OffSec Bulletin December 2014 | Volume - 9


Index

executive summary
pivoting: game over
rakshasa: a real daemon
777 – permission to come and hack me
DLP: friend or foe
firmware backdoor
about us

executive summary

'Offensive security' is a discipline that can help any organization find the critical vulnerabilities in its IT assets and mitigate them before an attacker does. The same techniques, in an attacker's hands, can take down a network infrastructure and send it back to the stone age. Take the recent Sony Pictures breach: had Sony already used offensive techniques to run realistic penetration tests against its own network, the outcome could well have been different. Unfortunately they were limited to standard penetration testing and did not use offensive techniques to assess their network. Most of us do the same. We avoid offensive methods during security assessments out of fear that they may impact our servers and devices. But when an attacker targets a network he does not follow any standard protocol; he uses every offensive technique available to take it down. An assessment therefore has to include an offensive phase that simulates the worst case. In this bulletin we discuss a few offensive topics: advanced malware, server misconfiguration and an example of hardware backdooring.

The "any-to-any" evolution already involves billions of Internet-connected devices and is expected to grow many-fold in the next few years. The OffSec Bulletin is a small step towards making our users aware of Internet security.

pivoting: game over

Most of us secure only the servers and systems that are directly or indirectly reachable from outside the network. In many security assessments we have seen network and system administrators focus on securing the web server and the firewalls, not the internal PCs. Most of them claim the PCs are not exposed: they sit on a different VLAN, they have no public IP, the endpoints and servers run antivirus, the firewall policy is strict, and so on. What we have found is that when an attack is targeted, none of this stops a system from being compromised; the recent Sony breach is an example. An attacker's first step is usually to locate and target the least secure machine on the network. Sometimes the attacker combines a technical weakness with a human one.


In recent research conducted at CCFIS labs we built a network to simulate such an attack. We set up a small network with a router and an up-to-date firewall, installed a web server with a few well-known PHP- and ASP-based CMSs, created a separate DMZ, and added an internal router and firewall to further protect the database server and storage. We then defined the database server as the target and tried to compromise it from outside the network, simulating the hardest environment to attack, and found several ways to do so:

- An attacker can compromise the database server directly if he finds a SQL injection in a web application or CMS installed on the web server.

- Another targeted method is to first compromise the web server using a remote exploit and then use the compromised system to attack other machines on the network, finally reaching the database server.

- A simpler method was to compromise any machine on the user network and then pivot from that compromised user machine to the database server.

From this research we concluded that even if you have configured a second firewall to protect your database or server, it can still be compromised through any less secure system on the network. Our research team's main recommendation is to secure not only your network perimeter but also your endpoints. Proper training of employees can reduce the threat posed by human weakness.

rakshasa: a real daemon

We live in the age of information. What if, no matter how hard we try, every computer on the market, from PCs to smartphones to fridges to cars, could come pre-loaded with an irremovable backdoor that allowed a government, a spy agency, a company or even an individual hacker to snoop on our data, behaviour and communications? It is hard to believe, but recent research and conference talks show that the technology to do this already exists. It is called a hardware backdoor, and it is a lot like a software virus that grants backdoor access to your computer, except that the code resides in the firmware of a chip. Firmware is software stored in non-volatile memory on a chip and used to initialize a piece of hardware. In a PC the BIOS is the most common example; in a wireless router a whole Linux operating system is stored in firmware. Hardware backdoors are lethal for several reasons: they cannot be removed by conventional means (antivirus, formatting the disk), they can circumvent other types of security (passwords, encrypted file systems), and they can be injected during manufacturing.

In a recent responsible disclosure by CCFIS we found that even manufacturers have no idea how or why their laptops shipped with backdoors pre-installed. One leading vendor concluded that, since it imports system components from various smaller local vendors to assemble a complete system, one of them might have installed something in their components. The scenario becomes scarier when the source code of proof-of-concept backdoors like BadUSB and Rakshasa is available on the Internet for anyone to tinker with. We captured a sample of Rakshasa travelling across an Indian network through our ATP sensors. We have seen the Brain virus, backdoored EFI bootloaders, patched and re-flashed Phoenix-Award BIOSes, the Stoned bootkit, Vbootkit, UEFI rootkits and many more, but after analysis we found Rakshasa to be a masterpiece. Some of its features: it is persistent; stealthy (no code is hosted on the machine's disk); portable (OS- and version-independent); it offers remote access and remote update; it has state-level qualities such as plausible deniability and non-attribution; it crosses network perimeters; it is redundant; and to date it is undetected by almost all antivirus products. Its core components are SeaBIOS, iPXE and a few payloads, and you can embed your own payload too. Its deployment stages are: flash the system BIOS, then flash the network card or another PCI device, boot a payload (say, a bootkit) over the network or over Wi-Fi, and finally re-flash the BIOS remotely. Rakshasa can do everything one needs to spy on a system completely.

777 – permission to come and hack me

No doubt Linux is the best OS for hosting web application servers, especially on a low budget, and many applications work and are supported better on Linux than on Windows. The best part of a Linux server is that the OS is free and one can configure its security as required. But look at it from another perspective: Linux is best for you only when you know how to use it and how to secure it. A misconfigured Linux system is an open invitation for hackers to come and compromise the server.
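One of the most common misconfigurations of this kind is the blanket 777 permission, and the clean-up this section argues for can be scripted. The following is an added example, not code from the bulletin or from any assessed application: it lists every world-writable path under a web root, resets directories to 755 and files to 644, and then re-opens only the directories the application genuinely has to write to, for the web-server account rather than for everyone. The web root, the `www-data` account name and the `uploads` directory are assumptions; replace them with whatever the analysis of your own application turns up.

```sh
#!/bin/sh
# Added example: find and fix world-writable paths under a web root.
# The web root, the "www-data" account and the "uploads" directory are
# assumptions; substitute the real ones for your application.

# Print every file or directory under $1 that is writable by "other"
# (the o+w bit that modes such as 777 and 666 set).
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of such paths, handy as a pass/fail check in a deployment script.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Reset the whole tree to least privilege (directories 755, files 644),
# then re-open only the allow-listed directories: 770 for directories,
# 660 for files, owned by the web-server account when we are able to chown.
# usage: harden_webroot ROOT WEBUSER [WRITABLE_DIR ...]
harden_webroot() {
    root=$1
    webuser=$2
    shift 2
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "harden_webroot: $dir is not a directory" >&2; return 1; }
        find "$dir" -type d -exec chmod 770 {} +
        find "$dir" -type f -exec chmod 660 {} +
        # chown needs root and an existing account; otherwise leave a note.
        if [ "$(id -u)" -eq 0 ] && id "$webuser" >/dev/null 2>&1; then
            chown -R "$webuser" "$dir"
        else
            echo "note: run 'chown -R $webuser $dir' as root" >&2
        fi
    done
}

# Typical use: audit, fix, audit again and expect zero findings.
# The script argument is the web root; "uploads" is the assumed writable folder.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    echo "world-writable before: $(count_world_writable "$1")"
    harden_webroot "$1" www-data "$1/uploads"
    echo "world-writable after:  $(count_world_writable "$1")"
fi
```

Run the audit first and keep its output: the paths it lists are exactly the ones to study before deciding which few of them the application must write to. Everything not on that short list gets the defaults.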
Most administrators ask why anyone would hack them: "I have nothing to hide, I am not a multinational." But in our experience at CCFIS research labs, hackers do not always compromise your server or network to harm you; most of the time your IT assets (servers, systems, bandwidth) are used to harm someone else. A network of hacked machines can be used to launch a DoS or DDoS attack that takes down another server, and the actual attacker is never traced.

While performing a penetration test we discovered a remote code execution vulnerability on several servers of one network. When delivering the assessment report we recommended that the server administrator not keep any folder or file with permission 777. He implemented our recommendation, and immediately afterwards the application running on the server stopped working. When he changed the folder permission back to 777, the application started working again. We tried several combinations of permissions, but every one had some glitch. Finally we analysed the entire web application and assigned different permissions to different folders and to the files inside them, and the application worked properly. Because that analysis is painful, most of us simply assign vulnerable permissions like 777 and run the application, but this is an open invitation to hackers. So the next time you configure a server or troubleshoot a web application, assign permissions only after analysing all the folders and files. A single mistake in the permission of one folder can compromise your entire server.

DLP: friend or foe

Most of us deploy DLP (data leak prevention) software or hardware to add an additional layer of security to our networks. We define web rules to monitor and control web traffic, mail rules for email, removable-storage rules to control data copied to removable media, printer rules to manage print jobs, discovery rules to control data storage, and many other rules depending on the device types and the users. A DLP device therefore stores a great deal of confidential company data: URLs visited, quarantined documents, mails, the network map and, in some cases, usernames and passwords too. Most DLP software is installed on some operating system, generally a Linux-based one; even products from the top security companies are built on customized versions of Linux. With the recent release of Shellshock and other vulnerabilities, all of these devices are at risk. Most companies release updates for the software running on the OS; very few release updates for the underlying Linux OS on which the software runs. Our ATP sensors installed at different locations have analysed attack traffic, and we have found that attackers are now targeting DLP appliances by exploiting vulnerabilities in the operating system rather than in the DLP software running on the appliance.

By compromising an organization's DLP, an attacker gets everything he wants; he does not need to compromise anything else on the network. The same issue applies to any device running on Linux. Even if you are using an open-source firewall, IDS/IPS or DLP, first consider upgrading the base operating system before upgrading the software installed on it. We recommend readers to verify this thoroughly before deploying any kind of security appliance, and if you have already installed one, ask your vendor whether he releases only software updates or also updates for the OS installed on the device.

firmware backdoor

As a research organization, the CCFIS team is continually involved in R&D to find vulnerabilities and backdoors in IT products from different manufacturers: cameras, servers, workstations, scanners, network devices and almost every other kind of IT asset. As a commercial service we also look for vulnerabilities in suspect devices sent to us by clients, so the research team has hands-on experience in finding backdoors and vulnerabilities in such devices. Recently we picked one IP camera from the market at random. We installed it and it worked perfectly for a couple of weeks. Then we had some doubts about the camera: we noticed that it changed its configured position on its own. To investigate, we downloaded from the manufacturer's official site the exact firmware version installed on the camera. After reverse engineering it in our malware analysis lab, we found a backdoor user, in addition to the default user, built into the device's code. There was no information about this user in the camera documentation or anywhere on the site. Manufacturers are building root-level access into cameras, some for genuine reasons such as releasing updates and some for malicious purposes such as government spying.

The issue is that the firmware can be downloaded by anyone over the Internet, and even when no download is offered, anyone can extract the firmware from the device itself and start tinkering with it. So these credentials can be used by anyone to access any camera that carries the backdoor account. Using a device for government surveillance is not bad in itself, but installing a backdoor in it leaves the device vulnerable to hackers. Nowadays, with smart Google dorks and the ShodanHQ search engine, anyone can locate a specific camera model in any country or state and access it with the backdoor username and password without knowing the original credentials.
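A first pass at the kind of firmware analysis this section describes can be done with nothing more than a shell once the image has been unpacked. The following is an added example, not code from the bulletin or from any vendor's firmware: pointed at the unpacked root filesystem, it reads etc/passwd (and etc/shadow when the image has one) and reports accounts that the product documentation does not mention, any account besides root with UID 0, and any account that carries a real password hash rather than a locked marker. The rootfs path and the list of documented account names are assumptions supplied by the caller.

```sh
#!/bin/sh
# Added example: look for undocumented or privileged accounts in an
# unpacked firmware root filesystem. The rootfs path and the documented
# account list are assumptions supplied by the caller.

# Accounts with UID 0 other than root. passwd fields are
# name:password:uid:gid:gecos:home:shell.
list_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Accounts that carry a usable password hash. When the image has a
# shadow file the hashes live there; many embedded images keep them in
# passwd itself. "x" means "see shadow"; "!" or "*" means locked.
list_hashed_accounts() {
    src="$1/etc/shadow"
    [ -r "$src" ] || src="$1/etc/passwd"
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[!*]/ { print $1 }' "$src"
}

# Accounts in passwd that the product documentation does not mention.
# usage: list_undocumented_accounts ROOTFS "root admin nobody"
list_undocumented_accounts() {
    documented=" $2 "
    awk -F: '{ print $1 }' "$1/etc/passwd" | while IFS= read -r name; do
        case "$documented" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Human-readable summary. Exit status 0 only if nothing suspicious was
# found; hashed accounts are listed for review but root having one is normal.
# usage: audit_firmware_accounts ROOTFS "documented account names"
audit_firmware_accounts() {
    root=$1
    documented=$2
    [ -r "$root/etc/passwd" ] || { echo "no etc/passwd under $root" >&2; return 2; }
    findings=0
    for name in $(list_extra_uid0 "$root"); do
        echo "UID 0 account besides root: $name"
        findings=$((findings + 1))
    done
    for name in $(list_undocumented_accounts "$root" "$documented"); do
        echo "undocumented account: $name"
        findings=$((findings + 1))
    done
    for name in $(list_hashed_accounts "$root"); do
        echo "account with a password hash set: $name"
    done
    [ "$findings" -eq 0 ]
}

# Typical use, with an assumed unpack directory and the accounts the manual lists:
#   audit_firmware_accounts /tmp/camera_rootfs "root admin"
```

An undocumented account that also has UID 0 and a real hash is exactly the pattern described above; the hash itself can then be cracked offline or simply looked up, which is what makes a downloadable firmware image a shared key to every unit in the field.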
It is possible that most of the devices you use are backdoored for some good or bad reason; that may be good for the manufacturer or the government, but it is always bad for users like us. We recommend our readers to analyse any device's firmware before installing it in their network. If any such vulnerability or backdoor is found, the CCFIS team will help you create a PoC and report it to the vendor so that they can either release an update or close the backdoor.

about us

Center for Cyber Forensics and Information Security (CCFIS) is a research organization incubated at Amity Innovation Incubator, a technology incubator supported by NSTEDB, Ministry of Science & Technology (Government of India).

Noida Office HQ : Amity Innovation Incubator, Block E-3,1st Floor, Amity University, Sector-125 Noida, UP-201301, India, Email Id: [email protected], Phone no: +91-120-4659156

Lucknow Office: 3rd Floor, AB - 6 Block, Amity University, Malhaur, Lucknow, UP - 226028, India

Gwalior Office: Amity University Madhya Pradesh, Maharajpura (Opposite Airport), Gwalior

Jaipur Office: Amity University Rajasthan, 14, Gopalwadi, Ajmer Road, Jaipur, Rajasthan

Manesar Office: Amity University Haryana, Panchgaon, Manesar, Gurgaon, Haryana

Disclaimer: This report was prepared as an account of work done by the CCFIS research and analysis wing. Neither CCFIS, nor any of its employees, nor any of its contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. © Center for Cyber Forensics & Information Security