John Pescatore – SANS Director of Emerging Security Trends
To change things up a bit, this week’s Drilldown focuses on two related items (included below) from NewsBites Issue 47. Both items concern vulnerabilities in nontraditional IT: network attached storage (NAS) devices and other specialized hardware.
The first item details the exploitation of vulnerabilities in the photo album and file manager software bundled with most NAS products sold by QNAP. A researcher notified QNAP of the vulnerabilities in mid-2019, and QNAP released patches in November 2019. As Johannes Ullrich points out, NAS devices are usually difficult to patch, and the file manager fix requires a firmware upgrade, which raises the bar further.
The second item points out that DARPA awarded Synack a contract for a managed bug bounty program. In this program, external researchers will look for exploitable weaknesses in devices developed under DARPA’s System Security Integration Through Hardware and Firmware (SSITH) project, which have incorporated secure architectures and tools to protect embedded IoT devices and sensitive databases from common vulnerability classes.
As we pointed out last week, many enterprises are finding it difficult to keep up with the volume of patches in standard Windows-based PCs, servers and applications. This is somewhat counterbalanced by more use of SaaS, where patching is automated by the SaaS vendor. However, there has been rapid growth in the use of specialized hardware (a la “The Internet of Things”) by enterprises, suppliers and now a work-at-home workforce--and attackers are targeting those devices.
When enterprises are evaluating NAS and other specialty devices, evaluation criteria should be heavily weighted toward vendors that show evidence of managed bug bounty programs and products that support automated remote patching. Devices that must be procured despite not meeting those criteria should be isolated in network segments with minimal external connectivity, no direct exposure to the internet, and high levels of monitoring.
Ransomware Attacks Targeting QNAP NAS Devices – Dangerous
(June 5, 2020)
Operators of the eCh0raix ransomware have begun a campaign that targets QNAP NAS devices. The attackers are gaining access to the devices through known vulnerabilities and brute-force password attacks.
If you own a QNAP or similar storage device (e.g., Netgear, Synology, Western Digital), do the following today: (1) Patch. These devices tend to be difficult to patch. You need to be careful not to disrupt any work if users use the device to store documents they work on--or worse, if the device is used as an iSCSI drive in a virtual environment. (2) Make sure that the device is not exposed to the internet. (3) Uninstall all components that are not required to operate the device. These devices often come with a large number of vulnerable web applications preinstalled. Uninstall as many of them as possible. Vendors try to sell these functions based on the number of features bundled with them. It is easy and cheap to add features by adding random open source components to the device. But vendors also often fail to secure these components, and with patching being difficult, these devices will be compromised after some time exposed to the internet.
Update the QNAP QTS and Security Counselor software, use stronger admin passwords, limit network accessibility, disable Telnet and unused SSH services, and enable QNAP snapshot service. Flaws in eCh0raix have been fixed, which neutralized the free decryption option released by BloodDolly.
NAS devices should not be connected to public networks, or should be hidden behind end-to-end application-layer encryption.
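The item above names brute-force password attacks as one of the two ways eCh0raix operators get in, and the Drilldown asks for "high levels of monitoring" on any segment that holds devices like these. The Python below is an added example written for this note, not code from SANS, QNAP or the cited reports: it runs a sliding-window detector over a NAS's exported authentication log and separates three patterns that a plain "N failures" counter conflates: a brute-force run against one account, a password spray (few attempts per account across many accounts, which stays under a per-account lockout), and the compromise signal of a successful login immediately after a run of failures. The log lines, hostname and IP addresses are constructed for the demonstration and the syslog-style format is an assumption; a real QNAP event-log or Security Counselor export uses its own layout and needs a different regex.

```python
"""Sliding-window detection of brute-force, password-spray and
'success after failures' logins in a NAS auth log.

Added example; the log format below is a constructed syslog-style
format, not QNAP's real event log. Adapt LINE_RE to your device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real device output). 203.0.113.45 hammers
# 'admin' and then gets in; 198.51.100.7 sprays one guess across four
# accounts; 10.0.0.8 is a user who mistypes once; the last line is an
# unrelated event the parser must skip.
SAMPLE_LOG = """\
2020-06-05T02:14:01Z nas01 sshd[1022]: Failed password for admin from 203.0.113.45 port 51011 ssh2
2020-06-05T02:14:03Z nas01 sshd[1022]: Failed password for admin from 203.0.113.45 port 51012 ssh2
2020-06-05T02:14:05Z nas01 sshd[1022]: Failed password for admin from 203.0.113.45 port 51013 ssh2
2020-06-05T02:14:07Z nas01 sshd[1022]: Failed password for admin from 203.0.113.45 port 51014 ssh2
2020-06-05T02:14:09Z nas01 sshd[1022]: Failed password for admin from 203.0.113.45 port 51015 ssh2
2020-06-05T02:14:11Z nas01 sshd[1022]: Accepted password for admin from 203.0.113.45 port 51016 ssh2
2020-06-05T02:20:00Z nas01 sshd[1031]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2020-06-05T02:20:02Z nas01 sshd[1031]: Failed password for root from 198.51.100.7 port 40002 ssh2
2020-06-05T02:20:04Z nas01 sshd[1031]: Failed password for backup from 198.51.100.7 port 40003 ssh2
2020-06-05T02:20:06Z nas01 sshd[1031]: Failed password for guest from 198.51.100.7 port 40004 ssh2
2020-06-05T02:30:00Z nas01 sshd[1040]: Failed password for alice from 10.0.0.8 port 52000 ssh2
2020-06-05T02:30:10Z nas01 sshd[1040]: Accepted password for alice from 10.0.0.8 port 52000 ssh2
2020-06-05T02:31:00Z nas01 qpkg[77]: Photo Station started
"""

# Assumed line layout: "<ISO-8601 UTC> <host> <proc>: Failed|Accepted password for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return (timestamp, accepted, user, ip) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Scan the log once and return (ip, kind, detail) findings in log order.

    Per source IP, keep only the failures inside `window`; alert when that
    queue reaches `fail_threshold` (brute force), when it spans `spray_users`
    distinct accounts (spray), or when a success arrives on top of a queue
    of 3 or more failures.  Each (ip, kind) pair is reported once.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures still in the window
    reported = set()
    findings = []

    def report(ip, kind, detail):
        if (ip, kind) not in reported:
            reported.add((ip, kind))
            findings.append((ip, kind, detail))

    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, accepted, user, ip = event
        queue = recent[ip]
        while queue and ts - queue[0][0] > window:   # expire failures older than the window
            queue.popleft()
        if not accepted:
            queue.append((ts, user))
            users = sorted({u for _, u in queue})
            if len(queue) >= fail_threshold:
                report(ip, "brute-force", f"{len(queue)} failures within {window} against {users}")
            if len(users) >= spray_users:
                report(ip, "password-spray", f"{len(users)} accounts tried within {window}: {users}")
        elif len(queue) >= 3:
            report(ip, "success-after-failures", f"{user} accepted after {len(queue)} recent failures")
    return findings


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip:15} {kind:24} {detail}")
```

Run against the sample, the detector reports the brute-force run and the follow-on successful login from 203.0.113.45 and the spray from 198.51.100.7, while alice's single typo and the non-auth line produce nothing. The window matters: the same five failures spread two minutes apart never hold more than three in a five-minute window and stay silent, which is why a threshold-only rule should always be paired with a rate.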
Read more in:
www.bleepingcomputer.com: Ongoing eCh0raix ransomware campaign targets QNAP NAS devices
www.zdnet.com: QNAP NAS devices targeted in another wave of ransomware attacks
DARPA Announces Bug Bounty Program
(June 8, 2020)
The U.S. Defense Department’s Defense Advanced Research Projects Agency (DARPA) has announced a bug bounty program. The focus will be on hardware developed under DARPA's System Security Integration Through Hardware and Firmware (SSITH) program. Synack, a security company partnering with DARPA for the program, is holding a Capture-the-Flag (CTF) qualifying competition, which runs from June 15-29, 2020. The DARPA bug bounty program runs from July to September 2020.
This will be an interesting one to watch. Good to see DoD building on the success of years of Hack the Pentagon managed bug bounty programs, but this has a different focus than almost all previous bug bounty programs: finding vulnerabilities in specialty hardware. This is badly needed--the vulnerabilities in Apple’s A4 chip and in PC motherboards and baseboard management controllers have made this very clear. Much more specialized skills are required, but too often, hardware devices have relied on security through obscurity. Programs like this can shine a bright light on why that doesn’t work.
Read more in:
www.darpa.mil: DARPA Announces First Bug Bounty Program to Hack SSITH Hardware Defenses
go.synack.com: FETT Bug Bounty Program with Synack, DARPA, and DDS
www.cyberscoop.com: DARPA invites hackers to break hardware to make it more secure
www.darkreading.com: DARPA Launches Bug Bounty Program