Tutorials – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks
https://www.securitynewspaper.com/2023/12/11/undetectable-forever-how-to-bypass-edrs-av-with-ease-using-8-new-process-injection-attacks/
Mon, 11 Dec 2023 23:49:54 +0000

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world.

Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

Understanding Process Injection:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

The Role of Windows Thread Pools:

Central to this new technique is the exploitation of Windows thread pools. Thread pools are a Windows system feature for managing worker threads, which perform tasks in the background. By managing the execution of multiple threads efficiently, they reduce the overhead associated with thread creation and destruction and optimize the use of system resources. Thread pools are integral to the Windows operating system and are used by various applications to perform asynchronous tasks; in legitimate scenarios, they enhance the performance and responsiveness of applications.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms.

The following are the thread pool work items that can be scheduled in Windows. Here’s how each one could potentially be vulnerable to attacks:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

Implications for Endpoint Detection and Response (EDR) Solutions

The research by SafeBreach Labs tested the newly discovered Pool Party variants against five leading EDR solutions: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint, and Cybereason EDR. The result was startling, as none of the tested EDR solutions were able to detect or prevent the Pool Party attack techniques. This underscores the need for ongoing innovation in cybersecurity defense mechanisms to keep pace with evolving threats.

The exploitation of Windows thread pools for process injection, as highlighted in the SafeBreach article, has significant implications for Endpoint Detection and Response (EDR) solutions. These implications necessitate a reevaluation and enhancement of current EDR strategies:

  1. Challenge to Traditional Detection Methods:
    • Traditional EDR solutions often rely on signature-based detection and known behavioral patterns to identify threats. However, the manipulation of Windows thread pools represents a more sophisticated attack vector that may not be easily detected through these conventional methods. This calls for an advancement in detection technologies.
  2. Need for Deeper System Monitoring:
    • EDR solutions must now consider deeper system monitoring, particularly focusing on the internals of operating systems like thread pool activities, thread creation, and execution patterns. This level of monitoring can help in identifying anomalies that are indicative of thread pool exploitation.
  3. Enhancing Behavioral Analysis Capabilities:
    • EDR systems need to enhance their behavioral analysis capabilities to detect unusual activities that could signify a threat. This includes monitoring for irregularities in thread pool usage, unexpected execution of code within thread pools, and other anomalies that deviate from normal system behavior.
  4. Integration of Advanced Heuristics:
    • Integrating advanced heuristics and machine learning algorithms can help EDR solutions become more proactive in detecting new and sophisticated attack methods. These technologies can learn from evolving attack patterns and adapt their detection mechanisms accordingly.
  5. Improving Response Strategies:
    • In addition to detection, EDR solutions must improve their response strategies to such threats. This includes automated containment measures, quick eradication of threats, and efficient recovery processes to minimize the impact of an attack.
  6. Collaboration and Threat Intelligence Sharing:
    • EDR vendors and cybersecurity experts need to collaborate and share threat intelligence actively. By understanding the latest attack trends and techniques, such as those involving thread pool exploitation, EDR solutions can be better equipped to protect against them.
  7. Educating Users and Administrators:
    • EDR solutions should also focus on educating users and system administrators about these new threats. Awareness can play a crucial role in early detection and response to sophisticated attacks.
  8. Regular Updates and Patch Management:
    • Continuous updating and patch management are crucial. EDR solutions must ensure that they are updated with the latest threat definitions and that they can identify vulnerabilities in systems that need patching or updates.
  9. Zero Trust Approach:
    • Implementing a zero trust approach can be beneficial. EDR solutions should treat every process and thread as a potential threat until verified, ensuring strict access controls and monitoring at all levels.
  10. Forensic Capabilities:
    • Enhancing forensic capabilities is essential for post-incident analysis. Understanding how an attack was carried out, including thread pool exploitation, can provide valuable insights for strengthening EDR strategies.

In summary, the exploitation of Windows thread pools for process injection presents a complex challenge for EDR solutions, necessitating a shift towards more advanced, intelligent, and comprehensive cybersecurity strategies.

Mitigation

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.

Is Your etcd an Open Door for Cyber Attacks? How to Secure Your Kubernetes Clusters & Nodes
https://www.securitynewspaper.com/2023/11/08/is-your-etcd-an-open-door-for-cyber-attacks-how-to-secure-your-kubernetes-clusters-nodes/
Thu, 09 Nov 2023 00:32:54 +0000

Kubernetes has become the de facto orchestration platform for managing containerized applications, but with its widespread adoption, the security of Kubernetes clusters has come under greater scrutiny. Central to Kubernetes’ architecture is etcd, a highly-available key-value store used to persist the cluster’s state and its configuration details. While etcd is essential for the Kubernetes cluster’s functionality, it also presents a tantalizing target for attackers. New research shows how a compromised etcd can lead to full control over the cluster, allowing unauthorized changes to resources, tampering with operations, and potentially leading to data breaches or service disruptions.

Kubernetes architecture is divided into two main parts: the control-plane and the nodes. The control-plane acts as the central hub and includes components like the kube-apiserver (the brain of the cluster), scheduler (which assigns pods to nodes), controller manager (which manages the status of various cluster elements), and etcd (a key-value store for cluster data). Nodes contain components like kubelet (which ensures pods are running correctly) and kube-proxy (which connects services to the network).

Etcd is more than just a storage component in Kubernetes; it’s a critical part of the architecture. It’s a key-value database that stores all the cluster’s information. The data in etcd is stored using a serialization format called Protobuf, developed by Google for efficient data exchange between systems. Kubernetes uses Protobuf to serialize different kinds of data, such as pods and roles, each requiring different parameters and definitions.

The research describes a tool called auger, which can serialize and deserialize data stored in etcd into more readable formats like YAML and JSON. NCC Group has developed a wrapper for auger called kubetcd to showcase how a compromised etcd can be critical.

However, exploiting etcd has limitations. You’d need root access to the host running etcd and have the necessary certificates for authentication. Moreover, this technique mainly applies to self-managed Kubernetes environments, not managed ones offered by cloud providers.

Direct access to etcd could be used to tamper with Kubernetes resources, like changing the startup date of a pod or creating inconsistencies that make pods difficult to manage.

Direct access to etcd, the key-value store for Kubernetes, could allow an attacker to make unauthorized modifications to the cluster state, which could lead to various security issues. Here are some examples of how this could be exploited:

Changing Pod Timestamps:

  • Attackers with access to etcd could alter the creation timestamps of pods. This could be used to disguise malicious pods as long-running, trusted processes.
  • Example:
    kubetcd create pod nginx -t nginx --time 2000-01-31T00:00:00Z
    This command sets the timestamp of an nginx pod to January 31, 2000, making it appear as if it has been running for over 20 years.

Gaining Persistence:

  • By changing the path where a pod’s data is stored in etcd, an attacker could prevent the pod from being deleted by the regular Kubernetes API commands.
  • Example:
    kubetcd create pod maliciouspod -t nginx -p randomentry
    This command creates a pod and stores its data under a different path, making it difficult for Kubernetes to manage or delete it.

Creating Semi-hidden Pods:

  • Attackers could manipulate the namespace entries in etcd to run pods in a namespace that does not match their manifest. This can cause confusion and make pods difficult to manage.
  • Example:
    kubetcd create pod hiddenpod -t nginx -n invisible --fake-ns
    This command creates a pod that appears to run in the default namespace but is actually associated with the invisible namespace in etcd. This pod will not be listed under the default namespace, making it semi-hidden.

Bypassing Admission Controllers:

  • Admission Controllers enforce security policies in Kubernetes. By injecting resources directly into etcd, an attacker can bypass these controls and deploy privileged pods that could compromise the cluster.
  • Example:
    kubetcd create pod privilegedpod -t nginx -n restricted-ns -P
    This command injects a privileged pod into a namespace that is supposed to be restricted by Pod Security Admission (PSA) policies.

Tampering with Cluster Roles and Role Bindings:

  • Attackers can modify roles and role bindings directly in etcd to escalate privileges.
  • Example:
    kubetcd modify rolebinding admin-binding --clusterrole=cluster-admin --user=attacker
    This hypothetical command changes a role binding to give the attacker user cluster-admin privileges.

These examples show the potential dangers if an attacker gains direct access to etcd. They can make changes that are not subject to the usual Kubernetes API checks and balances, leading to unauthorized control over the cluster’s resources. This is why securing etcd access is critical in a Kubernetes environment.

Mitigation

To mitigate the risks associated with etcd and prevent the kinds of tampering mentioned earlier, several steps and best practices should be implemented:

Access Control:

  • Restrict access to etcd by implementing strong authentication and authorization mechanisms. Use TLS client certificates to secure communication with etcd.
  • Regularly rotate etcd access credentials and audit access logs to detect unauthorized access attempts.

Network Policies:

  • Limit network access to etcd servers, ensuring that only specific, authorized components can communicate with etcd.
  • Implement firewall rules or Kubernetes network policies to control the traffic towards etcd servers.

Etcd Encryption:

  • Enable encryption at rest for etcd to protect sensitive data. Even if attackers gain physical access to the etcd storage, they should not be able to read the data without the encryption keys.

Regular Backups:

  • Regularly back up the etcd data store. In case of a breach, this allows the cluster to be restored to a known good state.
  • Ensure backup integrity by verifying and testing backups periodically.

Monitoring and Auditing:

  • Implement monitoring to detect abnormal activities, such as unexpected changes in etcd.
  • Use tools like etcd’s built-in audit capabilities, Falco, or other intrusion detection systems to alert on suspicious behavior.
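One check such monitoring can run, as an added example (not code from the article, NCC Group or kubetcd): compare each pod entry's etcd key with its own manifest to surface the tampering cases described earlier. It assumes the entries were already decoded from Protobuf into dictionaries (for instance with auger), that pods are stored under /registry/pods/<namespace>/<name>, and that the operator supplies the cluster creation time and each namespace's Pod Security Admission level; the sample entries and rule names are constructed for illustration.

```python
"""Audit decoded etcd pod entries for signs of writes that bypassed the API server."""
from datetime import datetime, timezone

POD_PREFIX = "/registry/pods/"  # pods are stored at /registry/pods/<namespace>/<name>


def parse_ts(value):
    """Parse a Kubernetes creationTimestamp such as 2023-11-08T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_privileged(pod):
    """True if any container or init container sets securityContext.privileged."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any((c.get("securityContext") or {}).get("privileged") is True for c in containers)


def audit_pods(entries, cluster_created, psa_enforce):
    """Return (etcd_key, rule, detail) findings for a list of (key, decoded_pod) pairs."""
    findings = []
    for key, pod in entries:
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")

        # Rule 1: the key must be derivable from the manifest. A pod stored under
        # another name or namespace is unmanageable or semi-hidden through the API.
        expected = f"{POD_PREFIX}{ns}/{name}"
        if key != expected:
            findings.append((key, "key-mismatch", f"manifest implies {expected}"))

        # Rule 2: no pod can predate the cluster itself.
        created = meta.get("creationTimestamp")
        if created:
            try:
                if parse_ts(created) < cluster_created:
                    findings.append((key, "timestamp-before-cluster", created))
            except (ValueError, TypeError):
                findings.append((key, "timestamp-unparseable", str(created)))

        # Rule 3: a privileged pod in a namespace where Pod Security Admission
        # enforces baseline/restricted could not have passed admission.
        parts = key[len(POD_PREFIX):].split("/") if key.startswith(POD_PREFIX) else []
        key_ns = parts[0] if len(parts) == 2 else ""
        if is_privileged(pod):
            for candidate in sorted({ns, key_ns} - {""}):
                if psa_enforce.get(candidate) in ("baseline", "restricted"):
                    findings.append((key, "privileged-in-enforced-ns", candidate))
    return findings


def _pod(name, ns, created="2023-11-01T09:30:00Z", privileged=False):
    """Build a minimal decoded pod object (constructed sample data)."""
    container = {"name": "main", "image": "nginx"}
    if privileged:
        container["securityContext"] = {"privileged": True}
    return {"metadata": {"name": name, "namespace": ns, "creationTimestamp": created},
            "spec": {"containers": [container]}}


# Constructed sample entries: one clean pod plus one per tampering case.
SAMPLE_ENTRIES = [
    ("/registry/pods/default/web-1", _pod("web-1", "default")),
    ("/registry/pods/default/nginx", _pod("nginx", "default", created="2000-01-31T00:00:00Z")),
    ("/registry/pods/default/randomentry", _pod("maliciouspod", "default")),
    ("/registry/pods/invisible/hiddenpod", _pod("hiddenpod", "default")),
    ("/registry/pods/restricted-ns/privilegedpod",
     _pod("privilegedpod", "restricted-ns", privileged=True)),
]
CLUSTER_CREATED = datetime(2023, 10, 1, tzinfo=timezone.utc)  # assumed, operator-supplied
PSA_ENFORCE = {"restricted-ns": "restricted"}  # namespace -> enforce level (assumed input)

if __name__ == "__main__":
    for key, rule, detail in audit_pods(SAMPLE_ENTRIES, CLUSTER_CREATED, PSA_ENFORCE):
        print(f"{rule:28} {key}  ({detail})")
```

Run against a periodic etcd snapshot rather than the live store, so the audit itself needs no credentials for the running cluster.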

Least Privilege Principle:

  • Apply the principle of least privilege to etcd access. Ensure that only the necessary components have the minimum required access level to perform their functions.

Patch Management:

  • Regularly update etcd to the latest version to mitigate vulnerabilities caused by software defects.

Admission Controllers:

  • Use Admission Controllers like OPA Gatekeeper or Kyverno to define and enforce policies that can help prevent the creation of unauthorized resources within Kubernetes.

Security Contexts and Policies:

  • Apply Security Contexts and Pod Security Policies (or their successors, like Pod Security Admission) to enforce security-related settings in pods and prevent privilege escalation.

Disaster Recovery Plan:

  • Have a disaster recovery plan in case etcd is compromised. This plan should include steps to isolate affected systems, revoke compromised credentials, and restore from backups.

Education and Training:

  • Train the operations team to understand the security risks associated with etcd and Kubernetes, and how to apply best practices for securing the cluster.

By implementing these mitigations, organizations can significantly reduce the risk of unauthorized access and tampering with etcd, thus securing their Kubernetes clusters. Mitigating the risks associated with etcd ensures the integrity and reliability of Kubernetes clusters. By implementing industry best practices for security and maintaining a proactive stance on potential vulnerabilities, organizations can confidently deploy and manage their containerized workloads, keeping them secure in an ever-evolving threat landscape.

CVSS 4.0 Explained: From Complexity to Clarity in Vulnerability Assessment
https://www.securitynewspaper.com/2023/11/02/cvss-4-0-explained-from-complexity-to-clarity-in-vulnerability-assessment/
Thu, 02 Nov 2023 20:20:34 +0000

The Common Vulnerability Scoring System (CVSS) has been updated to version 4.0, which has been formally announced by the Forum of Incident Response and Security Teams (FIRST). This update comes eight years after the debut of CVSS v3.0, the previous version of the system. At its 35th annual conference, which took place in June in Montreal, Canada, FIRST presented CVSS 4.0 to the attendees. The Common Vulnerability Scoring System, also known as CVSS, is a standardised framework for evaluating the severity of software vulnerabilities. It does this by assigning numerical scores or qualitative labels (such as low, medium, high, and critical) based on factors such as exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores indicating more severe vulnerabilities.

The Common Vulnerability Scoring System, more often referred to as CVSS, is a methodology that provides a framework for evaluating and conveying the severity of software vulnerabilities. It offers a standardised way that organisations and security experts may use to analyse vulnerabilities based on the characteristics of the vulnerabilities, and then prioritise those vulnerabilities. The CVSS ratings provide assistance in making educated judgements on which vulnerabilities should be addressed first and how resources should be distributed for vulnerability management.

There have been several versions of CVSS, and each version has included enhancements and modifications that make it possible to more accurately evaluate the severity of vulnerabilities. The previous version, CVSS 3.1, has been upgraded to the current version, CVSS 4.0, which includes a number of significant updates and enhancements, including the following:

CVSS 4.0 has been designed with the goal of simplifying the scoring system and making it more accessible to users. It makes the scoring process more straightforward, which makes it simpler for security experts to grasp and put into practice.

Accurate Scoring: CVSS 4.0 includes enhancements in scoring to enable more accurate evaluations of vulnerabilities. These improvements were made possible by the introduction of new scoring methods. It improves the base, temporal, and environmental parameters such that a more accurate representation of the real effect of a vulnerability may be achieved.

Enhanced Metrics: It provides new metrics, such as Scope and Attack Vector, to offer more insights about the nature of the vulnerability and its effect on the system.

Formula: CVSS 4.0 comes with a revised formula that may be used to determine the total score on the CVSS scale. When paired with additional indicators, this formula provides a more accurate representation of the severity of vulnerabilities.

Contextual Information: When it comes to rating vulnerabilities, CVSS 4.0 strongly recommends taking advantage of any available contextual information. This contributes to a vulnerability assessment that is more precise and relevant to specific deployment circumstances.

Increased Scoring Flexibility: The updated version offers an increased degree of scoring flexibility for vulnerabilities. Users are given the option to choose several temporal and environmental criteria, so that the data may more accurately represent their unique situations.

The Common Vulnerability Scoring System (CVSS) version 4.0 marks an advancement in vulnerability scoring and solves some of the restrictions that were present in prior versions. It seeks to offer a system for analysing and prioritising vulnerabilities that is both more accurate and easier to use, with the ultimate goal of assisting organisations in improving their security posture by concentrating on the most pressing problems. In order to improve their vulnerability management procedures, security professionals and organisations should become familiar with CVSS 4.0 and consider implementing it.

Let’s take an example of how you would use CVSS 4.0 to determine the degree of severity of a software vulnerability. For the sake of this example, we will employ a made-up vulnerability:

Vulnerability Description: An application contains a buffer overflow vulnerability, which an attacker can exploit to execute arbitrary code on the affected system.

Here’s how you would use CVSS 4.0 to assess the severity of this vulnerability:

Base Metrics:

  • Attack Vector (AV): The vulnerability can be exploited via network (AV:N). The attacker does not need local access to the system.
  • Attack Complexity (AC): The attack requires no special conditions (AC:LOW). It’s relatively easy to exploit.
  • Privileges Required (PR): The attacker needs to gain elevated privileges (PR:HIGH). This makes it more challenging to exploit.
  • User Interaction (UI): No user interaction is required (UI:NONE).
  • Scope (S): The scope of the vulnerability is unchanged, and it doesn’t impact other components (S:UNCHANGED).

Temporal Metrics:

  • Exploit Code Maturity (E): There is proof of concept code available, but no known exploits in the wild (E:POC).
  • Remediation Level (RL): There is an official fix available (RL:OFFICIAL-FIX).
  • Report Confidence (RC): The vulnerability has been confirmed by multiple sources (RC:HIGH).

Environmental Metrics (Specific to the organization’s setup):

  • Modified Attack Vector (MAV): The organization’s security controls have made it harder for attackers to exploit this vulnerability (MAV:NETWORK).
  • Modified Attack Complexity (MAC): The organization’s security measures have increased the difficulty of exploitation (MAC:HIGH).
  • Modified Privileges Required (MPR): The organization’s security settings require lower privileges for successful exploitation (MPR:LOW).

Now, you can calculate the CVSS 4.0 score based on these metrics:

  1. Calculate the Base Score: In this case, it might be, for example, 7.8.
  2. Calculate the Temporal Score by considering the temporal metrics: Let’s say it’s 6.2.
  3. Calculate the Environmental Score, taking into account the environmental metrics and organization-specific factors: The final score might be 4.3.

The overall CVSS 4.0 score for this vulnerability would be the Environmental Score, which is 4.3 in this example. This score helps organizations understand the severity of the vulnerability in their specific context, considering the mitigations and configurations in place.

The higher the CVSS score, the more severe the vulnerability. Organizations can then prioritize addressing vulnerabilities with higher scores to improve their security posture. CVSS 4.0 offers more flexibility and a better representation of the vulnerability’s impact, taking into account various contextual factors.

The Art of Interception: Active and Passive Surveillance in Mobile Signaling Networks
https://www.securitynewspaper.com/2023/10/30/the-art-of-interception-active-and-passive-surveillance-in-mobile-signaling-networks/
Tue, 31 Oct 2023 00:15:24 +0000

The post The Art of Interception :Active and Passive Surveillance in Mobile Signaling Networks appeared first on Information Security Newspaper | Hacking News.

]]>
Mobile network data might be one of our most recent and thorough dossiers. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to many different actors and are closely tied to how mobile phones roam among cell providers when travelling. These vulnerabilities are usually related to the signalling messages carried across telecommunications networks, which expose phones to possible location disclosure.

Telecommunications networks rely on private, though open, signalling links. These connections enable local and international roaming, allowing mobile phones to switch networks smoothly. The signalling protocols also let networks obtain user information, including whether a number is active, whether services are accessible, to which national network the phone is registered, and where it is located. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.

Most illegal network-based location disclosure is achievable because mobile telecommunications networks interact. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data. Law enforcement and intelligence agencies may get geolocation information secretly using tactics similar to those employed by criminals. We shall refer to all of these players as ‘surveillance actors’ throughout this paper since they are interested in mobile geolocation surveillance.

Despite worldwide 4G network adoption and a fast-developing 5G network footprint, many mobile devices and their owners still use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.

The research done by Citizen Lab focuses on geolocation risks from attacks on mobile signalling networks. A user's position may be revealed through these networks by active or passive surveillance, and surveillance actors may use numerous strategies to do this.

The two methods differ significantly. Active surveillance employs software to trigger a mobile network response containing the target phone's position, whereas passive surveillance uses a collection device to retrieve phone locations directly from the network. During active attacks, an adversarial network uses software to send forged signalling messages to susceptible target mobile networks in order to query and retrieve the target phone's geolocation. Such attacks are possible on networks without properly implemented or configured security safeguards. Unless they can install or access passive collection devices in global networks, an actor leasing a network can only use active surveillance tactics.

However, cell operators and others may be forced to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring or face a hostile insider accessing mobile networks unlawfully. A third party might get access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.

The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a user’s location.

Active Surveillance:

  • In active surveillance, actors use software to interact with mobile networks and get a response with the target phone’s location.
  • Vulnerable networks without proper security controls are susceptible to active attacks.
  • Actors can access networks through lease arrangements to carry out active surveillance.

Passive Surveillance:

  • In passive surveillance, a collection device is used to obtain phone locations directly from the network.
  • Surveillance actors might combine active and passive methods to access location information.

Active Attacks:

  • Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
  • They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.

Vulnerabilities in Home Location Register (HLR) Lookup:

  • Commercial HLR lookup services can be used to check the status of mobile phone numbers.
  • Surveillance actors can pay for these services to gather information about the target phone’s location, country, and network.
  • Actors with access to the SS7 network can perform HLR lookups without intermediary services.

Domestic Threats:

  • Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
  • Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
  • In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.
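
The firewall gap described under Domestic Threats, as an added example that is not from the report or the original article: a screening policy that inspects only international links, next to one that screens every source the operator does not own. The global titles, policy functions and sample traffic are constructed, and the set of MAP operations treated as location-revealing is an assumption of this sketch.

```python
from dataclasses import dataclass

# MAP operations whose responses carry subscriber routing or location data
# (assumed screening set for this example).
LOCATION_OPS = {
    "sendRoutingInfoForSM",   # the query behind an HLR lookup
    "sendRoutingInfo",
    "provideSubscriberInfo",
    "anyTimeInterrogation",
}

# All global titles (GTs) below are constructed sample values.
OWN_NODE_GTS = {"999010000001", "999010000002"}   # the operator's own HLR / MSC
# Third parties connected to the network, with the only operations they
# are contracted to send (here: a messaging provider).
APPROVED_OPS = {"999015550002": {"sendRoutingInfoForSM"}}


@dataclass(frozen=True)
class MapMessage:
    link: str        # "international" or "national": the link it arrived on
    origin_gt: str   # calling-party global title
    operation: str   # MAP operation name


def weak_policy(msg):
    """The misconfiguration from the text: only international links are screened."""
    if msg.link == "international" and msg.operation in LOCATION_OPS:
        return "block"
    return "allow"


def hardened_policy(msg):
    """Screen every source the operator does not own, whatever link it uses."""
    if msg.origin_gt in OWN_NODE_GTS:
        # The operator's own GT should never arrive from abroad: treat as spoofed.
        return "block" if msg.link == "international" else "allow"
    if msg.operation not in LOCATION_OPS:
        return "allow"
    if msg.operation in APPROVED_OPS.get(msg.origin_gt, set()):
        return "allow"
    return "block"


def missed_by_weak_policy(messages):
    """Messages the weak policy lets through that the hardened policy stops."""
    return [m for m in messages
            if weak_policy(m) == "allow" and hardened_policy(m) == "block"]


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    MapMessage("international", "888020000009", "anyTimeInterrogation"),   # foreign source
    MapMessage("national", "999015550001", "anyTimeInterrogation"),        # third party on a domestic connection
    MapMessage("national", "999010000001", "provideSubscriberInfo"),       # operator's own HLR
    MapMessage("national", "999015550002", "sendRoutingInfoForSM"),        # approved source, approved operation
    MapMessage("national", "999015550002", "provideSubscriberInfo"),       # approved source, unapproved operation
    MapMessage("international", "999010000001", "provideSubscriberInfo"),  # own GT arriving from abroad
]

if __name__ == "__main__":
    for m in SAMPLE_TRAFFIC:
        print(f"{m.link:13} {m.origin_gt} {m.operation:22} "
              f"weak={weak_policy(m):5} hardened={hardened_policy(m)}")
    print("undetected by weak policy:", len(missed_by_weak_policy(SAMPLE_TRAFFIC)))
```
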

Passive Attacks:

  • Passive location attacks involve collecting usage or location data using network-installed devices.
  • Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
  • Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.

Packet Capture Examples of Location Monitoring:

  • Packet captures show examples of signaling messages used for location tracking.
  • Location information, such as GPS coordinates and cell information, can be exposed through these messages.
  • User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.

The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally.

Based on past, present, and future mobile network security evaluations, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are predicted to persist without forced openness that exposes poor practices and accountability mechanisms that require operators to fix them. All three network types give surveillance actors more possibilities. If nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military, and government officials.

Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice https://www.securitynewspaper.com/2023/10/10/unmasking-cracked-cobalt-strike-4-9-the-cybercriminals-tool-of-choice/ Tue, 10 Oct 2023 17:56:11 +0000

Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  

Cobalt Strike 4.9 Features

The latest release, version 4.9, introduces several significant features and improvements:

  • User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
  • Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
  • Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
  • Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
  • Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
  • WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
  • Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.

Cracked Versions in the Wild

Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.

The Crackdown

Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.

Why Cobalt Strike?

Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.

The Users

Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.

Remediation Efforts

To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).

The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.

How to send phishing or malware to Teams users evading Teams security features https://www.securitynewspaper.com/2023/09/21/how-to-send-phishing-or-malware-to-teams-users-evading-teams-security-features/ Thu, 21 Sep 2023 18:38:06 +0000

TeamsPhisher is a Python 3 program that was designed to make it easier for phishing messages and attachments to be sent to users of Microsoft Teams whose companies or organizations permit communication with outside parties. In most circumstances it is not possible to transfer files to Teams users who are not part of one’s own organization. Recently, Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) from JUMPSEC published a means to circumvent this limitation by modifying the HTTP requests made by Teams in order to change who is sent a message with an attached file.

TeamsPhisher uses a number of other techniques in addition to this one, including some older ones from Andrea Santese (@Medu554). For the authentication component of the attack flow, as well as other basic utility functions, it relies significantly on TeamsEnum, a brilliant piece of work that was developed by Bastian Kanbach (@bka) of SSE.

TeamsPhisher’s goal is to include the most useful aspects of the aforementioned projects in order to provide a method that is robust, fully adaptable, and highly effective for authorized Red Team operations to use Microsoft Teams for phishing in access-related circumstances.

You will need to provide TeamsPhisher with an attachment, a message, and a list of people to target. After that, it will go over the list of targets while simultaneously uploading the attachment to the sender’s Sharepoint.

First, TeamsPhisher will enumerate the target user and check to see whether that person really exists and is able to receive messages from the outside world. After that, it will initiate a new conversation with the person you choose. Note that this is technically a “group” conversation since TeamsPhisher contains the target’s email address twice; this is a clever hack from @Medu554 that will circumvent the “Someone outside your organization messaged you, are you sure you want to view it” splash screen that might offer our targets a reason to stop and think twice about viewing the message.

The user who was identified will get the message that was sent to them along with a link to the attachment that was stored in Sharepoint after a new thread has been established between our sender and the target.

After this first message has been sent, the newly established thread will be visible in the sender’s Teams GUI and may be engaged with manually, if necessary, on a case-by-case basis. Users of TeamsPhisher are required to have a Microsoft Business account (as opposed to a personal one such as @hotmail, @outlook, etc.) that is licensed for both Teams and Sharepoint in order to utilize the software.

This indicates that you will require an AAD tenant as well as at least one user who has a license that corresponds to it. At the time of publishing, the AAD licensing center does have some free trial licenses available for download that are capable of meeting all of the prerequisites for using this product.

Before you can use the account with TeamsPhisher, you must have successfully logged in at least once to the personal Sharepoint site of the user you will be sending messages from. This should be something along the lines of tenantname-my.sharepoint.com/personal/myusername_mytenantname_onmicrosoft.com or tenantname-my.sharepoint.com/personal/myusername_mytenantname_mycustomdomain_tld.

As for local requirements, we strongly advise upgrading to the most recent version of Python 3. You will also require the authentication library developed by Microsoft:

To upload the file to a specific Sharepoint site, you will need to give the site’s name manually. This is most likely to be required if the sender’s tenant uses a custom domain name (for example, one that does not follow the xxx.onmicrosoft.com convention). Use just the bare name; for instance, if your SharePoint site is located at mytest.sharepoint.com, use the --sharepoint mytest option.

You can replace TeamsPhisher’s standard greeting (“Hi,”) with a custom greeting that will be appended to the message supplied by the --message option. For instance, “Good afternoon,” or “Sales team,” are examples.

By default, the Sharepoint link that is sent to targets can be accessed by anybody who has the link; to restrict access to the Sharepoint file so that it can only be viewed by the target who received it, use the --securelink option. This may help shield the attachment from the blue team.

TeamsPhisher will try to determine the first name of each person it is targeting and will use that name in the greeting it sends to them. For instance, tom.jones@targettenant.onmicrosoft.com would get a message with the greeting “Hi Tom, ” as its first line. This is not perfect and depends on the format of the targeted email addresses; use the --preview option to see whether it is a good fit for your list of targets.

TeamsPhisher can be run in preview mode. This will NOT send any messages to the target users; instead, the “friendly” name that would be used by the --personalize option will be shown. In addition, a sample message that is representative of what targets would receive with the current settings will be delivered to the sender’s Teams. You may log in to check how your message appears and make any required adjustments to it.

You may choose to have a delay of x seconds between each message sent to targets. This can help with rate-limiting issues that may arise.

TeamsPhisher will determine which accounts are unable to receive messages from third-party organizations, which accounts do not exist, and which accounts have subscription plans that are incompatible with the attack vectors.

TeamsPhisher now enables login with sender accounts using multifactor authentication (MFA), thanks to code contributed by the TeamsEnum project.

If you use the --securelink flag, the recipients of the message will see a popup asking them to authenticate before they can view the attachment in Sharepoint. You can decide whether this adds too many extra steps or whether it adds ‘legitimacy’ by sending them through the actual Microsoft login flow.

Mitigation
Organizations can reduce the risk posed by this vulnerability by changing the external access settings, which can be found in the Microsoft Teams admin center under Users > External access.

Microsoft gives organizations the freedom to pick the permissions that best match their requirements, including the ability to whitelist only particular external tenants for communications and a global block that prevents any external communications from occurring.

Caldera: Free Operational technology OT Attack Emulation Tool to secure ICS, SCADA and PLC devices https://www.securitynewspaper.com/2023/09/07/caldera-free-operational-technology-ot-attack-emulation-tool-to-secure-ics-scada-and-plc-devices/ Fri, 08 Sep 2023 00:17:05 +0000

MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new open source tool that simulates cyber-attacks on operational technology (OT). The product was published recently.

MITRE Caldera for OT is now available to the general public as an extension to the open-source Caldera platform, which can be found on GitHub. It makes it possible for cybersecurity specialists who deal with industrial control systems (ICS) to carry out automated adversary emulation exercises, with the goal of testing and improving their cyber defenses on a continuous basis. This includes security assessments as well as red, blue, and purple team exercises.

This Caldera extension for OT was created via a collaborative effort between CISA and the Homeland Security Systems Engineering and Development Institute (HSSEDI). HSSEDI is a research and development institution that is financed by the federal government and is maintained and run by MITRE on behalf of the Department of Homeland Security (DHS).

The program contributes to the goal of the federal government to strengthen the security of vital infrastructure that is dependent on OT. Some examples of such infrastructure are water and electricity. This objective was elaborated upon in the United States’ National Cybersecurity Strategy, which was published in March 2023, and in the Executive Order on Improving the Nation’s Cybersecurity, which was issued by President Biden in May 2021.

The OT extension builds on work done by CISA and HSSEDI to automate adversary emulation in CISA’s Control Environment Laboratory Resource (CELR). That work made it possible to identify adversary techniques that could be implemented in Caldera.

The defensive mechanisms and testing capabilities of critical infrastructure systems are slated to get a boost from the use of these plugins.

These plugins, which are stored in the “caldera-ot” repository, are essential instruments for the protection of operational technology (OT) settings.

They are made available as Git submodules, which enables researchers and experts in the security industry to quickly and readily access them.

The purpose of these plugins is to facilitate adversary emulation inside the OT environment. This was the driving force behind their development.

Because of this, companies are given the ability to strengthen their security defenses and better prepare for possible attacks.

In addition to this, it is compatible with classic use cases for Caldera, such as rigorous testing of security mechanisms and operator training.

The move that has been taken by MITRE marks a major step forward in the continuing endeavor to secure critical infrastructure systems and to strengthen security within the OT sector.

A presentation titled “Emulating Adversary Actions in the Operational Environment with Caldera (TM) for OT” has also been made available by MITRE for individuals who are looking for further information of a more in-depth kind.

Users may apply the following command in order to install the whole collection of Caldera for OT plugins:

git clone https://github.com/mitre/caldera-ot.git --recursive


Individuals also have the option of configuring certain plugins on their own, which allows them to personalize their approach to OT security to meet their unique requirements.

At the moment, the following three important plugins are available:

  1. BACnet: catering to the Building Automation and Control Networks (BACnet) protocol.
  2. DNP: addressing the Distributed Network Protocol 3 (DNP3).
  3. Modbus: supporting the Modbus protocol.

Open-Source OT Protocol Libraries That Are Unified And Exposed To Users

Caldera for OT plugins is a service provided by MITRE that aims to standardize and expose open-source OT protocol libraries, making them available for use as protocol-specific plugins. Each plugin comes with its own extensive documentation.

Azure cloud security tutorial series – Chapter 4 [Establish VNet Peering] https://www.securitynewspaper.com/2023/08/29/azure-cloud-security-tutorial-series-chapter-4-establish-vnet-peering/ Tue, 29 Aug 2023 13:18:47 +0000

Objective

In the last chapter we saw how to add a resource to a VNet. In this chapter we will see how to enable connectivity between two virtual networks. Each virtual network is an isolated environment, so for two resources in two different virtual networks to talk to each other, we have to enable communication between the two virtual networks. Azure virtual network peering is supported within and across regions. We will start by creating two virtual networks, then verify the routes between them before enabling peering. After enabling peering we will see what peering does.

  1. Start by creating a VNet as explained earlier in chapter 2. We name it vnet1 and review the configuration before we create it.
  2. After clicking Create, our first virtual network, vnet1, with subnet1 (192.168.1.0/24) will be created in East US.
  3. Now create another virtual network, vnet2, and review the configuration before clicking Create.
  4. After clicking Create, our second virtual network, vnet2, with subnet2 (192.168.2.0/24) will be created in East US 2.
  5. Now add a resource to each subnet: we will add one virtual machine to each subnet.
  6. Add the first virtual machine to vnet1/subnet1. Once we click Create, it will bring up our first VM.
  7. Add the second virtual machine to vnet2/subnet2.
  8. The list of virtual machines shows that both virtual machines, in different virtual networks in different regions, are ready:
    • Name of VM1: vnet1-subnet1-vm1
      • Public IP: 52.170.1.138, Private IP: 192.168.1.4
    • Name of VM2: vnet2-subnet2-vm2
      • Public IP: 20.14.205.40, Private IP: 192.168.2.4
  9. Now try to ping between the two machines before enabling VNet peering. Neither will be able to ping the other.
  10. Also check the routes between the VMs.
  11. Now enable VNet peering between the virtual networks.
  12. Once you add peering, ping will start working between the virtual machines in the different virtual networks.
  13. Look at the routes again to see what has been modified or added. To see the routes, go to Virtual machines > vnet1-subnet1-vm1 > Networking > Network Interface > Effective routes. You will see a route with next hop VNetGlobalPeering.
  14. The resulting topology is vnet1 (East US) and vnet2 (East US 2) connected by VNet peering.
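
Why ping fails before peering and works after it, as an added example that is not part of the original tutorial: a small model of a VM's effective routes with longest-prefix matching. It assumes each VNet's address space equals its subnet prefix (the tutorial gives only the subnets) and uses Azure's documented default system routes; the function names are hypothetical.

```python
import ipaddress

# Prefixes Azure drops by default (next hop "None") unless they fall
# inside the VNet's own address space.
RESERVED_DROPPED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]


def effective_routes(vnet_space):
    """Default system routes for a VNet with a single address space."""
    space = ipaddress.ip_network(vnet_space)
    routes = [
        (space, "VirtualNetwork"),
        (ipaddress.ip_network("0.0.0.0/0"), "Internet"),
    ]
    for prefix in RESERVED_DROPPED:
        net = ipaddress.ip_network(prefix)
        # A reserved prefix that the address space equals or contains is
        # replaced by the VirtualNetwork route instead of being dropped.
        if not net.subnet_of(space):
            routes.append((net, "None"))
    return routes


def next_hop(routes, destination):
    """Pick the next hop type by longest-prefix match."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def add_peering(routes, local_space, local_region, remote_space, remote_region):
    """Return the route table after peering with a remote VNet."""
    local = ipaddress.ip_network(local_space)
    remote = ipaddress.ip_network(remote_space)
    if local.overlaps(remote):
        # Peering requires non-overlapping address spaces.
        raise ValueError(f"{local} overlaps {remote}: peering not possible")
    hop = "VNetPeering" if local_region == remote_region else "VNetGlobalPeering"
    return routes + [(remote, hop)]


if __name__ == "__main__":
    vm1_routes = effective_routes("192.168.1.0/24")        # vnet1, East US
    print("before peering:", next_hop(vm1_routes, "192.168.2.4"))
    peered = add_peering(vm1_routes, "192.168.1.0/24", "East US",
                         "192.168.2.0/24", "East US 2")    # vnet2, East US 2
    print("after peering: ", next_hop(peered, "192.168.2.4"))
```

Before peering, traffic to 192.168.2.4 matches only the dropped 192.168.0.0/16 default route; after peering, the more specific 192.168.2.0/24 route wins. Because peering opens private connectivity for the whole address space, network security groups remain the control that limits which ports the peered VMs can actually reach.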

Azure cloud security tutorial series – Chapter 3 [Add resource to VNet] https://www.securitynewspaper.com/2023/08/21/azure-cloud-security-tutorial-series-chapter-3-add-resource-to-vnet/ Mon, 21 Aug 2023 19:29:33 +0000

Overview

In the last chapter (Azure cloud security tutorial series – Chapter 2 [Virtual Network]) we saw how to create a VNet in Azure. Once you have a VNet created, it’s time to add resources to it, just as you would add computers, servers and other types of devices to a network that is private to you. In this chapter we will show how to add 2 virtual machines to our VNet/subnets. To recap, in the last chapter we created one VNet and added 2 subnets to it. Now we will add one virtual machine to each subnet.

Create a virtual machine in the virtual network

In this section we will create a virtual machine in subnet1.

  1. To access the Azure portal, go to http://portal.azure.com
  2. Click on All services > Compute > Virtual machine
  3. Hover your mouse over it and you will see a + sign. Click on the + sign and you will land on the virtual machine creation screen.

We will talk about all the options to select:

Subscription – Free Trial

Resource Group – rg_FreeTrial

Virtual Machine Name – vnet1-subnet1-vm1

Region – (US) East US

Availability Option – This option helps keep a backup of your resource in case of any failure.

Security Type – This is how you want your virtual machine to be accessed: with a simple lock, or with a stronger lock for additional security.

Image – Choose the base image of the operating system. In other words, it’s the operating system you want to have in your virtual machine.

VM Architecture – The CPU architecture of the virtual machine.

Run with Azure spot discount – This is like getting a deal on a hotel booking because you are flexible on timing. If you choose this option while creating a virtual machine, you are saying that you are happy to get a discount on cost by using capacity when it’s available. If someone else is willing to pay more for it, you may lose the machine.

Size – Azure provides many different virtual machine sizes, grouped into the VM series explained below:

A-Series: These are basic virtual machines, suitable for basic workloads; you can use them for web servers and small databases.

B-Series: B stands for Budget. These virtual machines are good for work where you need variable performance. They cannot take too much load, but you get good performance temporarily when required and they return to lower performance when not in use.

D-Series: These virtual machines are used when you require high CPU and memory. They are good for remote working, hosting applications, and large databases.

E-Series: Virtual machines designed to provide memory and computational power. They are suitable for memory-intensive applications, data warehousing and real-time analytics.

F-Series: Virtual machines for workloads that require high CPU, commonly used for gaming servers and scientific modeling.

G-Series: Virtual machines designed for a lot of memory and computational power; they are ideal for SQL Server workloads.

H-Series: Used for complex scientific computation. They provide powerful CPU and GPU.

L-Series: VMs for workloads that require a large amount of local storage, like big data applications.

M-Series: VMs for workloads that require a lot of memory and fast storage, such as relational databases and big data workloads.

N-Series: GPU-enabled VMs used for graphics-intensive workloads like gaming and AI/machine learning.

Administrator account – Mention the way you want to connect to Virtual machine wither through password less way (.i.e. is with SSH key) or using password

Inbound port rules – Keep it to None. We talks about which ports are allowed from outside world or public internet. None means everything is blocked from outside or public internet.

  1. Click Next : Disks, you will get following options

When you create Azure VMs it provides one operating system disk and a temporary disk for short-term storage. You can attach additional data disks. The size of the VM determines the type of storage you can use and the number of data disks allowed.

This page talks about configuration of these 2 types of Azure managed disks, one operating system disk and a data disk if configured.

VM disk encryption – This is used to encrypt your data stored on Azure managed disks (OS and data disks). Azure disk storage encryption automatically encrypts that data at rest by default when persisting it to the cloud.

OS (Operating system) Disk type – Azure provides the following types of disks that go with your virtual machine for storing the operating system. The following table provides a comparison of the five disk types to help you decide which to use. Refer to https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types

| | Ultra disk | Premium SSD v2 | Premium SSD | Standard SSD | Standard HDD |
|---|---|---|---|---|---|
| Disk type | SSD | SSD | SSD | SSD | HDD |
| Scenario | IO-intensive workloads such as SAP HANA, top tier databases (for example, SQL, Oracle), and other transaction-heavy workloads. | Production and performance-sensitive workloads that consistently require low latency and high IOPS and throughput | Production and performance sensitive workloads | Web servers, lightly used enterprise applications and dev/test | Backup, non-critical, infrequent access |
| Max disk size | 65,536 GiB | 65,536 GiB | 32,767 GiB | 32,767 GiB | 32,767 GiB |
| Max throughput | 4,000 MB/s | 1,200 MB/s | 900 MB/s | 750 MB/s | 500 MB/s |
| Max IOPS | 160,000 | 80,000 | 20,000 | 6,000 | 2,000, 3,000* |
| Usable as OS Disk? | No | No | Yes | Yes | Yes |

Key management – If you are storing very confidential data on Azure managed disks, you can use an Azure-provided key or generate your own keys for encryption and decryption.

  5. Click Next to move to the Networking section

Virtual Network – Select vnet1. Definition as stated by Azure: 

Virtual networks are logically isolated from each other in Azure. You can configure their IP address ranges, subnets, route tables, gateways, and security settings, much like a traditional network in your data center. Virtual machines in the same virtual network can access each other by default.

Subnet – Select vnet1-subnet1. Definition as stated by Azure:

A subnet is a range of IP addresses in your virtual network, which can be used to isolate virtual machines from each other or from the Internet.

Public IP – Use a public IP address if you want to communicate with the virtual machine from outside the virtual network.

NIC network security group – A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, the virtual machine. To simplify management of security rules, it’s recommended that you associate a network security group to individual subnets, rather than individual network interfaces within the subnet, whenever possible.

Public inbound ports – None

By default, access to the virtual machine is restricted to sources in the same virtual network, and traffic from Azure load balancing solutions. Select None to confirm, or choose to allow traffic from the public internet to one of these common ports.

Delete public IP and NIC when VM is deleted – check it

Public IP addresses and NICs persist independently from the virtual machine. You can choose to automatically delete the public IP address and NIC when the associated virtual machine is deleted.

Load balancing – We don't have a load balancer, so leave it at the default

  6. Click Next to move to the Management tab

Enable system assigned managed identity – 

A system assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based access control. The life cycle of this type of managed identity is tied to the life cycle of this resource. Additionally, each resource (e.g. Virtual Machine) can only have one system assigned managed identity.

Login with Azure AD

Use your corporate Active Directory credentials to log in to the VM, enforce MFA, and enable access via RBAC roles.

Keep the other settings at their defaults.

  7. Click on Advanced; it provides options to run a script on VM start.
  8. Leave Tags at the default and go to Review + create; you will land on the page below to create the VM
  9. Once the VM is created you will get the screen below:

Create another virtual machine in the virtual network 

  1. Now we create another virtual machine in subnet2, following the same steps as above. After completing the configuration of virtual machine 2 we get the final screen for review:
  2. Now create VM2 and you will get:
  3. When you have both virtual machines you will see the output below:
  4. Go to any virtual machine, for example vnet1-subnet1-vm1 | Networking; on the right-hand side you will see Topology
  5. Once you click on it you can also download your topology from Azure.
  6. Click on it and you will get the final topology:

Allow SSH to Virtual machines in Azure 

  1. Add an inbound rule in VM > Networking as shown below. Click on Add inbound rule and allow SSH from anywhere.
  2. The rule highlighted in yellow is the added one.
  3. Now you can SSH from the internet.
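The tutorial first keeps inbound ports at None and then adds a rule allowing SSH from anywhere, so it is worth checking which rules leave port 22 reachable from any source. The following audit is an added example, not part of the original tutorial; the field names are assumed to follow the JSON that `az network nsg rule list` prints, and the sample rules are constructed.

```python
import ipaddress

# Source values that mean "anywhere" in an NSG rule (compared lower-case).
ANY_SOURCE = {"*", "any", "internet"}

def _values(rule, single_key, list_key):
    """NSG rules carry either one value or a list of values; merge both."""
    merged = list(rule.get(list_key) or [])
    if rule.get(single_key):
        merged.append(rule[single_key])
    return merged

def _covers_port(spec, port):
    """True if a port spec such as '22', '20-25' or '*' includes port."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _is_anywhere(prefix):
    """True for '*', the Internet tag or a zero-length prefix like 0.0.0.0/0."""
    prefix = str(prefix).strip().lower()
    if prefix in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # other service tags, e.g. VirtualNetwork

def _open_to_world(rule, port):
    """Inbound TCP rule (Allow or Deny) that matches port from any source."""
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return (
        rule.get("direction", "").lower() == "inbound"
        and rule.get("protocol", "*").lower() in ("tcp", "*")
        and any(_covers_port(p, port) for p in ports)
        and any(_is_anywhere(s) for s in sources)
    )

def exposed_rules(rules, port=22):
    """Names of Allow rules exposing port to any source, in priority order.

    NSG rules are evaluated lowest priority number first and the first match
    wins, so a Deny-from-anywhere rule hides every later rule for that port.
    Destination addresses are not evaluated in this simplified check.
    """
    exposed = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not _open_to_world(rule, port):
            continue
        if rule["access"].lower() == "deny":
            break
        exposed.append(rule["name"])
    return exposed

# Constructed sample rules (not taken from the tutorial's subscription).
SAMPLE_RULES = [
    {"name": "allow-ssh-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-ssh-admin", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
    {"name": "allow-mgmt-range", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRange": "20-25"},
    {"name": "allow-https", "priority": 330, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]
```

A rule like the constructed `allow-ssh-admin`, which limits the source to one known address, is not reported; restricting the source this way is the usual alternative to allowing SSH from anywhere.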

Azure cloud security tutorial series – Chapter 2 [Virtual Network] https://www.securitynewspaper.com/2023/08/21/azure-cloud-security-tutorial-series-chapter-2-virtual-network/ Mon, 21 Aug 2023 18:46:56 +0000

Basic Overview 

A network is a combination of many different systems connected together. In the Azure cloud security tutorial series – Chapter 1 [Azure Account] we said that a virtual network is a private space in a network where you can play around with the systems in that virtual network. It's a more secure way of putting your own network within a network. A virtual network is also called a VNet in the Azure cloud, or Microsoft cloud.

Create Virtual Network Step by Step

  1. To create a virtual network step by step, log in to https://portal.azure.com and then go to All services > Networking > Virtual Networks
  2. Hover your mouse over it and you will see a + sign. Click the + sign
  3. Once you click on Create Virtual network you will see the screen below:

Subscription – Select Free Trial

Resource Group – To understand a resource group, imagine how you manage files on your computer. You create a folder and then put similar files in that folder. Similarly, a resource group in Azure helps you to manage and organize similar resources.

  4. Keep the Security tab at its default values
  5. In IP Addresses add two subnets as shown below.
  6. Keep Tags at the default
  7. Now go to Review + create or click Next
  8. After creating it you will get the screen below:
  9. Now we will add resources to the VNet and subnets in the next post.

Azure cloud security tutorial series – Chapter 1 [Azure Account] https://www.securitynewspaper.com/2023/08/21/azure-cloud-security-tutorial-series-chapter-1-azure-account/ Mon, 21 Aug 2023 18:37:31 +0000

Basic Overview 

Azure is the most used cloud in IT organizations. Before the cloud came into existence, many companies and organizations were using Microsoft products such as Windows OS, MS Office and even Microsoft server OS on their servers to run the internal authentication server called AD, among others. So it is easy for these organizations to move to the cloud, and to Microsoft's in particular, as their IT admins already had hands-on experience with Microsoft products. After the cloud came into existence, many organizations migrated to Microsoft's cloud, called Azure. There are a few terms to understand before we move further:

Azure – It's the name given to the Microsoft cloud.

Azure subscription – Think of a ticket to a theme park. Once we have the ticket, we can go on all the rides in that theme park. Just like that ticket, an Azure subscription is a ticket to get into Azure and play around with, or rather utilize, the different resources available there. These resources can be virtual machines, storage or databases.

VNet – The Azure cloud is very vast, with thousands of systems, databases and other devices connected together. A VNet provides a logical isolation of the Azure cloud dedicated to your Azure subscription. With a VNet you can connect your Azure resources with your on-premises network.

Subnets – A subnet is a subset of an Azure VNet. With the help of subnets you can segment your Azure resources within the VNet into smaller address spaces.

Address space – To understand what an address space is, think of a network where each device is allocated an IP address between 192.168.1.0 and 192.168.1.255. For that network, 192.168.1.0-192.168.1.255 is the address space.

Virtual machine – To understand the virtual machine concept, imagine that Microsoft has purchased a big computer and connected that computer to the cloud. To earn money from this big computer, Microsoft decided to create small computers from it and rent these small, or you can say virtual, computers to the world. The more people use these virtual computers, the more Microsoft earns.

Now, to understand Azure in a practical manner, we will start by creating a VNet in these Azure tutorials, and under this VNet we will create 2 subnets. Under each subnet we will add one virtual machine.
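To make the address space and subnet definitions above concrete, the following added example (not from the original tutorial) checks a two-subnet plan against the 192.168.1.0 to 192.168.1.255 range used above. The /26 prefixes and the name vnet1-subnet2 are assumptions chosen for illustration; the tutorial's own subnet values are not given on the page.

```python
import ipaddress

# Azure keeps the first four addresses and the last address of every subnet.
AZURE_RESERVED = 5
SMALLEST_SUBNET_PREFIX = 29  # smallest IPv4 subnet Azure accepts

def check_subnet_plan(address_space, subnets):
    """Validate named subnets against a VNet address space.

    Returns {subnet name: addresses left for resources}; raises ValueError
    when a subnet is malformed, too small, outside the VNet or overlapping.
    """
    vnet = ipaddress.ip_network(address_space)
    accepted = {}
    usable = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)  # rejects CIDRs with host bits set
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            raise ValueError(f"{name}: {net} is smaller than /{SMALLEST_SUBNET_PREFIX}")
        if not net.subnet_of(vnet):
            raise ValueError(f"{name}: {net} is outside address space {vnet}")
        for other_name, other in accepted.items():
            if net.overlaps(other):
                raise ValueError(f"{name}: {net} overlaps {other_name} ({other})")
        accepted[name] = net
        usable[name] = net.num_addresses - AZURE_RESERVED
    return usable

def free_ranges(address_space, subnets):
    """Blocks of the address space that no subnet in the plan uses yet."""
    free = [ipaddress.ip_network(address_space)]
    for cidr in subnets.values():
        used = ipaddress.ip_network(cidr)
        remaining = []
        for block in free:
            if used.subnet_of(block):
                # Split the block around the used subnet and keep the rest.
                remaining.extend(block.address_exclude(used))
            else:
                remaining.append(block)
        free = remaining
    return sorted(free)

# The range from the address space definition above, written as a CIDR block.
VNET_ADDRESS_SPACE = "192.168.1.0/24"
# Assumed subnet prefixes (illustrative, not the tutorial's own values).
PLAN = {
    "vnet1-subnet1": "192.168.1.0/26",
    "vnet1-subnet2": "192.168.1.64/26",
}

if __name__ == "__main__":
    print(check_subnet_plan(VNET_ADDRESS_SPACE, PLAN))
    print([str(block) for block in free_ranges(VNET_ADDRESS_SPACE, PLAN)])
```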

Follow the steps below to create an account in the Azure portal and a subscription.

  1. Go to https://azure.com
  2. Go to Try Azure for Free
  3. And then go to Start free
  4. It will ask you to log in to the microsoftonline.com portal. If you don't have credentials, create new ones.
  5. Once you are logged in you will have to fill in the form below:
  6. Next it will ask for credit or debit card information. You will be charged when you migrate from the pay-as-you-go service. As we have opted for the Free account, we will get $200 (approx. 13K INR) of credit.
  7. It will debit Rs. 2 from your card, and once payment is confirmed you will be redirected to the Go to Azure portal page.
  8. Now click the Go to Azure portal button or go to https://portal.azure.com and log in with the email and password you provided for microsoftonline.com. Once you are logged in you will land on the Azure dashboard.

Fake airplane mode attack allows to spy and hack iPhone users https://www.securitynewspaper.com/2023/08/17/fake-airplane-mode-attack-allows-to-spy-and-hack-iphone-users/ Thu, 17 Aug 2023 23:54:10 +0000

This summer, hundreds of thousands of people will be preparing to take off while sitting back, relaxing, and using the airplane mode setting on their iPhones. When this setting is activated, the device's radio frequency (RF) transmission technology is turned off, which severs the user's connection to their mobile network for the duration of the flight. This function, which was first implemented many years ago as a precautionary safety measure to shield aircraft from what was believed to be tampering with their communications or navigation systems, is also known as flight mode or fly safe mode. In point of fact, many people have exaggerated the severity of this perceived risk to aircraft safety. As a result, the regulations are not as stringent as they once were, and the quality of in-flight Wi-Fi services has increased to the point where they are now usable. Despite this, activating airplane mode continues to be an essential part of the pre-flight procedure.

Nevertheless, researchers at Jamf Threat Labs have recently uncovered and successfully demonstrated an exploit approach that allows an attacker to retain persistence on their victim’s device even when the user thinks they are offline. This technique was developed in response to a vulnerability that was revealed in a previous exploit. The approach, which has not been seen being used in the wild, relies on the successful development of a fake airplane mode “experience” by a hypothetical threat actor. This “experience” causes the device to give the appearance of being offline while in reality it is still functioning normally.

The exploit chain that was put together by Jamf ultimately results in a scenario in which processes that are controlled by an attacker are able to operate in the background undetected and unseen, while the owner of the device is blissfully oblivious that anything is wrong.

Two daemons are tasked with switching iOS devices to airplane mode: SpringBoard, which handles visible changes to the user interface (UI), and CommCenter, which controls the underlying network interface and maintains a feature that enables users to limit mobile data access for certain applications. When airplane mode is activated under typical circumstances, the mobile data interface no longer shows IPv4 or IPv6 addresses. Additionally, the mobile network becomes disconnected and inaccessible to the user at the user-space level.

The Jamf team, on the other hand, was able to pinpoint the pertinent area of the target device's console log and, from that point on, utilize a certain string, “#N User airplane mode preference changing from kFalse to KTrue”, to locate the code that was referencing it. From there, they were able to successfully access the code of the device, at which point they hooked into the function and replaced it with an empty or inactive function. They were able to do this in order to construct a bogus airplane mode, in which the device does not truly get disconnected from the internet and they still have access to it.

After that, they went after the user interface by hooking two unique Objective-C methods to inject a tiny bit of code that dimmed the mobile connection indicator, leading the user to believe that it is switched off, and highlighted the airplane mode icon, which is represented by a picture of an airplane. If the hypothetical victim were to open Safari at this point, they would have good reason to believe that they would be prompted to disable airplane mode or connect to a Wi-Fi network in order to access data. This would be a reasonable assumption given that airplane mode appears to be enabled on their device.

However, since they are really still connected to the internet, they would instead receive a separate message asking them to authorize Safari to use wireless data through WLAN or mobile, or WLAN alone, which would be a hint that something was wrong. The Jamf team was aware that this problem needed to be fixed in order for the exploit chain to be successful. As a result, they devised a strategy that gave the user the impression of having been disconnected from mobile data services. This was accomplished by exploiting the CommCenter feature that blocks mobile data access for specific applications, and then disguising this action as airplane mode by hooking yet another function.

They accomplished this by creating an environment in which the user was presented with a prompt to switch off airplane mode, rather than the prompt that they should have seen. The team made use of a feature of SpringBoard that prompts the “turn off airplane mode” notification after being notified to do so by CommCenter. CommCenter, in turn, receives this notification from the device kernel via a registered observer/callback function. This allowed the team to disable Safari's internet connection without actually turning on airplane mode.

The group then discovered that CommCenter also handles a SQL database file that records the mobile data access status of each program. If an application is prevented from accessing mobile data, that application is marked with a particular flag. They would then be able to selectively prohibit or enable an application’s access to mobile data or Wi-Fi by reading a list of application bundle IDs and obtaining their default settings from this information.

Chain of exploitation

After putting all of this information together, the team had basically developed an attack chain in which their fake airplane mode seems to the victim to be running exactly as the genuine one does, with the exception that non-application programs are allowed to access mobile data.

“This hack of the user interface disguises the attacker’s movement by placing the device into a state that is counterintuitive to what the user expects,” he added. “The user expects one thing, but the device behaves in a way that betrays their expectations.” “An adversary could use this to surveil the user and their surroundings at a time when no one would suspect video recording or a live microphone capturing audio,” says one researcher. “This could give an adversary an advantage in a fight.” This is feasible because the mobile device in question is still connected to the internet, regardless of what the user interface is trying to convey to the user.

According to Covington, the discovery does not fall under the normal responsible disclosure process because the exploit chain does not constitute a vulnerability in the traditional sense. Rather, it is a technique that enables an attacker to maintain connectivity once they have control of the device through another series of exploits. The researchers did notify Apple of the research, but no one has responded to a request for comment.

The new attack approach poses a danger, but if it were to be used in anger, it would more likely be used in a targeted attack scenario by a threat actor with very particular aims in mind than in a mass-exploitation event targeting the general public. As an example, exploitation for the purposes of espionage or surveillance by government-backed adversarial actors against persons of interest is a more likely scenario than exploitation by financially driven cyber thieves.

Despite the fact that the technique is most likely to be used in a targeted attack, it is still important to raise awareness of how device user interfaces, particularly those built by trusted suppliers such as Apple, can be turned against their users. This is because of the inherent trust that people place in their mobile devices. The most crucial thing, according to him, is for consumers and security teams to better understand contemporary attack methods like those shown by the fake airplane mode study. In a sense, this is the next generation of social engineering, and it's not unlike how artificial intelligence is being used to produce bogus testimonials that look to be from well-known celebrities.
