Forensics Summary for Week of February 9, 2018

Stealthy Magnetic Fields Able to Exfiltrate Data Through Faraday Cages

Malware Name: MAGNETO (PoC) and ODINI (PoC)

Researchers at the Ben-Gurion University of the Negev Cyber Security Research Center in Israel have published a report showing that magnetic fields can be used to exfiltrate data from an air-gapped computer that contains certain malware. They developed two proof-of-concept (PoC) malware samples that regulate the CPU workload of the system in order to control the magnetic field it emits. With this, they can capture and send small pieces of data, such as passwords, encryption keys, or keylogging data, to a nearby receiver. This works even if the device is in a Faraday cage, an enclosure designed to block any inbound and outbound wireless communication, or if the device is in airplane mode.

Air-gapped systems are secured networks where defensive measures are in place to create and maintain a physical separation from public networks. Malicious actors seek to exfiltrate data from these secure networks using what are known as covert channels. For the scenario described here, both the air-gapped computer and the receiver need to be running the malware for the covert channel to function.

Both malware samples, MAGNETO and ODINI, have the same premise and mode of operation. They take advantage of basic hardware found in almost all modern computers and smartphones: the CPU of the computer is used for transmission and a magnetometer is used for reception of the data. The magnetometer, found in smartphones and tablets, typically contains three magnetic sensors that are used to detect the orientation and position of the device. It is not considered a communication interface, so it can be accessed with basic permissions and remains active even when the device is in airplane mode.

How it works:

Once the malware has been installed on the system, it collects the data and then transmits it by generating magnetic fields at the required frequency. A magnetic field is created when current flows through a wire, and the field changes as the current changes. Modern CPUs are energy efficient, which means their power draw changes dynamically with the workload. The malware regulates the CPU workload, which in turn controls the magnetic field being generated: overloading the CPU with calculations makes it draw more power and produce a stronger magnetic field. The malware modulates binary data by deliberately starting and stopping the workload.

The researchers used two modulation schemes for this: on-off keying (OOK) and binary frequency-shift keying (B-FSK). In OOK, the data is represented by the presence ("1") or absence ("0") of the signal.

Waveform of a binary sequence (‘10101010’) modulated with OOK (Source: Ben-Gurion University of the Negev Cyber Security Research Center)

In the B-FSK method, a specific frequency is set to transmit the “1” bits and another is set for the “0” bits.

Binary sequence (‘1010’) with two frequencies (0.25Hz and 0.5Hz) modulated with FSK (Source: Ben-Gurion University of the Negev Cyber Security Research Center)

The receiver, in the case of MAGNETO, is a smartphone that has also been compromised with the malware. The researchers used an Android application that accesses the magnetic sensor through the android.hardware.Sensor class by creating an instance of Sensor.TYPE_MAGNETIC_FIELD. The malware samples the magnetic field using the SensorManager.SENSOR_DELAY_FASTEST setting, and the SensorSample() event handler is invoked whenever the sensor delivers a new reading. The receiver has three states of operation: SAMPLE, PREAMBLE, and DEMODULATE. During SAMPLE it measures the magnetic field, in PREAMBLE it uses the bit-frame header to find the beginning of the frame, and during DEMODULATE the data bits are extracted from the signal.
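To make the OOK modulation and the receiver's SAMPLE, PREAMBLE and DEMODULATE states concrete, here is an added Python simulation (not code from the researchers' papers or their Android app): it builds a constructed magnetometer trace for a bit sequence and then recovers the frame with a three-state receiver. The preamble bits, samples per bit, carrier shape and noise level are assumptions.

```python
import math
import random

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]  # assumed bit-frame header; the papers' exact header is not given here
SAMPLES_PER_BIT = 20                 # assumed magnetometer samples per bit period


def ook_modulate(bits, spb=SAMPLES_PER_BIT, cycles_per_bit=2, amp=1.0, noise=0.05, seed=1):
    """Constructed magnetometer trace: a '1' bit is the carrier present for one
    bit period, a '0' bit is the carrier absent; Gaussian noise stands in for
    the ambient field the phone's sensor also sees."""
    rng = random.Random(seed)
    trace = []
    for b in bits:
        for i in range(spb):
            carrier = amp * math.cos(2 * math.pi * cycles_per_bit * i / spb) if b else 0.0
            trace.append(carrier + rng.gauss(0.0, noise))
    return trace


def rms(samples, start, n):
    seg = samples[start:start + n]
    return math.sqrt(sum(s * s for s in seg) / len(seg))


def bit_levels(samples, start, nbits, spb):
    """SAMPLE state: the signal level in each bit-sized window from `start`."""
    return [rms(samples, start + k * spb, spb) for k in range(nbits)]


def find_preamble(samples, spb=SAMPLES_PER_BIT, preamble=PREAMBLE, accept=0.9):
    """PREAMBLE state: score every sample offset by how well its window levels
    follow the header's on/off pattern, take the first offset that reaches
    `accept` of the best score (so a payload that repeats the pattern later
    cannot win), then snap to the local peak to fix the bit alignment."""
    frame = len(preamble) * spb
    scores = []
    for p in range(len(samples) - frame + 1):
        lv = bit_levels(samples, p, len(preamble), spb)
        scores.append(sum(l if b else -l for l, b in zip(lv, preamble)))
    if not scores or max(scores) <= 0:
        return None
    first = next(p for p, s in enumerate(scores) if s >= accept * max(scores))
    local = scores[first:first + spb]
    return first + max(range(len(local)), key=local.__getitem__)


def decode_frame(samples, payload_bits, spb=SAMPLES_PER_BIT, preamble=PREAMBLE):
    """DEMODULATE state: the preamble's own on and off levels set the decision
    threshold, then the payload is sliced one bit window at a time."""
    start = find_preamble(samples, spb, preamble)
    if start is None:
        return None
    lv = bit_levels(samples, start, len(preamble), spb)
    on = [l for l, b in zip(lv, preamble) if b]
    off = [l for l, b in zip(lv, preamble) if not b]
    threshold = (sum(on) / len(on) + sum(off) / len(off)) / 2
    payload_start = start + len(preamble) * spb
    if payload_start + payload_bits * spb > len(samples):
        return None
    levels = bit_levels(samples, payload_start, payload_bits, spb)
    return {"start": start, "threshold": threshold,
            "bits": [1 if l > threshold else 0 for l in levels]}


def demo():
    """Idle sensor noise first, then a frame carrying a constructed 8-bit payload."""
    payload = [1, 1, 0, 0, 1, 1, 0, 1]
    rng = random.Random(7)
    idle = [rng.gauss(0.0, 0.05) for _ in range(37)]
    trace = idle + ook_modulate(PREAMBLE + payload)
    return decode_frame(trace, len(payload)), payload


if __name__ == "__main__":
    result, payload = demo()
    print("sent", payload, "received", result["bits"], "frame starts at sample", result["start"])
```

B-FSK differs only in the bit decision: the receiver would compare the carrier frequency in each window (the two frequencies in the figure) instead of its level.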

Video Demonstrations of the Malware

The researchers provided two videos showing the attacks sending data to nearby receivers through Faraday protections.

MAGNETO

ODINI

Differences in the Malware

The two malware samples developed by the researchers, dubbed MAGNETO and ODINI, achieve the same result, the exfiltration of data, but there are a few differences. MAGNETO uses a regular smartphone as its receiver, while ODINI requires a dedicated magnetic sensor. This makes MAGNETO's mode of transfer harder to detect, because a smartphone is far less conspicuous. On the other hand, they found that MAGNETO's working distance and speed were much lower than ODINI's.

Mitigations

While developed as a proof of concept, this shows the potential threat posed to air-gapped systems. Fortunately, the attacks depend on both the air-gapped device and the receiver being infected, so ensuring that good security practices are in place can help prevent compromise. The researchers recommended countermeasures to mitigate the issue, such as magnetic shielding, signal jamming, or zoning procedures.

Sources:

MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields (Ben-Gurion University of the Negev Cyber Security Research Center)

ODINI: Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields (Ben-Gurion University of the Negev Cyber Security Research Center)

New MAGNETO & ODINI Techniques Steal Data From Faraday Cage-Protected Equipment (Bleeping Computer)

Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers (The Hacker News)

Stealthy Data Exfiltration Possible via Magnetic Fields (Security Week)

 

ICS Summary for Week of October 27, 2017

Critical Vulnerabilities Found in SATCOM Systems

Researchers at IOActive have found two critical vulnerabilities in the AmosConnect 8 SATCOM system.  Created by the telecommunications company Inmarsat, the AmosConnect 8 system provides access to e-mail, instant messages, position reporting, crew internet, automatic file transfer, and application integration in a maritime environment.  It is meant to minimize satellite connectivity costs by optimizing the compression of the data being transmitted.

The first of the critical vulnerabilities they found was a blind SQL injection in the login form.  A blind SQL injection is similar to a classic SQL injection but differs in that it does not rely on an error message or query output being returned from the server.  Instead, it asks the database true-or-false questions and infers the answers from how the application responds.

According to IOActive researchers, this vulnerability in AmosConnect 8 could allow an unauthenticated attacker to acquire stored credentials.  Usernames and passwords are stored in plaintext on the server.

Source: IOActive

 

When a user logs into AmosConnect, the client sends a POST request containing the parameters MailUser and emailAddress.  These are the parameters that can be exploited in a blind SQL injection, giving an attacker access to the backend SQLite database.  The login credentials can then be retrieved by the attacker using the queries:

SELECT key, value from MOBILE_PROPS WHERE key LIKE 'USER.%.password';

SELECT key, value from MOBILE_PROPS WHERE key LIKE 'USER.%.email_address';

The findByEmail() function in mail_user.php creates a COM object that invokes native C++ code.  There, the Neptune::ConfigManager::findAllBy() function builds the query by insecurely concatenating the user-supplied values into the SQL string.  This allows an attacker to inject their own SQL and retrieve data from the database.
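As an added illustration of the flaw described above (not IOActive's or Inmarsat's code), the following Python stands in for the MOBILE_PROPS lookup using SQLite, the backend the article names, and places the concatenated query beside a parameterised one. The table contents and column layout are constructed; binding the parameter fixes only the injection, not the plaintext storage of the credentials.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the MOBILE_PROPS key/value table quoted above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MOBILE_PROPS (key TEXT PRIMARY KEY, value TEXT)")
    db.executemany("INSERT INTO MOBILE_PROPS VALUES (?, ?)", [
        ("USER.alice.email_address", "alice@example.test"),  # constructed rows
        ("USER.alice.password", "placeholder-pw-1"),
        ("USER.bob.email_address", "bob@example.test"),
        ("USER.bob.password", "placeholder-pw-2"),
    ])
    return db


def find_by_email_vulnerable(db, email):
    """Mirrors the insecure concatenation: the request parameter becomes SQL text."""
    sql = "SELECT key FROM MOBILE_PROPS WHERE value = '" + email + "'"
    return [row[0] for row in db.execute(sql)]


def find_by_email_safe(db, email):
    """Bound parameter: the engine receives the value as data, never as SQL."""
    sql = "SELECT key FROM MOBILE_PROPS WHERE value = ?"
    return [row[0] for row in db.execute(sql, (email,))]


def login_probe(lookup, db, email):
    """A login form reveals only match / no match, which is exactly the
    true-or-false oracle that a blind injection relies on."""
    return bool(lookup(db, email))


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # textbook probe: turns the WHERE clause into "always true"
    print("vulnerable:", login_probe(find_by_email_vulnerable, db, tautology))  # True
    print("safe:      ", login_probe(find_by_email_safe, db, tautology))        # False
```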

The second vulnerability found was a privileged backdoor account.  The AmosConnect 8 server had a built-in backdoor account with full privileges.  Through the AmosConnect Task Manager, an attacker could execute high-level commands remotely.  First, the Post Office ID was plainly shown on the login page.

Source: IOActive

In the authentication method of mail_user.php, the researchers found a function called authenticateBackdoorUser().  Looking closer, they found that an attacker could obtain the SysAdmin password through use of the Post Office ID.

Source: IOActive

IOActive notes that most networks on vessels are segmented and isolated, typically into the following segments:

  • Navigation Systems Network
  • Industrial Control Systems Network
  • IT Systems Network
  • Bring Your Own Device Network
  • SATCOM Network

The vulnerabilities the researchers found could only be exploited through access to the IT Systems Network.  They did note that not all vessels have the same segmentation on their networks and that the AmosConnect 8 might have exposure to other areas.  This would allow an attacker to gain access to other areas of the network.  The researchers warned that “These vulnerabilities pose a serious security risk.  Attackers might be able to obtain corporate data, take over the server to mount further attacks, or pivot within the vessel networks.”

Inmarsat has discontinued the AmosConnect 8 as of June 2017.  The company has stated that they released a patch to the AmosConnect 8, despite it reaching its end of life, that greatly reduces the risks of exploitation.  Their public website also no longer allows users to download or activate the product.  Inmarsat also released a statement saying that “this vulnerability would have been very difficult to exploit as it would require direct access to the shipboard PC that ran the AC8 email client. This could only be done by direct physical access to the PC, which would require an intruder to gain access to the ship and then to the computer.  While remote access was deemed to be a remote possibility as this would have been blocked by Inmarsat’s shoreside firewalls.”

Sources: AmosConnect: Maritime Communications Security Has Its Flaws (IOActive), Two Critical Vulnerabilities Found in Inmarsat's SATCOM Systems (Threat Post), Critical flaw in maritime comms system could endanger entire ships (HelpNetSecurity)


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu

ICS Summary for Week of October 20, 2017

SpiderControl MicroBrowser Found Vulnerable

ICS-CERT has released an advisory for SpiderControl's MicroBrowser.  Security researcher Karn Ganeshen reported a vulnerability in the Swiss-based company's touch panel operating system that, if exploited, would allow an attacker to execute arbitrary code on the system (ICS-CERT, 2017).  SpiderControl creates products for programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) devices, and human machine interface (HMI) systems, and these systems are used in a variety of sectors.  The MicroBrowser is a viewer for HMIs designed with CoDeSys or SpiderControl Editor.  It is deployed on a variety of PLCs and is used primarily in the Critical Manufacturing sector in Europe.

SpiderControl Microbrowser Display

The vulnerability is an uncontrolled search path element (CWE-427).  This means that "the product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors" (Mitre, 2017).  In this instance, if an attacker placed a specially crafted dynamic-link library (DLL) file in the search path ahead of the legitimate DLL, the application would load it and the attacker's code would execute on the system.
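As an added illustration of CWE-427 (not SpiderControl's code), this Python helper walks a loader-style search order and reports which directory would win for a given library name and whether any directory searched before the winner lies outside the trusted install root, which is what an audit of an application's search path looks for. The directory and file names are placeholders.

```python
import os
import tempfile


def resolve_library(name, search_order, trusted_roots):
    """Walk `search_order` the way a loader would (first match wins) and report
    the winning directory plus every directory searched before it that lies
    outside `trusted_roots`; each of those is a location where a file with the
    same name would be loaded instead of the legitimate one."""
    trusted = [os.path.realpath(r) for r in trusted_roots]

    def is_trusted(directory):
        d = os.path.realpath(directory)
        for t in trusted:
            try:
                if os.path.commonpath([d, t]) == t:
                    return True
            except ValueError:  # different drives on Windows: not under this root
                pass
        return False

    report = {"name": name, "winner": None, "winner_trusted": None,
              "untrusted_before_winner": []}
    for directory in search_order:
        if os.path.isfile(os.path.join(directory, name)):
            report["winner"] = os.path.realpath(directory)
            report["winner_trusted"] = is_trusted(directory)
            break
        if not is_trusted(directory):
            report["untrusted_before_winner"].append(os.path.realpath(directory))
    return report


def demo():
    """Constructed layout: the install directory holds the legitimate library,
    but the search order consults a user-writable directory first."""
    with tempfile.TemporaryDirectory() as root:
        install = os.path.join(root, "App")        # placeholder install directory
        writable = os.path.join(root, "Downloads")  # placeholder untrusted directory
        os.makedirs(install)
        os.makedirs(writable)
        with open(os.path.join(install, "example.dll"), "w") as f:  # placeholder name
            f.write("legitimate")
        clean = resolve_library("example.dll", [writable, install], [install])
        with open(os.path.join(writable, "example.dll"), "w") as f:
            f.write("same name, earlier in the search order")
        hijacked = resolve_library("example.dll", [writable, install], [install])
        return clean, hijacked


if __name__ == "__main__":
    for label, report in zip(("clean", "hijacked"), demo()):
        print(label, report)
```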

As of now, there are no known public exploits specifically targeting this vulnerability.  However, an attacker with low skill could exploit it, and it is remotely exploitable, which means it poses a definite threat to a system's security.  SpiderControl has released a software update for the MicroBrowser, Version 1.6.30.148, addressing the vulnerability.  Users are urged to update to the new version as soon as possible.

Vulnerable Devices:

  • SpiderControl Microbrowser Windows XP, Vista, 7, 8, 10 – Versions 1.6.30.144 and prior

Sources: ICSA-17-292-01 (ICS-CERT), CWE-427: Uncontrolled Search Path Element (Mitre)

 

ICS Summary for Week of October 12, 2017

JanTek TCP/IP Converter Vulnerabilities Found – No Patch Available

Security researcher Karn Ganeshen found two vulnerabilities in the JTC-200 TCP/IP converter.  The product, from Taiwan-based company JanTek, is primarily used in the Critical Manufacturing sector in Europe and Asia.  The vulnerabilities, if exploited, could allow an attacker to execute code remotely on the device with administrative privileges.

The two vulnerabilities found were a cross-site request forgery (CSRF) and improper authentication.  The improper authentication vulnerability (CVE-2016-5791) was deemed critical with a CVSS score of 9.8.  It could allow an unauthenticated attacker to access the BusyBox Linux shell over the Telnet service; this access is undocumented.  The CSRF vulnerability (CVE-2016-5789) was given a CVSS score of 8.0, and ICS-CERT states that "An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request."  If these vulnerabilities are exploited, an unauthorized remote user could execute code on the device with high-level privileges.

JanTek has decided not to create a patch for the vulnerabilities affecting the device.  Instead, the company has stated that it is developing a newer model, the JTC-300, scheduled for release in late 2017.  Because of the lack of any manufacturer mitigations, ICS-CERT offered some recommendations to help minimize risk when using this product: minimize network exposure for all control system devices and do not allow internet access; keep control system networks separate and isolated from the business network; and, if remote access is necessary, ensure that all remote access methods are fully updated.

Vulnerable Devices:

  • JanTek JTC-200 – All versions

Sources: ICSA-17-283-02 (ICS-CERT)


ProMinent MultiFLEX Controllers Found Vulnerable

ICS-CERT has released an advisory regarding five vulnerabilities found in US-based company ProMinent’s MultiFLEX M10a Controller.  The exploitation of these vulnerabilities could lead to an attacker bypassing defense measures, “assuming the identity of authenticated users”, and being able to alter the configuration of the device.  These devices are used worldwide in water and wastewater systems.

Security researcher Maxim Rupp found and disclosed the vulnerabilities to ICS-CERT.  Two of these vulnerabilities were given a CVSS score of 8.8: a cross-site request forgery (CSRF) and an unverified password change.  The MultiFLEX M10a Controller's web interface did not properly verify requests, making it susceptible to CSRF; exploitation would allow an unauthorized attacker to change the configuration of the device.  The other high-scoring vulnerability was in setting a new password for a user: the old password was not required for the change, so an authenticated attacker could change a user's password to retain access in the future.

The other, medium-scoring vulnerabilities were client-side enforcement of server-side security, insufficient session expiration, and information exposure.  The application's logout function only removed the user's session on the client side, which could allow an attacker to assume the identity of the authenticated user.  Sessions also remained valid for an extended period after the last activity, which would allow an attacker to reuse an old session to gain authorization.  The information exposure vulnerability occurred when the "Change Password" option was used: the user's current password was displayed in plain text.
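The CSRF, unverified password change, client-side-only logout and session expiration issues above (and the CSRF weakness noted for the JanTek JTC-200 earlier) all come down to server-side session handling. The following added Python model, not ProMinent's or JanTek's code, shows one way a controller's web interface can enforce all four; the idle timeout, the in-memory stores and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed idle limit in seconds; the advisory gives no figure


class WebSessions:
    """In-memory model of a web interface's session and password handling
    (constructed example). `clock` is injectable so the idle timeout can be
    exercised without waiting."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, pbkdf2 digest); never the plaintext
        self.sessions = {}  # session id -> {"user", "csrf", "last"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def _check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))

    def login(self, username, password):
        """Returns a session id or None. Each session gets its own CSRF token,
        which the client must echo back on every state-changing request."""
        if not self._check_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username,
                              "csrf": secrets.token_urlsafe(32),
                              "last": self.clock()}
        return sid

    def _session(self, sid):
        """Server-side check on every request: unknown or idle-expired sessions
        are rejected and removed (fixes insufficient session expiration)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last"] = now
        return s

    def csrf_token(self, sid):
        s = self._session(sid)
        return s["csrf"] if s else None

    def logout(self, sid):
        """Invalidate on the server; clearing the client's cookie alone leaves
        the session usable (client-side enforcement of server-side security)."""
        self.sessions.pop(sid, None)

    def change_password(self, sid, csrf, old_password, new_password):
        """A state-changing request must carry the session's CSRF token, and a
        password change must prove knowledge of the current password."""
        s = self._session(sid)
        if s is None:
            return "no-session"
        if not hmac.compare_digest(s["csrf"].encode(), (csrf or "").encode()):
            return "bad-csrf"  # forged cross-site request: no token, or another session's
        if not self._check_password(s["user"], old_password):
            return "bad-old-password"
        self.add_user(s["user"], new_password)
        return "ok"


if __name__ == "__main__":
    ws = WebSessions()
    ws.add_user("operator", "old-secret")  # constructed account
    sid = ws.login("operator", "old-secret")
    print(ws.change_password(sid, None, "old-secret", "new-secret"))           # bad-csrf
    print(ws.change_password(sid, ws.csrf_token(sid), "old-secret", "new"))    # ok
```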

ProMinent has not yet released any mitigations for these vulnerabilities.  Because of the lack of any manufacturer patches, ICS-CERT offered some recommendations to help minimize risk when using this product: minimize network exposure for all control system devices and do not allow internet access; keep control system networks separate and isolated from the business network; and, if remote access is necessary, ensure that all remote access methods are fully updated.

Vulnerable Devices:

  • MultiFLEX M10a Controller web interface – All versions

Sources: ICSA-17-285-01



ICS Summary for Week of October 6, 2017

Siemens Data Manager Found Vulnerable

ICS-CERT reported this week that security researcher Maxim Rupp found a vulnerability in Siemens' 7KT PAC1200 data manager.  The vulnerability allows a remote attacker to bypass authentication and perform high-level administrative functions on the exploited device.  Siemens has released a firmware update to address this critical vulnerability.

The 7KT PAC1200 measuring device is part of Siemens' SENTRON portfolio, is designed to monitor power usage, and is used worldwide in the energy sector.  Sensors perform the power measurement, and the device reports the information graphically or as values through a web browser or an application (iOS and Android).

Siemens 7KT PAC1200

The integrated web server, accessible through TCP port 80, contained a vulnerability that gave a remote, unauthenticated attacker the ability to bypass authentication using an alternate path or channel.  If exploited, this allowed the attacker to perform administrative commands over the network.  Through the web interface, the attacker could read power usage statistics or even alter settings in various areas, such as the sensors and the Modbus protocol.

The vulnerability was given a high CVSS score of 9.8 (out of 10).  Users are strongly advised to update their firmware as soon as possible and to take defensive precautions on network access to the server.  To do this, ICS-CERT recommends that users minimize network exposure for all control system devices, isolate these devices from the business network, and, if remote access is required, understand the risks involved in implementing a Virtual Private Network (VPN) or similar method.

Vulnerable Devices:

  • Siemens 7KT PAC1200 – Any version prior to V2.03

Sources: ICSA-17-278-02 (ICS-CERT), Critical Flaw Found in Siemens Smart Meters (Security Week)



ICS Summary for Week of September 22, 2017

SCADA Webserver Found Lacking Proper Authentication

A SCADA webserver made by the Swiss-based company iniNet Solutions GmbH was found to have a critical vulnerability that may allow an attacker to access human-machine interface (HMI) pages without authentication.  The third-party software is used worldwide, primarily in the critical manufacturing sector.  The vulnerability was found by Matthias Niedermaier and Florian Fischer of Augsburg University of Applied Sciences, and it affects the iniNet Solutions GmbH SCADA Webserver in all versions prior to V2.02.0100.

The webserver had an improper authentication (CWE-287) vulnerability with the highest criticality rating of 10.0.  iniNet Solutions GmbH has stated that the "webserver is designed to used in a protected environment", which may explain the lack of authentication.  The vulnerability allows an attacker to bypass authentication and access various pages on the webserver.  Some of these pages, such as the HMI pages, hold sensitive data that the attacker could read, and the attacker would also be able to modify and control PLC variables.

The company has released a new version of the webserver, V2.02.011, that allows users to implement basic authentication.  It can be downloaded at http://spidercontrol.net/download/downloadarea/?lang=en, and the instructions for enabling it are in the V2.02.011 user manual.  The company also provided some best practices for keeping systems secure: never connect a PLC to the internet unless absolutely necessary and, if so, use a managed infrastructure; minimize network exposure for all control devices and systems; and isolate all control system networks and remote devices from the business network.  Currently, no public exploits specifically targeting this vulnerability have been found.

Source: ICSA-17-264-04 (ICS-CERT)


Vulnerability Found in Schneider Electric Equipment

Researcher Aaron Portnoy, formerly of Exodus Intelligence, found a critical vulnerability in Schneider Electric's InduSoft Web Studio and InTouch Machine Edition.  These systems are used in the critical manufacturing, energy, healthcare and public health, and water and wastewater systems sectors around the world.  InduSoft Web Studio is a set of automation tools that give users a starting point for building human machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, and embedded instrumentation solutions.  InTouch Machine Edition is a highly flexible HMI that is set up to provide varying levels of control.  This means that if either of these systems is compromised, the attacker would have a great deal of control over the system.

The vulnerability was a Missing Authentication for Critical Function (CWE-306) and was given a high CVSS score of 9.8 (out of 10).  ICS-CERT described the vulnerability: "InduSoft Web Studio provides the capability for an HMI client to trigger script execution on the server for the purposes of performing customized calculations or actions. A remote malicious entity could bypass the server authentication and trigger the execution of an arbitrary command. The command is executed under high privileges and could lead to a complete compromise of the server."  The fact that it is remotely exploitable and relatively easy to exploit makes this a serious security flaw.

The affected systems were:

  • InduSoft Web Studio v8.0 SP2 or prior
  • InTouch Machine Edition v8.0 SP2 or prior

Schneider Electric has released a patch for this vulnerability for both products which they recommend users apply as soon as possible.

Sources: ICSA-17-264-01 (ICS-CERT), Schneider Electric Cyber Security Updates (Schneider Electric)



ICS Summary for Week of September 14, 2017

Syringe Infusion Pumps Vulnerable to Remote Attacks

ICS-CERT has published an advisory detailing eight vulnerabilities found in Medfusion 4000 Wireless Syringe Infusion Pump manufactured by US-based device maker Smiths Medical.  These systems are meant to deliver accurate small doses of medication to patients in critical care situations, such as intensive care or in the operating room.  They are widely used worldwide in the Healthcare and Public Health sector.  The specific infusion pump versions affected were:

  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1
  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5
  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6

ICS-CERT warned that "Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump."  These exploits could give a malicious actor the potential to cause great harm to patients on the infusion pumps.  Fortunately, a high skill level is necessary to use these exploits, and there are currently no public exploits that target the vulnerabilities.

Medfusion 4000 (Source: Smiths Medical)

Vulnerabilities

The most critical of the vulnerabilities was the use of hard-coded credentials (CVE-2017-12725), given a CVSS score of 9.8.  If the default network configuration is not changed, the pump establishes a wireless network connection using hard-coded usernames and passwords, even if it is actively connected to Ethernet.  Four other high-risk vulnerabilities were found in the devices:

  • Buffer copy without checking size of input ('Classic Buffer Overflow') – The input buffer size was not verified prior to copying, which led to a buffer overflow and allowed remote code execution on the device.
  • Improper Access Control – The pump has an FTP server and, if it allows FTP connections, does not require authentication for access.
  • Use of Hard-Coded Credentials – If the FTP server is allowing connections, a malicious actor could gain access using hard-coded credentials.
  • Improper Certificate Validation – There is no validation of the host certificate, which leaves the pump vulnerable to man-in-the-middle (MitM) attacks.

Smiths Medical is planning to address these vulnerabilities in its upcoming release in January 2018.  For now, it gave some recommendations for users to help with mitigation:

  • Assign static IP addresses to the devices
  • Monitor network activity for rogue DNS and DHCP servers
  • Make sure the network segment the pumps are on is segmented from other IT infrastructure
  • Consider use of network virtual local area networks (VLANs) for segmentation
  • Use proper password hygiene standards
  • Do not allow password re-use
  • Routinely make backups and perform evaluations

Sources: ICSMA-17-50-02 (ICS-CERT), Syringe infusion pumps can be fiddled with by remote attackers (HelpNetSec), Hacks Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses (The Hacker News)

