Raccoon Attack 🦝

A team of academics today disclosed a theoretical attack on the TLS cryptographic protocol that, under specific conditions, can be used to decrypt HTTPS connections between users and servers and read sensitive communications.

Named Raccoon, the attack has been described as “really hard to exploit” and its underlying conditions as “rare.”

The Raccoon attack is, at its base, a timing attack: a malicious third party measures how long the server takes to perform known cryptographic operations and uses the differences to learn information about the secret values being processed.

The target is the Diffie-Hellman key exchange, specifically the moment the server turns the shared secret into session keys. TLS 1.2 and earlier strip leading zero bytes from the shared secret before it enters the key derivation function, so the amount of hashing the server does, and with it the time it takes, depends on whether the secret starts with a zero byte. Each measurement therefore leaks a little information about the premaster secret of one connection, and the aim is to collect enough of these leaks, across many probes, to recover several bytes of it.

“In the end, this helps the attacker to construct a set of equations and use a solver for the Hidden Number Problem (HNP) to compute the original premaster secret established between the client and the server.”

Servers that use the Diffie-Hellman key exchange for TLS and reuse the same DH key across connections, whether a static DH key or an ephemeral key that is cached and reused, are exposed: the attacker has to query the server repeatedly against the same key.

This is a server-side attack and cannot be performed against a client such as a browser. The attack also has to be carried out separately for each client-server connection; it cannot be used to recover the server’s private key and decrypt all connections at once.

Servers that use the Diffie-Hellman key exchange with TLS 1.2 or earlier are considered vulnerable. DTLS is also impacted.

TLS 1.3 is not affected: it left-pads the DH shared secret to the full length of the group’s prime instead of stripping leading zeros, so the key derivation does the same amount of work regardless of the secret’s value.
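The mechanism described above, as an added example (not the researchers’ code and not a tool from this page): a simulated TLS 1.2 server that reuses its DH private key, the zero-byte stripping of RFC 5246 §8.1.2 beside the fixed-length encoding of RFC 8446 §7.4.1, and the attacker’s trick of multiplying the victim’s recorded share g^a by g^r so that each “cheap” key derivation yields one Hidden Number Problem inequality on the original premaster secret. The timing measurement is replaced by an explicit count of the SHA-256 compression calls HMAC spends pre-hashing a long key, which is the step inside the TLS 1.2 PRF whose cost depends on the premaster length; the 520-bit modulus, generator 2, the short private exponents and the PRNG seed are all constructed for the demo and chosen so that one stripped byte sits exactly on the HMAC block boundary. Which real-world modulus sizes leak measurably depends on the PRF hash and the exact length, and the lattice step that solves the collected inequalities is not shown.

```python
"""Raccoon-style query construction against a TLS 1.2 server that reuses its
DH key.  Added example, not the researchers' code; the timing oracle is
replaced by an explicit cost model of the HMAC step in the TLS 1.2 PRF."""
import hashlib
import hmac
import random

BLOCK = 64                                   # SHA-256 block size in bytes
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23)

def tls12_premaster(z: int) -> bytes:
    """RFC 5246 8.1.2: the shared secret Z with leading zero bytes stripped."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big")

def tls13_shared_secret(z: int, p: int) -> bytes:
    """RFC 8446 7.4.1: Z left-padded with zeros to the byte length of p."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")

def hmac_key_blocks(key_len: int) -> int:
    """SHA-256 compression calls HMAC spends pre-hashing its key: none up to one
    block, otherwise ceil((key_len + 9) / 64) to hash key || padding."""
    return 0 if key_len <= BLOCK else (key_len + 9 + BLOCK - 1) // BLOCK

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; adequate for a demo modulus."""
    if n < 2 or any(n % q == 0 for q in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_modulus(bits: int = 520) -> int:
    """Largest prime below 2**bits (constructed: a 65-byte modulus puts the
    premaster one byte past the HMAC block size, so a stripped zero byte
    removes the key pre-hash entirely and the cost difference is maximal)."""
    n = (1 << bits) - 1
    while not is_probable_prime(n):
        n -= 2
    return n

class ReusingServer:
    """TLS 1.2 server keeping one DH private key for every connection, the
    precondition Raccoon needs."""
    def __init__(self, p: int, g: int, rng: random.Random):
        self.p, self.g = p, g
        self.priv = rng.getrandbits(160) | 1     # short exponent keeps the demo fast
        self.pub = pow(g, self.priv, p)

    def handle_client_share(self, y: int) -> tuple:
        """Return (first PRF block, HMAC key blocks); the block count stands in
        for the time the attacker measures.  Client/server randoms are fixed."""
        pms = tls12_premaster(pow(y, self.priv, self.p))
        a1 = hmac.new(pms, b"master secret" + bytes(64), hashlib.sha256).digest()
        return a1, hmac_key_blocks(len(pms))

def raccoon_queries(server: ReusingServer, client_pub: int, n_queries: int, rng):
    """Resend the victim's share g^a times g^r for fresh r.  The server derives
    (g^a g^r)^b = Z * (g^b)^r; the attacker knows k = (g^b)^r from the server's
    public key, and a cheaper derivation means Z*k mod p lost its top byte.
    Every hit is one Hidden Number Problem equation: Z * k_i mod p < bound."""
    p, g = server.p, server.g
    n_bytes = (p.bit_length() + 7) // 8
    bound, full_cost = 1 << (8 * (n_bytes - 1)), hmac_key_blocks(n_bytes)
    equations = []
    for _ in range(n_queries):
        r = rng.getrandbits(64) | 1
        k = pow(server.pub, r, p)
        _, cost = server.handle_client_share(client_pub * pow(g, r, p) % p)
        if cost < full_cost:
            equations.append((k, bound))
    return equations

def check_equations(z: int, p: int, equations) -> bool:
    """Ground truth the attacker cannot compute: do all collected bounds hold?"""
    return all(z * k % p < bound for k, bound in equations)

def run_demo(n_queries: int = 4000, seed: int = 2020) -> dict:
    rng = random.Random(seed)
    p, g = demo_modulus(), 2
    server = ReusingServer(p, g, rng)
    a = rng.getrandbits(160) | 1                # victim client's private key
    client_pub = pow(g, a, p)                   # all the attacker observes
    z = pow(server.pub, a, p)                   # premaster the attacker is after
    equations = raccoon_queries(server, client_pub, n_queries, rng)
    return {"modulus_bytes": (p.bit_length() + 7) // 8,
            "tls12_len": len(tls12_premaster(z)),
            "tls13_len": len(tls13_shared_secret(z, p)),
            "hits": len(equations),
            "all_equations_hold": check_equations(z, p, equations)}
```

`run_demo()` reports how many of the probes produced a usable inequality (about one in 256 with this modulus, since the top byte of a value below 2^520 is zero that often) and confirms, using the secret Z that only the simulation knows, that every collected bound Z·k_i mod p < 2^512 holds. The same Z encoded the TLS 1.3 way is always 65 bytes, which removes the length variation the oracle depends on; a real attacker still needs the timing side channel to be measurable and a lattice solver to turn the inequalities into Z.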

“The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.”

“(The attacker) needs to be close to the target server to perform high precision timing measurements. He needs the victim connection to use DH(E) and the server to reuse ephemeral keys. And finally, the attacker needs to observe the original connection.

“[Compared to what an] attacker would need to do to break modern cryptographic primitives like AES, the attack does not look complex anymore.

“But still, a real-world attacker will probably use other attack vectors that are simpler and more reliable than this attack.”

While the attack has been deemed hard to exploit, some vendors have done their due diligence and released patches. Microsoft (CVE-2020-1596), Mozilla, OpenSSL (CVE-2020-1968), and F5 Networks (CVE-2020-5929) have released security updates to block Raccoon attacks.
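Whether a server reuses its DH(E) key, the precondition quoted above, can be checked from the outside without waiting for a vendor advisory. The following is an added example, not the researchers’ tooling or any vendor’s code: it sends a TLS 1.2 ClientHello that offers only DHE cipher suites, reads the server’s DH public value Ys out of the ServerKeyExchange message, and compares it across a few connections. The host, port and number of attempts are whatever the caller passes; the cipher-suite and signature-algorithm lists are assumptions that work for RSA-certificate servers, and the handshake fragments used to exercise the parsers offline are constructed.

```python
"""Check whether a TLS 1.2 server reuses its DHE public value across handshakes.
Added example, not from the Raccoon authors; it speaks just enough TLS 1.2 to
read Ys out of the ServerKeyExchange message and compare it over connections."""
import os
import socket
import struct

DHE_SUITES = (0x009E, 0x009F, 0x0033, 0x0039)   # TLS_DHE_RSA_WITH_AES_* only
SIG_ALGS = (0x0401, 0x0501, 0x0601, 0x0804, 0x0805, 0x0806)  # rsa_pkcs1 / rsa_pss
HANDSHAKE, ALERT = 22, 21
SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 12, 14

def build_client_hello(host: str) -> bytes:
    """TLS 1.2 ClientHello offering only DHE suites, with SNI and
    signature_algorithms so modern servers will sign the ServerKeyExchange."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sigs = struct.pack("!H", 2 * len(SIG_ALGS)) + b"".join(struct.pack("!H", s) for s in SIG_ALGS)
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni + struct.pack("!HH", 0x000D, len(sigs)) + sigs
    suites = b"".join(struct.pack("!H", s) for s in DHE_SUITES)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # ClientHello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def iter_handshake_messages(data: bytes):
    """Yield (type, body) for each complete handshake message in data."""
    off = 0
    while off + 4 <= len(data):
        mlen = int.from_bytes(data[off + 1:off + 4], "big")
        if off + 4 + mlen > len(data):
            break
        yield data[off], data[off + 4:off + 4 + mlen]
        off += 4 + mlen

def parse_server_dh_params(body: bytes) -> tuple:
    """RFC 5246 7.4.3: ServerDHParams = dh_p, dh_g, dh_Ys, each a 2-byte-length
    prefixed big-endian integer; the signature that follows is ignored here."""
    vals, off = [], 0
    for _ in range(3):
        (n,) = struct.unpack("!H", body[off:off + 2])
        vals.append(int.from_bytes(body[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return tuple(vals)

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def fetch_server_dh_public(host: str, port: int = 443, timeout: float = 5.0):
    """Return the server's dh_Ys for one handshake, or None if it refused DHE."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        while True:
            ctype, _version, length = struct.unpack("!BHH", _recv_exact(sock, 5))
            if ctype != HANDSHAKE:                # an alert: no DHE suite agreed
                return None
            data += _recv_exact(sock, length)
            for mtype, mbody in iter_handshake_messages(data):
                if mtype == SERVER_KEY_EXCHANGE:
                    return parse_server_dh_params(mbody)[2]
                if mtype == SERVER_HELLO_DONE:   # no SKE at all: not DHE
                    return None

def dh_key_reused(host: str, port: int = 443, attempts: int = 3):
    """True if two handshakes saw the same Ys (the Raccoon precondition),
    False if every Ys differed, None if the server never negotiated DHE."""
    values = [fetch_server_dh_public(host, port) for _ in range(attempts)]
    values = [v for v in values if v is not None]
    if not values:
        return None
    return len(set(values)) < len(values)
```

`dh_key_reused("your.server.example")` returning True means the server hands out the same DH public value to successive clients, which is exactly the configuration the attack needs; the fix is to generate a fresh ephemeral key per connection or to drop the DHE suites, independent of whether the timing leak is measurable on your hardware. None means the server never picked a DHE suite, so Raccoon does not apply to it.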

Netwalker electrified Pakistan

K-Electric, the sole electricity provider for Karachi, Pakistan, has suffered a Netwalker ransomware attack that led to the disruption of billing and online services.

K-Electric is Pakistan’s largest power supplier, serving 2.5 million customers and employing over 10,000 people.

Starting yesterday, K-Electric customers have been unable to access the online services for their account.

To resolve this issue, K-Electric appears to be trying to reroute users through a staging site, but is currently having difficulties.

The cyberattack occurred on the morning of September 7th and is disrupting K-Electric’s online billing services, not the supply of power.

In a Tor payment page seen by BleepingComputer, the ransomware operators demand a $3,850,000 ransom payment. If a ransom is not paid within another seven days, the ransom will increase to $7.7 million.

The Tor payment site also includes a ‘Stolen data’ page that states the Netwalker operator stole unencrypted files from K-Electric before performing the attack. This page does not reveal how much or what data was stolen.

Since the summer of 2019, Netwalker has been actively infecting victims. It wasn’t until March 2020, when the threat actors began recruiting skilled hackers and focusing entirely on enterprise networks, that we began to see widespread attacks.

According to a report by McAfee, this change in tactics has led to the ransomware gang earning $25 million in just five months.

Indian cyberspace to get new security policy

India will soon have a new cyber security policy, announced Prime Minister Narendra Modi in his speech on India’s 74th Independence Day Saturday.

Modi said that his government is aware of the threats emanating from cyber space and how they had the potential to impact India’s society, economy and development.

“Cyber security is a very important aspect, which cannot be ignored. The government is alert on this and is working on a new, robust policy,” he added.

The announcement was made against the backdrop of the government’s initiative to connect 1.5 lakh (150,000) gram panchayats (village councils) through an optical fibre network, thereby increasing the country’s internet connectivity.

Policy needed to check increase in cyber crime

Modi said that as internet connectivity increases, cyber crime will also increase rapidly, with online transactions and phishing for personal data growing alongside it; a cyber security policy is therefore a must to control cyber-related crime.

“When the internet comes, there is always an increase in cyber crime risk. So we will soon come up with a new cyber security policy,” Modi added.

The Internet Crime Report for 2019, released by the FBI’s Internet Crime Complaint Center (IC3) in the USA, revealed that India ranks third among the 20 countries with the most victims of internet crime.

The report said that most cyber crime cases registered were for the motive of fraud, followed by sexual exploitation and causing disrepute.

What will the policy deliver?

The main aim of this policy will be to protect information and information infrastructure in cyberspace and build capabilities to prevent and respond to cyber threats, said a government official.

The policy will work on reducing vulnerabilities and minimising damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

"The objective is to create a secure cyber ecosystem in the country,” he said.

Moreover, the policy aims at enhancing the protection of India’s critical information infrastructure.

“This policy will enable protection of information and also effectively safeguard citizens’ data, (thereby) minimising chances of data theft and bringing down cyber crime in the process,” he said.

Apart from keeping cyber crime in check, the policy will also work on cracking down upon “misinformation being spread”.

According to a second government official, during the border tensions at the Line of Actual Control, Chinese and Pakistani social media activists appeared to have started campaigns to spread misinformation against India.

“Spreading of such misinformation for propaganda also needs to be checked and will be a focus of the policy.”

Defend rather than attack when faced with advanced attacks

To hold your own against nation-state-grade attacks, you must think and act differently.

It used to be that when cyber professionals heard the term “nation-state,” a clear picture came to mind of countries — China, Russia, Iran, North Korea, and even the US — hiding behind the computer using keyboard strokes to attack one another’s critical infrastructure, banking systems, utilities, and more.

A slight but important shift on that term is changing what businesses deal with daily. Nation-state-grade attacks use the same tools and techniques that countries employ to attack each other, but might not be state-sponsored. This puts businesses of all shapes, sizes, and focuses square in the crosshairs of highly sophisticated attacks.

Upping the Game

When Shadow Brokers, a mysterious hacking group that first appeared in summer 2016, published cyber tools created by the National Security Agency (NSA), the nation-state game changed. No longer was it only that countries were directly attacking each other or sponsoring attackers to do so on their behalf.

Now these tools that are capable of creating chaos, cost tens of millions of dollars to develop, and were used only by the most sophisticated cyber pros in the world were available for a few hundred dollars on the Dark Web. Hackers with less skill are able to up their game by easily purchasing and using these highly advanced tools against business targets of all sizes. In short, nation-state hacking tools have created nation-state level attackers and increased the threat against any business in any market in the world.

Defending Like an Attacker

Organizations today use cyber best practices and are compliant where they need to be — important steps that are not providing enough security. Our cybersecurity budgets are no longer never-ending, which requires us to be efficient and smart. We must prioritize our programs in a way that allows us to take calculated risks. And the only way to do that is to think like an attacker.

To do so, we have to figure out how to be less vulnerable, period. By putting up the right defense, we can exhaust the attackers so they move on. While it’s important to be as secure as possible, what’s more valuable is to be more secure than other businesses. An attacker is going to take the path of least resistance; if you can block enough holes to frustrate him/her, the likelihood they will move on to another target increases.

We need to take the normal considerations into account — things like vulnerability, budget, business impact analyses, etc. — but also need to understand how our holes and weaknesses come together to help attackers achieve their objectives. It’s only then that we can look at those weaknesses in context and resolve them in a meaningful way.

Specific Set of Cyber Skills

It sounds simple to think like an attacker, but it’s an extremely difficult task that requires a specific set of skills. I’ve broken it down into four elements a typical organization should put in place to not only prevail against nation-state-grade attacks but become the new wave of cyber sophistication themselves:

Build your team.

If possible, hire highly sophisticated people to your own cybersecurity team that were formerly attackers or part of a nation-state intelligence organization. This can be challenging given that only a small percentage of US government attackers leave before retirement, and those that do are extremely expensive.

Create a “defender offensive” methodology.

This approach must come from an attacker’s point of view. It’s not enough to just identify holes or weaknesses. You have to have a plan for how to prioritize those issues so you can focus on — and solve — the ones that make you the most vulnerable. If your team comes up with 100 vulnerabilities and prioritizes them equally, nothing is going to be resolved in a meaningful way.

Think holistically.

Treat your organization as the complex entity it is. The cybersecurity team must think holistically and partner with various departments such as HR and supply chain to understand as many risks as possible.

Automate where you can.

Relieving the mundane day-to-day work that your security analysts experience every day is the goal of automation. By automating what you can, you can focus your human defenders on squashing threats from your human attackers.