Cybersecurity

Posted on 11/19/22:


Zapping Down the Zeppelin


Major progress has been made in cracking and stopping Zeppelin, the highly targeted ransomware that has plagued high-profile technology, healthcare and real-estate companies, as well as humanitarian and non-profit organizations, throughout the EU and US since November 2019.

A member of the VegaLocker ransomware family, which includes a number of notable siblings such as Jamper, Storm and Buran, Zeppelin infects a machine and installs itself in a temporary folder, which it uses as a launching point to spread and to encrypt files at the attacker's discretion. It then drops a Notepad document informing the victim that they have been infected, that their files are encrypted, and that they must submit payment for the decryption keys to recover their data.


Lance James and his security firm Unit 221B succeeded in identifying weaknesses in Zeppelin's encryption scheme and brute-forcing its decryption keys. Once Zeppelin has fully encrypted the target files, researchers have a 5-minute window in which to recover one of the RSA-512 public keys from the registry before they are deleted. These public keys can then be cracked to recover the AES-256 key that encrypts the files.


221B produced a "Live CD" that can be loaded onto infected devices to extract the RSA-512 keys. The keys are then fed to a network of 800 CPUs to be cracked.
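As an added illustration (not Unit 221B's code, and not Zeppelin's), here is a toy-sized Python model of the hybrid scheme the post describes: a symmetric file key wrapped under an RSA public key, and recovery of that file key from the public key alone by factoring the modulus. It assumes toy sizes so the factoring step runs instantly: 32-bit primes stand in for the 256-bit primes of an RSA-512 modulus, and a 40-bit integer stands in for the AES-256 file key.

```python
import math
import secrets

# Toy sizes so the factoring step runs in milliseconds. The post describes Zeppelin
# wrapping an AES-256 file key under RSA-512: same arithmetic, bigger modulus.
PRIME_BITS = 32      # real scheme: 256-bit primes, 512-bit modulus
FILE_KEY_BITS = 40   # stand-in for the 256-bit AES key; must stay below n
E = 65537

def is_probable_prime(n: int) -> bool:
    """Fermat test to bases 2 and 3: adequate for generating toy primes."""
    return n > 3 and all(pow(a, n - 1, n) == 1 for a in (2, 3))

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full-size
        if is_probable_prime(cand):
            return cand

def make_keypair():
    """Return ((n, e), d): the public key left in the registry, private exponent d."""
    while True:
        p, q = random_prime(PRIME_BITS), random_prime(PRIME_BITS)
        if p != q and math.gcd(E, (p - 1) * (q - 1)) == 1:
            return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def wrap_file_key(file_key: int, pub) -> int:
    """Textbook RSA wrap of the symmetric file key: c = k^e mod n."""
    return pow(file_key, pub[1], pub[0])

def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of n (Pollard's rho; toy sizes only)."""
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")

def recover_file_key(wrapped: int, pub) -> int:
    """Recovery from the public key alone: factor n, rebuild d, unwrap k."""
    n, e = pub
    p = pollard_rho(n)
    d = pow(e, -1, (p - 1) * (n // p - 1))
    return pow(wrapped, d, n)
```

The point for defenders is that the public key, which the malware must leave behind to wrap keys, is all the recovery needs; at 512 bits the factoring step is merely expensive rather than infeasible, which is exactly what the 800-CPU cluster is for.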


This kind of progress is always encouraging to read about. It does make me wonder, despite declining cases of Zeppelin popping up, whether or not the creators are paying attention and adapting their code and encryption methods to expand the ransomware's longevity. 221B even came out saying that they were trying to provide victim organizations with relief under the radar to prevent this from happening.


Posted on 11/5/22:


Digital Forensics in a World Run by the Cloud


Unless you've been living under a rock, you probably know by now that everything is moving to the cloud. Whether you are a simple consumer storing your dog pictures in Dropbox or an Azure system administrator, the ever-increasing value of cloud computing and its use cases will bring us to a day when we no longer physically own any of our own data on-hand. With this in mind, have you ever thought about how the cloud has affected law enforcement? I know I hadn't, at least not until today.


Published in Electronics back in May 2021, Prakash et al. investigated the methods, tools, challenges and future scope of digital forensics involving data existing in cloud and edge systems. You can read the paper here, no sign-in or sign-up required.


For those who don't know, the Cloud might appear to be an elusive galaxy of storage with no limits or rules. To be honest, you're not too far off, but there are rules. When you upload your photos to iCloud or Google Photos, those photos have to live somewhere. That somewhere is the respective company's virtualized storage, which it offers as a service to customers like you and me. Using real hardware, organizations like Google and Microsoft pool the capacity of powerful computers into virtual storage banks that can be scaled and stretched as needed (which is why you can pay Apple $0.99 or more for extra iCloud storage). Edge storage is similar to cloud storage, except that the storage sits closer to the device (i.e. the workstation or server), improving the speed at which your data can be accessed and used.


The cloud seems all fine and dandy, right? The real challenges arise when investigators need data for a criminal case that exists only in the cloud. Gone are the days when law enforcement could track down a hacker and study their hard drives to find all the incriminating evidence needed to establish how they succeeded in their attack and what specifically was damaged in the process. Today, criminals hide digital evidence in the cloud, which makes it harder for digital forensic investigators to discover data, verify its integrity and determine who accessed it. Prakash et al. discuss the technical and legal challenges associated with cloud forensics. Let's discuss the legal side first.


In a court of law, data integrity is critically important. If it cannot be proven that evidence has not been tampered with, the evidence is not suitable to be presented, and further legal complications arise around hearsay, preservation and chain of custody. To complicate things further, cloud service providers (CSPs) store data in multiple locations so that if a single location's systems go down, the data is still available for use. Sometimes this means an entirely different country, and different countries have different laws and regulations about what information can be shared and how. To make things easier, Congress passed the CLOUD Act; the UK passed something similar with their COPOA. Basically, confidentiality and access become a problem when you need data that is stored in another country.


What makes cloud forensics challenging from a technical perspective is navigating through the indescribable volume of data stored in the cloud to find evidence, as well as moving the data while maintaining its integrity. On top of that, cybercriminals have gotten better at damaging or destroying cloud data before it can be accessed. They do this by first destroying data at the Edge node, before turning their attention toward attacking the central Cloud node. Edge nodes are not located in a single administrative domain and therefore are not always compatible or compliant with the otherwise highly secure central management authority protocols that CSPs have in place. Additionally, data owners and CSPs are not always within the same trusted domains.


To add to the "technical difficulties," data sent to the cloud is encrypted using either basic public-key encryption (PKE) or the newer attribute-based encryption (ABE, also known as 'one-to-many' or 'fuzzy' encryption). In both cases, only the holder of the decryption key can retrieve and access the original data shared by the data owner.


For those interested, the researchers go on to discuss the forensics of steganography in multimedia sources like audio and image files.


I think the main takeaway from this paper is that cloud computing is evolving faster than we can understand how to control it. Because I love analogies, here's one: car manufacturers have developed vehicles that go faster than police cruisers can keep up with, and after-market car parts exacerbate the problem. Similarly, CSPs have developed an ecosystem of technology that gives consumers (and therefore attackers) more freedom and accessibility to create, share, use and destroy data, and digital forensics doesn't have the cruisers to keep up. But they're trying.


Posted on 11/4/22:


Hacktivists' Use of DDoS Activity Causes Minor Impact


I want to preface this post by first saying that despite recent perceptions of the FBI, the continuous efforts of their cyber division to disclose information about vulnerabilities and zero-days to the public along with mitigation recommendations are always refreshing. At least the ones they're not hanging onto for the cataclysm...which we all know they are.


Today they released a short report regarding the latest pro-Russian hacktivist group utilizing DDoS attacks to bring down organizations in various industries. You can find the report on their official LinkedIn. The TLDR is that in light of recent events in Ukraine, hacktivists are conducting attacks on private industries (finance, healthcare, etc.) within Ukraine and allied nations. Their conclusion is that, so long as you have a basic security posture, you have nothing to worry about. They say nothing about the attackers' TTPs, go on to say that the psychological impact of DDoS attacks from this group is greater than the potential financial losses, and offer some nondescript advice about partnering with your ISP to stay safe.


At this point, the Russians need to realize that America's Achilles' heel, when it comes to cyber warfare, is social media. All you need is a few loosely believable stories about the heinous violations of tax evasion or embezzlement committed by notable American politicians or business owners to have us fighting each other. Also, having been in healthcare technology sales for years now...the healthcare sector doesn't have as much money as you think it does. In fact, they're in the red. So targeting healthcare is like asking a homeless person if he can spare some change.