
WannaCry Ransomware: What It Is and How to Protect Against It

The WannaCry ransomware burst into the spotlight over the weekend as reports of infections streamed in from around the globe. It has affected systems in more than 150 countries, with more than 230,000 computers infected.

What is Ransomware?

Ransomware is a type of malicious software (often loosely called a computer virus) that encrypts data and blocks access to it until a ransom is paid. It usually spreads via spam emails and malicious download links, and displays a message demanding payment to decrypt the data.

WannaCry, also known as Wanna Decryptor, uses the leaked NSA exploit EternalBlue, which targets the Windows SMB service and can be used to take over computers running unpatched, vulnerable versions of Microsoft Windows.

Its initial attack vector is social engineering/spear phishing: the victim receives a malicious link or a PDF file which, when opened, installs the ransomware. Once installed, it scans the entire network for other vulnerable machines and spreads to them.

Follow these steps to prevent infection:

  • Update your system.
  • Upgrade to Windows 10 if you are using an older version, and keep it updated.
  • If you are using an older version of Windows, apply these patches immediately: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Enable the firewall and block access to the SMB ports: TCP 137, 139 and 445, and UDP 137 and 138.
  • SMB is enabled by default on Windows. Disable the SMB service (see Microsoft's guide to enabling and disabling SMBv1, SMBv2 and SMBv3): https://support.microsoft.com/en-in/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  • Have a pop-up blocker running in your web browser.
  • Update your antivirus.
  • Back up your data regularly.
  • Do not open attachments from unknown sources.
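The spreading behaviour described above, one infected host probing the whole network on the SMB ports, shows up in firewall or flow logs as a single source reaching many internal hosts on port 445 within seconds. The detection below is an added example, not part of the original post; the log format and sample lines are constructed, and the 60-second window and 10-host threshold are assumptions to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample firewall log (not real traffic):
# "<timestamp> <action> <src> <dst> <proto> <dport>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 ALLOW 10.0.0.5 10.0.0.7 TCP 445
2017-05-12T10:00:01 ALLOW 10.0.0.5 10.0.0.8 TCP 445
2017-05-12T10:00:02 ALLOW 10.0.0.5 10.0.0.9 TCP 445
2017-05-12T10:00:02 ALLOW 10.0.0.5 10.0.0.10 TCP 445
2017-05-12T10:00:03 BLOCK 10.0.0.5 10.0.0.11 TCP 445
2017-05-12T10:00:04 ALLOW 10.0.0.5 10.0.0.12 TCP 445
2017-05-12T10:00:05 ALLOW 10.0.0.5 10.0.0.13 TCP 445
2017-05-12T10:00:06 ALLOW 10.0.0.5 10.0.0.14 TCP 445
2017-05-12T10:00:07 ALLOW 10.0.0.5 10.0.0.15 TCP 445
2017-05-12T10:00:08 ALLOW 10.0.0.5 10.0.0.16 TCP 445
2017-05-12T10:00:09 ALLOW 10.0.0.5 10.0.0.17 TCP 445
2017-05-12T10:00:20 ALLOW 10.0.0.20 10.0.0.3 TCP 445
2017-05-12T10:00:21 ALLOW 10.0.0.21 10.0.0.7 TCP 139
"""

SMB_PORTS = {137, 138, 139, 445}  # the ports the prevention list says to block


def parse_line(line):
    ts, action, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), action, src, dst, proto, int(port)


def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct internal hosts} for sources that contacted at
    least `threshold` distinct internal hosts on SMB ports within `window`.
    BLOCK lines count too: a blocked attempt is still evidence of scanning."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst, _proto, port = parse_line(line)
        if port not in SMB_PORTS or not ipaddress.ip_address(dst).is_private:
            continue  # only internal SMB traffic is lateral movement
        events[src].append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold:
                scanners[src] = max(len(targets), scanners.get(src, 0))
    return scanners


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src} reached {count} internal hosts on SMB ports: possible worm spread")
```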

 

WHAT IF YOU ARE INFECTED?

Never pay the ransom.

Whether to pay is ultimately your decision, but there is no guarantee that you will get your files back.

Social Networking Threats

SECURITY IS ALL ABOUT KNOWING WHO AND WHAT TO TRUST

A social networking service (also social networking site, SNS or social media) is an online platform people use to build social networks or social relations with others who share similar personal or career interests, activities, backgrounds or real-life connections.

Social networking sites such as Twitter, Facebook, Google+, Pinterest and Instagram have attracted millions of users, many of whom have integrated these sites into their daily lives. There are many such sites, with various technological features that support a wide range of interests and practices. Most of them can be linked to users' pre-existing social networks, and they also help strangers connect and interact based on shared interests or activities.

This interaction reveals a lot of information, often including personal information visible to anyone who wants to view it. Privacy is therefore a key concern for users.

Since millions of people are willing to interact with others there, these sites are also a new attack ground for malware authors, who can spread malicious code and send spam messages by taking advantage of users' inherent trust in their relationship network.

Here are some of the threats targeting different social networks today.

  • Social engineering:

Social engineering is the practice of influencing and persuading people to reveal sensitive information, which is then used to perform some malicious action. It is easier to fool a person than to find vulnerabilities and hack a system.

An attacker chats with someone and tries to elicit information. An attractive profile picture may be used to lure the victim; the attacker then slowly asks questions designed to draw out information, working towards the target's email address and password. Attackers first build deep trust with the target and only then make the final move; gaining trust is one of the phases of social engineering.

Common attacks:

An email with a link or an attachment that has malicious code embedded. Clicking the link or downloading the attachment runs the code and infects the target system.

This is one of the most serious problems people face online today. Do not trust anyone online by default, and avoid sharing personal information.


  • Identity theft:

It is easy to access an account when the attacker already has some personal information. A common technique is to click on "forgot password" and try to recover the account through email or the security questions. Once attackers have access to your email account, they have access to all the information on your social networking sites.

This can be prevented using 2FA (two-factor authentication).

Never share your personal information online.


  • Phishing bait:

Phishing is the attempt to obtain sensitive information such as usernames and passwords, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Phishing is an example of a social engineering technique used to deceive users.

An attacker could create a clone of a website, infected with malware, and ask you to enter personal information. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Always make sure URLs are legitimate before opening them.


  • Shortened links / URLs:

Always be careful when opening a shortened URL.

URL shortening services such as bit.ly, TinyURL and goo.gl are used to fit long URLs into tight spaces. They also do a good job of obfuscating the link, so it is not immediately apparent to victims that they are clicking on a malicious link. These shortened links are easy to share.

Only click on links from trusted sources. This will not always protect you, but it helps lower the risk.

Update browsers and operating systems regularly with the latest security updates.


  • Apps:

Try not to use apps like:

  • Facebook color changer
  • Celebrity Face Match
  • Who viewed your Facebook profile
  • NSFW videos
  • Twitter instant followers
  • Pinterest bogus pins
  • Instagram free likes

These apps ask you to post them on your profile, share them with your friends or watch a video tutorial. Some do provide the promised function, but what they actually do is give the attacker access to your profile, which is then used to spam, and they can also infect mobile devices.

Change your passwords regularly. Delete unnecessary apps. Do not trust third-party notifications. Be cautious about giving unverified apps or services access to or permissions on your account. Download apps only from trusted sources.


  • CSRF – cross-site request forgery:

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser.

When you click on a link on a web page, your browser sends a request to the web server. These requests can broadly be categorized into two types: GET and POST. A GET request simply asks for a page, e.g. when you browse www.google.com. A POST request is sent when you send data to the server, e.g. when you search for something on Google, the search would be sent as a POST request.

But what if it were possible to send a request from a user's browser without the user's consent? It is possible, it is simple, and it is called Cross-Site Request Forgery.

Malicious requests are sent from a site that the user visits to another site against which the attacker believes the victim is authenticated. The requests are routed to the target site via the victim's browser, which is authenticated to the target site, so the target treats them as the victim's own.

PREVENTING CSRF:
The most common method of preventing cross-site request forgery attacks is to include unpredictable challenge tokens in each request and associate them with the user's session. Tokens should be unique per user session; they can also be made unique per request. By checking the challenge token on each request, the developer can ensure that the request is valid and did not come from a source other than the user.
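One way to implement the per-session challenge token described above, as an added example that is not from the original post: a token is generated with the session, embedded in the form as a hidden field, and checked with a constant-time comparison on every state-changing request. The in-memory session store, the form fields and the `/transfer` endpoint are constructed stand-ins for a real application.

```python
import hmac
import secrets

# Constructed in-memory session store (stand-in for a server-side session):
# session_id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}


def create_session(user):
    """Start a session and bind one unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Embed the session's token in the form as a hidden field. A page on
    another origin cannot read this value out of the victim's browser."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_post(sid, form, rotate=False):
    """Accept the state-changing request only if the submitted token matches the
    one bound to the session. compare_digest keeps the check constant-time so
    the token cannot be recovered byte by byte through timing differences."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    if rotate:  # optional per-request tokens: issue a fresh one after each use
        session["csrf_token"] = secrets.token_urlsafe(32)
    return 200, f"transferred {form['amount']} to {form['to']} for {session['user']}"


def demo():
    """Legitimate submission vs. two forged ones riding on the same session cookie."""
    sid = create_session("alice")
    html = render_form(sid)
    token = html.split('value="')[1].split('"')[0]  # what the real form carries
    ok = handle_post(sid, {"csrf_token": token, "to": "bob", "amount": "10"})
    # A third-party page can make the browser send the cookie (sid) but never saw the token.
    forged = handle_post(sid, {"to": "mallory", "amount": "1000"})
    guessed = handle_post(sid, {"csrf_token": "x" * 43, "to": "mallory", "amount": "1000"})
    return ok[0], forged[0], guessed[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```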

 

  • Clickjacking:

Clickjacking (UI redress attack) is a malicious technique that tricks a user into clicking on something different from what they perceive they are clicking on, thereby taking control of actions on their computer while they interact with seemingly innocuous web pages. It is a browser security issue that affects a variety of browsers and platforms. A clickjack takes the form of a script or page layout that acts without the user's knowledge, such as a button that appears to perform one function but actually triggers another.

For example, imagine an attacker who builds a website with a button that says "click here for a free iPod". On top of that page, the attacker has loaded an invisible iframe containing your mail account, lined up so that its "delete all messages" button sits exactly over the "free iPod" button. The victim tries to click the "free iPod" button but actually clicks the invisible "delete all messages" button.

To prevent this, keep your browser updated.
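An up-to-date browser can only refuse to render the mail page inside the attacker's iframe if the mail site tells it to, so the complement to the advice above is checking that sensitive pages send an anti-framing header. The checker below is an added example, not part of the original post; the sample response headers are constructed.

```python
def framing_protection(headers):
    """Classify a response's anti-framing posture from its headers.
    Returns (protected, reason). Header names are matched case-insensitively;
    CSP frame-ancestors takes precedence over X-Frame-Options, as in browsers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources in (["'none'"], ["'self'"]):
                return True, f"CSP frame-ancestors {sources[0]}"
            if not sources:
                return False, "CSP frame-ancestors has no source list; review the policy"
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors restricted to " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers"
    return False, "no anti-framing header; page can be loaded in an attacker's iframe"


# Constructed sample responses (not captured from any real site)
SAMPLES = {
    "webmail_unprotected": {"Content-Type": "text/html"},
    "webmail_xfo": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "webmail_csp": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "widget_open": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples):
    """Map each sample name to whether its headers block framing."""
    return {name: framing_protection(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_protection(hdrs))
```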

Malicious Image Files on Facebook Spreading Locky Ransomware

Security researchers have discovered ransomware being spread by exploiting vulnerabilities in social networking sites including Facebook and LinkedIn. The malware is being spread through Scalable Vector Graphics (.svg) files on Facebook Messenger. SVG is an XML-based file format, so it can embed content such as JavaScript. The malicious file manages to bypass Facebook's file extension filter. The malware being distributed is the Locky ransomware.

In the case of Locky, all files on the affected computer are encrypted until a ransom is paid.

When the file is opened, users are prompted to install a browser extension. This extension downloads the Nemucod downloader, which fetches the malware that then encrypts the files.

Users should never download attachments from people they don't know, or open attachments with unusual file extensions such as .svg, .js or .hta. If such a file has already been downloaded, do not open it.
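Because SVG is XML, the active content that makes such a file dangerous (script elements, event-handler attributes, javascript: links, remote references) can be found by parsing it, and a filter that rejects SVGs containing any of it works regardless of the file extension. The checker below is an added example, not part of the original post; the two sample documents are constructed and are not the actual Locky lure.

```python
import xml.etree.ElementTree as ET


def svg_active_content(svg_bytes):
    """Return findings describing executable or remote-loading content in an SVG:
    <script> elements, on* event handlers, javascript:/data: URLs and external
    references. An empty list means none was found. For untrusted input in
    production, parse with defusedxml to also guard against entity-based attacks."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower() if isinstance(elem.tag, str) else ""
        if tag == "script":
            findings.append("<script> element")
        if tag in ("foreignobject", "iframe", "embed", "object"):
            findings.append(f"<{tag}> element can host non-SVG content")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()  # strip namespace, e.g. xlink:href -> href
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if name == "href":
                if v.startswith(("javascript:", "data:text/html")):
                    findings.append(f"scriptable URL in {name} on <{tag}>")
                elif v.startswith(("http://", "https://")):
                    findings.append(f"external reference in {name} on <{tag}>")
    return findings


def should_block(svg_bytes):
    """Policy a messaging or file-sharing filter could apply: reject any SVG with active content."""
    return len(svg_active_content(svg_bytes)) > 0


# Constructed samples (not the real lure)
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<circle cx="5" cy="5" r="4" fill="red"/></svg>"""

LURE_LIKE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
<a xlink:href="javascript:void(0)"><text y="10">Play video</text></a>
<script>/* constructed: any script here is enough to fail the check */</script></svg>"""

if __name__ == "__main__":
    print(svg_active_content(CLEAN_SVG))      # []
    print(svg_active_content(LURE_LIKE_SVG))  # three findings
```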

Video Demonstration of the Attack

AT&T and BellSouth Passing Out Routers That Enable DDoS Attacks

One of the more interesting TCP/IP weaknesses is its inability to guarantee where a packet is coming from. RIP is an essential component of a TCP/IP network. RIP, the Routing Information Protocol, is used to distribute routing information within networks, such as shortest paths, and to advertise routes out of the local network (Chambers, Dolske, & Iyer, n.d.). The flaw in RIP is that, much like TCP/IP, it has no built-in authentication. RIP attacks are significant because they change where data goes, unlike common spoofing attacks that change where data appears to have come from. When an attacker can forge RIP announcements and send them from anywhere in the world, this is a huge security flaw. Attackers can forge RIP packets claiming to be another host with the fastest route or path out of the network. This is troubling because there is a higher-level DDoS attack that uses the RIPv1 protocol, called a reflection amplification attack. Mimoso (2015) says, "Reflection attacks happen when an attacker forges its victim's IP addresses in order to establish the victim's systems as the source of requests sent to a massive number of machines." Because the attacker controls the RIP requests, it can send many of them on behalf of the victim's network. The recipients of the requests issue an overwhelming flood of responses back to the victim's network, crashing it (Mimoso, 2015).
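The amplification the paragraph describes, and the neighbour check a router should apply before answering, both follow from the RIPv1 datagram format in RFC 1058 (a 4-byte header, 20-byte route entries, at most 25 entries per reply, and a single entry with address family 0 and metric 16 meaning "send me your whole table"). The parser and classifier below are an added example, not part of the original post or of either cited article; the addresses and routing-table sizes are constructed.

```python
import ipaddress
import struct

RIP_REQUEST, RIP_RESPONSE = 1, 2
INFINITY = 16                     # RIP metric meaning "unreachable" / "whole table"
HEADER = struct.Struct("!BBH")    # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")  # AFI, zero, IPv4 address, zero, zero, metric
MAX_ENTRIES = 25                  # RFC 1058 limit per datagram


def parse_rip(payload):
    """Parse a RIPv1 datagram into (command, version, [(afi, addr, metric)]).
    Raises ValueError on malformed input."""
    if len(payload) < HEADER.size or (len(payload) - HEADER.size) % ENTRY.size:
        raise ValueError("bad RIP length")
    command, version, _ = HEADER.unpack_from(payload)
    entries = []
    for off in range(HEADER.size, len(payload), ENTRY.size):
        afi, _, addr, _, _, metric = ENTRY.unpack_from(payload, off)
        entries.append((afi, str(ipaddress.IPv4Address(addr)), metric))
    return command, version, entries


def is_full_table_request(entries):
    """RFC 1058: a single entry with AFI 0 and metric 16 asks for the entire table."""
    return len(entries) == 1 and entries[0][0] == 0 and entries[0][2] == INFINITY


def classify_request(src_ip, payload, local_cidrs, table_size):
    """Decide whether an inbound RIPv1 datagram should be answered.
    src_ip is the (possibly spoofed) source address, local_cidrs the router's
    directly connected networks, table_size the number of routes a reply would
    carry. Returns (answer, reason, bytes_out_per_byte_in)."""
    command, version, entries = parse_rip(payload)
    if command != RIP_REQUEST or version != 1:
        return False, "not a RIPv1 request", 0.0
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(net) for net in local_cidrs):
        # RIP only speaks to neighbours; a request from anywhere else carries a
        # forged source, and the reply would land on the reflection victim.
        return False, "source is not a directly connected neighbour", 0.0
    if is_full_table_request(entries):
        datagrams = -(-table_size // MAX_ENTRIES)  # ceiling division
        reply_bytes = HEADER.size * datagrams + ENTRY.size * table_size
        return True, "full-table request from neighbour", reply_bytes / len(payload)
    return True, "specific-route request from neighbour", 1.0


def build_full_table_request():
    """Constructed 24-byte datagram, as a neighbour legitimately sends on boot."""
    return HEADER.pack(RIP_REQUEST, 1, 0) + ENTRY.pack(0, 0, 0, 0, 0, INFINITY)


if __name__ == "__main__":
    req = build_full_table_request()
    print(classify_request("192.0.2.7", req, ["192.0.2.0/24"], 25))     # answered, 21.0x
    print(classify_request("198.51.100.9", req, ["192.0.2.0/24"], 25))  # dropped
```

With a 100-route table the same 24-byte request draws four datagrams totalling 2016 bytes, an 84x amplification, which is why dropping requests from non-neighbours matters more than the table size.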

I chose this vulnerability because it's very current in the landscape of DDoS attacks, and Threatpost by Kaspersky Lab suggests that this is only going to grow in the coming years. The easiest way to stop this is to use routers with RIPv2 and above. Unfortunately, a large number of the routers that have been compromised using this deprecated technology come from AT&T and BellSouth, and they are regularly distributed in the United States.

References

Chambers, C., Dolske, J., & Iyer, J. (n.d.). TCP/IP security. Department of Computer and Information Science. Retrieved from http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html

Mimoso, M. (2015, July 1). RIPv1 reflection amplification DDoS attacks. Threatpost. Retrieved from https://threatpost.com/attackers-revive-deprecated-ripv1-routing-protocol-in-ddos-attacks/113582/

The Latest Developments in Router Attacks – What You Need to Know About People Attacking Your Router

Router Attacks – DNS Redirect

Routers are vulnerable to different types of attacks. The first is the DNS rebinding and cross-site request forgery attack, demonstrated at DEFCON 2010 as a modern attack against home routers. The attack is fairly intricate in that it has several moving parts, and it works in three stages. First, the attacker needs to be able to modify the DNS records of the attack domain. Next, the attacker must be able to create various pages on that domain and link them with DNS. The attack itself happens when the victim visits the malicious site, where the attacker obtains the user's public IP address. The attacker then quickly creates a subdomain on the attack domain with two "A records": one pointing to the attacker's server and the other to the public IP address of the victim's router. The web server redirects the victim's browser to a page with JavaScript code that will execute the CSRF portion of the attack (TrendLabs Security, 2010). Because the attacker controls the web server, they can send TCP reset (RST) packets on demand. Finally, the browser executes the JavaScript, which tries to connect to the temporary subdomain; the attacking server replies with an RST and ends the session, and the user's system falls back to the other IP address it knows for that hostname, which happens to be the external IP address of the victim's router (TrendLabs Security, 2010). Results are then channelled back to the attacking server via a portal, and the attacker can try different credentials until one succeeds and they are fully connected.


DNS Redirect Prevention

There are a few ways to protect a router from this flavour of attack. First and foremost, use HTTPS and disable the HTTP console if that is a configuration option. Always use strong passwords for routers, and always remove factory default passwords. Add a firewall rule preventing devices on the local network from sending packets to the IP block that your public IP address belongs to. Keeping your firmware up to date is also a huge help. Using a NoScript plugin can also protect against the malicious JavaScript, since that is part of the attack.


CDP Attacks

Another attack targets the Cisco Discovery Protocol (CDP), which can be used by default on all Cisco devices: the protocol is enabled out of the box. CDP advertises information about the network device such as the software version, IP address, platform, capabilities and native VLAN (Popeskic, 2011), and all of it is sent in clear text. When this information is sniffed off the VLAN traffic, an attacker can use it to find other exploits and orchestrate an attack such as a Denial of Service (DoS). CDP is also unauthenticated, meaning an attacker can craft fraudulent CDP packets and have them accepted by the directly connected Cisco device. If an attacker can also get access to the router via SNMP or Telnet, they can discover the entire Layer 2 and Layer 3 topology of the network, including IOS levels, router and switch model types, and the IP addressing scheme.


CDP Prevention

The way to prevent the CDP attack is simply to disable the default configuration that allows it on the router. Administrators should not just disable CDP on a single interface, which leaves the CDP table populated, but disable it on the entire device. Redscan (2013) says, "CDP can be useful and, if it can be isolated by not allowing it on user ports, then it can help make the network run more smoothly."


Figure 1. Warning message displayed on an HTTP website by an infected router.


References

Popeskic, V. (2011, December 16). CDP attacks – Cisco Discovery Protocol attack. Retrieved from https://howdoesinternetwork.com/2011/cdp-attack

Redscan. (2013, December 19). Ten top threats to VLAN security. Retrieved from https://www.redscan.com/news/ten-top-threats-to-vlan-security/

TrendLabs Security. (2010, August 10). Protecting your router against possible DNS rebinding attacks. TrendLabs Security Intelligence Blog. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dns-rebinding-attacks/

TrendLabs Security. (2015, May 20). New router attack displays fake warning messages. TrendLabs Security Intelligence Blog. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/new-router-attack-displays-fake-warning-messages/

TeslaCrypt

TeslaCrypt, also known as EccKrypt, is one of the most widely seen ransomware families. It encrypts certain files and demands a ransom to decrypt them. TeslaCrypt uses the AES symmetric algorithm to encrypt files; TeslaCrypt 4 features the RSA algorithm for encrypting data.


TeslaCrypt evolved from ransomware targeting gamers, but it is not only a severe threat in itself but also one capable of far wider data leakage.


The first version of TeslaCrypt emerged in March 2015; TeslaCrypt 2.0 was launched in November 2015 and TeslaCrypt 3.0 in January 2016, and now the fourth version is out.

TeslaCrypt is spread using exploit kits such as the Angler and Neutrino exploit kits.

With Angler, Adobe Flash is exploited and TeslaCrypt is then downloaded as the payload.

With Neutrino, users are redirected to malicious pages hosting exploit files that target various vulnerabilities. Once a vulnerability is exploited, a Trojan downloader is delivered and executed on the victim's machine. The payload then starts generating random domain names and connects to a remote server. The target machine receives a 404 error page along with a download link that delivers the TeslaCrypt variant from the remote server. After execution, TeslaCrypt encrypts the files.

After encrypting the files, it renames them. Below are some of the extensions seen so far:

  • .encrypted
  • .ecc
  • .ezz
  • .exx
  • .ccc
  • .ttt
  • .micro

 

Apart from running antivirus, the following things help prevent ransomware infections.

  1. Back up your files.
  2. Apply Windows and other software updates regularly.
  3. Avoid clicking untrusted email links or opening unsolicited email attachments.
  4. Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
  5. Install a firewall, block Tor and I2P, and restrict traffic to specific ports.
  6. Disable remote desktop connections.
  7. Block binaries running from the %APPDATA% and %TEMP% paths.