Malware RSS Feed
We have selected the events from the first quarter of 2016 that, in our view, illustrate the main trends in the field of DDoS attacks and the tools used to perform them.A record-breaking reflection DDoS attack
DDoS attacks using amplification/reflection techniques are still popular and allow cybercriminals to break their peak power records. From a technical point of view, amplification methods are nothing new in DDoS attacks, but cybercriminals are discovering new ways and resources to enhance the capacity of their botnets. For example, according to a recently published report, 2015 saw the largest ever DDoS attack on record at 450-500 Gbps.DDoS attack on Trump
It’s possible that last year’s record didn’t last very long – at the very beginning of the year the official website of Donald Trump’s election campaign were subjected to DDoS attacks whose strength, according to unconfirmed sources, reached 602 Gbps. The hacktivist group New World Hacking claimed responsibility for both incidents.Use of the DNSSEC protocol
Criminals are increasingly using the DNSSEC protocol to carry out DDoS attacks. The protocol is intended to minimize DNS spoofing attacks, but besides the domain data a standard DNSSEC reply also contains additional authentication information. Thus, unlike a standard DNS reply of 512 bytes, the DNSSEC reply comes to about 4096 bytes. Attackers exploit this feature to perform amplification DDoS attacks. They usually use domains in the government zone .gov, because in the US such domains are required by law to maintain DNSSEC.Pingback attacks on WordPress
Web resources powered by the WordPress content management system (CMS) are still popular with cybercriminals carrying out DDoS attacks. Popular CMS-based resources often become targets of DDoS attacks exploiting the WordPress pingback function. The pingback function notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS. If the administrator of the site running WordPress has enabled the function, all links leading to the materials published on a site can perform a so-called pingback, i.e. send a special XML-RPC request to the original site. A huge number of pingback requests sent to the original site can cause a “denial of service”. This feature continues to attract the attention of cybercriminals and helps them perform DDoS attacks at the application level.Linux Mint hacking
On 21 February 2016, the head of Linux Mint, Clement Lefebvre, reported that someone had managed to hack the project infrastructure including its official website and forum, and substituted the link to the legitimate ISO image of the Linux Mint 17.3 Cinnamon edition with their own URL. The hacker’s modified ISO contained malicious code that used infected machines to perform DDoS attacks.Attacks on security companies
Cybercriminals also target companies working in information security, with most of the major players – especially those offering anti-DDoS services – having to regularly combat DDoS attacks on their resources. These attacks can’t cause much damage because all these resources are well-protected, but that doesn’t stop the cybercriminals.
In Q1 2016, resources in 74 countries were targeted by #DDoS attacks #KLreportTweet
In general, cybercriminals don’t go all out to bring down an IT security company’s site. The attacks tend not to last long, and in most cases, they are terminated as soon as the source notices that protection systems are working. The cybercriminals don’t want to waste their botnet resources when they could be earning money elsewhere. Nevertheless, the attacks continue.
Analysis of the correspondence on underground forums suggests that the criminal fraternity uses the websites of IT security companies as test bed, i.e. to test new methods and tools. This approach is no worse than others, but it does give us some valuable information. If worldwide DDoS statistics show the current state of things, then attacks on IT security companies allow us to some extent to predict the future of DDoS.
Data on the tactics, strength and types of attacks targeting Kaspersky Lab sites also allows us to forecast the trends in the DDoS industry for the coming months.
Once again, we have had to deal with amplification attacks. Their number has declined slightly compared to last year, but their maximum strength has increased fourfold. This confirms the trend of a general strengthening of these attacks – the criminals have to increase the strength to overcome protection measures used by Internet providers and information security companies. In our case, none of these attacks led to our sites being unavailable.
In Q1 2016, 93.6% of resources targeted by #DDoS attacks, were located in 10 countries #KLreportTweet
Considering the number of attacks on Kaspersky Lab resources in the first quarter of 2016, the “cream” of the cybercriminal community has gone back to the good old methods of attacks at the application level. Already in the first quarter of this year, we combated several times more HTTP(s) attacks than we did in the whole of 2015. Interestingly, there were several application-layer attacks performed simultaneously against a number of Kaspersky Lab resources. The strength of the DDoS resources was spread between several targets, reducing the effect on each target. This is most probably because the aim was not to disrupt Kaspersky Lab’s sites but to test tools and to see how we responded. The longest attack of this type lasted less than six hours.
We can assume that the proportion of Data Link layer attacks will gradually decline, and application-layer and multi-layer attacks (a combination of hardware and application-layer attacks) will come to the fore.
Powerful UDP amplification attacks came into general use a few years ago and are still a favorite tool of cybercriminals. The reasons for their popularity are clear: they are relatively easy to perform, they can be very powerful with a relatively small botnet, they often involve a third party, and it is extremely difficult to detect the source of the attack.
Although in Q1 of 2016 our Kaspersky DDoS Prevention service continued to combat UDP amplification attacks, we believe that they will gradually disappear. The once daunting task of combining the efforts of Internet providers and IT security companies to effectively filter the junk traffic generated by UDP attacks is almost solved. Having faced the risk of their main channels being clogged up due to large volumes of UDP packets, providers have acquired the necessary equipment and skills and cut this traffic off at the root. This means amplification attacks on a Data Link Layer are becoming less effective and, as a result, less profitable.
In Q1 2016, the largest numbers of #DDoS attacks targeted victims in #China, the #USA & #SouthKorea #KLReportTweet
To execute application-layer attacks on web services, large botnets or several high-performance servers and a wide output channel are required, as well as thorough preparatory work to study the target and find its vulnerabilities. Without this, they are ineffective. If the application-layer attack is carried out properly, it is difficult to counter it without blocking access to legitimate users – malicious requests look authentic and every bot faithfully fulfills the connection procedure. The only anomaly is the high demand for the service. We registered these sorts of attempts in the first quarter. This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them.
Moreover, there is a real danger of these methods being used by cybercriminals en masse – the more popular the technique, the more tools are offered for it on the black market. And if application-layer attacks really do become widespread, we should expect to see a growth in the number of customers for this type of DDoS attack and more competent attackers.Statistics for botnet-assisted DDoS attacks Methodology
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the first quarter of 2016.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
The longest #DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) #KLreportTweet
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.Q1 Summary
- In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015).
- 93.6% of the targeted resources were located in 10 countries.
- China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. France and Germany were newcomers to the Top 10.
- The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
- SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter.
- Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.
In Q1 2016, the geography of DDoS attacks narrowed to 74 countries.
93.6% of targeted resources were located in 10 countries.
Distribution of DDoS attacks by country, Q1 2016 vs. Q4 2015
The Top 3 most targeted countries remained unchanged. However, South Korea’s share grew from 18.4% to 20.4% while the US’s contribution dropped by 2.2 percentage points. Also of note is the fact that Q1 2016 saw an increase in the number of attacks targeting resources in Ukraine – from 0.3% to 2.0%.
The statistics show that 94.7% of all attacks had targets within the Top 10 most targeted countries:
Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q4 2015
The number of targets in South Korea increased by 3.4 percentage points. China’s share fell from 50.3% in Q4 2015 to 49.7% in the first three months of 2016. The percentage of DDoS attacks targeting resources in the United States also decreased (9.6% in Q1 2016 vs. 12.8% in Q4 2016). Despite the change in figures, South Korea, China and the US maintained their positions in the Top 3, coming well ahead of all other countries.
SYN #DDoS, TCP DDoS & HTTP DDoS remain the most common DDoS attack scenarios in Q1 2016 #KLreportTweet
The first quarter of 2016 saw Ukraine enter the Top 5 DDoS targets: its share grew from an insignificant 0.5% at the end of last year to 1.9% in Q1 2016.
Taiwan and the Netherlands’ share fell 0.8 and 0.7 percentage points respectively, meaning both dropped out of the Top 10 most attacked countries.Changes in DDoS attack numbers
In Q1 2016, DDoS activity was distributed more or less evenly, with the exception of one peak on 6 February. The peak number of attacks in one day was 1,272, recorded on 31 March.
Number of DDoS attacks over time* in Q1 2016.
* DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
As in the previous quarter, Monday (16.5% of attacks) was the most active day of the week for DDoS attacks. Thursday moved up to second (16.2%). Tuesday, which was in second place in Q4 2015 (from 16.4% to 13.4%), became the quietest day of the week in terms of DDoS attacks.
Distribution of DDoS attack numbers by day of the weekTypes and duration of DDoS attacks
The ranking of the most popular attack methods remained constant from quarter to quarter. Those used most often were the SYN DDoS method, although its share fell compared to the previous quarter (57.0% vs 54.9%), and TCP DDoS which fell by 0.7 percentage point. The proportion of ICMP DDoS attacks grew significantly, rising to 9%; however, it did not affect the order of the Top 5.
Distribution of DDoS attacks by type
Noticeably, the figure for UDP DDoS has fallen continually over the last year: from 11.1% in Q2 2015 to 1.5% in Q1 2016.
Like the previous quarter, about 70% of attacks lasted no more than 4 hours. At the same time, the maximum duration of attacks decreased considerably. The longest DDoS attack in the last quarter of 2015 lasted for 333 hours; in Q1 2016, the longest registered attack ended after 197 hours.
Distribution of DDoS attacks by duration (hours)C&C servers and botnet types
In Q1, South Korea remained the leader in terms of the number of C&C servers located on its territory, with its share growing from 59% in the previous quarter to 67.7% in the first quarter of 2016.
China came second; its share grew from 8.3% to 9.5%. As a result, China pushed the US down to third (6.8% vs 11.5% in Q4 of 2015). For the first time during the reporting period France appeared in the Top 10 countries hosting the most C&C servers. This correlates with the increased number of attacks in the country.
Distribution of botnet C&C servers by country in Q1 2016
99.73% of DDoS targets in Q1 2016 were attacked by bots belonging to one family. Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.25% of cases. In 0.01% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.
Correlation between attacks launched from Windows and Linux botnets
When it came to the number of attacks launched from Windows and Linux botnets in Q1 2016, Windows-based botnets were the clear leader. For the third quarter in a row, the difference between the share of Windows- and Linux-based attacks was approximately 10 percentage points.Conclusion
The events of the first quarter of 2016 once again demonstrated that the attackers are not resting on their laurels and are increasing their computing resources to perform DDoS attacks. Amplification scenarios, which have de facto become the standard tool for carrying out a powerful attack, exploit vulnerabilities in new network protocols. The reasons for an attack can vary: from disrupting pre-election campaigns and attacking candidates’ resources to showdowns between competitors on the black market. There have been frequent incidents of DDoS attacks targeting the very organizations that specialize in countering them. With the spread of vulnerable devices and workstations and the abundance of configuration drawbacks at the application level, the cost of a significant attack is going down. Therefore, reliable protection is needed to ensure these attacks are financially unviable for the criminals.
This year’s DBIR release from Verizon exposes valuable and well organized data on global incidents this past year. Our contributions on targeted attack activity and other areas to a report like this one over the past several years is important to help to improve cyber-security awareness and education both in the security industry and the general public.
The report is well organized, offering trending information from Point of Sale incidents to cyber-espionage, web application hacking, cybercrime, and skimming. And it simplifies most of the data into nine categories for ease of discussion. The data demonstrates that intruders will use tried and true techniques before moving on to the newest and most expensive. Like most years in cybersecurity, “It’s like déjà vu, all over again.” —Yogi Berra
You can download the 2016 DBIR here, its 85 pages of data and diagrams can help provide informed discussion around these topics on a greater scale. We look forward to another great writeup in 2017 from the DBIR guys at Verizon.
BeEF Wrapped Up and Delivered in 2016
The embedded BeEF content appears not to be fully configured, and only partially implemented. Perhaps a limited data set was of interest for this attacker, or this was an early attempt at deploying BeEF.
This incident is interesting because at the same time and a bit earlier, another group was heavily relying on repackaging open source offensive security product in their toolset by deploying both BeEF and Metasploit-produced components across a select set of strategic web compromises. This particular APT has years of low-tech elaborate social engineering schemes and re-purposed open source efforts under its belt.
While we call them the NewsBeef APT, they have been reported in the past as Charming Kitten or Newscaster in 2014, social engineering their way into sensitive circles of trust with spoofed LinkedIn profiles and phony news media organizations.
They continue to be highly active, but this time, they are using a slightly more technical toolset. On one hand, they have developed skills or discovered tools to compromise select web applications and sites, supporting their watering hole campaigns. On the other hand, they have repackaged leaked bot source code and repackaged open source Metasploit and PowerSploit components to produce and administer backdoors and downloaders.
Newsbeef/Newscaster will find a way to compromise a web site, usually the vulnerability appears to be CMS related, in an outdated WordPress plugin, Joomla version, or Drupal version. Attackers usually perform one of two things, Newsbeef has been performing the first of the two:
- inject a src or iframe link into web pages or css sheets
The injected link will redirect visitors’ browsers to a BeEF server. Usually, the attackers deliver some of the tracking and system/browser identification and evercookie capabilities. Sometimes, it appears that they deliver the metasploit integration to exploit and deliver backdoors (we haven’t identified that exploitation activity in our ksn data related to this group just yet). Sometimes, it is used to pop up spoofed login input fields to steal social networking site credentials. We also haven’t detected that in ksn, but some partners have privately reported it about various incidents. But we have identified that attackers will redirect specific targets to laced Adobe Flash and other installers from websites that they operate.
So, the watering hole activity isn’t always and usually isn’t delivering backdoors. Most of the time, the watering hole injections are used to identify and track visitors or steal their browser history. Then, they deliver the backdoors to the right targets.
In addition to the University site and the NewsBeef APT, in the past couple of months, we identified a variety of compromised sites around the world serving the BeEF. Most are cleaned up. Deployments to interesting and strategic web sites and their true reach on a global scale appears to be on the increase:
- Middle eastern embassy in the Russian Federation
- Indian military technology school
- High conflict regional presidency
- Ukrainian ICS Scanner mirror
- European Union education diversification support agency
- Russian foreign trade management organization
- Progressive Kazakh news and politics media
- Turkish news organization
- Specialized German music school
- Japanese textile manufacturing inspection corporate division
- Middle Eastern social responsibility and philanthropy
- surprisingly popular British “lifestyle” blog
- Algerian University’s online course platform
- Chinese construction group
- Russian overseas business development and holding company
- Russian gaming developer forum
- Romanian Steam gaming developer
- Chinese online gaming virtual gold seller
- Brazilian music instrument retailer
Key to these incidents are the development, distribution, and ease of use of toolkits like BeEF.
BeEF itself is an open source collection of tools and tricks, some years old, that combined together can effectively hook a visiting web browser for evaluation and full exploitation. Because of its capabilities, we have seen increased adoption of the framework for the past year or so.
- Browser enumeration and reporting
- Plugin enumeration and reporting
- Retrieve visited domains (based on an old browser cache fetch timing trick)
- Social engineering via live sessions and phishing within the browser
- Network exploration, discovery, and exfiltration tunneling
- Metasploit exploit integration and autopwning
- Evercookie deployment for persistent tracking – multiple platforms
- XSS evaluation and exploitation
At the same time, many of the techniques implemented are very old and public. The kit is extensible, customizable, and integrates with metasploit for autopwnage. Some of the techniques were discussed during Jeremiah Grossman’s 2006 Black Hat conference presentation. The delay in deployment for techniques of this type indicates that some teams are dependent on open source tool packaging and ease of use. We have seen this sort of reliance on both open source offensive toolkits and legitimate software in the past from APT like Crouching Yeti, TeamSpy, and now the Newsbeef.
Preventing the social engineering sessions for credential theft and Metasploit exploit integration makes immediate sense and can be incorporated at the network and more effectively at the host level. AntiAPT can help wipe out most of an operation on the network at scale, but these measures can be evaded as well. In other words, dealing with a determined attacker using tools like this one is difficult.
Cash machines have been part of our lives since 1967 when a London branch of Barclays Bank unveiled the first ATM. Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. When using ATMs people give little or no thought to the hardware, software or security of the machines. Unfortunately, ATM manufacturers and their primary customers – banks – don’t pay much attention to the security of cash machines either. This is confirmed by the increasing number of thefts from ATMs using non-destructive methods, i.e. without the use of metal cutting tools or explosives.
To understand why this is happening, let’s first look at what exactly a cash machine is.Hardware
An ATM is basically a construction kit. The manufacturer builds them from a dispenser, a card reader and other units produced by different companies. The units are placed in a housing which usually consists of two parts: the top box called the cabinet, or the servicezone, and the lower section called thesafe.
The cabinet includes units such as the system unit (yes, a standard system unit, which sometimes even has the same housing as a typical home computer), the EPP (Encrypting PIN Pad) the card reader, and so on. The service zone, according to ATM manufacturers, contains everything that makes it impossible to access the money. Probably for this reason the cabinet cover is made of plastic and the service zone is protected from unauthorized access by just a simple lock. By the way, a set of locks and separate keys can both easily be purchased online as the manufacturers install the same locks on their devices, and most banks usually don’t bother to replace them.
The safe has much better protection: it is a ‘sandwich’ of steel and concrete with two types of locks – one coded (electronic or limb, sometimes electro-mechanical) and the other a key lock (usually a lever tumbler lock). The safe contains the devices directly related to the money – a dispenser from which cash is withdrawn, and a cash-in module.
All devices are connected to the system unit, which in this case performs the function of the host (as we shall refer to it) via the USB or RS232 ports (often referred to as a COM port). Sometimes these ports are located directly on the system unit; if there aren’t enough ports, a USB/COM hub is used. Older ATM models can still be found that are connected via the SDC bus.Software
The software used on almost every ATM is straightforward:
- operating system
- ATM units management software
- software used to interact with the user (ATM consumer or operator)
- software used to communicate with the processing center (which provides the information and technological sides of the transaction)
- anti-virus software, or integrity control software.
This is sufficient for the ATM to carry out its immediate functions, but for some reason certain banks also install Acrobat Reader 6.0, Radmin, TeamViewer and other unnecessary and in some cases even dangerous software.
When it comes to the operating system, the vast majority of ATMs still use … Windows XP! Despite the fact that Microsoft stopped issuing security updates for it in April 2014. Of course, 0-day vulnerabilities for this system will remain unpatched. The engineers servicing ATMs often think that if the ATM is working, it is better “not to touch” (read: “not to update”) it. As a consequence, some cash machines still have the unpatched critical vulnerability MS08-067 which allows remote code execution.
ATM units are implemented on microcontrollers based on real-time operating systems (RTOS), which is particularly irksome for the guys with IDA Pro because static analysis is almost unheard for such systems.
That’s basically all the information cybercriminals need to start hacking.Malware
In 2009, the appearance of Trojan Backdoor.Win32.Skimer caught the world’s attention: it was the first malicious program targeting ATMs. Skimer attacked ATMs from a particular manufacturer – one of the market leaders. Using this malicious program the criminals emptied the cash dispensers and also skimmed the data from bank cards processed in infected ATMs. Since then, ATMs of different manufacturers have been repeatedly exposed to malware infection.
The process of stealing money from ATMs using malware consists of four stages:
- The attacker gains local/remote access to the machine.
- Malicious code is injected into the ATM system.
- As a rule, infection is followed by rebooting of the ATM. The system seems to reboot in standard mode but at the same time comes under the control of a malicious program, i.e. cybercriminals.
- The final stage, i.e. the main aim of the process, is the theft of money.
Getting access to the inside of an ATM is not a particularly difficult task, as the experts at the Positive Hack Days, the international forum on practical information security, demonstrated. The process of infecting is also fairly clear – arbitrary code can be executed on an insecure (or insufficiently secure) system. There seems to be no problem with withdrawing money either – the malware interface is usually opened by using a specific key combination on the PIN pad or by inserting a “special card”, and then all you need to do is stuff your pockets full of cash.
Here we will focus on how a malicious program can gain control of an ATM.The XFS standard
So the attackers have infected the ATM system unit. What next?
Here again, a short explanation is required. As already mentioned, the ATM is managed by a Windows-based application. Its task is to organize interaction between the user (client or services), the processing center which sends commands to the ATM and the equipment that executes these commands. The message exchange with the processing center occurs via direct connect protocols (NDC or DDC): users communicate with the GUI while service providers are responsible for the operation of each ATM unit (gateways to these units). To send commands to the service providers and on to the equipment as well as to receive status messages, a level called XFS Manager is used in accordance with WOSA.
ATM operations in the context of the XFS standard
XFS (CEN/XFS, and earlier WOSA/XFS), or the eXtensions for Financial Services, is a standard that provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as ATMs. XFS is intended to standardize software so that it can work on any equipment regardless of the manufacturer, and provides a common API for this purpose.
Thus, any application that is developed with the XFS standard in mind can control low-level objects by using only the logic described in this standard. And that application could well be the Tyupkin backdoor or any other malicious program.
What opportunities does XFS offer?
For example, the dispenser, which is the most interesting part for the attackers, can give out money without authorization. Or use of XFS on some ATM models means cybercriminals can manipulate the code to open the safe and unlock the ATM cassettes.
Exploitation of the MS08_067 vulnerability allowing execution of arbitrary code. The video was shot by experts at BlackHat Europe 2014
With regard to the card reader, XFS allows the reading and recording of data from the bank card magnetic stripe and even retrieval of the transaction history stored on the EMV card chip.
Of special note is the Encrypting PIN Pad (EPP). It is believed that the PIN cannot be intercepted because it is entered on the ATM PIN pad and is converted directly inside the encryption module into a PIN block (EPP contains keys to do this, two of which are in the bank’s Hardware Security Module). However, XFS allows the PIN pad to be used in two modes:
- Open Mode – for entering different numeric values, such as the sum to be withdrawn;
- Secure Mode, which EPP switches to in order to enter a PIN and encryption keys.
This allows cybercriminals to implement a “man-in-the-middle” (MiTM) attack. They only have to intercept the command sent from the host to the EPP to switch to Secure Mode and then to inform the device that work is continuing in Open Mode. In the reply message, the EPP will send the keystrokes as plain text – exactly what the attacker needs.
But what about authentication and exclusive access? And surely the standard’s specifications are inaccessible?
Unfortunately, this is not the case with XFS. The standard does not provide any authentication, and exclusive access to service providers is implemented, but not for security reasons. This is just a single-threaded command sending function to avoid accidentally breaking delicate hardware by simultaneously sending two identical commands.
Surprisingly, although it is a standard for financial applications, it doesn’t even mention security. Where can you find the specifications to check if this is true? Just try entering “ATM XFS” in any search engine and you’ll find the answer among the first few results.Integrity control software
Banks sometimes use integrity control software on their ATMs that supposedly prevents the execution of unauthorized code based on a whitelist, controls connected devices and drives, as well as providing other useful methods which should, in theory, counter attacks.
But we shouldn’t forget that first of all it is software, and just like any other software, it’s not perfect. It may be vulnerable to attacks as such kiosk mode bypassing, whitelist bypassing, buffer overflow, privileges escalation to SYSTEM user, etc. As you know, existing vulnerabilities often allow cybercriminals to gain access to the operating system and to do their dirty work.Undocumented features
The bad guys may use modified utilities that were originally provided by ATM developers or manufacturers to test a machine’s operability. One of the functions of these utilities is to test the dispenser function, including the dispensing of cash. In order to carry out a test, the engineer has to confirm his legitimacy by opening the safe door or performing actions with the dispenser cassettes. The logic is simple: if you can open the safe, you have the key, i.e. you are a licensed engineer or a cash-in-transit guard. But by simply replacing a couple of bytes in the utility, the “right” people can “test” cash withdrawals without any checks.
Yet another way criminals have of lining their pockets is to change the denomination of banknotes dispensed by the ATM using a diagnostic utility. As a result, the attacker receives banknotes with the largest nominal value (e.g., a 100 dollar/euro banknote) while the ATM “thinks” it is dispensing the smallest of the available denominations (five or ten). It means several hundred thousand can be withdrawn from a card with a balance of just a few hundred.Black box
So-called black box attacks are another type of attack that is getting increased coverage in the news. On surveillance camera videos the following occurs: someone opens the service zone, connects a magic box to the ATM, closes the cabinet and leaves. A little later several people who appear to be customers approach the ATM and withdraw huge sums of money. Of course, the criminals retrieve their little device from the ATM once they have achieved their goal. Usually, these black box attacks are only discovered a few days later when the empty cassettes and the withdrawal logs don’t tally, leaving the bank employees scratching their heads.
However, there is no magic involved – the attackers connect a specially programmed microcomputer to the dispenser in such a way that it bypasses the security measures implemented on the host (antivirus, integrity control, full disk encryption, etc.).Communications insecurity
As mentioned above, USB, RS232, or SDC can be used as a data transmission channel between the system unit and the devices. It’s likely that nothing will prevent the attackers from sending the necessary commands directly to the device port bypassing its service provider. The standard interfaces often do not require any specific drivers. Authorization is not required either, which basically makes these insecure proprietary protocols an easy target – just sniff and replay. The result is direct control over ATM units, the use of undocumented functions (e.g., changing the unit firmware). The criminals may also use a software or hardware traffic analyzer, installing it directly on the port of a particular device such as a card reader in order to obtain the transmitted data. And this analyzer will be difficult to detect.
Direct control over the dispenser means the ATM cassettes can be emptied without any entries being made in the ATM software logs.
A typical packet – the command to dispense a banknote from the first cassette of the dispenser
For those who are unaware, it may look like magic. Every great magic trick consists of three parts or acts. There are dispensing money from the cassette, opening the shutter, and presenting money to the client.
A black box attack on an ATM. Video was prepared by experts for demonstration purposes at BlackHat Europe 2014
Hardware skimmers are ‘so yesterday’. Direct connection makes it possible to read and record the magnetic strip of a credit card. Traffic analyzers, which are freely available on the Internet, can also be used as a direct connection. Rumor has it that in one fairly large bank all the ATMs were used as skimmers: the attackers had found vulnerabilities in the bank’s network and installed a USB sniffer on the ATMs, allowing them to collect bank card data in plain text for five years! Who knows, maybe your card was among those affected.
The intercepted data of a Track2 cardThe network
The connection between ATMs and the processing center can be protected in various ways. For example, using a hardware or software VPN, SSL/TLS encryption, a firewall or MAC-authentication, implemented in xDC protocols. However, all these measures often appear to be so complex for banks that they don’t bother using any network protection at all.
In such cases, a MiTM attack can be launched that will result in the attacker getting both bank card data and all the money in the ATM. This requires remote access to the device, which is usually obtained by using vulnerable services that can be accessed from the Internet, as well as social engineering techniques. Physical access to the network hardware, including the ATM Ethernet-cable will also suffice.
On the way to the real processing center a fake one pops up; it sends commands to the ATM software to dispense banknotes. Withdrawing money is possible with any card, even one that has expired or has a zero balance, as long as the fake processing center “recognizes” it. A fake processing center can be either “homemade” software that supports communication with the ATM via the xDC-protocol, or a processing center simulator originally designed to check network settings (yet another “gift” from the vendors to the cybercriminals).
The commands for giving out 40 banknotes from the fourth cassette sent from a fake processing center and stored in the ATM software logs. They look almost like the real thing.
Where do the criminals find ATMs that can be attacked via the network? Do they scan all the nearby networks or buy the information on underground forums?
It turns out that you just need to enter the correct request in a search engine – https://www.shodan.io/ (this Internet of Things scanner is well-known by the experts). The data collected by this scanner is usually enough to launch such attacks.
— Eugene Kaspersky (@e_kaspersky) 9 февраля 2016 г.
Or you could just take a closer look at the ATMs in retail and business centers.
Sometimes the ATM system can be accessed without even opening it – all the communications are located on the outsideWho’s to blame and what can be done
This part is usually the most depressing, and here’s why.
When we detect a vulnerability while analyzing ATM security, we send a notification to the vendor with a description of the problem and ways to solve it. And often the answers are bewildering:
“The vulnerabilities are essentially normal specifications of the card readers and not unexpected. As long as the ATM is running within normal parameters, these problems cannot possibly occur.”
“However this vulnerability is inherent in the USB technology and is expected be mitigated by the use of appropriate physical controls on access to the ATM top box.”
“We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors been expired.”
Indeed, why should vendors bother about ATMs with expired warranties that are still used by banks around the world, and whose physical security often leaves much to be desired? Unfortunately, reality shows that manufacturers are only interested in selling new products and not in eliminating the shortcomings of existing systems, while banks lack the necessary skills to cope with the problems on their own.
Fortunately, some manufacturers understand the dangers of unauthorized ATM use, and release security updates. To prevent attacks on dispensers, two-way authentication and cryptography are used. It should be noted, however, that not all cryptography is correctly implemented cryptography.
While the existing countermeasures can protect ATMs from malware, they are powerless against black box or network attacks. A huge number of security flaws and vulnerabilities that can be exploited with minimum expertise make cash machines a prime target for those desperate to get rich illegally.So. Is everything lost?
ATM manufacturers can reduce the risk of attack on cash machines.
- Firstly, it is necessary to revise the XFS standard with an emphasis on safety, and introduce two-way authentication between devices and legitimate software. This will help reduce the likelihood of unauthorized money withdrawals using Trojans and attackers gaining direct control over ATM units.
- Secondly, it is necessary to implement “authenticated dispensing” to exclude the possibility of attacks via fake processing centers.
- Thirdly, it is necessary to implement cryptographic protection and integrity control over the data transmitted between all hardware units and PC inside ATM.
And what should banks do? They need to take action!
Encourage those who sell ATMs and software to make them secure. The manufacturer must eliminate vulnerabilities as soon as possible; it is necessary to tell them about it as often as possible. To prevent hacking of ATMs it is necessary to make use of all the available protection tools. A completed PCI DSS Self-Assessment Questionnaire is not a silver bullet and won’t protect ATMs from attacks, or banks from financial and reputational losses. Proactive protection, including regular ATM security assessment and penetration testing, is better (and often much cheaper) than security incident and the subsequent investigation.
Bad guys are watching.
PS: No cash machines were harmed in the preparation of this material.
PPS: This overview of the security issues in cash machines is not intended as a hacking guide.
Major football tournaments such as the World Cup and the European Championship, traditionally attract a lot of spammer activity. Euro 2016 will be held this summer in France, and it’s not only the fans and players who are getting ready but also Internet fraudsters. The latter have started sending out fake notifications about lottery wins dedicated to the upcoming tournament. Their emails often contain attachments adorned with graphic elements including official emblems, the Euro 2016 logo and those of its sponsors.
The contents of the attachments are the standard stuff: the lottery was held by an authorized organization, the recipient’s address was randomly selected from a large number of email addresses, and in order to claim your prize you have to reply to the email and provide some personal information. We have recorded cases where the same attachment was sent in messages with a different text, but the theme of the email is essentially the same. The fraudsters also use different email addresses and change those used in the body of the message and the attachment.
We have also come across advertising spam in different languages, for example in Dutch, asking recipients to buy a 2-euro commemorative coin issued specifically for Euro 2016.
We expect to see a growth in football-themed spam as the start date of Euro 2016 approaches. This type of fraudulent spam can be one of the most dangerous for users: the perpetrators are unlikely to limit their activity to fake lotteries, and will start spreading various emails offering the chance to win tickets to the games, as was the case before the World Cup in Brazil. The amount of spam targeting users in France, which is hosting the championship, may also increase.
A detailed presentation of this research was delivered at RSA US 2016, and is available at https://www.rsaconference.com/writable/presentations/file_upload/tech-t09-smart-megalopolises.-how-safe-and-reliable-is-your-data.pdf
In the past two years traffic sensors have mushroomed in Russian cities. Drivers using speed camera detectors were the first to spot the white boxes stuck to posts along the roadside. Their devices, designed to warn drivers about traffic enforcement cameras, react to the signals emanating from the new sensors in the same way they do to the radar guns used by traffic police. Helping enforce the speed limit is merely a positive side effect, however; the city authorities installed the sensors for a completely different reason. The devices count the number of cars of varying size in each lane, determine their average speed, and send the data to a unified traffic control center.
A traffic sensor in Moscow
As a result, the city authorities receive information about traffic intensity, which allows them to, for example, adjust traffic light phasing or plan further road infrastructure. The weekly reports issued by Moscow’s traffic authorities present information about the slowest and the fastest highways, based on data coming from both the Center for Road Traffic Management and from Yandex. While the latter’s data comes from apps running on users’ smartphones, the former would not be able to collect its data without the road infrastructure that will be discussed here.
Each week the Moscow city authorities publish data about the city’s fastest and slowest highways
These sensors are the lowest tier of ‘smart city’ infrastructure – they collect raw data about traffic and pass it on; without that data, no analysis can be done and systems cannot be configured properly. Therefore, the information coming from the sensors has to be accurate. But is that actually the case? Can an outsider manipulate the operation of the sensors and the information that they collect? We will try to answer these questions and identify any improvements that can be made to the urban IT infrastructure.How to search for devices and information about them
Any research begins by collecting all the available data, and research into embedded systems, to which traffic sensors belong, is no exception. Even in a narrow market segment, you cannot know all sensor types and models by sight unless you are dealing with them professionally every day. The odds are that you won’t be able to immediately identity the manufacturer of a device by just looking at it. This makes all the logos and manufacturer labels on devices all the more valuable.
If you do succeed in identifying the model of a road sensor just by looking at it, you can find various documentation on the vendor’s site (or that of their integrator), and, if you are lucky enough, you will also find the software used for working with the devices. You will almost certainly find a marketing leaflet about your device; there is also a good chance you will find a larger sales-oriented document. It is also not uncommon to come across documentation, but finding a full-fledged technological description with the device’s command system is a rare piece of luck.
It is practical to automate the process of working with the sensors, so you don’t have to sit under each and every device with a laptop. Nowadays, such automation is quite normal – wireless connections are no longer a rarity for ‘smart city’ components. However, to ensure such automation, you first need to know which communication protocol each sensor uses, and how to separate the devices you need from all the other devices.
For this purpose, you can use any identifiers, including peculiarities in how the devices communicate their data. For example, most MAC addresses are reserved to specific manufacturers (however, anonymous MAC addresses also exist). As well as numeric IDs, devices also typically have alphabetic names that may also follow some type of standard, i.e. the device model plus an incremental index.
All of this makes it possible to write a scanner to search for devices that are of interest to us. One of the sensor models installed in Moscow uses Bluetooth for data communication. These devices have both MAC addresses and ‘friendly names’ that are quite distinctive, so we can add only these traffic sensors to the list and filter out all nearby smartphones and TV sets. A discussion on Bluetooth security goes beyond the scope of this topic, so we will not talk here of compromising Bluetooth devices. We informed the Moscow city authorities about the configuration drawbacks in November 2015.
Traffic sensor records saved to a database
I used Python, PostgreSQL and a bit of C. In real time, as I drive by each traffic sensor, the scanner identifies each device’s MAC address, friendly name and coordinates. The fields with the vendor name and the physical address are filled out later on a separate pass through the database based on the data already collected. Determining the device’s physical address from coordinates is, to a certain degree, a time-consuming procedure, so it shouldn’t be done simultaneously while searching for devices. Establishing a Bluetooth connection is not fast either, so if you want to find traffic sensors, you’ll have to drive slowly.What can be done with the firmware
The openness shown by the manufacturers to installation engineers, their readiness to give them access to tools and documents, automatically means they are open to researchers. (I respect this sort of approach; in my view, this sort of openness combined with a ‘bug bounty’ approach yields better results than secrecy.) After selecting any of the identified sensors, you can install the device configuration software supplied by the vendor on your laptop, drive to the location (the physical address saved in the database), and connect to the device.
As we do in any research of embedded system security, we first of all check if it’s possible to reinstall the firmware on the device.
The configuration software allows the firmware on the traffic sensor to be changed
Yes, we can install new firmware on the device via this wireless connection designated for servicing purposes. It is just as easy to find the manufacturer’s firmware and as it is its software. The firmware looks reminiscent of Intel iHex or Motorola SREC, but this is the manufacturer’s proprietary product. If we remove the overhead information (‘:’ – the write instruction, serial numbers, memory addresses and checksums) from the data blocks for the digital signal processor (DSP) and the main processing unit (MPU), we obtain the clean code. However, we don’t know the architecture of the controllers in the device, so we cannot simply open the file with a disassembler.
The traffic sensor firmware
Oddly enough, LinkedIn helps out here – it’s not just a handy resource for careerists and HR departments. Sometimes the device architecture is not a secret, and engineers who used to work for the manufacturer may be willing to talk about it. Now, as well as the file, we also have an understanding of the architecture which the firmware was compiled for. However, our good fortune only lasts until we launch IDA.
You can find the controller types even if they aren’t specified in the documentation
Even when we know the architecture, the firmware remains a meaningless jumble of bytes. However, we could find out from the same engineer how exactly the firmware is encrypted, as well as the encryption algorithms and key tables. I didn’t have the device to hand, so at that stage I decided this black box mode of firmware modification was showing little promise, and set it aside. We have to admit that in this specific case the microelectronics engineers know how to protect firmware. However, this did not mean the end of the road for our sensor research.Only trucks travel at night
Firmware modification is “good” in that new functional capabilities can be added. However, there is sufficient functionality in the manufacturer’s standard software. For example, the device has about 8 MB of memory that is used to keep a copy of traffic data until the memory is full. This memory can be accessed. The firmware allows you to change the way that passing vehicles are classified according to their length, or change the number of lanes. Would you like a copy of the information collected on traffic? No problem. Would you like to classify all vehicles as trucks driving in the right lane? You can do that too. Of course, this will affect the accuracy of the statistics that are collected, with all ensuing consequences.
Sample of the data traffic sensors collect and pass along. The same data is stored on the device
If someone wants to get a copy of Moscow traffic statistics or manipulate the data, they will have to walk or drive around all the traffic sensors; however, they won’t have to launch software for each of the thousands of sensors and modify the settings manually. In this specific case, there is a description of the proprietary system of commands for the devices. This is not something that you come across a lot when researching embedded systems. In any case, after establishing a connection to the traffic sensor using the manufacturer’s software, the commands are no longer a secret – they are visible using a sniffer. Even then, there’s a description in English that saves us the trouble of analyzing the machine-language communication protocol.
Documented device commands make traffic analysis unnecessary
Bluetooth services are not actually implemented on the traffic sensor; the wireless protocol in this case is only a data communication environment. The data is communicated via a regular serial port. Software handling of such ports is no different from reading and writing to files, the code for sending commands is trivial. For these purposes, it’s not even necessary to implement the usual multithreaded port handling – it’s sufficient to send bytes and receive the response in a single thread.
To sum up, a car driving slowly around the city, a laptop with a powerful Bluetooth transmitter and scanner software is capable of recording the locations of traffic sensors, collecting traffic information from them and, if desired, changing their configurations. I wouldn’t say that traffic stats are a major secret, but tampering with sensor configurations could affect their validity. And that data could be used as a basis for controlling ‘smart’ traffic lights and other traffic equipment.
The sensor sent a response, the command has been accepted. Because we know the command system, it is easy to ‘translate’ the responseWhat can be done?
It turns out that the answers to both questions we raised at the beginning are negative: traffic data is not protected, and it can be manipulated. Why is that? Well, there was no authorization except that required for Bluetooth, and that was not configured properly. The manufacturer of the road sensors we examined is very generous when it comes to service engineers, with a lot of information about the devices publicly available on the manufacturer’s official website and elsewhere. Personally, I agree with the manufacturer and respect them for this, as I don’t think the “security through obscurity” approach makes much sense these days; anyone determined enough will find out the command system and gain access to the engineering software. In my view, it makes more sense to combine openness, big bounty programs and a fast response to any identified vulnerabilities, if for the only reason that the number of researchers will always be bigger than the number of employees in any information security department.
At the installation stage, it makes sense to avoid using any standard identifiers. Obviously, manufacturers need to advertise their products, and the servicing teams may need to collect additional information from the adhesive labels on a device, but besides the convenience there are also issues of information security to consider. Last but not least, it’s not worth relying solely on the standard identification implemented in well-known protocols. Any additional proprietary protection that is properly implemented will be relevant and make penetration much more difficult.
A detailed presentation of this research was delivered at RSA US 2016, and is available at RSA conference website.
Last week vulnerability developers, security researchers, and even a couple of friendly govies descended upon my native Miami for two daily servings of novel implants, exploits, and the latest in offensive research. To contrast the relaxed bikini-clad environment, an adversarial tone was set by conference badges in the form of survival paracord bracelets with Infiltrate dogtags. In good spirits, white-, grey-, and black-hats sparred for tech supremacy and today I’d like to share some thoughts on insightful talks that forecast the intricacies and stumbling blocks that await us as defenders.
This industry has seen its fair share of military analogies for cyberconflict (including Chris Hoff’s brilliant 2015 SAS keynote) and this conference did not disappoint in that area. Kicking off Infiltrate, Nate Fick (CEO of Endgame) brought to bear his wealth of experience in the Marines to the current situation in infosec to great effect. Perhaps doing a disservice to an insightful talk, I’d like to recall some key concepts of Nate’s keynote that build up to a cohesive argument for understanding the role of escalation dominance in our space:
- ‘A dollar of offense almost always beats a dollar of defense’. Let that sink in.
- ‘One of the tenets of civilized societies is that governments have a monopoly on the legitimate use of force’, a just-war theory concept worth remembering when the preposterous suggestion of ‘hacking back’ is thrown around as a legitimate option for companies.
- ‘What level of hacking warrants a bullet, rendition, or a drone?’. This is not a trivial question in our space. As Nate discussed, if we are going respect the cyber-equivalent of a monopoly on the legitimate use of force so that only the government is allowed to conduct offensive cyber-operations in retaliation for an attack on private industry, and we expect this to function as some form precedent-based deterrence, then we should have a clear idea of what offenses merit certain types of retribution.
This is all by way of preparing the ground for the concept of ‘escalation dominance’. As Nate stated, “Escalation dominance, if you don’t have it then don’t fight someone who does”. And that is to say, “You can only deter an adversary if you have the escalatory capability to beat them all the way up the ladder”. I hope these serve as timely takeaways as companies weigh the possibility of ‘hacking back’, an option that is sure to yield meager gains when compared to the next play that awaits on the escalatory ladder.
Further highlights, include Joe Fitzpatrick’s talk on hardware implants titled ‘The TAO of Hardware, the Te of Implants’. Joe is one of those rare unicorns that focuses on hardware security and showcased his skills by trying to convince us of the ease and accessibility of hardware implants. A common misconception is that hardware implants are so difficult to design and expensive to manufacture that they’re only available to the most well-resourced and technologically-capable tier of attackers but Joe shows that this is clearly no longer the case. A valuable takeaway was his starting premise, that the role of a good hardware implant is simply to provide software access and then back off entirely.
As ‘Cyber-Pathogens’ are all the rage with kids these days, I want to discuss Travis Morrow and Josh Pitt’s talk on ‘Genetic Malware’. The title is a reference to their analogies to different types of attack targeting, in this case that of bioweapons and chemical weapons. In reality, the intention is to provide a framework (now public) with which to execute Gauss-style attacks: malware binaries whose final payload is encrypted in such a way as to only decrypt and execute on a specific victim system thereby stumping third-party research efforts to reverse engineer and understand the ultimate objective of the attackers.
Travis and Josh’s E.B.O.W.L.A. (Ethnic BiO Weapon Limited Access) framework drastically lowers the entry threshold for attackers to perform Gauss-style attacks by encrypting their payloads based on specific environment variables on the victim system, environmental factors like IP range or time ranges to trigger, or even a one-time pad based off of a specific system binary. This strategy for buying time was ultimately effective in the case of Gauss whose encrypted payload remains a mystery to this day and, if popularized, will surely prove an interesting challenge for the anti-malware industry going forward.
Finally, as a result of the historic work done by Katie Missouris to help launch the federal government’s first public bug bountry program, Lisa Wiswell of the newly formed Department of Defense Digital Defense Service joined us with an articulate plea to enlist the best and brightest to ‘Hack the Pentagon’ (within scope) and help better defend the country. The crowd was accommodating and we can only hope this program proves a success if only to set precedent for further friendly outreach efforts between the US government and the larger infosec community (in all of its monochromed haberdashery).