Sophisticated Method to Hack Your Network Devices

Criminal hackers have to get more sophisticated now that some networks are patching their devices.

You may have heard of the casino that was breached through a thermometer in its fish tank. We get excited about new Internet-connected capabilities, but we forget that a device with weak cybersecurity can open a door for criminal hackers. You have a firewall, right? It stops the easy entry of a hacker.

But what if the hacker is already in your network? How? Somehow they were able to make the connection…

“Wicked Botnet uses passel of exploits to target IoT” by Threatpost.com has an interesting paragraph:

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”

Since earlier malware has already infected the easy-to-infect routers, the botnets now have to use exploits to infect devices. This mix of old and new tactics is typical, as the cybersecurity landscape changes quickly.

This new botnet is called “Wicked” and scans for ports 80, 81, 8443, and 8080.
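A defender's first question is whether anything on the inside is already doing that four-port sweep. The script below is an added example, not code from the original post or from the Threatpost analysis: it reads firewall connection logs in an assumed, constructed key=value format (the sample lines, the 60-second window and the four-host threshold are all assumptions) and flags any source that sends SYNs to several distinct hosts on ports 80, 81, 8080 or 8443 within a short window.

```python
"""Detect a host sweeping the port set the Wicked bot probes (80, 81, 8080, 8443).

Added example, not code from the original post or the Threatpost analysis.
The firewall log format, the sample lines and the thresholds are constructed
assumptions; adapt the regex to your own firewall's export format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the quoted Threatpost analysis.
WATCHED_PORTS = {80, 81, 8080, 8443}

# Assumed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)

# Constructed sample: 10.0.0.5 sweeps five hosts across all four ports in a few
# seconds; 10.0.0.7 is ordinary browsing; 10.0.0.9 hits 8080 twice, 75 min apart.
SAMPLE_LOG = """\
2018-05-18T10:00:01 src=10.0.0.5 dst=10.0.1.10 dport=80 flags=S
2018-05-18T10:00:02 src=10.0.0.5 dst=10.0.1.11 dport=8080 flags=S
2018-05-18T10:00:02 src=10.0.0.5 dst=10.0.1.12 dport=8443 flags=S
2018-05-18T10:00:03 src=10.0.0.5 dst=10.0.1.13 dport=81 flags=S
2018-05-18T10:00:04 src=10.0.0.5 dst=10.0.1.14 dport=80 flags=S
2018-05-18T10:00:10 src=10.0.0.7 dst=10.0.1.10 dport=80 flags=S
2018-05-18T10:00:11 src=10.0.0.7 dst=10.0.1.10 dport=443 flags=S
2018-05-18T10:30:00 src=10.0.0.9 dst=10.0.1.20 dport=8080 flags=S
2018-05-18T11:45:00 src=10.0.0.9 dst=10.0.1.21 dport=8080 flags=S
"""


def parse_events(text):
    """Yield (timestamp, src, dst, dport, flags); lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["flags"])


def find_sweeps(text, window_seconds=60, min_targets=4):
    """Return {src: (distinct_targets, sorted_ports)} for every source that sent
    SYNs to at least `min_targets` distinct hosts on the watched ports within
    any `window_seconds` window. Only SYN-only packets (flags=S) count, since the
    bot opens raw SYN connections before deciding which exploit string to send."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in parse_events(text):
        if flags == "S" and dport in WATCHED_PORTS:
            by_src[src].append((ts, dst, dport))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = None
        for i, (start, _, _) in enumerate(events):
            targets, ports = set(), set()
            for ts, dst, dport in events[i:]:       # sliding window from event i
                if ts - start > window:
                    break
                targets.add(dst)
                ports.add(dport)
            if len(targets) >= min_targets and (best is None or len(targets) > best[0]):
                best = (len(targets), sorted(ports))
        if best is not None:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (count, ports) in find_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {src}: SYN to {count} hosts on ports {ports} within 60s")
```

Only the sweeping host is reported; a workstation that opens port 80 on one server, or one that touches port 8080 twice an hour apart, stays below the threshold. Widen the window and lower the threshold when hunting for a slow scanner, at the cost of more noise from legitimate management tools.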

Unfortunately there are cloud-based problems as well:

At NolaCon 2018, Sean Metcalf discussed this very issue.

There is a specific issue Sean is concerned about: because password synchronization to the Azure cloud has to occur every 2 minutes, an attacker who captures the stored password hash can then try to guess it at their leisure.

The reality is that hackers will always try to use the very technologies you rely on to outfox you and steal your money, data, and anything else they can.

In some ways it is always a losing game, a game of catch-up if you will. We have to defend everything; the criminals only have to attack and succeed in one spot.

So we have to do the proper risk management analysis to figure out where to put most of our time and resources.

Contact us to discuss.

100 days to find adversary in Network: Do I hear 50?

How can we improve the odds of finding a criminal hacker in our networks? (My 2017 blog post “Insider Threats: No1 Cybersecurity Problem” discusses some threats inside your network, in case you want to review it.)

A great video on this topic is the following Irongeek.com video from BSides Charm 2018.

In this part of the video they explain all the logs and where the logs should be sent. The point of sending the logs to Splunk is to then create a ticket or an SMS alert for a team; after Splunk receives the data, you still have to configure it to generate those SMS alerts and tickets.

There are specific items to look for in your logs to help you find the criminal hacker:

  1. Email: monitor who accesses OWA (Outlook Web Access), and monitor the attachments sent out and file transfers.
  2. Web traffic: monitor proxy logs. What sites get accessed? Who is trying to go to dangerous websites?

Create daily reports and then you will see what is normal.

Every environment is different, with varying compliance and other needs (HIPAA compliance is likely not needed for a flower retailer).

The diagram above, from the video, is the most important one for you to understand and digest:

That is, most companies and people end up either logging everything and thus checking nothing (because you cannot drink from a firehose), or logging very little to nothing. This is why you must understand which logs are important to you.

Even though it differs from company to company, there will be a specific report that becomes the go-to report you review daily for suspicious behavior. Do not become the statistic that says you do not see the criminal hacker in your network for 100 days, or that you are told of a breach by law enforcement. At that point you will know that IT has not done its job (too late, of course).
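What such a go-to daily report looks like in code, as an added example that is not from the original post or from the BSides video: it reads a proxy log in an assumed, constructed format (the sample lines, the dangerous-site list, the 20 MB upload threshold and the "prior days" baseline are all assumptions), then answers the three questions above (who went where, who tried dangerous websites, who pushed large files or attachments out) and compares today's destinations with what earlier daily reports established as normal.

```python
"""Build the daily 'go-to' review report from a proxy log.

Added example, not code from the original post or the BSides video. The log
format, the sample lines, the dangerous-site list and the upload threshold are
constructed assumptions; in practice the same logic runs as a scheduled Splunk
search or a script over your proxy's exported logs.
"""
from collections import Counter, defaultdict

# Assumed format, one request per line:
# "<timestamp> <user> <destination host> <method> <bytes sent out> <status>"
SAMPLE_PROXY_LOG = """\
2018-05-18T08:01:00 alice mail.example.com GET 1200 200
2018-05-18T08:05:00 alice news.example.org GET 800 200
2018-05-18T09:10:00 bob files.example.net POST 52000000 200
2018-05-18T09:12:00 bob news.example.org GET 900 200
2018-05-18T10:20:00 carol known-bad.example GET 300 403
2018-05-18T10:21:00 carol known-bad.example GET 300 403
2018-05-18T11:00:00 alice mail.example.com GET 1100 200
2018-05-18T13:30:00 dave paste.example.io POST 25000000 200
"""

# Stand-in for a threat-intel or category feed of dangerous websites (constructed).
DANGEROUS_SITES = {"known-bad.example"}
# Outbound transfers at or above this size are reported as possible exfiltration
# of attachments or files (threshold is an assumption; tune it to your baseline).
LARGE_UPLOAD_BYTES = 20 * 1024 * 1024


def parse_proxy_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, host, method, bytes_out, status = parts
        yield {"ts": ts, "user": user, "host": host, "method": method,
               "bytes_out": int(bytes_out), "status": int(status)}


def daily_report(text, top_n=3):
    """Summarise who went where, who tried dangerous sites and who pushed large
    amounts of data out; this is the report to read every morning."""
    per_user = defaultdict(Counter)
    dangerous = defaultdict(Counter)
    large_uploads = []
    for ev in parse_proxy_log(text):
        per_user[ev["user"]][ev["host"]] += 1
        if ev["host"] in DANGEROUS_SITES:
            dangerous[ev["user"]][ev["host"]] += 1
        if ev["method"] == "POST" and ev["bytes_out"] >= LARGE_UPLOAD_BYTES:
            large_uploads.append((ev["user"], ev["host"], ev["bytes_out"]))
    return {
        "top_sites": {u: c.most_common(top_n) for u, c in per_user.items()},
        "hosts_by_user": {u: sorted(c) for u, c in per_user.items()},
        "dangerous_site_attempts": {u: dict(c) for u, c in dangerous.items()},
        "large_uploads": large_uploads,
    }


def new_destinations(report, baseline_hosts):
    """Compare today's report with the hosts seen on previous days: once daily
    reports establish what is normal, a user's first contact with an unknown
    host is what stands out."""
    unseen = {}
    for user, hosts in report["hosts_by_user"].items():
        fresh = [h for h in hosts if h not in baseline_hosts]
        if fresh:
            unseen[user] = fresh
    return unseen


if __name__ == "__main__":
    report = daily_report(SAMPLE_PROXY_LOG)
    # Hosts seen on prior days (constructed baseline).
    baseline = {"mail.example.com", "news.example.org", "files.example.net"}
    for user, sites in report["top_sites"].items():
        print(f"{user}: {sites}")
    print("dangerous:", report["dangerous_site_attempts"])
    print("large uploads:", report["large_uploads"])
    print("new destinations:", new_destinations(report, baseline))
```

The baseline is what makes the report useful over time: on day one everything is "new", but after a week of reports the list of never-before-seen destinations is short enough to read in a few minutes, which is the whole point of choosing what to log rather than drinking from the firehose.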

 

Get ahead of future problems, and contact us to review your logging environment.

Cyberjoke Friday v1.993 May 2018 edition

(Image from cartoonstock.com)

I found it interesting how we are moving toward more robotic capabilities without understanding the potential for cyber criminal mischief.

Inc.com story about a new AI “feature” of Google:

Apparently Google’s AI can make calls with a very convincing human voice, so now cyber criminals will up their game. I can’t do anything else with this than include it in a robot-joke edition of the blog post…

Why Are we in a Big Cybersecurity Mess?

To answer this question logically and truthfully we have to go back to how computers evolved and became connected to each other.

During WW2 came the beginning stages of electronic machines tabulating artillery tables faster and more accurately than humans (Colossus Mark 1 and 2).

(Public domain picture)

As computers evolved, more and more effort went into programming and processing capabilities, and security was not even a worry, because security was handled physically, not over a network.

So when and what was the first networked computer?

The first network was the precursor of the Internet as we know it, ARPANET (Advanced Research Projects Agency Network); an EDN Network article discusses this. On ARPANET in 1969 and shortly thereafter the focus was on making the network operational (it was finally deemed “operational” in 1975, six years later). The work on this technology is available for everyone to see: TCP (Transmission Control Protocol) was developed in the public domain, in RFC 793, September 1981.

If you look at the Table of Contents of the TCP RFC (Transmission Control Protocol – Request For Comments) document, there is no place for security or encryption. It is up to you to develop security, so that is what we have done: newer technologies, SSL (Secure Sockets Layer) and TLS (Transport Layer Security), have been built on top of TCP.

As you may know from our past blog post, SSL is no longer PCI compliant.

So THIS IS THE PROBLEM!!!

We are developing our current software on an insecure platform.

Until there is a computer built from scratch for security using a network mechanism that is also built with security in mind, we will always be fighting a losing battle.

So we have developed Compliance mechanisms:

  1. PCI – Payment Card Industry (in 2004 the major credit card companies came together)
  2. HIPAA – Health Insurance Portability and Accountability Act of 1996
  3. Other public company compliance regulations (SOX)

The compliance systems are not designed to make you 100% secure; they are designed to help you mitigate security problems. If you follow all the rules, for the most part you will keep problems in check, and thus business risk stays reasonable.

The bottom line is that IT resources exist to provide business capabilities, and in that environment security risk has to be mitigated. Until someone develops a 100% secure platform, this is the life we have: we will have to keep up on patches and review logs, while always looking over our shoulders to see whether the criminal hackers have finally come into the environment.

It is interesting to note that as more people get connected, we stop thinking about our security. I mean, who thinks about cybersecurity as they get a new phone or tablet/laptop, especially if it is their first foray into smartphones? The new connectee is interested only in how to connect (usually with free WiFi or an unlimited data plan). The reason we stop thinking about security is that we expect security to already be there.

The unfortunate aspect of more people connecting is that not all of them are knowledgeable about phishing emails and other cybersecurity problems. It takes time to become knowledgeable in anything, so the overall level of understanding is pushed down to the lowest common denominator.

So my theory is that as more people connect, the average knowledge about cybersecurity is pushed down, allowing more of the criminal hackers’ attacks to succeed.

In the following image Cisco predicted IoT devices would balloon to 50 billion by 2020 (this seems correct, or even low).

So nothing has changed: we are so busy connecting to the Internet that we are not focusing on security, and this phenomenon is moving us ever faster toward a larger, more chaotic environment.

Contact us to discuss.

Criminals Trying to Run Crypto Miners on Your Systems

Good YouTube video: “Rise of the Miners” by Josh Grunzweig.

Ransomware is no longer a viable method of making money for the criminals: since Bitcoin is worth a lot of money, it would be difficult to get people to pay to recover their ransomed computers.

So the Criminals have moved to Cryptomining.

The cryptominers have infected hundreds of thousands of machines to capture pennies per day from each machine. Added up daily, the criminal can accumulate wealth, and it never ends: 609,000 machines times 2 pennies per day = $12,180 per day, or $365,000 per month and $4.4 million per year.

It may be worth it for the criminal to spend a little money on spam or watering hole attacks. A watering hole attack is one where a popular website (the watering hole) is infected with malware. As soon as the infections go into the hundreds of thousands, the traffic and infrastructure will be noticed, so the criminal may need to bribe various organizations as well; in Russia, for example, they may have to pay local government officials to keep quiet (or in China too).

In North Korea, the state itself could be running an operation like this.

Contact us to discuss this phenomenon.