Don't Slack
Firstly can we wish everyone a Happy Easter break, indistinguishable as it is from the two weeks prior. As temperatures rise and the skies are blue, we really hope that people try and stay indoors, although in London W12 where this missive is being written, that seems very unlikely given the large groups of people meeting in parks, running, cycling or just chatting, none of whom appear to know what two metres looks like. Stay indoors, drinking like Beau Geste did after the relief column arrived in the desert is our advice, like the government’s, but more honest.
The cyber threat implications of the ongoing COVID-19 situation are serious and worth thinking about. They fall into the following broad categories:
COVID-19 being used as a lure or ‘clickbait’ to redirect unsuspecting punters to malicious sites for the usual purposes. Government agencies the world over have detected more COVID-19 fraud attempts than any other theme in the last month.
State Cyber activity will no doubt be utilised to gather as much real data (i.e. not the drivel coming out on the airwaves in mindless briefings) as possible about the virus, spread, technology, the whole bit.
Government schemes (like business rate relief in the UK) will undoubtedly be targeted by fraudsters cyber, organised and opportunistic (like people who’s businesses went bust years ago for instance).
The lowest of the low will target the healthcare sector and should be sent straight to execution.
Home working technologies will come under scrutiny by both cyber criminals and researchers (there is a difference, we think) as we explained in our blog last week.
Which brings us on to ‘Don’t Slack’ (incidentally a really rubbish tune by Anderson .Peake and Justin Timberlake, yes that full stop before the Peake is a thing, ghastly).
This week has seen a bunch of security researchers from Enable Security, a specialist realtime traffic security outfit (currently rubbing their hands with glee) publish an exploit they carried out TWO YEARS AGO (ilawyers, lawyers) against the infrastructure of Slack by jacking proxy details.
WARNING! If you are technically minded, currently don’t know that much about realtime security and operations and want to see any of your family for the next few days, do not read the next 2 paragraphs, and if you do, do not click on the links! We speak from experience.
Collaboration servers use a nattily named protocol called TURN (Traversal Using Relays around NAT Extensions for TCP Allocations) which is defined in RFC6062, itself a successor to STUN (Session Traversal Utilities for NAT) which is RFC5389, don’t say we didn’t warn you trigger happy techs…
It turns out (see what we did there) that Slack’s internal infrastructure was accessible from the outside world by abusing the NAT configuration and proxies. So an attacker could access the inside of Slack, and Enable Security did just that, published the results in this massively interesting investigation progress report (really not joking, it is fascinating) and were paid $3500 for their efforts, which seems very measly to us (bet they would get a lot more today).
Naked Security has done a really good write up for the less RFC inclined but interested.
The attention of well intended security analysis against collaboration platforms at this time is certainly being matched by the much less well intended. After this old exploit has been published, we wouldn’t want to be running a TURN farm, oh no. We will endeavour to keep you up with the score over the coming weeks.
In other news, it seems that ‘Internet of ting tings’ (tm) devices are being targeted once more by a number of BotNet criminals. New BotNets are used to disrupt businesses and services, you may remember Mirai taking out the East Coast of America in 2016. These are not matters to be ignored or taken lightly.
News about BotNet development is often wildly inaccurate, but we think the following are true.
Last month Russian hackers revealed plans about Russia’s security services (The FSB) using contractors to develop a botnet in the Mirai flavour https://www.infosecurity-magazine.com/news/leaked-plans-reveal-mirai-like/. They are probably all at it, one way or another (the world’s security services) so this isn’t that much of a surprise.
What is surprising is the way in which the development was revealed. One can only imagine that there must be some people ‘off grid’ either temporarily or permanently as you read this.
This week security outfit BitDefender identified a new, quickly developing IoT BotNet which they have dubbed ‘Dark Nexus' mwahaha). This is incredibly sophisticated with different code for different IoT device processors, comprehensive anti detection and disruption measures etc. It is thought to be the work of one very nasty guy/girl/crew called greek.Helios who is well known for renting BotNets for indiscriminate purposes. Rapid development includes the command and control sessions using encrypted traffic - a TLS1.3 version must but on the cards which will make identifying this traffic over corporate networks very difficult. Emerging technologies like Barac which use metadata to identify rogue secured flows are going to be very much required in the future.
With patching of IoT devices very much on the back burner during these difficult times, BotNet activity is inevitable. Let’s hope that some morons do not target healthcare, but they probably will. If you can, keep patching your IoT stuff.
Hope the lock down is treating you ok and all of your family members are still well, virus-wise or just family rucking !