Nation State Malware: The Next Cyberwar Begins
Presented by: Lee Neubecker, Cyber Security Professional and Computer Forensics Expert
Copyright 2017 leeneubecker.com

Posted on 21-Apr-2020

TRANSCRIPT

Page 1

“Nation State Malware: The Next Cyberwar Begins”

Presented by: Lee Neubecker
● Cyber Security Professional and Computer Forensics Expert
● Former Founder and CEO of Forensicon.com 2000 - 2016
● Former Group Product Manager Lycos.com Community Products
● Security Research & Blogger: just Launched at leeneubecker.com

Page 2

Overview
I. Recent News
II. History of Computer Convergence
III. Overview of Super Nation State Malware
IV. Attack Points / What you probably didn’t know
V. Safeguarding Yourself
VI. Public Policy

Page 3

I. Recent News:
A. Snowden Disclosures
B. OPM Data Breach
C. Hacking Team Code Posted
D. Presidential Campaigns Hacked / DNC
E. US-CERT Advisory to ICS
F. CIA Vault 7 Wikileaks Dump


Page 10

“Only fully restoring the BIOS of the motherboard would take it out”


Page 14

Overview
I. Recent News
II. History of Computer Convergence
III. Overview of Super Nation State Malware
IV. Attack Points / What you probably didn’t know
V. Safeguarding Yourself
VI. Public Policy

Page 15

First there was BIOS
The Basic Input / Output System, stored onboard a hardware chip, controls the initial boot up of the computer.

Page 16

BIOS limitations
● Could only use the first 512KB of Memory
● Maximum 4 primary partitions
● Maximum partition size of 2.2TB
● Required Master Boot Record to store the Bootloader
● Often Unsigned BIOS

Page 17

Migration of all Major Computer OS to Common Framework - UEFI
● UEFI - The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware.
● In 2005 Intel donated EFI to the newly-formed UEFI Forum, a consortium made up of the usual suspects: AMD, Apple, IBM, Intel, Microsoft, and so on.
● Introduced a more efficient means to combat terrorism
● With the new surface came new vulnerabilities to exploit

Page 18

UEFI (Unified Extensible Firmware Interface)
● Rather than all of the boot code being stored in the motherboard's BIOS, UEFI sits in the /EFI/ directory in some non-volatile memory (NVRAM); either in NAND on the motherboard, on your hard drive, or on a network share.
● NAND memory doesn’t require power to retain storage.

Page 19

UEFI Advantages
● GPT Partition Allows Unlimited Logical Partitions (Windows max of 128 Logical Partitions)
● Maximum Partition Size Increased 2.2 Terabyte -> Massive size 9.4 Zettabyte
● Shorter OS Boot Times
● With Secure Boot On, Prevents Non-Signed OS from Loading
● Flexible pre-OS environment, including network capability
● CPU Independent Architecture and Drivers

Page 20

Boot Process Diagram with UEFI / SMM (System Management Mode)

Page 21

Boot Loaders
Bootstrap loader. Alternatively referred to as bootstrapping, bootloader, or boot program, a bootstrap loader is a program that resides in the computer's EPROM, ROM, or other non-volatile memory. It is automatically executed by the processor when turning on the computer.

Page 22

GRUB Bootloader
● GNU (GNU’s Not UNIX) GRUB (short for GNU Grand Unified Bootloader) is a boot loader package from the open source free GNU Project.
● GRUB provides a user the choice to boot one of multiple operating systems installed on a computer or select a specific kernel configuration available on a particular operating system's partitions.
● Most Major Current Popular Computing Devices are now based on the Linux GRUB Bootloader.


Page 25

Serial Peripheral Interface (SPI) - Flash Storage

Page 26

SMM - Where Nation State Malware Resides

Page 27

Boot Process Diagram with UEFI / SMM (System Management Mode)
SMM Takes Control Before the OS Loads from the Hard Drive or Other Boot Device

Page 28

Modem Implant on Chip SMM Recovery

Page 29

II. History of computing platform convergence
I. UEFI - Unified Extensible Firmware Interface
II. Plug and Play
III. Bootloaders (GRUB)
IV. System Management Mode (SMM) Rootkit Control
V. New exploit surface before OS - SPI / SMM
VI. False on/off for networking services

Page 30

III. Super Nation State Malware
● Why this is a threat - why we should be concerned
● Where it resides
● How it infects
● What it does
● Detection
● Remediation
● Prevention

Page 31

Why We Should be Concerned
● January 2015 Corey Kallenberg Discloses Vulnerabilities
● June 2015 US OPM Hacked
● July 2015 Hacking Team Hacked - Source Code Posted
● Summer/Fall 2016 Presidential Candidates Hacked
● October 2016 US-CERT Issues Notice to Industrial Control Systems
● US NIST Compromised December 2016
● March 2017 CIA Vault 7 Tools Leaked

Script Kiddie Wars will begin soon!

Page 32

Where Nation State Malware Resides
● Resides within RAM / NVRAM / SPI / Option ROMs
● Can Load from Network shares if no boot media available
● Can call out via Socket Level connections pre OS boot using sound, Infrared, Bluetooth, WiFi, Ethernet
● Creates Partitions to virtualize your main OS
● WMIC May Provide Insight - (Windows Management Instrumentation Command-line)

Page 33

How it Infects
● Emailed Attachment Containing Payload
● Peripheral USB Driver / Plug and Play / Printer Connection
● SMB File Shares
● SSH Brute Force Attacks
● MITM Attack - Flash Update
● Memory Attacks - Buffer Overflow
● Cell Phone Network Compromise - Bad Update

Page 34

What it Does
● Establishes Backdoor for Monitoring and Exfiltration of Data
● Sends the target's GPS location using processor based modem on the chip
● Can Schedule Remote Boot Ups
● Overrides DNS Routing
● Control of Camera / Microphone
● Establishes Encrypted Outbound Channels to Exfiltrate Data
● Moves Laterally and Attacks Other Devices on Local Network
● Persists With User by Attaching to Smart Phone
● Hides in RAM and Kernel - Largely Undetectable by OS Applications

Page 35

Detection
● Escapes Detection from Most Antivirus Programs
● Alteration of partitions - hidden partitions (WMIC may help detect)
● Firewall logs - may show irregular outbound activity
● Traceroutes - Odd delays when loading webpages or routes that are unusual
● Trusted Root Certificates - Unusual certificates in trust
● Local Loopback Network Connections
● Multiple IP Addresses / Devices Active
● EFI Content - Intel’s CHIPSEC utility may be useful in detection
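The hidden-partition check on this slide (and the Master Boot Record / four-primary-partition limit from the BIOS limitations slide) can be done directly on the first sector of a disk rather than through WMIC. The following Python is an added example written for this transcript, not the presenter's code and not any tool named on the slides: it parses the four primary entries of an MBR, flags partition-type bytes that mark "hidden" filesystem variants, and reports large unallocated gaps where a partition could have been created and then unlisted. The sample MBR, the hidden-type table, the disk size and the gap threshold are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
GAP_THRESHOLD = 131072  # sectors (64 MiB at 512-byte sectors); constructed cutoff

# Well-known MBR partition-type IDs for "hidden" filesystem variants.
# Constructed table for illustration; a real tool would carry the full list.
HIDDEN_TYPES = {
    0x11: "Hidden FAT12",
    0x14: "Hidden FAT16 <32M",
    0x16: "Hidden FAT16",
    0x17: "Hidden NTFS/HPFS",
    0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 (LBA)",
    0x1E: "Hidden FAT16 (LBA)",
}


def parse_mbr(sector0: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR sector.

    Each 16-byte entry at offset 446 + 16*slot is laid out as:
      status(1) chs_start(3) type(1) chs_end(3) lba_start(4, LE) sectors(4, LE)
    """
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    entries = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def find_anomalies(entries: list, disk_sectors: int,
                   gap_threshold: int = GAP_THRESHOLD) -> list:
    """Flag hidden partition types, protective-GPT entries and large unallocated gaps."""
    findings = []
    for e in entries:
        if e["type"] in HIDDEN_TYPES:
            findings.append(f"slot {e['slot']}: hidden type 0x{e['type']:02X} "
                            f"({HIDDEN_TYPES[e['type']]})")
        if e["type"] == 0xEE:
            findings.append(f"slot {e['slot']}: protective MBR (0xEE); disk is GPT, "
                            "parse the GPT header and entry array separately")
    cursor = 0
    for e in sorted(entries, key=lambda e: e["lba_start"]):
        gap = e["lba_start"] - cursor
        if gap > gap_threshold:
            findings.append(f"unallocated gap of {gap} sectors before slot {e['slot']}")
        cursor = max(cursor, e["lba_start"] + e["sectors"])
    if disk_sectors - cursor > gap_threshold:
        findings.append(f"unallocated gap of {disk_sectors - cursor} sectors "
                        "after the last partition")
    return findings


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition entry (CHS fields zeroed)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed sector 0: two visible NTFS partitions plus a hidden NTFS one
    sitting behind a gap, on a disk assumed to be 4,000,000 sectors long."""
    disk = bytearray(SECTOR_SIZE)
    disk[446:462] = build_entry(0x80, 0x07, 2048, 204800)       # bootable system
    disk[462:478] = build_entry(0x00, 0x07, 206848, 2000000)    # data
    disk[478:494] = build_entry(0x00, 0x17, 2500000, 100000)    # hidden NTFS
    disk[510:512] = b"\x55\xaa"
    return bytes(disk)


if __name__ == "__main__":
    for line in find_anomalies(parse_mbr(sample_mbr()), disk_sectors=4000000):
        print(line)
```

On a live system the 512 bytes come from the raw device (for example /dev/sda on Linux or \\.\PhysicalDrive0 on Windows, both requiring administrator rights). A type 0xEE entry means the disk is GPT, and the GPT header and entry array must then be parsed instead; this example only covers the MBR case, and a gap is a lead to examine, not proof of anything.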

Page 36

Intel CHIPSEC UEFI Tool
Advanced Threat Research team at Intel Security has designed a new module for its existing CHIPSEC open-source framework that is able to detect malicious EFI binaries. “CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities,” reads the description of the framework. “It can be run on Windows, Linux, Mac OS X and UEFI shell.”
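CHIPSEC inspects the firmware side. A complementary check a forensic examiner can run on the EFI System Partition itself is a hash baseline: record a SHA-256 digest of every file under /EFI on a known-good machine and diff a later snapshot against it. The Python below is an added example for this transcript, not CHIPSEC code and not the presenter's; the directory layout and file contents are constructed in a temporary directory to stand in for a mounted ESP.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file below root (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; anything added, removed or modified needs explaining."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed ESP layout in a temp dir (not a real firmware volume):
    take a baseline, then simulate a tampered bootloader and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "Microsoft" / "Boot").mkdir(parents=True)
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"MZ-bootx64-v1")
        (esp / "EFI" / "Microsoft" / "Boot" / "bootmgfw.efi").write_bytes(b"MZ-bootmgfw-v1")
        baseline = hash_tree(esp)

        # Simulated tampering: the fallback bootloader is replaced and an
        # unexpected EFI binary appears next to it.
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"MZ-bootx64-TAMPERED")
        (esp / "EFI" / "BOOT" / "extra.efi").write_bytes(b"MZ-unknown")
        return diff_baseline(baseline, hash_tree(esp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Take the baseline immediately after a clean install on hardware you trust, store it off the machine (the read-only media the public policy slide argues for is a good fit), and mount the ESP read-only when re-checking (it is normally /boot/efi on Linux; on Windows `mountvol` can assign it a drive letter). This only covers what is on the disk partition; an implant in SPI flash or SMM, which is where the talk says the malware lives, needs a firmware-level tool such as CHIPSEC or a hardware dump.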

Page 37

Remediation
● Replacing hard drives can’t mitigate infection
● Internet Restore of IOS Can’t fix
● Apple Security Engineer - Corey Kallenberg told me “You have to replace your motherboard” Fall 2016
● Replacing/Reflashing SPI / BIOS / NVRAM / RAM and onboard storage may fix but beyond the scope of most

Page 38

Prevention
● Use older mouse & keyboard (Pre 2005) with USB adapter (No vulnerable SPI chip nor remote broadcasting via Bluetooth or RF)
● Don’t share USB devices between untrusted computers
● Firmware patch all hardware & peripherals to latest
● Apply software / security updates regularly and timely
● Use OPENDNS.com 208.67.222.222 · 208.67.220.220
● Verify all download installation packages before installing (Virustotal.com)
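The firewall-log and DNS points from the Detection slide, together with the OpenDNS recommendation above, can be turned into a small log check: DNS that does not go to the configured resolvers (the "Overrides DNS Routing" behaviour from the What it Does slide), outbound connections on ports a workstation should not be using, and inbound SSH attempts that the firewall slide says should be blocked. The Python below is an added example, not the presenter's code; the log line format, the sample lines, the port allowlist and the host addresses are constructed assumptions (the resolver addresses are the two on the slide), and the regex needs adapting to a real firewall's export format.

```python
import re
from collections import Counter

RESOLVERS = {"208.67.222.222", "208.67.220.220"}   # OpenDNS resolvers from the slide
ALLOWED_OUT_PORTS = {53, 80, 123, 443}              # constructed workstation allowlist

# Constructed log format; real firewalls differ, only the regex needs changing.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>IN|OUT) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one workstation, one benign DNS lookup, one lookup that
# bypasses the configured resolvers, normal HTTPS, an inbound SSH probe and an
# outbound connection on a port the allowlist does not cover.
SAMPLE_LOG = [
    "2017-03-10T02:14:05 OUT proto=udp src=192.168.1.20:51234 dst=208.67.222.222:53",
    "2017-03-10T02:14:07 OUT proto=udp src=192.168.1.20:51240 dst=198.51.100.9:53",
    "2017-03-10T02:15:00 OUT proto=tcp src=192.168.1.20:49812 dst=203.0.113.77:443",
    "2017-03-10T02:16:00 IN proto=tcp src=203.0.113.5:55555 dst=192.168.1.20:22",
    "2017-03-10T03:00:00 OUT proto=tcp src=192.168.1.20:49900 dst=203.0.113.77:4444",
    "this line is not in the expected format and is skipped",
]


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, resolvers=RESOLVERS, allowed_ports=ALLOWED_OUT_PORTS) -> list:
    """Apply three rules; each finding is (rule, source_ip, detail)."""
    findings = []
    for raw in lines:
        r = parse_line(raw)
        if r is None:
            continue
        if r["dir"] == "OUT" and r["dport"] == 53 and r["dip"] not in resolvers:
            findings.append(("dns_to_unexpected_resolver", r["sip"], r["dip"]))
        elif r["dir"] == "OUT" and r["dport"] not in allowed_ports:
            findings.append(("outbound_unusual_port", r["sip"], f"{r['dip']}:{r['dport']}"))
        if r["dir"] == "IN" and r["dport"] == 22:
            findings.append(("inbound_ssh_attempt", r["sip"], r["dip"]))
    return findings


def summarize(findings) -> Counter:
    """Count findings per rule, handy for a daily report."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print(summarize(analyze(SAMPLE_LOG)))
```

A single match is a lead rather than a verdict: a DNS query to an unexpected server may be a VPN client or a captive portal, so the rule is most useful when the allowlist is tight and the output is reviewed daily. The pre-OS callouts the talk describes would not appear in host logs at all, which is why the check belongs on the network firewall rather than the endpoint.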

Page 39

FCC Warning Added ~2005 to bottoms of USB Keyboards
“(2) This device must accept interference received, including interference that may cause undesired operation.”

Page 40

BadUSB

Page 41

Verify Your Download Installation Packages

Page 42

VirusTotal.com Reports when they last analyzed the file
If the program has never been analyzed - big problem!

Page 43

VirusTotal.com Provides Results from AV Vendors
Verify What Other AV Vendors Say

Page 44

More on Prevention
● Enable Secure Boot and BIOS Hardware Boot Password
● Use a non-privileged user account to surf the web
● Encrypt your hard drive
● Don’t connect to untrusted devices or networks
● Use SOPHOS for Antivirus - install first thing
● Enable firewall (Block SSH and other inbound traffic)
● Use complex passwords of 14 or more characters

Page 45

Smartphone Safety Tips
● Plug your smartphone only into your own brick charger
● Keep Bluetooth & WiFi off on your phone unless required
● Turn off data / network roaming / handoff features
● Turn off NTP auto time set - set the time manually
● Don’t check for updates on untrusted networks
● Beware of signal downgrades from LTE to 3G, 2G, 1x, GSM

Page 46

V. Attack points
● Routers - clock rollback attack
● Cell Phone Network
● USB devices (driver hijacking) / Plug N Play / Auto Run
● Bluetooth / WiFi / Infrared / MIDI Open Sound Protocol
● Modem onboard processor - backdoor - SMM
● Monitor / Mouse as transmitter - Mikrotik Patent
● IoT devices as relay attack point for Mesh Networks
● Mesh Networks - P2P - Fluxwire CIA Vault 7 Leak
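The "clock rollback attack" listed first above, and the smartphone tip to turn off automatic NTP time-setting, both come down to a device accepting whatever time it is told; a rolled-back clock makes expired or revoked certificates and signatures look valid again. One defensive pattern is to validate each proposed time against a build-date floor and a bounded rollback window before applying it. The Python below is an added example, not the presenter's code and not any vendor's implementation; the build timestamp, the tolerance windows and the sample update sequence are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed: timestamp baked into the firmware image at build time. A device
# can never legitimately be told that "now" is earlier than when it was built.
BUILD_EPOCH = datetime(2017, 1, 15, tzinfo=timezone.utc)
MAX_BACKWARD = timedelta(minutes=5)   # tolerate small corrections, not rollbacks
MAX_FORWARD = timedelta(days=1)       # a huge forward jump is also suspicious


def validate_time_update(proposed, current, build_epoch=BUILD_EPOCH,
                         max_backward=MAX_BACKWARD, max_forward=MAX_FORWARD):
    """Decide whether a proposed clock value (e.g. from NTP) may be applied.

    Returns (accepted, reason). Both datetimes must be timezone-aware.
    """
    if proposed.tzinfo is None or current.tzinfo is None:
        return False, "naive datetime rejected; use timezone-aware UTC values"
    if proposed < build_epoch:
        return False, "proposed time precedes the device build date"
    if current - proposed > max_backward:
        return False, f"rollback of {current - proposed} exceeds {max_backward}"
    if proposed - current > max_forward:
        return False, f"forward jump of {proposed - current} exceeds {max_forward}"
    return True, "accepted"


def apply_updates(start, proposals, **limits):
    """Feed a sequence of proposed times through the validator.

    Returns (final_clock, rejected) where rejected lists (proposed, reason)
    so the refusals can be logged as a detection signal in their own right.
    """
    clock = start
    rejected = []
    for proposed in proposals:
        ok, reason = validate_time_update(proposed, clock, **limits)
        if ok:
            clock = proposed
        else:
            rejected.append((proposed, reason))
    return clock, rejected


# Constructed sample: a device whose clock is correct receives a mix of benign
# drift corrections and rollback attempts.
START = datetime(2017, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_PROPOSALS = [
    START + timedelta(seconds=3),                         # normal drift: accepted
    START - timedelta(hours=2),                           # two-hour rollback: rejected
    datetime(2016, 6, 1, tzinfo=timezone.utc),            # before build date: rejected
    START + timedelta(seconds=3) - timedelta(minutes=1),  # one-minute correction: accepted
    START + timedelta(days=30),                           # big forward jump: rejected
]


def demo():
    """Run the sample sequence; the clock ends at 2017-03-10 11:59:03 UTC."""
    return apply_updates(START, SAMPLE_PROPOSALS)


if __name__ == "__main__":
    final, rejected = demo()
    print("clock:", final.isoformat())
    for proposed, reason in rejected:
        print("rejected", proposed.isoformat(), "-", reason)
```

The build-date floor is the part that survives a power loss with a dead RTC: even a device that boots with no idea of the time refuses to go back before it existed. Authenticated time (NTS, or time carried inside a signed update) is the stronger fix; this check is the minimum that makes a silent rollback into a logged event.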

Page 47

VI. Public policy
● Balance the Need for Privacy and Security vs. Need to Keep Country Safe
● Government should disclose leaked zero-day vulnerabilities to Software / Hardware Makers so they can be fixed
● If our government monitors everything, they must be able to protect those tools from distribution
● Track record doesn’t look that great
● Notification laws will collapse business if they follow the rules

Page 48

Public Policy - Things that need to happen
● Ease of Verifying Certificates - Library Printed Bulletins
● All Peripherals need to have Drivers Signed, especially USB Storage
● Hardware BIOS / Firmware needs reliable roll back option to restore defaults
● New computing equipment needs to be secured at point of purchase
● Distribution of Firmware and Security Updates via Read Only Disc Media
● Leaked tools for Backdoor Access Need to be Disclosed & Patched
● Cell Phone Networks Need to be Secured
● Computing devices need to block date/time rollbacks prior to mfg date

Page 49

Q&A Discussion
About Lee Neubecker
● Blogger at leeneubecker.com
● Former founder and CEO of Forensicon.com
● Available as a Speaker for your Next Organization’s Event
● Security Research & Forensic Expert Considering New Opportunities in the Cyber Security Realm
● Contact & Inquiries to me at: [email protected]