October started out loudly, with spies and hackers going deep into European territories causing mischief. With those kinds of events, we might forget there’s stuff happening closer to home, which are more relevant for our risk. For example, on the same day as the attempted OPCW hack, a big story broke on hardware espionage. Here’s an overview of very diverse events, impacting the InfoSec threat landscape. October will go down in history as a Big Month.
Attempted OPCW hack & deporting spies
It would be difficult to ignore the news coming out of the Netherlands in early October: four spies had been caught while trying to hack into the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Hague. As attacks from a distance are commonplace in geopolitics, sending in assassins and hackers and spies are now blatantly done out in the open. The attempted attacks we attributed to Russia linked APT28, and earlier attacks by the same group. A lot has been said about this subject, and we ourselves devoted a podcast to this (look for the September edition, S01E05). In it, we discuss a timeline and place events into context.
On the 16th of October, a critical vulnerability in libssh, a C library implementing the SSHv2 protocol, was publicly disclosed. The vulnerability, given the identifier CVE-2018-10933, affects all versions of libssh 0.6 and later and enables an attacker to bypass the authentication process over SSH. This is essentially an ”Open, Sesame”, giving you access without credentials. The bypass is done by presenting the SSH server with a message of SSH2 MSG USERAUTH SUCCESS instead of the regular message of SSH2 MSG USERAUTH REQUEST, which is given to initiate the authentication. Libssh is not very widely used, for example openssh (the popular secure shell service) doesn’t use it. That said, it’s probably a good idea to check, and the SecureLink CDC recommends that customers patch vulnerable systems immediately, as the vulnerability is so trivial to exploit.
Electronic currency theft nearing 1 billion in 2018
According to several reports, stealing cryptocurrency is on the rise. Targeting exchanges, and their customers, heists are increasing in size and frequency, with a 250% increase since 2017. There are several good reasons criminals are going after electronic currency:
- It is lower hanging fruit than traditional currency, with exchanges and trade platforms having nowhere the same experience in fraud as traditional banks.
- Not everything you steal from criminals will get reported or prosecuted. Criminals can use some of the old tricks they innovated 10 years ago. From monitoring clipboards (replacing bitcoin addresses with your own) to simple web injects.
- The money laundry process is easier.
North Korea’s APT38 group is suspected of doing a lot, if not most of these large bitcoin heists, for the purpose of government financing. Whichever way you slice it, it seems today your funds are more secure in a bank than in a bitcoin wallet. Until bitcoin exchanges grow up, that is.
Another Windows Zero Day
A new Zero-Day Exploit on Windows was disclosed (again) on Twitter in late October. The vulnerability allows low-privilege attackers to elevate their privileges on target systems by exploiting Microsoft Data Sharing (dssvc.dll). The PoC exploit code released by the researcher does, however, only allow a low-privileged user to delete critical system files that normally would only be possible to delete with admin level privilege. The vulnerability can be used for DLL hijacking in third party applications as application dll’s can be deleted and the system lured into seeking for them in user writeable locations. Due to the Data Sharing service being launched in Windows 10 and Server 2016, the vulnerability does not affect older versions of Windows, including 7 or 8.1. As the flaw was disclosed publicly on Twitter, it has left all Windows users vulnerable to hackers until next month’s security Patch Tuesday, occurring November 13th.
Alleged espionage by secretly adding chips to main boards
On the same day as the OPCW hack, October 4, another big story broke. Written by Bloomberg, it outlines how the Chinese compromised supply chain by secretly adding espionage chips to circuit boards. Super Micro, a US based hardware manufacturer was supposedly at the receiving end of these ”free extra’s”. They supply pretty much all of big tech, like Amazon and Apple, so for a second it seemed like all of big tech was compromised by Chinese threat actors.
Almost instantly, the big tech companies denied the Bloomberg claims, then people started backing the Bloomberg journalists. The events, after the initial press attention, evolved into a US senate FBI briefing.
These reports have now played down the original news, but an uneasy feeling lingers: Bloomberg is supposed to be a respected news source, Chinese espionage activity is on the increase according to many organizations with visibility on the issue, and a big chunk of hardware you and I use on a daily basis originates from China. Supply chain attacks are hot, although this news can be classified as being a bit hysterical.
Emma Blid, CDC analyst
Eward Driehuis, CRO