Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

// // //
4/25/2018
08:15 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick

5 New Network Attack Techniques That Will Keep You Awake at Night

You can't trust anything -- not the cloud, not hardware, not industrial control systems. Take nothing for granted, advise the experts, and trust nothing.

Get ready for insomnia. Attackers are finding new techniques, and here are five that will give you nightmares worse than after you watched the slasher film everyone warned you about when you were a kid.

At a panel at the 2018 RSA Conference in San Francisco last week, we learned that these new attack techniques aren't merely theoretically possible. They're here, they're real, and they're hurting companies today. The speakers on the panel laid out the biggest attack vectors we're seeing -- and some of them are either different than in the past, or are becoming more common.

Here's the list:

1. Repositories and cloud storage data leakage
People have been grabbing data from unsecured cloud storage for as long as cloud storage existed. Now that the cloud is nearly ubiquitous, so are the instances of non-encrypted, non-password-protected repositories on Amazon S3, Microsoft Azure, or Google Cloud Storage.

Ed Skoudis, the Penetration Testing Curriculum Director at the SANS Institute, a security training organization, points to three major flaws here. First, private repositories are accidentally opened to the public. Second, these public repositories are allowed to hold sensitive information, such as encryption keys, user names, and passwords. Third, source code and behind-the-scenes application data can be stored in the wrong cloud repository.

The result? Leakage, if someone happens to find it. And "Hackers are constantly searching for repositories that don’t have the appropriate security," Skoudis said.

2. Data de-anonymization, and correlation
Lots of medical and financial data is shared between businesses. Often that data is anonymized. That is, scrubbed with all the personally identifiable information (PII) removed so it's impossible to figure out which human a particular data record belongs to.

Well, that's the theory, said Skoudis. In reality, if you beg, borrow or steal enough data from many sources (including breaches), you can often correlate the data and figure out which person is described by financial or health data. It's not easy, because a lot of data and computation resources are required, but de-anonymization can be done, and used for identity theft or worse.

3. Monetizing compromised systems using cryptominers
Johannes Ullrich, who runs the SANS Internet Storm Center, said that hackers care about selling your stuff, like any other criminal. Some want to steal your data, including bank accounts, and sell that to other people, say on the Dark Web. A few years ago, hackers learned how to steal your data and sell it back to you, in the form of ransomware. And now, they're stealing your computer's processing power.

What's the processing power used for?

"They're using your system for crypto-coin mining," the experts said. This became obvious earlier this year, he said, with a PeopleSoft breach where hackers installed a coin miner on thousands of servers – and never touched the PeopleSoft data. Meanwhile, since no data is touched or stolen, the hack could stay undetected for months, maybe years. (See Malwarebytes: Cryptomining Surges as Ransomware Declines.)

4. Hardware flaws
Meltdown and Spectre, which exploited flaws in microprocessor design, were not flukes, Ullrich said. Spectre and Meltdown allowed hostile programs to access other programs' memory. But other hacks can allow unintended code to execute on the microprocessor, or leak information from caches. (See In Wake of Spectre & Meltdown, Intel Shifts Memory Scanning to GPU.)


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

Ullrich warns against relying upon the hardware features of a system for security, and backing that up with robust software.

"Hardware has complexity issues. You have to think, how much can you trust your hardware, especially if you're depending on hardware features to separate processes," Ullrich said. If you can't trust hardware, he asks, who can you trust? "Trust no one."

5. Exploitability in industrial control systems
Everyone running a power plant or a dam is probably kept awake by the ability of hackers to target, infiltrate and manipulate industrial controls -- like those which ran Iran's nuclear enrichment centrifuges, and which were successfully damaged by the Stuxnet.

Attacks on industrial controls, including widely used Supervisory Control and Data Acquisition (SCADA) systems, are becoming more widespread. James Lyne, Head of R&D for SANS, is concerned that these systems rely upon obscurity and isolation for protection -- and may not have been robustly tested for flaws.

Perhaps it's only a matter of time before hackers use hijacked industrial control systems to turn things off, turn things on, damage things or worse. That's good stuff for your nightmares.

"How prepared are we?" asks Lyne.

Sweet dreams.

Related posts:

— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.