December 6, 2017

Recovering Huffman tables in Intel ME 11.x

Today, during his talk at the Black Hat conference in London, Positive Technologies expert Dmitry Sklyarov will explain how Intel ME 11.x stores its state on flash and which other types of file systems ME 11.x supports. Here is his article about recovering Huffman tables in Intel ME 11.x.

Many Intel ME 11.x modules are stored in flash memory in compressed form [1]. Two different compression methods are used: LZMA and Huffman encoding [2]. LZMA can be decompressed using publicly available tools [3], but reversing Huffman encoding is a much more difficult challenge. Unpacking of Huffman encoding in ME is implemented in hardware, so writing the equivalent code in software is a far from trivial task—assuming it can be accomplished at all.

December 4, 2017

Positive Technologies on GitHub

Currently, an increasing number of companies, such as Google, Microsoft, Facebook, and JetBrains, are releasing the code of both small and large projects as open source. Positive Technologies is known not only for its skilled IT security professionals but also for its many professional developers. This enables us to contribute to the further development of open source projects.

PT has the following GitHub groups that support our open projects:

Below we give a detailed description of the first group and its projects, and a brief description of the others.

November 23, 2017

Intel fixes vulnerability found by Positive Technologies researchers in Management Engine

Intel has issued a security advisory and released a patch for a vulnerability discovered in Intel ME by Positive Technologies researchers Mark Ermolov and Maxim Goryachy. Intel has also published a downloadable detection tool so that administrators of Windows and Linux systems can determine whether their hardware is at risk.

Intel Management Engine is a proprietary dedicated microcontroller integrated into the Platform Controller Hub (PCH) with a set of built-in peripherals. Since the PCH is the conduit for almost all communication between the CPU and external devices, Intel ME has access to practically all data on the computer. The researchers found a flaw that allows running unsigned code on the PCH on any chipset for Skylake processors and later.

October 24, 2017

Do WAFs dream of static analyzers?

Virtual patching (VP) has been one of the most popular trends in application protection in recent years. Implemented at the level of a web application firewall, VP allows protecting web applications against exploitation of previously defined vulnerabilities. (For our purposes, a web application firewall, or WAF, will refer to a dedicated solution operating on a separate node between an external gateway and web server.)

In short, VP works by taking the results of static application security testing (SAST) and using them to create rules for filtering HTTP requests on the WAF. The problem, though, is that SAST and WAFs rely on different application presentation models and different decision-making methods. As a result, none of the currently available solutions do an adequate job of integrating SAST with WAFs. SAST is based on the white-box model, which applies formal approaches to detect vulnerabilities in code. Meanwhile, a WAF perceives an application as a black box, so it uses heuristics for attack detection. This state of affairs makes VP sub-optimal for preventing attacks when the exploitation conditions for a vulnerability go beyond the trivial http_parameter=plain_text_attack_vector.

But what if we could make SAST and a WAF "play nice" with each other? Perhaps we could obtain information about an application's internal structure via SAST but then make this information available to the WAF. That way we could detect attacks on vulnerabilities in a provable way, instead of by mere guessing.

October 20, 2017

How-To: Obtaining Full System Access Via USB

Debugging mechanisms like JTAG (IEEE 1149.1) first appeared in the 1980s. Over time, microchip vendors extended the functionality of these interfaces. This allowed developers to obtain detailed information on power consumption, find bottlenecks in high-performance algorithms, and perform many other useful tasks.

Hardware debugging tools are also of interest to security researchers. These tools grant low-level system access and bypass important security protections, making it easier for researchers to study a platform's behavior and undocumented features. Unsurprisingly, these abilities have attracted the attention of intelligence services as well.

A major flaw in a popular encryption library undermines security of millions of crypto keys

An international team of IT security researchers from Britain, Slovakia, the Czech Republic, and Italy found a critical vulnerability in Infineon's popular encryption library, RSA Library v1.02.013. A weakness in the library's key generation makes the resulting keys feasible to factor, allowing attackers to obtain secret crypto keys and use them for data breaches and theft.

This vulnerable library is used to secure national ID cards in various countries and in many popular software products used by both government and businesses.

October 18, 2017

Critical KRACK Flaws in WPA Wi-Fi Security: Here’s How to Protect Yourself

Security researchers from the Belgian university KU Leuven revealed a key reinstallation attack vulnerability in the WPA2 Wi-Fi protocol. Using this flaw, an attacker within range of a person logged onto a wireless network could use key reinstallation attacks to bypass WPA2 network security and read information that should have been securely encrypted. What are the possible consequences of this revelation, and how can end users protect themselves?

September 18, 2017

How hackers could negatively impact a country's entire economy

Despite enormous efforts, security is always a work in progress because of technical vulnerabilities and the human factor. In the modern digital economy, criminals are becoming ever more creative in finding ways to make off with millions without having to leave home. And the actions of cybercriminals could actually have a negative impact on a country's economy. Here are some scenarios of possible attacks.

September 14, 2017

Web Application Attack Statistics: Q2 2017

This report provides statistics on attacks performed against web applications during the second quarter of 2017. Sources of data are pilot projects involving deployment of PT Application Firewall, as well as Positive Technologies’ own PT AF installations.

The report describes the most common types of attacks as well as the objectives, intensity, and time distribution of attacks. It also contains industry-by-industry statistics. With this up-to-date picture of attacks, companies and organizations can monitor trends in web application security, identify the most important threats, and focus their efforts during web application development and subsequent protection.

Automated vulnerability scanners (such as Acunetix) have been excluded from the data used here. The example attacks presented in this report have been manually verified to rule out false positives.

Protection data for Positive Technologies itself has been classified under the IT sector for reporting purposes.

New Apache Struts vulnerability allows remote code execution

A new security flaw detected in Apache Struts allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.

Although the Apache Software Foundation classified it as a medium severity vulnerability, Cisco has outlined a long list of its products in the Security Advisory that are affected by this flaw.

August 31, 2017

12 Great Technical Talks at SHA2017

image credit Arron Dowdeswell @Arronandir

SHA2017 is a large outdoor hacker camp, which took place in the Netherlands from August 4th to 8th. Despite intensive preparation for his own talk at this event, Positive Technologies expert Alexander Popov attended many interesting lectures. In this article Alexander shares his impressions and lists the 12 technical talks at SHA2017 that he liked the most.

August 30, 2017

Blocking double-free in Linux kernel

On August 7, Positive Technologies expert Alexander Popov gave a talk at SHA2017. SHA stands for Still Hacking Anyway; it is a large outdoor hacker camp in the Netherlands.

The slides and recording of Alexander's talk are available.

This short article describes some new aspects of Alexander's talk, which haven't been covered in our blog.

August 28, 2017

Disabling Intel ME 11 via undocumented mode

Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.

August 8, 2017

4G Networks Infrastructure Still Vulnerable Despite Upgrade

Billions have been invested and super speeds reached, yet none of the security holes have been fixed. Positive Technologies has warned that its research confirms vulnerabilities in the world's mobile infrastructure still exist, despite billions being invested to upgrade mobile networks to Diameter to carry 4G and 5G traffic. The unaddressed flaws leave mobile communications, and the security practices founded on them, vulnerable, allowing hackers to intercept and divert SMS messages (including passcodes meant to validate identity and authorise transactions), eavesdrop on phone conversations, locate users, instigate denial-of-service attacks against the whole network, and perform other illegitimate actions. Earlier this year, attackers stole funds from bank accounts in Germany after redirecting one-time passcodes (OTPs) sent by banks via text message (SMS), confirming that real-world attacks have been devised and can be successfully executed.

Web application vulnerability report: time to dig into the source code

Every year, web applications expand their presence in more and more areas. Almost every business has its own web applications for clients and for internal business processes. However, application functionality is often prioritized at the expense of security, which negatively affects the security level of the entire business.

As a result, web application vulnerabilities provide massive opportunities for malicious actors. By taking advantage of mistakes in application architecture and administration, attackers can obtain sensitive information, interfere with web application functioning, perform DoS attacks, attack application users, penetrate a corporate LAN, and gain access to critical assets.

This report provides statistics gathered by Positive Technologies while performing web application security assessments throughout 2016. Data from 2014 and 2015 is provided for comparison purposes.

This information suggests paths of action: which security flaws in web applications require attention during development and operation, how to distinguish potential threats, and what the most effective techniques for security assessment are. We also illustrate trends over time in web application development in the context of information security.

August 1, 2017

Cobalt strikes back: an evolving multinational threat to finance

1. Introduction

Bank robbery is perhaps the quintessential crime. The promise of immense, instant riches has lured many a criminal to target banks. And while the methods, tools, and scale of robbery have all changed, two things have stayed the same: the enticement of a hefty payday and the fact that no system is perfectly secure.

In the modern digital economy, criminals are becoming ever more creative in ways to make off with millions without having to leave home. Despite enormous efforts, security is always a work in progress because of technical vulnerabilities and the human factor. Only a small fraction of banks today are able to withstand targeted attacks of the kind perpetrated by Cobalt, a cybercriminal group first described in 2016 that is currently active worldwide. Now the group has set its sights on more than just banks.

Researchers at Positive Technologies and other companies have described the group's methods previously. In this report, we will describe the new techniques used by Cobalt in 2017, the changing target profile, and recommendations on how to avoid becoming their latest victim.

July 7, 2017

Recovering data from a disk encrypted by #NotPetya with Salsa20

Ransomware attacks are an alarming trend of 2017. There have been many such attacks, but the ones that made the headlines are WannaCry and NotPetya (also known as Petya, Petya.A, ExPetr, and other names). With the lessons of the previous epidemic heeded, specialists across the globe promptly reacted to the new challenge and, within hours after the first computers became infected, began analyzing encrypted disks. As early as June 27, the first descriptions [1] of how NotPetya spreads and infects computers appeared. Even better, a vaccine [2] to prevent NotPetya infections was found.

After NotPetya starts, it performs AES encryption of user files with certain extensions, but the operating system continues to work. The encryption must be completed within a certain time limit (by default, 1 hour). If it completes in time, the file README.TXT with a ransom demand appears in the root folder. Unfortunately, recovering user files in that case requires knowing the private RSA key (which is allegedly available for purchase on the Darknet for 100 bitcoins). But if the encryption is not completed, is interrupted, or NotPetya does not have the necessary permissions to write to the root folder, the file README.TXT (containing the encrypted key) is not created, and the files encrypted with AES cannot be recovered even with the private RSA key.

The below method for recovering data works only if NotPetya had administrator privileges and used the Salsa20 algorithm to encrypt the entire hard disk.

This is the second layer of encryption. However, decrypting Salsa20 is still worthwhile for several reasons:
  • Some file types (for example, images) are skipped during AES encryption.
  • AES encryption is limited in time (usually 1 hour), and what was not encrypted with AES may be recoverable.
  • AES encryption runs under a specific user account. If several user accounts are used on the computer, AES may not have access to other users' data.

Meanwhile, Salsa20 encrypts all data, regardless of file types, time, and access permissions.

June 29, 2017

#NotPetya and #Petya compared: any hope for decrypting files? - UPDATED

Positive Technologies expert Dmitry Sklyarov provides here his comparison of NotPetya ransomware, which attacked companies this week, with a sample of Petya from 2016. Is decryption of ransomed files possible? And what does the code tell us about the malware's creation?

This post considers the portions of the two viruses responsible for MFT encryption. This encryption runs when the ransomware has administrator rights.

June 27, 2017

The new malware that broke out today is slightly similar to Petya ransomware known since 2016

Positive Technologies experts are still analyzing the malware sample and gathering additional data—in particular, information on the mechanism of its intrusion into a network. But even at this point it is clearly not just a new version of WannaCry. This ransomware combines hacking techniques, such as the use of standard system administration utilities and tools for extracting operating system passwords. This lets the malware spread quickly within the network and cause a large-scale epidemic if even one computer is infected. As a result, the computer is taken out of operation and its data is encrypted.

June 21, 2017

SigPloit framework published: telecom vulnerability testing of SS7, GTP, Diameter, and SIP made easy

Code for the open-source SigPloit framework has been published on GitHub by security researcher Loay Abdelrazek. SigPloit is a convenient framework for testing telecommunication protocols for vulnerabilities. We cannot state that this project will have a big effect on the security situation, but it is definitely one of the alarm bells that the telecom industry should take note of.

June 16, 2017

Practical ways to misuse a router

Wi-Fi and 3G routers are all around us. Yet in just one recent month, approximately 10 root shell and administrator account vulnerabilities in home internet devices came to light. And access to tens of millions of IoT devices—routers, webcams, and other gadgets—is available to anyone willing to pay $50 for a paid account.

At the same time, developers and vendors of these devices tend to have other priorities than "testing" and "security." Many serious vulnerabilities remain unpatched, and even when patches are released, users are slow to install them. What does this leave us with? Legions of vulnerable devices, lying low until hacked and pressed into service as part of a DDoS botnet.

June 2, 2017

WAF Bypass at PHDays VII: Results and Answers

Continuing the tradition of past years, the WAF Bypass contest was held at last month's PHDays. Participants tried to bypass PT Application Firewall protection mechanisms in order to find special flags accessible through vulnerabilities specially left in web applications. In a series of challenges, the organizers disabled different features of PT Application Firewall, leaving a "way in" for participants to take advantage of. The focus of attention this time was a prototype database firewall (DBFW), which analyzed SQL traffic from applications to databases.

May 26, 2017

Positive Technologies expert helps to fix vulnerability in Viber for Windows

Viber has fixed a vulnerability in the company's Windows client found by a group of security experts, which included a Positive Technologies researcher. This security bug enabled attackers to steal data needed for user authentication in Windows. Users are urged to update to Viber version 6.7.2.

May 18, 2017

A closer look at the CVE-2017-0263 privilege escalation vulnerability in Windows

May has been a busy month for vulnerabilities in the world's most popular desktop operating system. Hackers have made headlines with massive infections by WannaCry ransomware, which exploits an SMB security flaw and the ETERNALBLUE tool. Shortly prior, on May 9, Microsoft fixed CVE-2017-0263, which had made it possible for attackers to gain maximum system privileges on PCs running Windows 10, Windows 8.1, Windows 7, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Vulnerability CVE-2017-0263 had been used already in phishing messages. The emails contained an exploit that first entered the system by taking advantage of incorrect handling of EPS files by Microsoft Office (CVE-2017-0262) and then, once on the inside, leveraged CVE-2017-0263 to get full administrator rights. Two years ago we looked at a similar vulnerability in Windows, and here we will see how the new CVE-2017-0263 opens the way to "pwning" remote workstations and servers.

In a word, this is a use-after-free vulnerability (CWE-416)—when context menu windows were closed and the memory occupied by the menu was freed up, the pointer to the freed-up memory was not zeroed out. As a result, the pointer could be reused.

The below discussion covers the process of window handling in the win32k.sys driver and how this process makes it possible to exploit the vulnerability.

April 24, 2017

Intel ME: The Way of Static Analysis

Image: Clive Darra, Flickr

Intel Management Engine (ME) has been known for over 10 years (since 2005), but official Internet sources about ME are few and far between. Fortunately, excellent works on the topic have been published in recent years. However, all of them deal with ME 10 and earlier, while modern computers implement ME 11, which was introduced in 2015 for the Skylake microarchitecture.

If you have never heard about ME, this is a good time to check out great slides from Igor Skochinsky about previous versions of ME.

In short, ME is a separate processor embedded in the chipset of any modern computer with an Intel CPU. ME runs even when the computer is sleeping or powered off (as long as it is plugged in to a power outlet). ME can access any part of RAM, but the RAM region used by ME is not accessible from the OS. What’s more, ME is capable of out-of-band access to the network adapter.

April 19, 2017

Bank employees using social networks at work: danger or mere distraction?

Banks always have been a lure for attackers, and while new technologies help to improve client service, they also create additional information security risks.

Cyberattacks on banks frequently start with criminals persuading employees of a financial institution to open specially crafted malware. Positive Technologies expert Timur Yunusov explains below if it makes sense for banks to ban workplace use of social networks to reduce the risk of such attacks.

April 13, 2017

Intel and Lenovo have restricted access to the debugging interface of CPUs after Positive Technologies' revelations

Intel and Lenovo have released recommendations that help restrict access to the JTAG debugging interface of processors, which can be abused by attackers. The weakness was first discovered by Positive Technologies’ experts in December 2016.

At that time, Positive Technologies’ experts Maxim Goryachy and Mark Ermolov presented their findings during a session at the Chaos Communication Congress (33C3) in Hamburg, explaining that modern Intel processors allow use of the debugging interface via a USB 3.0 port available on many platforms to gain full control over the system. Modern security systems cannot detect such attacks.

April 7, 2017

Our new R&D center in Brno

We are pleased to announce the opening of our brand new R&D center in Brno, Czech Republic, which will focus on developing products to secure mobile telecommunications systems.

March 31, 2017

CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP

This article describes the exploitation of CVE-2017-2636, a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). The described exploit gains root privileges while bypassing Supervisor Mode Execution Protection (SMEP).

March 6, 2017

Security reflections from Mobile World Congress

Michael Downs, Director of Telecoms Security, EMEA

Mobile World Congress is not just a name, it is perfectly descriptive. The entire mobile world squeezes into a few square kilometres of Barcelona for four days. Given this concentration of senior execs, it’s a good place to form an opinion on industry trends and try to understand the place security has in the future of mobile.

Transport was a massive theme this year. Someone mentioned there were more car companies here than at a recent major motor show, and everything from chip-set manufacturers to infrastructure providers were touting their connected mobility play. It seems to be the most obvious large scale early application for the Internet of Things as companies see problems that can be solved with data connections, namely accidents, congestion and general resource waste. The promise is great.

However, from a security point of view, I got the impression the priorities for many of these propositions were traditional elements such as speed to market, efficiency of UI, prioritizing functionality, hardware power, connection speeds etc. Not many of the people on the booths I questioned could truly answer the question of what they were doing to keep connected cars, trucks and buses secure from abuse. Maybe it was an unfair question, but given the scale of what is being proposed, this raised a few eyebrows amongst our experts. The consequences of attacks on a fleet of trucks, or the targeting of a car’s systems, don’t bear thinking about. Theoretically, such attacks are possible in the same way an attacker would abuse existing Diameter or SS7 networks. Everything is assigned a number in the network the same way a phone is, providing a marker from which to develop an attack profile.

This theme grows further when you look at the underlying narrative for the show as a whole, that of attaching a data connection to everything. Lots of marketing dollars were spent on tiny models of everything from stadiums, to entire cities. This is being enabled by the hope the industry has for emerging protocols such as 5G and LTE-M. More capacity and higher speeds, means more things can now talk to the Internet.

This is good for the mobile industry, but also for attackers, as more connected things simply mean a larger attack surface on which to work. As was demonstrated at our expert dinner, we believe too many vulnerabilities are still present, both in the underlying infrastructure that carries data and also in the radio delivery from base station to user. This will only be compounded as more things become connected on an application level, driven by increased digitization and usage of emerging web technologies.

From a signalling (SS7 and Diameter) point of view, the underlying infrastructure to support this brave new world is vulnerable, and becoming easier and cheaper to access by an attacker. For dollars per day, bad actors can now buy access to core telecoms networks on the black market and exploit either existing flaws, or new ones. Once inside, all that is needed is a phone number (MSISDN) of your target or targets, be it a person or a fleet of connected cars, to manipulate the commands accordingly. The move towards new protocols will only present new opportunities for bad actors, who are notoriously creative and persistent.

There are also weaknesses from a radio frequency point of view, as vulnerabilities exist in the vast majority of communication protocols and their implementation. Again, as we saw at our expert’s dinner, armed with just a Raspberry Pi, a chipboard bought for a few dollars and some Python script, data can be sniffed, intercepted, even decrypted on the fly and altered to carry out the whim of the attacker.  Whilst we demonstrated some of this on a toy drone, it is important to note that the same protocols are used in the delivery of the entire gamut of ‘things’ connected by mobile networks.  This means everything from industrial control systems to cars.

This is not intended to be a doomsday rant.  These are points we believe, as a research based security company, are important to be on the mind of the mobile industry.  Many believe we are on the edge of a new industrial revolution. If this is true, then the old mantra that security needs to be built into the heart of things is never truer than right now.  We look forward to spending time making sure the brave new world the mobile industry is creating, is kept safe and can flourish for everyone’s benefit.

February 8, 2017

Web application attack trends: government, e-commerce, and finance in the spotlight

Positive Technologies has revealed how hackers attacked web applications throughout 2016. The aim of our research was two-fold: to determine which attacks are most commonly used by hackers in the wild, and to find out which industries are being targeted and how. With this data, organizations can be more aware of digital threats and protect themselves accordingly.

January 17, 2017

Intel debugger interface open to hacking via USB

New Intel processors contain a debugging interface accessible via USB 3.0 ports that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools.

A talk on the mechanisms needed for such attacks and ways to protect against them was given by Positive Technologies experts Maxim Goryachy and Mark Ermolov at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany.