New cyber-attack model helps predict timing of the next Stuxnet


Of the many tricks used by the world’s greatest military strategists, one usually works well—taking the enemy by surprise. It is an approach that goes back to the horse that brought down Troy. But surprise can only be achieved if you get the timing right. That timing, researchers at the University of Michigan argue, can be calculated using a mathematical model—at least in the case of cyber-wars.

James Clapper, the director of US National Security, said cybersecurity is “first among threats facing America today,” and that’s true for other world powers as well. In many ways, it is even more threatening than conventional weapons, since attacks can take place in the absence of open conflict. And attacks are waged not just to cause damage to the enemy, but often to steal secrets.

Timing is key for these attacks, as the name of a common vulnerability—the zero-day attack—makes apparent. A zero-day attack refers to exploiting a vulnerability in a computer system on the same day that the vulnerability is recognized (aka when there are zero days to prepare for or defend against the attack). That is why cyber-attacks are usually carried out before an opponent has the time to fix its vulnerabilities.


New DoS attacks taking down game sites deliver crippling 100Gbps floods

Online gamers such as these ones often stream their play in real time.

Recent denial-of-service attacks taking down League of Legends and other popular gaming services are doing more than just wielding a rarely-seen technique to vastly amplify the amount of junk traffic directed at targets. In at least some cases, their devastating effects can deprive celebrity game players of huge amounts of money.

As Ars reported last week, the attacks are abusing the Internet's Network Time Protocol (NTP), which is used to synchronize computers to within a few milliseconds of Coordinated Universal Time. A command of just 234 bytes is enough to cause some NTP servers to return a list of up to 600 machines that have previously used its time-syncing service. The dynamic creates an ideal condition for DoS attacks. Attackers send a modest-sized request to NTP servers and manipulate the commands to make them appear as if they came from one of the targeted gaming services. The NTP servers, which may be located in dozens or even hundreds of locations all over the world, in turn send the targets responses that could be tens or hundreds of times bigger than the spoofed request. The technique floods gaming servers with as much as 100Gbps, all but guaranteeing that they'll be taken down unless operators take specific precautions ahead of time.

Among the recent targets of this type of attack are game servers used by celebrity players who broadcast live video streams of their gaming prowess that are viewed as many as 50,000 times. In some cases, the massive audiences translate into tens of thousands of dollars per month, as ads are displayed beside video feeds of the players blowing away opponents in Dota 2 and other games.


2014 Threats Predictions: Network and Host Attacks Will Again Target Adobe and Microsoft Apps, Java

This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Bing Sun, with assistance from Andy Cheng, Yingwu Han, Haifei Li, Qiang Liu, Shennan Wang, Jun Xie, Chong Xu, and Stanley Zhu.

Our research into threats to networks and applications shows us three top targets of malware developers. They aim zero-day and advanced persistent threat attacks against vulnerabilities in Microsoft Internet Explorer (including IE plug-ins and ActiveX), Adobe applications (including PDF and Flash), and Sun’s Java. We also see vulnerabilities in Microsoft Office applications and other Windows native components (such as GDI+, the kernel module, and drivers) exploited in the wild. These targets are favorites each year for attackers, so it’s not hard to predict where they will look in 2014.

  • Browsers will remain the primary target for remote code execution attacks. Browsers have a range of factors that can be leveraged for exploitation, such as third-party plug-ins and various scripting-language support.
  • The prevalence of vulnerabilities in Adobe applications will increase, perhaps related to source-code leakage. Adobe product vulnerabilities, especially in Flash, are often used in conjunction with other application vulnerabilities (in browsers, Office, etc.) to bypass protections.
  • Java vulnerabilities and exploits, either of the Java virtual machine or native component layer, will remain very popular. Compared with memory corruption issues, Java exploits don’t require a shellcode-like payload; thus they are more reliable and easier to make. Although Java enhanced its security in Version 7.0—a security alert will prompt users before running any unsigned applet, for example—many users will choose to disable the alert to avoid the noise. Moreover, we suspect many Java users still use old or unsupported versions due to compatibility issues with legacy Java apps or simply bad habits. This would explain why so many old Java vulnerabilities are still actively exploited by exploit kits.
  • Attackers will continue to find holes in Office. Our analysis of the recent Office exploit CVE-2013-3906 (TIFF embedded in .docx) reminded us that Office documents employ a compound-document format that is designed to allow many other types of content (such as OLE objects). Such a rich set of features, some perhaps unknown or hidden, will inspire attackers to find new weaknesses in these applications. From this exploit, we know that a Word document can embed a number of ActiveX binaries to do heap sprays, and can load an incompatible module (VB6) to completely disable data execution prevention for the entire process.
  • Kernel-mode elevation of privilege vulnerabilities will be widely exploited in combination with other application vulnerabilities to achieve both temporary and persistent infections. As we see in Microsoft’s Patch Tuesday security bulletin data, there are often new patches for kernel-mode vulnerabilities, notably in the GUI subsystem (win32k.sys). Kernel-mode issues accounted for roughly one-quarter of all Microsoft product vulnerabilities in 2013. Considering the complexity of kernel-mode components, we can foresee that the number of kernel vulnerabilities of 2014 will be at least as high as in 2013.

To add to our worries, exploits have become more advanced in their reliability, persistence, and ability to bypass various protections. Further predictions:

  • Native operating system and application protection mechanisms are not adequate to detect and stop advanced exploits. Attackers will increase their efforts to break these defenses in 2014. Although both OS and application vendors have made many security improvements, attackers can always find new ways to create reliable exploits, which was well demonstrated in the 2013 Pwn2Own hacker contest. For example, the combination of data execution prevention and address space layout randomization can be easily defeated by memory information leaks and return-oriented programming.
  • Many exploits are now aware of the existence of network and endpoint security software. As we have observed during our research, the trick of API hook hopping has become a standard weapon of advanced shellcode to prevent its execution from being monitored. We have seen this technique in wide use, especially in zero-day exploits. We expect exploit tools such as Metasploit Framework and Canvas may soon add this feature.
  • Many applications have implemented “sandbox” solutions to confine malicious behaviors in a restricted environment to minimize their impact. Office, Adobe Reader, and Google Chrome each have a sandbox implementation. To break out of an application-level sandbox and do malicious things to a whole system, an attacker will have to use more than one vulnerability and achieve a multistage exploitation. An elevation of privilege vulnerability can help an attacker escape from the sandbox and install malware on the compromised system. Here’s where a kernel-mode vulnerability will come in handy because it can let an attacker run code in Ring 0. We expect more attackers to take advantage of kernel exploits to escape application-level sandbox products.
  • We believe exploits (especially zero-day exploits and advanced persistent threats) will soon evolve to include features that defeat sandboxing. First, exploits will become stealthier, especially during the postexploitation stage. They will try to leave as few footprints as possible because sandbox detection relies heavily on postinfection behaviors to identify an attack. Further, more exploits will begin to detect or even escape from a sandbox. Although the latter seems difficult, it is possible.

The post 2014 Threats Predictions: Network and Host Attacks Will Again Target Adobe and Microsoft Apps, Java appeared first on McAfee.

Attacks Against the Energy Sector

Energy is crucial to our modern lifestyle. Disturbingly, reports of attempted attacks against the companies and industries that supply it are increasing every year. In the first half of 2013, the energy sector was the fifth most targeted sector worldwide, experiencing 7.6 percent of all cyberattacks. So, it’s not surprising that in May 2013, the US Department of Homeland Security warned of a rising tide of attacks aimed at sabotaging processes at energy companies. At Symantec, our researchers are finding that traditional energy utility companies are particularly concerned about scenarios created by the likes of Stuxnet or Disttrack/Shamoon which can sabotage industrial facilities.

We are also learning that aggressors who target the energy sector also try to steal intellectual property on new technology, like wind or solar power generators or gas field exploration charts. While data theft incidents may not pose an immediate and catastrophic threat to a company, they can create a longer term strategic threat. Information stolen could be used in the future to perform more disruptive actions.

The motivations and origins of attacks can vary considerably. A competitor may commission actions against energy companies to gain an unfair advantage. There are “hackers for hire” groups such as the Hidden Lynx group, who are more than willing to engage in this type of activity. State-sponsored hackers could target energy firms in an attempt to disable critical infrastructure. Hacktivist groups may also victimize companies to further their own political goals. Symantec researchers know these threats can originate from all over the world and sometimes from within company walls. Insiders who are familiar with the systems can carry out attacks for extortion, bribery or revenge. And disruptions can simply happen by accident such as a misconfiguration or a system glitch. For example, in May 2013, the Austrian power grid nearly had a blackout due to a configuration issue.

Our research has found that modern energy systems are becoming more complex. There are supervisory control and data acquisition (SCADA) or industrial control systems (ICS) that sit outside of traditional security walls. And as smart grid technology continues to gain momentum, more new energy systems will be connected to the Internet of Things, which opens up new security vulnerabilities related to having countless connected devices. In addition to this, many countries have started to open the energy market and add smaller contributors to the electric power grid, such as private water power plants, wind turbines or solar collectors. While these smaller sites make up only a small portion of the grid, the decentralized power input feeds can be a challenge to manage with limited IT resources and need to be carefully monitored to avoid small outages that could create a domino effect throughout the larger grid.

We see the need for a collaborative approach combining IT and industrial component security to protect the industry’s information. To partner in this effort, Symantec has conducted an in-depth study into attacks focused on the energy sector that took place in the past 12 months. This research presents the facts and figures, and covers the methods, motivations, and history of these attacks.

The following infographic illustrates some of the key points around attacks against the industries in the energy sector.