I will start off this week’s discussion regarding wireless with an article that describes how a Las Vegas casino was hacked because of a fish tank that was connected to the Internet, and also a hack in which “smart pads” connected to insecure Wifi were used as the entry point.
https://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html
For this week, find another example that demonstrates how wireless networks were the entry point in a successful breach / attack.
Nicholas Fabrizio says
Title: Russia’s ‘Fancy Bear’ Hackers Used Leaked NSA Tool to Target Hotel Guests
URL: https://www.wired.com/story/fancy-bear-hotel-hack/
In August 2017, a Russian hacker group called “Fancy Bear” hacked a hotel’s Wi-Fi and began spying on customers’ computers. This hotel was known for having high-value travelers and it is believed this attack was associated with Russian military intelligence. The attackers used the leaked NSA hacking tool called EternalBlue to help gain a foothold in the hotel’s network. The group also used a tool called Responder which allowed them to covertly get connecting computers to return credentials without the user’s knowledge. The investigating security firm FireEye mentions in the article that even if the victims were using a VPN they still could have been exploited by the Responder hacking tool. Lastly, the security firm suggests the safest approach is to bring your own wireless hotspot and avoid using the hotel’s Wi-Fi.
Zhuofu Wang says
Hi Nicholas,
Thanks for sharing.
I think most people will use the wifi provided by the hotel without hesitation. If this is used by hackers, it will cause serious consequences. This article also mentioned that even if the victims use a VPN, they still can’t prevent hackers from exploiting them, which is interesting.
Nicholas Fabrizio says
I also found it interesting that a VPN would not have helped mitigate the risk here. It sounds like the tool being used, called Responder, not only allows network traffic to be viewed, but can request credentials. The article mentions the tool can “impersonate friendly entities with a fake authentication process, fooling the victim machine into transmitting its network username and password” which is why a VPN won’t help.
Anthony Wong says
Hi Nicholas,
I wrote about an article about hotels being the victim of a Wi-Fi attack as well. I thought it was interesting that the Responder tool could bypass the VPN. That was my initial thought on mitigating the risk. Besides bringing your own wireless hotspot, any thoughts on other controls that could have prevented this?
Zhuofu Wang says
I think there is a risk as long as you are connected to a wifi access point, because you don’t know who used what security protocol to provide you with the network. There seems to be no effective method other than using your own wireless hotspot.
Nicholas Fabrizio says
Hi Anthony,
The only other thoughts I have on how to prevent this besides using a wireless hotspot and a VPN would be to possibly use a virtual machine that you can delete after your stay at the hotel. Also, make sure no sensitive information is on the device or being transmitted over the network.
Candace T Nelson says
Hi Nick,
I decided to research whether hotel Wi-Fi security has improved since 2017 and came across a warning issued by the FBI on October 8, 2020. Hotels have begun offering daytime room reservations for employees who wanted to work somewhere other than their homes during the pandemic. The warning focused on the need for guests to exercise caution when using hotel Wi-Fi.
The warning said: “While this option may be appealing, accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks. Malicious actors can exploit inconsistent or lax hotel Wi-Fi security and guests’ security complacency to compromise the work and personal data of hotel guests. Following good cyber security practices can minimize some of the risks associated with using hotel Wi-Fi for telework.”
The FBI went on to point out associated weaknesses, e.g. there are no industry standards regarding secure Wi-Fi access in hotels, guests have no control over – or visibility into – hotel network infrastructures, equipment may be out of date (hence more susceptible to vulnerabilities), and there are no guarantees that firmware is being updated or that default passwords have been changed. While the FBI did not say that such attacks have occurred, they cautioned that the threats could come from either cybercriminals or nation-state actors.
The FBI recommended that guests use a reputable VPN and their phone’s wireless hotspot in lieu of the hotel Wi-Fi, which is consistent with the article you wrote about and our classmates’ comments. It is unfortunate that hotel Wi-Fi security has not improved over the past 2+ years.
https://nationalinterest.org/blog/techland/fbi-warns-cyber-security-risk-workers-hotel-wi-fi-170362#:~:text=%E2%80%9CMalicious%20actors%20can%20exploit%20inconsistent,Wi%2DFi%20for%20telework.%E2%80%9D
Amelia Safirstein says
Thanks for the article, Candace! Unfortunately, I think that the average professional wouldn’t know to research for information like this before working from a hotel. Hopefully, companies are making an effort to keep their employees informed but I’m sure it’s difficult to keep up with all of the increasing, creative ways that bad actors take advantage of the COVID-19 world.
Zhuofu Wang says
Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims
URL: https://thehackernews.com/2020/02/emotet-malware-wifi-hacking.html
The trojan Emotet got a new attack vector: it can use impacted devices to attack other victims who are connected to the same Wi-Fi network environment. The researchers at Binary Defense said this trojan has a “Wi-Fi spreader” module; when a device has been impacted, it can be used to scan Wi-Fi networks, then find other victims who are connected to these Wi-Fi networks. After this module gets the information about the Wi-Fi, it will launch a worm and try to connect to this Wi-Fi by using two internal password lists.
“There ain’t no such thing as a free lunch.” We need to be cautious about public free wifi access points. Most of the time, using your own mobile phone hotspot or wireless hotspot will be a better choice.
Bryan Garrahan says
Thanks for sharing, Zhuofu. I found it interesting when the article stated that the Emotet wifi spreader went undetected for almost two years. I was hoping the article would provide some detail around how or who was able to detect the malware. That being said, going undetected for the amount of time that it did is impressive and highlights the skills of the responsible attackers.
Nicholas Fabrizio says
I agree with you, it is really interesting that the wifi spreader module was able to go undetected for so long. This malware is a prime example of why it is important to make sure wifi passwords are long and not easily guessable to help protect against brute force attacks.
Zhuofu Wang says
Agree. Long and complex passwords are more resistant to brute force cracking, but the disadvantage in daily life is that it is difficult to remember many long passwords. Although there are some password saving tools/plugins, how do we make sure that they are not targeted by hackers?
Zhuofu Wang says
Another interesting thing is the source of the list of passwords owned by the attacker. I am curious how the attacker obtained such a large number of passwords. This should not be the randomly generated passwords, but the passwords that have actually been used.
Kelly Sharadin says
Probably purchased password lists from stolen breach data.
Zhuofu Wang says
Makes sense. Maybe these kinds of password lists are circulating in the black market.
Amelia Safirstein says
Absolutely! It’s imperative that users avoid using the same password for multiple accounts or at the very least, update all accounts if one is involved in a breach.
Candace T Nelson says
Good point, Bryan –
I am ALWAYS curious about how incidents are detected, whether it be a control deficiency, a financial fraud, or a cybersecurity breach. I conducted a little more research and encountered a BleepingComputer article on the same topic that was published a few weeks later. Although author Sergiu Gatlin did not disclose how the Emotet wifi spreader was detected, he did provide the following clues:
“Recently, the malware was delivered during late January in a malspam campaign that used the recent Coronavirus global health crisis as bait. Also in January, the Cybersecurity and Infrastructure Security Agency (CISA) warned of increased activity related to targeted Emotet attacks. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also issued a warning on the dangers posed by Emotet attacks, saying that the malware ‘provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware.’”
Additionally, CISA reported that the following serious outcomes may result if Emotet infections are not immediately addressed (note my references to two out of three components of the CIA security model):
• Loss of sensitive or proprietary information (Confidentiality)
• Disruption to operations (Availability)
• Financial losses
• Reputational harm
https://www.bleepingcomputer.com/news/security/emotet-actively-using-upgraded-wifi-spreader-to-infect-victims/
Kelly Sharadin says
Great article – had an incident with a potential Emotet on a Mac device, so in some ways the threat is neutralized, but I tried to argue that if it got out into the environment we’ll have trouble. This new module confirms my concern.
Bryan Garrahan says
The Kr00k vulnerability, found back in February, allowed hackers to intercept and decrypt wireless network packets in over a billion devices that contained Broadcom and Cypress wifi chips. Products used on a daily basis by consumers from brands such as Amazon, Apple, and Samsung were noted as containing the vulnerable wifi chips. The article states, “The attack relies on the fact that when a device suddenly gets disconnected from the wireless network, the Wi-Fi chip clears the session key in the memory and set it to zero, but the chip inadvertently transmits all data frames left in the buffer with an all-zero encryption key even after the disassociation. Therefore, an attacker in near proximity to vulnerable devices can use this flaw to repeatedly trigger disassociations by sending deauthentication packets over the air to capture more data frames, ‘potentially containing sensitive data, including DNS, ARP, ICMP, HTTP, TCP, and TLS packets.’” It appears that Apple deployed patches pretty quickly in order to mitigate the risk for its users. After doing some additional research, I wasn’t able to locate any news or articles regarding some of the other manufacturers’ approach to patching Kr00k. Is anyone else able to find anything?
Bryan Garrahan says
Link to the article below:
https://thehackernews.com/2020/02/kr00k-wifi-encryption-flaw.html
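Since the attack described above depends on forcing the same client to disassociate over and over, the over-the-air precondition is a burst of deauthentication/disassociation frames aimed at one station. The following added example (my own code, not from the article or the post) runs a simple sliding-window detector over a constructed list of 802.11 frame records; the MAC addresses, timestamps, window size and threshold are all assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

AP = "02:00:00:00:00:01"          # constructed access point MAC
CLIENT_A = "02:00:00:00:00:0a"    # constructed client that sees one ordinary deauth
CLIENT_B = "02:00:00:00:00:0b"    # constructed client hit by a deauth burst
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed 802.11 frame records, not a real capture:
# (timestamp in seconds, frame subtype, source MAC, destination MAC)
SAMPLE_FRAMES = [
    (0.0, "beacon", AP, BROADCAST),
    (1.5, "data", CLIENT_A, AP),
    (3.0, "deauth", AP, CLIENT_A),   # a single deauth, e.g. an inactivity timeout
    (4.0, "data", CLIENT_B, AP),
    (20.0, "deauth", AP, CLIENT_B),  # six deauths in two seconds against one client
    (20.4, "deauth", AP, CLIENT_B),
    (20.8, "deauth", AP, CLIENT_B),
    (21.2, "deauth", AP, CLIENT_B),
    (21.6, "deauth", AP, CLIENT_B),
    (22.0, "deauth", AP, CLIENT_B),
    (25.0, "data", CLIENT_B, AP),
]

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


@dataclass
class Alert:
    target: str          # client that was repeatedly disconnected
    window_start: float  # first deauth/disassoc in the flagged window
    count: int           # disconnect frames seen in that window


def detect_deauth_bursts(frames, window_s=10.0, threshold=5):
    """Flag any destination that receives >= threshold deauth/disassoc frames
    within window_s seconds. Kr00k needs the victim disassociated repeatedly so
    the chip flushes its buffer under the all-zero key, and that repetition is
    visible over the air as a burst of disconnect frames toward one station."""
    recent = defaultdict(deque)  # destination MAC -> timestamps inside the window
    alerts = {}
    for ts, subtype, _src, dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        window = recent[dst]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            prev = alerts.get(dst)
            if prev is None or len(window) > prev.count:
                alerts[dst] = Alert(dst, window[0], len(window))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst against {alert.target}: {alert.count} frames from t={alert.window_start}s")
```

A wireless IDS would feed real monitor-mode captures into the same loop; the one ordinary deauth against CLIENT_A stays below the threshold while the burst against CLIENT_B is reported.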
Anthony Wong says
Hi Bryan,
Thanks for sharing. I was able to find some advisories about mid-way through the web page in the URL below. I read the advisories from ASUS, Cisco, and Samsung, and it appears they also released patches to fix the Kr00k vulnerability. I thought it was a great response from ASUS and Cisco by performing analysis on their products and specifically calling out which devices would be vulnerable.
URL:
https://www.eset.com/int/kr00k/
Kelly Sharadin says
A former classmate I met through my previous courses introduced me to ASUS routers and the custom merlin firmware – I agree I think ASUS is a great product.
https://www.asuswrt-merlin.net/
Anthony Wong says
Yup, agreed. I have a few ASUS routers myself.
Zhuofu Wang says
Agree. Especially the Merlin system: it has many great features, and you can also add custom components. But compared to the official original firmware, Merlin is slightly unstable, so it needs to be restarted regularly.
Bryan Garrahan says
Thanks for sharing those Anthony. It appears action was taken pretty quickly by companies such as Cisco and Samsung (2-3 weeks from when the vulnerability was found).
Candace T Nelson says
Hi Bryan,
I also came across a Meraki customer advisory dated April 2020 wherein Cisco disclosed that certain products from the Meraki MR and MX product families used chips that were impacted by the kr00k vulnerability.
https://meraki.cisco.com/blog/cisco-meraki-customer-advisories/
Then, on October 5, 2020, Cisco released a Vulnerability Summary that included the following update regarding the fix: “We have applied Broadcom’s supplied fix internally to our firmware, but we are still testing to ensure stability and performance. We are unfortunately limited in our ability to provide specific dates on when these fixes will become generally available, this page will be updated as additional information becomes available.”
Regarding mitigation, Cisco stated that: “There are no mitigations for this vulnerability, a firmware upgrade is required.”
https://documentation.meraki.com/General_Administration/Privacy_and_Security/FullMAC_Wi-Fi_chipsets_vulnerability_(kr00k)
Bryan Garrahan says
Thanks Candace – let’s hope Broadcom product users upgraded their firmware.
Kelly Sharadin says
The Firefox web browser app (before version 80) on Android had a vulnerability involving SSDP, which allowed attackers to execute remote commands on the target’s device. The Firefox Android app utilizes the Simple Service Discovery Protocol, which acts as a network scanner looking for other devices on the network. Attackers were able to exploit this vulnerability by “replacing the location of the XML file in the response packets” (Dark Reading, 2020), tricking the target’s Firefox browser into connecting to the attacker’s malicious server. This attack demonstrates the compound effect of manipulating vulnerabilities in both wifi and web apps, resulting in an attacker leveraging these combined vulnerabilities with relatively minimal effort and maximum results. The article includes a proof of concept, which I also appreciate.
https://thehackernews.com/2020/09/firefox-android-wifi-hacking.html?&web_view=true
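The weak point in the post above is that the discovering client trusted whatever the SSDP reply put in its LOCATION header. The following added example (my own code, not from the article, the post, or Firefox) parses a constructed SSDP 200 OK and applies the validation a discovery client should do before fetching the device description: http/https only, a literal IP host, and that host equal to the address the UDP reply came from. The responses, addresses and the placeholder scheme in the rogue reply are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SSDP M-SEARCH responses for illustration; not captured from a real device.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.20:8080/description.xml\r\n"
    "\r\n"
)
# The rogue reply keeps everything valid except LOCATION, which no longer points at
# an XML device description over HTTP (the scheme here is a constructed placeholder).
ROGUE_RESPONSE = GOOD_RESPONSE.replace(
    "http://192.168.1.20:8080/description.xml", "some-app-scheme://do-something"
)

ALLOWED_SCHEMES = {"http", "https"}


def parse_ssdp_headers(raw: str) -> dict:
    """Parse the header block of an SSDP 200 OK into a lowercase-keyed dict."""
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK response")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_location(headers: dict, sender_ip: str):
    """Decide whether LOCATION may be fetched. Returns (accepted, reason)."""
    location = headers.get("location")
    if location is None:
        return False, "missing LOCATION header"
    parts = urlsplit(location)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"rejected scheme {parts.scheme!r}"
    if not parts.hostname:
        return False, "LOCATION has no host"
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False, "LOCATION host must be a literal IP address"
    if host != ipaddress.ip_address(sender_ip):
        return False, f"LOCATION host {host} does not match sender {sender_ip}"
    return True, "ok"


if __name__ == "__main__":
    for name, raw in (("good", GOOD_RESPONSE), ("rogue", ROGUE_RESPONSE)):
        print(name, check_location(parse_ssdp_headers(raw), "192.168.1.20"))
```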
Anthony Wong says
Wow, definitely low requirements needed for an Android user to be a victim of an attack. I’d be curious to see if attackers are able to escalate their privileges and move beyond the Firefox browser and compromise the entire phone.
Kelly Sharadin says
Well, they’re getting them to connect to C2 servers where they can continue to drop malware and where lateral movement can occur. So I would think the goal would be to compromise the entire phone to extract whatever content is on it, or to keep persistence, or simply to capture traffic going across the browser.
Zhuofu Wang says
The open-source nature of the Android system also makes attackers prefer to exploit it. This article also mentioned that “it could have been used in a way similar to phishing attacks”. From another perspective, phishing attacks are really “time-tested”.
Kelly Sharadin says
Agreed, as I always say, open-source is both a blessing and a curse. On one hand we have customization and accessibility, but on the other hand so do attackers 😉
Candace T Nelson says
Thank you for posting about this vulnerability, Kelly – I have an Android and planned to visit Verizon tomorrow, so now I have another mission to accomplish while there. I was recently disappointed during a visit to Verizon during which I asked about the possibility that my phone had become infected and the rep basically said the only way I can resolve the issue for sure would be to purchase a new smartphone. Not exactly what I consider to be adequate customer service 🙁
Anthony Wong says
In 2015, threat actors were exploiting a vulnerability with ANTLabs InnGate routers, which are commonly used in public places such as hotels and convention centers. The vulnerability is a result of poor authentication controls and would “give an attacker full read and write access to the file system of an ANTLabs’ InnGate device”. The attackers focused on C-suite executives and other high-value travelers staying at luxurious hotels. Attackers can infect Wi-Fi users with malware or steal data from any devices connected to the public network. At the time the article was written, 277 routers in 29 different countries were affected. ANTLabs immediately worked on a patch after it was aware of the vulnerability.
URLs:
https://www.consumeraffairs.com/news/hackers-breach-public-wi-fi-at-multiple-hotels-and-convention-centers-033015.html
https://thehackernews.com/2015/03/hacking-hotel-wifi-network.html
Kelly Sharadin says
Awesome example, Anthony. Just this previous week I was combing through ATP logs and I saw a chief (insert role here) connecting to a variety of untrusted hotel networks. The malware on the system was from a phishing email, but coupled with the poor security habit of connecting to unknown networks, that device was ALL the way messed up.
Anthony Wong says
In Nicholas’s post this week, he mentioned that a technique to avoid the risk of public Wi-Fi is to bring your own personal hotspot. Would a member from your team reach out to the executive and provide cyber training on connecting to untrusted hotel networks?
Thank you for sharing a real situation you saw at your day job.
Bryan Garrahan says
Similar to most other companies, each of our employees is also required to complete an annual cyber security training. However, I don’t recall if it provides ways to stay secure during travel (which it probably should). The structure of my organization does not require much travel for staff and senior level employees, so I believe there could be additional training requirements for higher level executive positions who do often travel.
Candace T Nelson says
In the February 2, 2020 article titled Hackers are hijacking smart building access systems to launch DDoS attacks, Zero Day contributor Catalin Cimpanu reported that hackers began exploiting a known command injection vulnerability (CVE-2019-7256) associated with the Linear eMerge E3 (“E3”) access control system. A product of Nortek Security & Control (“NSC”), E3 is installed in corporate headquarters, factories and industrial parks to control access to doors and rooms by employees and visitors based on their access codes or smart cards.
SonicWall researchers said this vulnerability “is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges. A remote, unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request.” Hackers are exploiting this vulnerability to take over devices, download and install malware, and then launch DDoS attacks on other targets. The attacks began on January 9, 2020 and tens of thousands of hits were being seen daily in over 100 countries, with the most attacks being observed in the US.
The good news is that there are only 2,375 Internet-accessible E3 devices registered. The bad news is that ten E3 vulnerabilities were disclosed in May 2019, including six that had a vulnerability severity score of 9.8 or 10 out of 10, yet NSC failed to provide patches.
https://www.zdnet.com/article/hackers-are-hijacking-smart-building-access-systems-to-launch-ddos-attacks/
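The SonicWall description quoted above (user input reaching a command-executing function without sanitizing) is the classic command injection pattern. The following added example (my own code, not the E3 firmware or the article's material; the E3's actual PHP is not reproduced) uses a hypothetical "ping a host" diagnostic parameter to contrast the vulnerable string-spliced command with an allowlisted, argv-based version, plus a small detection helper over constructed request parameter values.

```python
import ipaddress
import re

# Hypothetical diagnostic endpoint parameter, constructed to illustrate the
# command-injection class SonicWall describes for the E3. Python stand-ins only.

SHELL_META = re.compile(r"[;&|`$<>\n\\]")
HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_command_vulnerable(target: str) -> str:
    # BAD: the request parameter is spliced into a command line that a shell will
    # parse, so metacharacters in `target` turn into additional commands.
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allowlist validation: accept a literal IP address or a plain hostname
    (letters, digits, dots, hyphens, not starting with '-'); reject all else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME.fullmatch(target):
        return target
    raise ValueError(f"rejected target {target!r}")


def build_command_hardened(target: str) -> list:
    # GOOD: validated input becomes its own argv element and is run with
    # subprocess.run(argv) (shell=False), so nothing re-parses it. The handler
    # should also run as an unprivileged account, not root, and require
    # authentication before reaching this code at all.
    return ["ping", "-c", "1", validate_target(target)]


def is_rejected(target: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_command_hardened(target)
    except ValueError:
        return True
    return False


def flag_suspicious_params(query_values):
    """Detection helper: return request parameter values carrying shell
    metacharacters, the signature of a crafted request aimed at this bug class."""
    return [v for v in query_values if SHELL_META.search(v)]


# Constructed request parameter values (not real payloads from the campaign)
SAMPLE_PARAMS = ["192.0.2.10", "printer-1.example", "192.0.2.10; id", "host|uname"]

if __name__ == "__main__":
    print("vulnerable:", build_command_vulnerable(SAMPLE_PARAMS[2]))
    print("flagged:", flag_suspicious_params(SAMPLE_PARAMS))
```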
Nicholas Fabrizio says
Hi Candace,
Thank you for sharing this article. It is surprising to hear that Nortek Security & Control has not provided patches for these vulnerabilities, especially since there are known attacks being conducted on their devices. I’d imagine this news would be impacting their business financially, as companies are probably going to steer away from their products knowing their response time with patches on such high level vulnerabilities is poor.
Amelia Safirstein says
A hacker was able to figure out a couple’s WiFi password and found unsecured Nest devices on their network. They then used the Nest devices to scare the couple. The bad actor/prankster turned the heat up to 90 degrees and spoke to the couple through the Nest camera.
https://www.fox6now.com/news/felt-so-violated-milwaukee-couple-warns-hackers-are-outsmarting-smart-homes