Exploits Exposed to the World

 

The year started quite calm, but obviously, this calm period was not about to last, it was only the calm before the storm. The first major incident to occur happened in March, when the now famous website Wikileaks decided to leak classified documents from the US intelligence service CIA. The leak, Vault 7, consists of multiple parts, 24 in total, released to the public throughout the year, and it included documents on cyber warfare, electronic surveillance[1]. More precisely the contents of the vault were:

 

  • CIA Malware Creation framework called Grasshopper
  • Malware obfuscation program called Marble – A tool to make it hard for antivirus to analyse and pinpoint the behaviour of the malware
  • Multiple source code files connected to surveillance on everything from cell phones to embedded systems

 

One month later, the Shadow Brokers appeared again, now releasing the exploits. Last time, summer 2016, they claimed being the masterminds behind the hacking of the Tailored Access Operations unit in NSA, also called the Equation group which has developed many advanced tools and zero-day exploits. After several failed attempts to sell the exploits, in April 2017, they released them to the public. It was now only a matter of time before a major attack. And it came not even one month later, when a new ransomware was unleashed to the world.

Ransomware, Ransomware Everywhere

 

WannaCry hit the internet on May 12, 2017 and infected more than 200 000 computers in 150 countries. The ransomware encrypted the victim’s computers and demanded ransom payments via bitcoin. It uses two exploits from the Shadow Brokers release, EternalBlue and DoublePulsar. The first is used as a way to gain access throughout the network using a vulnerability in the SMB protocol(CVE-2017-0144), and the latter exploit to copy itself to the victim system. Because WannaCry not only encrypts the victims’ assets, but also spreads itself it is classified both as a ransomware and a worm. Incidents and attacks like these raise an important question: How can companies and their IT-security teams prevent ransomware attacks like this?

Microsoft released a security patch for EternalBlue two months earlier. However, as many companies were unpatched, WannaCry could easily spread and infect systems. Later, researchers found ways to mitigate the spread, having noticed that a hard-coded kill switch resided in the WannaCry malware. By using a DNS sinkhole, the spread got slower. But even though a way to partially counteract the intentions of WannaCry had been found, the fight against it did not stop there. A French researcher developed a tool called WannaKey, which uses the fact that the encryption key API used by WannaCry did not clear the prime numbers used to generate each private encryption key from memory, making it possible to retrieve it and decrypt files, without paying ransom[2].

 

WannaCry spread widely as both countries and companies across the globe were affected, with Ukraine, India, Taiwan and Russia topping the list of the most affected countries. National Health Service in the UK, Nissan Motors in Japan and Renault in France were some companies whose systems got infected, making the two latter ones stop their production to prevent further spread of the malware. WannaCry hit the world hard and fast, but the challenges of 2017 were not about to end there…

 

In June 2017 a new variant of the 2016 ransomware Petya surfaced, named NotPetya. Like WannaCry NotPetya used the EternalBlue propagation mechanisms to spread via the SMB protocol and was designed to destroy target systems. It targeted power grids, bus stations, gas stations, airports, banks etc mostly in Ukraine. Via hijacking update servers of de facto tax preparation software, the attackers could spread the malware via a software update. When a victim got infected, the ransomware infected the MBR (Master Boot Record) and overwrote the bootloader (Small program that initiates the launch of the OS), as well as it triggered a restart of the Windows system. On the next restart, it encrypted the MFT (Master File Table) and demanded ransom. The peculiar thing with NotPetya was that it used the same bitcoin address for each of its targets to which the ransom should be paid to. It also modified its encryption mechanism so even though the ransom was paid, the encryption remained intact and irreversible. Combined with the relatively low ransom, $300 USD, made researchers even more sure that this was a targeted attack against Ukrainian systems with its only goal to destroy the infected machines.[3]

 

Why Change a Winning Concept?

 

How about other security issues during the year, like breaches that have been a “winning concept” for the dark web? On the 7th of September, Equifax, a part of the big-three credit bureaus in the U.S., reported a breach in their systems. Identities and personal information such as social security numbers, full names, birth dates etc of around 200 million customers were leaked, potentially making it the most severe leak in modern history. Although the breach was announced in September, Equifax stated that the attack started around May, but was not noticed until the end of July. The breach was possible due to a vulnerability in the Apache Struts (CVE-2017-5638) web application framework. This vulnerability combined with no network compartmentalization (limitation sensitive information for the people who it may concern) and bad encryption implementation on personal data were the prominent mishaps that enabled the attack. The patch for the vulnerability was issued two months earlier, which Equifax failed to implement[4].

 

When it comes to cryptography, humans are always the problem

 

2017 had a lot more to offer than just ransomware and breaches. A flaw that affected the whole world was the KRACK (Key Reinstallation Attack)  against WPA2 protected Wi-Fi networks. It was announced in October and used an implementation flaw in the so called four-way handshake (a part of the authentication process) of the WPA2 protocol. The third handshake in the WPA2 protocol uses a nonce, a random number that can only be used once. This would normally not cause any problems, but since WPA2 also allows reuse of the nonce, to reconnect quickly if a disconnect happens, as well as for stable uplink, it made the protocol vulnerable to the KRACK. An attacker could resend the third handshake over and over, reading a bit of the encryption key each time until the whole key was known. The attacker could then read the victim’s traffic. Vendors however, were hereafter quick to implement patches[5] and therefore limit the damages.

 

Similarly, another implementation flaw were found in the SSL/TLS protocol, or more precisely encryption algorithm in use. A slight modification to the old Bleichenbacher’s Oracle Attack, which is an attack on the RSA encryption standard (PKCS#1 version 1.5) from 1998, called ROBOT has made 27 of the top 100 domains (ranked by Alexa) vulnerable. The old fix for the RSA attack was to simply suppress the vulnerable error messages, which no longer proves to be sufficient [6].

 

The Cloud is not always the answer

 

Unfortunately, navigating the Internet is not a walk in the park. Named Cloudbleed by the public, Google’s project zero researcher Travis Ormandy reported a problem in February with Cloudflare’s HTML parser (named Ragel) on their edge-servers. When introducing the new parser, it slightly changed how buffers were handled, making the edge-servers over run the buffer. Therefore, it started leaking sensitive information such as authentication cookies and other sensitive data[7]. However, Cloudflare was quick on a fix and by using their global “kill-switch” on the edge-servers and issued a patch within just eight hours. But (and yes there is a big but), search engines could have cached the leaked data on their servers, which could have caused Cloudflare some real issues.

Final words

 

Some more security related issues worth mentioning is the breach of Verizon, which resulted in a leak of data associated of around 14 million customers. Two other leaks during 2017 with considerable significance is the leak involving the new president of France and the newly leaked Vault 8 (by WikiLeaks). 2017 has been a quite interesting year and with the upcoming of GDPR, 2018 will become just as interesting..

 

Contributors

  • Adam Björkman
  • Christian Yng
  • Max Kardos
  • Viktor Uppströmer
  • Henning Råberg

References

[1] Anon (2017). Vault 7 – CIA Hacking Tools. [online] Available at: https://wikileaks.org/ciav7p1/ [Accessed 20 Dec. 2017].

[2] Mohit, Kumar (2017). WannaCry Ransomware: Everything you need to know. [online] Available at: https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html [Accessed 20 Dec. 2017].

[3] Brian, Krebs (2017). Petya Ransomware Outbreak goes Global. [online] Available at: https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/ [Accessed 21 Dec. 2017].

[4] Bruce, Schneier (2017). Me on te Equifax Breach. [online] Available at: https://www.schneier.com/blog/archives/2017/11/me_on_the_equif.html [Accessed on 18 Dec 2017]

[5] Anon (2017). Key Reinstallation Attacks. [online] Available at: https://www.krackattacks.com/ [Accessed on 18 Dec. 2017]

[6] Hanno, Böck et al. Return Of Bleichenbacher’s Oracle Threat. [online] Available at: https://robotattack.org/ [Accessed on 18. Dec 2017]

[7] John, Graham-Cumming (2017). Incident report on memory leak caused by Cloudflare parser bug.
[online] Available at: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ [Accessed on 19 Dec. 2017]