Security Week 13: a parade of crypto-lockers, the FBI unlocks an iPhone without Apple's help, more details on Badlock

    The six-week standoff between Apple and the Federal Bureau of Investigation has ended. On March 28 the FBI officially announced that it had managed to unlock the terrorist's iPhone 5c without the manufacturer's help, so it no longer needs Apple to build a tool for it. The story ended in what is probably the most profitable way for both the vendor and the consumer; the stock-photo gentleman in the picture won't let me lie. But that does not mean the topic is closed.

    Leaving the details aside, the smartphone maker and (in a sense) the government argued over who is obliged to provide access to a user's protected data when a criminal investigation requires it. Perhaps for the first time on such a scale, the question was raised: what should government agencies do when encryption protects data so well that it cannot be broken without the manufacturer's help? As it turned out, the FBI was simply in a hurry: if you really need to get in, there are other ways.

    But sooner or later (rather sooner) the issue will come up again, in court or even in new legislation. The problem will have to be solved, and the decision may seriously affect the security of any encrypted data (no matter whose!), which is to say it will affect everyone. So we keep watching. All digest issues are available by tag.

    Crypto Locker Parade
    Three of the five most popular news items of the past week concern ransomware Trojans. I can't say the newly discovered attacks differ much from earlier ones, though the researchers did find a couple of interesting tricks, and the vast majority of crypto-lockers are still caught proactively by a decent security product. What drew attention was not the attack technology but its scale, and the serious incidents at organizations that hold important data, hospitals above all. Let's go through the main events.

    Fileless crypto-locker attacks medical centers
    News. Carbon Black study.

    Investigating an attack (not the first) on an unnamed healthcare company, Carbon Black specialists uncovered the work of decidedly minimalist criminals. Potential victims are sent Office documents; on opening, the document asks them to enable macros, after which the data is encrypted by a Windows PowerShell script. In other words (with some reservations) we are dealing with a very simple script-based Trojan, with primitive, unencrypted communication with its command server, and the result is either lost data or a $500-1000 ransom. As you can see, an attack method with a 20-year history still works, and with the arrival of the bash shell on Windows it gains new prospects.
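The launch chain described above (Office document, macro, hidden PowerShell, cleartext command server) is what a detection should key on, because the script itself is trivially rewritten. The following is an added example, not Carbon Black's or the digest author's code: it runs simple detection logic over constructed process-creation events flattened to key=value pairs. The field names (ParentImage, Image, CommandLine) and the sample lines are assumptions for the demonstration, not any product's exact schema.

```python
"""Flag PowerShell launched from an Office process with an encoded command,
the launch chain of the macro-delivered ransomware described above.

Added example, not Carbon Black's or the digest author's code. The log lines
are constructed to look like Windows process-creation events flattened to
key=value pairs; the field names are an assumption, not a product's schema.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_SWITCHES = {"-enc", "-encodedcommand", "-e", "-ec"}
# Strings in the decoded script that point at file encryption or cleartext C2.
CRYPTO_HINTS = ("System.Security.Cryptography", "RijndaelManaged", "AesManaged")
C2_HINTS = ("Net.WebClient", "http://")

# key=value pairs; a quoted value may contain backslashes (Windows paths).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Split one flattened event line into a dict of fields."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_SWITCHES:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def assess(line):
    """Return the reasons this event looks like the macro -> PowerShell chain."""
    ev = parse_event(line)
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    switches = {t.lower() for t in cmd.split() if t.startswith("-")}
    reasons = []
    if image in ("powershell.exe", "pwsh.exe") and parent in OFFICE_PARENTS:
        reasons.append("office-spawned-powershell")
    if switches & {"-nop", "-noprofile"} and switches & {"-w", "-windowstyle"}:
        reasons.append("hidden-noprofile")
    script = decode_encoded_command(cmd)
    if script is not None:
        reasons.append("encoded-command")
        if any(h in script for h in CRYPTO_HINTS):
            reasons.append("crypto-api-in-payload")
        if any(h in script for h in C2_HINTS):
            reasons.append("cleartext-c2")
    return reasons


def scan(events):
    """Map each flagged event's index to its reasons."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = assess(event)
        if reasons:
            flagged[i] = reasons
    return flagged


def _encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed payload: fetch a key over plain HTTP, then encrypt documents.
_PAYLOAD = ("$c=New-Object Net.WebClient;"
            "$k=$c.DownloadString('http://192.0.2.10/key');"
            "$a=New-Object System.Security.Cryptography.RijndaelManaged;"
            "gci $env:USERPROFILE -r -inc *.doc,*.xls | % { <# encrypt #> }")

SAMPLE_EVENTS = [
    # constructed: a Word macro launches hidden, encoded PowerShell
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -nop -w hidden -ep bypass -enc ' + _encode(_PAYLOAD) + '"',
    # constructed: an administrator running a script from Explorer
    'ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(index, reasons)
```

The parent-child relation and the encoded, profile-less, hidden launch are the stable parts of the chain; the decoded script is only inspected for corroboration, since a real payload can be obfuscated well beyond string matching. Any of the first three reasons on its own is worth a look in a hospital's environment, where Office documents launching PowerShell at all is rarely legitimate.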

    Targeted crypto-locker attack on hospitals through vulnerabilities in server software
    News. Cisco Talos study.

    The SamSam ransomware, by contrast, uses far less trivial methods. It attacks not employees' workstations but JBoss application servers (now known as WildFly). The attackers' motivation is clear: instead of social engineering, which does not always work, they exploit flaws in server configuration, and servers, unlike employees, work not from 8 to 5 but around the clock. The researchers say the organizers of the attack choose hospitals as victims. In the last issue I suggested that the heightened interest in medical centers reflects a desire to hit the most sensitive infrastructure and data: if a small "traditional" business with comparable infrastructure stops work for a couple of days, nobody suffers much, whereas a hospital has no time to investigate, because patients need treating. Cisco Talos researchers offer a different motivation: hospital IT infrastructure is very often simply in a deplorable state from a security standpoint. Quite possibly: IT is not the core business in medicine, but if so, it is time to do something about it.

    The Petya Trojan (pictured) demands a ransom for encrypting the whole disk
    News. Bleeping Computer study.

    In technical terms, most crypto-lockers use file-level encryption: individual files are encrypted while the operating system keeps working. The Petya Trojan, discovered during a study of narrowly targeted spam mailings to German companies, instead encrypts at the disk level, making it impossible to boot the system or reach any data until the ransom ($380) is paid. Researchers from Bleeping Computer showed the Trojan at work in this video:

    In short, the Trojan forces a reboot, after which, while showing the user a fake "disk check", it encrypts the data. The linked study walks through the infection and ransom process in full detail, with screenshots. Here again we have a fairly ancient attack method that, thanks to Tor and bitcoin, has found a new use. A very interesting example, though of dubious scale: unlike traditional Trojans, disk-level encryption requires serious engineering of the attack and leaves plenty of room for something to go wrong.
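A disk-level locker of this kind has to replace the boot sector before the forced reboot, and that replacement is visible from inside the still-running system. The following is an added example, not Bleeping Computer's or the digest author's code: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares it against a recorded baseline. The sectors are constructed; the boot code bytes are placeholders, not a real Windows bootloader, and nothing here is specific to Petya's own loader.

```python
"""Parse a 512-byte MBR and compare it with a recorded baseline, so that a
boot-sector replacement of the Petya kind is noticed before the reboot.

Added example, not Bleeping Computer's or the digest author's code. The
sectors below are constructed: the boot code is placeholder bytes, and only
the layout (446 bytes of code, 4 x 16-byte partition entries, 0x55AA) is real.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
TABLE_OFF = 446
TABLE_LEN = 64
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return the boot code and the four partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        raw = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def baseline(sector):
    """Record a known-good MBR as two hashes: loader code and partition table."""
    parsed = parse_mbr(sector)
    table = sector[TABLE_OFF:TABLE_OFF + TABLE_LEN]
    return {"boot_code": hashlib.sha256(parsed["boot_code"]).hexdigest(),
            "partition_table": hashlib.sha256(table).hexdigest()}


def check_against_baseline(sector, base):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    try:
        parsed = parse_mbr(sector)
    except ValueError as exc:
        return ["unparseable MBR: %s" % exc]
    findings = []
    if hashlib.sha256(parsed["boot_code"]).hexdigest() != base["boot_code"]:
        findings.append("boot code changed")
    table = sector[TABLE_OFF:TABLE_OFF + TABLE_LEN]
    if hashlib.sha256(table).hexdigest() != base["partition_table"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device_path):
    """Read sector 0 of a raw device, e.g. /dev/sda or \\\\.\\PhysicalDrive0 (needs admin)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_mbr(boot_code, partitions):
    """Assemble a sector from placeholder boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, s, b"\x00\x00\x00", t, b"\x00\x00\x00", lba, n)
                     for s, t, lba, n in partitions)
    return code + table.ljust(TABLE_LEN, b"\x00") + SIGNATURE


# Constructed sectors: placeholder loader bytes, one NTFS partition (type 0x07) at LBA 2048.
_PLACEHOLDER_LOADER = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
_LAYOUT = [(0x80, 0x07, 2048, 1048576)]
CLEAN_MBR = build_mbr(_PLACEHOLDER_LOADER, _LAYOUT)
# Same partition table, but the bootstrap code has been swapped out.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"SWAPPED-LOADER", _LAYOUT)

if __name__ == "__main__":
    base = baseline(CLEAN_MBR)
    print(check_against_baseline(CLEAN_MBR, base))
    print(check_against_baseline(TAMPERED_MBR, base))
```

The loader code and the partition table are hashed separately so the report says whether only the bootstrap was swapped or the disk layout moved too. Two caveats a practitioner should keep in mind: a check run inside an already compromised OS can be lied to, so the authoritative comparison is done from boot media; and the check only catches the replaced boot sector, not the encryption that follows the reboot, which is why it belongs on a short schedule or in a pre-shutdown hook rather than a weekly job.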

    Samba Badlock vulnerability: specialists try to work out whether an exploit will appear before the patch
    News.

    I wrote about the Badlock vulnerability at the beginning of the previous digest. Over the past week nothing has changed: we are still waiting for the details to be disclosed on April 12, a Tuesday, after Microsoft releases its next set of patches; Microsoft's own implementation of the network file-sharing protocol turned out to be affected just like the free Samba. The discussion continues about the ethics of the early announcement by SerNet researchers, who are also Samba maintainers. SerNet's motivation is understandable: (officially) they want the administrators of a huge number of potentially vulnerable servers, and the developers of dependent software, to prepare in advance, and (unofficially) they would not mind the extra attention from the media and prospective clients for their security company.

    The opponents of this approach argue as follows:
    - "They are turning security into a farce." We will not discuss this argument, as it is clearly unconstructive.
    - Early disclosure gives attackers enough information to write an exploit and use it before the patch is available.

    This is a reasonable argument, and this week brought evidence in its favour. One SerNet employee, and at the same time a Samba contributor, is Stefan Metzmacher, and naturally his commits to the Samba code immediately drew attention. Among them, in the lock.c module (note the match between the name of the vulnerability and the purpose of the module), the following comment was found:

    /* this is quite bizarre - the spec says we must lie about the length! */

    And when something goes wrong with determining the size of something, the next step may well be a buffer overflow and arbitrary code execution. However, there is no evidence yet that the bug is there (those interested can follow the link to GitHub).

    - It is impossible to prepare for such an announcement. This was indirectly confirmed by SANS Institute researcher Johannes Ullrich in an interview with Threatpost. In his opinion, disclosure can indeed help exploit writers a great deal. But the information on the vulnerability's website, in its current form, does not allow anyone to prepare either. Preparation would mean writing a scanner for specific ports, inventorying the infrastructure for vulnerable Samba versions, and estimating the scale of the problem knowing that only servers are vulnerable but not clients (or vice versa). Waiting in fear is not preparation.

    At the same time, the SANS specialist does believe in the effectiveness of early announcements: once the patch is released, they have a positive effect on how quickly it is deployed. True, according to Ullrich, "branding" is only worthwhile for really serious vulnerabilities; otherwise the method stops working. Conclusion: so far the approach to disclosing Badlock has done more good than harm. But the technique could stand some improvement.
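The preparation Ullrich describes, scanning the relevant ports and inventorying Samba versions, can be done before the advisory appears; only the thresholds have to be filled in afterwards. The following is an added example, not SANS's, SerNet's or the digest author's code. It takes service-scan output in the shape of an nmap -sV service line (host, port, state, service, banner), which here is constructed, and sorts hosts by Samba branch against a table of minimum versions. The thresholds in EXAMPLE_THRESHOLDS are illustrative placeholders, not the real Badlock fix levels, which were not public at the time of writing.

```python
"""Inventory SMB servers from service-scan output and sort Samba hosts by
release branch against per-branch minimum versions.

Added example, not SANS's, SerNet's or the digest author's code. The scan
lines are constructed in the shape of nmap -sV output; the thresholds are
placeholders to be replaced with the advisory's fixed versions once published.
"""
import re
from collections import defaultdict

# Constructed scan output: one line per open SMB port.
SCAN_OUTPUT = """\
10.0.0.5   445/tcp  open  netbios-ssn   Samba smbd 4.1.17-Ubuntu (workgroup: CORP)
10.0.0.6   445/tcp  open  netbios-ssn   Samba smbd 3.6.25 (workgroup: CORP)
10.0.0.7   445/tcp  open  microsoft-ds  Microsoft Windows Server 2012 R2 microsoft-ds
10.0.0.8   139/tcp  open  netbios-ssn   Samba smbd 4.3.6
10.0.0.9   445/tcp  open  netbios-ssn   Samba smbd 4.3.9
10.0.0.10  445/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: LAB)
"""

# Illustrative placeholders only: minimum version per branch that carries the fix.
EXAMPLE_THRESHOLDS = {(4, 3): (4, 3, 9), (4, 2): (4, 2, 12), (4, 1): (4, 1, 30)}

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<port>\d+)/tcp\s+open\s+\S+\s+(?P<banner>.+)$")
SAMBA_VERSION_RE = re.compile(r"Samba smbd (\d+)\.(\d+)\.(\d+)")


def classify(line, fixed):
    """Classify one scan line; returns None for lines that are not open SMB ports."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, banner = m.group("host"), m.group("banner")
    if "Samba" not in banner:
        # Microsoft's own SMB stack is fixed by a Microsoft patch, not a Samba upgrade.
        kind = "windows-smb" if "Windows" in banner else "other-smb"
        return {"host": host, "kind": kind, "version": None, "status": "vendor-patch"}
    v = SAMBA_VERSION_RE.search(banner)
    if not v:
        # Banner only gives a range ("3.X - 4.X"): needs an authenticated check on the host.
        return {"host": host, "kind": "samba", "version": None, "status": "version-unknown"}
    version = tuple(int(x) for x in v.groups())
    minimum = fixed.get(version[:2])
    if minimum is None:
        status = "no-fix-for-branch"        # end-of-life branch: upgrade, not patch
    elif version < minimum:
        status = "below-threshold"
    else:
        status = "at-or-above-threshold"
    return {"host": host, "kind": "samba", "version": version, "status": status}


def inventory(scan_text, fixed):
    """Group hosts by status so the scale of the problem can be read off directly."""
    groups = defaultdict(list)
    for line in scan_text.splitlines():
        record = classify(line, fixed)
        if record:
            groups[record["status"]].append(record["host"])
    return dict(groups)


if __name__ == "__main__":
    for status, hosts in sorted(inventory(SCAN_OUTPUT, EXAMPLE_THRESHOLDS).items()):
        print("%-22s %s" % (status, ", ".join(hosts)))
```

Two limits are worth stating. A banner scan only sees listening servers, so if the advisory turns out to affect clients as well, this inventory undercounts and must be complemented by a package-version query on every host. And distribution builds backport fixes without bumping the upstream version, so a "below-threshold" result for a vendor-patched 4.1.17-Ubuntu is a prompt to check the package changelog, not a verdict.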

    Antiquities:
    The Tula Family

    Resident, non-dangerous viruses. They infect .COM and .EXE files being launched, in the standard way. They reduce the amount of DOS memory (the word at 0000:0413). They hook int 8, int 13h and int 21h. "Tula-417, -593" periodically display "Fuck you!". "Tula-419" is very dangerous: it writes itself to the beginning of COM files that are launched for execution. On Saturday the 14th it tries to format the disks. It hooks interrupt 21h and contains the text "Tula 1990.Sat".

    "Tula-635" displays the message "Formatting Drive ..." and reads sectors from the disk, although it is very likely that changing one byte of the virus code would make it really format the disk.

    "Tula-1480", on every 50th launch of a file, recites a poem popular among English teenagers to a jolly little tune.

    Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 48.

    Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Luck of the draw.
