nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

Hacking

China’s Volt Typhoon: Espionage and Disruption Threats to National Infrastructure

A Chinese state-sponsored hacking group known as “Volt Typhoon” has been conducting a cyberespionage campaign targeting military and government organizations in the United States, as revealed by Microsoft and various cybersecurity and intelligence agencies. The group’s activities have triggered alerts and raised concerns about potential disruptions to critical communications infrastructure between the US and Asia.

The US Navy has confirmed that it has been impacted by the cyberattacks attributed to the Chinese hackers. The Navy’s Secretary, Carlos Del Toro, stated that China’s behavior in cyberattacks is not surprising and has been ongoing for decades. Microsoft’s warning emphasized that the group exploited a vulnerability in a popular cybersecurity suite, affecting critical cyber infrastructure across various industries. The hackers specifically targeted the communications and maritime sectors in Guam, where a significant US military base is located. Experts have expressed concerns that the surveillance activities in Guam may be related to China’s potential invasion of Taiwan.

Volt Typhoon, characterized as an advanced persistent threat (APT) group, primarily focuses on stealth and espionage. They employ “living off the land” techniques and use the command line to scrape credentials and gather information. To simulate a realistic attack like this, an nGuard red team assessment can test how your organization might perform against real threats. Volt Typhoon also utilizes compromised small office/home office (SOHO) routers and other network devices to proxy their network traffic, blending in with normal network activities and evading detection. nGuard’s managed SIEM solution with User and Entity Behavior Analytics (UEBA) can help detect this type of activity happening within your network before it is too late.

While the hackers have primarily engaged in espionage, there are concerns about their potential to carry out disruptive actions. Microsoft’s analysis suggests that Volt Typhoon is developing capabilities to disrupt critical communications infrastructure between the US and Asia, particularly during future crises. The escalating tensions between the US and China, particularly regarding Taiwan, add weight to the concerns.

The Chinese government has rejected the accusations, dismissing them as a “collective disinformation campaign” and pointing fingers at the US, labeling it the “empire of hacking.” However, researchers from cybersecurity organizations have observed Volt Typhoon targeting defense and government organizations in the US for espionage purposes. While no evidence of destructive activity has been found, the hackers’ focus on stealing information related to US military activities raises concerns.

The revelations about Volt Typhoon’s cyberespionage activities come at a time when the US has been increasing efforts to protect critical infrastructure from cyber threats. Multiple attacks on vital systems in recent years, including those targeting gas pipelines and meat suppliers, have highlighted the need for stronger defenses. Conducting regular penetration testing and vulnerability scanning can help you find and fix the vulnerabilities in your network before groups like Volt Typhoon do. The potential disruption of critical communications infrastructure by groups like Volt Typhoon underscores the importance of bolstering cybersecurity measures to safeguard national security interests.

In summary, the Chinese state-sponsored hacking group Volt Typhoon has been conducting cyberespionage targeting military and government organizations in the US. The group’s activities have triggered warnings from various agencies and raised concerns about potential disruptions to critical communications infrastructure. While China denies the allegations, evidence suggests that their focus on espionage and the development of disruptive capabilities poses a significant threat to US national security. The situation highlights the ongoing challenge of protecting critical infrastructure from cyber threats in an increasingly tense geopolitical landscape.

NIST’s Retirement of SHA-1: The Clock is Ticking

Introduction
The National Institute of Standards and Technology (NIST) has announced that the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life. This algorithm, which has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1, is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST has announced that SHA-1 should be phased out by December 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

Importance of SHA-1
SHA-1, whose initials stand for “secure hash algorithm,” has served as a building block for many security applications such as validating websites, SSL certificates and digital signatures. It secures information by performing a complex mathematical operation on the characters of a message, producing a short string of characters known as a hash. It is impossible to reconstruct the original message from the hash alone, but knowing the hash provides an easy way for a recipient to check whether the original message has been compromised, as even a slight change to the message alters the resulting hash dramatically. However, today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine the security of SHA-1 in recent years.

Recommendations
At nGuard, we recommend that organizations still using SHA-1 for security conduct a thorough network and database assessment to identify and address vulnerabilities. Our team of experts can assist with this transition by identifying any instances of SHA-1 usage and recommend a migration plan. Additionally, our web application testing can also lead to the discovery of data hashed with SHA-1, further highlighting the need for an upgrade.

Conclusion
In conclusion, SHA-1 has reached the end of its life, and organizations should consider migrating to the more secure SHA-2 or SHA-3 algorithms as soon as possible. It is important to note that NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. And by that date, NIST plans to:

  • Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
  • Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
  • Create and publish a transition strategy for validating cryptographic modules and algorithms.

As a result, modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that The Cryptographic Module Validation Program (CMVP) has time to respond.

TWiC | Fortinet PoC, US Airport Sites Go Offline, CISA Warns of Industrial Appliance Flaws, & Windows 11 Phishing Protection

Over the past few weeks there have been several hot topics and time sensitive advisories released. In this edition of This Week in Cybersecurity, nGuard will highlight the Fortinet proof-of-concept (PoC) that was released; Russian-speaking hackers taking down US Airport websites; Windows 11 offering automatic phishing protection; and CISA warning of critical flaws in some industrial appliances.

Fortinet PoC Released
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager. A successful exploitation of the shortcoming is tantamount to granting complete access “to do just about anything” on the affected system. Fortinet issued an advisory urging customers to upgrade affected appliances to the latest version as soon as possible and CISA added this to their Known Exploited Vulnerabilities (KEV) Catalog. 12 unique IP addresses have accounted for most responsibility in weaponizing CVE-2022-40684 as of October 13, 2022. A majority of them are located in Germany, followed by the U.S., Brazil, China and France. nGuard covered this in more detail in a Security Advisory last week. Conducting ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment.

US Airport Sites Taken Down by Russian-Speaking Attackers
On Monday October 10th, more than a dozen public-facing airport websites, including those for some of the nation’s largest airports, appeared inaccessible, and Russian-speaking hackers claimed responsibility. The attack was carried out by a group known as Killnet, who support the Kremlin but are not thought to be government hackers. Killnet favors a type of attack known as a distributed denial of service (DDoS). Two of the sites that were affected by this attack were Atlanta’s Hartsfield-Jackson International Airport and the Los Angeles International Airport websites. Fortunately, there did not seem to be an impact to air travel itself but may have caused inconveniences for individuals traveling during the time access to those sites was attempted.

Windows 11 Offers Automatic Phishing Protection
Enhanced phishing protection now comes prebuilt into the Windows 11 operating system. This protection can automatically detect when users type their password into any app or site that is known to be dangerous. Admins can know exactly when a password has been stolen and can be equipped to better protect against such attacks. According to Microsoft, “When Windows 11 protects against one phishing attack, that threat intelligence cascades to protect other Windows users interacting with other apps and sites that are experiencing the same attack.” A blocking dialog warning is displayed prompting users to change their password if they type it into a phishing site in any Chromium browser or into an application connecting to a phishing site. If users try to store their password locally, like in Notepad or in any Microsoft 365 app, Windows 11 warns them that this is an unsafe practice and urges them to delete it from the file. To help train and test your employees on their security awareness, nGuard offers custom, tailored Security Awareness Training and social engineering.

CISA Publishes Two Advisories Regarding Industrial Appliances
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The list of issues, which affect R-SeeNet Versions 2.4.17 and prior are:

Patches have been made available in version R-SeeNet version 2.4.21 released on September 30, 2022.

These alerts come less than a week after CISA published 25 ICS advisories on October 13, 2022, spanning several vulnerabilities across devices from Siemens, Hitachi Energy, and Mitsubishi Electric.

nGuard has a wide array of experience assessing critical infrastructure, SCADA, and Industrial Control Systems (ICS) and can help you secure yours. Conducting annual penetration testing, having a proper Incident Response Plan, and ensuring you have the proper logging, alerting, and correlation can help you stay ahead of the attackers.

URGENT | Fortinet Authentication Bypass Vulnerability

On October 10, 2022, Fortinet, Inc released a new advisory for CVE-2022-40684 which affects the FortiOS, FortiProxy and FortiSwitchManager products.

Each of these products are vulnerable to an authentication bypass vulnerability. This vulnerability could allow an attacker to perform unauthenticated actions on the target system.  These actions include, but are not limited to:

  • Modifying admin user SSH keys.
  • Adding new local users
  • Updating network configurations to reroute traffic
  • Initiating packet captures to capture sensitive information

Publicly available exploit code is now starting to become available.

Affected Products

  • FortiOS version 7.2.0 through 7.2.1
  • FortiOS version 7.0.0 through 7.0.6
  • FortiProxy version 7.2.0
  • FortiProxy version 7.0.0 through 7.0.6
  • FortiSwitchManager version 7.2.0
  • FortiSwitchManager version 7.0.0

Solutions

  • Upgrade to FortiOS version 7.2.2 or above
  • Upgrade to FortiOS version 7.0.7 or above
  • Upgrade to FortiProxy version 7.2.1 or above
  • Upgrade to FortiProxy version 7.0.7 or above
  • Upgrade to FortiSwitchManager version 7.2.1 or above

Read more in:

Ongoing penetration testing and vulnerability management can alert you to these types of vulnerabilities being present in your environment. nGuard account executives are standing by to discuss solutions that elevate the overall security posture of your organization and ensure you are ready to handle vulnerabilities such as the ones described above.

Microsoft Zero-Day with No Patch!

Overview
CVE-2022-30190, known as Follina, was released by Microsoft on Monday, May 30th, 2022. The vulnerability resides within the Microsoft Support Diagnostics Tool (MSDT), which may allow an attacker to run arbitrary code with the privileges of the calling application. Microsoft Office applications use MSDT to troubleshoot and collect diagnostic information when something goes wrong.

This vulnerability was discovered by the independent cybersecurity researchers at nao_sec after they noticed a strange word document posted to VirusTotal. Using the Remote Template feature in Microsoft Word, an HTML file was pulled from a remote web server. It then made use of the “ms-msdt://” URI scheme to run a malicious payload. Experts are now saying this vulnerability is being exploited by attackers in the wild. Some security researchers have demonstrated execution of the malicious code merely by previewing the document in Windows File Explorer or Outlook.

Exploit
The video below demonstrates how easily this vulnerability can be exploited. Exploit code is now publicly available, making this process trivial. We will outline the steps taken in this video below:

  1.  An attacker downloads exploit code from GitHub.
  2. This exploit code is then utilized to create the malicious Word document and stand up a web server to serve up the HTML file. In the video below, this Word document is called “sploit.docx.”
  3. Once the user opens the Word document, you see the MSDT tool also fire off. MSDT is also commonly referred to as “Program Compatibility Troubleshooter.”
  4. The producer of this video then shows you that both a cmd.exe process and powershell.exe process have been launched on the system. At this point, the document can be closed, but the malicious process is still running.
  5. The demo then shows a Cobalt Strike window. Cobalt Strike is a command-and-control framework used for maintaining persistent access on compromised systems. You can see in the video that a “beacon” has been launched on the system. A beacon is an agent on the system that allows an attacker to maintain persistent access and run arbitrary code.
  6. At this point the producer of this video runs “whoami” on the system itself to show you which user account launched the Word document. They then flip back to Cobalt Strike and run “whoami” from the interactive beacon. This displays the same user account. Persistent remote code execution achieved.

What To Do?
At this point in time, Microsoft has not released an official fix for this vulnerability. They are recommending that the MSDT URL protocol be disabled in order to protect systems from this vulnerability. That guidance can be found here. nGuard offers a bevy of services that can help prevent and identify these types of attacks. Both Social Engineering simulations and Social Engineering Awareness Training can assist your organizations employees in identifying these types of attacks. Internal Penetration Testing can boost the overall security posture of your internal network. If a machine on your network does become compromised, you have assurance that the adversary won’t make it very far. Lastly, Managed Event Collection & Correlation gives you 24×7 monitoring from advanced log analysis tools and nGuard professionals who are trained to detect suspicious activity.

FBI Secretly Removing Malware

Late last week, Attorney General Merrick Garland announced that the FBI was removing malware from computer systems around the world in an attempt to thwart Russian cyber-attacks. In March, the White House warned that Russia could be targeting critical infrastructure in the United States. The malware that is being removed from systems by the FBI is reported to allow an arm of the Russian military called the GRU to take over machines and create botnets for DDoS attacks. The GRU is Russia’s largest foreign intelligence agency responsible for handling multiple forms of military intelligence.

The Justice Department says that this strain of malware is designed to compromise externally facing firewalls and loop them into a botnet called Cyclops Blink. The botnet is controlled by a notorious group called Sandworm that has been known to work with the GRU. The DOJ warned owners of infected devices that their machines were part of this Cyclops Blink botnet, but decided that it was not worth the wait and took it upon themselves to remove the malware from infected devices.

Through secret court orders, the Justice Department and FBI were able to quietly remove this malware from infected devices across the globe. After removing the malware, the FBI also closed the management port that was being used as the attack vector. The Biden administration has been ramping up their cyber security operations since the breakout of war in Ukraine. While Ukraine has been the number 1 target of cyber attacks over the last couple months, authorities warn that critical infrastructure organizations in the United States could be next.

Performing external penetration testing and having a formal external vulnerability management program can help to thwart attacks like this. By identifying these vulnerabilities and patching them before adversaries get their hands on them, you can protect your externally facing machines from becoming a part of a worldwide botnet.