At a glance.
- Kr00k vulnerability puts Wi-Fi traffic at risk.
- A proof-of-concept shows that ultrasound can be used to control voice assistants.
- iBaby monitors overshare video.
- The evolving psychological techniques of ransomware operators.
- Monitoring privileged access as a way of detecting lateral movement.
Kr00k allows some Wi-Fi traffic to be decrypted.
ESET researchers discovered a serious vulnerability (CVE-2019-15126) in Broadcom and Cypress Wi-Fi chips that could allow an attacker to decrypt certain wireless network packets. The flaw, which ESET calls "Kr00k," affects more than a billion devices, including smartphones, tablets, laptops, IoT devices, routers, and Wi-Fi access points. The affected vendors have released patches, and users are advised to update all of their Wi-Fi-capable devices. The researchers particularly emphasize patching routers and access points: each side of a link encrypts its own transmissions, so data sent to a patched client by an unpatched access point remains exposed.
The vulnerability lies in the way the Wi-Fi chips handle disassociations (disconnecting from a Wi-Fi access point) and reassociations (disconnecting from one access point in order to connect with another, or to reconnect to the same access point). After a disassociation, the chip overwrites the session key (the pairwise temporal key used to encrypt data frames) with zeros, since the key isn't meant to be used anymore. That part is sound practice. The problem ESET found is that the chip then went on to transmit whatever was still sitting in its transmit buffer, up to several kilobytes, encrypted with that all-zero key. Anyone who captured those frames could decrypt them, since a key of all zeros is known to everyone. ESET reports that the affected configurations were WPA2 networks using AES-CCMP, Personal and Enterprise alike; WPA3 was not affected.
The risk is compounded by the fact that disassociations are triggered by management frames, which on most Wi-Fi networks are neither authenticated nor encrypted (802.11w Protected Management Frames, which makes spoofing them harder, is optional in WPA2 and only mandatory in WPA3). An attacker within range can therefore spoof disassociation frames repeatedly, forcing the target to disassociate and reassociate over and over, and harvest the zero-key frames emitted after each one. Capturing them requires only a wireless network interface controller (WNIC) in monitor mode; the attacker needs no credentials for the network. Kr00k strips only the Wi-Fi layer of encryption: data protected by TLS (HTTPS, for instance) or a VPN stays encrypted, whereas plaintext protocols such as unencrypted HTTP or DNS sitting in the buffer are exposed.
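Because the attack's trigger is a burst of spoofed, unprotected disassociation or deauthentication frames, the defender-side check is to watch a monitor-mode capture for exactly that burst. The script below is an added example, not ESET's code or tooling: it parses the fixed header fields of 802.11 disassoc/deauth frames and flags any transmitter address that exceeds a rate threshold. The frames, addresses and threshold values are constructed for the example.

```python
"""Passive detector for 802.11 disassociation/deauthentication floods.

A Kr00k attacker harvests more zero-key traffic by forcing repeated
disassociations, and the frames that force them are unprotected management
frames, so the attempt shows up on a monitor-mode capture as a burst of
disassoc/deauth frames carrying one transmitter address. All frames below are
constructed for this example.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
SUBTYPE_NAMES = {SUBTYPE_DISASSOC: "disassoc", SUBTYPE_DEAUTH: "deauth"}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, reason: int) -> bytes:
    """Build a minimal disassoc/deauth frame: FC, duration, A1-A3, seq ctrl, reason code."""
    frame_control = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return (frame_control + duration + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + seq_ctrl + struct.pack("<H", reason))


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a disassoc/deauth frame, else None."""
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3        # bits 2-3 of the first frame-control byte
    subtype = (fc0 >> 4) & 0xF      # bits 4-7
    if ftype != TYPE_MGMT or subtype not in SUBTYPE_NAMES:
        return None
    dst = frame[4:10].hex(":")      # address 1: receiver
    src = frame[10:16].hex(":")     # address 2: transmitter (whatever the sender put there)
    bssid = frame[16:22].hex(":")   # address 3
    reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, dst, src, bssid, reason


def detect_floods(frames, window_s: float = 1.0, threshold: int = 5):
    """frames: iterable of (timestamp_seconds, raw_frame). One alert per flooding transmitter."""
    recent = defaultdict(deque)     # transmitter MAC -> timestamps of its recent disassoc/deauth frames
    alerts, alerted = [], set()
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue                # data/control frames and other management subtypes are ignored
        subtype, dst, src, bssid, reason = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()             # slide the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "bssid": bssid, "target": dst,
                           "subtype": SUBTYPE_NAMES[subtype], "reason": reason,
                           "count": len(q), "first_ts": q[0], "last_ts": ts})
    return alerts


# Constructed sample capture: one legitimate deauth from the AP, a stray data
# frame, then an attacker spoofing the AP's address to flood one client.
AP = "aa:bb:cc:00:00:01"
CLIENT = "de:ad:be:ef:00:02"
SAMPLE_CAPTURE = [
    (0.0, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, 3)),    # AP deauths a client once
    (5.0, bytes([0x08, 0x00]) + b"\x00" * 30),                     # data frame: ignored
] + [(10.0 + 0.1 * i, build_mgmt_frame(SUBTYPE_DISASSOC, CLIENT, AP, AP, 7)) for i in range(8)]

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_CAPTURE):
        print(alert)
```

Note that the alert names the transmitter address carried in the frame, which in a real attack is the access point's address spoofed by the attacker; the detector tells you a flood is happening against a given client and BSSID, not which radio is sending it. Tune the window and threshold to the network: a busy AP legitimately deauthenticates clients, but not five times a second against the same station.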
Ultrasound used to control voice assistants.
Researchers from Michigan State University, the Chinese Academy of Sciences, the University of Nebraska-Lincoln, and Washington University in St. Louis published a paper outlining a more advanced version of a known attack technique that uses inaudible frequencies to manipulate voice assistants such as Siri, Google Assistant, and Alexa. The researchers "found that it is possible to deliver various inaudible voice commands in ultrasound to a wide range of target devices from different manufacturers via different solid media." Specifically, they managed to send multiple voice commands to a phone sitting on a table by sticking a piezoelectric disc smaller than a nickel to the underside of the table.
The researchers first used this technique to inject voice commands that lowered the phone's volume so that the voice assistant was inaudible to a person sitting at the table, yet still loud enough to be picked up by small microphones, which were also placed on the underside of the table. Possible attack scenarios could involve stealing SMS-based authentication codes, sending fraudulent messages from the victim's phone, or data theft.
This attack isn't something most people need to worry about, but it is more practical than previously discovered techniques for voice assistant manipulation.
iBaby Monitor users can access each other's videos.
Researchers at Bitdefender, in partnership with PCMag, identified a series of vulnerabilities in the popular iBaby Monitor M6S camera that could enable an attacker to access video and audio files belonging to every iBaby Monitor M6S. The camera's developers misconfigured their AWS cloud server so that any owner of an iBaby device could use their own device's credentials to reach every other monitor's files; credentials issued to a device should grant access only to that device's own recordings. Additionally, the MQTT protocol used by the monitors is configured insecurely and could grant an attacker remote access to the device.
The researchers notified iBaby in May 2019 and never received a response, so the vulnerabilities are still present in the devices. PCMag notes that the vulnerabilities shouldn't be difficult to fix, so it's not clear why iBaby ignored Bitdefender's disclosures. The company did respond to an inquiry by Recode three days after Bitdefender publicly revealed the vulnerabilities, saying that it's "taken a few measures" to address the issues, and that it will be releasing a security update "soon."
Analyzing the persuasiveness of ransom notes.
SentinelOne has looked at the ways ransomware notes have changed over the years as attackers have tried to nail down the most effective ways to convince their victims to pay up. When ransomware first began to go mainstream, many strains (including WannaCry) presented ransom notes containing a countdown to a deadline at which point the decryption keys would be deleted, leaving the victim's files permanently encrypted. This was meant to force the victim to pay the ransom quickly, but it often resulted in victims missing the deadline for various reasons, leaving the attackers empty-handed. As a result, current ransomware operators generally tell their victims that the ransom will be lower if they pay up quickly, but they don't set a hard deadline.
Some strains also try to employ frightening (and in truth juvenile) effects, such as images of scary clowns and sinister sound effects. The operators of Cerber are known to have used this approach. SentinelOne says the efficacy of this technique is inconclusive.
Many of the newer ransomware operators try to seem professional and empathetic, and negotiate the ransom amount with the victim. The proprietors of Snake are known for this, acting as if they're a legitimate partner of their victims, offering reassurance, avowals of quality of service, and a helpful set of frequently asked questions.
Others take the opposite approach, making it clear from the outset that the victim isn't going to get any leeway. MegaCortex's operators, for example, state in their ransom note that they frequently hear victims say "We are not the Super Mega International Corporation ltd., we are just a nursery, etc." MegaCortex says such appeals to pity will fall on deaf ears, and they insist that "If you don't have money don't even write to us. We don't do charity." Thus mom-and-pop operations can expect no slack. The hoods don't care about this any more than crooks who smash a car window and come up empty-handed, because the driver left nothing of value inside, care that they've troubled the vehicle's owner.
The most recent development is the use of stolen data for additional leverage. The operators of Maze ransomware were early adopters of this approach, and it's since become sufficiently widespread to count as the new normal: DoppelPaymer, Sodinokibi, and Nemty, for example, have all adopted it. The upshot of this development is that it's now prudent to regard any ransomware attack as tantamount to a data breach, with all of its attendant reputational and regulatory risk.
The lower reaches of the ransomware underworld are occupied by libidinous skids SentinelOne dismisses as "script kiddies." They're likely to demand payment not in alt-coin, but rather in the form of lewd pictures of their victims.
Understanding privileged access as a way of understanding lateral movement.
Vectra AI released the findings from its Spotlight Report on Privileged Access Analytics, compiled annually from data collected from tens of thousands of hosts. The researchers explain the motivation for their study as follows: "Privileged access is a key part of lateral movement in cyber-attacks because it leads to the most valuable capabilities and information because privileged accounts have the widest range of access to critical information. Adversaries leverage privileged accounts to gain unauthorized access using multiple techniques, ranging from stolen credentials, protocol abuse, malware, phishing, or merely guessing at simple and default account names and passwords."
The most common privilege anomaly by far, accounting for some 74% of the total, is an "unusual host," meaning a privileged account operating from a host it does not normally use. The study found that finance, insurance, healthcare, and education organizations accounted for the largest fraction of privilege access abuse cases, combining for 47% of the total. Meanwhile, technology and education organizations are nearly three times more likely to exhibit anomalous command-and-control behaviors than other types of organizations. Companies with fewer than five thousand employees are almost twice as likely to experience attacks involving lateral movement as larger organizations.
Vectra's concluding recommendation is that monitoring how privilege works across an organization, and detecting anomalous behavior as it occurs, makes an important contribution to security.
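The report does not publish its detection method, so the script below is an added example rather than Vectra's logic: the simplest form of an "unusual host" check, which learns per account the hosts it authenticated from during a baseline period and then flags privileged accounts appearing on hosts outside that set. The account names, hosts, day numbers and baseline length are constructed for the example.

```python
"""Unusual-host check for privileged accounts.

Builds, per account, the set of hosts it authenticated from during a baseline
period, then flags later authentications by privileged accounts from hosts not
in that set. One account turning up on several new hosts in a short span is the
trace lateral movement leaves. All events below are constructed for this example.
"""
from collections import defaultdict

# Constructed sample auth events: (day, account, source_host, is_privileged)
SAMPLE_EVENTS = [
    (0, "svc-backup", "srv-db01", True),
    (3, "svc-backup", "srv-db02", True),
    (5, "da-bob", "adm-jump01", True),
    (6, "alice", "wks-finance-07", False),
    (9, "svc-backup", "srv-db01", True),
    (14, "svc-backup", "srv-db01", True),         # known host: no alert
    (15, "svc-backup", "wks-finance-07", True),   # service account on a workstation: alert
    (15, "da-bob", "srv-file03", True),           # admin on a new file server: alert
    (16, "da-bob", "srv-file04", True),           # and another: alert
    (16, "alice", "wks-hr-02", False),            # unprivileged: ignored by default
    (17, "da-bob", "adm-jump01", True),           # known host: no alert
]


def build_baseline(events, baseline_days):
    """Map account -> set of hosts it was seen on before day `baseline_days`."""
    seen = defaultdict(set)
    for day, account, host, _privileged in events:
        if day < baseline_days:
            seen[account].add(host)
    return seen


def unusual_host_alerts(events, baseline_days=14, privileged_only=True):
    """Return (day, account, host) for each detection-window auth from a host outside the baseline.

    An account with no baseline at all (first seen in the detection window) alerts on
    every host, which is the right default: a privileged account nobody has seen before
    deserves a look.
    """
    baseline = build_baseline(events, baseline_days)
    alerts = []
    for day, account, host, privileged in events:
        if day < baseline_days:
            continue                      # baseline period is learning only
        if privileged_only and not privileged:
            continue
        if host not in baseline.get(account, set()):
            alerts.append((day, account, host))
    return alerts


def new_hosts_per_account(alerts):
    """Distinct new hosts per account; several in a short window is the lateral-movement signature."""
    hosts = defaultdict(set)
    for _day, account, host in alerts:
        hosts[account].add(host)
    return {account: len(h) for account, h in hosts.items()}


if __name__ == "__main__":
    found = unusual_host_alerts(SAMPLE_EVENTS)
    for day, account, host in found:
        print("day %2d: %s authenticated from unusual host %s" % (day, account, host))
    print(new_hosts_per_account(found))
```

Two practical cautions: the baseline must be long enough to cover legitimate but infrequent activity (monthly maintenance from a jump host, for instance) or the check will page on routine work, and hosts learned during the baseline are trusted blindly, so a compromise that predates the baseline is invisible to it. Pair it with the host-side view (which accounts touch a given host) rather than relying on the account-side view alone.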