Weekly Threat Report 23rd September 2016

Created:  29 Sep 2016
Updated:  29 Sep 2016
This report is drawn from open source reporting between the dates of 19th-23rd September.

Threat assessment and trend analysis

Shadow Brokers’ Cisco vulnerabilities in the wild

Cisco’s Product Security Incident Response Team (PSIRT) has become aware that some of its customers have been targeted through the exploitation of one of the ‘zero-day’ vulnerabilities leaked this summer by the hacking group known as the Shadow Brokers.

The vulnerability [CVE-2016-6415] was found in the IKEv1 (Internet Key Exchange version 1) packet processing code and affects various Cisco products running the company’s IOS family of operating software, including "Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software". Attackers can exploit this vulnerability to extract the decryption keys and use them to decrypt the encrypted traffic that passes through the affected device. They can also read out the contents of device memory, which in turn can lead to the disclosure of critical and confidential information.

A patch for the vulnerability has yet to be released, but administrators of affected devices are advised to keep a close eye on them and to implement intrusion prevention and/or detection systems to spot exploitation attempts. Reporting suggests that this is just one of the 300 MB of exploits, implants and hacking tools that were stolen this summer from the elite cybersecurity unit Equation Group, which some researchers have claimed is associated with the NSA.
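The advice above is to watch IKEv1 traffic on affected devices until a patch arrives. The following Python is an added example, not code from the report or from Cisco: it parses the fixed 28-byte ISAKMP header that every IKEv1 datagram on UDP/500 carries (RFC 2408) and raises generic alerts for traffic from hosts that are not configured VPN peers, truncated headers, unexpected protocol versions and length fields that disagree with the datagram. These are hygiene checks a monitor would apply to any IKEv1 traffic; they are not a signature for CVE-2016-6415, whose trigger conditions the report does not describe. The peer allowlist and the sample datagrams are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ISAKMP fixed header (RFC 2408, section 3.1): initiator cookie (8),
# responder cookie (8), next payload (1), version (1), exchange type (1),
# flags (1), message ID (4), total length (4) = 28 bytes, network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")


@dataclass
class IkeAlert:
    src: str
    reason: str


def parse_isakmp_header(payload: bytes):
    """Return the header fields of an IKEv1 datagram, or None if it is too short."""
    if len(payload) < ISAKMP_HEADER.size:
        return None
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(payload)
    return {
        "init_cookie": icookie,
        "resp_cookie": rcookie,
        "next_payload": next_payload,
        "major": version >> 4,      # IKEv1 carries major version 1 in the high nibble
        "minor": version & 0x0F,
        "exchange_type": exch,      # 2 = Identity Protection (Main Mode), 4 = Aggressive
        "flags": flags,
        "message_id": msg_id,
        "length": length,           # must equal the size of the whole datagram
    }


def inspect_ike_datagrams(datagrams, trusted_peers):
    """Run the generic checks over (source_ip, udp_payload) pairs and return alerts."""
    peers = [ip_network(p) for p in trusted_peers]
    alerts = []
    for src, payload in datagrams:
        # IKEv1 from an address that is not a configured tunnel endpoint is worth a look
        if not any(ip_address(src) in net for net in peers):
            alerts.append(IkeAlert(src, "IKEv1 datagram from a host that is not a configured VPN peer"))
        hdr = parse_isakmp_header(payload)
        if hdr is None:
            alerts.append(IkeAlert(src, "UDP/500 datagram shorter than the 28-byte ISAKMP header"))
            continue
        if hdr["major"] != 1:
            alerts.append(IkeAlert(src, f"unexpected ISAKMP major version {hdr['major']}"))
        if hdr["length"] != len(payload):
            alerts.append(IkeAlert(
                src, f"ISAKMP length field {hdr['length']} does not match datagram size {len(payload)}"))
    return alerts


def build_isakmp(body: bytes, exchange_type: int = 2, length_override=None) -> bytes:
    """Construct a minimal IKEv1 datagram for the sample data (not a real negotiation)."""
    length = ISAKMP_HEADER.size + len(body) if length_override is None else length_override
    header = ISAKMP_HEADER.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, exchange_type, 0, 0, length)
    return header + body


# Constructed configuration and traffic for the example: one trusted peer range,
# a clean Main Mode datagram, one from a stranger, one truncated, one with a bogus length.
TRUSTED_PEERS = ["203.0.113.0/24"]
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", build_isakmp(b"\x00" * 20)),
    ("198.51.100.7", build_isakmp(b"\x00" * 20)),
    ("203.0.113.10", b"\x00" * 10),
    ("203.0.113.10", build_isakmp(b"\x00" * 20, length_override=4000)),
]

if __name__ == "__main__":
    for alert in inspect_ike_datagrams(SAMPLE_DATAGRAMS, TRUSTED_PEERS):
        print(f"{alert.src}: {alert.reason}")
```

In practice the datagrams would come from a packet capture or a NetFlow/IPFIX feed rather than a list, and the peer allowlist from the device's crypto map configuration; the value of the checks is that they need no knowledge of the exploit itself, only of what well-formed IKEv1 from known peers looks like.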

iPhones can be cracked... cheaply

A researcher from Cambridge University has set out to prove that he could crack an iPhone for as little as £75 ($100). He has demonstrated a technique called NAND mirroring which appears to be able to crack iPhone security using low cost electronic components obtained from local distributors.

Focussing on the iPhone 5C specifically, the technique involves removing the NAND chip from the phone – the main storage component in Apple devices. This is then cloned, so that when one copy becomes locked due to too many failed access attempts it can be substituted with a fresh clone that has its PIN attempt counter set to zero. A working prototype has been built that can allegedly brute-force an updated iPhone 5C to reveal a passcode in under 24 hours. However, this process does require specific technical ability, and removing a NAND chip without damaging it is particularly difficult. Apple have yet to comment on the research, but this news comes shortly after Apple announced it would be rewarding hackers who are able to identify security flaws in its products.
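The design point behind the research is that a lockout counter only protects the passcode if it cannot be rolled back along with the storage it lives in. The following Python is an added model, not code from the researcher or from Apple, and it makes no claim about how any real iPhone stores its counter: it contrasts a device whose attempt counter sits in clonable storage (restoring a snapshot resets it) with one whose counter is held in a separate non-clonable component that the snapshot does not touch. The passcode, attempt limit and component names are constructed for the example.

```python
import copy
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 10  # constructed lockout threshold for the model


@dataclass
class ClonableStorage:
    """Models a NAND chip: everything here can be imaged and written back."""
    attempt_counter: int = 0
    data: dict = field(default_factory=dict)


@dataclass
class SecureCounter:
    """Models a counter in a separate component that a storage image does not include."""
    value: int = 0


class Device:
    def __init__(self, passcode: str, counter_in_secure_element: bool):
        self.storage = ClonableStorage()
        self.secure = SecureCounter()
        self.counter_in_secure_element = counter_in_secure_element
        self._passcode = passcode  # stand-in for the device's real secret

    def _attempts(self) -> int:
        return self.secure.value if self.counter_in_secure_element else self.storage.attempt_counter

    def _record_failure(self) -> None:
        if self.counter_in_secure_element:
            self.secure.value += 1
        else:
            self.storage.attempt_counter += 1

    def is_locked(self) -> bool:
        return self._attempts() >= MAX_ATTEMPTS

    def try_passcode(self, guess: str) -> bool:
        """Return True on success; refuse to evaluate guesses once locked."""
        if self.is_locked():
            return False
        if hmac.compare_digest(guess, self._passcode):
            return True
        self._record_failure()
        return False

    def snapshot_storage(self) -> ClonableStorage:
        """The attacker's image of the NAND chip: storage only."""
        return copy.deepcopy(self.storage)

    def restore_storage(self, image: ClonableStorage) -> None:
        """Swap in a clone taken earlier; the secure counter is untouched."""
        self.storage = copy.deepcopy(image)


def rollback_resets_lockout(counter_in_secure_element: bool) -> bool:
    """Lock the device with wrong guesses, restore the storage image, and report
    whether the device is willing to evaluate guesses again."""
    device = Device(passcode="1234", counter_in_secure_element=counter_in_secure_element)
    image = device.snapshot_storage()
    for _ in range(MAX_ATTEMPTS):
        device.try_passcode("0000")  # constructed wrong guess
    assert device.is_locked()
    device.restore_storage(image)
    return not device.is_locked()


if __name__ == "__main__":
    print("counter in clonable storage: rollback resets lockout =",
          rollback_resets_lockout(counter_in_secure_element=False))
    print("counter in secure element:   rollback resets lockout =",
          rollback_resets_lockout(counter_in_secure_element=True))
```

The model shows why the mitigation is architectural rather than a matter of choosing a larger attempt limit: any limit enforced from restorable state gives an adversary with physical access an unbounded number of attempts, while a counter kept outside the imaged medium keeps the device locked no matter how many clones are swapped in.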

Breaking Point

A security consultant claims that state-sponsored cyber-attacks are being conducted against major companies providing core internet services, in order to test cyber defence capabilities.

In an article entitled Someone is Learning How to Take Down the Internet, Bruce Schneier describes how these companies have seen an increase in DDoS attacks against them. These attacks are reportedly larger, more sustained and more sophisticated than previous ones, and appear to have probed the companies’ defences to determine how well they can protect themselves. While acknowledging that it is possible to disguise the country of origin for these sorts of attacks, the report suggests that their size, scale and persistence point to state actors. Schneier likens the probing activity to a nation’s military cyber-command calibrating its weaponry in case of cyber war; however, a single attack on a major provider of internet infrastructure could have considerable wider economic ramifications. An attempt to take down a major Internet Service Provider (ISP) could be aimed at severely disrupting e-commerce and international banking between continents and adversely affecting global stock markets and trade. Sufficient resilience against this kind of attack is therefore essential, and the issue could act as a catalyst for increased investment by companies in core internet infrastructure.

Mozilla Malware

Mozilla have announced that they will patch a flaw [CVE-2016-5284] in the Firefox browser that attackers could exploit not only to “impersonate Mozilla’s servers and to deliver a malicious extension update” but also to unmask people using the Tor Project’s Firefox-based anonymising web browser. The vulnerability is not thought to be severe, as a successful attack would require a valid (fraudulently issued) certificate for Mozilla’s domain, which many experts believe only nation states or APTs could obtain. Mozilla will push the fix into its stable release version on 20th September.

Further Vulnerabilities

Multiple vulnerabilities were reported in Apple macOS/OS X 10.11.6 which allow a remote or local user to cause denial of service conditions on the target system [CVE-2016-4717], obtain potentially sensitive information [CVE-2016-4708] and gain elevated privileges on the system [CVE-2016-4698].

Adobe has also reported vulnerabilities in Flash Player, and prior, in which a remote user can cause arbitrary code to be executed on the target user’s system and obtain potentially sensitive information [CVE-2016-4271, CVE-2016-4277, CVE-2016-4278]. Adobe has issued a fix and an advisory for these vulnerabilities.
