Skip to content

Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB

Positive Technologies, which in September said it has a way to drill into Intel’s secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration.

The biz has already promised to demonstrate a so-called God-mode hack this December, saying they’ve found a way for “an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard.”

 

For those who don’t know, for various processor chipset lines, Intel’s Management Engine sits inside the Platform Controller Hub, and acts as a computer within your computer. It runs its own OS, on its own CPU, and allows sysadmins to remotely control, configure and wipe machines over a network. This is useful when you’re managing large numbers of computers\, especially when an endpoint’s operating system breaks down and the thing won’t even boot properly.

Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine.

With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited ta a later date. Alternatively, an attacker can slip into the USB port and meddle the engine as required right there and then.

There have been long-running fears IME is insecure, which is not great as it’s built right into the chipset: it’s a black box of exploitable bugs, as was confirmed in May when researchers noticed you could administer the Active Management Technology software suite running on the microcontroller with an empty credential string over a network.

The JTAG revelation came to Vulture South‘s attention via a couple of tweets:

The linked blog post, in Russian, explains that since Skylake, Intel’s Platform Controller Hub, which manages external interfaces and communications, has offered USB access to JTAG interfaces. The new capability is DCI, Direct Connect Interface.

Aside from any remote holes found in the engine’s firmware code, any attack against IME needs physical access to a machine’s USB ports which as we know is really difficult.

We still don’t know all the details Positive Technologies will show off at Black Hat, but their trailers are sure fun to watch. ®

Bootnote

The IME is able to control a computer because it runs an OS of its own, namely MINIX: a small and simple microkernel system designed to teach computer-science students how hardware and operating systems work. And it turns out that while Intel talked to MINIX’s creator about using it, the tech giant never got around to saying it had put it into recent CPU chipsets it makes.

Which has the permissively licensed software’s granddaddy, Professor Andrew S. Tanenbaum, just a bit miffed. As Tanenbaum wrote this week in an open letter to Intel CEO Brian Krzanich:

The only thing that would have been nice is that after the project had been finished and the chip deployed, that someone from Intel would have told me, just as a courtesy, that MINIX was now probably the most widely used operating system in the world on x86 computers. That certainly wasn’t required in any way, but I think it would have been polite to give me a heads up, that’s all.

 

Reference:

https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/

Advertisements

Buffer Overflows – Video

A good intro to Buffer Overflows in memory.

TOR – Hidden Services – Dark Web

Great introduction to the Dark Web, and how it works, based on  “hidden services”.

End to End Encryption – Computerphile

Theresa May has suggest a plan to ban End to End Encryption.  Here is a discussion of what that means.  In plain terms the suggestion is misguided.  Alas, stupidity seems to the norm for politicians and technology, and we all sigh in frustration when we hear the latest policies.

SHA Hash Function – Computerphile

Hashing functions are like a signature of a file, in the form of a fixed length string to prove data integrity.

MD5 and SHA1 have weaknesses, therefore SHA2 is preferred.

 

Problems with SHA1

Weak against nation states with vast computing power

Nothing to Hide – The Documentary about Surveillance

 

Bad Rabbit: Ten things you need to know about the latest ransomware outbreak

A new ransomware campaign has hit a number of high profile targets in Russia and Eastern Europe.

Dubbed Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, and the way in which organisations appear to have been hit simultaneously immediately drew comparisons to this year’s WannaCry and Petya epidemics.

 Following the initial outbreak, there was some confusion about what exactly Bad Rabbit is. Now the initial panic has died down, however, it’s possible to dig down into what exactly is going on.

1. The cyber-attack has hit organisations across Russia and Eastern Europe

Organisations across Russian and Ukraine — as well as a small number in Germany, and Turkey — have fallen victim to the ransomware. Researchers at Avast say they’ve also detected the malware in Poland and South Korea.

Russian cybersecurity company Group-IB confirmed at least three media organisations in the country have been hit by file-encrypting malware, while at the same time Russian news agency Interfax said its systems have been affected by a “hacker attack” — and were seemingly knocked offline by the incident.

Other organisations in the region including Odessa International Airport and the Kiev Metro also made statements about falling victim to a cyber-attack, while CERT-UA, the Computer Emergency Response Team of Ukraine, also posted that the “possible start of a new wave of cyberattacks to Ukraine’s information resources” had occurred, as reports of Bad Rabbit infections started to come in.

At the time of writing, it’s thought there are almost 200 infected targets and indicating that this isn’t an attack like WannaCry or Petya was — but it’s still causing problems for infected organisations.

“The total prevalence of known samples is quite low compared to the other “common” strains,” said Jakub Kroustek, malware analyst at Avast.

2. It’s definitely ransomware

Those unfortunate enough to fall victim to the attack quickly realised what had happened because the ransomware isn’t subtle — it presents victims with a ransom note telling them their files are “no longer accessible” and “no one will be able to recover them without our decryption service”.

bad-rabbit-ransom-note-eset.png
Bad Rabbit ransom note.

Image: ESET

 

Victims are directed to a Tor payment page and are presented with a countdown timer. Pay within the first 40 hours or so, they’re told, and the payment for decrypting files is 0.05 bitcoin — around $285. Those who don’t pay the ransom before the timer reaches zero are told the fee will go up and they’ll have to pay more.

badrabbit.png
Bad Rabbit payment page.

Image: Kaspersky Lab

 

The encryption uses DiskCryptor, which is open source legitimate and software used for full drive encryption. Keys are generated using CryptGenRandom and then protected by a hardcoded RSA 2048 public key.

3. It’s based on Petya/Not Petya

If the ransom note looks familiar, that’s because it’s almost identical to the one victims of June’s Petya outbreak saw. The similarities aren’t just cosmetic either — Bad Rabbit shares behind-the-scenes elements with Petya too.

Analysis by researchers at Crowdstrike has found that Bad Rabbit and NotPetya’s DLL (dynamic link library) share 67 percent of the same code, indicating the two ransomware variants are closely related, potentially even the work of the same threat actor.

4. It spreads via a fake Flash update on compromised websites

The main way Bad Rabbit spreads is drive-by downloads on hacked websites. No exploits are used, rather visitors to compromised websites — some of which have been compromised since June — are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.

eset-flash-update-bad-rabbit.png
A compromised website asking a user to install a fake Flash update which distributes Bad Rabbit.

Image: ESET

Infected websites — mostly based in Russia, Bulgaria, and Turkey — are compromised by having JavaScript injected in their HTML body or in one of their .js files.

5. It can spread laterally across networks…

Much like Petya, Bad Rabbit comes with a potent trick up its sleeve in that it contains an SMB component which allows it to move laterally across an infected network and propagate without user interaction, say researchers at Cisco Talos.

What aids Bad Rabbit’s ability to spread is a list of simple username and password combinations which it can exploit to brute-force its way across networks. The weak passwords list consists of a number of the usual suspects for weak passwords such as simple number combinations and ‘password’.

6. … but it doesn’t use EternalBlue

When Bad Rabbit first appeared, some suggested that like WannaCry, it exploited the EternalBlue exploit to spread. However, this now doesn’t appear to be the case.

“We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection,” Martin Lee, Technical Lead for Security Research at Talos told ZDNet.

7. It may not be indiscriminate

At the same point following the WannaCry outbreak, hundreds of thousands of systems around the world had fallen victim to ransomware. However, Bad Rabbit doesn’t appear to indiscriminately infecting targets, rather researchers have suggested that it only infects selected targets.

“Our observations suggest that this been a targeted attack against corporate networks,” said Kaspersky Lab researchers.

Meanwhile, researchers at ESET say instructions in the script injected into infected websites “can determine if the visitor is of interest and then add content to the page” if the target is deemed suitable for infection.

However, at this stage, there’s no obvious reason why media organisations and infrastructure in Russia and Ukraine has been specifically targeted in this attack.

8. It isn’t clear who is behind it

At this time, it’s still unknown who is distributing the ransomware or why, but the similarity to Petya has led some researchers to suggest that Bad Rabbit is by the same attack group — although that doesn’t help identify the attacker or the motive either, because the perpetrator of June’s epidemic has never been identified.

What marks this attack out is how it has primarily infected Russia – Eastern Europe cybercriminal organisations tend to avoid attacking the ‘motherland’, indicating this unlikely to be a Russian group.

9. It contains Game of Thrones references

Whoever it behind Bad Rabbit, they appear to be a fan of Game of Thrones: the code contains references to Viserion, Drogon, and Rhaegal, the dragons which feature in television series and the novels it is based on. The authors of the code are therefore not doing much to change the stereotypical image of hackers being geeks and nerds.

kasperky-bad-rabbit-got-references.png
References to Game of Thrones dragons in the code.

Image: Kaspersky Lab


10. You can protect yourself against becoming infected by it

At this stage, it’s unknown if it’s possible to decrypt files locked by Bad Rabbit without giving in and paying the ransom – although researchers say that those who fall victim shouldn’t pay the fee, as it will only encourage the growth of ransomware.

A number of security vendors say their products protect against Bad Rabbit. But for those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of file ‘c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.’ in order to prevent infection.

Reference:

http://www.zdnet.com/article/bad-rabbit-ten-things-you-need-to-know-about-the-latest-ransomware-outbreak/?loc=newsletter_large_thumb_featured&ftag=TRE-03-10aaa6b&bhid=21735961543072688253262375158449

NSA bloke used backdoored MS Office key-gen, exposed secret exploits – Kaspersky

Analysis The NSA staffer who took home top-secret US government spyware installed a backdoored key generator for a pirated copy of Microsoft Office on his PC – exposing the confidential cyber-weapons on the computer to hackers.

That’s according to Kaspersky Lab, which today published a report detailing, in its view, how miscreants could have easily stolen powerful and highly confidential software exploits from the NSA employee’s bedroom Windows PC.

Earlier this month, it was alleged Russian intelligence services were able to search computers running Moscow-based Kaspersky’s antivirus tools, allowing the snoops to seek out foreign intelligence workers and steal secrets from their hard drives.

The NSA employee’s home PC was one of those tens of millions of machines running Kaspersky antivirus. Kaspersky was, therefore, accused of detecting the American cyber-weapons on the PC via its tools, tipping off Kremlin spies, and effectively helping them hack the machine to siphon off the valuable vulnerability exploits.

Well, not quite, says Kaspersky.

According to the Russian security giant, the staffer temporary switched off the antivirus protection on the PC, and infected his personal computer with malware from a product key generator while trying to use a bootleg copy of Office.

Later, once reactivated, Kaspersky’s software searched the machine as usual, removed the trojanized key-gen tool, found the secret NSA code during the scan, and uploaded it to Kaspersky’s cloud for further study by staff. Kaspersky’s technology is always on the lookout for the NSA’s secretive surveillance tools in the wild – such as the hard drive firmware spyware it revealed in 2015 – so it’s no surprise the archive of source code and other files was detected and copied for analysis.

Users can configure Kaspersky’s software to not send suspicious samples back to Mother Russia for scrutiny, however, in this case, the NSA staffer didn’t take that option, allowing the highly sensitive files to escape.

Once in the hands of a reverse-engineer, it became clear this was leaked NSA software. The CEO Eugene Kaspersky was alerted, copies of the data were deleted, and “the archive was not shared with any third parties,” we’re told.

Kaspersky’s argument is that anyone could have abused the backdoored key generator to remotely log into the machine and steal the secrets the NSA employee foolishly took home, rather than state spies abusing its antivirus to snoop on people.

Kaspersky does share intelligence of upcoming cyber-security threats, such as new strains of spyware and other software nasties, with its big customers and governments. However, in this case, it is claimed, the American tools went no further, the argument being that if the Russians got hold of the leaked exploits, it wasn’t via Kaspersky Lab.

That the biz deleted the archive almost immediately raised eyebrows in the infosec world.

Here’s a summary of what Kaspersky said happened:

Timeline

On September 11, 2014, Kaspersky’s software detected the Win32.GrayFish.gen trojan on the NSA staffer’s PC. Some time after that, the employee disabled the antivirus to run an activation-key generator designed to unlock pirated copies of Microsoft Office 2013. The malicious executable was downloaded along with an ISO file of Office 2013.

As is so often the case with rogue key-gens, the software came with malware included, which was why the employee had to disable his AV. Fast forward to October 4, and Kaspersky’s software was allowed to run again, and the fake key-gen tool’s bundled malware, Win32.Mokes.hvl, which has been on the security shop’s naughty list since 2013, was clocked by the defense software.

“To install and run this keygen, the user appears to have disabled the Kaspersky products on his machine,” Kaspersky Lab said in its report.

“Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the keygen malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the keygen was run. Executing the keygen would not have been possible with the antivirus enabled.”

The user was warned his computer was infected, so he told the toolkit to scan and remove all threats. The antivirus duly deleted the Mokes malware, but also found several new types of NSA code – which appeared to be similar to the agency’s Equation Group weapons that Kaspersky was already familiar with – which were pinged back to Russian servers for analysis.

According to the security firm’s account, one of its researchers recognized that they had received some highly advanced malware, and reported the discovery to Kaspersky’s CEO Eugene:

One of the files detected by the product as new variants of Equation APT malware was a 7zip archive.

The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware.

After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

Kapsersky said it never received any more malware samples from that particularly user, and went public with its Equation Group findings in February 2015. It says that after that disclosure, it began to find more Equation Group malware samples in the same IP range as the original discovery – honeypots to snare whoever may have stolen copies of the cyber-weapons, presumably.

“These seem to have been configured as ‘honeypots’, each computer being loaded with various Equation-related samples,” Kaspersky Lab said. “No unusual (non-executable) samples have been detected and submitted from these ‘honeypots’ and detections have not been processed in any special way.”

Reference:

http://blog.internetcases.com/2017/10/24/reverse-engineering-of-competitors-software-cost-company-big/

KALI Linux: Revealed – Free Book

Kali Linux Revealed is available to buy on Amazon.co.uk – or it can be downloaded free from this link:

https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf

 

For anyone interested in pentesting, Kali Linux is a must have operating system.

KRACKATTACKS.com – Key Reinstallation Attack – WPA2 cracked

We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded.

DEMONSTRATION

As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks:

https://www.krackattacks.com/

The research [PDF], titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2, has been published by Mathy Vanhoef of KU Leuven and Frank Piessens of imec-DistriNet, Nitesh Saxena and Maliheh Shirvanian of the University of Alabama at Birmingham, Yong Li of Huawei Technologies, and Sven Schäge of Ruhr-Universität Bochum.
The team has successfully executed the key reinstallation attack against an Android smartphone, showing how an attacker can decrypt all data that the victim transmits over a protected WiFi. You can watch the proof-of-concept (PoC) video demonstration above.

“Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past,” the researcher say.

The researchers say their key reinstallation attack could be exceptionally devastating against Linux and Android 6.0 or higher, because “Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info).”

WPA2 Vulnerabilities and their Brief Details

The key management vulnerabilities in the WPA2 protocol discovered by the researchers has been tracked as:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.

The researchers discovered the vulnerabilities last year, but sent out notifications to several vendors on July 14, along with the United States Computer Emergency Readiness Team (US-CERT), who sent out a broad warning to hundreds of vendors on 28 August 2017.

“The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others,” the US-CERT warned. “Note that as protocol-level issues, most or all correct implementations of the standard will be affected.”

Reference:

%d bloggers like this: