Update to PuTTY to Fix 8 High Severity Flaws

Hello All. Many of us who have to interact with Linux or Unix hosts use PuTTY for SSH and related protocols. The PuTTY developers have just released version 0.71, an update to the 0.70 release from July 2017, which corrects the following issues:

  1. Authentication Prompt Spoofing — Since PuTTY has no way to indicate whether a piece of terminal output is genuine, this user-interface issue could be exploited by a malicious server to generate a fake authentication prompt on the client side, tricking victims into entering their private key passphrases.
  2. Code Execution via CHM Hijacking — When a user launches the online help within the PuTTY GUI tools, the software tries to locate its help file alongside its own executable. If an attacker can place a malicious help file in that directory, it is the one that gets opened, which can lead to code execution.
  3. Buffer Overflow in Unix PuTTY Tools — According to the advisory, if a server opens too many port forwardings, PuTTY for Unix did not bounds-check the file descriptors it collected while monitoring the set of active Unix file descriptors for activity, leading to a buffer overflow.
    “We don’t know if this was remotely exploitable, but it could at least be remotely triggered by a
  4. Reusing Cryptographic Random Numbers — This issue resides in PuTTY's cryptographic random number generator, which could occasionally hand out the same batch of random bytes twice.
  5. Integer Overflow Flaw — All prior versions of PuTTY suffer from an integer overflow caused by a missing key-size check in the RSA key exchange.
  6, 7 and 8. Terminal DoS Attacks — The last three vulnerabilities allow a malicious server to crash or slow down the client's terminal by sending specially crafted text output.

Update to 0.71 as soon as possible. The PuTTY development team seem pretty serious about this one – https://www.chiark.greenend.org.uk/~sgtatham/putty/releases/0.70.html

Bad Day for Citrix…

On March 8, Citrix confirmed in a posted statement that the company's internal network had been breached by attackers who used password spraying: trying a short list of common passwords against a wide range of accounts, which eventually turned up credentials that worked. Apparently, the attackers made off with 6 TB to 10 TB of data from internal systems.

It wasn't a surprise to hear that Citrix first found out about the breach from law enforcement: on March 6 the FBI told the company it had evidence that Citrix had potentially been breached. I think the statistics are still pretty high for organizations that learn of a potential breach from law enforcement, specifically when investigators gathering intelligence on an organized crime campaign, or on another organization that had been breached, come across evidence such as source IPs indicating that a further organization was also compromised.

According to Citrix, the attackers appear to have downloaded business documents, but the company said it is not yet sure which data was taken. “At this time, there is no indication that the security of any Citrix product or service was compromised,” said Stan Black, Citrix CSIO.

Interestingly, security firm Resecurity claims that the attack against Citrix began on October 15, 2018, used a list of nearly 32,000 user accounts, and is connected to Iranian interests. Resecurity also claims that the Iranian-linked group it tracks as IRIDIUM has hit more than 200 government agencies, oil and gas companies, and technology companies, including Citrix.

Resecurity has provided a number of IOCs, including the following IPs:

Source IPs:

  • 178.131.21[].19[] (Iran)
  • 5.115.23[].11[] (Iran)
  • 5.52.14[].23[] (Iran)

Used proxies:

  • 23.237.104.90 – Canada (VPN)
  • 194.59.251.12 – USA (VPN)
  • 185.244.214.198 – Poland
  • 138.201.142.113 – Germany
  • 92.222.252.193 – France (Nov 29, 2018)
  • 51.15.240.100 – France (Dec 7, 2018) x 3 times
  • 185.220.70.135 – Germany (Dec 7, 2018) x 5 times

To read the complete Resecurity blog post, which is quite good and full of useful IOCs, please visit – https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/
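As an added example (not code from the original post, from Citrix or from Resecurity), here is a small Python detector that looks for the shape of the attack described above in constructed auth-log lines. A spray shows up as one source trying many distinct accounts a few times each, which is the opposite of a brute force against a single account, and the credentials that "worked" are the successful logins coming from a source that was spraying. The log format, thresholds and sample lines are constructed for illustration; the IOC_IPS set is the list of proxy addresses quoted above, so the same pass also reports any source that matches them.

```python
"""Password-spray and IOC-hit detection over constructed auth-log lines."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Proxy addresses quoted from the Resecurity IOC list reproduced in the post.
IOC_IPS = {
    "23.237.104.90", "194.59.251.12", "185.244.214.198", "138.201.142.113",
    "92.222.252.193", "51.15.240.100", "185.220.70.135",
}

# Constructed, simplified log format: "<ISO time> <FAIL|OK> user=<name> src=<ip>".
LOG_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

# Constructed sample: one source walks six accounts with one guess each and then
# logs in as one of them; a second source hammers a single account (brute force,
# not a spray); a third is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2018-12-07T10:00:01 FAIL user=alice src=51.15.240.100
2018-12-07T10:00:04 FAIL user=bob   src=51.15.240.100
2018-12-07T10:00:07 FAIL user=carol src=51.15.240.100
2018-12-07T10:00:10 FAIL user=dave  src=51.15.240.100
2018-12-07T10:00:13 FAIL user=erin  src=51.15.240.100
2018-12-07T10:00:16 FAIL user=frank src=51.15.240.100
2018-12-07T10:03:00 OK   user=erin  src=51.15.240.100
2018-12-07T10:01:00 FAIL user=alice src=10.0.0.5
2018-12-07T10:01:05 FAIL user=alice src=10.0.0.5
2018-12-07T10:01:10 FAIL user=alice src=10.0.0.5
2018-12-07T10:01:15 FAIL user=alice src=10.0.0.5
2018-12-07T10:01:20 FAIL user=alice src=10.0.0.5
2018-12-07T10:02:30 FAIL user=bob   src=10.0.0.9
2018-12-07T10:02:40 OK   user=bob   src=10.0.0.9
"""


def parse_log(text):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each spraying source IP to the sorted list of accounts it targeted.

    A spray is many distinct users from one source inside one window, each
    tried only a couple of times.  A brute force (one user, many tries) has the
    opposite shape and is deliberately not matched here.
    """
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))

    sprayers = defaultdict(set)
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            counts = Counter(u for _, u in attempts[start:end + 1])
            # only "low and slow" accounts count toward the spray; a user hit
            # many times in the same window is noise from a separate brute force
            low = [u for u, c in counts.items() if c <= max_per_user]
            if len(low) >= min_users:
                sprayers[src].update(low)
    return {src: sorted(users) for src, users in sprayers.items()}


def compromised_accounts(events, sprayers):
    """Accounts with a successful login from a source that was spraying."""
    return sorted({user for _, result, user, src in events
                   if result == "OK" and src in sprayers})


def ioc_hits(events):
    """Source IPs in the log that appear on the IOC proxy list."""
    return sorted({src for _, _, _, src in events if src in IOC_IPS})


def analyze(text):
    events = parse_log(text)
    sprayers = detect_spray(events)
    return {
        "sprayers": sprayers,
        "compromised": compromised_accounts(events, sprayers),
        "ioc_hits": ioc_hits(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, only 51.15.240.100 is reported as a sprayer, erin is the account whose password worked, and the same source matches the IOC list. The thresholds (five distinct users inside ten minutes, at most two tries each) are a starting point to tune against your own failed-login baseline; sprays against a 32,000-account list will usually be far slower than this sample, so widen the window before narrowing the user count.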

Stryker not fit for combat?

The US Department of Defense's Office of the Director, Operational Test and Evaluation (DOT&E) has released a report detailing cyber vulnerabilities in the Stryker Dragoon war-fighting platform. DOT&E's recommendation is to ‘Correct or mitigate cyber vulnerabilities for the platform and government-furnished equipment.’

My Recommendation: Immediately pull all affected rolling stock from active utility until any contemplated investigation is completed along with full remediation and/or mitigation. Thoroughly investigate all systems with or without connectivity, and test for any form of vulnerability from standalone sabotage to suspected electronic warfare perspectives (including ‘cyberattacks’, network attacks, radio-telephony and coherent light attacks, or stand-alone one-off opportunistic aggressor-delivered attacks) utilizing both automated and non-automated code review, network packet analysis, operating system examination, etcetera. All of this accomplished with the full rigor that can be brought to bear on this problematic deployment by the most powerful defense organization on Earth. Time to get this platform squared away before letting our most valuable assets (our warfighters) loose on these lethal machines.

Apparently, the platform, which includes the much-anticipated 30mm cannon, was hacked during a recent NATO exercise. It is most likely that the hack was directed at the Stryker's data-sharing, navigation, or digital communications capabilities. Affecting any of these systems, or injecting false or confusing information into the networks, could greatly affect US forces in combat. These vehicles use GPS, as well as GPS-enabled systems referred to as Blue Force Trackers, which report their position relative to hostile forces and, more importantly, to friendly forces, which helps prevent blue-on-blue (friendly fire) incidents.

Interesting Traffic Analysis Related to Google Network Issues

Hello All. I just came across a recent post by Ameet Naik of ThousandEyes describing a recent Google outage and the traffic data they analyzed with their endpoint product.

“ThousandEyes noticed issues connecting to G Suite, a critical application for our organization. Reviewing ThousandEyes Endpoint Agent stats, we noticed this was impacting all users at the ThousandEyes office. The outage not only affected G Suite, but also Google Search as well as Google Analytics. What caught our attention was that traffic to Google was getting dropped at China Telecom. Why would traffic from a San Francisco office traversing to Google go all the way to China? We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns.”

The full post is available on ThousandEyes’ blog site – https://blog.thousandeyes.com/internet-vulnerability-takes-down-google/
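To illustrate the kind of check behind that observation, here is an added Python example (not ThousandEyes code) that audits a traceroute-style path against a simple policy: traffic from a US office to Google should stay inside the office ISP's AS and Google's AS, stay in the US, and actually reach Google. The hop lists are constructed to mimic the post's normal and anomalous paths; AS15169 (Google) and AS4134 (China Telecom) are real, while the office ISP and the Russian ISP use stand-in ASNs from the RFC 5398 documentation range and addresses from the RFC 5737 documentation prefixes.

```python
"""Audit a traceroute-style path for unexpected transit (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Hop:
    ttl: int
    ip: Optional[str]        # None when the hop timed out
    asn: Optional[int]       # origin AS of the hop address, None if unknown
    country: Optional[str]   # country of that AS, None if unknown


GOOGLE_ASN = 15169           # real: Google
CHINA_TELECOM_ASN = 4134     # real: China Telecom
OFFICE_ISP_ASN = 64496       # constructed, RFC 5398 documentation range
FOREIGN_ISP_ASN = 64500      # constructed stand-in for the Russian ISP in the post

# Policy: from a US office the only transit we expect on the way to Google is
# our own ISP, and every responding hop should sit in the US.
EXPECTED_TRANSIT = {OFFICE_ISP_ASN}
ALLOWED_COUNTRIES = {"US"}

# Constructed healthy path: office ISP, then straight into Google.
NORMAL_PATH = [
    Hop(1, "192.0.2.1", OFFICE_ISP_ASN, "US"),
    Hop(2, "192.0.2.9", OFFICE_ISP_ASN, "US"),
    Hop(3, "198.51.100.7", GOOGLE_ASN, "US"),
    Hop(4, "198.51.100.20", GOOGLE_ASN, "US"),
]

# Constructed to resemble the path in the post: a Russian ISP appears, then the
# trace dies inside China Telecom and never reaches Google.
HIJACKED_PATH = [
    Hop(1, "192.0.2.1", OFFICE_ISP_ASN, "US"),
    Hop(2, "192.0.2.9", OFFICE_ISP_ASN, "US"),
    Hop(3, "203.0.113.5", FOREIGN_ISP_ASN, "RU"),
    Hop(4, "203.0.113.40", CHINA_TELECOM_ASN, "CN"),
    Hop(5, None, None, None),
    Hop(6, None, None, None),
]


def audit_path(hops, dest_asn=GOOGLE_ASN, expected_transit=EXPECTED_TRANSIT,
               allowed_countries=ALLOWED_COUNTRIES):
    """Describe whether the path reached dest_asn and which hops break policy."""
    reached = any(h.asn == dest_asn for h in hops)

    # Any responding AS that is neither our transit nor the destination.
    unexpected = [h for h in hops
                  if h.asn is not None and h.asn != dest_asn
                  and h.asn not in expected_transit]

    # Any responding hop located outside the countries we expect to traverse.
    foreign = [h for h in hops
               if h.country is not None and h.country not in allowed_countries]

    # If the destination was never reached, the last AS that answered is where
    # the traffic is being dropped (or silently absorbed).
    last_answer = None
    for h in hops:
        if h.ip is not None:
            last_answer = h
    dropped_in = None
    if not reached and last_answer is not None:
        dropped_in = last_answer.asn

    return {
        "reached_destination": reached,
        "unexpected_asns": sorted({h.asn for h in unexpected}),
        "foreign_hops": [(h.ttl, h.ip, h.country) for h in foreign],
        "dropped_in_asn": dropped_in,
        "suspicious": (not reached) or bool(unexpected) or bool(foreign),
    }


if __name__ == "__main__":
    for name, path in (("normal", NORMAL_PATH), ("hijacked", HIJACKED_PATH)):
        print(name, audit_path(path))
```

In practice the AS and country columns come from an IP-to-ASN lookup on each hop address, and the expected-transit set is learned from a baseline of healthy traces rather than hard-coded; the value of the check is that it fires on the path shape the post describes (a foreign AS in the middle and no hop in the destination AS) regardless of whether the cause was a leak or a deliberate hijack.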

Public Power Magazine

I want to send a huge thanks to the American Public Power Association for allowing me to contribute, along with others, to a recent article called “Drones, AI, IoT, and the brave new world of cybersecurity”, which discusses the various cyber disruptors affecting everyday life, especially electric utilities and their use of next-generation smart meters and other IoT devices. The APPA have a fabulous editorial and content staff and they were a blast to work with. I will also be keynoting at their Cybersecurity Summit on November 13-14, 2018 in Austin, TX. #PublicPower