Top threats November 2017
Looking at articles and information from open sources, our own Cyber Defense Center and the media, the following list is what we see as the events with the most impact, risk and press from the last few weeks. The list mixes wildly different types of events, such as vulnerabilities, malware and hacks, and aims to give a high-level overview of the threat landscape. If you only have time to digest one item on this list: remember ROCA.
#1. Top threat: ROCA vulnerability allows recovery of RSA private keys
What: ROCA ("Return of Coppersmith's Attack", CVE-2017-15361) is a flaw in the RSA key-generation routine of Infineon's cryptographic library, which runs inside Infineon TPM chips, smart cards and security tokens. RSA keys generated by that library have a hidden mathematical structure that makes them factorable, so the private key can be recovered.
How: The attack needs only the public key; no access to the hardware and no interaction with the device are required. The primes produced by the library have the form k*M + (65537^a mod M) for a fixed "primorial" M, which shrinks the search space enough for a Coppersmith-style factorization. This is practical, not theoretical: a 1024-bit key costs on the order of a hundred CPU-days and a 2048-bit key on the order of 140 CPU-years, which is within reach of a cloud budget. 4096-bit keys are not practically factorable with the published method. The same structure leaves a fingerprint in the modulus, so weak keys can be identified from the public key alone.
When: Disclosed on October 16, 2017, the same day as KRACK. The full paper was presented at the ACM CCS conference on November 2nd.
Impact: The affected library sits in Infineon TPMs shipped in laptops, desktops and servers from the big PC vendors, as well as in smart cards and security tokens. If your organisation generates keys on such hardware (disk encryption, smart-card logon, signing tokens), you are likely to be affected, and many said this was bigger than KRACK. The flaw is in the chip's firmware, which is why the full extent of the impact is hard to assess. Note that a firmware update only fixes key generation going forward: keys that were already generated stay weak and must be regenerated or replaced after the update. Major vendors, including Infineon, Microsoft, Google, HP, Lenovo, and Fujitsu have addressed ROCA with firmware and software updates.
Although the #2 threat clearly won on buzz in the community, we place ROCA at #1.
- ‘Worse Than KRACK’ — Google And Microsoft Hit By Massive 5-Year-Old Encryption Hole
- Flaw crippling millions of crypto keys is worse than first disclosed | Ars Technica
- ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]
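As an added example (not from the original article and not the ROCA researchers' own tooling), the Python below reproduces the weak key structure at toy size and the public-key fingerprint test that spots it: because both primes are congruent to a power of 65537 modulo M, the modulus N = p*q is too, so N mod r must land in the small subgroup generated by 65537 for every prime r dividing M. The short list of small primes, the 256-bit prime size and the seeded RNG are assumptions for the demonstration; the real library used a much larger primorial.

```python
"""Toy ROCA key structure and the public-key fingerprint test (added example)."""
import random
from math import prod

E = 65537                      # public exponent used by the affected library
# Assumption for the toy: a short primorial. The real library built M from the
# first n small primes with n depending on the key size (e.g. 126 for 2048-bit keys).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61]
M = prod(SMALL_PRIMES)


def is_probable_prime(n: int, rounds: int = 24, rng=random) -> bool:
    """Miller-Rabin primality test (enough for a demonstration)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_prime(bits: int, rng: random.Random) -> int:
    """Prime of the weak form p = k*M + (E^a mod M), the structure ROCA exploits."""
    low, high = 1 << (bits - M.bit_length() - 1), 1 << (bits - M.bit_length())
    while True:
        a = rng.randrange(M)                 # E^a mod M is always coprime to M
        p = rng.randrange(low, high) * M + pow(E, a, M)
        if p.bit_length() == bits and is_probable_prime(p, rng=rng):
            return p


def random_prime(bits: int, rng: random.Random) -> int:
    """Ordinary prime with no special structure, for comparison."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng=rng):
            return p


def _powers_of_e_mod(r: int) -> set:
    """Subgroup of (Z/rZ)* generated by E: the only residues a weak modulus can have mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % r
    return seen


FINGERPRINT = {r: _powers_of_e_mod(r) for r in SMALL_PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True if N mod r lies in <E> for every small prime r in M.
    p = E^a and q = E^b (mod M) imply N = p*q = E^(a+b) (mod r) for every r | M."""
    return all(n % r in residues for r, residues in FINGERPRINT.items())


def fingerprint_false_positive_rate() -> float:
    """Fraction of random moduli that pass the test: product of |<E>|/(r-1) over the primes."""
    rate = 1.0
    for r, residues in FINGERPRINT.items():
        rate *= len(residues) / (r - 1)
    return rate


def generate_keys(bits: int = 256, seed: int = 1):
    """Return (weak modulus, ordinary modulus) of 2*bits bits each."""
    rng = random.Random(seed)
    weak = roca_style_prime(bits, rng) * roca_style_prime(bits, rng)
    ordinary = random_prime(bits, rng) * random_prime(bits, rng)
    return weak, ordinary


if __name__ == "__main__":
    weak, ordinary = generate_keys()
    print("weak modulus flagged:    ", roca_fingerprint(weak))       # always True
    print("ordinary modulus flagged:", roca_fingerprint(ordinary))   # False, except 1 in ~2880
    print("false-positive rate:     ", fingerprint_false_positive_rate())
```

The published detection tools apply the same test with a longer prime list, which drives the false-positive rate far below the 1/2880 of this toy. The fingerprint is also the attacker's starting point: once N is known to be E^c mod M, the discrete logarithm c can be found and the factor k recovered with Coppersmith's method, which is the expensive part left out here.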
#2. BadRabbit crypto ransomware
What: Crypto ransomware. About two thirds of BadRabbit's code is shared with (Not)Petya. The creators, in contrast with WannaCry / NotPetya, took the time to build a process for returning keys to paying victims.
Where: It started in Russia, Ukraine and Bulgaria. However, SecureLink has spotted infections in Belgium, and possibly in Sweden and the Netherlands. Reports from the US have come in as well.
How: The initial infection was a watering hole attack: compromised websites served a fake Flash Player update that the user had to download and run. Both the user and the sysadmin managing the network would have to make unwise decisions for the infection to succeed. For lateral movement, a crude mechanism was observed that tries a hardcoded list of usernames and passwords over SMB; later analysis found that the malware also carries an SMB exploit (EternalRomance), NotPetya style.
When: October 24, 2017 (CEST) – now
Impact: Seemingly very high; BadRabbit is the most discussed threat of the month. Neither the risk nor the impact is likely to be as high as the publicity makes it seem, since infection is only possible if [A] the user gets social engineered into running the fake update and [B] the user is allowed to “run as Administrator” (the dropper asks for elevation), which is bad practice and should be blocked in most enterprises.
- Our blog contains more links to original research: Badrabbit – SecureLink
- Our CDC’s IoC list (bear in mind: not updated): BadRabbit Domain IoC – Pastebin.com
#3. Vulnerability: KRACK breaking WPA2 protection
What: A vulnerability in WPA2, the protocol that secures pretty much all home and business Wi-Fi. It could allow an attacker within radio range to decrypt your traffic and, depending on the cipher configuration, inject packets.
How: By manipulating the 4-way handshake. The attacker blocks and later replays message 3 of the handshake, which makes the client reinstall the already-installed session key and reset its packet counter (the nonce). Encrypting two frames with the same key and nonce means the same keystream is used twice, so the attacker can recover plaintext by XORing the ciphertexts; some Linux and Android clients could even be tricked into installing an all-zero key.
When: First published on October 16, 2017 (CEST)
Impact: While the impact is global, many vendors like Microsoft and Apple have released patches. Since the attack targets the client side of the handshake, patching clients (laptops, phones, IoT devices) matters most; access points only need the fix where they act as clients themselves (repeaters) or use 802.11r fast roaming. The risk is in (obscure) IoT devices which might never get a firmware upgrade. That said, the research is academic, and at the time of writing there is no public proof-of-concept exploit available.
- Our blog aggregating sources: Detection and response measures regarding the WPA2 vulnerability | SecureLink
- Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama • The Register
- The original post: KRACK Attacks: Breaking WPA2
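As an added example (not from the original post and not the KRACK researchers' code), the Python below simulates the client side of the handshake just far enough to show the bug: the 802.11 PRF, the AES-CTR keystream of CCMP and the frame format are replaced by stdlib stand-ins (SHA-256 and HMAC-SHA256 in counter mode), and the passphrase, nonces and frame contents are constructed. The patched variant refuses to reinstall a key that is already in use, which is the essence of the vendor fixes.

```python
"""Key-reinstallation (KRACK) simulation: a replayed handshake message 3 resets the
client's packet counter, so two frames share one keystream (added example)."""
import hashlib
import hmac


def derive_ptk(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Stand-in for the 802.11 PRF that derives the PTK from the PMK and both nonces."""
    return hashlib.sha256(b"PTK" + pmk + anonce + snonce).digest()


def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Counter-mode keystream keyed by (PTK, packet number). Real CCMP uses AES-CTR;
    HMAC-SHA256 in counter mode is used here so the example runs with the stdlib."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side of the 4-way handshake (state only, no real 802.11 framing)."""

    def __init__(self, pmk: bytes, snonce: bytes, patched: bool):
        self.pmk, self.snonce, self.patched = pmk, snonce, patched
        self.ptk = None
        self.pn = 0              # packet number, used as the CCMP nonce
        self.installed = False

    def handle_msg3(self, anonce: bytes) -> None:
        """Message 3 carries the AP's nonce and the order to install the PTK. The AP
        retransmits it when message 4 is lost, so clients must accept duplicates."""
        ptk = derive_ptk(self.pmk, anonce, self.snonce)
        if self.patched and self.installed and ptk == self.ptk:
            return               # key already in use: do not reinstall, keep the counter
        self.ptk = ptk
        self.pn = 0              # installing a key resets the packet number (the bug)
        self.installed = True

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (packet number, ciphertext) as seen on the air."""
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


def krack(patched: bool):
    """Attacker in radio range: let the handshake finish, capture one frame whose
    content is guessable, replay message 3, capture the next frame, XOR the two."""
    pmk = hashlib.sha256(b"constructed passphrase").digest()   # constructed PMK
    anonce, snonce = b"A" * 32, b"S" * 32                      # constructed nonces
    client = Client(pmk, snonce, patched)
    client.handle_msg3(anonce)                 # genuine message 3: key installed, pn = 0
    known = b"GET / HTTP/1.1\r\nHost: example.test\r\n"        # guessable frame
    secret = b"Cookie: session=constructed-secret\r\n"         # frame the attacker wants
    pn1, c1 = client.send(known)
    client.handle_msg3(anonce)                 # attacker replays the captured message 3
    pn2, c2 = client.send(secret)              # same pn again on a vulnerable client
    recovered = xor(xor(c1, c2), known)        # c1 ^ c2 = p1 ^ p2 when keystreams match
    return pn1, pn2, recovered


if __name__ == "__main__":
    for patched in (False, True):
        pn1, pn2, recovered = krack(patched)
        print(f"patched={patched}: packet numbers {pn1}, {pn2}; recovered={recovered!r}")
```

In the vulnerable run both frames go out with packet number 1 and the XOR trick returns the cookie; in the patched run the counter keeps climbing and the result is noise. Nothing here touches the passphrase or the PMK, which is why changing the Wi-Fi password does not help against KRACK and patching the client does.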
#4. Deloitte hack
What: Deloitte was hit by a major cyber-attack that compromised its email system and certain client records.
Where: Deloitte, UK
When: The news came out late September 2017, with reports mentioning that the actual intrusion took place months earlier.
Impact: Reportedly, confidential e-mails and plans of blue-chip customers were stolen, and according to press reports the attacker got in through an administrator account protected by a single password without two-factor authentication. Hacks happen all the time, and serve as a reminder: 100% protection is impossible, but we need to continuously reassess whether we can do better.