
Security Week 13: a parade of ransomware, the FBI hacked the iPhone without Apple's help; more details on Badlock

The six-week standoff between Apple and the Federal Bureau of Investigation is over. On March 28, the FBI officially announced that it had managed to crack the iPhone 5c that belonged to a terrorist without the manufacturer's help. Apple is no longer required to build tools for breaking into this phone. The story ended, perhaps, in the best possible way for both vendor and consumer; the stock-photo guy in the picture will vouch for that. But this does not mean the topic is closed.

Details aside, the smartphone manufacturer and (in a sense) the state argued about who is obliged to provide access to protected user data when a crime needs to be investigated. Perhaps for the first time on such a scale, the question was discussed: what should government agencies do if protection in the form of data encryption is so good that it cannot be broken without the manufacturer's help? In the end it turned out that the FBI had been hasty: if you really need to, there are other ways.

But sooner or later (rather sooner) this issue will be raised again, in a court case or even in new legislation. The problem will have to be solved, and the solution can seriously affect the security of any encrypted data (no matter whose!), that is, it will affect everyone. So we keep watching. All editions of the digest are available under the tag.

Ransomware Parade
Three of the five most popular news items of the past week are devoted to ransomware Trojans. I cannot say that the newly discovered attacks differ seriously from previous ones, although the researchers did find a couple of interesting tricks. As before, the vast majority of encryptors are detected proactively by a good protective solution. What draws attention to the topic is not the attack technology but the growth in their number and the serious incidents at companies that store important information, primarily hospitals. Let's go through the main events.
Fileless ransomware attacks medical centers
News. Carbon Black study.

Investigating an attack (not the first) on an unnamed company in the health sector, Carbon Black experts uncovered the activities of some minimalist cybercriminals. Office documents are sent to potential victims; when opened, they ask the user to enable macros, after which the data is encrypted by a Windows PowerShell script. That is (with some reservations), we are dealing with a very simple "batch-file" Trojan, with primitive, unencrypted communication with the command server, and the result is either loss of data or a $500-1000 ransom. As you can see, an attack method with a 20-year history continues to work, and with the arrival of the bash shell in Windows it opens up new prospects.
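The chain described above, an Office document whose macro launches a PowerShell script, leaves a very visible trace in process-creation telemetry: an Office application becoming the parent of a script host. The following is an added example, not code from the original post or from Carbon Black, that scores such events. The JSON-lines event format and the sample events are constructed for the example, not any vendor's real schema or real telemetry.

```python
"""Detect an Office application spawning a script host (macro -> PowerShell).

Added example. Each input line is a constructed JSON process-creation event
with the keys parent, image, cmdline and user; real EDR/Sysmon schemas differ.
"""
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that raise the score: (regex, weight, label).
SUSPICIOUS_ARGS = [
    (re.compile(r"-(e|enc|encodedcommand)\b", re.I), 2, "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), 1, "no profile"),
    (re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I), 2, "download cradle"),
    (re.compile(r"bypass", re.I), 1, "execution policy bypass"),
]

# Constructed sample events (not real telemetry); raw strings keep the JSON escapes intact.
SAMPLE_EVENTS = [
    r'{"parent":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoP -W Hidden -Exec Bypass -enc SQBFAFgA","user":"CORP\\nurse01"}',
    r'{"parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Get-Process","user":"CORP\\admin"}',
    r'{"parent":"C:\\Program Files\\Microsoft Office\\EXCEL.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c echo test","user":"CORP\\acct02"}',
    r'{"parent":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","image":"C:\\Windows\\splwow64.exe","cmdline":"splwow64.exe","user":"CORP\\nurse01"}',
]


def _basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one parsed event; 0 when the parent/child pair is benign."""
    parent = _basename(event.get("parent", ""))
    image = _basename(event.get("image", ""))
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return 0, []
    # The spawn itself is the primary signal; command-line traits only add confidence.
    score, reasons = 3, [f"{parent} spawned {image}"]
    for pattern, weight, label in SUSPICIOUS_ARGS:
        if pattern.search(event.get("cmdline", "")):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(lines, threshold=3):
    """Parse JSON lines and return alerts whose score reaches the threshold."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"user": event.get("user"), "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the default threshold the bare Excel-to-cmd.exe launch also alerts, which is deliberate: the parent/child relationship is the signal worth acting on, and the encoded, hidden-window command line only raises the priority. Tune the threshold against your own baseline of legitimate Office automation.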

Targeted ransomware attack on hospitals using vulnerabilities in server software
News. Cisco Talos research.

The SamSam ransomware, on the other hand, uses rather nontrivial attack methods. It is not employees' computers that are attacked but JBoss application servers (aka WildFly). The attackers' motivation is clear: instead of social engineering, which does not always work, they exploit vulnerabilities in server configuration, and servers, unlike employees, work around the clock rather than from 8 to 5. The researchers claim that the organizers of the attack choose hospitals as victims. In the previous issue I suggested that this heightened interest in medical centers is a desire to attack the most sensitive infrastructure and data: if a small "traditional" business with a comparably sized infrastructure stops working for a couple of days, nobody suffers much, whereas a hospital has no time to sort things out, because people need to be treated. Cisco Talos researchers offer a different motivation: hospital IT infrastructure is very often in poor shape from a security standpoint. Perhaps so: IT is not a core business in medicine, but if that is the case, it is time to do something about it.

The Petya Trojan (pictured) demands a ransom after encrypting the whole disk
News. Bleeping Computer research.



To put it in professional terms, most ransomware uses file-level encryption: individual files are encrypted and the operating system remains operational. The Petya Trojan, discovered while studying a narrowly targeted spam campaign sent to German companies, instead encrypts the entire disk, making it impossible to boot the system or access any data until the ransom ($380) is paid. Researchers from Bleeping Computer demonstrated the Trojan's work in this video:



In short, the Trojan forces a reboot, after which it shows the user a fake "disk check" while encrypting the data. The linked study describes the infection and ransom process in detail, with pictures. Here we are dealing with another rather ancient attack method that has been put to new use thanks to the advent of Tor and Bitcoin. A very interesting sample, although of doubtful scale: unlike traditional Trojans, disk-level encryption requires serious engineering of the attack and offers plenty of opportunities for something to go wrong.
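Disk-level ransomware of this kind makes the machine unbootable by replacing the code in the first sector of the disk (Petya overwrote the master boot record with its own loader), so one cheap defensive control is to baseline sector 0 and alert when its bootstrap-code area changes while the partition table does not. The following is an added example, not code from the original post or from Bleeping Computer; the sectors it checks are constructed in the script, not images of any real disk, and the `build_sector` helper exists only to construct them.

```python
"""Boot-sector (MBR) baseline and integrity check.

Added example. Parses the classic 512-byte MBR layout: 446 bytes of bootstrap
code, four 16-byte partition entries, and the 0x55AA signature. The sample
sectors below are constructed for the example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = slice(0, 446)       # bootstrap code
PTABLE_AREA = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"         # bytes 510-511
ENTRY_FMT = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Return the code-area hash, the partition entries and the signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    table = sector[PTABLE_AREA]
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, table[i * 16:(i + 1) * 16])
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "code_hash": hashlib.sha256(sector[CODE_AREA]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def make_baseline(sector):
    """Record the known-good state at install time (store this off the host)."""
    return parse_mbr(sector)


def check_mbr(sector, baseline):
    """Compare a freshly read sector 0 with the baseline; return a list of findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["code_hash"] != baseline["code_hash"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    if sum(1 for p in current["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    return findings


def build_sector(code, partitions):
    """Constructed helper: assemble a sector from code bytes and (status, type, lba, count) tuples."""
    code = code.ljust(446, b"\x00")[:446]
    table = b"".join(struct.pack(ENTRY_FMT, *entry) for entry in partitions).ljust(64, b"\x00")
    return code + table + SIGNATURE


# Constructed data: a "known-good" sector and one whose code area was overwritten.
GOOD_PARTS = [(0x80, 0x07, 2048, 204800)]                 # one active NTFS-type partition
GOOD_SECTOR = build_sector(b"\xfa" + b"\x90" * 100, GOOD_PARTS)   # placeholder boot code
TAMPERED_SECTOR = build_sector(b"\xeb\x10" + b"\x41" * 300, GOOD_PARTS)

if __name__ == "__main__":
    baseline = make_baseline(GOOD_SECTOR)
    print("good:", check_mbr(GOOD_SECTOR, baseline))
    print("tampered:", check_mbr(TAMPERED_SECTOR, baseline))
```

On a real host the sector comes from the raw device (for example the first 512 bytes of `/dev/sda`, which requires root to read), and the baseline must live somewhere the ransomware cannot reach, otherwise the comparison proves nothing. A changed code area with an unchanged partition table is exactly the "bootable, but not by the operating system" state the disk-locking sample produces.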

The Badlock vulnerability in Samba: experts try to work out whether an exploit will appear before the patch
News

I wrote about the Badlock vulnerability at the start of the previous digest. Over the past week nothing has changed: we are still waiting for the disclosure of the vulnerability's details on April 12, a Tuesday, after the release of Microsoft's next batch of patches. Microsoft's own implementation of the network file-sharing protocol turned out to be affected just like the free Samba. Discussion continues over the ethics of the early announcement by the SerNet researchers, who are also Samba maintainers. SerNet's motivation is clear: (officially) they want the administrators of a huge number of potentially vulnerable servers, and the developers of dependent software, to prepare in advance, and (unofficially) they do not object to the extra attention from the media and potential customers for their cybersecurity company.

The arguments of the opponents of this approach are as follows:
- They turn security into a farce. We will not discuss this argument, as it is clearly unconstructive.
- Early disclosure of information about the vulnerability gives attackers enough information to write an exploit and use it before the patch is available.

This is a reasonable argument, and this week there were developments in support of it. One SerNet employee who is also a Samba contributor is Stefan Metzmacher, and of course his commits to the Samba code immediately became the focus of attention. Among them, in the lock.c module (note the correspondence between the vulnerability's name and the module's purpose), the following comment appeared:

/* this is quite a spec - we say we must lie about the length! */

And when something goes wrong with determining the size of something, the next step may well be a buffer overflow and arbitrary code execution. However, there is no evidence yet that the bug is there (interested readers can follow the link to GitHub).

- It is impossible to prepare for such an announcement. This was indirectly confirmed in a Threatpost interview with SANS Institute researcher Johannes Ullrich. In his opinion, more disclosure can indeed help exploit writers. But the information on the vulnerability's website in its current form does not allow preparation either. Preparation means writing a scanner for the relevant ports, taking an inventory of the infrastructure for vulnerable Samba versions, and assessing the scale, knowing that only servers are vulnerable and not clients (or vice versa). Waiting and fearing is not preparation.

At the same time, the SANS Institute specialist believes in the effectiveness of early announcements: after the patch is released, they have a positive effect on how quickly it is deployed. True, according to Ullrich, only really serious vulnerabilities deserve a "brand"; otherwise the method will not work. Conclusion: so far there is more benefit than harm in the approach taken to disclosing the Badlock vulnerability. But the technique could stand to be improved.
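The inventory step in Ullrich's list above is the one an administrator can actually do before April 12: collect the Samba version from every host, separate servers from client-only machines, and have the list ready so that the moment the advisory names fixed versions the affected hosts fall out of a comparison. The following is an added example, not code from the original post, from SerNet or from SANS. The inventory lines, the `.example.internal` host names and the `FIXED_VERSIONS` table are constructed placeholders; the real fixed versions are whatever the advisory specifies when it is published.

```python
"""Samba version inventory for patch readiness.

Added example. Parses per-host version strings of the form printed by
`smbd -V` / `smbclient -V` (e.g. "Version 4.3.6-Ubuntu") and classifies each
host against a per-branch minimum fixed version. All data below is constructed.
"""
import re
from collections import defaultdict

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")

# Constructed inventory: host, role (server or client), raw `smbd -V` output.
INVENTORY = """\
fs01.example.internal,server,Version 4.3.6-Ubuntu
fs02.example.internal,server,Version 4.2.3
nas01.example.internal,server,Version 4.1.17
ws117.example.internal,client,Version 4.3.8
ws118.example.internal,client,not installed
"""

# PLACEHOLDER values, not the real fixed versions: minimum fixed release per
# (major, minor) branch. Replace with the advisory's numbers when published.
FIXED_VERSIONS = {(4, 3): (4, 3, 8), (4, 2): (4, 2, 11)}


def parse_version(text):
    """Return (major, minor, patch) from a Samba version line, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_inventory(text):
    """Turn CSV-ish inventory lines into dicts; the version field may contain commas."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, role, raw = (f.strip() for f in line.split(",", 2))
        hosts.append({"host": host, "role": role, "version": parse_version(raw)})
    return hosts


def classify(entry, fixed=FIXED_VERSIONS, servers_only=True):
    """Bucket one host: no samba / out of scope / unsupported branch / needs patch / patched."""
    v = entry["version"]
    if v is None:
        return "no samba"
    if servers_only and entry["role"] != "server":
        # Flip servers_only to False if the advisory turns out to affect clients too.
        return "client, out of scope"
    branch_fix = fixed.get(v[:2])
    if branch_fix is None:
        return "unsupported branch, needs upgrade"
    return "patched" if v >= branch_fix else "needs patch"


def summarize(text, **kw):
    """Map each bucket to the sorted-by-input list of hosts in it."""
    buckets = defaultdict(list)
    for entry in parse_inventory(text):
        buckets[classify(entry, **kw)].append(entry["host"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hosts in summarize(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

The point of keeping `servers_only` as a switch is the uncertainty Ullrich names: until the advisory says whether clients are affected, the same inventory has to answer both questions. Hosts on a branch that has no fixed release at all end up in their own bucket, because "needs upgrade" is a different ticket from "needs patch".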

Antiquities:
Tula Family

Resident, non-dangerous viruses. They infect .COM and .EXE files being run, in the standard way. They reduce the size of DOS memory (the word at address 0000:0413). They intercept int 8, int 13h and int 21h. "Tula-417, -593" periodically report "Fuck you!". "Tula-419" is very dangerous: it writes itself to the beginning of COM files launched for execution. On Saturday the 14th it tries to format the drives. It intercepts int 21h and contains the text: "Tula 1990.Sat".

"Tula-635" displays the message "Formatting Drive ..." and reads sectors from the disk, although it is very likely that by changing one byte of the virus code one could make it actually format the disk.

"Tula-1480", at every 50th launch of an infected file, plays a funny tune and displays a popular teenage rhyme in English.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 48.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's just how luck goes.

Source: https://habr.com/ru/post/280688/


All Articles