This Week In Security: Dan Kaminsky, Banned From Kernel Development, Ransomware, And The Pentagon’s IPv4 Addresses
This week we start on a grim note, as Dan Kaminsky has passed away at only 42, of diabetic ketoacidosis. Dan made a name for himself by noticing a weakness in how DNS responses were validated that could allow an attacker to poison the cache of a target DNS resolver. The theoretical attack was already known: a forged response only has to arrive while the query is outstanding and match its 16-bit transaction ID. But Time-to-Live values mean a resolver only sends a query for a given name once every eight hours or so, so the attacker gets very few chances to guess. The breakthrough was realizing that the TTL restriction can be circumvented by requesting nonexistent random subdomains and spoofing responses to those requests, each of which is a fresh chance to guess. This simple technique turns a theoretical attack that would take 87 years into a very real attack that takes about 10 seconds. Watch the video after the break, where Dan talks about his efforts to get the problem fixed.
What may be his most impressive work is how many vendors and stakeholders he persuaded to cooperate while keeping the vulnerability quiet. Given the seriousness of the problem, the decision was made to hold back publication of the details for another 30 days after the coordinated release of the patch. It only took 13 days for the vulnerability to leak, but that still gave the world enough time to head off major problems.
Throughout his life, Dan had a "come out and fix it" mentality that was an inspiration to others. Half the reason we have DNSSEC today is Dan's persistent behind-the-scenes lobbying. He was a force for good, and a hacker's hacker.
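To make the mechanism concrete, here is a toy simulation added for this write-up (it is not code from the original column or from Dan). It models a pre-2008 resolver that trusts any response whose name and 16-bit transaction ID match an outstanding query, and that caches every in-bailiwick record in a trusted response, including "additional" records it never asked about. The zone, IP addresses (from RFC 5737 documentation ranges), guess count, TTL and round-trip time are all assumptions; the point is the shape of the result, not the exact 87-years-to-10-seconds figures from Dan's talk.

```python
import random

ZONE = "example.com"                 # victim zone (constructed)
TARGET = "www.example.com"           # the record the attacker wants to poison
LEGIT_IP = "203.0.113.10"            # constructed, RFC 5737 documentation range
ATTACKER_IP = "198.51.100.66"        # constructed, RFC 5737 documentation range
TXID_SPACE = 1 << 16                 # 16-bit transaction ID; fixed source port assumed


class ToyResolver:
    """Minimal model of a pre-2008 recursive resolver.

    A response is trusted if its name and transaction ID match a query that
    is in flight (no source-port randomization).  Every record in a trusted
    response that falls inside the zone's bailiwick is cached, including
    additional records the resolver never asked about.
    """

    def __init__(self, rng):
        self.rng = rng
        self.cache = {}      # name -> (ip, absolute expiry time in seconds)
        self.pending = {}    # name -> txid of the query in flight

    def resolve(self, name, now):
        """Return the cached IP, or None after sending an upstream query."""
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0]
        self.pending[name] = self.rng.randrange(TXID_SPACE)
        return None

    def receive(self, name, txid, records, ttl, now):
        """Deliver a response; returns True if the resolver trusted it."""
        if self.pending.get(name) != txid:
            return False
        del self.pending[name]
        for rname, ip in records:
            if rname == ZONE or rname.endswith("." + ZONE):   # bailiwick check
                self.cache[rname] = (ip, now + ttl)
        return True

    def is_poisoned(self, now):
        entry = self.cache.get(TARGET)
        return bool(entry) and entry[1] > now and entry[0] == ATTACKER_IP


def spoof_burst(resolver, qname, records, guesses, now, rng):
    """Send `guesses` forged responses with distinct random TXIDs for one query."""
    for txid in rng.sample(range(TXID_SPACE), guesses):
        if resolver.receive(qname, txid, records, ttl=3600, now=now):
            return True
    return False


def naive_attack(seed, guesses=200, ttl=8 * 3600, rtt=0.05):
    """Race the real answer for TARGET itself.  A miss caches the genuine
    record, so the attacker must wait out its TTL before the next try."""
    rng = random.Random(seed)
    resolver = ToyResolver(random.Random(seed + 1))
    now, rounds = 0.0, 0
    while not resolver.is_poisoned(now):
        if resolver.resolve(TARGET, now) is not None:
            now = resolver.cache[TARGET][1]          # wait for the real record to expire
            continue
        rounds += 1
        if not spoof_burst(resolver, TARGET, [(TARGET, ATTACKER_IP)], guesses, now, rng):
            # The authoritative server's answer carries the right TXID and is cached.
            resolver.receive(TARGET, resolver.pending[TARGET], [(TARGET, LEGIT_IP)], ttl, now)
        now += rtt
    return rounds, now


def kaminsky_attack(seed, guesses=200, rtt=0.05):
    """Query a never-seen subdomain each round, so nothing in the cache can block
    a fresh race; the forged reply smuggles TARGET in as an additional record."""
    rng = random.Random(seed)
    resolver = ToyResolver(random.Random(seed + 1))
    now, rounds = 0.0, 0
    while not resolver.is_poisoned(now):
        rounds += 1
        qname = f"{rounds}.{ZONE}"
        resolver.resolve(qname, now)
        forged = [(qname, ATTACKER_IP), (TARGET, ATTACKER_IP)]
        if not spoof_burst(resolver, qname, forged, guesses, now, rng):
            # Genuine reply: the random name does not exist, nothing useful is cached.
            resolver.receive(qname, resolver.pending[qname], [], 0, now)
        now += rtt
    return rounds, now


if __name__ == "__main__":
    n_rounds, n_secs = naive_attack(seed=2021)
    k_rounds, k_secs = kaminsky_attack(seed=2021)
    print(f"naive:    {n_rounds} rounds, {n_secs / 86400:.1f} days")
    print(f"kaminsky: {k_rounds} rounds, {k_secs:.1f} seconds")
```

Both attacks draw the same random numbers, so they need the same number of guessing rounds; the only difference is that the naive attacker pays a full TTL per round while the subdomain attacker pays one round trip. Fix any of the three modelled weaknesses (randomized source port, rejecting unsolicited additional records, or DNSSEC validation) and the forged replies stop being trusted.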
University of Minnesota Banned From Linux
A story that had been brewing for a while eventually led to a total ban on kernel patches sent by anyone at the University of Minnesota. This extreme step is the result of knowingly bad patches sent for inclusion in the kernel. The original idea was to test whether the kernel would be susceptible to a bad actor sending a malicious patch disguised as a fix. A paper was written about the experiment. Its proposed mitigations are not credible, especially once they get to recommending an amendment to the project's Code of Conduct adding a promise not to submit malicious code.
The paper was published in 2020, but the ban came just over a week ago. Why? Months after the initial incident was dealt with, suspicious patches from the same university started arriving again. The explanation was that these new patches were generated by a new code analysis tool, but they seemed to introduce new bugs rather than fix anything. Greg KH decided that enough maintainer time had been wasted dealing with the patches, and announced the ban. My opinions are mixed. There is some value in testing the kernel community against this type of attack, but it also seems like the right call to bring down the hammer on repeated misbehavior.
The End of Emotet
Emotet was described by Europol as "the world's most dangerous malware". The US DOJ estimates that 1.6 million machines were part of the botnet, but thanks to a global law enforcement operation, it's no more. To get an idea of the scale of the Emotet takedown, note that the number of command and control (C2) servers that had to be taken offline numbered in the hundreds. Law enforcement neutered the botnet, but that left a problem: the malware itself was still installed and running on machines around the world.
The solution was for law enforcement to run a set of C2 servers themselves, which pushed a new module out to all the infected machines. On April 25, this uninstall module removed the auto-start hooks and shut down all Emotet processes on any infected machine. That process seems to have gone smoothly, but cleanup is still ongoing. Namely, 4.3 million email addresses harvested from infected machines were found on the seized servers. Law enforcement partnered with our old friend [Troy Hunt] of HIBP, and those emails are already part of that service's database.
Ransomware
It's been a busy few weeks for ransomware news. Apple is dealing with a $50 million ransomware demand. Acer faced a similar demand from the same group, REvil. In Apple's case, the actual breach appears to have been in systems owned by Quanta, one of Apple's suppliers. REvil is believed to be using the recent Microsoft Exchange vulnerabilities to get a foothold in target networks.
QNAP devices have also been hit hard. We've covered some of the vulnerabilities, but ransomware campaigns are actively hitting unpatched NAS devices exposed to the Internet. Qlocker is a simple attack: the attackers run a remote command that uses 7zip to create password-protected archives, and appear to have made nearly $300,000 in just one week of malicious business. A bright spot in the story came when [Jack Cable] tried to help a friend get his data back and found a flaw in the criminals' payment system. Submitting the transaction ID with one character capitalized was enough to confuse the system into handing over the decryption key. Around 50 victims got their data back through this trick before it was noticed and fixed.
The mystery of the Pentagon’s IPv4 addresses
The Washington Post started coverage of a strange, still-developing story. Millions of unused IPv4 addresses assigned to the US DoD were suddenly being routed for the first time. (Beware the paywall, though temporarily disabling JavaScript may help you read the linked story.) The story makes much of the timing, as the routes seem to have been published in the few minutes between the swearing in of a president and the actual end of the previous administration. My first response was annoyance that politics was being injected into what was probably a straightforward security story. The Post seemed to be reaching for a sensational angle. But the timing really was strange. So what's going on here?
First, some context. The world is running out of IPv4 addresses, or has already run out, depending on how you count. While they have all technically been assigned, in the early days of the Internet some very large blocks of addresses were handed out and were never fully used. A class A network contains 16 million addresses, they were handed out like candy in the early days, and the Department of Defense holds several. It's also worth noting that Congress has toyed with the idea of forcing the DoD to sell its unused IP addresses. With supply exhausted, unused IPv4 addresses can fetch a fairly high price on the open market. The last notable piece is that just because nothing actively uses an IP address doesn't mean there's no network traffic addressed to it. Worms and scanners are constantly sweeping the entire Internet, and DDoS attacks typically use UDP packets with spoofed source addresses, so the spoofed addresses receive the replies. Those probes and that backscatter can be a valuable source of real-time information about what is happening on the Internet.
There is now coverage from more knowledgeable voices, and even a cryptic response from the DoD. The growing consensus seems to be a trio of explanations for what's going on. The first is the simplest: IP squatting is known to happen, and if no one is announcing Border Gateway Protocol (BGP) routes for an IP block, it is much easier for someone else to announce and use those addresses illegitimately. By announcing the space over BGP, the DoD protects those addresses. Second, it is much easier to defend yourself against a Congress that wants to take your resources away if you can make a valid claim that you are using them. Finally, it appears that some part of the DoD is analyzing the background noise of the Internet and the backscatter that arrives at otherwise unused network space.
There is one last question: why was the project launched in the literal last minutes of the administration? Was this some dirty conspiracy? Not likely. A project of this scale takes a long time to go from idea to implementation, and probably needed sign-off at a high level of the administration. While I'm not sure why the switch was flipped as late as it was, I find it very likely that if it had been any later, much of the bureaucracy would have had to be navigated a second time, with the new administration having to sign off.
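The squatting point above is easy to check for your own address space, so here is a small audit added for this write-up (not from the original column or from any DoD tooling). It compares a registry of who is allowed to originate each allocation against observed BGP announcements, flagging announcements whose origin AS is not authorized, announcements that fall in no known allocation, and allocations nobody legitimate is announcing, which is exactly the space a squatter can claim. The prefixes (RFC 5737 and RFC 2544 ranges) and ASNs (RFC 5398 documentation range) are constructed; in practice the announcements would come from a looking glass, RouteViews or RIPE RIS, and the registry from your own records or RPKI ROAs.

```python
import ipaddress

# Constructed registry: allocated prefix -> set of origin ASNs allowed to announce it.
ALLOCATIONS = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
    "203.0.113.0/24": {64498},
}

# Constructed snapshot of what the routing table currently shows: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),        # owner announcing its own block
    ("198.51.100.128/25", 64511),   # someone else announcing half of an unannounced block
    ("198.18.0.0/15", 64500),       # no allocation in our registry at all
]


def covering_allocation(prefix, allocations):
    """Return the most specific allocation that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for alloc in allocations:
        anet = ipaddress.ip_network(alloc)
        if anet.version == net.version and net.subnet_of(anet):
            if best is None or anet.prefixlen > best.prefixlen:
                best = anet
    return str(best) if best else None


def audit_announcements(allocations, announcements):
    """Classify every announcement and list allocations the owner is not announcing.

    An allocation only counts as announced when an authorized origin covers
    (part of) it; a squatter's announcement does not protect the block.
    """
    report = {"ok": [], "squatted": [], "no_allocation": [], "unannounced_by_owner": []}
    announced_by_owner = set()
    for prefix, origin in announcements:
        alloc = covering_allocation(prefix, allocations)
        if alloc is None:
            report["no_allocation"].append((prefix, origin))
        elif origin in allocations[alloc]:
            report["ok"].append((prefix, origin))
            announced_by_owner.add(alloc)
        else:
            report["squatted"].append((prefix, origin, sorted(allocations[alloc])))
    report["unannounced_by_owner"] = sorted(a for a in allocations if a not in announced_by_owner)
    return report


if __name__ == "__main__":
    for category, entries in audit_announcements(ALLOCATIONS, ANNOUNCEMENTS).items():
        print(f"{category}:")
        for entry in entries:
            print(f"  {entry}")
```

The `unannounced_by_owner` list is the interesting output: it shows both the block that was already squatted and the block that is still idle and therefore squattable, which is the situation the DoD appears to have been closing off by announcing its space.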
Drupal Core Flaw
We cover flaws in Drupal extensions, WordPress plugins and Joomla plugins regularly. What is quite rare is a serious vulnerability in the core code of one of these projects. That doesn't mean it never happens. Case in point: Drupal has a cross-site scripting (XSS) vulnerability in its core code. XSS is usually demonstrated as a way for one user to inject JavaScript into a comment, which then executes when other users view the page. This can be as benign as a user suddenly becoming everyone's friendliest MySpace contact, or as malicious as a comment that performs actions with the administrator's privileges when the site owner goes to moderate the booby-trapped comment. There aren't many details available yet, but make sure your Drupal installations are up to date.
New Old Linux Backdoor
Finally this week, a piece of Linux malware was discovered, and then traced back to a sample dating from 2018. Called RotaJakiro, this backdoor uses a handful of techniques to avoid detection, such as rotating through encryption methods when connecting to its command and control servers. It's a bit disturbing to know it went unnoticed for so long. Fortunately, there are some simple indicators of compromise (IoCs), namely a pair of file names and four possible md5 sums for those files. I thought it would be interesting to document the process of checking a system for those files.
My first thought was a simple combination of find, to list every file on the system, and grep, to search for the file name:
sudo find / | grep systemd-daemon
We can do better by getting rid of the grep, since find has name matching built in. For bonus points we use xargs to go ahead and compute the md5sum of any matching file:
sudo find / -name "gvfsd-helper" -o -name "systemd-daemon" | xargs md5sum
There is a potential problem if a directory name contains spaces or other special characters: xargs would treat them as the boundary between arguments. Fortunately, both find and xargs have a NUL-delimited mode in which such characters are preserved. The escaped parentheses are needed so that -print0 applies to both name patterns rather than only the second:
sudo find / \( -name "gvfsd-helper" -o -name "systemd-daemon" \) -print0 | xargs -0 md5sum
I showed this one-liner around and was immediately reminded that find also has an -exec flag, which makes xargs unnecessary:
sudo find / \( -name "gvfsd-helper" -o -name "systemd-daemon" \) -exec md5sum {} \;
So this gives us a simple one-liner that computes the md5sum of any file with a suspicious name. If you get a hit, compare the hash against the published IoC values. Hopefully none of us find this nasty on our systems, but better to know.
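For a check you can drop into a scheduled job, here is the same sweep written as a Python script, added for this write-up rather than taken from the column. It uses the two file names the column mentions; the md5 values are deliberately not reproduced, so `KNOWN_BAD_MD5` is left for you to fill from the published report. The walk skips pseudo-filesystems, streams large files through the hash, tolerates unreadable paths, and has no trouble with spaces or newlines in directory names, which is the pitfall the `find | xargs` version had to work around. The `demo()` function builds a throwaway directory of constructed files so the script can be exercised without touching a real system.

```python
import hashlib
import os
import tempfile

# File names the column lists as RotaJakiro indicators.  The published md5
# values are deliberately NOT reproduced here; load them into KNOWN_BAD_MD5.
SUSPECT_NAMES = {"gvfsd-helper", "systemd-daemon"}
KNOWN_BAD_MD5 = set()

# Pseudo-filesystems that are slow to walk and cannot hold the files we want.
PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}


def md5_of_file(path, chunk=1 << 16):
    """Stream a file through md5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, names=SUSPECT_NAMES, known_bad=KNOWN_BAD_MD5):
    """Walk `root` and return (path, md5, matches_known_ioc) for every regular
    file whose name is in `names`.  Odd characters in paths need no special
    handling here, unlike the find | xargs pipeline."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for fn in filenames:
            if fn not in names:
                continue
            path = os.path.join(dirpath, fn)
            if not os.path.isfile(path):      # sockets, FIFOs, dangling symlinks
                continue
            try:
                digest = md5_of_file(path)
            except OSError:                   # unreadable without privileges, vanished, etc.
                continue
            hits.append((path, digest, digest in known_bad))
    return hits


def demo():
    """Build a throwaway tree of constructed files and sweep it; returns
    (relative path, md5, matched) tuples sorted by path."""
    payload = b"constructed stand-in for a malicious binary"
    with tempfile.TemporaryDirectory() as root:
        odd_dir = os.path.join(root, "dir with spaces")
        os.makedirs(odd_dir)
        with open(os.path.join(odd_dir, "systemd-daemon"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "gvfsd-helper"), "wb") as f:
            f.write(b"constructed benign file with a suspicious name")
        with open(os.path.join(root, "unrelated"), "wb") as f:
            f.write(b"never hashed")
        ioc = {hashlib.md5(payload).hexdigest()}   # constructed IoC, not the real one
        hits = sweep(root, SUSPECT_NAMES, ioc)
        return sorted((os.path.relpath(p, root), h, bad) for p, h, bad in hits)


if __name__ == "__main__":
    for rel, digest, bad in demo():
        print(f"{'MATCH   ' if bad else 'no match'} {digest} {rel}")
```

On a real host, load the published hashes into `KNOWN_BAD_MD5` and call `sweep("/")` as root; a name match with `matches_known_ioc` false still deserves a look, since a recompiled sample will not share the published hash.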