TRANSCRIPT
Nation State Malware: The Next Cyberwar Begins = Copyright 2017 leeneubecker.com
“Nation State Malware: The Next Cyberwar Begins”
Presented by: Lee Neubecker
● Cyber Security Professional and Computer Forensics Expert
● Former Founder and CEO of Forensicon.com 2000 - 2016
● Former Group Product Manager Lycos.com Community Products
● Security Research & Blogger: just Launched at leeneubecker.com
Overview
I. Recent News
II. History of Computer Convergence
III. Overview of Super Nation State Malware
IV. Attack Points / What you probably didn’t know
V. Safeguarding Yourself
VI. Public Policy
I. Recent News:
A. Snowden Disclosures
B. OPM Data Breach
C. Hacking Team Code Posted
D. Presidential Campaigns Hacked / DNC
E. US Cert Advisory to ICS
F. CIA VAULT 7 Wikileaks Dump
https://ics-cert.us-cert.gov/sites/default/files/documents/NCCIC_ICS-CERT_AAL_Malware_Trends_Paper_S508C.pdf
“Only fully restoring the BIOS of the motherboard would take it out”
More from wired.co.uk
First there was BIOS
The Basic Input / Output System, stored on an onboard hardware chip, controls the initial boot-up of the computer.
BIOS limitations
● Could only use the first 512KB of Memory
● Maximum 4 primary partitions
● Max size of 2.2TB sized partitions
● Required Master Boot Record to store the Bootloader
● Often Unsigned BIOS
Migration of all Major Computer OS to Common Framework - UEFI
● UEFI - The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware.
● In 2005 Intel donated EFI to the newly-formed UEFI Forum, a consortium made up of the usual suspects: AMD, Apple, IBM, Intel, Microsoft, and so on.
● Introduced a more efficient means to combat terrorism
● With the new surface came new vulnerabilities to exploit
UEFI (Unified Extensible Firmware Interface)
● Rather than all of the boot code being stored in the motherboard's BIOS, UEFI sits in the /EFI/ directory in some non-volatile memory (NVRAM); either in NAND on the motherboard, on your hard drive, or on a network share.
● NAND memory doesn’t require power to retain storage.
UEFI Advantages
● GPT Partition Allows Unlimited Logical Partitions (Windows max of 128 Logical Partitions)
● Maximum Partition Size Increased 2.2 Terabyte -> Massive size 9.4 Zettabyte
● Shorter OS Boot Times
● With Secure Boot On Prevents Non-Signed OS from Loading
● Flexible pre-OS environment, including network capability
● CPU Independent Architecture and Drivers
Boot Process Diagram with UEFI / SMM(System Management Mode)
Boot Loaders
Bootstrap loader. Alternatively referred to as bootstrapping, bootloader, or boot program, a bootstrap loader is a program that resides in the computer's EPROM, ROM, or other non-volatile memory. It is automatically executed by the processor when turning on the computer.
GRUB Bootloader
● GNU (GNU’s Not UNIX) GRUB (short for GNU Grand Unified Bootloader) is a boot loader package from the open source free GNU Project.
● GRUB provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system's partitions.
● Most major current popular computing devices are now based off the Linux GRUB bootloader.
Serial Peripheral Interface (SPI) - Flash Storage
SMM - Where Nation State Malware Resides
Boot Process Diagram with UEFI / SMM(System Management Mode)
SMM Takes Control Before the OS Loads from the Hard Drive or Other Boot Device
Modem Implant on Chip SMM Recovery
II. History of computing platform convergence
I. UEFI - Unified Extensible Firmware Interface
II. Plug and Play
III. Bootloaders (GRUB)
IV. System Management Mode (SMM) Rootkit Control
V. New exploit surface before OS - SPI / SMM
VI. False on off for networking services
III. Super Nation State Malware
● Why this is a threat - why we should be concerned
● Where it resides
● How it infects
● What it does
● Detection
● Remediation
● Prevention
Why We Should be Concerned
● January 2015 Corey Kallenberg Discloses Vulnerabilities
● June 2015 US OPM Hacked
● July 2015 Hacking Team Hacked - Source Code Posted
● Summer/Fall 2016 Presidential Candidates Hacked
● October 2016 US Cert Issues Notice to Industrial Control Systems
● US NIST Compromised December 2016
● March 2017 CIA Vault 7 Tools Leaked
Script Kiddie Wars will begin soon!
Where Nation State Malware Resides
● Resides within RAM / NVRAM / SPI / Option ROMS
● Can Load from Network shares if no boot media available
● Can call out via Socket Level connections pre OS boot using sound, Infrared, Bluetooth, WIFI, Ethernet
● Creates Partitions to virtualize your main OS
● WMIC May Provide Insight - (Windows Management Instrumentation Command-line)
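The slide above (and the later Detection slide) point to hidden or unexpected partitions as one sign of a firmware-level implant. Added example, not from the original deck: a small parser for the GPT partition entry array that flags entries whose type GUID is outside a constructed Windows-only baseline or that carry Microsoft's "hidden" attribute bit (bit 62). The sample entry array, the baseline, and the `deadbeef-…` type GUID are all constructed for this example; on a real machine you would feed it the entry array read from the disk (e.g. via WMIC or a raw disk read) instead.

```python
import struct
import uuid

# Constructed baseline: partition type GUIDs expected on a Windows-only GPT disk
KNOWN_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Basic data",
}
ENTRY_FMT = "<16s16sQQQ72s"             # type GUID, unique GUID, first/last LBA, attrs, name
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 128 bytes per entry
ATTR_HIDDEN = 1 << 62                    # Microsoft basic-data attribute bit: hidden

def build_entry(type_guid, first_lba, last_lba, attrs, name):
    # Pack one 128-byte GPT entry; used only to construct sample data for this example
    return struct.pack(ENTRY_FMT, uuid.UUID(type_guid).bytes_le, uuid.uuid4().bytes_le,
                       first_lba, last_lba, attrs, name.encode("utf-16-le").ljust(72, b"\0"))

def parse_entries(blob):
    # Decode every used slot of a GPT partition entry array (GUIDs are mixed-endian)
    parts = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        t, _u, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, blob, off)
        type_guid = str(uuid.UUID(bytes_le=t))
        if type_guid == "00000000-0000-0000-0000-000000000000":
            continue  # unused slot
        parts.append({"type": type_guid, "attrs": attrs, "name": name.decode("utf-16-le").rstrip("\0")})
    return parts

def suspicious_partitions(parts):
    # Return (name, reasons) for entries the baseline cannot explain
    findings = []
    for p in parts:
        reasons = []
        if p["type"] not in KNOWN_TYPES:
            reasons.append("unknown type GUID " + p["type"])
        if p["attrs"] & ATTR_HIDDEN:
            reasons.append("hidden attribute set")
        if reasons:
            findings.append((p["name"], reasons))
    return findings

# Constructed sample table: two normal entries, one hidden entry, one unknown type
SAMPLE_TABLE = b"".join([
    build_entry("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 2048, 206847, 0, "EFI system partition"),
    build_entry("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 239616, 500000000, 0, "Basic data partition"),
    build_entry("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 500000001, 520000000, ATTR_HIDDEN, "Basic data partition"),
    build_entry("deadbeef-0000-4000-8000-000000000001", 520000001, 540000000, 0, "hypervisor"),
]) + b"\0" * ENTRY_SIZE  # trailing unused slot
```

The hidden bit alone is not proof of compromise (vendors use it for recovery partitions), so treat findings as leads to compare against the machine's factory partition layout.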
How it Infects
● Emailed Attachment Containing Payload
● Peripheral USB Driver / Plug and Play / Printer Connection
● SMB File Shares
● SSH Brute Force Attacks
● MITM Attack - Flash Update
● Memory Attacks - Buffer Overflow
● Cell Phone Network Compromise - Bad Update
What it Does
● Establishes Backdoor for Monitoring and Exfiltration of Data
● Sends the target’s GPS location using processor based modem on the chip
● Can Schedule Remote Boot Ups
● Overrides DNS Routing
● Control of Camera / Microphone
● Establishes Encrypted Outbound Channels to Exfiltrate Data
● Moves Laterally and Attacks Other Devices on Local Network
● Persists With User by Attaching to Smart Phone
● Hides in RAM and Kernel - Largely Undetectable by OS Applications
Detection
● Escapes Detection from Most Antivirus Programs
● Alteration of partitions - hidden partitions (WMIC may help detect)
● Firewall logs - may show irregular outbound activity
● Tracer Routes - Odd delays when loading webpages or routes that are unusual
● Trusted Root Certificates - Unusual certificates in trust
● Local Loopback Network Connections
● Multiple IP Addresses / Devices Active
● EFI Content - Intel’s CHIPSEC utility may be useful in detection
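The Detection slide says firewall logs may show irregular outbound activity, and the earlier slide says the implant can call out before the OS boots. A host-based firewall cannot see pre-OS traffic, so the check has to run over perimeter (network-side) logs. Added example, not from the original deck: it parses a constructed firewall log format and flags outbound flows from a host that occur before the time its OS reports having booted, or that go to a destination outside a constructed baseline. The log lines, IPs, boot time and baseline are all constructed.

```python
import re
from datetime import datetime

# Constructed perimeter-firewall log format: timestamp, direction, src:port -> dst:port, proto
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$")

def parse_line(line):
    # Return a dict for a well-formed line, None for anything else
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def irregular_outbound(log_lines, host_ip, os_boot_time, allowed_dsts):
    # Flag outbound flows from host_ip that the running OS cannot account for:
    # traffic before the OS booted (a pre-OS callout) or to a destination outside the baseline
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT" or rec["src"] != host_ip:
            continue
        reasons = []
        if rec["ts"] < os_boot_time:
            reasons.append("outbound before OS boot (pre-OS callout)")
        if rec["dst"] not in allowed_dsts:
            reasons.append("destination not in baseline")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["dst"], int(rec["dport"]), reasons))
    return findings

# Constructed sample: the host's OS reports it booted at 07:59:30, yet the perimeter
# firewall saw an outbound TLS flow from it at 02:14:07
SAMPLE_LOG = """\
2017-03-12T02:14:07 OUT 192.168.1.20:49152 -> 198.51.100.9:443 TCP
2017-03-12T02:14:09 IN 203.0.113.7:4444 -> 192.168.1.20:22 TCP
2017-03-12T08:01:15 OUT 192.168.1.20:49201 -> 208.67.222.222:53 UDP
2017-03-12T08:03:40 OUT 192.168.1.20:49300 -> 93.184.216.34:443 TCP
2017-03-12T08:05:02 OUT 192.168.1.31:50100 -> 198.51.100.9:443 TCP
""".splitlines()
HOST_IP = "192.168.1.20"
OS_BOOT = datetime(2017, 3, 12, 7, 59, 30)
ALLOWED = {"208.67.222.222", "208.67.220.220", "93.184.216.34"}  # constructed baseline

if __name__ == "__main__":
    for ts, dst, port, why in irregular_outbound(SAMPLE_LOG, HOST_IP, OS_BOOT, ALLOWED):
        print(ts, dst, port, "; ".join(why))
```

The boot-time comparison only works if the firewall's clock and the host's clock agree, which ties back to the deck's later point about clock-rollback attacks and NTP.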
Intel CHIPSEC UEFI Tool
The Advanced Threat Research team at Intel Security has designed a new module for its existing CHIPSEC open-source framework that is able to detect malicious EFI binaries. “CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities,” reads the description of the framework. “It can be run on Windows, Linux, Mac OS X and UEFI shell.”
Remediation
● Replacing hard drives can’t mitigate infection
● Internet Restore of iOS can’t fix
● Apple Security Engineer Corey Kallenberg told me “You have to replace your motherboard” (Fall 2016)
● Replacing/reflashing SPI / BIOS / NVRAM / RAM and onboard storage may fix, but is beyond the scope of most users
Prevention
● Use older mouse & keyboard (Pre 2005) with USB adapter (No vulnerable SPI chip nor remote broadcasting via Bluetooth or RF)
● Don’t share USB devices between untrusted computers
● Firmware patch all hardware & peripherals to latest
● Apply software / security updates regularly and timely
● Use OPENDNS.com 208.67.222.222 · 208.67.220.220
● Verify all download installation packages before installing (Virustotal.com)
FCC Warning Added ~2005 to bottoms of USB Keyboards
“(2) This device must accept interference received, including interference that may cause undesired operation.”
BAD USB
Verify Your Download Installation Packages
VirusTotal.com Reports when they last analyzed file
If the program has never been analyzed - big problem!
Virustotal.com Provides Results from AV Vendors
Verify What Other AV Vendors Say
More on Prevention
● Enable Secure boot and BIOS Hardware Boot Password
● Use a non-privileged user account to surf the web
● Encrypt your hard drive
● Don’t connect to untrusted devices or networks
● Use SOPHOS for Antivirus - install first thing
● Enable firewall (Block SSH and other inbound traffic)
● Use Complex 14 character plus passwords
Smartphone Safety Tips
● Plug your smartphone only into your own brick charger
● Keep bluetooth & wifi off on your phone unless required
● Turn off data / network roaming / handoff features
● Turn off NTP auto time set - manually set
● Don’t check for updates on untrusted networks
● Beware of signal deprecation LTE to 3G, 2G, 1x, GSM
V. Attack points
● Routers - clock rollback attack
● Cell Phone Network
● USB devices (driver hijacking) / Plug N Play / Auto Run
● Bluetooth / Wifi / Infrared / MIDI Open Sound Protocol
● Modem onboard processor - backdoor - SMM
● Monitor / Mouse as transmitter - Mikrotik Patent
● IOT devices as relay attack point for Mesh Networks
● Mesh Networks - P2P - Fluxwire CIA Vault 7 Leak
VI. Public policy
● Balance the Need for Privacy and Security vs. Need to Keep Country Safe
● Government should disclose leaked vulnerabilities to Software / Hardware Makers for fixes to known zero day vulnerabilities leaked
● If our government monitors everything, they must be able to protect those tools from distribution
● Track record doesn’t look that great
● Notification laws will collapse business if they follow the rules
Public Policy - Things that need to happen
● Ease of Verifying Certificates - Library Printed Bulletins
● All Peripherals need to have Drivers Signed especially USB Storage
● Hardware BIOS / Firmware needs reliable roll back option to restore defaults
● New computing equipment needs to be secured at point of purchase
● Distribution of Firmware and Security Updates via Read Only Disc Media
● Leaked tools for Backdoor Access Need to be Disclosed & Patched
● Cell Phone Networks Need to be Secured
● Computing devices need to block date/time rollbacks prior to mfg date
Q&A Discussion
About Lee Neubecker
● Blogger at leeneubecker.com
● Former founder and CEO of Forensicon.com
● Available as a Speaker for your Next Organization’s Event
● Security Research & Forensic Expert Considering New Opportunities in the Cyber Security Realm
● Contact & Inquiries to me at: [email protected]