Using Ultrasound to Hack Air-Gapped Computers

Air-gapped computers are computers that are not connected to any network, and are sometimes physically isolated as well. Such machines are usually presumed to be safe from remote compromise, so businesses and agencies often keep their most sensitive data on them. They are not as safe as most people think. Researchers have found a number of ways to get data out of them. For example, pressing keys on a keyboard produces faint electromagnetic and acoustic emanations that can be picked up and analyzed, so an attacker with the right equipment could, at least in theory, recover passwords and other typed data much as a keylogger would. Other air-gap attacks have used variations in the magnetic, radio, optical or thermal signals that leak from a computer during its normal operation. Here is a summary of the ways air-gapped computers have been breached.

[Image: summary of air-gap covert channels]

But there’s a problem for the attacker. These channels are limited by range and by bandwidth. The receiver has to be physically close to the target, and the data trickles out at a few bits per second. In other words, a successful attack on an air-gapped computer needs a second, network-connected machine in the same room or, at best, a nearby one, running malware that can pick up the signal and relay what it collects to the attacker. The alternative is for the receiving machine to store the stolen data until an insider can physically retrieve it.

The idea of using sound as a covert channel has been around for a while. In most of these scenarios, communication with an air-gapped computer was established using the computer’s speaker and microphone. In 2013, Hanspach and Goetz showed how a chain of laptops linked by near-ultrasonic audio could form a mesh network that extends the range well beyond that of a single link. Keeping the transmissions above the range of human hearing (roughly 18 kHz and up, which is as far as an ordinary sound card will go) is what keeps them covert. There was one big problem, though. Such attacks can be thwarted by simply disabling the microphone on the air-gapped computer, and, unlike laptops, some desktop computers have no built-in microphone at all.

Researchers at Israel’s Ben-Gurion University have now removed that obstacle. They demonstrated that the audio codec chips on common motherboards let software reprogram what an audio jack does, a feature known as jack retasking, so that an output device can be turned into an input device and vice versa. A loudspeaker is, after all, just a microphone driven in reverse. This means a computer’s speakers can be used not only to emit ultrasonic signals but to receive them, so turning off an air-gapped computer’s microphone no longer stops the channel: speaker-to-speaker communication is possible. Headphones and earphones can be retasked the same way. The attacker’s main problem is getting malware onto the target computer, because software running on the machine is what performs the retasking.

This channel shows some improvement in transmission rate (300 to 600 bits/sec), but its range is still limited to about 8 meters (~25 ft). One advantage of ultrasound is that it is not substantially affected by background noise, most of which sits at much lower frequencies. On the other hand, ultrasound is more directional: the transmitting and receiving devices work best when they are pointed at each other, which cannot be relied upon in a natural setting.

With such limitations, is it really worth worrying about being hacked in such a way? For the average individual, probably not. The difficulty of pulling off such a breach puts it beyond the everyday bedroom hacker. This is a technique reserved for nation-states looking for specific information on specific air-gapped computers, and such attacks would need to be well organized and precisely targeted. A computer near the target must first get the appropriate malware installed on it, which would normally require either a well-crafted spear-phishing email or the help of a malicious insider. Far harder is getting malware onto the air-gapped computer itself. Again, this would likely involve an insider working with the attackers, or an unwitting insider plugging in something like an infected USB drive. With malware on both machines, a communication channel can be opened between them.

The low transfer rate is also a problem, but one that patience overcomes. The most valuable data is often small: a password, a cryptographic key or a short document is only a few hundred or a few thousand bits, which at these rates takes seconds to minutes to move. A few hundred bytes of commands in the other direction is enough to control the implant.

Once the malware is installed, the two computers use the speakers or earphones on the air-gapped machine to establish a channel and begin exchanging information. Obviously, one way to stop such an attack is to remove speakers from the air-gapped computer and forbid the use of earphones on it. Speakers driven through an external amplifier are also reported to be immune, because the amplifier passes signal in only one direction and cannot be turned into a microphone. Here is a summary of countermeasures from the same report.

[Image: countermeasures table from the Ben-Gurion report]
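To make the numbers above concrete, here is an added example (not the Ben-Gurion researchers’ code) that simulates a near-ultrasonic speaker-to-speaker channel end to end in Python: bits are mapped to 18 kHz and 20 kHz tones, pass through a noisy “room”, and are recovered with the Goertzel algorithm; a jamming function then shows why an ultrasonic jammer, a countermeasure the post goes on to recommend, breaks the channel. The sample rate, tone frequencies, symbol length and payload are assumptions for the simulation, and the jack retasking itself is not modelled.

```python
import math
import random

# All parameters are assumptions for this simulation, not figures from the
# paper the post describes: a 48 kHz sound card, binary FSK with one tone per
# bit in the near-ultrasonic band, and 2 ms per bit (500 bit/s).
SAMPLE_RATE = 48_000
FREQ_BIT0 = 18_000.0
FREQ_BIT1 = 20_000.0
SAMPLES_PER_BIT = 96                          # 2 ms at 48 kHz
BIT_RATE = SAMPLE_RATE // SAMPLES_PER_BIT     # 500 bit/s


def bytes_to_bits(data):
    """MSB-first bit sequence of a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def modulate(data):
    """Transmitter side: one pure tone per bit, played through the speaker."""
    samples = []
    for bit in bytes_to_bits(data):
        freq = FREQ_BIT1 if bit else FREQ_BIT0
        for n in range(SAMPLES_PER_BIT):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def acoustic_channel(samples, noise_rms=0.3, seed=1):
    """Room model: the signal arrives with additive Gaussian noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, noise_rms) for x in samples]


def ultrasonic_jammer(samples, amplitude=5.0, seed=2):
    """Defender's jammer: loud random-phase tones on the carrier frequencies.
    A real jammer emits broadband noise across 18-24 kHz; tones are enough
    here to show why the receiver can no longer tell the two symbols apart."""
    rng = random.Random(seed)
    out = []
    for start in range(0, len(samples), SAMPLES_PER_BIT):
        phase0 = rng.uniform(0.0, 2 * math.pi)
        phase1 = rng.uniform(0.0, 2 * math.pi)
        for n in range(start, min(start + SAMPLES_PER_BIT, len(samples))):
            t = (n - start) / SAMPLE_RATE
            jam = amplitude * (math.sin(2 * math.pi * FREQ_BIT0 * t + phase0)
                               + math.sin(2 * math.pi * FREQ_BIT1 * t + phase1))
            out.append(samples[n] + jam)
    return out


def goertzel_power(window, freq):
    """Energy of `window` at one frequency (Goertzel algorithm): the per-symbol
    measurement a receiver retasked from a speaker jack would make."""
    coeff = 2.0 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev, s_prev2 = 0.0, 0.0
    for x in window:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Receiver side: decide each bit by which tone carries more energy."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(window, FREQ_BIT1)
                    > goertzel_power(window, FREQ_BIT0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def bit_errors(received, expected):
    """Count differing bits between two byte strings of equal length."""
    return sum(bin(a ^ b).count("1") for a, b in zip(received, expected))


def seconds_to_exfiltrate(num_bytes):
    """Time needed at this symbol rate, e.g. a 32-byte key takes about 0.5 s."""
    return num_bytes * 8 / BIT_RATE


if __name__ == "__main__":
    secret = b"p4ssw0rd"                      # constructed sample payload
    clean = demodulate(acoustic_channel(modulate(secret)))
    print("clean channel:", clean, "bit errors:", bit_errors(clean, secret))
    jammed = demodulate(ultrasonic_jammer(acoustic_channel(modulate(secret))))
    print("jammed channel:", jammed, "bit errors:", bit_errors(jammed, secret))
    print("seconds to move a 32-byte key:", seconds_to_exfiltrate(32))
```

Each symbol lasts an exact whole number of cycles of both tones, so the Goertzel bins do not leak into each other and the clean channel decodes with zero errors even with noise; the jammer’s random-phase tones make the energy comparison a coin flip, which is the whole point of jamming rather than trying to detect the transmission.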

All of this may make it seem as if ultrasonic communication between devices is nothing to worry about. That would be a mistake. Last year, researchers at Zhejiang University (the DolphinAttack paper) showed that voice assistants such as Siri and Alexa respond to commands nobody can hear: a spoken command modulated onto an ultrasonic carrier is demodulated back into the audible range by the nonlinear response of the device’s microphone, so the assistant hears the command while the people in the room hear nothing. In principle, any voice-activated device can be commanded to do things its owner would not want. Advertisers could, for example, have these devices open their web pages and play ad messages. But before you panic, this only seems to work when the ultrasonic transmitter is near the listening device, often within one meter.

Thus, if the distance limitation can be overcome by amplifying the ultrasonic signal, all sorts of unusual and dangerous hacks could take place. Ultrasound has been amplified using the SASER (sound amplification by stimulated emission of radiation), which is, basically, the sound equivalent of a laser. Could this be used to reach an air-gapped computer at a distance? I simply don’t know, but it is an avenue that is no doubt being explored. The problem is that high-intensity ultrasound is dangerous to nearby humans; levels of 180 decibels have been described as potentially lethal.

Hearing loss is the main documented result of exposure to high-level ultrasound. Studies of ultrasound exposure have found that people also complain of “fatigue (36.8%), headache (12.1%), somnolence (5.3%), dizziness (5.3%) and palpitations (5.3%).” Other studies of excessive exposure report “irritation, memory problems and difficulties with concentration and learning.” These symptoms are similar to those reported by staff at the American embassies in Cuba and China. Some have claimed that those symptoms were psychosomatic; however, if some sort of ultrasonic surveillance or hacking was being attempted, it could have produced them accidentally. In fact, research by Kevin Fu’s group at the University of Michigan showed that two ultrasonic devices operating too close together (eavesdropping or jamming equipment, for instance) can produce audible intermodulation, and proposed this as a possible explanation for the health problems experienced by the embassy staff.

There is no way for us to know how far nation-states have advanced in such hacking, but I have no doubt it is under development. Could malware be installed directly onto an air-gapped computer through ultrasound? That would be the next big step, and it would mean that any computer, not only an air-gapped one, could be vulnerable. One caveat: sound alone cannot install anything on a machine with no software listening for it, and every demonstration so far has needed an implant on both ends of the channel. If all this is true, businesses and agencies serious about security need to consider ultrasonic jammers as part of their cybersecurity architecture. In any event, the cybersecurity landscape has just become a lot more complicated.


Fake Lawyers and Law Firms Scam Multiple Victims in Multiple Ways

When I started investigating this problem, I thought I might find a few fake law firms being used as fronts to perpetrate fraud. I now realize that I profoundly underestimated how widely this attack vector is being used. In fact, I doubt if the legal profession realizes what it is up against.

There are a number of reasons why fraudsters would set up fake legal firm websites or pose as lawyers. First of all, scammers really need to get your personal information to begin their scam. One way to do this is to offer you free legal advice if you simply fill out a form on their website. The form will ask for personal information which can then be used to scam you.

The victim, visiting the fake website, will see that it is well-designed and even includes the biographies of the lawyers who work for the firm. The pure believability of the site lowers suspicion. Many law firms have pages for sending personal information in order to begin a case. Once these criminals get your email or phone number, they will contact you and agree to take you on as a client. They will likely promise you a favorable outcome. However, they tell you that you should send them a filing fee so that they can begin the paperwork. If you follow their directions you will never see that money again and no paperwork will be filed.

The above scam is quite basic. It is used to fool people who have a built-in motivation for getting a lawyer’s help and who may, therefore, be willing to overlook any inconsistencies they find on a law firm’s website because they want their problem solved as quickly as possible. The website below is an example of such a well-designed site.

[Image: cloned website of the defunct Edmunds law firm]

In this case, it appears that the criminals took over the name of a law firm that existed until 2011. They then tried to perpetrate the old inheritance scam. In this scam, you, the victim, have had a distant relative die (they will always have the same surname as yours) and it has been found that you are the only heir. You will get this information in an email that may bear the logo of the law firm it is purportedly sent from. The sum of the inheritance is considerable, often into the millions of dollars. You are then told that you will get most of the inheritance if you pay for the legal work that must be done. Of course, you will probably check to see if the law firm that sent you the email actually exists. If you find a legitimate-looking page like the one above, it may be enough to convince you to proceed. That’s the scammer’s hope, anyway.

Recently this basic scam has been upgraded in a number of ways. In some cases, a person from overseas contacts a legitimate law firm about some problem they have “in your jurisdiction”. They are told that a settlement has been agreed upon but that they need a law firm to arrange for the receipt and forwarding of the funds to a foreign account.

Of course, the law firm will ask for documentation, and it will be sent and appear to be authentic. The documents will carry the name and contact information of a person at the company that has agreed to the settlement, and when contacted, that person will sound entirely normal. In a short time, the law firm will receive a check, often for hundreds of thousands of dollars, by FedEx. The check will look legitimate, like the one received by a New York law firm.

[Image: the counterfeit Citibank check received by a New York law firm]

Since the check carries a valid routing number, the bank will accept it for deposit, and because banks generally make deposited funds available before a check has actually cleared, the money will appear in the firm’s account. At the same time, the person who is to receive the money contacts the firm explaining that they need it transferred immediately because of some emergency. Thinking the check is valid and seeing the funds in the account, the firm may go ahead and wire the money. Only days or weeks later will it learn that the check was counterfeit and that the firm has been bilked out of hundreds of thousands of dollars.

This scam template also uses fake law firm websites to validate other spurious claims. One targeted law firm may be told to contact another law firm, a fake one, to validate a transaction. Searching the internet to gather information on the validating firm will find a well-designed website with contact information and pictures of real lawyers, cloned from another valid law firm site. The phone number will either lead to a voice mail or to a scammer who will validate the fake transaction. In other words, contacting the fake firm will only further ensnare the victim firm.

Such scams are widely perpetrated, but there seem to be a few hot spots. In the U.S., Texas, Florida, and California have been heavily targeted. Texas has been hit by fake estate planning firms that target the elderly. California has been targeted by fake firms offering advice to legal and illegal immigrants; their websites are often in Spanish. In Florida, a variety of fake law firm scams are on the rise.

In the United Kingdom, fake law firm scams are reaching epidemic proportions. In the last month alone, according to the Solicitors Regulation Authority website, scammers in the UK have used the names of actual solicitors or firms over 20 times to try to trick victims into sending them money. The scams are believable as they use the actual or similar names of real solicitors and real firms to perpetrate the scams. Here is an example.

There is a legitimate law firm called Crystal Law. It maintains the following website.

[Image: the real Crystal Law website]

And here is the fake website that pretends to be Crystal Law.

[Image: the fake Crystal Law website]

The format seems to be copied from the website of the Odaman & Taskin Law Firm located in Istanbul, Turkey.

While researching this post, I found two other fake websites using the same format.

[Image: fake “Ian Bright” law firm site built on the same template]

[Image: fake “Phillip Johnson” law firm site built on the same template]

I found that some of the images on these sites were stolen from another law firm site, Harcourt Chambers, and linked to a number of other sites, some of which Microsoft has determined to be dangerous. On its site, Harcourt Chambers notes that, “it has come to our attention that a number of bogus emails have been sent to individuals which purport to have originated from Harcourt Chambers or individuals from Chambers.” Many of these could be traced to a scam look-alike site and any correspondence from it should be either ignored or reported to the authorities.
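An analyst checking whether a site like the ones above is a clone can compare page structure rather than text, since scammers rewrite the words but keep the template and often hotlink the original firm’s images. The following is an added example, not tooling from this post or from any regulator: it extracts the tag sequence and image URLs from two pages, scores how much of the layout they share, and lists images served from the legitimate site. The three pages and the domain names in it are constructed for the example.

```python
import difflib
from html.parser import HTMLParser


class _PageSkeleton(HTMLParser):
    """Records the order of tags on a page and every <img src> it references."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.images = set()

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.images.add(value.strip())


def skeleton(html):
    """Return (tag sequence, image URLs) for an HTML document."""
    parser = _PageSkeleton()
    parser.feed(html)
    return parser.tags, parser.images


def template_similarity(html_a, html_b):
    """0..1 score of how much two pages share the same tag layout,
    independent of the visible text, which scammers rewrite."""
    tags_a, _ = skeleton(html_a)
    tags_b, _ = skeleton(html_b)
    return difflib.SequenceMatcher(None, tags_a, tags_b).ratio()


def shared_images(html_a, html_b):
    """Image URLs the candidate page loads from the same place as a known site."""
    return skeleton(html_a)[1] & skeleton(html_b)[1]


def clone_indicators(candidate, known_sites, threshold=0.8):
    """Compare a candidate page with known legitimate sites and report which
    ones it appears to be cloned from (template match or hotlinked images)."""
    findings = []
    for name, html in known_sites.items():
        score = template_similarity(candidate, html)
        images = shared_images(candidate, html)
        if score >= threshold or images:
            findings.append({"source": name, "template_score": round(score, 3),
                             "shared_images": sorted(images)})
    return findings


# Constructed sample pages (not real sites). REFERENCE_PAGE stands in for a
# legitimate chambers site; CANDIDATE_PAGE keeps its layout and hotlinks one
# of its images but carries different text; UNRELATED_PAGE is a control.
REFERENCE_PAGE = """<html><head><title>Reference Chambers</title></head>
<body><header><nav><a>Home</a><a>Team</a><a>Contact</a></nav></header>
<main><section><h1>Welcome to Reference Chambers</h1><p>Barristers since 1950.</p>
<img src="https://reference-chambers.example/img/barristers.jpg"></section>
<section><h2>Our People</h2><ul><li>A. Barrister QC</li><li>B. Barrister</li></ul></section></main>
<footer><p>Regulated by the Bar Standards Board</p></footer></body></html>"""

CANDIDATE_PAGE = """<html><head><title>Example and Partners Solicitors</title></head>
<body><header><nav><a>Home</a><a>About</a><a>Services</a><a>Contact</a></nav></header>
<main><section><h1>Example and Partners</h1><p>Inheritance claims handled fast.</p>
<p>Contact us today for a quote on the release fee.</p>
<img src="https://reference-chambers.example/img/barristers.jpg"></section>
<section><h2>Our Team</h2><ul><li>A. Partner</li><li>B. Partner</li></ul></section></main>
<footer><p>All rights reserved</p></footer></body></html>"""

UNRELATED_PAGE = """<html><head><title>Village Bakery</title></head>
<body><div><table><tr><td>Sourdough</td></tr></table></div></body></html>"""

if __name__ == "__main__":
    known = {"reference-chambers": REFERENCE_PAGE, "bakery": UNRELATED_PAGE}
    for finding in clone_indicators(CANDIDATE_PAGE, known):
        print(finding)
```

A tag-sequence ratio is deliberately crude: it will not catch a clone that was re-themed from scratch, but it is cheap to run across a list of candidate domains, and a hotlinked image is close to proof on its own.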

After finding a number of these scam sites, I reported them to the Solicitors Regulation Authority. I received a reply (“We will look at your information alongside other relevant information we hold in order to consider the next steps”) and hope to work with them to expose the scammers. However, due to the massive prevalence of such scam sites, the task will be daunting. My suspicion is that I stumbled upon several of these sites before they had a chance to be monetized. The scammers may have taken over firms that have closed but did not, or could not, remove the original websites. I will update this information when necessary.

But why are law firms such tempting targets? That’s easy. They can give legitimacy to any scam. However, more importantly, information on law firms and lawyers is readily available. Most states have a searchable database for all of its bar members and firms. The database gives information such as the following from the Florida Bar website: Bar number, mail address, office phone, personal phone, fax, email, personal bar URL, vCard, practice areas, and the firm’s website. Below is the scammer’s dream page for setting up a scam.

[Image: Florida Bar member lookup page]

A potential scammer can find law firms specializing in the areas they are interested in, such as estate planning or real estate. They can then clone an appropriate website and begin their scam.

A few days ago (June 8), the Better Business Bureau received a complaint about a fake law firm that scammed a victim out of $5,000 by pretending to represent a buyer of a timeshare. The fake law firm even encouraged the victim to visit its website and told the victim to look up the firm’s lawyers on the Idaho State Bar website. Yes, they were using the state bar site to legitimize the scam. The fake website is still up, and you would think it was an obvious fake from some of the odd language on the home page, such as “WE HAVE A LOT OF EXPERIENCE AND DON’T HAVE TO DO A BUCKET OF RESEARCH” and “ARE YOU HAVING ANY PROBLEMS BUT YET NOT CONSULT TO ANYONE ?” Or how about this puzzling banner.

[Image: banner from the fake Idaho law firm website]

In researching this particular scam, I found more fake sites than I could ever report on. Not all of them were fronts for fake law firms, but many were. According to a 2017 report by Webroot, about 1.4 million new phishing sites appear every month, and most are online for less than 8 hours. That short lifespan means blocklists rarely catch up, and scammers can simply direct victims to a new, unblocked site. Fake law firm sites persist the same way, by tweaking the URL. As the victim of the timeshare scam noted, “the problem we found was that by the time we got the website shut down (a herculean effort) a new one popped up with a new host.”

On the surface, the situation may seem hopeless. In fact, the responsibility of avoiding a scam comes down to the individual. Don’t rely on online communication or phone calls to validate a law firm. Check with authorities or meet with the firm representative in person. You may still become a victim, but the chances for this will be significantly reduced.

 

 


Trending: Hacking School Networks to Change Grades

Have you noticed a sudden increase in your son’s or daughter’s grades? Do you wonder how they can do so well at school when they seem to spend most of their time playing online games? Well, maybe there’s a simple explanation. You see, there’s a new trend making the rounds among some students these days. It’s a trend that is becoming more popular now that graduation is approaching. This latest trend is hacking the school’s computer network to change grades. Why bother studying if you’re guaranteed to be a top student?

As most students who’ve been caught admit, hacking into the school’s network was surprisingly easy. Sixteen-year-old David Rotaro hacked his school’s network and admitted, “it was like stealing candy from a baby… It was like beginner level.” He claimed it took only five minutes to write the phishing email that began the hack. What he didn’t say was how long it took him to build the fake login page. Rotaro used a time-honored defense: he wanted to point out the school’s cybersecurity vulnerabilities. Sure. And, as is often the case in these stories, his parents had no idea he even possessed such hacking skills.

According to the 2018 Hacker Report, about 46% of hackers (we’re talking white hat hackers here) are under the age of 24, and 25% describe themselves as students, so a large share of that under-24 group is presumably still in school.

[Image: hacker age distribution, 2018 Hacker Report]

According to the report, there are a number of reasons why these hackers hack.

[Image: reasons hackers hack, 2018 Hacker Report]

However, students wouldn’t hack a school to make money (13%), so we can eliminate that motivation. We can also eliminate hacking to advance their careers (12%) or to do good in the world (10%). No, most would hack to have fun or show off, and they may also like the challenge. David Rotaro hacked his school to raise the grades of his friends and lower those of his enemies. The fact that he didn’t change his own grades suggests he was after the praise of his peers.

Hacking to get passwords, alter records, or steal upcoming exams has been on the rise as well. Here are some hacks that have occurred in just the last month.

Bloomfield Hills High School – Students changed grades and attendance records. They also refunded lunch purchases.

W.S. Neal High School – Students changed grades and rankings of students. School cannot determine who the valedictorian is.

Gadsden High School – 55 students were found to have changed the grades of 456 students. They were in the system for at least 3 months.

Oakton High School – All student passwords changed.

University of Georgia – Student takes over a professor’s account and changes his grades.

Florida Virtual School System – All records and passwords of students and teachers hacked.

And here’s the bad news. There are probably many more cases that are yet to be discovered or were discovered but not reported.

A Note to Parents

There are a number of YouTube videos that claim to teach students how to hack their grades. Most are fake. They simply show students how to change the HTML code on the page they are looking at so that the grade appears to have changed. Once refreshed, the original grade reappears. So why use this hack? The answer: to fool parents. If a student’s parents are concerned about a particular grade and ask to see it on the student’s internet grade page, the student can change the grade via HTML manipulation and show the fake grade to their parents. So, if you are confronted with a suspicious grade on your son’s or daughter’s computer, simply refresh the page. If the grade has been tampered with, the original one will magically appear. Busted.

How Such Hacking is Actually Done

David Rotaro knew what he was doing. He sent phishing emails to all of the teachers telling them they had to change their passwords. Reportedly, most of these emails were caught by spam filters, but one teacher opened the email and followed the link to a fake login page. At that point no keylogger or RAT (Remote Access Trojan) was needed: a fake login page simply records whatever username and password is typed into it and hands them to the attacker. It only takes one victim, because after that he had the keys to the kingdom. In other words, he could freely roam the part of the grade system that was only accessible to teachers. Alternatively, he could have taken over the teacher’s email account and sent more believable phishing emails to other teachers from it, compromising them as well. Why was he caught? He made an amateur mistake and did not hide his IP address, which was easily traced back to him. As one student disturbingly commented, “so the kid wasn’t smart enough to at least use a VPN? I change grades all the time but I’m smart about it.”
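The flip side of that mistake is that a school which looks at its own audit logs would have caught him without waiting for a tip. As an added example (not from the post, and not any vendor’s product), the check below runs over a constructed audit log from a hypothetical grading system and flags a teacher account that edits grades from an address outside the school’s network, or that changes an unusual number of grades within a short window. The log format, the network range and every event in it are invented for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed address range for the school's own network (example value).
SCHOOL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed audit-log sample in a hypothetical key=value format. The
# 'mjones' account is the scenario from the post: one phished teacher login
# used at night, from outside the school, to rewrite a batch of grades.
AUDIT_LOG = """\
2018-05-14T09:02:11 user=jsmith action=grade_update student=1042 course=ALG2 old=B new=B+ ip=10.20.4.17
2018-05-14T09:05:40 user=jsmith action=grade_update student=1051 course=ALG2 old=C new=B- ip=10.20.4.17
2018-05-14T23:11:02 user=mjones action=login ip=198.51.100.23
2018-05-14T23:11:30 user=mjones action=grade_update student=2001 course=CHEM old=D new=A ip=198.51.100.23
2018-05-14T23:11:52 user=mjones action=grade_update student=2002 course=CHEM old=C new=A ip=198.51.100.23
2018-05-14T23:12:15 user=mjones action=grade_update student=2003 course=CHEM old=B new=A ip=198.51.100.23
2018-05-14T23:12:40 user=mjones action=grade_update student=2004 course=CHEM old=A new=F ip=198.51.100.23
2018-05-14T23:13:05 user=mjones action=grade_update student=2005 course=CHEM old=B new=A ip=198.51.100.23
2018-05-14T23:13:33 user=mjones action=grade_update student=2006 course=CHEM old=C new=A ip=198.51.100.23
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    match = LINE_RE.match(line)
    if not match:
        return None
    event = {"ts": datetime.fromisoformat(match.group("ts"))}
    for token in match.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_school_ip(ip_text):
    """True if the address falls inside one of the school's own ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in SCHOOL_NETWORKS)


def find_suspicious(log_text, max_changes=5, window=timedelta(minutes=10)):
    """Return a set of (user, reason) pairs worth a phone call to the teacher.

    Rule 1: a grade_update from outside the school network.
    Rule 2: more than `max_changes` grade_updates by one account inside `window`.
    """
    findings = set()
    change_times = defaultdict(list)
    for raw in log_text.splitlines():
        event = parse_line(raw.strip())
        if not event or event.get("action") != "grade_update":
            continue
        ip = event.get("ip")
        if ip and not is_school_ip(ip):
            findings.add((event["user"], "off_network_ip"))
        change_times[event["user"]].append(event["ts"])

    for user, times in change_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_changes:
                findings.add((user, "burst_of_changes"))
                break
    return findings


if __name__ == "__main__":
    for user, reason in sorted(find_suspicious(AUDIT_LOG)):
        print(f"{user}: {reason}")
```

Neither rule is exotic; the point is that both signals were present in the case the post describes (an outside address and a batch of edits to other people’s grades), and a grading system that does not log the source address per change cannot run either of them.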

But how did he manage to get the hacking tools necessary to pull this off? That’s pretty simple. You can get them online for free. The DarkComet RAT, for example, has been around for years. It can perform many malicious actions, such as turn on a victim’s microphone and webcam. It also comes with a keylogger to capture passwords and credit card information. It is readily available for download and even has its own legitimate website. How is this possible? Because it is advertised as a remote access tool. In other words, you could use it to access your home computer remotely. Sure, it has malicious potential but… Free keyloggers are also widely available. They are legitimately used by parents to monitor their child’s online behavior or by employers wanting to keep an eye on employees.

[Image: DarkComet RAT download page]

So, all of the tools for hacking grades are just waiting to be used by enterprising students. I’ve been monitoring discussions on this topic on some forum sites and was surprised at how many people confessed to hacking their schools. Some methods were quite complex but others were surprisingly simple, like installing a keylogger on the teacher’s computer from a flash drive when the teacher left the room.

Though many of the exploits used are relatively simple, there are some that are too complex for most students. Fortunately, for the aspiring grade hacker, there are step by step online instructions on how to hack into a school’s server and, in this particular example, steal the final exam.

[Image: online “how to hack your school’s server” tutorial]

As the hacking instructor writes, “so for today, we’ll look at how to break into your school’s server to download the final exam file with the answers onto your computer. Just think of the benefits to your academic record, your Call of Duty skills, and your popularity when you show up at school with the final exams days ahead of the finals!” Yeah, that about sums it up. Of course, this all comes with a disclaimer, “this is for demonstration/entertainment purposes only. Please do not break into your school’s server and steal exams as it’s illegal and very likely will get you kicked out of school.” And he then gives the details of the hacking. Of course, you shouldn’t actually do this hack, but if you do, he advises you not to make your grade too high because that would look suspicious. Interestingly, this type of hack may escape all detection and has likely been performed with the school never learning a thing about it.

This exam-stealing exploit, as well as any grade-changing exploit, could easily be monetized. How much would a failing student pay to get a passing grade? My guess is quite a lot. How much would a student with a gaming addiction pay to get a final exam in advance and give themselves more gaming time?

The good news is that most students are not as computer savvy as the adult world thinks they are. Only a small percentage of students would actually know how to perform a hack of their school’s network. Fewer still would want to take that risk. However, the demand for getting grades changed or getting advanced copies of exams probably exists. There is an opportunity here for the enterprising student and they may be beginning to take advantage of it.

 


New Malware Uses a Facebook-YouTube-Chrome Combo to Steal Bitcoins

FacexWorm has been around since late last year, but it has been continually upgraded to steal cryptocurrency more efficiently. Its use of a select blend of social media to propagate itself makes it rather unusual and may portend a new approach for criminals.

Stage 1: Facebook Messenger

Criminals get control of a Facebook account, or at least of an account whose friend list is visible to anyone. Using Facebook Messenger, the attacker sends a message that appears to come from one of the victim’s contacts. The message contains the victim’s name, a random emoji and, in its basic form, the word “video”, followed by a link the victim is supposed to click.

[Image: FacexWorm Messenger message with link]

Recently, these messages have been upgraded to make it appear that the link goes to YouTube.

[Image: FacexWorm message with a YouTube-styled link]

The lack of any well-formed sentence leads one to suspect the attackers are either of foreign origin or are seeking victims in numerous countries.

Stage 2: YouTube

If you click on the YouTube link above, the newer versions of FacexWorm direct you to a fake but superficially believable YouTube page. To view the video you were sent on Messenger, you are told you must install a codec, as seen in the example below.

[Image: fake YouTube page asking the visitor to install a “codec” extension]

Although the URL has nothing to do with YouTube, the victim may overlook this because the page looks so much like the real thing. If the victim agrees to add the extension, the malware, through a series of exchanges with its C&C (command and control) server, takes control of the victim’s own Facebook account and sends the same kind of message to the victim’s contacts, propagating the infection.

Stage 3: Chrome Browser 

As of this writing, the extension the victim adds in the scenario above only works in Google’s Chrome browser. The extension itself is the malware, disguised as an ordinary codec add-on. Each time the victim opens a new web page, it fetches additional JavaScript from the C&C server and injects it into that page. The injected code recognizes particular login pages and sends the credentials entered on them to the C&C server.
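The practical check when a web page asks you to “install a codec” is to look at what the extension actually requests, which is visible in its manifest.json before it ever runs. The following added example (not code from the Trend Micro report or from FacexWorm itself) triages a Chrome extension manifest for the capabilities the post describes: access to every site, interception of requests, and content scripts injected into all pages. Both manifests in it are constructed for the example, and the list of sensitive permissions is this editor’s choice, not an official Chrome classification.

```python
import json

# Permissions that let an extension observe or rewrite what the user does on
# other sites, with the reason each one matters for the behaviour described.
SENSITIVE_PERMISSIONS = {
    "tabs": "can read every URL the user opens",
    "webRequest": "can observe requests to any matched site",
    "webRequestBlocking": "can redirect or block requests (referral hijacking)",
    "cookies": "can read session cookies of matched sites",
    "nativeMessaging": "can talk to programs outside the browser",
    "debugger": "can attach to pages with full DevTools power",
    "management": "can disable other extensions, including security ones",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def manifest_findings(manifest):
    """Return a list of risk indicators for a parsed manifest (MV2 or MV3)."""
    findings = []
    permissions = set(manifest.get("permissions", []))
    # MV2 lists host patterns inside "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in permissions if p == "<all_urls>" or "://" in p}
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("host_access:all_sites")
    for name in sorted(permissions & set(SENSITIVE_PERMISSIONS)):
        findings.append("permission:" + name)
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOST_PATTERNS:
            # document_start means the script runs before the page's own code.
            findings.append("content_script:all_sites:" + script.get("run_at", "document_idle"))
    return findings


def explain(findings):
    """Human-readable reason for each permission finding (others pass through)."""
    lines = []
    for item in findings:
        kind, _, name = item.partition(":")
        lines.append(f"{item}: {SENSITIVE_PERMISSIONS[name]}" if kind == "permission" else item)
    return lines


def triage(manifest_text):
    """Parse a manifest.json string and decide whether it deserves a closer look.
    A real codec needs none of these powers, so it should produce no findings."""
    findings = manifest_findings(json.loads(manifest_text))
    return {"review": bool(findings), "findings": findings}


# Constructed manifests: neither is the real FacexWorm extension.
FAKE_CODEC_MANIFEST = """{
  "manifest_version": 2,
  "name": "Video Codec Pack",
  "version": "1.0",
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  "background": {"scripts": ["background.js"], "persistent": true},
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}]
}"""

PLAIN_NEWTAB_MANIFEST = """{
  "manifest_version": 2,
  "name": "Plain New Tab",
  "version": "1.0",
  "chrome_url_overrides": {"newtab": "newtab.html"}
}"""

if __name__ == "__main__":
    for name, text in (("fake codec", FAKE_CODEC_MANIFEST), ("new tab", PLAIN_NEWTAB_MANIFEST)):
        result = triage(text)
        print(name, "->", "REVIEW" if result["review"] else "ok")
        for line in explain(result["findings"]):
            print("  ", line)
```

The manifest cannot show the code that the extension later downloads from its C&C server, which is exactly why the declared capabilities are the thing to judge: an add-on that claims to decode video but asks to run its own script on every site and to interpose on every request has already told you what it is.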

FacexWorm’s main function is to gather cryptocurrency. It is programmed to contact the C&C server if the victim visits one of 52 cryptocurrency sites or even types keywords related to a particular cryptocurrency. Either event makes the browser redirect to a fake web page matching the cryptocurrency the victim has shown an interest in. Once at the scam page, the victim is asked to send a certain amount of cryptocurrency to the attacker’s wallet to prove they are a valid user, and is told the funds will be returned once validated. Of course, the money will never be seen again.

FacexWorm will also inject code in web pages in order to allow for cryptocurrency mining which will benefit the attacker. The mining is programmed to take no more than 20% of the infected computer’s CPU’s power which will slow down browsing but will not make it so obvious that the victim becomes suspicious.

If the victim actually performs a transaction in one of the targeted cryptocurrencies, the malware replaces the recipient’s address in the transaction with the attacker’s and thereby pockets the currency. According to the Trend Micro report, the targeted trading platforms are Poloniex, HitBTC, Bitfinex, Ethfinex, and Binance, plus the wallet Blockchain.info. The targeted currencies for this stage are Bitcoin (BTC), Bitcoin Gold (BTG), Bitcoin Cash (BCH), Dash (DASH), Ethereum (ETH), Ethereum Classic (ETC), Ripple (XRP), Litecoin (LTC), Zcash (ZEC), and Monero (XMR).

FacexWorm attackers can make money if they refer victims to particular cryptocurrency sites. They do this by redirecting a cryptocurrency web page request from the victim through the attacker’s site, making it appear that the attackers were the ones who referred the victim. Thus, if the victim registers an account, the attackers make a little money from having referred them. These are the sites that the attackers receive fees from: Binance, DigitalOcean, FreeBitco.in, FreeDoge.co.in, and HashFlare.

Here is a diagram from the Trend Micro report that summarizes how FacexWorm propagates.

[Image: FacexWorm propagation diagram from the Trend Micro report]

Circumventing FacexWorm

If you are worried that a cryptocurrency web page is a fake, simply refresh the page and it will load the real one; check the URL to make sure. Refreshing works because the malware’s injected code suppresses a second redirect to the same page within a certain time frame.

If the victim becomes suspicious, (possibly because they sense that their browsing is slower than usual) and tries to open the extension management menu in the Chrome browser, the malware will close the tab before any action can be taken.

The weak point in the attacker’s propagation is actually in the initial Facebook Messenger attack. Facebook algorithms can readily identify such simple links as malicious and they routinely remove them. Chrome has also been removing extensions containing the malicious code. Installing new updates is important to mitigate any FacexWorm attacks. The sad truth is that these removals only teach the attackers more about hiding their code.

It appears that this entire, somewhat sophisticated, malware exploit is still in the development stage. It is currently affecting computers in Asia and parts of Europe. In fact, the attackers may just be testing it out to see where the weak spots are. I would expect them to develop more techniques to bypass detection as time goes by because the FacexWorm package contains too many good exploits to simply toss aside. It should, when the time is right, begin to show up in the U.S. and that’s something you can bet on.

 


World Cyberwar I

Minor skirmishes in preparation for an all-out cyberwar have been taking place in the Middle East for a number of years now. Since the Stuxnet attack on Iran’s nuclear facilities in 2010, the region has seen a number of attacks on key infrastructure. These attacks have been troubling but have deliberately been kept at a level that irritates rather than cripples. No nation in the region will declare an all-out cyberwar unless it is already in a declared conventional war. The reason is that cyberwar between capable adversaries is mutually destructive: all the major players hold cyber weapons that could severely damage the infrastructure of the others, and attacking a rival nation will almost certainly bring an equivalent response. That deterrent is the main thing that has kept most of these operations at the espionage level. There have been a few exceptions, such as the attack on Saudi Aramco last December that has been attributed to Iran, but such attacks have been obfuscated to the point where attribution cannot be made with certainty. Even so, most cybersecurity experts have little doubt that Iran was behind the Aramco attack.

Now the situation may have changed. Israel has put Iran in its sights, and it will take only one key event by either adversary to set off a chain reaction that leads to the first declared cyberwar. I suggest that the situation is similar to the state of the world before World War I, when one event, the assassination of Austria’s Archduke Franz Ferdinand by a young Bosnian Serb nationalist, pushed preset alliances onto a wartime footing.

In World War I, the assassination of the Archduke led the Austro-Hungarian Empire to declare war on Serbia. Serbia was aligned with Russia, which mobilized against Austria-Hungary. Russia’s entry into the fray led Germany to declare war on Russia and, two days later, on Russia’s ally France. Germany’s invasion of France through neutral Belgium then pulled Great Britain into the war. Japan, Italy, and the United States entered later.

In the Middle East, Iran is allied with Syria, Lebanon’s Hezbollah, the Palestinian Authority, and Russia, and it considers Israel, Saudi Arabia, and the US its enemies. Egypt has grown closer to the US and has historic animosity towards Iran. Turkey is in a tough position: although it has traditionally been antagonistic towards Saudi Arabia, the two share an enemy in Iran, which may be enough to pull Turkey into any conflict that develops. Turkey has long wanted Assad out as the leader of Syria and resents the fact that both Russia and Iran are helping him keep his power. The United Arab Emirates has mixed feelings towards Iran. Iraq has been friendlier towards Iran since Saddam Hussein’s departure, but it has enough problems at home and will likely try to avoid being drawn into any conflict. The US will stand with Israel. Whether the US’s European allies will offer more than moral support is hard to say, but they may be drawn in under some circumstances. Interestingly, the only major power that might be able to stay out of this conflict is China.

So who are the greatest cyber powers among these participants? The US must be considered the strongest, with Russia second, Israel third, and Iran a close fourth. All four are among the world’s top cyber powers, and each is able to deliver devastating cyber attacks.

An official declaration of war would not be necessary for an all-out cyberwar to begin. If confrontations between major participants become severe enough to threaten the existence of one of the parties, cyberwar will ensue: a nation pushed into a corner will use whatever weapons it has at its disposal, believing it no longer has anything to lose. Here, briefly, are the types of attacks that would take place during such a cyberwar.

Attacks on Industries Related to the War Effort

Don’t expect the target to be obvious. It may not be a major aerospace firm that is attacked, but a smaller supplier that makes a key component. A sophisticated attack would attempt to alter the parameters of such components so that they malfunction when used; this is essentially what Stuxnet did to Iran’s centrifuges. Most participants would try to find ways to cause weapons to misfire. Russian hackers reportedly trojanized an Android app that Ukrainian artillery crews used to speed up targeting; the implant purportedly reported the devices’ geolocation, which in turn turned the artillery units themselves into targets. Some have claimed that Russia is using Ukraine to hone its cyberwar skills.

There are other ways to target key industries. They may be hacked for information the adversary can use. They may be hit with DDoS attacks that disrupt their internet connectivity. Or their networks may be seeded with malware that either holds crucial information for ransom or destroys it outright.

Attacks on Infrastructure

Infrastructure attacks are the scariest aspect of an all-out cyberwar. Most people think such an attack would simply mean that their lights go out for a while. It is far worse than this. Here are some implications of an attack that takes down a power grid.

Financial Breakdown

Without electricity, how will you use an ATM? How will companies and banks transfer money? How will the stock market operate? Forget about using your credit cards. It will be back to a cash-only society, and stores will not be able to use their cash registers; cashiers will have to add up prices by hand and work out your change. Imagine waiting in those lines. If you use your smartphone for banking, that will work only until the battery runs down, and only if the internet is still operating. Even then it won’t matter much, because the pay you expect to be electronically transferred to your bank account won’t arrive.

Transportation Breakdown

You can imagine the chaos that would ensue if all traffic lights were suddenly turned off (or, in some scenarios, all turned green). Trains and planes could not operate. Gas pumps could not pump gas. People could die in plane crashes when air traffic controllers cannot communicate with pilots. Others could be trapped in elevators and subways. In short, almost all transportation, other than bicycles, will come to a stop.

Health Breakdown

Hospitals have generators, which will operate as long as their fuel supplies last. The lives of patients on life support systems will be in continuous jeopardy. Food will spoil as freezers stop operating. If the grid stays down for a long time, starvation may become a problem. Water pumps will stop. Water purification systems will not operate. Toilets will not flush. Sewage treatment systems will fail. Ambulances will not be able to reach the rapidly increasing number of accident victims, either because roads will be blocked with abandoned vehicles or because fuel will be impossible to come by. Without streetlights and alarms, crime will certainly rise.

Industrial Breakdown

Industries will be unable to operate. Manufacturing will stop. Important products, such as canned foods, will not be produced. Weapons and their components will no longer be manufactured. If such attacks continue for a long time, basic commodities, such as oil, iron, and grain, will not be available. Large farms will be unable to supply food processing plants, as they could not transport their crops. Without feed, animals will die.

industry attacks

Information Breakdown

Normally, the first hacks in a war are those on the media. Adversaries will try to infiltrate each other’s media in order to shut outlets down, disseminate misinformation, or spread propaganda. Social media accounts will be hacked to make major players in the conflict look bad. High-profile government agencies will be breached to make them look incompetent and vulnerable.

If the past is any indication of the future, the following graph shows the sectors most likely to be affected by an infrastructure attack.

cyber attack sectors


It seems evident that a full-out conventional war will now incorporate cyber weapons. However, it is also possible that a serious cyber attack could cross the digital-analog divide and precipitate a conventional war. After all, if a country’s citizens were killed or seriously threatened by a cyber attack, there would be justifiable reason to retaliate physically. Indeed, NATO’s members have already taken this into account. At their 2014 summit in Wales they agreed that a serious cyber attack on a member could trigger Article 5, which states that “an armed attack against one or more of them in Europe or North America shall be considered an attack against them all”; whether a given cyber attack rises to that level is decided case by case. So could a serious cyber attack on the US pull NATO members into a Middle East fray? That certainly seems possible if the attack were severe enough.

But is it really possible to launch a cyber attack devastating enough to start a war? Maybe, but it would be difficult to organize without being discovered, and so costly that it could probably only be pulled off by a nation-state. Even if the attack succeeded, it might not be sustainable, and sustainability is crucial for devastating damage to occur. The BlackEnergy-linked attack on Ukraine’s power grid in December 2015, the first confirmed cyber attack to cause a grid outage, only managed to cut power to roughly 225,000 customers (early reports spoke of 1.4 million people) for up to six hours: a bad, but not devastating, attack that probably cost more to organize than it was worth.

Sustained outages, lasting six months to a year or more, are said to have the potential to kill large numbers of people. According to former director of the Central Intelligence Agency (CIA) R. James Woolsey, in a widespread, sustained attack, “two-thirds of the United States population would die. The other estimate is that within a year or so, 90% of the U.S. population would die. We’re talking about total devastation. We’re not talking about just a regular catastrophe.” Although most experts consider this an exaggeration, numbers in the 10 to 20 million range are quite plausible.

As you read this, Israel’s elite cyber intelligence group, Unit 8200, is practicing its defense against anticipated Iranian cyber attacks. The cybersecurity firm CrowdStrike has reported a sharp increase in malicious cyber activity coming out of Iran. No longer constrained by the nuclear agreement, Iran feels emboldened to attack its adversaries, especially the US. Both Israel and the U.S. will be attacked, and they will, in turn, strike back. Israel’s prime minister, Netanyahu, declared that “Whoever hits us will get hit seven times over. Whoever prepares themselves to attack us will be attacked first. That is what we have done and that is what we will continue doing.” If Iran’s cyber attacks are met with this kind of response, it will be a short path from incident to full-out war.


The Dangerous Rise in Code Injection Attacks

So what is code injection, and why is it dangerous? In the malware sense used in this post, code injection means an attacker placing code inside a legitimate application or process so that it runs under that program’s identity, subverting the program’s normal activity and making it perform tasks that benefit the attacker. It is dangerous because the injected code inherits the trust, privileges and reputation of its host, and the host can then be manipulated to give the attacker full control over a victim’s computer or other device.

Code injection is rapidly becoming a preferred attack vector because it offers more benefits to an attacker. IBM’s 2018 X-Force Threat Intelligence Index reports that injection attacks increased alarmingly in 2017, accounting for more than 79% of the malicious activity it observed. One caveat when reading that figure: IBM counts input-injection attacks against applications, such as SQL and OS command injection, which is a broader category than the process-injection techniques malware uses to hide inside legitimate programs, the subject of the rest of this post.

ibm injection

This post will outline several recent exploits that use a variety of code injection techniques to target victims. These are the FakeUpdate campaign, Smoke Loader malware, and the Early Bird technique.

The FakeUpdate Campaign

The FakeUpdate campaign began last December and has been growing rapidly ever since. For whatever reason (a phishing email, a redirection), you may end up on one of the campaign’s compromised but otherwise legitimate websites; most of them are abandoned or simply outdated. Upon arrival, the injected script identifies which browser you are using and then tells you it is time to update it. The popup looks legitimate, as in the following example.

firefox update

You are told to download the “update” from a legitimate-looking Dropbox link. However, if you look at the browser’s address bar, you will see the site into which the malicious code was injected. Here is that compromised site, as exposed by Malwarebytes.

firefox compromised

The injected script shows the fake update to a given visitor only once, to avoid detection and make analysis harder. Accepting the “update” downloads a file onto your device that connects to the C&C server and receives instructions. The exploit can detect and avoid sandboxes. If it succeeds, banking malware (Chthonic, a ZeusVM variant) is installed on your device; some infections instead installed RATs (Remote Access Trojans), which give the attacker total control of the device.

The campaign targets Firefox and Chrome users with fake browser updates, while Internet Explorer users are targeted with fake Flash Player updates. Thousands of sites are said to be compromised. Normal browsing precautions should defeat these attacks: check any URL you are being directed to, and remember that browsers update themselves through their own update mechanism, never through a download prompt on a third-party web page.
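From the site owner’s side, the injection is visible as a script tag that was not in the page before. The following is an added example, not code from Malwarebytes or from the campaign, of the check a web-integrity monitor can run: collect every script a page loads, and diff it against a known-good baseline of allowed script hosts and hashes of known inline scripts. The page HTML, the hostnames and the baseline are constructed sample data.

```python
"""Catch an injected <script> by diffing a page's scripts against a known-good baseline.

Added illustration for the FakeUpdate campaign discussed above; it is not code
from Malwarebytes or from the campaign.  The page HTML, the hostnames and the
baseline are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_page(html, page_host, baseline):
    """Return (kind, detail) findings for scripts the baseline does not cover.

    baseline["hosts"]: third-party hosts allowed to serve scripts (the page's
    own host is always allowed); baseline["inline_hashes"]: sha256 digests of
    known inline scripts.  Anything else is an injection or a change to review.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc or page_host  # relative URL => first party
        if host != page_host and host not in baseline["hosts"]:
            findings.append(("unknown-external-script", src))
    for body in collector.inline:
        if sha256(body) not in baseline["inline_hashes"]:
            findings.append(("unknown-inline-script", body[:60]))
    return findings


# Constructed baseline: one analytics host and one known inline snippet.
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE = {
    "hosts": {"cdn.example-analytics.test"},
    "inline_hashes": {sha256(KNOWN_INLINE)},
}

# Constructed pages: the site as deployed, and the same page with the kind of
# script the campaign injected (a profiler loaded from an attacker-controlled
# host plus an inline snippet that draws the fake update overlay).
CLEAN_PAGE = (
    "<html><head>"
    + '<script src="/assets/app.js"></script>'
    + '<script src="https://cdn.example-analytics.test/a.js"></script>'
    + "<script>" + KNOWN_INLINE + "</script>"
    + "</head><body>Hello</body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://static.update-check.test/fp.js"></script>'
    + "<script>var ua = navigator.userAgent; showFakeUpdate(ua);</script>"
    + "</head>",
)

if __name__ == "__main__":
    for kind, detail in audit_page(INJECTED_PAGE, "www.example-site.test", BASELINE):
        print(kind, detail)
```

Run against the clean page the audit is silent; against the injected page it reports the foreign script host and the unknown inline snippet. The baseline has to be refreshed whenever the site legitimately changes, which is exactly the discipline the abandoned sites in this campaign lacked.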

Smoke Loader Malware

In March, within a 12-hour period, Windows Defender blocked Smoke Loader (aka Dofoil) infection attempts on some 400,000 computers. Smoke Loader is a downloader; in this campaign it was used to install a cryptocurrency miner. Windows Defender quickly undermined the attackers, but they returned with upgraded attacks shortly thereafter. Smoke Loader hides by process hollowing: it starts a new instance of explorer.exe, the Windows shell, in a suspended state and replaces the legitimate code in that process with its own before letting it run.

One of the biggest recent tech stories concerned the Meltdown and Spectre flaws in Intel and other chips. Smoke Loader has been known to take advantage of this by masquerading as a patch for that problem. Victims may be led to a site that tells them to download “Intel-AMD-SecurityPatch-11-01bsi.zip”. Downloading and running the included “Intel-AMD-SecurityPatch-10-1-v1.exe” installs the malware. The site the malware is hosted on will often be an HTTPS site set up by the criminals, which many users assume means it is safe. But certificates are cheap or free, and the padlock only says the connection is encrypted, not that the site is honest. Keep in mind that any news event can be turned into a lure to trick victims into downloading malware.

Cryptocurrency mining malware has rapidly grown in popularity among criminals. The malware enlists a group of computers, devices, or things and has them work for the attackers at proof-of-work mining, the brute-force hashing that earns new coins. Since mining burns large amounts of power, the attackers want the owners of the compromised machines to absorb the electricity costs. So, in addition to sudden increases in their electric bills, victims may notice that their devices have suddenly slowed down. It is in the perpetrators’ interest to remain undiscovered, so they will want to slow, but not stop, the devices the mining malware runs on. The miner does, however, have to stay in touch with a mining pool to fetch work and submit results, and that traffic is a reliable place to look for it.
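As an added example, not code from the page or from Microsoft, here is a detector for that pool traffic. Miners talk to pools with Stratum, a line-oriented JSON-RPC protocol over TCP: Bitcoin-style pools use the methods mining.subscribe, mining.authorize and mining.submit, while the Monero-style dialect spoken by XMRig-type miners uses login and submit with a job blob and an agent string. The flow lines, addresses and wallet string below are constructed. Traffic carried over stratum+ssl cannot be read this way and has to be caught by destination reputation or by the sustained CPU load described above.

```python
"""Spot cryptocurrency-mining traffic by its Stratum control messages.

Added example for the coin-mining discussion above; not code from the page.
The flow records are constructed.  Encrypted (stratum+ssl) sessions will not
match and need other telemetry.
"""
import json
import re

# Methods that only make sense in a miner-to-pool conversation.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit"}
# "login"/"submit" are generic names, so for those insist on Monero-style fields.
MONERO_FIELDS = {"login", "agent", "job_id", "nonce", "result"}

# One flow per line: "src -> dst:port  first payload bytes" (constructed sample).
SAMPLE_FLOWS = """
10.0.0.12 -> 203.0.113.9:443   {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber"}
10.0.0.12 -> 203.0.113.50:3333 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}
10.0.0.12 -> 203.0.113.50:3333 {"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}
10.0.0.19 -> 198.51.100.7:14444 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCDEFwallet","pass":"x","agent":"XMRig/2.6.0"}}
10.0.0.19 -> 198.51.100.7:14444 {"id":2,"method":"submit","params":{"id":"s1","job_id":"7","nonce":"a1b2c3d4","result":"00ff"}}
10.0.0.33 -> 192.0.2.5:80      GET /index.html HTTP/1.1
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+)\s+(.*)$")


def classify(payload):
    """Return (method, params) if payload is a Stratum mining message, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None  # not JSON at all (HTTP, binary, ...)
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None  # ordinary JSON-RPC (e.g. a wallet API call) is not mining
    method, params = msg["method"], msg.get("params")
    if method in ("login", "submit"):
        if not isinstance(params, dict) or not (MONERO_FIELDS & set(params)):
            return None
    return method, params


def find_miners(lines):
    """Parse flow lines and return one record per mining control message seen."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port, payload = m.groups()
        found = classify(payload)
        if not found:
            continue
        method, params = found
        agent = None  # miner software names itself in subscribe/login
        if isinstance(params, dict):
            agent = params.get("agent")
        elif method == "mining.subscribe" and params:
            agent = params[0]
        hits.append({"src": src, "dst": f"{dst}:{port}", "method": method, "agent": agent})
    return hits


def suspected_hosts(hits):
    """Map each internal source address to the pool endpoints it talked to."""
    result = {}
    for h in hits:
        result.setdefault(h["src"], set()).add(h["dst"])
    return result


if __name__ == "__main__":
    for src, pools in suspected_hosts(find_miners(SAMPLE_FLOWS)).items():
        print(src, "->", ", ".join(sorted(pools)))
```

The first sample line is deliberately a non-mining JSON-RPC call, which the method allow-list ignores; the agent string (cpuminer, XMRig) tells the responder which miner was dropped.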

The Early Bird Technique

In this technique, the malware starts a legitimate process in a suspended state, writes its code into the new process’s memory, and queues that code as an asynchronous procedure call (APC) on the process’s main thread before resuming it. The injected code therefore runs before the process’s own entry point, and before the user-mode hooks that antivirus products place inside a process are in place, so those hooks never see it; what the antivirus sees is a legitimate process starting normally. The legitimate processes normally targeted were explorer.exe, svchost.exe, and rundll32.exe. The injected malware remains persistent after reboot by writing a registry key.

This is more sophisticated than the usual exploit, and Cyberbit, the firm that exposed the technique, found it in malware it associates with the Iranian government-backed hacker group APT33. This is disconcerting because APT33 has been known to target the aerospace and energy sectors.

How does APT33 get the Early Bird technique onto devices in the first place? In the past, the group specialized in spear phishing employees of the firms or organizations it wanted to target. These employees were sent emails about potential jobs in their fields, containing links to HTML files (HTML application, or .hta, files) that displayed legitimate-looking job ads but also carried malicious code. Opening such a file would install the dropper, which would in turn use the Early Bird technique to install whatever malware the attackers wanted. If this is, indeed, an attack vector being used by APT33, then the goal of the malware would be to use the compromised employee device to access the corporate network and steal information. If, however, Early Bird is being used by other attackers, the technique can be used to install anything from banking malware to RATs.
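Neither Smoke Loader’s hollowing of explorer.exe nor Early Bird creates a remote thread, so detections built on CreateRemoteThread (Sysmon Event ID 8) never fire. What both leave behind is a process opened with memory-write rights by a stranger, plus, for hollowing, a well-known process started by a parent that never normally starts it. The following is an added example, not code from Microsoft or Cyberbit, that runs those two checks over process-access and process-create records. The records are constructed to resemble the fields of Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate); the expected-parent table and the trusted-source list are assumptions to tune for your own builds and tooling.

```python
"""Flag process-injection patterns in process-create and process-access telemetry.

Added example for the Smoke Loader (process hollowing of explorer.exe) and
Early Bird (write + APC into a suspended explorer/svchost/rundll32) passages
above.  Not code from Microsoft or Cyberbit.  Records are constructed to
resemble Sysmon Event ID 1 and Event ID 10 fields; the allow-lists are
assumptions.
"""

# PROCESS_* access rights as defined in the Windows SDK headers.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# Writing code into another process needs VM_OPERATION (allocate/protect) and
# VM_WRITE.  Hollowing and Early Bird additionally need thread control: the
# former to resume the hollowed process, the latter to queue the APC and resume
# the main thread.
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
THREAD_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME

# Hosts the page names as injection targets, with the parents that normally
# start them (assumption; adjust for your environment).
EXPECTED_PARENTS = {
    "explorer.exe": {"userinit.exe", "explorer.exe"},
    "svchost.exe": {"services.exe"},
    "rundll32.exe": {"explorer.exe", "svchost.exe", "services.exe"},
}
# Sources allowed to open targets with write rights (assumption: your AV engine).
TRUSTED_SOURCES = {"msmpeng.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_access(ev):
    """Event 10 style record: {'source': path, 'target': path, 'granted': int}."""
    src, tgt, mask = basename(ev["source"]), basename(ev["target"]), ev["granted"]
    if tgt not in EXPECTED_PARENTS or src in TRUSTED_SOURCES:
        return None
    if (mask & WRITE_RIGHTS) != WRITE_RIGHTS:
        return None  # read-only access (debuggers, inventory tools) is not injection
    kind = "write+thread-control" if mask & THREAD_RIGHTS else "write-only"
    return f"{src} opened {tgt} with 0x{mask:x} ({kind})"


def check_process_create(ev):
    """Event 1 style record: {'image': path, 'parent': path}."""
    img, parent = basename(ev["image"]), basename(ev["parent"])
    if img in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[img]:
        return f"{img} started by unexpected parent {parent}"
    return None


def scan(events):
    """Run both checks over event records and return the alert strings in order."""
    checks = {1: check_process_create, 10: check_process_access}
    alerts = []
    for ev in events:
        check = checks.get(ev["id"])
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Normal service host start.
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    # Hollowing pattern: the fake "patch" from the Smoke Loader lure spawns its own explorer.exe.
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\bob\AppData\Local\Temp\Intel-AMD-SecurityPatch-10-1-v1.exe"},
    # AV engine inspecting svchost: QUERY_INFORMATION | VM_READ only.
    {"id": 10, "source": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\svchost.exe", "granted": 0x0410},
    # Early Bird pattern: allocate, write and suspend/resume rights on rundll32.exe.
    {"id": 10, "source": r"C:\Users\bob\Downloads\job_offer.exe",
     "target": r"C:\Windows\System32\rundll32.exe", "granted": 0x0C28},
    # Plain write access from an unknown binary into explorer.exe.
    {"id": 10, "source": r"C:\Users\bob\AppData\Roaming\updater.exe",
     "target": r"C:\Windows\explorer.exe", "granted": 0x0028},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

One caveat when the injector is also the parent, as in Early Bird: the parent receives a full-access handle to its suspended child at creation, so depending on the sensor you may see only the parent-child pair and not a separate open; the expected-parent check is what catches that case, which is why the two checks belong together.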

The Future of Code Injection

Some code is routinely injected into browsers by antivirus and other third-party software, for example to inspect pages for malicious content. However, leaving that door open gives attackers the same entry point, and an injected module the browser cannot vouch for is also a common source of crashes. For this reason, Google Chrome will block third-party software from injecting code into its processes on Windows by January 2019, after first warning users about such software during 2018. Expect other browser makers to follow this example, and expect attackers to find ways around it. That’s just the way it is.
