Cybersecurity , DDoS , Network & Perimeter

Beyond the Hype, Badluck Bugs Will Still Bite, Experts Warn Mathew J. Schwartz (euroinfosec) • April 13, 2016    

Behold Badlock, a critical Windows and Samba bug that publicly debuted April 12 to much fanfare - plus predictable accusations of hype, since it arrives backed by its own logo and marketing campaign.

See Also: 2016 State of Threat Intelligence Study

But here's the security challenge: Samba is a free software implementation of SMB - Server Message Block - that facilitates cross-platform file sharing and print services, and which is a default service that runs on most Windows, as well as Unix and Linux-based operating systems. Because of Samba's wide install base, Badlock is bad news.

The Samba security team warns that the nine separate flaws referenced as Badlock could be used for man-in-the-middle attacks, as well as to view or modify Samba servers or Samba Active Directory services, including viewing or modifying users' password hashes or shutting down critical services. They also warn that the flaws could be exploited to create a denial of service, for example if attackers gain either internal or remote access to a Samba service.

Samba 4.4 and earlier are vulnerable, and the Samba team has released fixes in the form of patched versions of Samba 4.2.10 and 4.2.11, 4.3.7 and 4.3.8, and 4.4.1 and 4.4.2 "Pre-4.2 versions have been discontinued," Samba says.

But Tod Beardsley, security researcher manager for security firm Rapid7, advises keeping these new vulnerabilities in perspective. "While we do recommend you roll out the patches as soon as possible - as we generally do for everything - we don't think Badlock is the Bug To End All Bugs (TM)," he says in a blog post. "In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse - or better, depending on your point of view - attacks they may leverage."

In part, that's because Samba tends to only be enabled and used on internal networks. And attackers with internal access to the network don't necessarily need to bother with the somewhat technologically advanced attack that would be required to exploit Badlock. "The most likely attack scenario is an internal user who is in the position of intercepting and modifying network traffic in transit to gain privileges equivalent to the intercepted user," Beardsley says. "While some SMB/CIFS [Common Internet File System] servers exist on the Internet, this is generally considered poor practice, and should be avoided anyway."

Microsoft Patches Samba

The Samba team purposefully released its updates the same day that Microsoft released its monthly collection of patches, including MS16-047, which Microsoft says patches Badlock-related flaws in all versions of Windows. Microsoft has released updates for all supported versions of Windows, from Windows Vista and Windows 10, and Windows Server 2008 to Windows Server 2012 R2.

While Microsoft only rates the Badlock flaws as "important" - not "critical" - Rapid7's Beardsley cautions that there are plenty of serious vulnerabilities that have been patched and predicts that related exploits will soon be developed for the open source Metasploit penetration-testing toolkit, which Rapid7 maintains. "You can bet that exploit developers around the world are poring over the Samba patches now," he says, to reverse-engineer them.

Researchers Defend Logo

A team from both Samba and Microsoft say the Badlock-related fixes come after months of related development efforts. They've also defended their decision - in the wake of Heartbleed, Shellshock and a bevy of other branded vulnerabilities - to give this vulnerability its own unique name and logo.

"This process didn't start with the branding - it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up," the group says on the badlock.org site.

The group adds: "What branded bugs are able to achieve is best said with one word: awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs."

Warning: Old Applications May Break

Because of the large number of fixes involved, the Samba team is warning that patched versions of Samba may no longer work with older software. As a result, IT groups will need to carefully test new versions of any software they use that includes Samba once vendors take the patches that were released April 12, update their software and distribute it to customers.

"The number of changes [is] rather huge for a security release, compared to typical security releases. Given the number of problems and the fact that they are all related to man-in-the-middle attacks, we decided to fix them all at once instead of splitting them," Samba says in its update notes. "The security updates include new [SMB configuration] options and a number of stricter behaviors to prevent man-in-the-middle attacks on our network services, as a client and as a server. Between these changes, compatibility with a large number of older software versions has been lost in the default configuration."

More Critical Flaws From Microsoft

In other vulnerability news, Microsoft this month patched 31 separate flaws by releasing 13 updates for Windows, including a fix for critical vulnerabilities in Internet Explorer that could be exploited by attackers to take full control of a system, as well as in the Edge browser, which could allow an attacker to gain the same access rights as a user. "Do not forget that Microsoft only patches the newest browser for each operating system: that means IE11 for Windows 7 upwards, IE9 for Vista, and IE10 for Windows server 2012," Wolfgang Kandek, CTO of security firm Qualys, says in a blog post.

This month's other critical Microsoft updates patch a bug - designated CVE-2016-0127 - in Microsoft Office that could be used by attackers to remotely execute arbitrary code without user interaction. The flaw "is a remote-code execution vulnerability in the RTF file format, which [appears] automatically in the Outlook preview pane and can give the attacker [remote code execution] with a simple email," Kandek says. "If you can afford it, harden your setup by outlawing RTF emails. You can turn them off with the Office File Block Policy, which works across 2007/2010 and 2013."

Another critical flaw that's been patched is in Microsoft XML Core Services. The bug can allow attackers could use to execute arbitrary code, if they trick users into clicking "a specially crafted link," Microsoft says, for example if displayed on a malicious website.

Adobe Ships Patches

Also on April 12, Adobe released updates to patch flaws in its help authoring tool Robohelp, as well as for Creative Cloud Desktop, a hosted service that is used to download Adobe applications such as Photoshop onto users' desktops. That followed Adobe last week releasing an emergency update for Flash, patching a zero-day flaw that was being exploited by at least two crimeware toolkits. Experts recommend immediately upgrading all versions of Flash, or uninstalling the software if it's not required (see Emergency Flash Patch Battles Ransomware).

Microsoft says its April patch updates include the Flash update for "all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10."

Cybersecurity , Legislation

Koskinen Seeks Renewal of Law That Boosted Pay Levels Eric Chabrow (GovInfoSecurity) • April 12, 2016     Senate Finance Committee's hearing on protecting taxpayer data

The Internal Revenue Service, which has been plagued by data security incidents, faces the loss of key IT and data security personnel over the next year unless Congress renews a lapsed law that boosted the pay of top-notch personnel temporarily recruited from the private sector, the head of the IRS says.

See Also: Detecting Insider Threats Through Machine Learning

"The loss of streamlined critical pay authority has created major challenges to our ability to retain employees with the necessary high-caliber expertise," IRS Commissioner John Koskinen testified at an April 12 hearing on cybersecurity and protecting taxpayer information held by the Senate Finance Committee. He said the agency's top cybersecurity expert recruited through the program recently left. "In fact, out of the many expert leaders and IT executives hired under critical pay authority, there are only 10 IT experts remaining at the IRS, and we anticipate there will be no staff left under critical pay authority by this time next year."

IRS Commissioner John Koskinen discusses the benefits of the streamlined critical pay law.

The lapsed law, which expired in September 2013, allowed the IRS to pay more than usual to hire up to 40 individuals for positions requiring extremely high-level expertise, including information security. Among those recruits: IRS Chief Technology Officer Terence Milholland, who served as executive vice president and CTO at card issuer Visa International when recruited 8½ years ago and is leaving the agency later this year.

Higher Salaries

The streamlined critical pay law limited a term of service to four years, although the average tenure was 2.2 years, according to a 2014 inspector general report. But recruited personnel could serve more than one term. Employees recruited under the streamlined critical pay program could receive a top annual salary of $227,300; that's 24 percent higher than the top yearly pay of $179,700 members of the federal government's senior executive service could receive.

Losing key IT and cybersecurity personnel could be damaging for the IRS, which over the past year has experienced a number of IT security breaches and has come under criticism by government auditors for failing to implement cybersecurity safeguards (see Audit Reveals IRS Struggles to Implement Security Controls).

Koskinen received a sympathetic ear from several senators who called on their colleagues to reauthorize the hiring program, including the ranking member of the committee, Sen. Ron Wyden, D-Ore.

Impact of Congressional Inaction

"When it comes to blocking hackers, Congress has done next to nothing while the IRS loses its ability to hire the experts who can keep taxpayer information safe," Wyden said. "If you're a top-notch tech expert, you're already taking a pay cut to work in public service. Now, without what's called streamlined critical pay authority, it can take four to six months to bring a new hire on board at the IRS. So let's be clear: Taxpayer information is under assault every day, but the IRS does not have the legal authority it needs from Congress to build a cybersecurity team that can beat back the crooks."

The committee's chairman, Republican Orrin Hatch of Utah, said the panel will address legislation to reauthorize the program, but he did not provide a time frame for doing so.

DDoS

His Homemade Tools Used to Launch 600,000 DDoS Attacks, Police Say Mathew J. Schwartz (euroinfosec) • April 12, 2016     Birmingham's Victoria Law Courts (Source: Tony Hisgett//CC-by-2.0)

A British man who pleaded guilty to selling homemade distributed denial-of-service attack tools reportedly used to carry out more than 600,000 attacks has escaped jail time, with a judge calling him "young and naïve."

See Also: The Inconvenient Truth About API Security

Grant Manser, 20, who lives in Kidderminster, England, appeared last week in Birmingham Crown Court, where he pleaded guilty to six charges under the U.K. Computer Misuse Act, as well as four charges under its Serious Crime Act, the Birmingham Mail newspaper reports.

Judge Nicholas Cole imposed a two-year sentence on Manser - to be served in a youth detention center. But the judge suspended imposing that sentence for 18 months. That means that if Manser stays out of trouble for 18 months, he'll avoid jail time. Cole also sentenced Manser to 100 hours of unpaid community service and an £800 ($1,100) fine.

Manser's attorney, Jamie Baxter, told the court that his client wasn't a hacker, hadn't ever stolen or sold information, and programmed his software to avoid certain types of targets, including banks, healthcare organizations, police agencies and the FBI, Birmingham Mail reports. "He is not a hacker; the system doesn't take or hack any information from the websites being attacked," Baxter said. "He was only 16 when he started to do this and it was his immaturity and naivety which led him to commit these offenses."

Prosecutor Raj Punia told the court that Manser created four pieces of "stresser" software - named Dejabooter, netspoof, Refinedstresser and Vexstresser - that sold for £5 to £20 ($7 to $29) via unnamed "dark web" sites.

While that might seem inexpensive, the price range is typical for many of today's cybercrime tools and services. On the outsourcing front, for example, several Russian underground markets charge $5 per hour or $50 per day to wage a DDoS attack on a site, according to a new report from Dell SecureWorks. For longer disruptions, Dell researchers found that attackers were charging $200 per week - $350 if the site to be disrupted had anti-DDoS defenses in place - or $1,000 per month.

Illegal DDoS Attacks

As with the Russian outsourced DDoS services, Manser's software was not sold for the legitimate purpose of testing websites' resiliency, but instead to enable buyers to launch illegal DDoS attacks, Birmingham Mail reports. Punia told the court that Manser started his business at the age of 16, in January 2012, and that it ran until November 2014, when he was arrested by England's West Midlands Regional Cyber Crime Unit. At that point, she said, Manser counted nearly 4,000 clients who had paid him a total of £50,000 ($71,000) via PayPal and used his software to carry out more than 603,000 DDoS attacks against almost 225,000 targets (see How Do We Catch Cybercrime Kingpins?).

Manser ploughed his earnings into buying better computer equipment and fixing up his motorcycle and was so successful that he was advertising for additional employees, Birmingham Mail reports (see Cybercrime Recruiters Want You).

Punia told the court that the victims of Manser's DDoS floods against websites, servers and email addresses included not only businesses but also schools, colleges and government agencies across not just the United Kingdom, but also other EU countries - including France, the Netherlands and Poland - as well as the United States. Manser reportedly told police that he cooked up the DDoS software business after working for someone in the United States who was running a similar scheme and witnessing the profit potential.

Stresser Software Arrests

Manser isn't the first young man to be arrested for selling or using stresser software. Last year, for example, the U.K.'s National Crime Agency announced that it arrested six teenage boys for buying and using the online "Lizard Stresser" DDoS tool sold by hacking gang Lizard Squad, and that it was visiting and warning 50 other individuals - one-third of whom were teenagers - who it believed had registered for the service, but not yet used it (see UK Police Detail DDoS-for-Hire Arrests).

The preponderance of young hacking offenders is concerning and begs the question of whether sentences should be more severe. But Dublin-based cyber psychology expert Grainne Kirwan says that most young people who commit crimes tend to naturally stop doing so as they "age out," referring to their getting more responsibilities - including a job, long-term relationship, mortgage or children - that leave little time for cybercrime (see Young Hackers: Jail Time Appropriate?).

Fraud

Jail Time for Russian Cybercriminals Is Rare Mathew J. Schwartz (euroinfosec) • April 15, 2016     Dmitry 'Paunch' Fedotov at the time of his arrest by Russian authorities. (Source: Group-IB.)

Russian authorities have sentenced Dmitry "Paunch" Fedotov, the developer of the notorious Blackhole exploit kit that's been linked to large amounts of fraud, to seven years in prison - an unusually severe sentence for online crime in that nation.

See Also: Unite & Disrupt: Mitigate Attacks by Uniting Security Operations

He was one of seven Russian men who were found guilty of computer crimes and sentenced to spend up to eight years in prison for committing a spree of hacking and malware attacks that resulted in the theft of more than 25 million rubles (worth about $800,000 at 2013 exchange rates) from Russian banks, state-owned Russian news agency TASS reports. All are due to serve their sentence in a "penal colony," it adds.

Russia's Ministry of Internal Affairs had previously tied the Blackhole gang to 70 million rubles in fraud, which would have been worth $2.1 million at 2013 exchange rates. Authorities in other countries also tied the gang to many millions of dollars in fraud and ransomware payments that they received from victims.

Artem Palchevsky, who remains at large, was convicted in absentia of helping to design software that hacked PCs and exfiltrated sensitive financial information that could be used to drain accounts, TASS reports. He's been sentenced to serve eight years in prison. Fellow hackers Roman Kulakov, Sergey Shumarin, Ilya Bragin, Valery Gorbunov, and Vladimir Popov were also sentenced to between five and a half and eight years in prison, Tass reports.

But the most notorious member of the group was Fedotov, who was arrested in October 2013 at age 27. Russian authorities often turn a blind eye to Russians who run cybercrime campaigns that target foreigners. But Fedotov, a.k.a. "Paunch," made the mistake of stealing from Russian banks while residing on Russian soil (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

The length of the prison sentences imposed on the gang members is "not typical for the Russian legal system," says Sergey Nikitin, deputy head of the computer forensics laboratory and malicious code analysis team at Moscow-based cybersecurity firm Group-IB. He called the sentences "a very positive step" toward combatting cybercrime.

"Court judgments for cybercrimes in Russia are usually delivered in accordance with Articles 272 and 273 of the Russian Criminal Code, and criminals often receive a suspended sentence," Nikitin tells Information Security Media Group. "However, in this particular case investigators managed to prove that cybercrimes had been accompanied by monetary theft, which meant criminals had committed fraud and therefore should be sentenced to imprisonment."

Group-IB assisted Russian authorities with their Blackhole investigation (see How Do We Catch Cybercrime Kingpins?).

Subscription-Based Cybercrime Service

The arrest of Fedotov and his colleagues shuttered the Blackhole cybercrime service. The service, which was sold on a subscription-only basis starting at $50 per day or $500 per month, was primarily used to send large volumes of spam that included email attachments that attempted to exploit known vulnerabilities on PCs. Security experts say Blackhole was the most prevalent online threat in 2012 and was used to distribute many different types of malware, including banking Trojans that could be used to drain victims' bank accounts. The exploit kit was also used to infect systems with ransomware, providing a separate revenue stream for criminals in the form of ransom payments.

Blackhole was so successful that Fedotov, beginning in October 2012, was then able to develop and sell a premium offering called Cool Exploit Kit that was packed with zero-day flaws and available for $10,000 per month. He also offered the malware obfuscation service Crypt.am, according to Group-IB.