Web Security Archives - Muharib AlSuhairi

U.S. Government Issues Urgent Warning of DNS Attacks

2019-01-23/in Cloud Security, DNS, Web Security /by Muharib AlSuhairi

An emergency directive from the Department of Homeland Security provides “required actions” for U.S. government agencies to prevent widespread DNS hijacking attacks.

The Department of Homeland Security is ordering all federal agencies to urgently audit Domain Name System (DNS) security for their domains in the next 10 business days.

The department’s rare “emergency directive,” issued Tuesday, warned that multiple government domains have been targeted by DNS hijacking attacks, allowing attackers to redirect and intercept web and mail traffic.

“[The Cybersecurity and Infrastructure Security Agency] (CISA) is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them,” said the alert.

The warning comes on the heels of a Jan. 10 FireEye report which detailed a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa.

The Attacks

DNS hijacking is a type of malicious attack in which an individual redirects queries to a domain name server via overriding a computer’s transmission control protocol/internet protocol (TCP/IP) settings – generally by modifying a server’s settings.

The DHS, for its part, said that the attacker begins by logging into the DNS provider’s administration panel using previously-compromised credentials.

The attacker then alters DNS records – including the address mail exchanger or name server records – and replaces the legitimate address of a service with their own address controls, thus redirecting traffic. Attackers can also alter and tamper with the traffic flows.

“This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose,” said the DHS in its advisory. “This creates a risk that persists beyond the period of traffic redirection.”

Since the attackers can set record values for the domain name systems, they can obtain valid encryption certificates for an organization’s domain names; this allows browsers to establish a connection without any certificate errors as the certificate can be trusted, FireEye researchers said. In the most recent campaigns, the attackers have used certificates from the Let’s Encrypt open certificate authority.

That valid certificate then enables the redirected traffic to be decrypted and exposes any user-submitted data.

Government Response

The emergency directive issued by the DHS provides “required actions” that government agencies must fulfill in the next 10 business days.

“To address the significant and imminent risks to agency information and information systems presented by this activity, this emergency directive requires… near-term actions to mitigate risks from undiscovered tampering, enable agencies to prevent illegitimate DNS activity for their domains and detect unauthorized certificates,” said the report.

First, the DHS said all .gov domain admins must audit their DNS records over the next 10 days to verify if any traffic is being redirected.

The department also urged agencies to update their passwords for all accounts on systems that can make changes to agency DNS records, and to implement multi-factor authentication for accounts on DNS admin systems. Finally, agencies are being directed to monitor certificate transparency logs.

The warning comes as the U.S. government enters its 33rd day of a shutdown (as of Wednesday), a longstanding incident which has sparked concerns about its impact across the board when it comes to security.

Iran Attribution

Researchers assess “with moderate confidence” that the recent DNS hijacking activity is conducted by a group or groups in Iran, and that the activity aligns with Iranian government interests.

The attacks have been observed in clusters between January 2017 to January 2019, the researchers said in an analysis of the attacks.

Alister Shepherd, MEA director of Mandiant at FireEye, told Threatpost that the campaign is ongoing – but that there is no indication of how many credentials have been harvested thus far. However, researcher do state that the attackers had “a high degree of success” harvesting targets’ credentials.

This most recent DNS hijacking campaign “showcases the continuing evolution in tactics from Iran-based actors,” FireEye researchers stressed. “This is an overview of one set of TTPs that we recently observed affecting multiple entities.”

How Web Apps Can Turn Browser Extensions Into Backdoors

2019-01-22/in Privacy, Web Security /by Muharib AlSuhairi

Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.

Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be compromised by an adversary that can steal sensitive browser data and plant arbitrary files on targeted systems.

“We identified a good number of extensions that can be exploited by web applications to benefit from their privileged capabilities,” wrote Université Côte d’Azur researcher Dolière Francis Somé, in an academic paper titled Empowering Web Applications with Browser Extensions (PDF).

A web application is a client-server computer program that a computing device runs in a web browser – such as an online form or browser-based word processor. That’s separate from a browser extension – a small software add-on for customizing a web browser with something like an ad-blocker or a web-clipping tool.

“[Browser extensions] have access to sensitive user information, including browsing history, bookmarks, credentials (cookies) and list of installed extensions,” Somé pointed out. “They have access to a permanent storage in which they can store data as long as they are installed in the user’s browser. They can trigger the download of arbitrary files and save them on the user’s device.”

That access is unique to web applications, which are subject to what are called a Same Origin Policy (SOP) that bars an app from reading and writing user data between domains. The research, however, demonstrates how a specially crafted web application can bypass SOP protections by exploiting privileged browser extensions.

“Our results demonstrate that the communications between browser extensions and web applications pose serious security and privacy threats to browsers, web applications and more importantly to users,” according to the research.

The attack, according to researchers, would follow this example:

“An attacker [uses] a script that is present in a web application currently running in the user browser. The script either belongs to the web application or to a third party. The goal of the attacker is to interact with installed extensions, in order to access user sensitive information. It relies on extensions whose privileged capabilities can be exploited via an exchange of messages with scripts in the web application,” researchers wrote.

They added, “Even though content scripts, background pages and web applications run in separate execution contexts, they can establish communication channels to exchange messages with one another… APIs [are used] for sending and receiving (listening for) messages between the content scripts, background pages and web applications.”

Somé focused on a specific class of web extension called “WebExtensions API,” a cross-browser extensions system compatible with major browsers including Chrome, Firefox, Opera and Microsoft Edge. After analyzing 78,315 extensions that used the specific WebExtension API, it found 3,996 that were suspicious.

While it seems voluminous, Somé noted that research found a small number of vulnerable extensions overall, and that concern should be measured. However, “browser vendors need to review extensions more rigorously, in particular take into consideration the use of message passing interfaces in extensions.”

PHISHING BIGGEST THREAT TO GOOGLE ACCOUNT SECURITY

2017-11-15/in Web Security /by Muharib AlSuhairi

Last year may have been mostly about ransomware, but it’s difficult to forget the billion or so passwords that were spilled in high-profile breaches and credential leaks.

Google and researchers from the University of California Berkeley attempted to ease some of that pain, and teamed up to analyze how cybercriminals operating underground markets for stolen credentials steal, use and monetize this data.

Looking at black market activity from March 2016 to March 2017 and its impact on exclusively Google accounts, the researchers said they wanted to know how the multitude of keyloggers, phishing kits and available data from publicly known breaches for sale can be turned around to learn valid email credentials and in turn control over a user’s online identity.

The news isn’t good.

In a paper presented at the recent Conference on Computer and Communications Security, Google said that between 7 percent and 25 percent of exposed passwords matched a victim’s Google account. Overall, Google and UC Berkeley estimates there are 1.9 billion usernames and passwords cultivated from breaches that are being traded on the black market. Tack on to that another 12.4 million victims of phishing kits and another 788,000 victims of commercial keyloggers and the climate is dire.

“We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s,” the researchers wrote.

Of the black markets tracked in this research, Google said there are 25,000 tools for phishing and keyloggers at attackers’ disposal. Even though attackers are failing to access Google accounts three out of four times, it’s not for a lack of effort.

“Because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity,” Google said in a blog post accompanying the report. “We found 82 percent of blackhat phishing tools and 74 percent of keyloggers attempted to collect a user’s IP address and location, while another 18 percent of tools collected phone numbers and device make and model.

“By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches,” Google said.

Phishing remains one of the most successful phenomena in security, despite more than a decade of education and examples of successful attacks based on the technique.

“Hijackers also have varying success at emulating the historical login behavior and device profile of targeted accounts. We find victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user,” the researchers wrote. “In comparison, this rate falls to 10x for data breach victims and roughly 40x for keylogger victims. This discrepancy results from phishing kits actively stealing risk profile information to impersonate a victim, with 83 percent of phishing kits collecting geolocations, 18 percent phone numbers, and 16 percent User-Agent data.”

Backing this up, the researchers found more than 4,000 phishing kits used in active attacks during the period of time studied compared to 52 keyloggers. Phishing kits are packages of all-in-one tools for creating and configuring content used in these attacks, including email and website creation. These kits generally are used to collect a victim’s username and password, but also geolocation information and a lot more. The credentials are forwarded to the attacker over SMPT, FTP or uploading them to a website. Most phishing kits—and keyloggers—are configured to steal Gmail credentials, the study said. Yahoo webmail users, however, were the biggest victims of credential leaks. Yahoo has reported that at one time all of its 3 billion users’ data has been exposed to attackers.

Google said it has already used this data to reinforce the security of Gmail.

“Our findings illustrate the global reach of the underground economy surrounding credential theft and the need to educate users about password managers and unphishable two-factor authentication as a potential solution,” the researchers wrote.