3/2/2015 06:10 PM
What You Need To Know About Nation-State Hacked Hard Drives

The nation-state Equation Group compromise of most popular hard drives won't be a widespread threat, but future disk security -- and forensic integrity -- remain unclear.

The recent discovery that a nation-state hacking group had built its own tools to reprogram hard drives from more than a dozen major vendors, so that the drives could harbor malware and store stolen information undetected, has cast a shadow over the security and reliability of these disk drives.

Most security experts weren't shocked that a nation-state was messing with hard drive firmware -- hard drive attacks had been demonstrated by researchers over the past year, and it was only a matter of time before an in-the-wild attack was found. Even so, the so-called Equation Group's ability to wrest control of such a broad array of drive products was eye-opening, given the level of skill, time and financial resources such a feat required.

"The more telling part of the Kaspersky Lab report was that the hard drive malware supported a large number of hard drive vendors. That is a lot of work to set up and test and maintain," says HD Moore, chief research officer with Rapid7.

Kaspersky Lab last month announced that it had discovered a leading-edge nation-state group, which it dubbed the Equation Group, that among other things had built malware modules that can reprogram hard drive brands, ensuring that the malware remains undetected by antivirus software and that even if a hard drive is reformatted or the operating system is reinstalled, the malware can't be eradicated. The attackers could also swap one drive sector with a malware-infected one, and use the drive to store stolen information, for example.

Vitaly Kamluk, director of the EEMEA Research Center at Kaspersky Lab, contends that it would take a skilled programmer months or years to successfully pull off this type of hack. "This is what makes this whole group gods among APT actors. We haven't seen anything close to this" before, Kamluk says. "You would have to get internal documents from the vendor," for instance.

So now that most major hard drive brands apparently have been compromised by the Equation Group -- which has not been officially identified by Kaspersky Lab but which most experts say is most likely the NSA -- what next?

Big-name hard drive vendors for the most part have remained mum or vague about the Equation Group findings. Neither Hitachi nor Toshiba responded to press inquiries about the firmware hack. Meanwhile, a Seagate spokesperson told Dark Reading that the company "has no specific knowledge of any allegations regarding third-parties accessing our drives."

"Seagate is absolutely committed to ensuring the highest levels of security of the data belonging to our users. For over seven years Seagate has been shipping drives offering industry-leading levels of self encryption, while putting in place secure measures to prevent tampering or reverse engineering of its firmware and other technologies," he said.

Hard drive vendors indeed could enhance the security of their drives to thwart such attacks in the future. Many of the newest ARM processors come with secure boot mode support as well as digital signatures of both the boot loader and OS kernel, Rapid7's Moore says. "Securing the ARM chips on the drive controllers isn't impossible and there are ways to make rogue firmware installation harder," he says. "Granted, there is likely a way to bypass those just like all other 'secure' boot modes and it would make flashing and diagnostics more complicated, but they could certainly improve the security, all the same."

Secure boot, broadly, inserts a cryptographic check at each stage of the boot process: each stage verifies the digital signature of the next before handing control to it, so modified or unsigned code cannot run during boot.
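As an added example (written for this page, not taken from the article or from any drive vendor's firmware), the Go program below models the chain Moore describes: a root public key plays the role of the key fixed in the controller at manufacture, the boot loader must carry a signature that chains to it, and the verified loader in turn names the key allowed to sign the kernel. The two-stage split, the `Stage` layout and the digest each signer signs are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one image in the boot chain: the drive's boot loader, then the
// firmware "kernel". The signature covers the image together with the public
// key permitted to sign the following stage, so swapping either is detected.
type Stage struct {
	Name      string
	Image     []byte            // image bytes (constructed sample data below)
	NextKey   ed25519.PublicKey // key trusted to sign the next stage; nil on the last stage
	Signature []byte            // Ed25519 signature over signedPayload(Image, NextKey)
}

// signedPayload is the digest each stage's signer actually signs.
// (Assumed layout for this example; real products define their own header.)
func signedPayload(image []byte, nextKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write(nextKey)
	return h.Sum(nil)
}

// VerifyChain is what the ROM code would run at power-on. rootKey stands in
// for the public key fixed in the controller at manufacture; every stage must
// be signed by the key handed down from the stage before it.
func VerifyChain(rootKey ed25519.PublicKey, stages []Stage) error {
	key := rootKey
	for i, s := range stages {
		// ed25519.Verify panics on a malformed key, so reject bad lengths first.
		if len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("stage %d (%s): signing key has invalid length", i, s.Name)
		}
		if !ed25519.Verify(key, signedPayload(s.Image, s.NextKey), s.Signature) {
			return fmt.Errorf("stage %d (%s): signature check failed, refusing to run", i, s.Name)
		}
		key = s.NextKey // the verified stage decides who may sign the next one
	}
	return nil
}

// BuildChain signs a loader and kernel as a vendor release process would,
// returning the root public key (what the ROM would hold) and the stages.
func BuildChain(loader, kernel []byte) (ed25519.PublicKey, []Stage, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	loaderPub, loaderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	stages := []Stage{
		{Name: "bootloader", Image: loader, NextKey: loaderPub},
		{Name: "kernel", Image: kernel},
	}
	stages[0].Signature = ed25519.Sign(rootPriv, signedPayload(loader, loaderPub))
	stages[1].Signature = ed25519.Sign(loaderPriv, signedPayload(kernel, nil))
	return rootPub, stages, nil
}

// ReflashKernel is the first tamper case: the kernel bytes in flash are
// overwritten without the vendor's signing key. The old signature no longer
// matches and the chain must reject the stage.
func ReflashKernel(stages []Stage, replacement []byte) []Stage {
	out := make([]Stage, len(stages))
	copy(out, stages)
	out[1].Image = replacement
	return out
}

// RekeyKernel is the second tamper case: the replacement kernel is signed with
// a fresh key and the loader's NextKey is pointed at it. Because the loader's
// own signature covers NextKey, the chain now fails at stage 0 instead.
func RekeyKernel(stages []Stage, replacement []byte) ([]Stage, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	out := make([]Stage, len(stages))
	copy(out, stages)
	out[0].NextKey = pub
	out[1].Image = replacement
	out[1].Signature = ed25519.Sign(priv, signedPayload(replacement, nil))
	return out, nil
}

func main() {
	rootPub, stages, err := BuildChain([]byte("constructed sample: bootloader v1"), []byte("constructed sample: kernel v1"))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:   ", VerifyChain(rootPub, stages))
	fmt.Println("reflashed kernel:", VerifyChain(rootPub, ReflashKernel(stages, []byte("modified kernel"))))
	rekeyed, err := RekeyKernel(stages, []byte("modified kernel"))
	if err != nil {
		panic(err)
	}
	fmt.Println("rekeyed chain:   ", VerifyChain(rootPub, rekeyed))
}
```

The two tamper cases show why each stage signs the key for the next one rather than only its own bytes: otherwise a rewritten kernel could simply bring its own key along. The model also makes Moore's caveat concrete: the check is only as strong as the root key and the ROM code that performs it, and every legitimate re-flash or diagnostic path has to go through the same signing step.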

Still, the majority of organizations won't need to worry about their hard drives getting hacked this way, security experts say. While the Equation Group hard drive hack is alarming and sophisticated, it's not likely to become a widespread threat vector; it will instead be used in very limited and targeted attacks. "One of the reasons you're not going to see these kinds of attacks widespread is because they are very hardware-specific," Moore says. "That effort is too high for most [attackers] intent on causing harm. Most nation-states wouldn't want to go through that much effort," either, he says.

The actual number of victims of the hard drive hack discovered by Kaspersky researchers was small, and in one case that the researchers spotted, the attack began with an infected CD-ROM. A scientist who had attended a conference in Houston, Texas, in 2009 received a CD-ROM from conference organizers with pictures from the event; but the disc also harbored a Trojan that later spread to one of his hard drives.

"He made a copy on a backup hard drive. Our product detected and blocked it on the external hard drive" and it was something we had not yet seen before, says Costin Raiu, head of Kaspersky's global research and analysis team, and one of the lead researchers on the Equation Group findings. The researchers were able to contact the scientist by tracking him down via his IP address, and he relayed the CD-ROM story. "It was [apparently] intercepted [by the Equation Group]… and then shipped to its final destination," Raiu says.

The key to stopping an undetectable hard drive hack is spotting the early stages of the attack, before the drive damage is done. "As amazing and covert as a lot of the Equation Group [hard drive attack] was, if you look at all of the stages, there were plenty of other components that were detectable and use the same techniques as other malware does, but people didn't piece it together," says Ryan Kazanciyan, technical director at Mandiant, a FireEye company. "Even the most covert malware has to get on the system and has the use of lateral movement. Even the best actors aren't invincible."

Kazanciyan says companies need to reduce the attackers' "funnel of operation," making them work harder and raising the chance of quicker discovery.

The big problem, of course, is that conventional wisdom always has been that a malware-infected machine can be cleaned up after you reboot and reformat the drive. "How many years have we been told that malware on the machine can be cleaned by formatting the hard drive?" says Dan Kaminsky, chief scientist with WhiteOps Security.

Kaminsky says it's no surprise intelligence agencies would abuse the functionality of a hard drive for their own purposes. "We've known there are secret places to store data … and secret commands," he says. "Hard drives have their own operating systems, interfaces, and other places to store information. In fact, there are many places in a computer to surreptitiously place malware."

But the hacked hard drive brands have left all types of organizations vulnerable, he says. "This is part of the ongoing global conversation of the proper role of intel," he says. "A lot of businesses and military establishments just got left wide open."

With hard drives potentially silently infected, incident response and evidence collection also could be compromised, notes Mike Davis, CTO at CounterTack. "Now you can no longer take a hard drive to court and say beyond a reasonable doubt" its content is intact, he says. "It puts a massive [monkey] wrench in IR and evidence collection."

The Best Defense

Aside from taking a hammer to the hard drive, there's not much you can do to clean up a drive that's infected this way. Kaminsky recommends separating storage and execution as a way to prevent such an attack: "Stored data should never be allowed to execute code," he says.

The problem, of course, is that anti-malware doesn't scan hard drive firmware for malware. "As long as customers are not able to check the firmware, they have to focus on preventing reaching this stage," says security expert Boldizsar Bencsath at the Budapest University of Technology and Economics' Laboratory of Cryptography and Systems.

That means trying to stop the malware component from achieving the high level of user privileges that got the attackers so embedded and ultimately into the hard drives. And if a computer continues to get reinfected after reinstallation, that's a good clue something like a hard drive hack could be present, Bencsath says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Kelly Jackson Higgins, User Rank: Strategist
3/12/2015 | 10:48:43 AM
Re: Changing behaviours regarding security
I like your not-dated analogies, @jamieinmontreal. You are so right about the balancing act between security and convenience, and the ultimate changing of habits. And you're right--some level of fear is a great motivator.

jamieinmontreal, User Rank: Strategist
3/12/2015 | 10:36:44 AM
Changing behaviours regarding security
@klevkoff117 I'm not necessarily dating myself with this analogy (I hope) but when I was a kid we left the house doors unlocked at all times... it just never occurred to us that locking them was necessary. Kids were left in cars, often with the keys hanging from the ignition and car doors also unlocked.

As times changed and we became more aware of terrible and tragic incidents, we started to change behaviour "just in case". Doors started to be locked, security chains were installed, we learned to ask who was there before opening doors.

It feels like the world is slowly learning these same habits in regards to their Valuable Blob Of data (VBOD), now we install AV at home, we are less inclined to plug random USB devices into things (a lesson which will very likely be summarily ignored the first time a "really useful" IoT type device is issued with a USB Charger) and we don't "just click OK" on random messages - at least not all the time.

As far as ROI for security is concerned it's implicit - why do we buy insurance after all? It's simply a measure of security against the threat of physical or financial harm.

If all of this is true then the battle is between fear and convenience. Fear can be created or developed and can be a powerful motivator - parents leverage it all the time (if you don't believe me, read Hansel and Gretel again).

However, desire for convenience is a really strong motivator as well; to paraphrase an old saying, necessity is the mother of invention - convenience is the father. We needed to make things faster, more accessible and we wanted to do it the easy way.

So the initial fear surrounding something has to be amplified many times to overcome the natural inclination towards inertia - look at campaigns for wearing seatbelts, putting on sunscreen, not smoking in bed (somewhat older reference to be fair), or indeed not smoking at all... Once the inertia has been overcome and action has started, the new habits will form and they will be hard to break - when was the last time you saw a "wear your seatbelt" campaign?

As we read more and more about data breaches and many other concerns, look for firms to start locking everything down and managing access even more tightly - once that starts it will be unstoppable and while there will always be exceptions (does everyone always wear a seatbelt?) the habits will be formed and they will define the newer world. The winners will be those that have developed the means to allay the fear in as easy a manner as possible.


Joe Stanganelli, User Rank: Ninja
3/7/2015 | 11:34:32 PM
Re: Maybe the problem is too much flexibility
That's beautiful, man.  I agree with Marilyn; you should be in marketing.

Unfortunately, marketing ROI and security ROI are very tricky to determine and justify.  It's all about UX these days -- even though nobody in the room at the UX meetings is a "U."

Joe Stanganelli, User Rank: Ninja
3/6/2015 | 12:09:30 AM
Re: Infected conference materials
Scan everything.  :)

Joe Stanganelli, User Rank: Ninja
3/6/2015 | 12:08:11 AM
Re: Infected conference materials
They do make good gifts, though.  One Christmas, when I was stuck for a Christmas present for someone, I gave them one of my free mega-storage USB sticks from a conference.  They loved it.

Maybe they're hacked now.  Who knows?  :p

Marilyn Cohodas, User Rank: Strategist
3/5/2015 | 11:10:50 AM
Re: Maybe the problem is too much flexibility
Great idea @klevkoff117! You should be in marketing! But seriously, I look forward to the day that strong security is a product differentiator -- in finance and other industries.

klevkoff117, User Rank: Apprentice
3/5/2015 | 10:36:39 AM
Re: Maybe the problem is too much flexibility
I think a lot of that problem simply comes down to how institutions interact with the public. Most people I know really do care whether their bank account is safe or not - and would probably respond favorably if their bank actually told them "our account summary page isn't especially pretty, but it's much more secure than our competitors". However, that doesn't happen - presumably because somewhere there's a web designer who's worried that their competitors have pretty 3D mouseover buttons and they don't.

Perhaps it would be more useful for them to educate their customers rather than to always play into their least little whims and desires. (I'm imagining a variation of the old Volkswagen commercial... "Our website is ugly, but our security is better, so we can offer you a credit card with a lower interest rate, and pay better interest rates on our accounts; we think the tradeoff is worth it - don't you?" I know I'd move my accounts there tomorrow - if I actually believed the pitch :) )

Marilyn Cohodas, User Rank: Strategist
3/5/2015 | 10:26:41 AM
Re: Maybe the problem is too much flexibility
@klevkoff117 -- It's certainly not a new problem. And hats off to whoever figures out the right balance between user convenience and security.

klevkoff117, User Rank: Apprentice
3/5/2015 | 10:24:58 AM
Re: Infected conference materials
I think a large part of this is our modern obsession with convenience and looks.

My bank tells me that I should have the latest browser "so I can enjoy the latest features"; if they wanted the best security they would be telling me to disable JavaScript and ActiveX - and use pure HTML. Likewise, does anyone here remember when, if you had a bunch of text to deliver, you did so as a plain text file? A pure text file isn't especially pretty, but you can't practically infect it with malware.

The simple reality is that nobody wants to trade away convenience, or the latest whiz-bang features, for real security... and so the endless quest for good security that is also convenient, cheap, and looks pretty... which is probably just not possible.

Obviously the promoters of that conference had no idea that anyone would want to hack their conference materials. Otherwise they could have put all their conference material into an archive on that CD - and then published the MD5 hash for the archive on their website.

Likewise, another reader posted about, while conducting business at a bank, being permitted to print something through their network off a USB stick... and how this was a rather insecure practice. Am I the only one who remembers when even HAVING a USB drive in a computer that was supposed to be secure was considered a bad idea?

We sacrifice security for convenience at every turn, then we act surprised when we learn that the security isn't there any more....


klevkoff117, User Rank: Apprentice
3/5/2015 | 10:11:23 AM
Maybe the problem is too much flexibility
I'm sorry, but maybe it's time that people just plain grow up. There is an easy - and 100% effective - solution that can be implemented for just a few cents that will prevent anyone from hacking the firmware on your hard drive. Simply attach a physical switch to the physical write-enable pin on the BIOS storage medium; this way, it will be impossible to alter the firmware without physical access to the drive. Many years ago we had an antiquated version of "flash" that was 100% un-hackable - it was called a ROM (read-only memory); since a ROM cannot be reprogrammed, the only way to change the code stored on a ROM is to physically replace it with a new one..... so it's totally secure... and securing your hard drives is as simple as locking the server and posting a security guard. Do we really need the ability to field upgrade the BIOS on a hard drive? If not, then a ROM will do just fine.

Now, I realize that people these days are obsessed with convenience, and nobody is willing to accept the possibility that a product should be correct the first time (and so require no updates), but it seems to me that it wouldn't be a hardship to simply ship hard drives which physically cannot have their firmware or BIOS altered after they leave the factory. (Use a ROM, cut off the write-enable pin, or burn a link to disable the program function.)

The vast majority of the security breaches and hacks we're seeing lately are simply the result of our modern obsession with convenience...

(And let's not even discuss passwords which can be reset after a simple request to do so. Am I the only one who sees the irony of generating a "password reset token", which is secured by a nice long cryptographic hash, then sending that secure link to an unsecured e-mail account, as a plain old unencrypted e-mail. Gee, guys, if you want real security, maybe you really should have to go into the branch and talk to someone in person if you want to recover your lost bank password. )