June 16, 2017
UNM4SK3D: NSA, Hidden Cobra, and Power Grids
#wikileaks (drip, drip, drip)

The Cherry Blossoms that bloom around Washington D.C. have since died, but the 'Cherry Blossom' Wireless Router Hacking System is alive and well. This is the latest of the Vault 7 leaks, released June 15th. Someone with a green thumb must have named 'Cherry Blossom,' a framework used by the CIA to monitor the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices. Apparently developed alongside the Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its 'Cherry Bomb' project, 'Cherry Blossom' is a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs). Using 'Cherry Blossom,' an operator exploits router vulnerabilities to gain unauthorized access and then replaces the device's firmware with custom 'Cherry Blossom' firmware. Once the firmware is in place, the implanted device, called a 'Flytrap,' can be used to monitor the Internet activity of targets of interest and to deliver software exploits to them. According to Wikileaks, "CIA hackers use Cherry Blossom hacking tool to hijack wireless networking devices on the targeted networks and then perform man-in-the-middle attacks to monitor and manipulate the Internet traffic of connected users." Once the wireless device is under control, 'Cherry Blossom' reports back to a CIA-controlled command-and-control server referred to as 'Cherry Tree,' where it receives instructions and performs malicious tasks including: monitoring network traffic to collect email addresses, chat user names, MAC addresses, and VoIP numbers; redirecting connected users to malicious websites; setting up VPN tunnels to access clients connected to the Flytrap's WLAN/LAN for further exploitation; and copying the full network traffic of a targeted device.
In a list from the Hacker News, they state: "'Cherry Blossom' has the ability to exploit vulnerabilities in hundreds of Wi-Fi devices manufactured by the following vendors: Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com."
The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection. -Wikileaks

For a full perspective on all sides of the Wikileaks debate, read 'Wikileaks: The Good, The Bad, & The Ugly!'
#deltacharlie

According to a recent report from the FBI and the U.S. Department of Homeland Security (DHS), there is a new warning about an ongoing, eight-year-long North Korean state-sponsored hacking operation, 'Hidden Cobra,' run by the malicious hacking group known as the Lazarus Group. The group is strongly suspected of operating a malware variant, 'DeltaCharlie,' which could infect hundreds of thousands of computers globally as part of the 'Hidden Cobra' DDoS botnet, the report warns. And that's not the worst part: the 'Lazarus Group,' also known as 'Guardians of Peace,' is believed to be backed by the North Korean government and is known to launch cyber attacks against global institutions, including media organizations, the aerospace and financial sectors, and critical infrastructure. They have previously been involved in the 2013 DarkSeoul operation and the devastating 2014 Sony Pictures hack, and may have been involved in WannaCry.

In the new report, the agencies identified, with "high confidence," IP addresses associated with 'DeltaCharlie,' which can launch a variety of DDoS attacks on its targets, including Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol (CGP) attacks. "The botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks." Somewhat surprisingly, it is not new: 'DeltaCharlie' was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report. However, researchers at Kaspersky Lab recently detected that one 'Hidden Cobra' malware sample contained a hard-coded IP that belongs to a major U.S. financial institution.

The DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine if the malicious activity has occurred on their network.
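One way to act on that recommendation is to sweep existing firewall logs and a host file inventory against the published indicators. The script below is an added example, not part of the original article or the DHS/FBI alert; the watchlist entries, log lines and file hashes are constructed placeholders (TEST-NET addresses and dummy digests) that you would replace with the values from the alert.

```python
import ipaddress
import re

# Constructed placeholder indicators; the real values come from the DHS/FBI alert.
WATCHLIST_IPS = {"203.0.113.45", "198.51.100.0/24"}   # TEST-NET ranges, placeholders only
WATCHLIST_HASHES = {"0" * 64}  # placeholder SHA-256, not a real DeltaCharlie hash

# Constructed firewall-style log lines (src -> dst) used as sample input.
SAMPLE_LOGS = [
    "2017-06-13T02:11:09Z ALLOW src=10.0.4.12 dst=203.0.113.45 dport=53 proto=udp",
    "2017-06-13T02:11:10Z ALLOW src=10.0.4.12 dst=93.184.216.34 dport=443 proto=tcp",
    "2017-06-13T02:12:44Z DENY src=198.51.100.77 dst=10.0.4.9 dport=123 proto=udp",
]

SAMPLE_FILES = {  # constructed host inventory: path -> sha256
    "C:\\Windows\\Temp\\svc.exe": "0" * 64,
    "C:\\Windows\\System32\\notepad.exe": "a" * 64,
}

_LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")

def _compile_watchlist(entries):
    """Turn plain IPs and CIDR strings into network objects so ranges match too."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def _hits(ip_str, networks):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in networks)

def scan_logs(lines, watchlist=WATCHLIST_IPS):
    """Return (line, matched_ip) for every line whose src or dst is on the watchlist."""
    networks = _compile_watchlist(watchlist)
    matches = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # not a connection record; skip
        for ip_str in (m.group("src"), m.group("dst")):
            if _hits(ip_str, networks):
                matches.append((line, ip_str))
                break  # one hit per line is enough to flag it
    return matches

def scan_hashes(inventory, watchlist=WATCHLIST_HASHES):
    """Return file paths whose SHA-256 matches a watchlisted hash (case-insensitive)."""
    wanted = {h.lower() for h in watchlist}
    return [path for path, digest in inventory.items() if digest.lower() in wanted]
```

Any hit is a candidate for the flagging and reporting step in the alert quoted below, not proof of compromise on its own.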
If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation. -official alert statement

To learn more about the Lazarus Group, read this previous issue of UNM4SK3D.
#malware

Security researchers have discovered the culprit behind the cyber attacks on Ukrainian industrial control systems in December 2015, and this discovery has other countries worried over what could happen if the malware turns the 'lights out' again. The power outage in the northern part of Kiev, the capital of Ukraine, which left tens of thousands of citizens in a blackout, is believed to have been caused by a dangerous piece of malware in the wild that targets critical industrial control systems. Discovered by Slovakia-based security software maker ESET and US critical infrastructure security firm Dragos Inc., this malware, dubbed 'Industroyer' or 'CrashOverRide,' is the biggest threat designed to disrupt industrial control systems since Stuxnet. You may remember Stuxnet as "the first malware allegedly developed by the US and Israel to sabotage the Iranian nuclear facilities in 2009." Unlike Stuxnet, 'CrashOverRide' relies on four industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems.

'CrashOverRide' can control electricity substation switches and circuit breakers, allowing an attacker to simply turn off power distribution, cascade failures, and cause more severe damage to equipment, partly because these systems were designed so long ago. In the opinion of Dragos CEO Robert M. Lee, "the 'CrashOverRide' malware is capable of causing power outages that can last up to a few days in portions of a country's electric grid, but it is not capable enough to bring down the entire grid of a nation." Further, "'CrashOverRide' is not unique to any particular vendor or configuration and instead leverages knowledge of grid operations and network communications to cause impact; in that way, it can be immediately re-purposed in Europe and portions of the Middle East and Asia."
Likewise, the malware can be modified to target other types of critical infrastructure, like transportation, gas lines, or water facilities, as well with additional protocol modules.
The malware contains a few more features that are designed to enable it to remain under the radar, to ensure the malware's persistence, and to wipe all traces of itself after it has done its job. -ESET researchers

Despite the danger of this new malware, there are still best practices. Read more: 'How to Approach Cyber Security for Industrial Control Systems.'