Vulnerabilities, threats and cyber-attacks on industrial systems

Diego Samuel Espitia    24 May, 2022

We have been monitoring security in industrial environments for some years and have seen how these infrastructures have become a target for cybercriminal groups.

Our innovation area has developed a system for capturing threats in industrial environments which allows us to carry out a detailed analysis of the attack techniques and tactics used in this area.

Threat detection in industrial systems

With this honeypotting tool called Aristeo, we have seen exponential growth in attacks, reaching figures of around 7 million detections in 24 hours and 35 million in 7 days.

The data from these samples allows us to show that the IT components of OT infrastructures are the main attack vector. In our tool they are called Engineering Bay and HMI, systems that are usually supported by common operating systems and protocols in IT networks.

Screenshot: Telefónica Tech’s cybersecurity tool Aristeo

These detected attacks can mostly be mapped to the techniques that make up the initial access tactics framed in the ATT&CK matrix for ICS, which was updated on 21 April.

Additionally, these detections often turn into ransomware attacks, as indicated by Nozomi Networks in its 2H2021 security report.

Timeline of notable ransomware and supply chain attacks in 2021 second half. Source: Nozomi Networks

The biggest concern about this increase is the physical repercussions that these attacks can generate, which have increased in the last two years.

Cases such as the JBS Foods ransomware attack, which caused meat shortages in several countries around the world, added up to 10 impact cases in 2020, surpassed 20 in 2021, and are projected to reach 50 in 2022, according to Waterfall and ICS STRIVE’s OT incident report.

Improvements for threat detection in industrial systems

This trend has led to more in-depth and detailed research into potential vulnerabilities in industrial systems equipment, with 651 reports on 47 manufacturers and 144 products by the second half of 2021 alone.

Companies in the industrial sector have improved their own threat detection and testing systems. The best example of this is Siemens, which created a CERT and reports once a month all vulnerabilities or updates of vulnerabilities in its products (a process similar to Microsoft’s). By May 2022, they reported 27 alerts, of which 12 were reports of new detections.

This initiative has been followed by other companies in the sector, such as Schneider Electric, which, like Siemens, opted for the strategy of monthly reporting of threat detections revealed by its research teams or by external researchers. In this case, for the month of May they reported 6 alerts.

Cybersecurity, a critical need for industry

These changes in industrial environments undoubtedly make cybersecurity a burning need. As we have said on previous occasions, they require a change in the approach of the operations teams and an integration of these networks into the security governance of the entities or companies.

One of the common points in specialised OT cybersecurity analyses is the lack of visibility of events within operations networks, which means that incidents cannot be detected in their early stages.

The reason is that you can’t protect what you can’t see, and industry studies have confirmed that less than 62% of companies have complete visibility of network events.

In terms of personnel, it is critical that operations environments start with cybersecurity training processes on an ongoing basis, just as they are constantly trained in occupational safety, operational risk and occupational health processes. It is essential that operators understand the importance and procedures they must comply with to safeguard information.

Cyber Security Weekly Briefing, 13–20 May

Telefónica Tech    20 May, 2022

VMware fixes critical vulnerabilities in several of its products

VMware has issued a security advisory to fix a critical authentication bypass vulnerability affecting several of its products. Identified as CVE-2022-22972 (CVSSv3 9.8), the flaw affects local domain users and would allow an attacker with network access to the user interface to gain administrator access without authentication.

VMware has also released patches for a second serious local privilege escalation vulnerability (CVE-2022-22973, CVSSv3 7.8) that could allow a threat actor to elevate their permissions to ‘root’. Both bugs affect VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The publication of these flaws has also prompted entities such as CISA to issue emergency advisories to multiple federal agencies this week, urging them to immediately upgrade or remove VMware products from their networks before next Monday, due to an increased risk of attacks.

For its part, VMware has provided patch download links and installation instructions on its knowledge base website, as well as workarounds in case an immediate upgrade is not possible.

More info: https://www.vmware.com/security/advisories/VMSA-2022-0014.html

* * *

New campaign against SQL servers

Microsoft’s Security Intelligence team has shared on its Twitter profile a new campaign they have recently discovered, which is reportedly targeting SQL servers and is known to use the LOLBin sqlps.exe. Brute-force attacks have been observed to be used for initial access to the SQL server.

In addition, they describe that once the server is compromised, the threat actor uses sqlps.exe, a Windows tool used to run PowerShell commands against SQL instances, to achieve persistence by executing reconnaissance commands and changing the server’s start-up mode to LocalSystem.

Attackers also use sqlps.exe to take control of the server by creating a new account with administrator permissions, allowing them to inject payloads into the system.

More info: https://twitter.com/MsftSecIntel/status/1526680337216114693

* * *

Increased activity of XorDDoS malware

Microsoft researchers have published an analysis of the so-called XorDDoS trojan targeting Linux systems, in which they claim to have detected an increase in activity over the last six months. XorDDoS, active since at least 2014, owes its name to the XOR encryption used for its communications with the Command & Control server, as well as to its most characteristic type of attack, namely distributed denial of service (DDoS).

To this end, XorDDoS usually focuses its activity on compromising Internet of Things (IoT) devices to build the botnet it uses for DDoS attacks. Microsoft’s analysis details that devices infected with XorDDoS are later compromised with the Tsunami backdoor, which in turn deploys the XMRig cryptominer.

Among the TTPs employed by XorDDoS, the use of brute force against accessible SSH services stands out as the main entry vector to obtain root permissions on the compromised machine. It also has modules designed to evade security systems, hiding its activity, which makes it harder to detect. Microsoft provides recommendations to try to fight this threat.

More info: https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

* * *

CISA exposes commonly used entry vectors

CISA, together with authorities in the United States, Canada, New Zealand, the Netherlands and the United Kingdom, has issued a warning about the weak security controls and practices that are commonly abused for initial access during compromises.

They note that cybercriminals often exploit poor security configurations (misconfigured or unprotected), weak controls and other bad practices as part of their tactics to compromise systems. Some of the most commonly used Tactics, Techniques and Procedures (TTPs) are: exploiting a publicly exposed application [T1190], external remote services [T1133], phishing [T1566], exploiting a trust relationship [T1199] or exploiting valid accounts [T1078].

In order to avoid these techniques, the advisory summarizes a series of recommended practices to protect systems from these possible attacks, highlighting access control, credential reinforcement, establishing centralized log management, the use of antivirus, detection tools, operating exposed services with secure configurations, as well as keeping software up to date.

More info: https://www.cisa.gov/uscert/ncas/alerts/aa22-137a

AI of Things (V): Recommendation and optimisation of advertising content on smart displays

Víctor Vallejo Carballo    17 May, 2022

Digitalisation or, to put it another way, the movement to transform analogue processes and physical objects into digital ones, is advancing at a constant pace, encompassing practically all aspects of our daily lives.

One of the sectors where it is having the greatest impact, despite the existence of some currents that predicted its decline due to the rise of the Internet and digital marketing, is none other than outdoor advertising –OOH, an acronym for Out Of Home– which in this way becomes one more mechanism in the process of urban conversion from the traditional city to the Smart cities of the future.

Mupis, or Urban Furniture as an Information Point, are undoubtedly the star device supporting this digitalisation process and the success of digital marketing and advertising campaigns at street level. Traditionally, they have been one of the tools used for signage and outdoor advertising in cities, placed in locations with high visibility, both outdoors and indoors, to maximise the number of impacts of a campaign.

Advantages of digital outdoor advertising

The digitalisation of these assets brings with it a series of advantages, such as the elimination of printing and travel costs to change the signage, but above all the adaptation of the commercial message in different locations and time slots or daily.

This improves the capture of the attention of the target audience in each area, thanks to specific animated communications and creating interactive campaigns that measure the effectiveness of the campaign in real time through the sentiment generated and conversion rates. And all of this at a contained cost by being able to plan exposure periods instead of having static signage for weeks or months as has been the case up to now.

Billboard in a building
Photo: Finn / Unsplash

At the same time, the falling cost of producing LCD devices has only pushed towards the complete transformation of these assets, which, together with the integration of more technology in the terminals (WiFi, Bluetooth, augmented reality, communication with social networks, etc.), allows a richer experience to be offered, favouring the alignment between different channels of communication with the customer and, therefore, improving conversion rates or reaching your target audience more effectively.

Smart displays open up new possibilities and locations

This reduction in costs is also opening up the possibility of finding new locations for adapted digital Mupis, such as petrol stations while refuelling, electric charging areas and so on. These new locations can mean an improvement in revenue for the businesses hosting the Mupis, but above all they allow them to connect better with users at times when their attention span will be greater because there is almost no competition from other stimuli (you do not look at your mobile while refuelling, etc.).

Thus, one of the main keys to successful communication and subsequent conversion is to correctly identify the target audience to be addressed and to know their general mobility patterns with the greatest possible granularity: daily and weekly mobility, time slots, most frequented locations and the most likely routes to reach them, recurrence of visits, average dwell time and a long etcetera. This knowledge will allow us to modulate and articulate the projected message in an unprecedented way.

Smart screen billboard
Photo: Yuksel Goz / Unsplash

By identifying areas where clusters of individuals from your target audience are concentrated or recurrently pass through, you will be able to communicate with them more efficiently; moreover, the adaptability of the message will allow, for example, the message on a rainy Monday to be very different from that of a sunny Friday afternoon, or to have different messages depending on the location of the Mupi where they are projected.

Big Data to adapt content on smart screens

Why not? We are all aware that, to a greater or lesser extent, the weather, the day of the week, the time of day and other exogenous factors modify our perception of reality and, therefore, our sensitivity and capacity to react to stimuli.

As we said before, we are not as motivated, happy or sensitive on a sunny day as we are on a grey and rainy one, or at 8 a.m. on a Tuesday morning waiting for the bus as we are on our way to our favourite activity on a Sunday at noon.

You really only need to have different communications prepared so that when the right conditions are met, those that bring together clusters of target audiences with sites or locations, weather, calendar and the stimuli to which they react best, the content is displayed per screen or set of screens spread over a given geographical area.

The digitalisation of Mupis turns them into programmed platforms, where the purchase of the space and the delivery of the message occurs in real time

What seems like science fiction is already a reality thanks to Big Data and some of the mobility solutions, such as Smart Steps, since working with multiple sources and large volumes of anonymised and aggregated data allows us to profile and discover insights that previously went unnoticed, or to detect improvements for situations or actions that we took for granted and unchangeable.

This ability to profile the audience and its subsequent communication through smart Mupis is also available to public administrations, which can carry out public awareness campaigns in different areas such as ecology, sustainability, civic awareness, etc., so that when the optimal conditions are met, these campaigns can be executed, such as this one in Australia to promote healthy eating habits to tackle the obesity epidemic among its citizens.

The benefits of technologies such as smart displays and Big Data for the outdoor advertising industry.
Photo: John Cameron / Unsplash

If you want to reach more people, or rather if you want to reach the people you really need to reach, profiling consumers not only by their consumption habits but also by their general mobility criteria is key to attracting, converting and/or retaining customers at a contained cost in a world that interconnects the physical and digital planes in more and more facets of daily life.

If you want to know more applications of the fusion of the Internet of Things and Artificial Intelligence, known to us as AIoThings, you can read other articles in the series:

Cyber Security Weekly Briefing, 7–13 May

Telefónica Tech    13 May, 2022

Vulnerability in BIG-IP exploited to erase data

On May 4th, F5 fixed, among others, a vulnerability affecting BIG-IP devices (CVE-2022-1388, CVSSv3 9.8), which could allow an unauthenticated attacker with network access to the BIG-IP system, via self IP addresses or the management port, to execute arbitrary commands, delete or create files, or disable services.

The severity of the flaw at the time raised the need for patching, and multiple security researchers warned of the possibility that proofs of concept could be released without delay.

Only a few days later, security firms like Horizon3 or Positive Technologies, and some security researchers confirmed the development of functional exploits for the flaw.

Since then, massive exploitation has been reported, mainly to download webshells that allow initial access to networks, to steal SSH keys, and to enumerate system information. On the other hand, researchers at the SANS Internet Storm Center have warned of the detection in their honeypots of several attacks that execute the rm -rf /* command on BIG-IP devices.

This command is focused on deleting all files, including the configuration files that allow the device to function properly, as the exploit gives the attacker root privileges on the devices’ Linux operating system.

This type of attack has also been confirmed by security researcher Kevin Beaumont, who warns about the disappearance of multiple Shodan entries for this type of device.

More info: https://www.bleepingcomputer.com/news/security/critical-f5-big-ip-vulnerability-exploited-to-wipe-devices/

* * *

Microsoft fixes three 0-day vulnerabilities

Microsoft has published its monthly security bulletin for the month of May, in which it has fixed a total of 75 flaws, including 3 0-day vulnerabilities (one of them actively exploited) and 8 critical vulnerabilities that could allow remote code execution or privilege escalation on the vulnerable system.

The actively exploited 0-day, tracked as CVE-2022-26925, is a spoofing vulnerability in Windows LSA, which could be exploited by an unauthenticated attacker by calling a method on the LSARPC interface and forcing the domain controller to authenticate via the Windows NT LAN Manager (NTLM) security protocol.

According to its discoverer, security researcher Raphael John, this flaw is being exploited and appears to be a new attack vector for PetitPotam, an NTLM relay attack discovered in July 2021.

The other two 0-day flaws correspond to a denial-of-service vulnerability in Windows Hyper-V (CVE-2022-22713) and a flaw in the Magnitude Simba Amazon Redshift ODBC driver (CVE-2022-29972, also known as SynLapse). Microsoft recommends applying the security updates as soon as possible.

More info: https://msrc.microsoft.com/update-guide/releaseNote/2022-May

* * *

CNPIC warns of a possible cyber-attack on critical infrastructures

Spain’s National Centre for the Protection of Critical Infrastructure and Cybersecurity (CNPIC) has sent a security warning to companies considered to be critical infrastructures in the country.

In this way they have been alerted to the risk of a possible cyber-attack on companies in critical sectors such as energy, communications and finance, among others.

This alert implies that companies should take extreme precautions and strengthen the protection mechanisms within their IT infrastructure in order to be able to deal with a possible cyber-attack in a preventive manner, and to avoid a disruption that could affect the operation of their services.

The specific type of threat that could cause the possible cyber-attack, as well as the attribution, is not known at this stage, although the aim seems to indicate the disruption of strategic services.

More info: https://www.lainformacion.com/empresas/alerta-maxima-en-las-infraestructuras-espanolas-por-riesgo-de-ciberataques/2866557/

* * *

Database with nearly 21 million VPN users exposed

Researchers at vpnMentor have reported a leak on Telegram of a Cassandra database containing 21 million unique records of VPN service users. The file, initially traded on the dark web in 2021, was reportedly shared for free via the messaging app as of 7 May.

A total of 10GB of information includes user data from free VPN services known as GeckoVPN, SuperVPN and ChatVPN. The exposed data reportedly includes usernames, emails, personal names, countries, billing details, randomly generated password strings, and account validity period.

The researchers who analysed the database emphasised two things:

  • that 99.5 per cent of the accounts were Gmail addresses, indicating that it is possible that this database is only a fragment of the compromised data;
  • and that the passwords were hashed, salted or randomly generated, suggesting that each one is different, making the task of cracking them more complicated.

More info: https://www.vpnmentor.com/blog/vpns-leaked-on-telegram/

* * *

New Nerbian RAT distribution campaign

Researchers at Proofpoint have detailed a malware distribution campaign they have named Nerbian RAT (Remote Access Trojan), after a reference to the fictional location (Nerbia) in the novel Don Quixote in one of the malware’s functions.

It is a new RAT that uses multiple libraries written in Go, a programming language widely used for malware development, and includes multiple components aimed at evading detection.

In the campaign observed, the World Health Organization (WHO) is being impersonated in malspam mails containing alleged information related to COVID-19.

These mails include an attached Word document whose enabling of macros will trigger the download of a .bat file that is responsible for executing a PowerShell command to connect to the “Command & Control”.

As a result, the executable that acts as a dropper for Nerbian RAT will finally be downloaded. The campaign has reportedly been active since 26 April and is said to have been directed primarily against entities in Italy, Spain and the UK.

More info: https://www.proofpoint.com/us/blog/threat-insight/nerbian-rat-using-covid-19-themes-features-sophisticated-evasion-techniques

The new end of passwords

David García    11 May, 2022

Legend has it that it wasn’t long after someone invented doors that locks were created. In ancient Egypt, an ingenious primitive mechanism was already in use that allowed a hook to be inserted through a hole as a key to move the wedges that acted as cylinders on a pin. These ingenious devices were perfected until they became the modern locks that we have in front of us today to curb the excesses of curiosity or empathy for other people’s belongings.

Moving away from the physical plane, in the digital world, locks are forms with two little boxes and a button, and keys are strings of characters. In the early days, when modern internet users could fit into a couple of first division football stadiums, those “keys” were as simple as counting to five, i.e., “12345”. Of course, it was just the seed for a well-known disaster.

We don’t know how to create strong passwords

And we can’t memorise them either. Let’s add to this mix the unhealthy ability we have to reuse passwords on dozens of sites where we open accounts. But isn’t it easy to carry a simple master key to open all our doors? Of course, it is, and that’s what the (now digitalised) thieves love to do every time they get your pet’s name or the date of your birthday. One password, thousands of websites. A bargain.

Second authentication factor, secure key generation algorithm, CAPTCHA systems to detect bots, password managers in the cloud… patches and patches and patches and patches on top of these to mend an exhausted system, concluded, obsolete, called to extinction, vilified and outdated… but, mind you, universal, ubiquitous, unanimous and anointed for being unique and unrivalled. What other alternatives do we have?

As on the physical plane, locks do not have many competitors, although they change shape (and there are even those with facial recognition), in the end it is the same thing: a shutter that moves, leaving the way open to the supposed bearers of the right to access and enjoy the contents of that which they guard.

However, doors and locks are not driven by research and initiatives to the same degree as the digital world in which we move on a daily basis (and at ungodly hours too). The progressive abandonment of the headache of passwords was therefore a problem that needed to be addressed, and the solution was to put an agreement on the table to standardise “something” that would allow us, once and for all, to discard a mechanism more typical of the previous century than of this interesting and busy one.

Transparent passwords

At last, half of GAFAM and the FIDO Alliance in conjunction have signed a principle to push for a common mechanism to free our memory (the grey one, not the silicon one) from the tediousness of remembering or managing passwords. Could we be living in the historical moment where the last human being enters a password to access his or her binary piggy banks? Probably not yet. It’s a long way off, but as we said at the beginning, it’s a start. A first step already taken to walk a long road that is not going to be exactly flat.

OK, but how exactly are we going to stop using passwords? What would be used instead? Well, strangely enough, we are not going to stop using them in a certain way or, rather, form. You simply won’t use passwords, it will be a transparent action for you.

It takes advantage of a number of items that are already widespread among the public: diversity of devices federated into a personal or distinguishable identity and the ability of these devices to offer biometric sensor features.

Case studies

All with a front camera and two of them with fingerprint reading capability. They don’t have to be from the same manufacturer, but surely, in most cases, the same person has the same identity under one, two or even three providers. Do you access the mobile terminal? You can do it with your fingerprint or with facial recognition.  Even laptops allow access with fingerprint (Apple’s Touch ID) or facial recognition (Microsoft’s Windows Hello).

Now picture that all these manufacturers (who are also, let’s not forget, identity providers) agree and allow a single identity to be used for all devices. You open your account once and that same identity is used on all your other systems. Sounds good, doesn’t it?

What if you now make it possible for a third party, on a website, to use that same system? Easy: you present the identity saved on your device and, on that or another device (from laptop to mobile and vice versa), it asks you for your fingerprint or face. No password travels over the network, no password or hash is stored on the website, and there is nothing an attacker can use to guess your password because it simply doesn’t exist. There’s no point in snooping through your social networks to guess your birthday or a pet’s name.
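The exchange described above, as an added example that is not part of the original post or of any FIDO Alliance code: the website (relying party) stores only a public key, issues a fresh random challenge for each login, and the device signs that challenge with a private key that never leaves it, after a (simulated) biometric unlock. The origin is mixed into the signed message so that a response produced for a look-alike site fails at the real one, which goes slightly beyond the text; the names, the `https://bank.example` origin and the toy in-memory storage are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RelyingParty is the website. It keeps one public key per user and the
// challenge currently outstanding for that user. No password, no hash.
type RelyingParty struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		origin:     origin,
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Authenticator is the user's device. The private key stays here and is only
// usable after a biometric unlock (fingerprint or face), simulated by a flag.
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader) // key pair generated on the device
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }
func (a *Authenticator) Unlock()                       { a.unlocked = true } // biometric check passed (simulated)

// Register stores the device's public key for the user; that is all the site ever holds.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// BeginLogin issues a fresh random challenge so a captured response cannot be replayed.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedMessage binds the challenge to the origin the browser is actually talking to.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Respond signs the challenge for the given origin, but only after user verification.
func (a *Authenticator) Respond(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification required")
	}
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), nil
}

// FinishLogin verifies the signature with the stored public key. The challenge is
// consumed whether or not verification succeeds, so each one is single-use.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	pub, okKey := rp.pubKeys[user]
	c, okCh := rp.challenges[user]
	if !okKey || !okCh {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, signedMessage(rp.origin, c), sig)
}

func main() {
	rp := NewRelyingParty("https://bank.example")
	dev, _ := NewAuthenticator()
	rp.Register("alice", dev.PublicKey())

	ch, _ := rp.BeginLogin("alice")
	dev.Unlock()
	sig, _ := dev.Respond("https://bank.example", ch)
	fmt.Println("login:", rp.FinishLogin("alice", sig))  // true
	fmt.Println("replay:", rp.FinishLogin("alice", sig)) // false: challenge already consumed
}
```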

Some of the challenges

Of course, in all these advantages, there are some points that need to be elaborated in order to be fair. The first and most important of all is privacy. That quality that no one misses until it is too late to repent and remedy. Once you hand over control of your bunch of digital keys to a third party they will know at all times where, when and with which device you are visiting which site.

The second, less likely but not impossible, is that an integrity failure in the identity provider can be catastrophic. Very catastrophic. Security is better (albeit more complex) when the weights (the risk) are distributed and it has never been a principle of this science to place the weight of a whole virtual life on a single point.

Let’s also talk about the third point: availability. What if you need to make an urgent transfer and your provider’s servers have a meltdown at that moment and do not recover until many moments later?

Bonus, fourth point: What if you wake up one morning and suddenly a machine learning-based automated system randomly decides that your account is fraudulent and deletes it? Where is the customer service desk? Hello, is anyone there? Hello? Can anyone hear me? My name is K, and I can’t access my money?

We can only celebrate the beginning of the farewell to passwords, even if there is still a long way to go, but we must also be critical of those who claim to be guarding what is ours, and we must place our bets with caution. We will see what the arrival of these new capabilities has in store for us and, above all, what alternatives are available for those who do not want this convenience or find it an inconvenience.

Dark Markets in the internet age

Marta Mª Padilla Foubelo    9 May, 2022

What are Dark Markets or Black Markets? This concept has been in the news for a long time as a consequence of clandestine sales. The markets for drugs and pharmaceuticals or firearms, for example.

As well as the illegal sale of animals, credit cards, child pornography, documentation, permits, licences, counterfeit money, the contracting of cosmetic operations, the hiring of hitmen, and a long etcetera. Almost anything you can think of will be on the black markets.

In the age of digitalisation, and this has been going on for a few years now, everything is modernised, even the black market. Whereas in the past it was necessary to know someone, that someone knew someone else who had a contact in a gang operating on the black market, the old-fashioned word of mouth, now it is no longer necessary.

All you need now is a computer, an internet connection and, in the worst-case scenario, a friend who works in IT and can explain how to connect to the black market network. Although, excuse the joke, our grandchildren, children, nephews and nieces are going to know almost more than any of our friends. But the point is: a computer, an internet connection and someone to help you, and you are free to search, pay and get what you really want.

What are Deep Web and Dark Web?

To give value to the part in which our IT expert friend is involved and to make it easier to understand how it works, we would like to explain this process in a very summarised way. It is true that it is not as easy as it seems to access some of the black markets, because yes, there are many places, many gangs and a lot of demand, hence the large supply.

In order to minimally understand how to gain access and which is the part where the “computer-savvy friend” will help you, you need to know in which part of the internet these black markets are to be found. That part is known as the Deep Web and Dark Web.

Although the terms Deep Web and Dark Web have a “bad reputation”, not everything on them is bad or illegal

For the sake of clarification, the term Deep Web was originally introduced in 2001 by Michael K. Bergman. The term Dark Web, on the other hand, has no clear origin; it can only be said that the first recorded uses of the term date back to 2009.

Both have the “bad reputation” of being sites where only illegal acts can be committed. What if we told you that absolutely all of us, even my mother, use the Deep Web on a daily basis?

The following is an approximation of what one can find in the three different parts of the web:

  • Surface web: These pages are the ones that are indexed in the main internet search engines. All the pages that appear after a simple search on Google, Bing, Yahoo, etc. all comprise part of the Surface web. These pages can be accessed from any conventional browser such as Google Chrome, Firefox, Opera, Safari, etc.
  • Deep Web: These are the pages that are not indexed in the main search engines. For example, our private area in the bank, on Amazon, in our favourite clothes shop, our email inbox, even messaging services such as WhatsApp.
    That is the Deep Web. It is true that there are other services and Markets that are not indexed in the main search engines, and that would be part of the Deep Web, that carry out illicit activities. As you can see, not everything on the Deep Web is bad or illegal. These pages can also be accessed from any conventional browser.
  • Dark Web: These pages are also not indexed in the major search engines. However, they are often, but not always, associated with illicit activities. Similarly, I myself could set up a Dark Web forum and provide access only to the people I consider appropriate.
    Only people I share my URL with would be able to access it, and the forum could only deal with horoscope topics, for example. And it would not be associated with any illegal activity.
    It is true that nobody wants to be “invisible” and not take advantage of it. For example, a rather hot topic is the fact that the Islamic State of Iraq and Syria (ISIS) uses the Dark Web to communicate internally. This tracking is made almost impossible because they are so protected by the protocols used in this type of navigation.

How to access Dark Markets

As already mentioned, the Dark Web pages will only be accessible through protocols or services that anonymise their users, such as Tor (The Onion Router), Freenet, I2P, Zeronet and many others. Tor is mentioned here because it is the most widely used and known by most people.

This type of browser offers layers of security in order to avoid, or make as difficult as possible, being identified while browsing (think of the cap and sunglasses a celebrity wears to walk through the centre of a big city), and the pages, instead of ending in “.com”, “.es”, “.org”, etc., end in “.onion”.

Once you have access to these browsers, you need to know which Market page you want to connect to. Sometimes these pages can be found via search engines such as DuckDuckGo, or even Google’s own search engine, where you can find articles sharing the latest addresses of the main Dark Web markets.

On other occasions, however, the page has to be obtained through contacts, and here we are back to word of mouth, but via Telegram, Discord or any other messaging platform. Once you have obtained that specific URL, all you have to do is enter it in your browser and, as mentioned before, search that specific market for what you are interested in.

Police surveillance of illegal Dark Markets

These markets, and here we come to the central concept of the article, offer everything. While it is true that some specialise in drugs, others in weapons, others in documents, etc., there will always be at least one Market that can satisfy the needs of those who are looking. It should be noted that this practice is just as illegal and punishable as when it is carried out the old-fashioned way.

It should be noted that police work becomes very complicated in this respect as it is very difficult and sometimes impossible to attribute a criminal act within this type of surfing. So, just as in the past there were police officers infiltrating the gangs to be able to identify all the details of illegal activities, the same thing is happening now, but in the gangs operating in the markets of this part of the web.


Likewise, part of the police work focused on the Dark Web consists of setting traps for people who want to consume certain types of content, because access alone constitutes a crime, the clearest example being child pornography.

This is done with honeypots. A honeypot is a lure placed, in this case, on the Internet, to attract the attention of people who consult certain types of information so that they can be identified. The Dark Web is full of honeypots set up to track illegal activities.

One of the most active markets in recent months has been confirmed not to specialise in the sale of a particular illegal commodity, but to be a general marketplace providing many services, as can be seen from the navigation panel on the left-hand side of the website. What can be said is that the majority of the offer is focused on the sale of drugs.

Screenshot: one of the most active markets in recent months.

The same applies to another of the markets with the largest offer in recent months.  This market was at the centre of the biggest cyber-raid in the history of the Dark Web market when the site’s administrator was arrested. However, it has risen from the ashes like a phoenix and is once again one of the most popular markets.

Screenshot: one of the markets with the largest offer in recent months.

As shown, it offers more of the same as above. Above all, it would focus on the sale of drugs.

Going even deeper into the black markets of the Dark Web, we find another one that is off to a strong start. In this case, we can already see offers for weapons, the sale of stolen goods, and even a section listed as “organs for transplants”.

Just as these Markets have been found, many more could be found. However, it is better to stop at this point, as I think we have gained a sufficient idea of what is happening here.

Why should cybersecurity experts monitor the Dark Web?

I currently work in one of the teams dedicated to cybersecurity at Telefónica Tech. We regularly visit these types of websites, mainly to analyse the buying and selling of access to services, as well as sales of privileged information and vulnerabilities associated with our clients’ exposed assets.

We may find, for instance, sales of usernames and passwords for VPN services, access to remote desktops exposed to the Internet, and even sales of exploits, i.e. software that would exploit vulnerabilities in the exposed services and could allow, for instance, remote code execution on the victim company’s systems. Any type of sale that could result in an intrusion into our clients’ systems is covered by this type of search.
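A defender-side illustration of the kind of search described above, added here as an example (it is not Telefónica Tech’s tooling): it scans marketplace-style listings for mentions of assets on a client watchlist and tags the type of offer (credentials, remote access, exploit). All listings, the client name, the domains and the IP address are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample listings (invented titles, bodies, domains and addresses).
SAMPLE_LISTINGS = [
    {"id": "L-001", "title": "VPN creds corp",
     "body": "user/pass for vpn.example-client.com, works 100%"},
    {"id": "L-002", "title": "RDP access",
     "body": "rdp 203.0.113.25:3389 admin access, small company"},
    {"id": "L-003", "title": "0day RCE",
     "body": "remote code execution exploit for portal.example-client.com web app"},
    {"id": "L-004", "title": "Gift cards",
     "body": "cheap cards, no relation to anything"},
]

# Assets a hypothetical client asked us to watch (constructed values).
WATCHLIST = {
    "example-client.com": "ACME Corp",
    "203.0.113.25": "ACME Corp",
}

# Keywords used to tag what kind of offer a listing is.
CATEGORY_KEYWORDS = {
    "credentials": ("user/pass", "creds", "credentials", "login"),
    "remote-access": ("vpn", "rdp", "remote desktop"),
    "exploit": ("exploit", "rce", "remote code execution", "0day"),
}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Match:
    listing_id: str
    client: str
    asset: str
    categories: tuple


def extract_indicators(text):
    """Pull hostnames and IPv4 addresses out of free text."""
    found = {m.lower() for m in DOMAIN_RE.findall(text)}
    found |= set(IPV4_RE.findall(text))
    return found


def watchlist_hit(indicator):
    """IPs must match exactly; hostnames match the watched domain or a subdomain of it."""
    for asset, client in WATCHLIST.items():
        if indicator == asset or indicator.endswith("." + asset):
            return asset, client
    return None


def classify(text):
    t = text.lower()
    return tuple(cat for cat, kws in CATEGORY_KEYWORDS.items()
                 if any(k in t for k in kws))


def scan_listings(listings):
    """Return one Match per (listing, watched asset) pair found in the listings."""
    matches = []
    for item in listings:
        text = f"{item['title']} {item['body']}"
        for indicator in sorted(extract_indicators(text)):
            hit = watchlist_hit(indicator)
            if hit:
                asset, client = hit
                matches.append(Match(item["id"], client, asset, classify(text)))
    return matches


if __name__ == "__main__":
    for m in scan_listings(SAMPLE_LISTINGS):
        print(f"{m.listing_id}: {m.client} asset {m.asset} offered as {m.categories}")
```

The subdomain check matters in practice: a listing will usually name `vpn.` or `portal.` hosts rather than the bare registered domain, and a plain substring match would also fire on unrelated names that merely contain the client’s domain as a suffix without a dot boundary.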

There is only some obvious advice left to give here.

  • If you need any drugs, the best thing to do is to go to your doctor and have him prescribe them.
  • If you want to obtain a licence, study or make the necessary arrangements, you should always use the legal route.
  • If you want to have an aesthetic operation, we refer to beauty and the beast, beauty is on the inside!
  • In case you want to kill someone, the best idea is to count to 10 and approach the “issue” in a less dangerous way.

Generally speaking, the items found on these sites are illegal or, at best, unethical to use. If they were legal merchandise, they could be purchased from legitimate portals. We should think very carefully before engaging in any activity in this type of environment.

Before finishing this post, we must remember that purchases on these types of portals are always outside the applicable tax system and that —in almost all cases— the items or services to be purchased will be illegal at an international level, with the purchase process itself (or subsequent attempted use) being a criminal offence in the relevant jurisdiction.

Cyber Security Weekly Briefing, 24 April – 6 May

Telefónica Tech    6 May, 2022

TLStorm 2 – Vulnerabilities in Aruba and Avaya switches

Researchers at Armis have discovered five vulnerabilities in the implementation of TLS communications in multiple models of Aruba and Avaya switches.

The vulnerabilities are caused by a design flaw similar to the TLStorm vulnerabilities, also discovered by Armis earlier this year, which could allow a malicious actor to remotely execute code on the devices, affecting potentially millions of network infrastructure devices at the enterprise level.

The root cause is that code used by the vendors does not comply with the NanoSSL library’s guidelines. In Aruba’s case this can lead to data overflows, tracked as CVE-2022-23677 and CVE-2022-23676, with CVSS scores of 9.0 and 9.1 respectively.

In Avaya’s case, the library implementation has three flaws: a TLS reassembly overflow (CVE-2022-29860, CVSS 9.8), an HTTP header parsing overflow (CVE-2022-29861, CVSS 9.8) and an HTTP POST request handling overflow with no assigned CVE.

In addition, successful exploitation of the vulnerabilities could lead to everything from information leakage and complete device takeover to lateral movement and bypassing of network segmentation defences. Armis stresses that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation can no longer be considered a sufficient security measure on its own.
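The reassembly and header-parsing overflows above belong to one bug class: a receiver copies a length that the peer declared into a buffer sized for something smaller. The following is an added example, not NanoSSL code nor either vendor’s firmware, of the defensive pattern that prevents it for the TLS record layer: the declared record length is validated against the protocol’s maximum as soon as the 5-byte header is available, and fragmented records are only assembled within that bound. The record contents are constructed for the demo.

```python
import struct

TLS_HEADER_LEN = 5
# TLS plaintext fragments are at most 2^14 bytes (RFC 8446, section 5.1); a
# receiver that enforces this bound never needs a larger reassembly buffer.
MAX_FRAGMENT_LEN = 2 ** 14
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


class RecordLayerError(ValueError):
    """Raised when a record header is malformed or violates the length bound."""


def build_record(ctype, body, version=0x0303):
    """Serialise a TLS record: content type, version, length, body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


class BoundedRecordReassembler:
    """Accumulates bytes from a stream and collects complete TLS records,
    refusing any record whose declared length exceeds the fixed bound."""

    def __init__(self, max_fragment=MAX_FRAGMENT_LEN):
        self.max_fragment = max_fragment
        self.buf = bytearray()
        self.records = []

    def feed(self, chunk):
        """Consume a chunk of stream data; return the number of complete records so far."""
        self.buf += chunk
        while len(self.buf) >= TLS_HEADER_LEN:
            ctype, version, length = struct.unpack("!BHH", self.buf[:TLS_HEADER_LEN])
            if ctype not in CONTENT_TYPES:
                raise RecordLayerError(f"unknown content type {ctype}")
            # The bound is checked as soon as the header is complete, before any
            # body bytes are assembled into a record.
            if length > self.max_fragment:
                raise RecordLayerError(
                    f"declared length {length} exceeds {self.max_fragment}")
            if len(self.buf) < TLS_HEADER_LEN + length:
                break  # fragment not complete yet; wait for more data
            body = bytes(self.buf[TLS_HEADER_LEN:TLS_HEADER_LEN + length])
            del self.buf[:TLS_HEADER_LEN + length]
            self.records.append((CONTENT_TYPES[ctype], version, body))
        return len(self.records)


def demo_bounded_reassembly():
    """A handshake record split across two segments is reassembled; a header
    claiming 60000 bytes is refused. Returns True when both behave as expected."""
    r = BoundedRecordReassembler()
    rec = build_record(22, b"\x01" * 100)      # constructed 100-byte handshake record
    r.feed(rec[:40])
    r.feed(rec[40:])
    try:
        r.feed(struct.pack("!BHH", 23, 0x0303, 60000))  # oversized declared length
        return False
    except RecordLayerError:
        kind, _, body = r.records[0]
        return kind == "handshake" and len(body) == 100


if __name__ == "__main__":
    print("bounded reassembly OK:", demo_bounded_reassembly())
```

The same shape applies to the HTTP header parser: fix the maximum header line and header count before reading, and reject the request when the peer’s input exceeds them rather than growing a buffer to fit.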

URL:  https://www.armis.com/blog/tlstorm-2-nanossl-tls-library-misuse-leads-to-vulnerabilities-in-common-switches/

* * *

Millions of IoT devices affected by serious DNS flaw

The Nozomi Networks Labs team has discovered an unpatched vulnerability that directly affects the domain name system (DNS) of multiple routers and IoT devices, deployed in various sectors of critical infrastructure.

The identified flaw is located in two C libraries (uClibc and uClibc-ng) that are commonly used in IoT products, employed by Linux distributions such as Embedded Gentoo, and widely used by major vendors such as Netgear, Axis and Linksys.

According to the research, a threat actor could use DNS poisoning or DNS spoofing to redirect network traffic to a server under its direct control and thereby steal or manipulate information transmitted by users and perform other attacks against devices to compromise them completely.

Nozomi estimates that more than 200 vendors could be affected by this vulnerability, which has no CVE identifier as yet. Since there is currently no patch, specific technical details about its exploitation will not be released until new firmware versions are available to fix the issue.
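DNS poisoning and spoofing, as mentioned above, depend on an attacker answering a query before the real server does and the resolver accepting that answer. The following is an added example (not uClibc code, and not a description of the undisclosed flaw) of the checks a resolver performs before trusting a reply: the 16-bit transaction ID must match the outstanding query, the QR bit must be set, and the question section must be echoed byte for byte. A spoofer who cannot observe the query has to guess the ID, which is only hard if the resolver picks it unpredictably. The domain names and addresses are constructed for the demo.

```python
import os
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (default type A); returns (txid, wire bytes)."""
    if txid is None:
        # An unpredictable ID per query is what makes blind spoofing a guessing game.
        txid = struct.unpack("!H", os.urandom(2))[0]
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return txid, header + question


def make_response(txid, query, rdata_ip, rcode=0):
    """Constructed helper for the demo: wrap a query into a response with one A record."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = query[12:]
    answer = (b"\xc0\x0c"                       # name pointer to offset 12 (the question)
              + struct.pack("!HHIH", 1, 1, 60, 4)  # type A, class IN, TTL, RDLENGTH
              + bytes(int(o) for o in rdata_ip.split(".")))
    return header + question + answer


def validate_response(sent_txid, sent_query, response):
    """True only if the response matches the outstanding query."""
    if len(response) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if txid != sent_txid:
        return False          # wrong transaction ID: not an answer to our query
    if not (flags & 0x8000):
        return False          # QR bit clear: this is a query, not a response
    if qdcount != 1:
        return False
    # The question section must be byte-identical to what we sent.
    sent_question = sent_query[12:]
    return response[12:12 + len(sent_question)] == sent_question


def demo():
    """Genuine reply accepted, blindly spoofed reply (wrong ID) rejected."""
    txid, query = build_query("example.com")
    genuine = make_response(txid, query, "198.51.100.10")          # constructed address
    spoofed = make_response((txid + 1) & 0xFFFF, query, "203.0.113.66")
    return validate_response(txid, query, genuine), validate_response(txid, query, spoofed)


if __name__ == "__main__":
    print("genuine accepted, spoofed rejected:", demo())
```

A real resolver also randomises the UDP source port, which adds a second value the spoofer must guess; the wire-format checks above are the part that can be shown offline.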

URL:  https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-DNS-bug-in-popular-c-standard-library-putting-iot-at-risk/

* * *

Severe vulnerabilities in AVAST and AVG

The SentinelOne team discovered in December 2021 two critical vulnerabilities, catalogued as CVE-2022-26522 and CVE-2022-26523, in Avast and AVG antivirus products. These vulnerabilities were reportedly present for exploitation in the products since 2012 and affected the “Anti Rootkit” system in both products.

The flaws allowed malicious actors to exploit the socket connection in the kernel driver to escalate privileges to disable the security products, making it possible to overwrite system components, corrupt the operating system and/or perform unhindered malicious operations, such as injecting code, performing lateral movement, installing backdoors, etc.

Both vulnerabilities were patched with version 22.1 of Avast antivirus (AVG was acquired by Avast itself in 2016), released on 8 February. It should be noted that despite the length of time these vulnerabilities have existed, no signs of exploitation have been detected.

URL: https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/

* * *

Vulnerability in several ransomware families could prevent data encryption

Security researcher John Page (hyp3rlinx) has shown that several of the most recently active ransomware families are vulnerable to a “DLL hijacking” flaw that would prevent the ultimate purpose of encrypting their victims’ data. The details of his research have been published through the Malvuln project, created by the researcher himself, where he catalogues vulnerabilities detected in malware samples.

The exploitation of the detected flaw consists of a DLL hijacking, a type of vulnerability that is generally used for arbitrary code execution and privilege escalation purposes. In this case, by creating a specially crafted DLL file that impersonates the DLL required for the execution of the malware, the ransomware processes would be intercepted and terminated, thus preventing data encryption.

For the time being, Malvuln has published some proof-of-concepts (PoCs) affecting the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit and WannaCry ransomware families, without ruling out that the flaw is perfectly exploitable in other ransomware as well.

URL: https://www.malvuln.com/

Where is your company on the cybersecurity journey?

Diego Samuel Espitia    5 May, 2022

Although the cybersecurity path is not linear and each company has its own characteristics, experience has allowed us to classify companies into five levels of cybersecurity evolution.

The existence of these levels does not imply that all companies must reach the maximum (this depends a lot on the characteristics and size of the organisations), but they must reach an optimal level that reduces the probability of an incident.

In this article, we try to provide companies with a tool to identify where they are, what the challenges are and what they need to do to raise the level of evolution. The aim is to enable them to create their improvement action plan. It is not a definitive guide, but a useful aid to simplify some of the steps indicated by norms or standards without much context.

We will analyse each level in detail, taking into account the network security posture, device security, services and file management.

Unaware

This kind of organisation makes information management decisions based on recommendations or best practices in the market. They usually see the acquisition of cybersecurity equipment as an expense or a compliance with an industry standard.

This means that the acquisition of cybersecurity elements is not coherent and is done with the sole objective of having minimal control or compliance. On the other hand, there is no security or information management policy that employees or third parties must comply with, therefore exposing their own and their clients’ information.

  • The corporate network usually has perimeter protection systems and browsing controls. This is managed by IT staff, meeting business rather than cybersecurity requirements. No segmentation or device access controls.
  • Remote access to equipment on the network is enabled with the sole control of a username and password, usually shared by several workers, to connect to internal equipment or services from home.
  • The organisation’s computers often have a non-enterprise anti-virus system, which cannot be monitored or controlled from a central system.
  • Operating systems are often not managed for proper updates or configurations, so it is common for computers to coexist with malicious software, undetected.
  • Information in these organisations is not controlled or classified, so any user on the network can access all information without restriction. Managers often generate uncontrolled copies of information and work is not done in teams or with traceability over access to data but is handled independently on users’ devices.
  • Cloud storage systems do not have access control systems enabled, nor are they encrypted. They are often used connected as an additional directory to the users’ operating system, so the main function is as a backup of information.

Reactive

These organisations start the process of integrating information security into the company’s organisational areas, understanding that in today’s world everything depends on the management of information and that cybersecurity is therefore essential for the company’s growth.

The main characteristic of these organisations is that they have a security operations centre (SOC) service, either external or internal, which allows correlation and threat detection to be carried out reactively on the network, based on detection configurations.

  • Such organisations have many cloud services and multiple security devices in the network that send events to the operations centre for threat detection. In some of these cases, the threats that are monitored and alerted originate from external networks, but rarely are internal threats monitored with equal rigour.
  • Security management is usually the responsibility of the technology area, where network administration teams and core security teams are in place to take reactive action on SOC notifications.
  • Users have VPN access for remote connections, controlled through centralised identification systems such as the active directory and monitored from the SOC. However, the networks are not segmented and VPN connections have the same privileges and access as the organisation’s network.
  • User devices are managed from a central administration, which deploys control policies and access permissions based on user classification, but there are usually local administrators on the machines and administrative users for device or network management.
  • Personal devices are allowed to be connected to the corporate network, allowing possible access by malicious software or the extraction of sensitive information. Given the lack of file controls, this is one of the main causes of information leakage.
  • Non-enterprise backup systems, such as external drives or shared folders in the cloud, have no guarantee of data recovery and are susceptible to data hijacking attacks.
  • Cloud storage systems do not have access control systems enabled, nor are they encrypted. They are often used connected as an additional directory to the users’ operating system, so the main function is as a backup of information.

Proactive

These companies have systems and infrastructures that allow them to take anticipatory controls, which enables them to base all information security decisions on data and the timely detection of threats, for which they have a security architecture oriented to the challenges involved in information management.

Not only do they have a SOC, but they also carry out an analysis of the internal and external threats that are detected in these systems, in order to implement improvements in controls and corporate information management policies.

  • These organisations use identity management systems to start information classification processes and improve access control. They not only control access to data but also use multiple authentication factors to guarantee a user’s identity, mitigating the most common phishing attacks.
  • For this to work properly, corporate controls over the company’s network devices and users are in place. These not only detect existing threats but also, based on the knowledge and behaviours observed on networks or devices, generate alerts and controls for suspicious situations. Such implementations rely on indicators of attack, rather than indicators of compromise, in order to apply controls proactively.
  • Another important feature is the level of staff awareness, trained on how to detect threats and which tools to use for business communications, always taking into account the categorisation of documents.

All of the above is managed by a dedicated cybersecurity team at a management level that allows it to weigh in on and analyse corporate decisions from a data protection perspective, with teams specialised in monitoring, incident response, identity management and security architecture, among others.

Anticipatory

In these organisations, the platforms, network architecture and corporate procedures are aimed at protecting information and responding in advance to possible cyber threats, protecting information wherever it is located and securing every way of communicating with or connecting to it.

  • The company’s executive management is aware of the importance of information security, therefore, every decision made regarding suppliers, equipment, network deployment, use of cloud services and others, has a prior analysis of the information security area, which in turn ensures that policies and controls are aligned with business objectives.
  • Threat Hunting teams and Incident Response teams are essential in these organisations. In close collaboration with the company’s defence, monitoring and attack teams, they not only analyse alerts from various detection systems, but also, using the attack techniques and tactics disclosed by companies specialising in information security, generate mechanisms for detecting or analysing possible anomalous behaviour.
  • Document management and classification systems are closely integrated with identity management systems, allowing traceability of events on each corporate file and access control based on identities, not only of employees but also of computers or autonomous systems within the network that programmatically have access to company files.

All of this is orchestrated by the security team, which reports directly to the presidency or board of directors, comprising personnel trained in detection, monitoring, threat hunting, attack teams and defence teams, supported by specialised tools for each field and with advanced protection on user devices and network devices, which control access and allow the network architecture to be modified.

Automated

This is the highest level of corporate information security management. Its main characteristic is that, by having a solid structure and architecture, it is integrated with intelligent automation platforms, which allow orchestrating the various monitoring, detection and threat hunting systems, using deep learning technology and generating automatic reactions to the various threats or behaviours detected.

  • These companies base their information security operation on Zero Trust, which extends controls to all levels and instances where data is handled, managed, generated or manipulated, regardless of whether they are employees, suppliers, third parties, automated devices or anyone who has access to data.
  • In order to manage these orchestration and automation systems, it is necessary to have specialised cybersecurity personnel and aware employees, in addition to having clear security policies that are closely aligned with the business to avoid friction that can be generated in the application of control.

Cyber Security Weekly Briefing 22–29 April

Telefónica Tech    29 April, 2022

New malicious RedLine distribution campaign

Researchers at BitDefender have published a report on a new RedLine malware distribution campaign. According to the analysts, malicious actors are using the RIG Exploit Kit for distribution, which exploits a vulnerability in Internet Explorer that causes memory corruption when the victim accesses a specially crafted website. This flaw, identified as CVE-2021-26411 with a CVSSv3 of 7.8, was patched by Microsoft in March 2021.

Following exploitation of the vulnerability, the kit then distributes RedLine by placing a JavaScript file in a temporary directory, which in turn downloads a second RC4-encrypted payload, generating the final infection process on the victim’s computer. According to The Record, Bogdan Botezatu, director of research at Bitdefender, said that in April they identified a total of 10,000 RedLine attacks around the world with their solutions alone, which shows the widespread use of this malware in cybersecurity incidents.

Read more: https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf

Privilege escalation in Windows Active Directory

Security firm SOCPRIME has published an article stating that security researchers have revealed a flaw in Windows Active Directory (AD) in environments where the default settings are used. The flaw, which allows a user who is permitted to add machines to the domain to do so without administrator privileges, could lead to privilege escalation on the vulnerable system. A proof of concept exists, and the bug could be exploited using the KrbRelayUp tool.

A possible mitigation would require changing the default configuration and removing authenticated users from the default domain controller policy. More details on mitigating the vulnerability can be found in Mor Davidovich’s research repository.

Nimbuspwn: Privilege escalation vulnerabilities in Linux

Microsoft researchers have identified two new vulnerabilities, called Nimbuspwn, that could allow an attacker to escalate privileges to root on vulnerable Linux systems.

The flaws have been identified as CVE-2022-29799 and CVE-2022-29800, and are found in the networkd-dispatcher component, whose function is to make changes to the state of the network interface.

According to the researchers, the chained exploitation of these vulnerabilities would allow malicious actors to achieve root privileges, giving the possibility, at later stages, to deploy payloads, backdoors, distribute malware and/or perform other malicious actions through arbitrary code execution.

It should be noted that Clayton Craft, administrator of the networkd-dispatcher component, has implemented the corresponding fixes and users are advised to update their instances to prevent possible attacks.

Read more: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/

0days in numbers: Chrome, Windows, Exchange… What are attackers and manufacturers looking for?

Sergio de los Santos    27 April, 2022

Very interesting data from Google’s Project Zero, which tries to catalogue, find and disseminate 0days. They do not discover them directly, but “detect” them in any manufacturer when they are being exploited if the manufacturer so declares. They can then analyse, alert and correct in order to close the door to attackers as soon as possible.

They advocate proper 0day cataloguing and transparency to improve the community. For example, the starting point is for manufacturers to properly label their vulnerabilities as in-the-wild (or not) when they are detected or corrected. This year they have detected 58. The previous record was 28 in 2015. Project Zero has been working since 2014.

0days are vulnerabilities found when already being exploited by attackers and, therefore, without a known patch

The numbers from this tracking are rather interesting. If we divide them by major manufacturers during 2021, they would look like the following chart.

Chart: 0days reported by vendor in 2021. Source: Project Zero

Does this chart mean that Chrome has more flaws and is more vulnerable? Not at all. In fact, there is so much information to be gleaned from this chart that it is necessary to break down the argument.

Chrome

14 0days reported in 2021. Undoubtedly, the browser is the one that has been attracting the greatest interest from attackers for some time now. Firstly because of the number of new attacks they carry out, and secondly because it is known that bypassing Chrome’s sandbox has always been a technical challenge.

Now, however, it is even more of a challenge because Edge uses Chromium and some of the bugs may be shared. Six of these bugs were in the V8 JavaScript engine.

Webkit (Safari)

The first full year that Apple reports 0days as such in Webkit. And that makes 7, so you can’t really establish a trend. Certainly a lot compared to its market share, but we already know that it’s a juicy target on iPhone phones above all. Again, 4 of them in the JavaScript engine.

Internet Explorer

Yes, it still matters, given how embedded it is in the system and as a consequence it is still Office’s HTML engine. In addition, there are always 3 or 4 0days on a constant basis since 2015.

Windows

10 0days. The curious thing is that until now the vast majority of them targeted win32k to escalate privileges: up to 75% of all Windows 0days in previous years.

In 2021, only 20% are attacking this driver. Why? Because these attacks were aimed at versions prior to Windows 10. With its disappearance, this module becomes more complex to exploit. Although it may not seem like it, in this respect, Windows 10 is more heavily shielded.

iOS/MacOS

Always hermetic, Apple has in 2021 for the first time reported 0days as such in its operating systems. There have been 5 of them, one of which, the first ever, was on macOS; until now all had been on iOS.

Once again, iOS is a very interesting target for attackers in high geopolitical spheres. Pegasus is an example of this.

Android

We have gone from a single 0day in 2019, to none in 2020, to 7 in 2021. And of these 7, 5 were bugs in the GPU driver.

Since Android operating systems are highly fragmented, it is difficult to make a working exploit for most flavours. A flaw in the GPU driver, however, means an attacker needs only two exploits: one for the Qualcomm Adreno GPU and one for the ARM Mali GPU.

It is curious how, not only on Android but on all other platforms, the bugs most valued by attackers are privilege escalations. Why? Because getting the user to execute something is relatively easy thanks to social engineering.

Exchange Server

The big star of 2021. The first time it appears since 2014 and it does so with 5. It is also true that 4 of them were part of the same operation or campaign related to ProxyLogon.

Conclusions

It will never be known how much remains unknown, or what portion those 58 represent of the total number of 0days attackers are using. At least this year is the first in which Apple has committed to labelling its vulnerabilities as known in-the-wild for Webkit, iOS and macOS.

Most of these 58 0days follow very similar practices as they always have: they build on known exploits and vulnerabilities to develop new and derivative exploits. Only two were new in their techniques and sophistication. And this is quite relevant. Because as long as known methods, techniques or procedures are used, they are theoretically easier to detect because they are “expected”. This is where the industry should improve.

Another conclusion is that these numbers show us something that is incomplete, part of a full map we do not know. These are only the vulnerabilities declared as 0days detected by the manufacturers. There will certainly be more, but we don’t know how many. Google’s call for all manufacturers to report their 0days as such is of great help for analysing the industry itself.