January 2018: DDOS-ed countries, alleged retaliation, broken chips & stolen records

When I say this has been an unprecedented month of threats, I feel like I am sounding like a stuck vinyl record. So, I won’t. Depending on where you live, you might have heard more than others. That’s why today we’re taking a small tour, because some of the most exciting events have been happening in the Netherlands and Norway. That said, the chip in the device you’re reading this on is broken, but we’ll get there after the juicy stuff. Then we’ll end this tour in the US.

1. DDOS attacks and media fallout in the Netherlands

During the weekend of January 27 In the Netherlands, DDOS attacks started targeting banks and government functions, and after several days they’re still happening. A nuisance, since in many cases retail payments and online banking were interrupted. AV company ESET mentioned the attacks came from Russia, later retracting the statement to say there’s something coming from Russia, but not necessarily DDOS attacks. The reality is, through C2 servers from Russia or not, DDOS can be operated from all over the globe, by anyone; including pranksters, copycats and activists. A decent size DDOS attack can be bought for a few dozen dollars. The Russia narrative is interesting for a different reason.

A week earlier, a story broke that US authorities had been bragging over “friendly spy agencies having access to FSB networks”. This lead to an article stating Dutch spies were warning the US about DNC and other hacks, by hacking into the Russian spy office. Many (amateur) cyber sleuths found the DDOS / Russia story a bit convenient and suspected Russia coordinated a retaliation. Indeed, countries rallying activists to attack enemies is not new. That said, there is as of yet, zero proof, and attribution to these kinds of attacks is extremely hard.

The takeaway is: whether Russia is involved or not, the Netherlands has been mildly disrupted for several days now.  There’s a lot of FUD being spread on blogs, radio and TV, some mentioning this is a test attack before jackpotting ATM’s. (Just to be clear, it’s not). The continued attacks could technically be a result from press attention, as much as from Nation State coordination. The Dutch, in typical fashion, are shrugging their shoulders.

Still, the #1 threat (because we sometimes tend to forget) on our beloved internet anyone with a TOR browser and 20 dollars can take down someone else.

2. Norwegian healthcare heist

Nearly half of the Norwegian population’s health care records were stolen. Health South-East RHA is a healthcare organisation that manages hospitals in Norway’s southeast region, including Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.

The danger for the victims is there might be severe consequences in the future. This kind of data has a long shelf time and is “rich enough for identity theft”. Like in the Equifax hack, this might come back way later and bite someone in the behind.

For that reason, and although victims might find it overblown, we’re placing this at #2.

3. Meltdown / Spectre vulnerabilities

Meltdown & spectre, chip vulnerabilities exploiting “cumulative speculation“, seems ages ago, and you might be surprised to learn it was this month. (Almost) all chips are affected, with Intel and Apple ones the most vulnerable. The biggest global story by far, and many people including us have written detailed articles about this. At SecureLink, before hopping on the “biggest threat ever” bandwagon, we tried to exploit meltdown (easier to do than spectre), before making a statement. It turned out to be pretty hard, and because you require execution rights on the target device before even attempting it, there’s dozens of easier ways for bad guys to steal your stuff.

That’s why we’re placing this at #3. Your OS has already updated. Microcode patches are a mess. There’s really not a lot else you can do.

That said, this can change tomorrow. If a motivated individual creates a new, workable PoC, we’re out of luck.

4. Intel’s AMT feature

If I were a criminal after your secrets, and I had access to your PC, this is the first thing I would try: using Intel’s AMT feature. By enabling remote access you get full control and the OS sees nothing! No logs, no SIEMS, no analytics, no detection. Just totally invisible access.

However, this is a feature, and you need physical access, so it only gets spot #4 on this list.

5. Jackpotting ATM’s in the US

Circling back to jackpotting (as falsely claimed by experts to be the second step after DDOS), it definitely does exist. The most elegant version (which doesn’t require any drilling) is owning the ATM software, so it starts ejecting bills. Believe it or not, it happens. Pioneered a few years ago in Russia, targeting Russian banks, then moving to Asia, it has now landed in the US. It requires a tremendous amount of skill, as you first need to own the ATM network, then stay hidden, then manipulate the ATM software.

The US Secret Service has sent warnings that this now happening in the US, and we can trust that these “good old” criminals have evolved their capabilities.

6. All the other threats

After Rapid ransomware, the Blizzard vulnerabilities leaving gamers vulnerable for malicious updates, and a google Pixel vulnerability, it would be safe to say January has been an eventful month. And that’s without even taking into account this story from the EFF that spies have now moved in to mobile territory in order to steal data. Dark Caracal, possibly a nation state, is social engineering people to install hijacked chat apps on their Android phones and they track them from there. In the U.S., Canada, Germany, Lebanon, and France; military, journalists and lawyers have been targeted in an attempt to steal information on their communication devices.

Further reading

2018-02-02T13:32:04+00:00February 1st, 2018|

About the Author:

Eward Driehuis
Chief Research Officer, SecureLink Group

Leave A Comment

SecureLink