This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks are tracking at this time.
After taking August off to focus on some special projects, the Sherlock team returns to the blog this month. And just as the leaves change color for autumn, attackers change their techniques. This month, as we head back to school, we revisit old friends and outdated software.
It is an unfortunate reality that many businesses do not patch to a reasonable level. They risk everything due to out-of-date software that attackers use to compromise systems or pivot deeper into the infrastructure.
Another vector that concerns us is zero-day vulnerabilities. Hacking communities trade exploit techniques among themselves instead of disclosing bugs responsibly. This is extremely dangerous for companies that use the affected software: once knowledge of the exploit starts spreading, the damage can be extensive.
Tracking these two challenges is part of what we do at Sherlock. Let’s take a look at three issues we have been actively tracking this past month.
SNMP Vulnerability, Zero-Day for Cisco ASA
What: A group calling itself the ‘Shadow Brokers’ announced that they intended to sell (for about one million bitcoin) a huge cache of stolen zero-day exploits. These exploits were touted as coming from the Equation Group in some fashion; the method of acquisition is currently unknown. A sample of the obtained exploits was released publicly, so this was no longer a rumor but a tangible threat. A lot of businesses use Cisco ASA hardware. One exploit in the sample, named EXTRABACON, took advantage of a vulnerability that Cisco was unaware of. To boot, it apparently had been present since at least 2013. We may never know the true extent to which that vulnerability was exploited, nor by whom. Responsible disclosure is a must for things like this.
The lesson learned is that security technology can be part of an attack. It is why you must watch traffic not just from servers and desktops, but from the infrastructure as well.
Addendum: Also included in the sample was an exploit against FortiOS versions released before August 2012. We have seen Fortinet devices still running those older, unpatched versions. Newer versions are not vulnerable, and a patch that mitigates the vulnerability has been available for a while. This is why keeping infrastructure equipment patched is just as important as patching servers.
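To put the lesson about watching infrastructure traffic into practice, here is an added example of our own (not Anitian’s, Cisco’s or Fortinet’s code). It scans constructed firewall log lines for SNMP reaching network devices from anywhere other than the management subnet, which is the kind of traffic a firewall-targeting exploit would have to generate. The environment is hypothetical: infrastructure devices at 10.0.0.1 and 10.0.0.2, a management subnet of 10.10.5.0/24, an internal range of 10.0.0.0/8, and a space-separated log format invented for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed firewall log lines (made up for this example):
# timestamp src dst proto dst_port action
SAMPLE_LOGS = """\
2016-09-01T08:00:01Z 10.10.5.20 10.0.0.1 udp 161 allow
2016-09-01T08:00:05Z 10.10.5.20 10.0.0.2 udp 161 allow
2016-09-01T08:03:17Z 10.20.44.7 10.0.0.1 udp 161 allow
2016-09-01T08:03:18Z 10.20.44.7 10.0.0.1 udp 161 allow
2016-09-01T08:05:40Z 203.0.113.9 10.0.0.2 udp 161 allow
2016-09-01T08:06:02Z 10.20.44.7 10.0.0.50 tcp 443 allow
2016-09-01T08:07:11Z 10.10.5.20 10.0.0.1 tcp 22 allow
"""

# Hypothetical environment: the firewalls/switches we care about, the only subnet
# that should manage them over SNMP, and the organization's internal address space.
INFRASTRUCTURE = {ipaddress.ip_address(a) for a in ("10.0.0.1", "10.0.0.2")}
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SNMP_PORTS = {161, 162}  # SNMP agent and trap ports


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into typed fields."""
    ts, src, dst, proto, dport, action = line.split()
    return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport), action)


def snmp_to_infra_alerts(log_text: str) -> List[Alert]:
    """Flag SNMP traffic that reaches infrastructure devices from anywhere
    other than the management subnet. Traffic from outside the internal
    range gets its own reason so it can be prioritized."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, _action = parse_line(line)
        if dst not in INFRASTRUCTURE or proto != "udp" or dport not in SNMP_PORTS:
            continue
        if src in MGMT_NET:
            continue  # expected: the monitoring system polling its devices
        if src in INTERNAL_NET:
            reason = "SNMP to infrastructure from outside the management subnet"
        else:
            reason = "SNMP to infrastructure from outside the organization"
        alerts.append(Alert(ts, str(src), str(dst), reason))
    return alerts


def offenders(alerts: List[Alert]) -> Dict[str, int]:
    """Count flagged flows per source address so repeated polling stands out."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    found = snmp_to_infra_alerts(SAMPLE_LOGS)
    for a in found:
        print(a.ts, a.src, "->", a.dst, a.reason)
    print(offenders(found))
```

The sample ignores the allow/deny column on purpose: a denied SNMP attempt against a firewall from an unexpected host is just as worth a ticket as an allowed one, and in a real deployment the same logic would run over flow records from the devices themselves rather than a single firewall’s log.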
Epic Games Breach, 2nd round
What: An unknown attacker breached the Epic Games forums, due to the website using an older version of vBulletin forum software. The end effect was that 800,000+ user accounts were stolen. Those user accounts included things like dates of birth, email information, IP address last used, forum usernames, post history, and private messages. This is the second reported breach on this site.
Why: All of this information allows attackers to craft more realistic and targeted phishing emails. Unsuspecting users may divulge credentials without realizing it’s a phish, which leads to further compromises. It also draws more scrutiny to the company, since attackers now know this site could be an easy target.
DLH.net, Steam Key Sharing site, 9.1m Steam Game Keys
What: An article surfaced on ZDNet that DLH.net was breached. An older version of vBulletin forum software was in use, and attackers took advantage of that fact. The theft garnered about 3.3m unique registered users, passwords, dates of birth, Steam usernames, approx. 9.1m Steam game keys, Facebook access tokens and other user activity data. Nearly 84% of the passwords were hashed with MD5, which is considered very insecure for password storage. The site operators, at the time of this writing, have denied their site was breached. However, reports of people checking their credentials against leakedsource.com show that they are in fact contained within the database from DLH.net. What kind of trust does that build with the consumer? When you make a mistake, own up to it, and take steps to prevent it from happening again. People are already angry that their information is out there. Refusing to acknowledge that shows a startling lack of integrity.
Why: Not only does this include personal information on forum users, but also, allegedly, 9.1m Steam keys were pilfered. These were included in the forum posts of users looking to trade them for other keys. This represents a financial loss for those users, since the stolen keys could be activated on illegitimate accounts who did not originally pay for those games. It also enables password reuse attacks, since MD5 hashes are cracked with very little effort and many people reuse the recovered passwords elsewhere.
Why do we continue to trust negligent companies with our data? They are obviously not responsible. Attackers change their methods like the seasons; perhaps it’s time for us to change how, and whom, we trust.
It is time for businesses everywhere to take trust seriously and protect data. That means the best practices we all know, like strong encryption, consistent patching of all software, and third-party testing from unbiased sources.
Yes, there is cost for all this. But what is the cost of losing trust?
Oh, and make sure you safeguard passwords. Remember, authentication credentials are one of the most valuable things to hackers. There are lots of great password vaults out there.
See you next month.