Sophisticated CyberWeapons (?), Fuzzing, Five eyes, Risk Aversion, Distract

  • Is it just me? I'm kind of annoyed by how they claim that simple worms / ransomware / cryptoware / malware (Petya / NotPetya / ExPetr / PetrWrap / GoldenEye) are 'massive advanced sophisticated weapons grade cyber attack'. For me, it's extremely hard to see the connection. Think the news are massively misleading. Automated worm isn't some kind of massive targeted attack. I'm sure some agencies do massive targeted attacks, but those are probably mostly unnoticeable and won't bother with ransomware. We're talking about something much more valuable and strategic here. I don't see anything surprising here, nor I don't see anything advanced here. This is all just so much blah blah. AFAIK, it's even misleading to call it a cyber attack. Since when worms and viruses have been cyber attacks? - There's nothing new about compromising automatic updates and using those to ... Phew ... Actually I've warned about this exact attack vector over and over again in my blog. Also the original targeting means it's not even ransomware. It's real target is to just cripple systems. It's was also reported that wiping mbr / partition table has been used by other software earlier to 'finalize' the infected systems. Anyway the exploits being used were already patched, etc. So ... Yeah ... I actually agree with this writing. Known issue: "many organizations employ flat networks in which an administrator on one endpoint can control other machines", that's why that isn't being done in certain environments. The Registers article. This doesn't mean that the end result of these kind of tools and tactics wouldn't be highly damaging. Even simple sabotage could lead to horrible results. What if the tower fire in London would have been lit on purpose? I also agree that these attacks worked so well, because security is bad. This also should make entities which know they got bad security, to think about it again, if that's a 'acceptable risk of doing business'. It seems that others have been also annoyed about calling everything affecting IT systems as a cyber attack. F-Secure's blog post about the topic. Yet, as seen, most of the articles and references are speculation. Nobody really knows who and why. It makes accreditation incredibly hard. Post about possible motivations?. GitHub repo which contains updated information about 'petya'. Schneier's blog post. Petya @ Wikipedia.
  • This is like the issues I've talked earlier. The scale of 'what happened', is more important than 'how sophisticated the attack was'. Something extremely simple, could lead to huge disaster. Yet it doesn't make the attack sophisticated. Something extremely sophisticated could do very little or no damage at all. Yet it's not getting news headlines. This of course is a good question. What's the point of using huge amounts of money to create something really sophisticated if anyone can make more devastating things by exploiting something extremely simple and cheap?
  • Fuzzing. Had long discussion about Fuzzing. Generic claim is that applications should receive only valid data. Of course the fuzzing point is that application shouldn't get screwed up when the data isn't valid. What kind of data validators should be used and is that enough? Is endless data validation excessive and resource wasting? That's a good question too. Perfect balance remains to be found. As we know, actually the data validation could also provide new attack vectors etc. Just like anti-virus software can work as arbitrary code execution starting point.
  • Five eyes are asking for encryption backdoors, just like United Kingdom and Russia. Nothing new, and this discussion will be going on for long in the future. And different nations will have different approaches to these privacy and surveillance questions.
  • Interesting remark about risk aversion and psychology. Sometimes you get stressed about risk of things going badly. But even so, it's totally ok to do things, where it's guaranteed that things will go badly? Why? Because there's no risk of things going badly. The end result is already known to be bad. So there's no unknown risk. Therefore it's a stress free option. - That's quite strange psychological thing.
  • Still wondering when attackers and intruders do seemingly stupid things. Is this just to distract the defense or are they really that stupid? Of course there are different kind of attackers. Some might be more advanced than others. But generally it has been quite funny when owned systems are being used for something which is clearly utter nonsense. Maybe attackers gained access to so many systems, they have no interest for specific instances or maybe it's just all a cover-up. Someone breaks into bank, to look for lighter to light up cigarette. Ok, maybe the lighter wasn't the primary target? Or maybe it was? We've seen strange things, like people breaking into stores and drinking beer and passing out to be found by the staff in morning. Doesn't sound too smart business theft strategy. Watched Kasperskys Win32/Petya talk - Collects credentials using own methods, ETERNALBLUE, ETERNALROMANCE. Multiple spreading vectors, PSExec / WMIC. SMB remote execution. XOR based signature detection evasion. MBR fake bootloader. Encrypts files (AES128). Select files to be encrypted based on file extension. Watering hole attack. Ransomware requires trust. Single email, single Bitcoin wallet. Victim distribution so that Ukraine is well over presented. Chose supply-chain attack. Disable SMB. Many organizations do not care about software updates. Have off-site and off-line backups. Powershell is very powerful and dangerous.

2018-09-09