
Security Week 38: Attack on Cisco routers, bug in AirDrop, arrest of ransomware creators

"Three billion human lives ended on August 29, 1997. The survivors of the nuclear fire called this day Judgment Day. But they had to live through a new nightmare: the war against the machines."

Not really. In 1997 the very first standard for WiFi networks (802.11b) was developed, Steve Jobs returned to Apple, the PNG format was invented, and a computer beat a human at chess. But Judgment Day did not happen, which is not to say it never will. The machines simply have not evolved enough to make it happen. They are far from real artificial intelligence even now, but that does not mean nothing has changed in 18 years. A lot has. If we interpret the concept of "robots" broadly and outside the Hollywood frame, then they are all around us now, and local Armageddons happen every day, here and there. That is because the robots created to make people's lives easier are increasingly getting out of control. Not on their own; it is just that somebody once did not build them very well, that's all.

In today's news digest there are three stories about the mistakes people make when creating (software) robots, how other people exploit these flaws, and what happens to people as a result. I do not promise the end of the world, but the danger level is coral with hints of pumpkin. Traditional rules: every week the editors of the news site Threatpost select the three most significant news items, to which I add an extended and merciless commentary. All episodes of the series can be found here.

The last post had a survey on password managers; here are the results. Slightly more than half (62%) of those who voted believe that a password manager is still needed to ensure password uniqueness. Half of the respondents to the second question (123 people in total) use such a manager; let me remind you that this is noticeably higher than outside Habr, where only 7% use password managers. Thanks to everyone!
Permanent backdoor through Cisco router firmware update
News. FireEye study.

I have already said that a modern router is a black box which (in most cases) quietly works in a corner, and nobody really thinks about what goes on inside it. This applies not only to home devices but also to enterprise ones. Specifically, at least three models of Cisco routers turned out to allow the installation of a backdoor which, given the above, may go unnoticed for a very, very long time. The attack model is simple in words and hard in practice: gain access to the router, upload modified firmware, obtain remote access to the device from anywhere plus the ability to load additional modules for (various atrocities).



In fact, it is not that bad. FireEye researchers identified three vulnerable models: Cisco 1841, 2811 and 3825. As far as I understand, all three were released in 2004, are no longer sold, and will soon stop being supported by the manufacturer. The initial infection vector does not exploit vulnerabilities in the routers: presumably the firmware was replaced after gaining access to the device with a default login/password pair, or with a unique password that was somehow obtained. This situation is by itself already a failure of corporate security, a huge hole in the defenses. Simple theft of credentials would interest no one; it is the modification of the firmware that matters, because it gives permanent access to the device and, most likely, to the corporate LAN behind it. The conclusion from this story is the usual one: when working in information security, you cannot trust anyone. By the way, fewer than a hundred infected routers were found across the entire Internet (at least its IPv4 part).

Serious bug in the AirDrop data exchange system
News

So, about the rise of the machines. In the fictional universe of the second Terminator (the third and later ones I refuse to acknowledge), humanity first built the Machines, which then, in fact, revolted. And it built them so that they would be convenient for humanity (well, more precisely for the military). You know, to point a laser pointer at a map of the world, fight viruses and so on. Such a highly simplified fairy-tale model is already being implemented. For a long time now, a person's role in managing gadgets, connecting to the network and sharing data has come down to pushing buttons. Everything is done so that the answer is loaded and ready for display by the time, or even before, the device's user asks the question.


A comfortable user experience looks like this

This, in general, is called progress, but there is one fundamental flaw: we have almost no control over how our devices interact with the network. Take the excellent AirDrop feature as an example. It solved so many problems with file transfer: no need to think about "pairing", "connecting to an access point" or "authorization", you simply pick a recipient within sight and send the data. A vulnerability in this festival of comfort was bound to be found sooner or later, and it was.

Australian researcher Mike Dowd showed how AirDrop can be used to remotely overwrite data on a victim's device. All that is needed is to send a prepared package to the phone (or even to a computer running Mac OS X). When it arrives, the user is asked whether to accept the data or not, but it does not matter: the exploit has already fired (much like the Android Stagefright vulnerability). There is a limitation: receiving data from all devices within range must be enabled in AirDrop. But for convenience (!), the AirDrop reception mode can be switched without unlocking the device, so an attacker only needs to hold the phone for a couple of seconds, and that's it. Result: an application can be remotely installed on the iPhone. Of course, it runs with the rights of a regular application and so cannot simply steal anything, but that is already a story about other exploits, the kind usually used for jailbreaking.



The vulnerability was closed in iOS 9.

CoinVault ransomware creators arrested
News. Research by Kaspersky Lab experts. A previous CoinVault study, with decryption of the encrypted data without paying a ransom.

While the machines have not yet acquired their own intelligence to do evil, people are coping with this task excellently. Not as often as we would like, the disclosure that "someone hacked someone" ends with the arrest of real cybercriminals. Take the previous story: modified router firmware with a backdoor was found. Who modified it? What for? Unclear. Sometimes it seems that anonymity technologies on the Internet make the part of the work the police are responsible for extremely difficult, almost impossible. Encryption Trojans are one typical example. Tor is used to hide the command servers, Bitcoin is used to collect the ransom, and it seems there is nothing left to dig into.



All the more pleasant is the news that two men were arrested in Holland on suspicion of involvement in the creation of the CoinVault ransomware. Kaspersky Lab experts did a lot to make this arrest happen, carrying out their part of the investigation on the technical side of the case. CoinVault is not the most widespread ransomware, but it is a very telling example of how hard it is to take such an attack apart. A report published in November last year describes in detail how actively the ransomware samples try to avoid analysis: if you launch the Trojan in a virtual machine or on a computer with Wireshark and similar software, execution of the "payload" is blocked.

After the November study was published, it seemed for a while that the organizers of the attack had stopped all activity, until researchers from Panda Security shared a couple of new samples. Having collected a lot of indirect "evidence", Kaspersky Lab specialists were able to decrypt CoinVault victims' data without a ransom. Analysis of the malicious code also helped arrest the CoinVault suspects. First, researchers discovered strings in "perfect Dutch", whereas the malware standard is mostly unlocalizable bad English. Then, thanks to the technical information provided to the Dutch police (a division of the National Hi-Tech Crime Unit), it was possible to take down the command server and identify those who controlled it.

Perhaps the conclusion from this story is that no method of preserving anonymity, even the most perfect one, can be completely invulnerable while you are engaged in crime. First, sooner or later some method of counteraction appears for every new technology. Second, the capture of criminals is helped not so much by vulnerabilities in the technology as by the mistakes of the criminals themselves. And there will always be mistakes; it only remains to find and use them.

What else happened:
A family of bugs was found in PayPal (and not only there) that allows bypassing the user authorization process, even two-factor. In PayPal's case the mobile API is to blame, which turned out to be slightly less secure than necessary.

The Let's Encrypt initiative was launched, which allows site owners to obtain a certificate and enable HTTPS access relatively easily.

A vulnerability in Android was closed that allowed bypassing the lock screen by entering a veeeeeeeeeeeeeeeeeeeeeery_looooooooooooooooooooong_passwooooooooooooooooord.

Antiquities:
Family "Invader" and "Plastique"

Resident, very dangerous viruses. They infect .COM and .EXE files (except COMMAND.COM) following the algorithm of the Jerusalem virus, as well as the boot sectors of floppy disks and the hard drive. On a floppy disk they format an additional track; when infecting the hard drive they are written immediately after the MBR. Depending on their counters, they may perform a single cycle on each timer interrupt (int 8), erase information on disks, play a melody, and decrypt and display the texts:

"Invader" - "by Invader, Feng Chia U., Warning: Don't run ACAD.EXE!"
“Plastique” - “PLASTIQUE 5.21 (plastic bomb) Copyright 1988-1990 by ABT Group (in association with Hammer LAB.) WARNING: DON'T RUN ACAD.EXE!”

They also contain the text "ACAD.EXECOMMAND.COM.COM.EXE". They hook int 8, 9, 13h, 21h.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 104.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.

Source: https://habr.com/ru/post/267117/
