JSOF disclosed 19 vulnerabilities in the TCP/IP code after previously reporting the flaws to Treck, which has prepared a fix. JSOF’s findings follow another large-scale problem affecting IoT devices coming to light, in that case in the Universal Plug and Play protocol (see: UPnP Vulnerability Could Affect Billions of IoT Devices). 

Information about the Ripple20 flaws has been circulating privately since last year, as researchers, vendors and security experts worked to coordinate fixes and alert relevant parties. JSOF notes that it reached out to agencies such as the CERT Coordination Center and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency once it realized how challenging it would be to identify all companies and products that utilize the vulnerable code from Treck. 

Companies that ship products affected by the flaws include Caterpillar, Intel, Green Hills Software, Rockwell Automation, HP, Baxter and Schneider Electric, among many others. 

Experts say numerous organizations will need to issue updates or detail workarounds to mitigate the flaws. Already, medical device manufacturer B. Braun Medical, based in Pennsylvania, issued an advisory on Friday saying only one of its products, the Outlook 400ES infusion pump, is affected by the flaws. It says it is still analyzing four patches issued by Treck but that its customers do not need to take immediate action. 

B. Braun Medical Inc.’s Outlook 400ES infusion pump is one of millions of devices that have exploitable TCP/IP software. (Photo: B. Braun Medical Inc.)

JSOF says that Treck is reaching out directly to warn its clients, but it says that because of nondisclosure agreements, Treck hasn’t released a list of those clients.

“The software library spreads far and wide, to the point that tracking it down has been a major challenge,” JSOF says. “As we traced through the distribution trail of Treck’s TCP/IP library, we discovered that over the past two decades this basic piece of networking software has been spreading around the world, through both direct and indirect use.” 

Forescout Technologies, which worked with JSOF on disclosure, writes that more than 50 vendors may be affected, “exposing a very complex supply chain for IoT devices.” 

Forescout used the internet-connected device search engine Shodan to look for potentially vulnerable devices that are exposed to the internet and could be directly compromised. It found 15,000 such devices, including printers, IP cameras, video conferencing systems, networking equipment and industrial control system devices. 

If previous, widespread flaws and patching efforts are any guide, however, many products with vulnerable Treck code will never see fixes get issued by manufacturers. And even when fixes do get released, many of these patches never get installed by end users (see: Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable).

Patches Available

In an advisory issued Tuesday, U.S. CERT says that high skill levels are needed to exploit the flaws, and that there are no known public exploits targeting the vulnerabilities, at least so far. 

Treck says in a statement that it has updated its TCP/IPv4/v6 software to fix the issues. JSOF notes that organizations should use Treck’s stack version 6.0.1.67 or higher. 

JSOF dubbed the flaws Ripple20 to reflect how a single vulnerable component can have a ripple effect on “a wide range of industries, applications, companies, and people.” The company is due to present its findings at Black Hat 2020, which will be a virtual event. 

Four of the flaws are rated critical, and two of them could be exploited to remotely take control of a device. Others require an attacker to be on the same network as the targeted device, which makes these flaws more difficult – but not impossible – to exploit. 

“The risks inherent in this situation are high,” JSOF says. “Just a few examples: Data could be stolen off of a printer, an infusion pump behavior changed, or industrial control devices could be made to malfunction. An attacker could hide malicious code within embedded devices for years.” 

In a brief video, JSOF CEO Shlomi Oberman shows how an exploit for the flaws can affect an uninterruptible power supply, which is connected to a medical infusion pump, an HP OfficeJet Pro 8720 printer and a module with an operating system and processor. Oberman found the flaws with his colleague, Moshe Kol. 

Their video shows the attack payload deactivating power to all of the connected devices, leading to the infusion pump issuing alarming beeps and displaying this warning: “Battery depleted. Pump will not run.” 

JSOF has published a white paper describing two of the vulnerabilities. The company also plans to release a second white paper solely focused on CVE-2020-11901 – a DNS vulnerability – and describing how it can affect a Schneider Electric APC UPS device. 

Mitigation Strategies

Experts say that devices that can be patched should be patched immediately. But if devices can’t be updated, organizations can take a series of steps to minimize their exposure. 

U.S. CERT says that administrators should ensure that vulnerable systems are not accessible from the internet and that control systems should be located behind firewalls and also not linked to any business networks. 

VPNs should be used for all remote access to vulnerable devices, with the caveat that VPN software may also have vulnerabilities, U.S. CERT says. Organizations should also use an internal DNS server that performs lookup using DNS-over-HTTPS, it says.

JSOF says organizations can also block anomalous IP traffic, as well as use deep packet inspection to block network attacks. 
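The advice above to "block anomalous IP traffic" and use deep packet inspection is given without saying which packet properties count as anomalous. As an added illustration, written for this page and not code from JSOF, Treck or U.S. CERT, the example below parses raw IPv4 headers and applies one plausible policy: drop IP fragments, IP-in-IP encapsulation (protocol number 4) and packets carrying source-routing options. That choice of policy is an assumption, not something the page states; the sample packets are constructed in the code and carry a zero checksum, since the classifier never verifies it.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Policy assumption (not stated on the page): which header features a deep
# packet inspection rule treats as "anomalous". These three are common choices.
IP_IN_IP_PROTO = 4                 # IANA protocol number for IP-in-IP encapsulation
SOURCE_ROUTE_OPTS = {0x83, 0x89}   # LSRR and SSRR option type bytes (RFC 791)


@dataclass
class IPv4Header:
    ihl: int            # header length in bytes
    total_length: int
    mf: bool            # "more fragments" flag
    frag_offset: int    # fragment offset, in 8-byte units
    protocol: int
    src: str
    dst: str
    options: bytes


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Parse the fixed 20-byte IPv4 header plus any options (RFC 791 layout)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("malformed IPv4 header")
    return IPv4Header(
        ihl=ihl, total_length=total_len,
        mf=bool(flags_frag & 0x2000), frag_offset=flags_frag & 0x1FFF,
        protocol=proto,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=pkt[20:ihl],
    )


def anomalies(hdr: IPv4Header) -> List[str]:
    """Return the policy violations found in one header (an empty list means allow)."""
    found = []
    if hdr.mf or hdr.frag_offset:
        found.append("fragment")
    if hdr.protocol == IP_IN_IP_PROTO:
        found.append("ip-in-ip")
    opts, i = hdr.options, 0
    while i < len(opts):                 # walk the option TLVs
        kind = opts[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            found.append("malformed-option")
            break
        if kind in SOURCE_ROUTE_OPTS:
            found.append("source-route")
        i += opts[i + 1]
    return found


def build_ipv4(src: str, dst: str, proto: int, flags_frag: int = 0,
               options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a sample packet; the checksum is left as 0 because we never verify it."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)    # pad options to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    fixed = struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload),
        0x1234, flags_frag, 64, proto, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return fixed + options + payload


# Constructed sample traffic; addresses come from the RFC 5737 documentation ranges.
SAMPLE_PACKETS: Dict[str, bytes] = {
    "plain-tcp": build_ipv4("192.0.2.10", "198.51.100.20", 6, flags_frag=0x4000, payload=b"\x00" * 20),
    "fragment": build_ipv4("192.0.2.10", "198.51.100.20", 17, flags_frag=0x2000),
    "ip-in-ip": build_ipv4("192.0.2.10", "198.51.100.20", IP_IN_IP_PROTO),
    "source-route": build_ipv4("192.0.2.10", "198.51.100.20", 6,
                               options=bytes([0x83, 7, 4]) + bytes([203, 0, 113, 1])),
}


def classify(packets: Dict[str, bytes] = SAMPLE_PACKETS) -> Dict[str, List[str]]:
    """Map each packet name to its anomaly list; an empty list means the packet passes."""
    return {name: anomalies(parse_ipv4(raw)) for name, raw in packets.items()}


if __name__ == "__main__":
    for name, found in classify().items():
        print(f"{name:13s} -> {'ALLOW' if not found else 'DROP ' + ','.join(found)}")
```

The option walker deliberately treats a truncated or zero-length option as a violation rather than skipping it, since malformed option encodings are exactly the kind of input a fragile embedded stack is least likely to handle well.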

Executive Editor Mathew Schwartz contributed to this report – source databreachtoday.com

CIA Finds It Failed to Secure Its Own Systems

Scott Ferguson (Ferguson_Writes) , Doug Olenick (DougOlenick) • June 16, 2020    

Photo: CIA

An internal CIA report released Tuesday found that the agency’s failure to secure its own systems led to the massive 2017 data breach that enabled classified information, including details on 35 CIA hacking tools, to be leaked to WikiLeaks.

A redacted version of the report, prepared by the CIA’s WikiLeaks Task Force in 2017, was released by Ron Wyden, D-Ore., a member of the Senate Intelligence Committee.

The report calls out the CIA’s Center for Cyber Intelligence for not prioritizing internal cybersecurity and focusing, instead, on developing offensive cyber weapons.

This lax attitude toward preventive cybersecurity measures within the CIA continued even after previous high-profile data breaches of the agency and other intelligence departments, the report states.

On Tuesday, Wyden wrote to John Ratcliffe, the director of national intelligence, demanding to know if the U.S. intelligence community planned to implement better cybersecurity practices and questioning why the CIA did not do more to protect its internal security operations from both outside attacks and internal threats.

“The lax cybersecurity practices documented in the CIA’s WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community,” Wyden writes. “The Office of the Inspector General of the Intelligence Community revealed in a public summary of a report it published last year that it found a number of deficiencies in the intelligence community’s cybersecurity practices.”

CIA Report

The WikiLeaks Task Force report was prepared after the leaking of the CIA hacking tools, which were referred to as “Vault 7” (see: WikiLeaks Dumps Alleged CIA Malware and Hacking Trove).

The theft of the hacking tools, which apparently happened sometime in 2016, was not discovered until WikiLeaks published the Vault 7 series in 2017. Later, the U.S. Justice Department brought charges against Joshua Schulte, a former CIA employee, who is suspected of stealing the CIA hacking tools and then giving them to WikiLeaks, according to the Washington Post, which first reported on the Wyden letter.

The WikiLeaks Task Force report is part of the Justice Department’s case against Schulte, who will be tried again for the Vault 7 leak later this year after his first trial ended in a hung jury in March, according to the Post.

In the report, investigators describe how an unnamed former CIA employee managed to take between 180 GB and 34 TB of highly classified agency information and data.

The report describes a CIA culture that only focused on developing offensive cyber weapons and ignored basic security procedures, which led to multiple breaches.

“Day-to-day security practices had become woefully lax. … Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” according to the CIA report.

The Vault 7 hacking tools came from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia, according to WikiLeaks.

Difficulties Preventing Leaks

Thomas Rid, a professor at the Johns Hopkins School of Advanced International Studies who has studied cybersecurity issues, wrote on Twitter that the U.S. intelligence community has had a difficult time stopping leaks, including Vault 7 as well as disclosures from former Army Private Chelsea Manning and former National Security Agency contractor Edward Snowden.

Thomas Rid (@RidT), replying to @RidT:

Imagine for a moment the logistics of physically getting that amount of data out 😶

Thomas Rid (@RidT):

Seven years after Manning.
Three years after Snowden.
About a year after Shadow Brokers.

Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former NSA staffer, noted that the Vault 7 disclosures, along with the release of NSA hacking tools in 2016 by the group known as the Shadow Brokers, show that the U.S. intelligence community did not take its cybersecurity responsibilities seriously.

“In at least two of these cases – Vault 7 and Shadow Brokers – there is no indication that there was any detection ahead of the data being posted publicly,” Williams told Information Security Media Group. “If you compare the intelligence community to a commercial organization that had three major breaches over a few years and didn’t discover two of them until someone leaked data publicly, I’d have a hard time taking their security seriously.”

Security Improvements Needed

In his letter to Ratcliffe, the director of national intelligence, Wyden asked why various agencies failed to heed security guidance. This included:

  • An Oct. 16, 2017 Cybersecurity and Infrastructure Security Agency notice requiring all federal agencies to protect their websites and email using encryption and domain-based message authentication as well as to conform with DMARC email authentication, policy and reporting protocols;
  • A Jan. 22, 2019 emergency directive from CISA requiring agencies to implement multifactor authentication within 10 days to protect their .gov domains.

Wyden also questions why the Joint Worldwide Intel Communications System, the intelligence community’s classified computer network that handles top secret information, still has not implemented multifactor authentication to align itself with National Institute of Standards and Technology Special Publication 800-63B, despite the August 2019 statement by the Defense Intelligence Agency’s cyber and enterprise operations chief that the DIA was looking into this upgrade. 

In the letter, Wyden asks Ratcliffe if he intends to implement numerous cybersecurity recommendations published by the office of the Intelligence Community Inspector General in November 2019.

“Do you intend to adopt each of the 22 cybersecurity recommendations of the Inspector General of the Intelligence Community?” Wyden asks. “If yes, please provide an estimate for when you expect to have implemented each of these recommendations. If no, please explain why.”

A CIA spokesperson told the Washington Post that the agency was not commenting on the 2017 report that Wyden released Tuesday.

Following Guidelines

Tim Wade, the technical director for the CTO team at security firm Vectra, and a former Air Force officer, notes that government agencies – and especially the intelligence community – need to follow cybersecurity guidelines.

“Accepting the risk of continuing to operate such systems in a vulnerable state mitigates the greater risks associated with jeopardizing mission success,” Wade says.

DoppelPaymer Ransomware Used to Steal Data from Supplier to SpaceX, Tesla

Elizabeth Montalbano

Cyber attack at Visser Precision, which builds custom parts for the aerospace and automotive industries, reveals sensitive company data.

A company that provides custom parts to aerospace giants Lockheed Martin, SpaceX and Boeing, has been the target of an attack by an emerging type of ransomware that can both encrypt files and exfiltrate data.

Colorado-based Visser Precision said it was targeted by a “cyber incident” that involved the attacker accessing and stealing company data after a security researcher found some of the company’s stolen files leaked online.

Visser makes what are called “precision” parts for several industries, including automotive and aeronautics, with some high-profile customers that typically impose heavy security requirements due to the sensitive and competitive nature of their work.

Brett Callow, a threat analyst at anti-malware security firm Emsisoft, discovered the documents – a series of nondisclosure agreements Visser has with companies including SpaceX, Tesla, Honeywell, General Dynamics and others – on a hacker website and began alerting news outlets, according to published reports in Forbes and TechCrunch.

Attackers also tweeted in an account using the name “DoppelPaymer” that more files were on the way, alerting researchers that attackers likely used the DoppelPaymer ransomware in the attack, according to reports.

DoppelPaymer is an emerging type of ransomware that not only locks companies out of their own computer systems by encrypting files—the hallmark of typical ransomware—but also can exfiltrate company data and use it as collateral.

A February report by BleepingComputer noted that DoppelPaymer had shifted its tactics to include not just stealing a victim’s data, but also threatening to publish or sell that data if the victim did not pay the ransom.

This new show of sophistication in ransomware makes the tough decision of whether to pay the hackers’ ransom even more difficult for companies, which typically are advised not to pay in such a scenario, said one security expert.

“The evolution of ransomware from simply keeping data unusable, to that plus threatening to release it, is insidious in its premise,” Mike Jordan, vice president of research, Shared Assessments, said in an email to Threatpost. “Deciding whether to pay a ransomware extortionist always involves a financial calculus where you determine whether paying is cheaper than recovering the data on your own.”

The new methods that malware like DoppelPaymer and Maze employ are raising the stakes for victims of ransomware and increasing the potential for financial loss if sensitive or classified data is revealed by threat actors, he said.

“If data is regulated, such as personal information, fines get introduced,” Jordan said. “And when the victim is a third party supplier of other companies, the potential loss of revenue from customers that lose faith in their ability to manage cybersecurity threats is also a particularly expensive variable.”

Indeed, some of the companies that appear on the list of revealed documents, such as Lockheed Martin, Boeing, Honeywell and General Dynamics, also have defense contracts with the federal government – which means they also deal in highly classified information. The threat of the release of this type of data definitely raises the stakes for Visser when considering whether to pay attackers, experts noted.

Targeting customer contracts also was a clever tactic by the attackers, as it has the potential to cause long-term damage not only to Visser but the customers affected, Jordan observed.

“Revealing confidentiality agreements threatens the possibility of revealing the contracts behind those agreements,” he said. “Revealing pricing puts the victim at a disadvantage to its competitors now and in the future, as they are still bound to those agreements, whereas competitors could undercut them. Additionally, revealing contracts put victims at risk of breaking confidentiality agreements, allowing customers to lawfully break favorable agreements.”

Of the companies affected in the Visser attack, only officials at Lockheed Martin so far have publicly acknowledged that they are aware of the situation, according to reports.

Source: https://threatpost.com/doppelpaymer-ransomware-used-to-steal-data-from-supplier-to-spacex-tesla/153393/

‘Shark’ Gets Hooked for $380K in Email Phishing Scam

“Shark Tank” star Barbara Corcoran is missing nearly $400,000 Wednesday morning after her office was victimized by email scammers who used a tiny typo to gain the upper hand.

The scam started last week when an email chain was forwarded to Barbara’s bookkeeper, a woman named Christine. Folks on Barbara’s team tell us the email appeared to have been sent from Barbara’s executive assistant, Emily … and it informed Christine she had the green light to pay $388,700.11 to a company called FFH Concept GmbH in Germany.

The problem is that email didn’t really come from Emily.

The scammers changed Emily’s email address by removing one letter, so they were the ones actually communicating with Christine … who did ask the right questions. For instance, she asked what the money was for, and got an email back saying FFH was designing German apartment units in which Barbara had invested.

Great cover story because we’re told Barbara really does invest in real estate, and FFH is a real company in Germany. Plus, all of this looks even more legit because it appears to be coming from Barbara’s assistant.

Anyway, on Tuesday … the bookkeeper fires off the wire payment to the account listed in the original email. Afterward, she emails Barbara’s assistant, Emily — at her real address — and it’s only then that Emily uncovers the scam. She noticed her address was altered on the previous chain of emails.
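The scam turned on an address that differed from the assistant’s real one by a single missing letter. As an added example, written for this page rather than taken from the story or any vendor, the code below shows the kind of check a mail gateway or bookkeeping workflow can apply before acting on a payment approval: compute the edit distance between the sender address and a directory of trusted internal addresses, and hold anything that is a near-miss rather than an exact match for out-of-band confirmation. It generalizes the one-letter deletion in the story to any single insert, delete or substitution. The directory, the domain `example-office.com` and the sample messages are all constructed placeholders, not the real addresses involved.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory of trusted internal senders. The domain and mailbox
# names are hypothetical placeholders, not the real addresses from the story.
TRUSTED_SENDERS: Dict[str, str] = {
    "emily.assistant@example-office.com": "executive assistant",
    "payables@example-office.com": "accounts payable",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute, or match
        prev = cur
    return prev[-1]


@dataclass
class SenderVerdict:
    sender: str
    trusted: bool                 # exact match against the directory
    lookalike_of: Optional[str]   # nearest trusted address within the threshold
    distance: Optional[int]


def assess_sender(sender: str, trusted: Dict[str, str] = TRUSTED_SENDERS,
                  max_distance: int = 2) -> SenderVerdict:
    """Exact matches are trusted; near-misses are lookalikes; everything else is merely unknown."""
    addr = sender.strip().lower()
    if addr in trusted:
        return SenderVerdict(addr, True, None, 0)
    best = None
    for known in trusted:
        d = edit_distance(addr, known)
        if d <= max_distance and (best is None or d < best[1]):
            best = (known, d)
    if best is None:
        return SenderVerdict(addr, False, None, None)
    return SenderVerdict(addr, False, best[0], best[1])


# Constructed sample mailbox: one genuine message, one lookalike, one unrelated vendor.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"id": "m1", "from": "emily.assistant@example-office.com", "subject": "Travel schedule"},
    {"id": "m2", "from": "emly.assistant@example-office.com", "subject": "Approved: wire to new vendor"},
    {"id": "m3", "from": "billing@unrelated-vendor.example", "subject": "Invoice 1042"},
]


def hold_for_verification(messages: List[Dict[str, str]] = SAMPLE_MESSAGES) -> List[str]:
    """IDs of messages whose sender is a lookalike of a trusted address. These should be
    confirmed out of band (a phone call to the real contact) before any payment is made."""
    return [m["id"] for m in messages if assess_sender(m["from"]).lookalike_of is not None]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = assess_sender(m["from"])
        status = "trusted" if v.trusted else (f"LOOKALIKE of {v.lookalike_of}" if v.lookalike_of else "unknown")
        print(f"{m['id']} {m['from']:40s} {status}")
    print("hold:", hold_for_verification())
```

The check is intentionally separate from the question of whether the message is about money: a lookalike address is worth holding regardless of subject, and an unknown vendor is a different (and weaker) signal that a plain edit-distance rule should not try to judge.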

Unfortunately, the money is gone, but we’re told Barbara’s IT folks traced the original scam emails back to a Chinese IP address, and her attorneys are figuring out their next move.

Yes, even a Shark can get hooked by a phishing scam.

Email us NOW for Phishing Training for you and your team – don’t be another headline! pst@midstatecyber.com

FDA Warns of Cybersecurity Vulnerabilities in Pacemakers, Blood Glucose Monitors

The US Food and Drug Administration (FDA) on Tuesday alerted health professionals and manufacturers to a family of 12 cybersecurity vulnerabilities known as “SweynTooth,” which can allow unauthorized users to potentially cause a device to stop working, stop it from working correctly and/or bypass security to access certain device functions.

Security researchers found the vulnerabilities are associated with a wireless communication technology known as Bluetooth Low Energy (BLE), which allows two devices to exchange information to perform their intended functions while preserving battery life.

FDA said it is not aware of any confirmed adverse events related to these vulnerabilities, but it is currently aware of several system-on-a-chip manufacturers that are affected by them, including Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.

According to the Department of Homeland Security, “The affected medical devices may include pacemakers, blood glucose monitors, and others using affected BLE SDKs [software development kits].”

As far as recommendations for manufacturers, FDA says that the vulnerabilities should be evaluated, and devices should be monitored for unusual behavior. Any mitigations should include compensating controls while developing software patches, FDA added.

“In general, compensating controls and patches made to address the SweynTooth vulnerabilities are not likely to significantly affect the safety or effectiveness of the device and thus would not likely need FDA premarket review prior to implementation. If the changes to the device needed to address the vulnerabilities could significantly affect the safety or effectiveness of the device, however, premarket review is required,” FDA added.

Jodi Scott, partner in the medical device and technology regulatory practice group with the law firm Hogan Lovells, discussed FDA’s work on cybersecurity in an interview with Focus, explaining that FDA seems to be targeting its efforts on higher-risk products.

She also noted that there is room for more international harmonization on cybersecurity and that if FDA can provide more examples, the device industry could benefit from them, beyond what companies already gain from information sharing organizations.

But, Scott added, “One of the challenges is making sure you don’t flood the field with alerts, thereby decreasing what really matters.”

source – https://www.raps.org/news-and-articles/news-articles/2020/3/fda-warns-of-cybersecurity-vulnerabilities-in-pace

Mobile Attacks Outpace Desktop Assaults

For the first time in cybercrime’s history, more attacks have been waged against mobile devices than have been hurled at desktops.

This seminal shift in attack strategy was recorded by researchers at LexisNexis Risk Solutions during the creation of their latest cybercrime report, “Fraud Without Borders.”

The report is based on the analysis of 19 billion transactions that took place on LexisNexis’ Digital Identity Network between July and December last year. Among those transactions, researchers identified 401 million attacks, 264 million of which targeted mobile devices, while 137 million struck at desktops. 

Although criminals showed a marked preference for mobile in terms of the volume of attacks, the attack rates targeting transactions were virtually identical. While researchers noted a 56% rise in the mobile attack rate year on year and a 23% decline in the desktop attack rate, the rate of attacks targeting transactions was 2.7% and 2.5% for desktops and mobile devices, respectively.  

Commenting on the online crime world’s historic change of tack, researchers wrote: “Although this is heavily influenced by a key global bot attack, it nevertheless shows a shift in focus of global cybercrime towards targeting the mobile channel.

“These bots are vast, automated and come from multiple global geographies and were particularly targeting new account creation transactions during the second half of 2019.”

When comparing different types of attacks on mobile devices, researchers found that mobile browser transactions were attacked at a higher rate than mobile app transactions. However, attacks on mobile apps were observed to have grown at a rate of 171% year on year. 

In terms of the financial impact of cybercrime, researchers deduced from the data that during a one-month period alone, $40m was at risk from cross-organizational fraud exposure. 

The report portrays cybercrime as borderless, innovative, and highly sophisticated, with researchers noting that criminal networks now mirror legitimate enterprises in their organizational structure. 

Criminal “finance departments” deal with the laundering of money, while “procurement” enlists money mules and “engineering” develops cutting-edge attacks to bypass the latest advances in cyber defenses.

“Analysis in this report shows that cybercrime is operating on a global scale in vast, interconnected networks that are unrestricted by regional, country or industry borders,” wrote researchers. “It’s clear that cybercrime is a highly networked, complex and ever-evolving beast.”

source – https://www.infosecurity-magazine.com/news/mobile-attacks-outpace-desktop/

Top CyberSec issues for 2020

Phishing Scams

While phishing scams have often been considered one of the cheapest and easiest ways for hackers to access sensitive data, these scams are becoming more sophisticated than ever. These attacks involve luring and engaging with potential victims, with the intent of persuading them to hand over sensitive information including passwords, identifying information, payment information, and more. As the world becomes more connected than ever in 2020, the opportunities for these types of covert threats increase.

Third-Party & Supply Chain Attacks

Third-party and supply chain attacks refer to attacks that reach an organization through an outside partner or provider. The changing on-demand and SaaS landscape in business increases these types of threats in 2020, which makes choosing reliable providers and staying on top of software updates and patches all the more important.

Malware

The use of malware continues to be a threat to businesses. Malware encompasses a wide range of cybersecurity threats including backdoors, downloaders, worms, viruses, or trojans. In these attacks, information is stolen or destroyed while sensitive data like clients’ personal identification information, credit card data, and more are sold for profit on the open market. Not only can these types of attacks debilitate a business’s ability to operate while data backups are restored, but it can also seriously impact the company’s reputation and trust.

Metamorphic/Polymorphic Malware

While traditional malware is an ever-growing threat, polymorphic or metamorphic malware makes this cyber threat even more sophisticated in 2020. This type of malware adapts or changes completely with every iteration, making it more difficult to detect and eradicate.

Ransomware

In ransomware cybersecurity threats, hackers lock a company’s sensitive data or integral operations systems and demand a ransom in order to unlock the data. In these types of attacks, not only is the ransom itself a cost to the company, but so are the operations lost while the system is under attack. Small businesses are particularly vulnerable to these attacks as they often do not invest in protections for these systems, such as hiring a cybersecurity company to install and manage protections.

AI/ML Ransomware

In 2020, the cyberthreat of ransomware is becoming even more malicious with the addition of artificial intelligence (AI) and machine learning (ML) technology. As these tools become more prominently available, ransomware attacks become more efficient.

Mobile Malware

Mobile devices are coming increasingly under attack. This is especially true of Android devices, which often run older versions of Android. Since these devices tend to be less secure and are often overlooked by security protocols, they make an easier target for cyberthreats such as malware.

IoT-Related Threat

The internet of things (IoT) refers to the interconnectedness of infrastructure systems. The internet of things includes smart devices that make managing almost everything more convenient. However, it is these systems’ convenience and accessibility that make them most susceptible to risk.