Russian Turla Group Attacks at Governments and Diplomats

Definition

Russian Advanced Persistence Threat group called “Turla” has been using special espionage attacks against Governmental agencies and Embassies for past year. The backdoor software has been recently detected and “Gazer or Whitebear.” It is very clandestine malware trying to be as unnoticeable and undetectable as possible. The backdoor software collects information from the target and sends it to the controller.

Brief description of scenario

Gazer is distributed via spearphishing email that infects the target with first stage backdoor such as “Skipper.” Skipper downloads Gazer as the primary payload. Gazer uses 3DES and RSA encryption and stores its configuration within the Windows Registry. Gazer wipes files, changes code strings and looks like a video game to remain secret.

Mitigation

The following are some security measures recommended to lower the probability of Gazer type attack: 

• Security architecture should include several layers to create depth for cyber defence
• The security operations should be able to monitor 24/7 the traffic flow from and to defended domain
• There should be more than one layer of virus detection using different detection applications
• End users should be trained for awareness against phishing attempts

References

1. https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
2. https://threatpost.com/turla-apt-used-whitebear-espionage-tools-against-defense-industry-embassies/127737/
3. https://www.scmagazine.com/turla-apt-group-linked-to-gazer-backdoor-that-spies-on-embassies/article/685230/
4. http://securityaffairs.co/wordpress/55915/apt/turla-javascript-malware.html
5. https://www.cyberscoop.com/kaspersky-whitebear-turla-russia/

Wireless Local Area Network Man in the Middle Attacks

Definition

Open wireless local area network (Wi-Fi or WLAN), connections in café's, hotels, malls, airports, airplanes and other public places, provide easy and free access to the Internet with a wider bandwidth. Unfortunately, an open and unsecured wireless local area network allows anyone to receive victims traffic and launch a Man in the Middle attack (MitM). Even if the victim is securing the communications for essential services, unsecured communications may reveal the victim's password if they are reused in several services.

Brief scenarios

A hacker creates an “evil twin” Wi-Fi access point in the same premises that open Wi-Fi is expected. Once a victim launches unsecured sessions, a hacker can capture all traffic. Another way is to listen to the public Wi-Fi traffic over unsecured access and sniffing “session cookies” to acquire passwords. If the victim further allows file sharing over the Wi-fi, hacker plants software into the targetted device to execute malicious deeds.
Even if the Wi-Fi access is secured, but the password given to the public is simple, seldom changed or easily cracked, a hacker can obtain the traffic.

Protection

There are the following ways to prevent a probable Man in the Middle attack:

• Use Virtual Private Network but acknowledging that researchers have studied 283 free VPN apps on Google Play and found that 50% of them store client’s traffic for their use, 38% of them injected malware or malvertising. About 18% of them did not encrypt the traffic. So, use only professionally provided VPN services (Ikram et al., 2016).
• Use Secure Sockets Layer (SSL), i.e., sessions using https.
• Turn off sharing by choosing ‘Public’ option from Operating System
• Keep Wi-Fi off when not using it.

References

1. https://usa.kaspersky.com/resource-center/preemptive-safety/public-wifi-risks
2. http://www.huffingtonpost.com/michael-gregg/six-ways-you-could-become_b_8545674.html
3. http://www.npr.org/sections/alltechconsidered/2017/08/17/543716811/turning-to-vpns-for-online-privacy-you-might-be-putting-your-data-at-risk
4. http://www.icir.org/vern/papers/vpn-apps-imc16.pdf

Controller Area Network (CAN) standard ISO 11898 data link vulnerability

Description

The Controller Area Network, CAN is the most common (in US the only legal) intravehicular databus standard ISO 11898-1993 for road vehicles. It allows all “Things” within the vehicle to communicate with each other. A university level research (Palanca and Zanero, 2016) has found that normal protocol at CAN link layer intended to handle malfunctioning nodes can be manipulated. 

Since the MILCAN (Open standard for military vectronics) is based on same ISO 11898, although rugged, there might be similar vulnerability within military vehicles (Majoewsky and Davies).

Case of exploitation

An attacker couples into CAN bus, receives the error frames, multiplies and forwards them further causing a Bus Off State to targeted subsystem. This means that targeted system is not listened anymore within the CAN bus i.e. the vehicle does not function as system of systems anymore. 

The coupling is easiest accomplished by connecting additional device into vehicle CAN bus. There is also possibility to use some wireless devices attached to CAN bus. In civilian vehicles, this may happen through Infotainment devices (radio, mobile phone) as happened in Chrysler Jeep hacking 2015 (Miller and Valasek). In military vehicles the vectronics is used more widely to connect sensors, weapons and C3 systems to vehicle. Thus, direct ways to effect the bus are available. Would there be one worm that can take down the fleets of military vehicles when they are dearly needed?

Mitigation

There are no software updates available and since the vulnerability is in the standard protocol itself, it requires to be changed. There may be some technical mitigation measures as follows:

• Network segmentation or topology alteration
• OBD-II diagnostic port access
• Encryption

Universal Serial Bus (USB) communications crosstalk vulnerability

Description of vulnerability

The Universal Serial Bus, is a straightforward way to connect peripheral devices to each other and computer.  The USB is asymmetrical in its topology, consisting of a host, a multitude of downstream USB ports, and multiple peripheral devices connected in a tiered-star topology. A USB host may implement multiple host controllers and each host controller may provide one or more USB ports connecting up to 127 devices. Some of those devices send sensitive information (passwords from keyboards, fingerprint readers, card readers, etc.). 

According to research in University of Adelaide, Australia, over 90% of tested 50 different computers and external USB hubs are leaking information to other ports within the hub/device (Su, Genkin, Ranasinghe and Yarom, 2017).

Exploitation case

An attacker: 

1. manufactures cheap USB devices and includes USB receiver and communications means. Personnel buy these devices and plug them into their computers or USB hubs. 
2. Manipulates USB memory appliances and leaves them to be found by targeted people. Studies show that 75 % of found memory sticks dropped on the ground were picked and plugged into a computer.

The acquired USB device receives all data that is transferred through the channel between other devices; recognises important data as passwords, ID’s, profiles; and sends them to the adversary.

Mitigation

There are no software updates available to mitigate the problem. The USB standard needs to be redesigned. Meanwhile, the following measures may help to restrict the exploitation:

• End users should be trained not to plug any unknown or unauthorised USB device to their systems
• Armed Forces should ensure that the USB devices provided to them are coming from audited manufacturers, are supplied through controlled supply chains, and are tested before distributed to use.
• Encrypt all traffic that is send over USB