Cyber Round-up for 5th October
Welcome to Ironshare’s Cyber Round-up, where we take a look back at the events of the last week and handpick some of the news, posts, views and highlights from the world of Security.
Bloomberg Bombshell on China’s US infiltration
Thursday 4th October turned out to be a big day for the Cyber community, with the release of several big stories, none seemingly bigger than the Bloomberg Businessweek bombshell alleging the mass infiltration of major US companies by Chinese intelligence.
Bloomberg Businessweek’s post, titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies”, provides an in-depth account of a top-secret three-year probe into how a microchip the size of a pencil tip was implanted by the Chinese on the server motherboards of up to 30 US companies.
With China manufacturing approximately 75% of the world’s mobile phones and 90% of its PCs, it should be no surprise that it is in a strong position to launch this otherwise very difficult type of hardware attack. It is believed that operatives from the People’s Liberation Army (PLA) used the motherboard provider Supermicro, whose customers included Apple and Amazon, to install these chips during the motherboard manufacturing process.
This attack has very far-reaching consequences, as it reportedly impacted hardware and servers used by Apple, Amazon, the US Department of Defense, CIA drone operations, Navy warships, banks and government contractors.
Amazon and Apple have denied these reports, stating they are unaware of any such compromise or investigation. Unfortunately for them, several former senior US national security officials have countered these denials in conversations about the investigation, which began during the Obama administration.
During the investigation a method was developed to monitor the chips’ activity without revealing to the attackers that the chips had been found. Over months of monitoring, brief check-in communications between the attackers and the compromised servers were detected, but no attempts to remove any data were witnessed.
As Bloomberg puts it: “In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.”
A former US intelligence official quoted in the piece adds: “Think of Supermicro as the Microsoft of the hardware world. Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
NCSC confirms Russian state sponsored attacks
A news post released by the NCSC on 4th October exposes the ongoing campaign of cyber-attacks carried out by Russia’s military intelligence service, the GRU. The post confirms that several known actor groups operating around the world are in fact the GRU.
The groups that the NCSC has confirmed are associated with the GRU are well known in the community and include Fancy Bear, APT28, Strontium and CyberCaliphate.
Jeremy Hunt, the UK Foreign Secretary, stated:
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.
This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.
Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”
Further news articles and press conferences followed throughout Thursday, in which the British and Dutch governments’ joint operations confirmed they had hard evidence of these cyber activities, including Russia’s attempted hack of the UK Foreign Office.
Patience with Russia is wearing thin. The UK is prepared and committed to continue working with its allies to apply and maintain pressure in countering these Russian activities, which NATO has described as “a reckless pattern of behaviour, including the use of force against its neighbours”.
Facebook Hacked – 50 Million users face potential compromise
Last Friday Facebook admitted that an unknown actor group had exploited a zero-day vulnerability in its social media platform to access and steal the access tokens of more than 50 million users. These tokens are what keep you logged into your Facebook account and the applications that use it.
Full technical details of the attack have not been disclosed by Facebook, but it has confirmed that the issue stemmed from three distinct bugs in the code behind the ‘View As’ feature (which lets people see what their own profile looks like to someone else) and that the vulnerability has been patched.
As a precaution, Facebook has forcibly reset the access tokens of over 90 million users, which logs out all current sessions and prompts for login the next time the app is used.
Unfortunately, this is not isolated to the Facebook service alone: if you use your Facebook account to log in to third-party applications and sites such as Instagram, Tinder and many others, those sessions will have been affected too.
Facebook VP Guy Rosen, explained “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to login again on that window.”
Rosen also stated that the attackers did not get access to or steal users’ passwords, so unless you are one of the 90 million logged-out users you should not be affected and will not need to change your password.
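The mechanics Rosen describes above, a token minted at login that then stands in for the password, are why the only meaningful response to stolen tokens is to kill them server-side rather than ask people to change passwords. The block below is an added example, not Facebook’s code or anything from the original post, of how a service can mint tokens cryptographically bound to a user id and, like the forced reset of 90 million tokens described above, invalidate every outstanding token for a user with a single server-side change. The signing key, the function names and the timestamps are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed for this example: a real service loads its signing key from a secret store.
SIGNING_KEY = b"example-only-signing-key"

# Server-side per-user cutoff: tokens issued before this time are dead.
# Bumping it is the single operation behind a "reset everyone's sessions".
_session_cutoff: Dict[str, float] = {}


def _mac(body: bytes) -> str:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_token(user_id: str, issued_at: float, ttl: float = 3600.0) -> str:
    """Mint a bearer token bound to user_id; whoever holds it acts as that user."""
    body = json.dumps({"uid": user_id, "iat": issued_at, "exp": issued_at + ttl},
                      separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body)


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the bound user id if the token is genuine, unexpired and not
    revoked by a forced reset; otherwise None."""
    try:
        b64, mac = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(mac, _mac(body)):  # constant-time comparison
        return None
    claims = json.loads(body)  # only parsed once the body is authenticated
    if now >= claims["exp"]:
        return None
    if claims["iat"] < _session_cutoff.get(claims["uid"], 0.0):
        return None  # issued before this user's last forced reset
    return claims["uid"]


def reset_all_sessions(user_id: str, now: float) -> None:
    """Invalidate every token issued to user_id before now: the forced logout."""
    _session_cutoff[user_id] = now


def retarget_without_key(token: str, new_uid: str) -> str:
    """What an attacker holding a token but not the key can try: rewrite the
    user id in the body and keep the old MAC. verify_token must reject this."""
    b64, mac = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64))
    claims["uid"] = new_uid
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + mac
```

The cutoff is stored per user rather than per token, so the reset costs one write regardless of how many tokens are in circulation, and a token handed to a browser by the single sign-on step Rosen describes dies with the rest as soon as the user’s cutoff moves.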
Cisco IOS XE and ASA Vulnerabilities
Cisco has disclosed a high-severity vulnerability in its IOS XE and ASA firewall software that could allow an unauthenticated remote attacker to force an affected device to reload.
The vulnerability exists in the IPsec driver of multiple products, including ASR and ISR routers running IOS XE and ASA 5500-X series firewalls running Firepower Threat Defense (FTD) software.
A remote attacker can exploit this vulnerability by sending malformed IPsec packets, using either ESP (Encapsulating Security Payload) or AH (Authentication Header), that are processed by an affected device, causing it to reload.
It is recommended that you update your devices to the latest fixed software versions provided by Cisco.
For more information and a breakdown of the affected products and software see the link below.
New Linux Kernel bug allows Root access
Right on the back of last week’s round-up, Linux is in the headlines again with a second kernel flaw in a week.
This latest vulnerability, CVE-2018-17182, was discovered by Jann Horn, a researcher at Google Project Zero, and affects the Linux memory management subsystem in kernel versions 3.16 through 4.18.8.
Horn explains that the flaw stems from a sequence-number overflow in the kernel’s VMA cache (vmacache): when the 32-bit counter used to validate cache entries wraps around, stale entries can be treated as valid, leading to a use-after-free that a local attacker can exploit for privilege escalation to root and arbitrary kernel code execution.
As this affects numerous Linux distros, including Red Hat, Debian, Ubuntu and Android, it is recommended that you review your current kernel version and patch accordingly.
Threatpost’s coverage of this vulnerability can be found here: https://threatpost.com/another-linux-kernel-bug-surfaces-allowing-root-access/137800/
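Neither Horn’s write-up nor the kernel source is reproduced here; the block below is an added, scaled-down model of the bug class this story is about: a lookup cache whose entries are validated by comparing sequence numbers, where the counter eventually wraps. An 8-bit counter stands in for the kernel’s 32-bit vmacache sequence number so that the wraparound is reachable in a short loop, and `invalidate_unsafe` / `invalidate_hardened` are illustrative names, not kernel functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Scaled-down model of a sequence-number-validated lookup cache.
 * Not the kernel's code: an 8-bit counter stands in for the 32-bit
 * vmacache sequence number so the wraparound is reachable in a loop. */
typedef uint8_t seq_t;

struct region {
    uintptr_t start, end;
    bool freed;   /* set instead of calling free() so the stale pointer can be inspected */
};

struct cache {
    seq_t seqnum;          /* sequence number at the time the cache was filled */
    struct region *entry;
};

struct addr_space {
    seq_t seqnum;          /* bumped on every region change */
    struct cache *caches[4];  /* per-thread caches registered against this space */
    size_t ncaches;
};

static void cache_fill(struct cache *c, struct addr_space *as, struct region *r) {
    c->seqnum = as->seqnum;
    c->entry = r;
}

static struct region *cache_lookup(struct cache *c, struct addr_space *as) {
    if (c->seqnum != as->seqnum) {   /* cache is stale: drop it */
        c->entry = NULL;
        return NULL;
    }
    return c->entry;
}

/* Vulnerable pattern: the counter is bumped and nothing happens when it wraps,
 * so a cache filled one full cycle ago compares equal again. */
static void invalidate_unsafe(struct addr_space *as) {
    as->seqnum++;
}

/* Hardened pattern: when the counter wraps to 0, every cache keyed on this
 * space is flushed, so no entry from the previous cycle can ever match. */
static void invalidate_hardened(struct addr_space *as) {
    as->seqnum++;
    if (as->seqnum == 0) {
        for (size_t i = 0; i < as->ncaches; i++) {
            as->caches[i]->entry = NULL;
            as->caches[i]->seqnum = 0;
        }
    }
}

/* Returns true if, after one full counter cycle, the lookup hands back a freed region. */
static bool run_scenario(void (*invalidate)(struct addr_space *)) {
    struct addr_space as = { .seqnum = 0 };
    struct cache thread_cache = { 0 };
    as.caches[as.ncaches++] = &thread_cache;

    struct region r = { .start = 0x1000, .end = 0x2000, .freed = false };
    cache_fill(&thread_cache, &as, &r);

    /* The region is torn down; the owning space bumps its sequence number. */
    r.freed = true;
    invalidate(&as);

    /* 255 further unrelated changes bring the 8-bit counter back to its old value. */
    for (int i = 0; i < 255; i++)
        invalidate(&as);

    struct region *hit = cache_lookup(&thread_cache, &as);
    return hit != NULL && hit->freed;   /* true == use-after-free */
}

bool unsafe_returns_freed_region(void) { return run_scenario(invalidate_unsafe); }
bool hardened_returns_freed_region(void) { return run_scenario(invalidate_hardened); }
```

With a 32-bit counter the same wrap needs about four billion invalidations, which is why this class of bug tends to be found by reasoning about the invalidation path rather than by fuzzing; the defensive rule is the same at any width: a wrap is an event that must flush every dependent cache, not a no-op.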
It has been a huge week for news in Cyber Security, with some big pieces that I am sure will roll on for some time, so please do tune in for our next instalment.
To keep up to date with our news and posts why not join our mailing list by using the link to subscribe: http://bit.ly/IronMailList
You can also follow us using the social media links provided.
If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment: http://bit.ly/IronFreeCyberReview
Ironshare – Security Simplified
Edition #11 – 5th October 2018