Slashdot Mirror


Eastern European Banks Were Attacked Via Backdoors Directly Connected To Local Networks, Report Finds (securelist.com)

An anonymous reader writes: Kaspersky security researcher Sergey Golovanov writes about recent cybertheft incidents involving hardware backdoors planted by criminals. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks, which caused damage estimated in the tens of millions of dollars. Hardware backdoors are cheap and immune to antivirus. A firmware-modified, OpenWrt-based router can provide covert remote access, painless packet captures, and secure VPN connections with the flip of a switch. Will a flashlight and a ladder be common tools of computer security someday? After the cybercriminals entered an organization's building, connected a device to the local network and scanned the local network seeking to gain access to the resources, they proceeded to stage three. "Here they logged into the target system and used remote access software to retain access," writes Golovanov. "Next, malicious services created using msfvenom were started on the compromised computer. Because the hackers used fileless attacks (PDF) and PowerShell, they were able to avoid whitelisting technologies and domain policies. If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely."

43 comments

  1. Experts don't exist. by Anonymous Coward · · Score: 0

    Quit looking to the authorities to design the best world for you. They don't know what they're doing.

    1. Re:Experts don't exist. by Anonymous Coward · · Score: 1

      Even OpenWRT was written by "authorities" so you're being kind of vague with your sandwich-board doomsdaying.

  2. It does seem like VPN's are a widespread now... by SuperKendall · · Score: 3, Interesting

    I totally understand why a company would want to put all remote offices into a private company VPN, but it sure seems like it opens them up to physical attacks like this in a way they would not be otherwise... maybe companies should work harder to make everything a worker needs accessible via the internet at large and have a more protected domain that is harder to attack - physical as well as network-wise.

    That would help improve the life of remote workers also, as a happy byproduct.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:It does seem like VPN's are a widespread now... by kiviQr · · Score: 2

      Better question is why they are on the same network. Office and bank networks should have been separated.

    2. Re:It does seem like VPN's are a widespread now... by Anonymous Coward · · Score: 0

      Exactly, it's a classic network firewalling segmentation problem coupled with no physical security audits. Of course Kendall strongly suggests AWS would solve all problems like a classic not-actual-IT Java Dev... derp.

    3. Re:It does seem like VPN's are a widespread now... by Aighearach · · Score: 1

      The point is, you can't trust something just because it is on the LAN. If you understand that, then a VPN increases security. If you don't, then it decreases it.

      Same with most tools, really.

    4. Re:It does seem like VPN's are a widespread now... by turbidostato · · Score: 2

      "I totally understand why a company would want to put all remote offices into a private company VPN"

      But the key of this attack was not VPN, the general concept. It was physical access coupled to "... malicious services created using msfvenom [...] If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely."

      Or, in other words, another Windows-vector attack.

      I also totally understand why a company would want to put all remote offices into a private company VPN (which doesn't preclude to be properly segmented). What it's totally incomprehensible is why they insist in using Windows.

    5. Re:It does seem like VPN's are a widespread now... by Anonymous Coward · · Score: 0

      "I totally understand why a company would want to put all remote offices into a private company VPN"

      But the key of this attack was not VPN, the general concept. It was physical access coupled to "... malicious services created using msfvenom [...] If they encountered a whitelisting that could not be bypassed, or PowerShell was blocked on the target computer, the cybercriminals used impacket, and winexesvc.exe or psexec.exe to run executable files remotely."

      Or, in other words, another Windows-vector attack.

      I also totally understand why a company would want to put all remote offices into a private company VPN (which doesn't preclude to be properly segmented). What it's totally incomprehensible is why they insist in using Windows.

      And if they didn't run Windows the attacks would be based around whatever they used. Considering their lack of proper lockdown of Windows, they would have missed similar avenues on any other OS. The only operating systems that are close to 100% secure out of the box are expensive and not fun to use, and no, *linux, *bsd, OS X, QNX, Solaris, Tru64, AIX, HP-UX are not among them.

    6. Re:It does seem like VPN's are a widespread now... by Anonymous Coward · · Score: 0

      So no OS is secure then? The most secure OS is one that doesn't exist. Or one that is never on.

  3. Authorities by virtue, not by decree. by Anonymous Coward · · Score: 1

    The authors of OpenWRT are authoritative by virtue of their works.

    These Big Banks are authoritative by decree of the Men-with-Guns, and their rotten produce proves again and again that this decree is nonsensical.

    Authority is earned, not imposed.

    1. Re:Authorities by virtue, not by decree. by Anonymous Coward · · Score: 0

      And OP didn't specify, was vague, hence the point - they implied nobody was in a position of security authority. Yet, best practices exist and are ignored and that's the real issue of scale.

      So in a sense the 'authority' problem is that the people with the regulatory authority aren't listening to the experts to enforce the best practices - and a similar dynamic in corporate culture vs IT reality.

    2. Re:Authorities by virtue, not by decree. by Anonymous Coward · · Score: 0

      "Authority is earned, not imposed."

      Nope, Authority is taken, by force, always.

      You are confusing respect with authority.

  4. Layered security or you're a Marriott by Anonymous Coward · · Score: 0

    "Will a flashlight and a ladder be common tools of computer security someday?" - Aren't they outside of your IT budget already if you're not even employing people to do even visual security audits?

  5. Yeah, I'm a back door man by Anonymous Coward · · Score: 0

    I'm a back door man
    The men don't know
    But the little girls understand

  6. Lol, just... no. by Anonymous Coward · · Score: 0

    Lol. VPN's "open them up" to physical attacks? That's moronic from first thought to you typing it.

  7. You run windows and complain about a security? by kiviQr · · Score: 1

    Windows never followed the least privilege principle.

  8. Wait, you blame VPN's and suggest the cloud??? LOL by Anonymous Coward · · Score: 0

    So to recap, your excuse for not having proper local basic security hardware audits is... to put that in the cloud? Are you even serious lol.

  9. Oh, I Have a Book for You. by Anonymous Coward · · Score: 0

    Will a flashlight and a ladder be common tools of computer security someday?

    Oh boy. I have a book you really need to read.

    1. Re:Oh, I Have a Book for You. by bickerdyke · · Score: 1

      Will a flashlight and a ladder be common tools of computer security someday?

      Oh boy. I have a book you really need to read.

      They are...

      And I would even suggest an older book: Neuromancer. It's a Cyberpunk staple that hacking runs require well-timed physical access, either to plant a bridgehead, to bypass a physical security switch or to create a diversion.

      It's the other way round in heist movies: A raid party has their computer nerd to hack the alarm system (which is not only for dramatic reasons possible only after bypassing a first layer of physical security)

      --
      bickerdyke
  10. It wuz haxx0rz! by Anonymous Coward · · Score: 0

    BeauHD still not k-rad.

  11. visual security audits at each office? building ma by Joe_Dragon · · Score: 1

    visual security audits at each office?

    and with some building lease agreements it's the building maintenance job to work on stuff that needs a ladder.

  12. Re:visual security audits at each office? building by Anonymous Coward · · Score: 0

    There shouldn't be anywhere that you're swinging a ladder around critical network hardware without management. If you're too small to have actual security make monetary sense, you are too small to offer secure offerings.

    This goes for banks, developers, credit bureaus, anything. There is no security if people have access to back-end hardware or core networking.

    If you're running a real network serving more than 5 people without IDS of some kind, you are not in a professional environment, you are a ripe pineapple and here comes the pen.

  13. You mean anyone can connect to the network? by bobstreo · · Score: 5, Informative

    Security 101, deny unauthorized hardware from connecting to the local network, either hardwired or via WIFI. Especially when having anything to do with banks. Going cheap never works well with networking that should be "secure".

    Switches and access points are pretty trivial to setup to deny access.

    1. Re: You mean anyone can connect to the network? by Anonymous Coward · · Score: 0

      Even MAC address filtering and disabling unused ports with disconnection alarms can provide a small modicum of security, but 802.1X should be mandatory in sensitive locations.

    2. Re: You mean anyone can connect to the network? by Anonymous Coward · · Score: 0

      MAC address filtering? You mean forcing attackers to take the extra step of first observing all traffic in promiscuous mode and then cloning an existing MAC address to send packets? Great idea. Also remember to apply ROT13 to your printed labels and you might confuse attackers about which jack is for power and which jack is for Ethernet!!

    3. Re: You mean anyone can connect to the network? by Anonymous Coward · · Score: 0

      yep, clone the MAC, set up a pass-thru and plug it into an existing device so you get past the MAC-to-port block too.

    4. Re: You mean anyone can connect to the network? by Anonymous Coward · · Score: 0

      modicum
      a small quantity of something
      synonyms: small amount, particle, speck, fragment, scrap, crumb, grain, morsel, iota

      Learn to read spaz.

    5. Re:You mean anyone can connect to the network? by Anonymous Coward · · Score: 1

      Denying unauthorised hardware connection to the corporate network is fine - until the CEO can't connect his new iPad.

    6. Re:You mean anyone can connect to the network? by Anonymous Coward · · Score: 0

      Denying unauthorised hardware connection to the corporate network is fine - until the CEO can't connect his new iPad.

      Why would the CEO connect his own iPad? Normally they hand it to an administrative assistant who calls IT to set it up. What kind of CEO configures his own device?

  14. Bank computers should be using I2P networking by Anonymous Coward · · Score: 0

    Bank computers should be using I2P networking. Devices not part of the trusted systems are left out.

    There are other implementations for keeping workstations on different LANs than non-approved devices. Basically, any unknown device would be placed onto a printer network hoping to limit damage and access. That printer network should never have internet access without an authenticated login.

    Alas, I don't work in bank network security, and they probably shouldn't be using network equipment designed in China.

  15. Will a flashlight and a ladder be common tools by Anonymous Coward · · Score: 0

    Umm any responsible network manager has been doing this for at least 2 decades.

  16. Re: It does seem like VPN's are a widespread now.. by Anonymous Coward · · Score: 0

    Dot1x with appropriate profiling. We don't allow goofball hardware on our network for a good reason. Any goofball hardware that a vendor needs is stuck on a separate VRF instance.

  17. LAN inhibits strong security by SuperKendall · · Score: 2

    The point is, you can't trust something just because it is on the LAN.

    I agree but how long does that ever really hold in any large company?

    Over time a LOT of stuff will grow in any company to lazily trust the LAN, or at least they sure will not think about attacks from that vector nearly as hard as the firewall guys.

    If you have to make those things open to outside use the whole chain gets a lot more thought applied as to access security. Otherwise server after server gets thrown up with minimal access protection because it is already "protected" by the company firewall.

    You can't just wave your hands and say you need to understand you shouldn't trust something just because it's within the LAN, because that ignores how people behave in reality over time. No security team at any company has enough power or funds or people to actually enforce that idea.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  18. If you think about it, yes by SuperKendall · · Score: 2

    I realize I probably didn't make that quite clear enough for the syrupy mind of an AC - so I will explain...

    I'm talking about cases where whole remote offices are set up on a VPN. Often easier to get into satellite offices than main HQ, and not nearly as carefully monitored. Then you have access to the internal network if you leave something attached to any one of a number of hardwired ports probably lying about, near a plug...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  19. No, you just chose the dumbest interpretation. by Anonymous Coward · · Score: 0

    Your rebuttal about vagueness is a straw man argument.

    These are slashdot comments, not peer-reviewed philosophy papers. The OP is quite clear to anyone who isn't looking to split hairs or argue over terminology.

  20. It was already on the "Cloud"... by SuperKendall · · Score: 2

    So to recap, your excuse for not having proper local basic security hardware audits is.

    When did that go away? You still need to do that anyway.

    to put that in the cloud?

    Um - I realize being an AC you may not quite understand this, but "the cloud" is just servers. Anything I was talking about is servers, so it's already on "the cloud" regardless of what I am suggesting - I'm merely talking about enabling access to servers (which again were always there being servers) outside the firewall, rather than presuming people on the VPN should get in more easily.

    There was one company I was at that took it a bit too far the other way though - they actually had some servers I could *only* access when not on the company VPN! Now that was interesting, but I think too far.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  21. Re: It does seem like VPN's are a widespread now.. by Anonymous Coward · · Score: 0

    Unfortunately, even 802.1x is susceptible to a Man in the Middle attack (a la Duckwall at Defcon, "A bridge too far"), where a device is inserted in between the legitimate device and the switch in bridging mode, and configured to generate traffic that looks like it originated from the victim itself.

    I think the original point is that having an office VPN gateway means that any devices on the local network are automatically able to make use of the VPN gateway to access other systems, whereas individual VPN endpoints on each PC are less easy to take advantage of.

  22. Where is the technical talent responsible? by Targon · · Score: 1

    When you design a network, some basic concepts can really help when it comes to security. If you use a locked down DHCP system where the hardware MAC address of all approved machines is used, you assign an IP address from the DHCP server ONLY to those machines that are supposed to be there. New equipment must have that MAC address logged. Locking access to select IP addresses, and testing any connected equipment for MAC addresses that are not known would find the unauthorized devices.

    So, who designed the networks used at the banks? Do they even understand how to set things up so most internal devices are limited in what other devices they can connect to (router rules)?

    Yes, there will always be the potential for security to be violated, but the technology IS available that would make it much more difficult, as long as you have talented technical people who actually understand security.
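A small audit script, added here as an example and not something from the article or any commenter, that does what comments 13, 22 and 23 describe: compare what a switch's MAC table and the DHCP lease file actually show against an approved-device inventory (MAC plus the port it is supposed to be wired to), and flag unknown MACs, approved MACs turning up on the wrong port, and leases handed to unknown hardware. The inventory, MAC-table lines and lease lines are constructed sample data, and their formats are assumed.

```python
import re

# Approved devices: MAC -> (switch port it is wired to, label). Constructed sample.
APPROVED = {
    "00:11:22:33:44:01": ("Gi1/0/1", "teller-ws-01"),
    "00:11:22:33:44:02": ("Gi1/0/2", "teller-ws-02"),
    "00:11:22:33:44:10": ("Gi1/0/10", "branch-printer"),
}

# Constructed switch MAC-table output (assumed columns: vlan mac type port).
MAC_TABLE = """\
 10    0011.2233.4401    DYNAMIC     Gi1/0/1
 10    0011.2233.4402    DYNAMIC     Gi1/0/7
 10    0011.2233.4410    DYNAMIC     Gi1/0/10
 10    a4b1.c2d3.e4f5    DYNAMIC     Gi1/0/12
"""

# Constructed dhcpd.leases-style excerpt, one lease per line for brevity.
DHCP_LEASES = """\
lease 10.20.0.15 { hardware ethernet 00:11:22:33:44:01; client-hostname "teller-ws-01"; }
lease 10.20.0.77 { hardware ethernet a4:b1:c2:d3:e4:f5; client-hostname "openwrt"; }
"""

def normalize_mac(raw: str) -> str:
    """Accept 'aabb.ccdd.eeff' or 'AA:BB:CC:DD:EE:FF' and return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Yield (mac, port) for each dynamically learned entry in the MAC table."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "DYNAMIC":
            yield normalize_mac(parts[1]), parts[3]

def parse_leases(text):
    """Yield (ip, mac) from dhcpd.leases-style lease blocks."""
    pat = re.compile(r"lease (\S+) \{.*?hardware ethernet ([0-9a-fA-F:]+);")
    for m in pat.finditer(text):
        yield m.group(1), normalize_mac(m.group(2))

def audit(mac_table, leases, approved):
    """Return (finding, mac, detail) tuples for anything that is not in the inventory."""
    findings = []
    for mac, port in parse_mac_table(mac_table):
        if mac not in approved:
            findings.append(("UNKNOWN_DEVICE", mac, port))
        elif approved[mac][0] != port:
            # Approved MAC on an unexpected port: re-patched, or a cloned address.
            findings.append(("WRONG_PORT", mac, f"{port} (expected {approved[mac][0]})"))
    for ip, mac in parse_leases(leases):
        if mac not in approved:
            findings.append(("LEASE_TO_UNKNOWN", mac, ip))
    return findings
```

On the constructed data this reports the unknown MAC on Gi1/0/12 twice (in the MAC table and as a DHCP lease) and teller-ws-02 appearing on Gi1/0/7 instead of Gi1/0/2.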

  23. Active ports by Holi · · Score: 1

    This is why you only enable switch ports for authorized devices. Plug in whatever you want; without me there to enable the port on the switch your device is gonna be pretty useless.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  24. It can't be by Anonymous Coward · · Score: 0

    Not possible, I was told backdoors were for law enforcement to keep the world safe

  25. This is easier then you think. by Minupla · · Score: 1

    Check out this video:

    https://youtu.be/r-7lUgpemqc

    Along with showing how this is done, he's a great speaker.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  26. Nope. You are confusing "thug" with "authority". by Anonymous Coward · · Score: 0

    A thug isn't necessarily an authority.