Perimeter
8/25/2016
10:00 AM
Yoni Allon
Yoni Allon
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Secret Behind the NSA Breach: Network Infrastructure Is the Next Target

How the networking industry has fallen way behind in incorporating security measures to prevent exploits to ubiquitous routers, proxies, firewalls, and switches.

Advanced attackers are targeting organizations’ first line of defense--their firewalls—and turning them into a gateway into the network for mounting a data breach. On Aug. 13, the shady “ShadowBrokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation-states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by ShadowBrokers signal a shift in attack methods and targets?

We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate, and Juniper (formerly NetScreen) firewalls. The names of the exploits provided by the ShadowBrokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping.

The exploit names are not the only link to the NSA. By analyzing the implementation of a cryptographic function, researchers at Kaspersky have found the same encryption constant used in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and python code in the latest breach.

Cyber Attacks with a Side of EXTRABACON
Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device. The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance. The payload can also re-enable the original password to reduce the chance that the attacker will be detected.

The python code handles multiple device versions and patches the payload for the version at hand. This indicates the amount of operations the group had in the past as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers.

Our attempt yielded a shell without password protection:

Networking Equipment in the Crosshairs
While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot. This advancement underscores the need to detect active network attackers because they can certainly—one way or another—penetrate any given network.

Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches from a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices and attackers can gain an excellent vantage point within the network. 

Network devices vendors have fallen behind operating system vendors in terms of implementing stronger security measures. A wide range of networking equipment still run single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibit the effects of little to no security quality assurance testing. In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that made life harder for every exploit writer. The affected networking devices provide none of these security mechanisms and it shows.

Not the First and Definitely Not the Last
The Equation Group breach is not the first example of highly capable attackers targeting network devices. The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles. The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well-known administrative tools. This is a soft spot in every endpoint solution’s belly; a privileged attacker using credentials to access files is not considered malicious as long he doesn’t use any malicious software. Notice that as we have stated earlier, the attacker, quoted in pastebin, opted for an embedded exploit and not the other options, stating that it’s the easiest one:

So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.

As always, nation-state attacks are usually a step ahead of the entire industry on both the defensive and offensive. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before; cybercrime attackers stole techniques from Equation Group, as well as Stuxnet and Flame malware and Reign and other APTs and it will surely happen again with the Equation Group’s recently leaked exploits.

In the meantime, here are four recommendations to help fortify network devices against attack:

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end of support date.

Recommendation 2: Restrict access to devices management addresses to the minimum required, and block any unneeded, seemingly benign protocols including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would with your administrator accounts by periodically changing your passwords and defining a different password for each device. Do not use a standard template for passwords. For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device, the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices. Attackers have no way of knowing what “normal” looks like for any given network and network detection is the only generic way to stop attackers from compromising network devices.

Related Content:

 

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning. Mr. Allon has ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
lorraine89
100%
0%
lorraine89,
User Rank: Ninja
10/20/2016 | 10:09:40 AM
Cyber security
Breaches, either made by hackers themselves or by the government agencies is bad anyway. Online hackers are attributed they breach cyber security but governement agencies like the NSA get away with them in the name of federal investigation. It is therefore, important to secure your connection from such snooping activities any way by anone and start protecting your online privacy with a secure vpn connection like PureVPN. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.