Of Worms and Vulnerabilities. Three notable cherry-picks in 10 minutes.
Have you been hacked yet?
Yes? Well, …
Security breaches are all over the news. Hardly a day goes by without headlines such as a spicy Company XYZ hacked, offline for two days, approx. $10m damage, a whopping User Account Data Leaked: Tens of Thousands of Credit Card Details Circulating on the Dark Web, or a more or less unsettling New study warns that smart light bulbs could allow hackers to steal your personal data. The last of these may draw a wry smile, but it also raises real concern about the products we use.
Although the growing number of news articles about security threats should raise awareness, the number of end users and companies that fall victim to malware keeps growing. Often the upfront work of securing systems seemed too complicated or too expensive. Weak and reused passwords remain one of the best-known problems on the user side. Companies face even harder challenges: they inherit all of their employees' weaknesses and additionally attract more attackers who are after their funds and look for the big fish, possibly by hooking smaller ones first.
In this article I present three security incidents that impressed me, each with its own focus. Stuxnet, WannaCry and Heartbleed are briefly outlined as examples of how dangerous, yet subtle, a piece of software can be, whether it harms your company, your machines or possibly even you.
One of the most common types of malware (malicious software) is the worm: a stand-alone, self-propagating program that spreads to other machines without attaching itself to a host file and without user interaction. Besides the famous Morris worm of 1988, one of the very first computer worms to gain public attention, a sophisticated example of what a worm can do is…
Being only about half a megabyte in size, Stuxnet became famous for its attack on the Iranian uranium enrichment facility at Natanz, discovered in 2010. According to the most widely accepted account, it entered the facility, whose control networks were isolated from the internet, on a USB drive: an infected drive was plugged into a computer, and that marked the beginning of the end.
Notably, Stuxnet limited how many machines each infected USB drive could spread to and then removed itself from the drive, making its origin hard to trace. From the freshly infected computer it spread through the local network using several Windows vulnerabilities, some of them zero-days at the time, and escalated its privileges along the way. Its actual targets were Siemens S7 PLCs, the programmable logic controllers driving the machinery (the centrifuges) in the facility, which it reached through the Siemens Step 7 engineering software installed on infected Windows PCs.
In addition to covering its tracks, this worm had multiple methods in place to stay undetected while it operated. Without going too deep: it hid its components from antivirus software by never writing them to disk as ordinary files. Its loader hooked the Windows functions used to map files into memory, so that requests for specially named, non-existent files (which would normally fail with an error) were instead served from encrypted code blocks held in memory and decrypted on demand. Its kernel drivers were also signed with code-signing certificates stolen from two legitimate hardware vendors, so Windows loaded them without complaint. Together, these tricks let Stuxnet slip past the antivirus software of the day.
But hold on, it becomes even more interesting.
Stuxnet managed to infect many devices within the network and gained enough control to do as it pleased. Instead of tripling the centrifuges' rotation speed and trying to destroy the machinery in a single strike, it took its time to make sure enough systems were infected. It then changed the rotation speed of the centrifuges only slightly, and raised the pressure of the process gas in the enrichment cascade only a bit.
These slight changes did not destroy the machines immediately, but neither did they trigger alerts or look dangerous to the operators. Any one of them on its own would not have hurt; the combination of many small deviations over months made the difference. Stuxnet even recorded sensor readings from normal operation and replayed them to the monitoring systems while its sabotage routine ran, so the screens showed business as usual.
Not a single screen showed a problem and no alert was triggered; no operator standing next to a centrifuge could see or hear a difference. Rapid, large changes might have caused an automatic safety shutdown, or someone hitting an emergency stop and powering off the endangered systems. Stuxnet took this into account and chose the, from the attacker's point of view, safer and more subtle way, ultimately destroying roughly a fifth of the centrifuges at Natanz (about 1,000 of the roughly 5,000 installed at the time).
The above true story shows how subtle and sophisticated a worm can be in reaching its creator's goals. The intention here was likely to destroy machinery rather than to hurt the workers: they would notice the centrifuges failing only when it was too late for the machines, but still in time to get to a safe distance. Immediately raising the rotational speed might have caused injuries or worse, and that is what Stuxnet's approach ultimately avoided.
Another famous piece of code went after a far larger group of potential victims than Stuxnet did: all unpatched Windows machines, not only those in nuclear facilities. Ladies and gentlemen, welcome our next guest:
The cryptoworm WannaCry followed different intentions than Stuxnet. Whereas Stuxnet focused on destroying (parts of) a nuclear facility and is widely believed to be state-sponsored, WannaCry was about making money and had its moment in May 2017.
Like most other ransomware, it encrypts the victim's files (documents, databases, anything of value on the disk, rather than the drive as a whole) and holds the data for ransom. A lump sum of $300, rising to $600 if the victim waited too long, was to be paid in bitcoin; in return, decryption of all files was promised, and therefore the release of possibly important or even business-critical data.
Unlike most ransomware, however, WannaCry is not a trojan but a worm: it spread without any user interaction and thereby reached far more machines than typical crypto trojans, which need someone to open an attachment. WannaCry used an exploit for Microsoft's SMBv1 file-sharing service called EternalBlue, published by the Shadow Brokers group in April 2017, for which Microsoft had already shipped a fix (security bulletin MS17-010) in March 2017, two months before the outbreak. Many users, especially in corporate environments, had not applied the update in the meantime and still fell victim to the worm.
Public sources such as the BBC pointed out that the ransom should not be paid and that paying might not even get the files back. Nevertheless, many transactions to the attackers' bitcoin wallets could be observed within a few days of the outbreak, totalling more than a hundred thousand US dollars at the time. The worm's spread was slowed not by a patch but by a security researcher who registered an unused domain that the malware checked before running, a kill switch built into its own code.
Almost a quarter of a million infected devices in around 150 countries, a six-figure sum in ransom payments and total damages in the hundreds of millions of dollars later, Microsoft issued an emergency patch extending the existing MS17-010 fix to unsupported versions such as Windows XP and Server 2003. That did not undo the damage already done, but it protected patched systems from further infection. The EternalBlue exploit itself was not eliminated: unpatched SMBv1 hosts remain exploitable to this day, which is why applying MS17-010 and disabling SMBv1 are still standard checks in any Windows environment.
The next vulnerability affected even more users than WannaCry did and existed for an even longer time. Meet…
Our final troublemaker is called Heartbleed and was neither a worm nor a trojan. It was a bug (CVE-2014-0160) in OpenSSL, the library that implements TLS for a large share of the world's web servers, introduced with OpenSSL 1.0.1 in 2012, which let attackers read normally protected data out of a server's memory. It went unnoticed for two years and was publicly disclosed and fixed in April 2014. Heartbleed ranks among my top three because it potentially affected everyone using the internet: it did not target a specific operating system but the software behind the protocol used for secure communication.
Heartbleed let an attacker read the server's memory in chunks of up to 64 KB per request, and that memory could contain the server's private key. With the key, the attacker could decrypt recorded traffic of that server (at least for connections that did not use a forward-secret key exchange), or impersonate the server and play man-in-the-middle, communicating with victims who had no hint that it was the attacker responding. Even without the key, a single request could return other users' session cookies, passwords and form data. The communication between the victim and many of the most common websites could be eavesdropped on. The worst part: the end user could do nothing about it except wait for the server to be patched, and then change their passwords.
Heartbleed abused a feature of the TLS protocol as implemented by OpenSSL: the heartbeat extension, meant to check that the other side is still alive. A client sends a small payload together with a length field stating how long that payload is, and the server is supposed to echo the payload back. This works well as a keep-alive, and it could be abused even better, because the vulnerable OpenSSL versions trusted the length field instead of checking it against the amount of data actually received.
Consider the following situation: you tell the server to send back the first 30 letters of the phrase "dog". You would expect an error, or only the three letters that exist. Servers running an affected OpenSSL version instead sent back "dog" followed by whatever happened to be next in memory, up to the requested amount. The output might look like this: "dogChristiansMasterKeyIs123456". (P.S.: It's not, probably)
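To make the "first 30 letters of dog" situation concrete, here is an added example in C (written for this article, not OpenSSL's own source) that simulates the heartbeat handler in its vulnerable and its fixed form. The record layout follows RFC 6520 (one type byte, a two-byte length, the payload, at least 16 bytes of padding); the simulated process memory, the secret placed behind the record and all helper names are constructed for the demo.

```c
/* Simulation of the TLS Heartbeat handling behind Heartbleed (CVE-2014-0160).
 * Added example for this article, not OpenSSL's code. A heartbeat record is
 * [type:1][payload_length:2, big-endian][payload][padding:16]. The vulnerable
 * handler trusts payload_length; the fixed one compares it with rec_len, the
 * number of bytes actually received. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                   /* RFC 6520: at least 16 bytes */
#define RESP_MAX    (3 + 65535 + HB_PADDING)

/* Simulated process memory (constructed): the record lands at the start and a
 * secret sits right behind it, the way keys and session data sat near
 * OpenSSL's record buffers. Sized so even a 65535-byte claim stays inside. */
static unsigned char process_memory[RESP_MAX + 64];
unsigned char response[RESP_MAX];
static const char SECRET[] = "ChristiansMasterKeyIs123456";

typedef size_t (*hb_handler)(const unsigned char *, size_t, unsigned char *);

/* Build a request whose length field may lie. Returns the true record length. */
static size_t build_heartbeat(unsigned char *out, const char *payload,
                              uint16_t claimed_len)
{
    size_t real_len = strlen(payload);
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler (OpenSSL before 1.0.1g): echoes payload_length bytes
 * without ever looking at rec_len, so a lying client reads past the record
 * into whatever follows it in memory. Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    (void)rec_len;                       /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* over-read past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler (the 1.0.1g check): header + declared payload + padding must
 * fit inside the bytes actually received, otherwise the record is silently
 * discarded. Returns 0 when rejected. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                        /* lying length field: drop it */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Byte-buffer substring search (memmem is not standard C). */
int response_contains(const unsigned char *hay, size_t hay_len,
                      const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Lay out record + secret, run one handler and report: -1 record rejected,
 * 1 the secret shows up in the response, 0 it does not. */
int leaks_secret(hb_handler handler, const char *payload, uint16_t claimed_len)
{
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_heartbeat(process_memory, payload, claimed_len);
    memcpy(process_memory + rec_len, SECRET, sizeof SECRET);
    size_t resp_len = handler(process_memory, rec_len, response);
    if (resp_len == 0)
        return -1;
    return response_contains(response, resp_len, SECRET);
}

int main(void)
{
    /* "send me the first 300 letters of the phrase potato" */
    printf("vulnerable: leaked=%d\n", leaks_secret(heartbeat_vulnerable, "potato", 300));
    printf("fixed:      result=%d (-1 = rejected)\n", leaks_secret(heartbeat_fixed, "potato", 300));
    printf("fixed, honest length 6: leaked=%d\n", leaks_secret(heartbeat_fixed, "potato", 6));
    return 0;
}
```

The condition in heartbeat_fixed is the essence of the real one-line patch: header, declared payload and padding must fit in the bytes that actually arrived, and anything else is dropped without a reply. Run it and the honest request is echoed back in both versions, while the lying request returns the secret from the vulnerable handler and nothing at all from the fixed one.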
The following xkcd comic does a great job in further depiction of the scenario:
Imagine the possibilities an attacker abusing Heartbleed had for two years: login credentials, credit card details, online banking PINs, none of it protected by the otherwise strong encryption that covers most internet traffic today, and a heartbeat request leaves no trace in the server's logs. Fun fact: the name Heartbleed derives from the feature the bug lives in, the TLS Heartbeat extension.
I hope this article presents past security issues in an understandable way. Some attacks use highly sophisticated methods, possibly years of engineering and precise planning; others are as simple as "send me the first 300 letters of the following phrase: potato".
Thank you for reading. I want to close with a possibly familiar question and a final thought:
Have you been hacked yet?
To put it in the famous words of former FBI director Robert Mueller:
There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.
Some recommended readings and sources:
Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon