Category: Blockchain

 

from: https://cointelegraph.com/news/us-doj-charges-7-russian-intelligence-officers-with-crypto-funded-hacking-attacks

 

 

 

[UPDATED SEVERAL TIMES FROM DIFFERENT SOURCES – SCROLL DOWN
You find all relevant reporting on the matter on this page;
including the implant built into the server’s Ethernet connector at a US Telecom company.]

 

The Chinese military surreptitiously inserted tiny microchips no larger than single grains of rice into servers on local assembly lines in order to gain access to data networks run by U.S. government agencies ranging from the Department of Defense to the Central Intelligence Agency, according to an explosive investigation from Bloomberg.

• A three-year investigation by U.S. government officials found that servers assembled for startup Elemental Technologies by San Jose-based company Supermicro reportedly contained tiny microchips “inserted at factories run by manufacturing subcontractors in China,” Bloomberg reported.
• The chips, independently discovered by engineers at Amazon and Apple in 2015, purportedly allowed hackers to “create a stealth doorway into any network that included the altered machines,” per Bloomberg, a Trojan horse that gave hackers a direct line into any sensitive network.
• Elemental servers assembled by Supermicro are “found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships,” per Bloomberg, and the revelation prompted DoD officials at the time to request a small group of technologists “to think about creating commercial products that could detect hardware implants.”
• “Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing,” Bloomberg reports. “NASA, both houses of Congress, and the Department of Homeland Security have also been customers.”
• News of the years-long infiltration of secure networks through the lowest levels of the global industrial supply chain  — China still manufactures the majority of the raw tech behind the world’s mobile phones and personal computers — reflects not just a coup for the Chinese intelligence community, but an alarming vulnerability of the U.S. industrial base.
• Technologist Joe Grand put it best in an interview with Bloomberg: “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow … Hardware is just so far off the radar, it’s almost treated like black magic.”

August Cole, a coauthor of the novel “Ghost Fleet” — which features an eerily similar scenario involving Chinese chips hidden inside an F-35 that ruin its stealth capabilities, wrote on Twitter, “Hey Siri, what is my #ghostfleet moment of the day?”

from: https://taskandpurpose.com/china-hacking-microchips-dod-cia/

 

 

 

In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. Based in Portland, Ore., Elemental made software for compressing massive video files and formatting them for different devices. Its technology had helped stream the Olympic Games online, communicate with the International Space Station, and funnel drone footage to the Central Intelligence Agency. Elemental’s national security contracts weren’t the main reason for the proposed acquisition, but they fit nicely with Amazon’s government businesses, such as the highly secure cloud that Amazon Web Services (AWS) was building for the CIA.

To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

There are two ways for spies to alter the guts of computer equipment. One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden. The other method involves seeding changes from the very beginning.

One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”

But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.

One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

In emailed statements, Amazon (which announced its acquisition of Elemental in September 2015), Apple, and Supermicro disputed summaries of Bloomberg Businessweek’s reporting. “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon wrote. “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote. “We remain unaware of any such investigation,” wrote a spokesman for Supermicro, Perry Hayes. The Chinese government didn’t directly address questions about manipulation of Supermicro servers, issuing a statement that read, in part, “Supply chain safety in cyberspace is an issue of common concern, and China is also a victim.” The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment.

The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

The ramifications of the attack continue to play out. The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result. Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.

How the Hack Worked, According to U.S. Officials

 

Back in 2006, three engineers in Oregon had a clever idea. Demand for mobile video was about to explode, and they predicted that broadcasters would be desperate to transform programs designed to fit TV screens into the various formats needed for viewing on smartphones, laptops, and other devices. To meet the anticipated demand, the engineers started Elemental Technologies, assembling what one former adviser to the company calls a genius team to write code that would adapt the superfast graphics chips being produced for high-end video-gaming machines. The resulting software dramatically reduced the time it took to process large video files. Elemental then loaded the software onto custom-built servers emblazoned with its leprechaun-green logos.

Elemental servers sold for as much as $100,000 each, at profit margins of as high as 70 percent, according to a former adviser to the company. Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Elemental also started working with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government. Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.

Supermicro had been an obvious choice to build Elemental’s servers. Headquartered north of San Jose’s airport, up a smoggy stretch of Interstate 880, the company was founded by Charles Liang, a Taiwanese engineer who attended graduate school in Texas and then moved west to start Supermicro with his wife in 1993. Silicon Valley was then embracing outsourcing, forging a pathway from Taiwanese, and later Chinese, factories to American consumers, and Liang added a comforting advantage: Supermicro’s motherboards would be engineered mostly in San Jose, close to the company’s biggest clients, even if the products were manufactured overseas.

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

The company’s pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. The majority of its workforce in San Jose is Taiwanese or Chinese, and Mandarin is the preferred language, with hanzi filling the whiteboards, according to six former employees. Chinese pastries are delivered every week, and many routine calls are done twice, once for English-only workers and again in Mandarin. The latter are more productive, according to people who’ve been on both. These overseas ties, especially the widespread use of Mandarin, would have made it easier for China to gain an understanding of Supermicro’s operations and potentially to infiltrate the company. (A U.S. official says the government’s probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.)

With more than 900 customers in 100 countries by 2015, Supermicro offered inroads to a bountiful collection of sensitive targets. “Think of Supermicro as the Microsoft of the hardware world,” says a former U.S. intelligence official who’s studied Supermicro and its business model. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

Well before evidence of the attack surfaced inside the networks of U.S. companies, American intelligence sources were reporting that China’s spies had plans to introduce malicious microchips into the supply chain. The sources weren’t specific, according to a person familiar with the information they provided, and millions of motherboards are shipped into the U.S. annually. But in the first half of 2014, a different person briefed on high-level discussions says, intelligence officials went to the White House with something more concrete: China’s military was preparing to insert the chips into Supermicro motherboards bound for U.S. companies.

The specificity of the information was remarkable, but so were the challenges it posed. Issuing a broad warning to Supermicro’s customers could have crippled the company, a major American hardware maker, and it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were. Plus, without confirmation that anyone had been attacked, the FBI was limited in how it could respond. The White House requested periodic updates as information came in, the person familiar with the discussions says.

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally. Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official. This created an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led by its cyber- and counterintelligence teams—to see what the chips looked like and how they worked.

The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team. Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.

Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity. “The hardware opens whatever door it wants,” says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.

U.S. officials had caught China experimenting with hardware tampering before, but they’d never seen anything of this scale and ambition. The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet. What remained for investigators to learn was how the attackers had so thoroughly infiltrated Supermicro’s production process—and how many doors they’d opened into American targets.

Unlike software-based hacks, hardware manipulation creates a real-world trail. Components leave a wake of shipping manifests and invoices. Boards have serial numbers that trace to specific factories. To track the corrupted chips to their source, U.S. intelligence agencies began following Supermicro’s serpentine supply chain in reverse, a person briefed on evidence gathered during the probe says.

As recently as 2016, according to DigiTimes, a news site specializing in supply chain research, Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai. When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. In order to get further down the trail, U.S. spy agencies drew on the prodigious tools at their disposal. They sifted through communications intercepts, tapped informants in Taiwan and China, even tracked key individuals through their phones, according to the person briefed on evidence gathered during the probe. Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.

The investigators concluded that this intricate scheme was the work of a People’s Liberation Army unit specializing in hardware attacks, according to two people briefed on its activities. The existence of this group has never been revealed before, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.” The unit is believed to focus on high-priority targets, including advanced commercial technology and the computers of rival militaries. In past attacks, it targeted the designs for high-performance computer chips and computing systems of large U.S. internet providers.

Provided details of Businessweek’s reporting, China’s Ministry of Foreign Affairs sent a statement that said “China is a resolute defender of cybersecurity.” The ministry added that in 2011, China proposed international guarantees on hardware security along with other members of the Shanghai Cooperation Organization, a regional security body. The statement concluded, “We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”

The Supermicro attack was on another order entirely from earlier episodes attributed to the PLA. It threatened to have reached a dizzying array of end users, with some vital ones in the mix. Apple, for its part, has used Supermicro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content. By 2014, the startup was put to work building small data centers in or near major global cities. This project, known internally as Ledbelly, was designed to make the search function for Apple’s voice assistant, Siri, faster, according to the three senior Apple insiders.

Documents seen by Businessweek show that in 2014, Apple planned to order more than 6,000 Supermicro servers for installation in 17 locations, including Amsterdam, Chicago, Hong Kong, Los Angeles, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers. Those orders were supposed to double, to 20,000, by 2015. Ledbelly made Apple an important Supermicro customer at the exact same time the PLA was found to be manipulating the vendor’s hardware.

Project delays and early performance problems meant that around 7,000 Supermicro servers were humming in Apple’s network by the time the company’s security team found the added chips. Because Apple didn’t, according to a U.S. official, provide government investigators with access to its facilities or the tampered hardware, the extent of the attack there remained outside their view.

 

 

American investigators eventually figured out who else had been hit. Since the implanted chips were designed to ping anonymous computers on the internet for further instructions, operatives could hack those computers to identify others who’d been affected. Although the investigators couldn’t be sure they’d found every victim, a person familiar with the U.S. probe says they ultimately concluded that the number was almost 30 companies.

That left the question of whom to notify and how. U.S. officials had been warning for years that hardware made by two Chinese telecommunications giants, Huawei Corp. and ZTE Corp., was subject to Chinese government manipulation. (Both Huawei and ZTE have said no such tampering has occurred.) But a similar public alert regarding a U.S. company was out of the question. Instead, officials reached out to a small number of important Supermicro customers. One executive of a large web-hosting company says the message he took away from the exchange was clear: Supermicro’s hardware couldn’t be trusted. “That’s been the nudge to everyone—get that crap out,” the person says.

Amazon, for its part, began acquisition talks with an Elemental competitor, but according to one person familiar with Amazon’s deliberations, it reversed course in the summer of 2015 after learning that Elemental’s board was nearing a deal with another buyer. Amazon announced its acquisition of Elemental in September 2015, in a transaction whose value one person familiar with the deal places at $350 million. Multiple sources say that Amazon intended to move Elemental’s software to AWS’s cloud, whose chips, motherboards, and servers are typically designed in-house and built by factories that Amazon contracts from directly.

A notable exception was AWS’s data centers inside China, which were filled with Supermicro-built servers, according to two people with knowledge of AWS’s operations there. Mindful of the Elemental findings, Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says. (Amazon denies that AWS knew of servers found in China containing malicious chips.)

China has long been known to monitor banks, manufacturers, and ordinary citizens on its own soil, and the main customers of AWS’s China cloud were domestic companies or foreign entities with operations there. Still, the fact that the country appeared to be conducting those operations inside Amazon’s cloud presented the company with a Gordian knot. Its security team determined that it would be difficult to quietly remove the equipment and that, even if they could devise a way, doing so would alert the attackers that the chips had been found, according to a person familiar with the company’s probe. Instead, the team developed a method of monitoring the chips. In the ensuing months, they detected brief check-in communications between the attackers and the sabotaged servers but didn’t see any attempts to remove data. That likely meant either that the attackers were saving the chips for a later operation or that they’d infiltrated other parts of the network before the monitoring began. Neither possibility was reassuring.

When in 2016 the Chinese government was about to pass a new cybersecurity law—seen by many outside the country as a pretext to give authorities wider access to sensitive data—Amazon decided to act, the person familiar with the company’s probe says. In August it transferred operational control of its Beijing data center to its local partner, Beijing Sinnet, a move the companies said was needed to comply with the incoming law. The following November, Amazon sold the entire infrastructure to Beijing Sinnet for about $300 million. The person familiar with Amazon’s probe casts the sale as a choice to “hack off the diseased limb.”

As for Apple, one of the three senior insiders says that in the summer of 2015, a few weeks after it identified the malicious chips, the company started removing all Supermicro servers from its data centers, a process Apple referred to internally as “going to zero.” Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident.

That August, Supermicro’s CEO, Liang, revealed that the company had lost two major customers. Although he didn’t name them, one was later identified in news reports as Apple. He blamed competition, but his explanation was vague. “When customers asked for lower price, our people did not respond quickly enough,” he said on a conference call with analysts. Hayes, the Supermicro spokesman, says the company has never been notified of the existence of malicious chips on its motherboards by either customers or U.S. law enforcement.

Concurrent with the illicit chips’ discovery in 2015 and the unfolding investigation, Supermicro has been plagued by an accounting problem, which the company characterizes as an issue related to the timing of certain revenue recognition. After missing two deadlines to file quarterly and annual reports required by regulators, Supermicro was delisted from the Nasdaq on Aug. 23 of this year. It marked an extraordinary stumble for a company whose annual revenue had risen sharply in the previous four years, from a reported $1.5 billion in 2014 to a projected $3.2 billion this year.

One Friday in late September 2015, President Barack Obama and Chinese President Xi Jinping appeared together at the White House for an hourlong press conference headlined by a landmark deal on cybersecurity. After months of negotiations, the U.S. had extracted from China a grand promise: It would no longer support the theft by hackers of U.S. intellectual property to benefit Chinese companies. Left out of those pronouncements, according to a person familiar with discussions among senior officials across the U.S. government, was the White House’s deep concern that China was willing to offer this concession because it was already developing far more advanced and surreptitious forms of hacking founded on its near monopoly of the technology supply chain.

In the weeks after the agreement was announced, the U.S. government quietly raised the alarm with several dozen tech executives and investors at a small, invite-only meeting in McLean, Va., organized by the Pentagon. According to someone who was present, Defense Department officials briefed the technologists on a recent attack and asked them to think about creating commercial products that could detect hardware implants. Attendees weren’t told the name of the hardware maker involved, but it was clear to at least some in the room that it was Supermicro, the person says.

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

 

 

from: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

 

 

‘We Have No Way Of Addressing This’: Ex-NSA Scientist Reacts To China Sneaking Microchips Into DoD Servers

 

After an explosive Bloomberg report revealed that China was surreptitiously inserting small microchips into servers that later ended up being used by the Department of Defense, CIA, and many large American companies, an ex-NSA scientist warned there was “no way of addressing this risk” from a strategic standpoint.

“We can find a couple of them, but we’re not gonna find the next generation version,” said Dave Aitel, a former computer scientist for the National Security Agency now working as the Chief Security Technical Officer for Cyxtera. “That makes it very hard to trust computers in general.”

U.S. government investigators found that servers assembled by American companies contained motherboards — made by Chinese subcontractors — with tiny microchips that could allow hackers to “create a stealth doorway into any network that included the altered machines,” according to Bloomberg.

“They are literally in between the layers of the board,” Aitel said, adding that in order to see it, “you would have to take a board, strip it down, and X-ray it” to find the suspect chip.

“That’s just not a thing we should expect corporations to be able to do, even the biggest organizations.”

The machines are found inside DoD data centers, on Navy warships, and at the CIA, the site reported.

The Pentagon declined to comment on whether the suspect chips were found on DoD networks, citing operational security reasons. Still, Department spokeswoman Heather Babb told Task & Purpose, the U.S. military “has policies in place to address software assurance and supply chain risk management, as well as established security standards to ensure all procured commercial products and services are rigorously inspected for security vulnerabilities. As threats within the cyberspace domain change, DOD looks for solutions that provide more capability.”

“The protection of the National Security Innovation Base is a priority for the Department. Working closely with Congress and private industry, DOD is already advancing to elevate security within the supply chain,” she added.

China isn’t the only nation-state working to infiltrate hardware as a means to hack its enemies. The U.S. does much the same thing — intercepting network hardware and secretly installing beacons that call back to NSA — except it doesn’t seem to get or can legally force the cooperation of the factory making the product.

China doesn’t seem to have that problem.

“The question becomes can we move to a trusted supply chain or not?” Aitel asked. He added that “tin foil” hat thinking that foreign-made hardware should be treated as suspect isn’t so conspiratorial after all.

Still, he did offer some more positive news: “The good news is we caught it, and we’re on it,” Aitel said. “That’s actually phenomenally good news. That does send a message of deterrence. That does send a message that you can’t get away with it.”

President Barack Obama and Chinese President Xi Jinping agreed in 2015 that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” and said they would work together on other cybersecurity issues.

This latest disclosure of cyber-espionage adds fuel to the fire that China has clearly violated the agreement, which the Trump administration accused Beijing of doing earlier this year.

Aitel said it was more than likely that DoD and other governmental organizations were pulling the suspect servers if they haven’t done so already. Still, the risk will likely remain as long as the hardware is not manufactured in the U.S.

 

from: https://taskandpurpose.com/china-hacking-microchips-nsa-reaction/

 

 

Ready for information about what may be one of the largest corporate espionage programs from a nation-state? The Chinese government managed to gain access to the servers of more than 30 U.S. companies, including Apple, according to an explosive report from Bloomberg published today.

Bloomberg reports that U.S-based server motherboard specialist Supermicro was compromised in China where government-affiliated groups are alleged to have infiltrated its supply chain to attach tiny chips, some merely the size of a pencil tip, to motherboards which ended up in servers deployed in the U.S.

The goal, Bloomberg said, was to gain an entry point within company systems to potentially grab IP or confidential information. While the micro-servers themselves were limited in terms of direct capabilities, they represented a “stealth doorway” that could allow China-based operatives to remotely alter how a device functioned to potentially access information.

Once aware of the program, the U.S. government spied on the spies behind the chips but, according to Bloomberg, no consumer data is known to have been stolen through the attacks. Even still, this episode represents one of the most striking espionage programs from the Chinese government to date.

The story reports that the chips were discovered and reported to the FBI by Amazon, which found them during due diligence ahead of its 2015 acquisition of Elemental Systems, a company that held a range of U.S. government contracts, and Apple, which is said to have deployed up to 7,000 Supermicro servers at peak. Bloomberg reported that Amazon removed them all within a one-month period. Apple did indeed cut ties with Supermicro back in 2016, but it denied a claim from The Information which reported at the time that it was based on a security issue.

Amazon, meanwhile, completed the deal for Elemental Systems — reportedly worth $500 million — after it switched its software to the AWS cloud. Supermicro, meanwhile, was suspended from trading on the Nasdaq in August after failing to submit quarterly reports on time. The company is likely to be delisted once the timeframe for an appeal is over.

Amazon, Apple, Supermicro and China’s Ministry of Foreign Affairs all denied Bloomberg’s findings with strong and lengthy statements — a full list of rebuttals is here. The publication claims that it sourced its information using no fewer than 17 individuals with knowledge of developments, including six U.S. officials and four Apple “insiders.”

 

from: https://techcrunch.com/2018/10/04/china-reportedly-infiltrated-apple-and-other-us-companies-using-spy-chips-on-servers/

 

 

Chinesische Spionage

Apple und Amazon sollen Spionagechips in Servern gefunden haben

Dutzende US-Unternehmen und Regierungseinrichtungen haben Server eingesetzt, die vom selben Hersteller stammen: Supermicro. Doch deren Platinen waren einem Medienbericht zufolge in China manipuliert worden.

 

 

Donnerstag, 04.10.2018   14:40 Uhr

 

Eine Einheit der chinesischen Armee soll dafür gesorgt haben, dass winzige Spionagechips in Tausenden Servern für große Unternehmen wie Amazon und Apple verbaut wurden. Diese Chips, zum Teil so klein wie die Spitze eines Bleistifts, sollen einen heimlichen Verbindungsaufbau zu den Tätern und das unbemerkte Nachladen von Code ermöglicht haben. Das berichtet “Bloomberg Businessweek” unter Berufung auf insgesamt 17 anonyme Informanten aus Unternehmens- und US-Regierungskreisen. Dem gegenüber stehen scharfe Dementis von Amazon, Apple, dem Hersteller der Server und der chinesischen Regierung.

Gefunden wurden die Chips dem Bericht zufolge sowohl von Amazon, als auch von Apple selbst, und zwar auf den Hauptplatinen von Servern, die das in Kalifornien beheimatete Unternehmen Supermicro zusammenbaut oder von Auftragsfirmen zusammenbauen lässt. Diese Auftragshersteller, das erste Glied der Lieferkette, befänden sich im Fall von Supermicro in China. Dort sollen Militärs die Manager bestochen oder bedroht haben, bis diese einwilligten, die Bauteile in das Design der Platinen einzuschmuggeln und zu verbauen.

Zu den betroffenen US-Kunden von Supermicro gehörten “fast 30 Unternehmen”, neben Apple und Amazon auch eine große Bank und mehrere Auftragnehmer der US-Regierung.

Apple: “Wir haben niemals bösartige Chips gefunden”

Amazons Cloudsparte teilte auf Anfrage von “Bloomberg” allerdings mit, es sei unwahr, dass man von der kompromittierten Lieferkette wusste. Apple schrieb: “Wir haben niemals bösartige Chips, manipulierte Hardware oder in Servern versteckte Schwachstellen gefunden”. In ihren vollständigen Dementis führen beide Unternehmen das länger und unmissverständlich aus.

Die insgesamt 17 Quellen der Journalisten widersprechen dieser Darstellung. Sie konnten der Zeitung detailliert darlegen, wie Amazon und Apple die Chips unabhängig voneinander im Jahr 2015 fanden.

Im Fall von Amazon geschah das angeblich bei einer externen Überprüfung von Servern der Firma Elemental, die eine spezielle Software zum Komprimieren und Formatieren von Videos entwickelt hatte und zusammen mit passenden Supermicro-Servern verkaufte, unter anderem an das US-Verteidigungsministerium, die CIA und die US-Marine. Elemental galt damals als möglicher Übernahmekandidat für Amazon, das deshalb die Sicherheitsüberprüfung veranlasst hatte.

Apple beendete 2016 Geschäftsbeziehungen zu Supermicro

Später kaufte Amazon das Start-up zwar wirklich auf, doch kompromittierte Supermicro-Server sollen nur in Amazons chinesischen Cloudzentren zum Einsatz gekommen sein, bis dessen Inventar wieder an ein einheimisches Unternehmen verkauft wurde. An anderen Standorten wollte Amazon nur Elementals Software einsetzen – auf den eigenen Maschinen.

Apple indes habe nach seinem eigenen Fund innerhalb weniger Wochen rund 7000 Supermicro-Server ersetzt, heißt es. Auch das bestreitet das Unternehmen, allerdings räumt es ein, 2016 alle Geschäftsbeziehungen zu Supermicro beendet zu haben, wenn auch aus einem anderen Grund, der etwas mit einem “vergleichsweise kleinen Sicherheitsproblem” zu tun gehabt habe.

Das Ziel der Chinesen sei ein dauerhafter Zugang zu Unternehmens- und Regierungsnetzwerken sowie Geschäftsgeheimnissen gewesen, sagte eine Quelle aus Regierungskreisen “Bloomberg”. Die entsprechenden Untersuchungen dauerten bis heute an.

 

from: http://www.spiegel.de/netzwelt/web/apple-und-amazon-laut-medienbericht-spionagechips-in-servern-gefunden-a-1231543.html

 

 

Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary… or it’s not, and a lot of people screwed up.

To recap, Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful countries.

Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations. Apple also released its own standalone statement later in the day, as did Supermicro. You don’t see that very often unless they think they have nothing to hide. You can — and should — read the statements for yourself.

Welcome to the murky world of national security reporting.

I’ve covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories — including the U.S. government’s covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens.

Even with this story, my gut is mixed.

Where reporters across any topic and beat try to seek the truth, tapping information from the intelligence community is near impossible. For spies and diplomats, it’s illegal to share classified information with anyone and can be — and is — punishable by time in prison.

As a security reporter, you’re either incredibly well sourced or downright lucky. More often than not it’s the latter.

Naturally, people are skeptical of this “spy chip” story. On one side you have Bloomberg’s decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources — some inside the government and out — and presenting enough evidence to present a convincing case.

On the other, the sources are anonymous — likely because the information they shared wasn’t theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say “a source familiar with the matter” because it weakens the story. It’s the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves — though transparently published in full by Bloomberg — are not bulletproof in outright rejection of the story’s claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance — turning the story from an evidence-based report into a “he said, she said” situation.

That puts the onus on the reader to judge Bloomberg’s reporting. Reporters can publish the truth all they want, but ultimately it’s down to the reader to believe it or not.

In fairness to Bloomberg, chief among Apple’s complaints is a claim that Bloomberg’s reporters were vague in their questioning. Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.

Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark. Assuming there was an active espionage investigation into the alleged actions of a foreign government, you can bet that only a handful of people at these companies will be even cursorily aware of the situation. U.S. surveillance and counter-espionage laws restrict who can be told about classified information or investigations. Only those who need to be in the know are kept in a very tight loop — typically a company’s chief counsel. Often their bosses, the chief executive or president, are not told to avoid making false or misleading statements to shareholders.

It’s worth casting your mind back to 2013, days after the first Edward Snowden documents were published.

In the aftermath of the disclosure of PRISM, the NSA’s data pulling program that implicated several tech companies — including Apple, but not Amazon — the companies came out fighting, vehemently denying any involvement or connection. Was it a failure of reporting? Partially, yes. But the companies also had plausible deniability by cherry picking what they rebuffed. Despite a claim by the government that PRISM had “direct access” to tech companies’ servers, the companies responded that this wasn’t true. They didn’t, however, refute indirect access — which the companies wouldn’t be allowed to say in any case.

Critics of Bloomberg’s story have rightfully argued for more information — such as more technical data on the chip, its design and its functionality. Rightfully so — it’s entirely reasonable to want to know more. Jake Williams, a former NSA hacker turned founder of Rendition Infosec, told me that the story is “credible,” but “even if it turns out to be untrue, the capability exists and you need to architect your networks to detect this.”

I was hesitant to cover this at first given the complexity of the allegations and how explosive the claims are without also seeking confirmation. That’s not easy to do in an hour when Bloomberg’s reporters have been working for the best part of a year. Assuming Bloomberg did everything right — a cover story on its magazine, no less, which would have gone through endless editing and fact-checking before going to print — the reporters likely hit a wall and had nothing more to report, and went to print.

But Bloomberg’s delivery could have been better. Just as The New York Times does — even as recently as its coverage of President Trump’s tax affairs, Bloomberg missed an opportunity to be more open and transparent in how it came to the conclusions that it did. Journalism isn’t proprietary. It should be open to as many people as possible. If you’re not transparent in how you report things, you lose readers’ trust.

That’s where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you — and I — have to put a lot of trust and faith in Bloomberg and its reporters.

And in this day and age where “fake news” is splashed around wrongly and unfairly, for the sake of journalism, my only hope is they’re not wrong.

 

from: https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/

 

Supply Chain Security is the Whole Enchilada, But Who’s Willing to Pay for It?

 

From time to time, there emerge cybersecurity stories of such potential impact that they have the effect of making all other security concerns seem minuscule and trifling by comparison. Yesterday was one of those times. Bloomberg Businessweek on Thursday published a bombshell investigation alleging that Chinese cyber spies had used a U.S.-based tech firm to secretly embed tiny computer chips into electronic devices purchased and used by almost 30 different companies. There aren’t any corroborating accounts of this scoop so far, but it is both fascinating and terrifying to look at why threats to the global technology supply chain can be so difficult to detect, verify and counter.

In the context of computer and Internet security, supply chain security refers to the challenge of validating that a given piece of electronics — and by extension the software that powers those computing parts — does not include any extraneous or fraudulent components beyond what was specified by the company that paid for the production of said item.

In a nutshell, the Bloomberg story claims that San Jose, Calif. based tech giant Supermicro was somehow caught up in a plan to quietly insert a rice-sized computer chip on the circuit boards that get put into a variety of servers and electronic components purchased by major vendors, allegedly including Amazon and Apple. The chips were alleged to have spied on users of the devices and sent unspecified data back to the Chinese military.

It’s critical to note up top that Amazon, Apple and Supermicro have categorically denied most of the claims in the Bloomberg piece. That is, their positions refuting core components of the story would appear to leave little wiggle room for future backtracking on those statements. Amazon also penned a blog post that more emphatically stated their objections to the Bloomberg piece.

Nevertheless, Bloomberg reporters write that “the companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation.”

The story continues:

Today, Supermicro sells more server motherboards than almost anyone else. It also dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China.

Many readers have asked for my take on this piece. I heard similar allegations earlier this year about Supermicro and tried mightily to verify them but could not. That in itself should be zero gauge of the story’s potential merit. After all, I am just one guy, whereas this is the type of scoop that usually takes entire portions of a newsroom to research, report and vet. By Bloomberg’s own account, the story took more than a year to report and write, and cites 17 anonymous sources as confirming the activity.

Most of what I have to share here is based on conversations with some clueful people over the years who would probably find themselves confined to a tiny, windowless room for an extended period if their names or quotes ever showed up in a story like this, so I will tread carefully around this subject.

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list, “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

That example gives a whole new meaning to the term “supply chain,” doesn’t it? If Bloomberg’s reporting is accurate, that’s more or less what we’re dealing with here in Supermicro as well.

But here’s the thing: Even if you identify which technology vendors are guilty of supply-chain hacks, it can be difficult to enforce their banishment from the procurement chain. One reason is that it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today.

Take, for instance, the problem right now with insecure Internet of Things (IoT) devices — cheapo security cameras, Internet routers and digital video recorders — sold at places like Amazon and Walmart. Many of these IoT devices have become a major security problem because they are massively insecure by default and difficult if not also impractical to secure after they are sold and put into use.

For every company in China that produces these IoT devices, there are dozens of “white label” firms that market and/or sell the core electronic components as their own. So while security researchers might identify a set of security holes in IoT products made by one company whose products are white labeled by others, actually informing consumers about which third-party products include those vulnerabilities can be extremely challenging. In some cases, a technology vendor responsible for some part of this mess may simply go out of business or close its doors and re-emerge under different names and managers.

Mind you, there is no indication anyone is purposefully engineering so many of these IoT products to be insecure; a more likely explanation is that building in more security tends to make devices considerably more expensive and slower to market. In many cases, their insecurity stems from a combination of factors: They ship with every imaginable feature turned on by default; they bundle outdated software and firmware components; and their default settings are difficult or impossible for users to change.

We don’t often hear about intentional efforts to subvert the security of the technology supply chain simply because these incidents tend to get quickly classified by the military when they are discovered. But the U.S. Congress has held multiple hearings about supply chain security challenges, and the U.S. government has taken steps on several occasions to block Chinese tech companies from doing business with the federal government and/or U.S.-based firms.

Most recently, the Pentagon banned the sale of Chinese-made ZTE and Huawei phones on military bases, according to a Defense Department directive that cites security risks posed by the devices. The U.S. Department of Commerce also has instituted a seven-year export restriction for ZTE, resulting in a ban on U.S. component makers selling to ZTE.

Still, the issue here isn’t that we can’t trust technology products made in China. Indeed there are numerous examples of other countries — including the United States and its allies — slipping their own “backdoors” into hardware and software products.

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States.

Even if the U.S. government and Silicon Valley somehow mustered the funding and political will to do that, insisting that products sold to U.S. consumers or the U.S. government be made only with components made here in the U.S.A. would massively drive up the cost of all forms of technology. Consumers would almost certainly balk at buying these way more expensive devices. Years of experience has shown that consumers aren’t interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply.

Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

“Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the end product,” Schneier wrote in an opinion piece published earlier this year in The Washington Post. “No one wants to even think about a US-only anything; prices would multiply many times over. We cannot trust anyone, yet we have no choice but to trust everyone. No one is ready for the costs that solving this would entail.”

The Bloomberg piece also addresses this elephant in the room:

“The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

Another huge challenge of securing the technology supply chain is that it’s quite time consuming and expensive to detect when products may have been intentionally compromised during some part of the manufacturing process. Your typical motherboard of the kind produced by a company like Supermicro can include hundreds of chips, but it only takes one hinky chip to subvert the security of the entire product.

Also, most of the U.S. government’s efforts to police the global technology supply chain seem to be focused on preventing counterfeits — not finding secretly added spying components.

Finally, it’s not clear that private industry is up to the job, either. At least not yet.

“In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge,” the Bloomberg story concludes. “Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. ‘This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,’ one of the people present in McLean says. ‘You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.’”

For my part, I try not to spin my wheels worrying about things I can’t change, and the supply chain challenges definitely fit into that category. I’ll have some more thoughts on the supply chain problem and what we can do about it in an interview to be published next week.

But for the time being, there are some things worth thinking about that can help mitigate the threat from stealthy supply chain hacks. Writing for this week’s newsletter put out by the SANS Institute, a security training company based in Bethesda, Md., editorial board member William Hugh Murray has a few provocative thoughts:

1. Abandon the password for all but trivial applications. Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it.
2. Abandon the flat network. Secure and trusted communication now trump ease of any-to-any communication.
3. Move traffic monitoring from encouraged to essential.
4. Establish and maintain end-to-end encryption for all applications. Think TLS, VPNs, VLANs and physically segmented networks. Software Defined Networks put this within the budget of most enterprises.
5. Abandon the convenient but dangerously permissive default access control rule of “read/write/execute” in favor of restrictive “read/execute-only” or even better, “Least privilege.” Least privilege is expensive to administer but it is effective. Our current strategy of “ship low-quality early/patch late” is proving to be ineffective and more expensive in maintenance and breaches than we could ever have imagined.

 

from: https://krebsonsecurity.com/2018/10/supply-chain-security-is-the-whole-enchilada-but-whos-willing-to-pay-for-it/

 

 

04 OCT 2018

Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?

 

Analysis Chinese government agents sneaked spy chips into Super Micro servers used by Amazon, Apple, the US government, and about 30 other organizations, giving Beijing’s snoops access to highly sensitive data, according to a bombshell Bloomberg report today.

The story, which has been a year in the making and covers events it says happened three years ago, had a huge impact on the markets: the company at the center of the story, San Jose-based Super Micro, saw its share price drop by nearly 50 per cent; likewise Apple’s share price dropped by just under two per cent, and Amazon’s dropped by more than two per cent.

But the article has been strongly denied by the three main companies involved: Apple, Amazon, and Super Micro. Each has issued strong and seemingly unambiguous statements denying the existence and discovery of such chips or any investigation by the US intelligence services into the surveillance implants.

These statements will have gone through layers of lawyers to make sure they do not open these publicly traded corporations to lawsuits and securities fraud claims down the line. Similarly, Bloomberg employs veteran reporters and layers of editors, who check and refine stories, and has a zero tolerance for inaccuracies.

So which is true: did the Chinese government succeed in infiltrating the hardware supply chain and install spy chips in highly sensitive US systems; or did Bloomberg’s journalists go too far in their assertions? We’ll dig in.

The report

First up, the key details of the exclusive. According to the report, tiny microchips that were made to look like signal conditioning couplers were added to Super Micro data center server motherboards manufactured by sub-contractors based in China.

Those spy chips were not on the original board designs, and were secretly added after factory bosses were pressured or bribed into altering the blueprints, it is claimed. The surveillance chips, we’re told, contained enough memory and processing power to effectively backdoor the host systems so that outside agents could, say, meddle with the servers and exfiltrate information.

The Bloomberg article is not particularly technical, so a lot of us are having to guesstimate how the hack worked. From what we can tell, the spy chip was designed to look like an innocuous component on the motherboard with a few connector pins – just enough for power and a serial interface, perhaps. One version was sandwiched between the fiberglass layers of the PCB, it is claimed.

The spy chip could have been placed electrically between the baseboard management controller (BMC) and its SPI flash or serial EEPROM storage containing the BMC’s firmware. Thus, when the BMC fetched and executed its code from this memory, the spy chip would intercept the signals and modify the bitstream to inject malicious code into the BMC processor, allowing its masters to control the BMC.

The BMC is a crucial component on a server motherboard. It allows administrators to remotely monitor and repair machines, typically over a network, without having to find the box in a data center, physically pull it out of the rack, fix it, and re-rack it. The BMC and its firmware can be told to power-cycle the server, reinstall or modify the host operating system, mount additional storage containing malicious code and data, access a virtual keyboard and terminal connected to the computer, and so on. If you can reach the BMC and its software, you have total control over the box.

With the BMC compromised, it is possible the alleged spies modified the controller’s firmware and/or the host operating system and software to allow attackers to connect in or allow data to flow out. We’ve been covering BMC security issues for a while.

Here is Bloomberg’s layman explanation for how that snoop-chip worked: the component “manipulated the core operating instructions that tell the server what to do as data move across a motherboard… this happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow.”

There are a few things to bear in mind: one is that it should be possible to detect weird network traffic coming from the compromised machine, and another is that modifying BMC firmware on the fly to compromise the host system is non-trivial but also not impossible. Various methods are described, here.

“It is technically plausible,” said infosec expert and US military veteran Jake Williams in a hastily organized web conference on Thursday morning. “If I wanted to do this, this is how I’d do it.”

The BMC would be a “great place to put it,” said Williams, because the controller has access to the server’s main memory, allowing it to inject backdoor code into the host operating system kernel. From there, it could pull down second-stage spyware and execute it, assuming this doesn’t set off any firewall rules.

A third thing to consider is this: if true, a lot of effort went into this surveillance operation. It’s not the sort of thing that would be added to any Super Micro server shipping to any old company – it would be highly targeted to minimize its discovery. If you’ve bought Super Micro kit, it’s very unlikely it has a spy chip in it, we reckon, if the report is correct. Other than Apple and Amazon, the other 30 or so organizations that used allegedly compromised Super Micro boxes included a major bank and government contractors.

A fourth thing is this: why go to the bother of smuggling another chip on the board, when a chip already due to be placed in the circuitry could be tampered with during manufacture, using bribes and pressure? Why not switch the SPI flash chip with a backdoored one – one that looks identical to a legit one? Perhaps the disguised signal coupler was the best way to go.

And a fifth thing: the chip allegedly fits on a pencil tip. That it can intercept and rewrite data on the fly from SPI flash or a serial EEPROM is not impossible. However, it has to contain enough data to replace the fetched BMC firmware code, that then alters the running operating system or otherwise implements a viable backdoor. Either the chip pictured in Bloomberg’s article is incorrect and just an illustration, and the actual device is larger, or there is state-of-the-art custom semiconductor fabrication involved here.

 

One final point: you would expect corporations like Apple and Amazon to have in place systems that detect not only unexpected network traffic, but also unexpected operating system states. It should be possible that alterations to the kernel and the stack of software above it should set off alarms during or after boot.

Bloomberg claims the chip was first noticed in 2015 in a third-party security audit of Super Micro servers that was carried out when Amazon was doing due diligence into a company called Elemental Technologies that it was thinking of acquiring. Elemental used Super Micro’s servers to do super-fast video processing.

Big problem

Amazon reported what it found to the authorities and, according to Bloomberg, that “sent a shudder” through the intelligence community because similar motherboards were in use “in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.”

Around the same time, Apple also found the tiny chips, according to the report, “after detecting odd network activity and firmware problems.” Apple contacted the FBI and gave the agency access to the actual hardware. US intelligence agencies then tracked the hardware components backwards through the supply chain, and used their various spying programs to sift through intercepted communications, eventually ending up with a focus on four sub-contracting factories in China.

According to Bloomberg, the US intelligence agencies were then able to uncover how the seeding process worked: “Plant managers were approached by people who claimed to represent Super Micro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.”

This explanation seemingly passes the sniff test: it fits what we know of US intelligence agencies investigative approaches, their spy programs, and how the Chinese government works when interacting with private businesses.

The report then provides various forms of circumstantial evidence that adds weight to the idea that this all happened by pointing to subsequent actions of both Apple and Amazon. Apple ditched Super Micro entirely as a supplier, over the course of just a few weeks, despite planning to put in a massive order for thousands of motherboards. And Amazon sold off its Beijing data center to its local partner, Beijing Sinnet, for $300m.

 

from: https://www.theregister.co.uk/2018/10/04/supermicro_bloomberg/

 

 

07 SEP 2018

Supermicro wraps crypto-blanket around server firmware to hide it from malware injectors

 

Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers.

Security biz Eclypsium today said a weakness in the mechanism for updating a BMC’s firmware could be abused by an attacker to install and run malicious code that would be extremely difficult to remove.

A BMC is typically installed directly onto the motherboard of a server where it is able to directly control and manage the various hardware components of the server independent of the host and guest operating systems. It can also repair, alter, or reinstall the system software, and is remotely controlled over a network or dedicated channel by an administrator. It allows IT staff to manage, configure, and power cycle boxes from afar, which is handy for people looking after warehouses of machines.

Because BMCs operate at such a low level, they are also valuable targets for hackers.

In this case, Eclypsium says the firmware update code in Supermicro’s BMCs don’t bother to cryptographically verify whether or not the downloaded upgrade was issued by the manufacturer, leaving them vulnerable to tampering. The bug could be exploited to execute code that would then be able to withstand OS-level antivirus tools and reinstalls.

To do this, an attacker already on the data center network, or otherwise able to access the controllers, would need to intercept the firmware download, meddle with it, and pass it on to the hardware that will then blindly install it. Alternatively, a miscreant able to eavesdrop on and fiddle with internet traffic feeding into an organization could tamper with the IT team’s BMC firmware downloads, which again would be accepted by the controller.

“We found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage,” says Eclypsium.

“This effectively allows the attacker to load modified code onto the BMC.”

In addition to running malware code beneath the OS level, the researchers said the flaw could also be used to permanently brick the BMC or even the entire server. Even worse, a potential attack wouldn’t even necessarily require physical access to the server itself.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium warned.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

Fortunately, Eclypsium says it has already reported the bug to Supermicro, who responded by adding signature verification to the firmware update tool, effectively plugging this vulnerability. Admins are being advised to get in touch with their Supermicro security contacts to get the fix in place.

 

from: https://www.theregister.co.uk/2018/09/07/supermicro_bmcs_hole/

 

 

18 OCT 2018

Supply Chain Security 101: An Expert’s View

 

Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.

The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.

 

 

Below are some excerpts from our conversation. I learned quite bit, and I hope you will, too.

Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a pretty big threat, but also one that is really hard to counter.

Tony Sager (TS): The federal government has been worrying about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and didn’t have this massive internationalization of the technology supply chain.

But even then there were people who saw where this was all going, and there were some pretty big government programs to look into it.

BK: Right, the Trusted Foundry program I guess is a good example.

TS: Exactly. That was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work with, and where we have only cleared people and total control over the processes and parts.

BK: Why do you think more companies aren’t insisting on producing stuff through code and hardware foundries here in the U.S.?

TS: Like a lot of things in security, the economics always win. And eventually the cost differential for offshoring parts and labor overwhelmed attempts at managing that challenge.

BK: But certainly there are some areas of computer hardware and network design where you absolutely must have far greater integrity assurance?

TS: Right, and this is how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they’ve looked at is this whole business of whether someone might sneak something into the design of a nuclear weapon.

The basic design principle has been to assume that one person in the process may have been subverted somehow, and the whole design philosophy is built around making sure that no one person gets to sign off on what goes into a particular process, and that there is never unobserved control over any one aspect of the system. So, there are a lot of technical and procedural controls there.

But the bottom line is that doing this is really much harder [for non-nuclear electronic components] because of all the offshoring now of electronic parts, as well as the software that runs on top of that hardware.

BK: So is the government basically only interested in supply chain security so long as it affects stuff they want to buy and use?

TS: The government still has regular meetings on supply chain risk management, but there are no easy answers to this problem. The technical ability to detect something wrong has been outpaced by the ability to do something about it.

BK: Wait…what?

TS: Suppose a nation state dominates a piece of technology and in theory could plant something inside of it. The attacker in this case has a risk model, too. Yes, he could put something in the circuitry or design, but his risk of exposure also goes up.

Could I as an attacker control components that go into certain designs or products? Sure, but it’s often not very clear what the target is for that product, or how you will guarantee it gets used by your target. And there are still a limited set of bad guys who can pull that stuff off. In the past, it’s been much more lucrative for the attacker to attack the supply chain on the distribution side, to go after targeted machines in targeted markets to lessen the exposure of this activity.

BK: So targeting your attack becomes problematic if you’re not really limiting the scope of targets that get hit with compromised hardware.

TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting.

BK: Can you talk about some of the things the government has typically done to figure out whether a given technology supplier might be trying to slip in a few compromised devices among an order of many?

TS: There’s this concept of the “blind buy,” where if you think the threat vector is someone gets into my supply chain and subverts the security of individual machines or groups of machines, the government figures out a way to purchase specific systems so that no one can target them. In other words, the seller doesn’t know it’s the government who’s buying it. This is a pretty standard technique to get past this, but it’s an ongoing cat and mouse game to be sure.

BK: I know you said before this interview that you weren’t prepared to comment on the specific claims in the recent Bloomberg article, but it does seem that supply chain attacks targeting cloud providers could be very attractive for an attacker. Can you talk about how the big cloud providers could mitigate the threat of incorporating factory-compromised hardware into their operations?

TS: It’s certainly a natural place to attack, but it’s also a complicated place to attack — particularly the very nature of the cloud, which is many tenants on one machine. If you’re attacking a target with on-premise technology, that’s pretty simple. But the purpose of the cloud is to abstract machines and make more efficient use of the same resources, so that there could be many users on a given machine. So how do you target that in a supply chain attack?

BK: Is there anything about the way these cloud-based companies operate….maybe just sheer scale…that makes them perhaps uniquely more resilient to supply chain attacks vis-a-vis companies in other industries?

TS: That’s a great question. The counter positive trend is that in order to get the kind of speed and scale that the Googles and Amazons and Microsofts of the world want and need, these companies are far less inclined now to just take off-the-shelf hardware and they’re actually now more inclined to build their own.

BK: Can you give some examples?

TS: There’s a fair amount of discussion among these cloud providers about commonalities — what parts of design could they cooperate on so there’s a marketplace for all of them to draw upon. And so we’re starting to see a real shift from off-the-shelf components to things that the service provider is either designing or pretty closely involved in the design, and so they can also build in security controls for that hardware. Now, if you’re counting on people to exactly implement designs, you have a different problem. But these are really complex technologies, so it’s non-trivial to insert backdoors. It gets harder and harder to hide those kinds of things.

BK: That’s interesting, given how much each of us have tied up in various cloud platforms. Are there other examples of how the cloud providers can make it harder for attackers who might seek to subvert their services through supply chain shenanigans?

TS: One factor is they’re rolling this technology out fairly regularly, and on top of that the shelf life of technology for these cloud providers is now a very small number of years. They all want faster, more efficient, powerful hardware, and a dynamic environment is much harder to attack. This actually turns out to be a very expensive problem for the attacker because it might have taken them a year to get that foothold, but in a lot of cases the short shelf life of this technology [with the cloud providers] is really raising the costs for the attackers.

When I looked at what Amazon and Google and Microsoft are pushing for it’s really a lot of horsepower going into the architecture and designs that support that service model, including the building in of more and more security right up front. Yes, they’re still making lots of use of non-U.S. made parts, but they’re really aware of that when they do. That doesn’t mean these kinds of supply chain attacks are impossible to pull off, but by the same token they don’t get easier with time.

BK: It seems to me that the majority of the government’s efforts to help secure the tech supply chain come in the form of looking for counterfeit products that might somehow wind up in tanks and ships and planes and cause problems there — as opposed to using that microscope to look at commercial technology. Do you think that’s accurate?

TS: I think that’s a fair characterization. It’s a logistical issue. This problem of counterfeits is a related problem. Transparency is one general design philosophy. Another is accountability and traceability back to a source. There’s this buzzphrase that if you can’t build in security then build in accountability. Basically the notion there was you often can’t build in the best or perfect security, but if you can build in accountability and traceability, that’s a pretty powerful deterrent as well as a necessary aid.

BK: For example….?

TS: Well, there’s this emphasis on high quality and unchangeable logging. If you can build strong accountability that if something goes wrong I can trace it back to who caused that, I can trace it back far enough to make the problem more technically difficult for the attacker. Once I know I can trace back the construction of a computer board to a certain place, you’ve built a different kind of security challenge for the attacker. So the notion there is while you may not be able to prevent every attack, this causes the attacker different kinds of difficulties, which is good news for the defense.

BK: So is supply chain security more of a physical security or cybersecurity problem?

TS: We like to think of this as we’re fighting in cyber all the time, but often that’s not true. If you can force attackers to subvert your supply chain, they you first off take away the mid-level criminal elements and you force the attackers to do things that are outside the cyber domain, such as set up front companies, bribe humans, etc. And in those domains — particularly the human dimension — we have other mechanisms that are detectors of activity there.

BK: What role does network monitoring play here? I’m hearing a lot right now from tech experts who say organizations should be able to detect supply chain compromises because at some point they should be able to see truckloads of data leaving their networks if they’re doing network monitoring right. What do you think about the role of effective network monitoring in fighting potential supply chain attacks.

TS:  I’m not so optimistic about that. It’s too easy to hide. Monitoring is about finding anomalies, either in the volume or type of traffic you’d expect to see. It’s a hard problem category. For the US government, with perimeter monitoring there’s always a trade off in the ability to monitor traffic and the natural movement of the entire Internet towards encryption by default. So a lot of things we don’t get to touch because of tunneling and encryption, and the Department of Defense in particular has really struggled with this.

Now obviously what you can do is man-in-the-middle traffic with proxies and inspect everything there, and the perimeter of the network is ideally where you’d like to do that, but the speed and volume of the traffic is often just too great.

BK: Isn’t the government already doing this with the “trusted internet connections” or Einstein program, where they consolidate all this traffic at the gateways and try to inspect what’s going in and out?

TS: Yes, so they’re creating a highest volume, highest speed problem. To monitor that and to not interrupt traffic you have to have bleeding edge technology to do that, and then handle a ton of it which is already encrypted. If you’re going to try to proxy that, break it out, do the inspection and then re-encrypt the data, a lot of times that’s hard to keep up with technically and speed-wise.

BK: Does that mean it’s a waste of time to do this monitoring at the perimeter?

TS: No. The initial foothold by the attacker could have easily been via a legitimate tunnel and someone took over an account inside the enterprise. The real meaning of a particular stream of packets coming through the perimeter you may not know until that thing gets through and executes. So you can’t solve every problem at the perimeter. Some things only because obvious and make sense to catch them when they open up at the desktop.

BK: Do you see any parallels between the challenges of securing the supply chain and the challenges of getting companies to secure Internet of Things (IoT) devices so that they don’t continue to become a national security threat for just about any critical infrastructure, such as with DDoS attacks like we’ve seen over the past few years?

TS: Absolutely, and again the economics of security are so compelling. With IoT we have the cheapest possible parts, devices with a relatively short life span and it’s interesting to hear people talking about regulation around IoT. But a lot of the discussion I’ve heard recently does not revolve around top-down solutions but more like how do we learn from places like the Food and Drug Administration about certification of medical devices. In other words, are there known characteristics that we would like to see these devices put through before they become in some generic sense safe.

BK: How much of addressing the IoT and supply chain problems is about being able to look at the code that powers the hardware and finding the vulnerabilities there? Where does accountability come in?

TS: I used to look at other peoples’ software for a living and find zero-day bugs. What I realized was that our ability to find things as human beings with limited technology was never going to solve the problem. The deterrent effect that people believed someone was inspecting their software usually got more positive results than the actual looking. If they were going to make a mistake – deliberately or otherwise — they would have to work hard at it and if there was some method of transparency, us finding the one or two and making a big deal of it when we did was often enough of a deterrent.

BK: Sounds like an approach that would work well to help us feel better about the security and code inside of these election machines that have become the subject of so much intense scrutiny of late.

TS: We’re definitely going through this now in thinking about the election devices. We’re kind of going through this classic argument where hackers are carrying the noble flag of truth and vendors are hunkering down on liability. So some of the vendors seem willing to do something different, but at the same time they’re kind of trapped now by the good intentions of open vulnerability community.

The question is, how do we bring some level of transparency to the process, but probably short of vendors exposing their trade secrets and the code to the world? What is it that they can demonstrate in terms of cost effectiveness of development practices to scrub out some of the problems before they get out there. This is important, because elections need one outcome: Public confidence in the outcome. And of course, one way to do that is through greater transparency.

BK: What, if anything, are the takeaways for the average user here? With the proliferation of IoT devices in consumer homes, is there any hope that we’ll see more tools that help people gain more control over how these systems are behaving on the local network?

TS: Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond ability of small businesses to grapple with this. It’s in fact outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.

It’s now almost impossible to for consumers to buy electronics stuff that isn’t Internet-connected. The chipsets are so cheap and the ability for every device to have its own Wi-Fi chip built in means that [manufacturers] are adding them whether it makes sense to or not. I think we’ll see more security coming into the marketplace to manage devices. So for example you might define rules that say appliances can talk to the manufacturer only. 

We’re going to see more easy-to-use tools available to consumers to help manage all these devices. We’re starting to see the fight for dominance in this space already at the home gateway and network management level. As these devices get more numerous and complicated, there will be more consumer oriented ways to manage them. Some of the broadband providers already offer services that will tell what devices are operating in your home and let users control when those various devices are allowed to talk to the Internet.

 

Since Bloomberg’s story broke, The U.S. Department of Homeland Security and the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ, both came out with statements saying they had no reason to doubt vehement denials by Amazon and Apple that they were affected by any incidents involving Supermicro’s supply chain security. Apple also penned a strongly-worded letter to lawmakers denying claims in the story.

Meanwhile, Bloomberg reporters published a follow-up story citing new, on-the-record evidence to back up claims made in their original story.

 

from: https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/

 

 

09 OCT 2018 – Bloomberg Follow-Up

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

 

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

 

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.

Supermicro, based in San Jose, California, gave this statement: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”

Bloomberg News first contacted Supermicro for comment on this story on Monday at 9:23 a.m. Eastern time and gave the company 24 hours to respond.

Supermicro said after the earlier story that it “strongly refutes” reports that servers it sold to customers contained malicious microchips. China’s embassy in Washington did not return a request for comment Monday. In response to the earlier Bloomberg Businessweek investigation, China’s Ministry of Foreign Affairs didn’t directly address questions about the manipulation of Supermicro servers but said supply chain security is “an issue of common concern, and China is also a victim.”

Supermicro shares plunged 41 percent last Thursday, the most since it became a public company in 2007, following the Bloomberg Businessweek revelations about the hacked servers. They fell as much as 27 percent on Tuesday after the latest story.

The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the `Silicon Valley of Hardware,’ and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.

The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company’s technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It’s not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.

AT&T Inc. spokesman Fletcher Cook said, “These devices are not part of our network, and we are not affected.” A Verizon Communications Inc. spokesman said “we’re not affected.”

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time. 

In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been “aware of an issue” connected to Supermicro products since June.  Trond Ovstedal, a spokesman for the agency, later added to that statement, saying the agency was alerted to the concerns by someone who had heard of them via Bloomberg’s news gathering efforts. In its initial statement, the authority couldn’t confirm the details of Bloomberg’s reporting, but said that it has recently been in dialogue with partners over the issue.

Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.  

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”

 

from: https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found-in-u-s-telecom

 

 

 

 

Israel’s national securities regulator is now using blockchain to improve data integrity
for its messaging system, online voting, and critical reports storage.

 

 

from: https://cointelegraph.com/news/israel-securities-authority-turns-to-blockchain-for-improving-cybersecurity

 

 

 

Huge impact in the Blockchain space, where Telegram is so popular: recon made easy.
Having the IP allows for much easier wallet- and crypto-jacking hacks / attacks
(also sad: with a $2 billion ICO, this is the best quality they can offer?).

 

A vulnerability in Telegram Desktop results in the end-user public and private IP addresses being leaked during a call, a security researcher has discovered.

A cloud-based instant messaging and voice-over-IP service, Telegram was designed to provide users with secure communication capabilities, as messages are heavily encrypted and can self-destruct.

Tracked as CVE-2018-17780, the newly discovered issue affects Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on Windows, and is the result of a default, unsafe behavior where peer-to-peer (P2P) connections are accepted from clients outside of the My Contacts list.

Security researcher Dhiraj Mishra discovered that a default setting where Telegram clients used P2P connections while initiating a call could result in the user’s IP address being leaked.

Additional connection options are available in Settings > Privacy and security > Calls > peer-to-peer, but there was no option for setting “P2P > nobody” in tdesktop and Telegram for Windows, thus causing a privacy issue, the researcher says.

According to Mishra, a user’s IP address could leak on Telegram for Android as well, provided that the option hasn’t been set to “Settings > Privacy and security > Calls > peer-to-peer > nobody.” However, the Android client does provide the option.

To trigger the vulnerability in tdesktop, one would simply need to launch the application and initiate a call to another user, as the client would leak the IP address during call initialization.

The bug manifests itself even for incoming calls, with the recipient being able to view the public/private IP address of the caller in logs. The IP leaks even if the call is made from a Windows Phone.

“Not only the MTProto Mobile Protocol fails here in covering the IP address, rather such information can also be used for OSINT,” the researcher notes.

[Open-Source INTelligence = OSINT: is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources). It is not related to open-source software or public intelligence. — see also: https://en.wikipedia.org/wiki/Open-source_intelligence — TJACK]

Telegram Desktop 1.3.17 beta and v1.4.0 are no longer impacted. The vulnerability has been addressed with the addition of an option for setting P2P to Nobody/My contacts. Mishra received a €2000 ($2300) bug bounty reward for the discovery.

 

from: https://www.securityweek.com/telegram-leaks-user-ip-addresses

 

 

 

Through five new startup programs, Cyber NYC is the city’s bold plan to dominate cybersecurity this century

Empires rise and fall, and none more so than business empires. Whole industries that once dominated the planet are just a figment in memory’s eye, while new industries quietly grow into massive behemoths.

New York City has certainly seen its share of empires. Today, the city is a global center of finance, real estate, legal services, technology, and many, many more industries. It hosts the headquarters of roughly 10% of the Fortune 500, and the metro’s GDP is roughly equivalent to that of Canada.

So much wealth and power, and all under constant attack. The value of technology and data has skyrocketed, and so has the value of stealing and disrupting the services that rely upon it. Cyber crime and cyber wars are adding up: according to a report published jointly between McAfee and the Center for Strategic and International Studies, the costs of these operations are in the hundreds of billions of dollars – and New York’s top industries such as financial services bear the brunt of the losses.

Yet, New York City has hardly been a bastion for the cybersecurity industry. Boston and Washington DC are far stronger today on the Acela corridor, and San Francisco and Israel have both made huge impacts on the space. Now, NYC’s leaders are looking to build a whole new local empire that might just act as a bulwark for its other leading ecosystems.

Today, the New York City Economic Development Corporation (NYCEDC) announced the launch of Cyber NYC, a $30 million “catalyzing” investment designed to rapidly grow the city’s ecosystem and infrastructure for cybersecurity.

 

 

James Patchett, CEO of NYCEDC, explained in an interview with TechCrunch that cybersecurity is “both an incredible opportunity and also a huge threat.” He noted that “the financial industry has been the lifeblood of this city for our entire history,” and the costs of cybercrime are rising quickly. “It’s a lose-lose if we fail to invest in the innovation that keeps the city strong” but “it’s a win if we can create all of that innovation here and the corresponding jobs,” he said.

The Cyber NYC program is made up of a constellation of programs:

• Partnering with Jerusalem Venture Partners, an accelerator called Hub.NYC will develop enterprise cybersecurity companies by connecting them with advisors and customers. The program will be hosted in a nearly 100,000 square foot building in SoHo.
• Partnering with SOSA, the city will create a new, 15,000 square foot Global Cyber Center co-working facility in Chelsea, where talented individuals in the cyber industry can hang out and learn from each other through event programming and meetups.
• With Fullstack Academy and Laguardia Community College, a Cyber Boot Camp will be created to enhance the ability of local workers to find jobs in the cybersecurity space.
• Through an “Applied Learning Initiative,” students will be able to earn a “CUNY-Facebook Master’s Degree” in cybersecurity. The program has participation from the City University of New York, New York University, Columbia University, Cornell Tech, and iQ4.
• With Columbia University’s Technology Ventures, NYCEDC will introduce a program called Inventors to Founders that will work to commercialize university research.

 

 

In addition to Facebook, other companies have made commitments to the program, including Goldman Sachs, MasterCard, PricewaterhouseCoopers, and edX.org. Two Goldman execs, Chief Operational Risk Officer Phil Venables and Chief Information Security Officer Andy Ozment, have joined the initiative’s advisory boards.

The NYCEDC estimates that there are roughly 6,000 cybersecurity professionals currently employed in New York City. Through these programs, it estimates that the number could increase by another 10,000. Patchett said that “it is as close to a no-brainer in economic development because of the opportunity and the risk.”

From Jerusalem to New York

To tackle its ambitious cybersecurity goals, the NYCEDC is partnering with two venture firms, Jerusalem Venture Partners (JVP) and SOSA, with significant experience investing, operating, and growing companies in the sector.

Jerusalem-based JVP is an established investor that should help founders at Hub.NYC get access to smart capital, sector expertise, and the entrepreneurial experience needed to help their startups scale. JVP invests in early-, late-, and growth-stage companies focused on cybersecurity, big data, media, and enterprise software.

 

 

Erel Margalit, who founded the firm in 1993, said that “If you look at what JVP has done … we create ecosystems.” Working with Jerusalem’s metro government, Margalit and the firm pioneered a number of institutions such as accelerators that turned Israel into an economic powerhouse in the cybersecurity industry. His social and economic work eventually led him to the Knesset, Israel’s unicameral legislature, where he served as an MP from 2015-2017 with the Labor Party.

Israel is a very small country with a relative dearth of large companies though, a huge challenge for startups looking to scale up. “Today if you want to build the next-generation leading companies, you have to be not only where the ideas are being brewed, but also where the solutions are being [purchased],” Margalit explained. “You need to be working with the biggest customers in the world.”

That place, in his mind, is New York City. It’s a city he has known since his youth – he worked at Moshe’s Moving IN NYC while attending Columbia as a grad student where he got his PhD in philosophy. Now, he can pack up his own success from Israel and scale it up to an even larger ecosystem.

Since its founding, JVP has successfully raised $1.1 billion across eight funds, including a $60 million fund specifically focused on the cybersecurity space. Over the same period, the firm has seen 32 successful exits, including cybersecurity companies CyberArk (IPO in 2014) and CyActive (Acquired by PayPal in 2013).

JVP’s efforts in the cybersecurity space also go beyond the investment process, with the firm recently establishing an incubator, known as JVP Cyber Labs, specifically focused on identifying, nurturing and building the next wave of Israeli cybersecurity and big data companies.

On average, the firm has focused on deals in the $5-$10 million range, with a general proclivity for earlier-stage companies where the firm can take a more hands-on mentorship role. Some of JVP’s notable active portfolio companies include Source Defense, which uses automation to protect against website supply chain attacks, ThetaRay, which uses big data to analyze threats, and Morphisec, which sells endpoint security solutions.

Opening up innovation with SOSA

The self-described “open-innovation platform,” SOSA is a global network of corporations, investors, and entrepreneurs that connects major institutions with innovative startups tackling core needs.

SOSA works closely with its partner startups, providing investor sourcing, hands-on mentorship and the physical resources needed to achieve growth. The group’s areas of expertise include cybersecurity, fintech, automation, energy, mobility, and logistics. Though headquartered in Tel Aviv, SOSA recently opened an innovation lab in New York, backed by major partners including HP, RBC, and Jefferies.

With the eight-floor Global Cyber Center located in Chelsea, it is turning its attention to an even more ambitious agenda. Uzi Scheffer, CEO of SOSA, said to TechCrunch in a statement that “The Global Cyber Center will serve as a center of gravity for the entire cybersecurity industry where they can meet, interact and connect to the finest talent from New York, the States, Israel and our entire global network.”

 

 

With an already established presence in New York, SOSA’s local network could help spur the local corporate participation key to the EDC’s plan, while SOSA’s broader global network can help achieve aspirations of turning New York City into a global cybersecurity leader.

It is no coincidence that both of the EDC’s venture partners are familiar with the Israeli cybersecurity ecosystem. Israel has long been viewed as a leader in cybersecurity innovation and policy, and has benefited from the same successful public-private sector coordination New York hopes to replicate.

Furthermore, while New York hopes to create organic growth within its own local ecosystem, the partnerships could also benefit the city if leading Israeli cybersecurity companies look to relocate due to the limited size of the Israeli market.

Big plans, big results?

While we spent comparatively less time discussing them, the NYCEDC’s educational programs are particularly interesting. Students will be able to take classes at any university in the five-member consortium, and transfer credits freely, a concept that the NYCEDC bills as “stackable certificates.”

Meanwhile, Facebook has partnered with the City University of New York to create a professional master’s degree program to train up a new class of cybersecurity leaders. The idea is to provide a pathway to a widely-respected credential without having to take too much time off of work. NYCEDC CEO Patchett said, ”you probably don’t have the time to take two years off to do a masters program,” and so the program’s flexibility should provide better access to more professionals.

Together, all of these disparate programs add up to a bold attempt to put New York City on the map for cybersecurity. Talent development, founder development, customer development – all have been addressed with capital and new initiatives.

 

 

Yet, despite the time that NYCEDC has spent to put all of these partners together cohesively under one initiative, the real challenge starts with getting the community to participate and build upon these nascent institutions. “What we hear from folks a lot of time,” Patchett said to us, is that “there is no community for cyber professionals in New York City.” Now the buildings have been placed, but the people need to walk through the front doors.

The city wants these programs to be self-sustaining as soon as possible. “In all cases, we don’t want to support these ecosystems forever,” Patchett said. “If we don’t think they’re financially sustainable, we haven’t done our job right.” He believes that “there should be a natural incentive to invest once the ecosystem is off the ground.”

As the world encounters an ever-increasing array of cyber threats, old empires can falter – and new empires can grow. Cybersecurity may well be one of the next great industries, and it may just provide the needed defenses to ensure that New York City’s other empires can live another day.

 

from: https://techcrunch.com/2018/10/02/nyc-wants-to-build-a-cyber-army/

 

 

 

 

Triffin Dilemma refers to the conflicting interests between national and global monetary policy for a country whose currency is used as the world’s reserve.
(more on that below)

 

Cryptocurrencies could serve as a possible solution to disparities currently faced by the U.S. dollar, an economist with the Federal Reserve Bank of St. Louis said Tuesday.

During an hour-long question-and-answer session, the Federal Reserve Bank of St. Louis – one of 12 regional banks that make up the U.S. central banking system – answered questions on Twitter with economist David Andolfatto, who is a vice president in the bank’s research division.

During the session, one user asked whether cryptocurrencies can be used to solve the 50-year-old Triffin Dilemma, which refers to the conflicting interests between national and global monetary policy for a country whose currency is used as the world’s reserve.

Specifically, it refers to the U.S. dollar, which has been considered a world reserve currency for decades. In order to maintain this role, the U.S. must incur a trade deficit.

When posed the Triffin Dilemma question, Andolfatto responded:

“The Triffin Dilemma refers to the double-edged sword of possessing a currency that serves as the world reserve currency. If a private cryptocurrency were to replace a given world reserve currency, this would eliminate the dilemma for that currency.”

Other questions asked during the session ranged from whether Andolfatto thought a cryptocurrency could replace the U.S. dollar or whether the Federal Reserve is likely to ever consider monetary policy in terms of cryptocurrencies.

The economist demurred on both counts, noting that cryptocurrencies are essentially private monies, and therefore not something that would fall under the central bank’s purview.

Moreover, because there is “no need for decentralized consensus based record keeping” for the dollar, he does not see it being replaced with a cryptocurrency.

Andolfatto also does not see the demand for cryptocurrencies supplanting the demand for existing reserve currencies, he added.

 

from: https://www.coindesk.com/brazil-moves-to-probe-banks-after-crypto-exchanges-denied-services/

 

 

How The Triffin Dilemma Affects Currencies

By Brent Radcliffe | October 26, 2011

 

In October 1959, a Yale professor sat in front of Congress’ Joint Economic Committee and calmly announced that the Bretton Woods system was doomed. The dollar could not survive as the world’s reserve currency without requiring the United States to run ever-growing deficits. This dismal scientist was Belgium-born Robert Triffin, and he was right. The Bretton Woods system collapsed in 1971, and today the dollar’s role as the reserve currency has the United States running the largest current account deficit in the world.

For much of the 20th century, the U.S. dollar was the currency of choice. Central banks and investors alike bought dollars to hold as foreign exchange reserves, and with good reason. The U.S. had a stable political climate, did not experience the ravages of world wars like Europe had and had a steadily growing economy that was large enough to absorb shocks.

By “agreeing” to have its currency used as a reserve currency, a country pins its hands behind its back. In order to keep the global economy chugging along, it may have to inject large amounts of currency into circulation, driving up inflation at home. The more popular the reserve currency is relative to other currencies, the higher its exchange rate and the less competitive domestic exporting industries become. This causes a trade deficit for the currency-issuing country, but makes the world happy. If the reserve currency country instead decides to focus on domestic monetary policy by not issuing more currency then the world is unhappy. (To know more about the relationship between trade and currency, read: Global Trade And The Currency Market. )

Reserve Currency Paradox
Becoming a reserve currency presents countries with a paradox. They want the “interest-free” loan generated by selling currency to foreign governments, and the ability to raise capital quickly, because of high demand for reserve currency-denominated bonds. At the same time they want to be able to use capital and monetary policy to ensure that domestic industries are competitive in the world market, and to make sure that the domestic economy is healthy and not running large trade deficits. Unfortunately, both of these ideas – cheap sources of capital and positive trade balances – can’t really happen at the same time.

This is the Triffin dilemma, named after Robert Triffin, an economist who wrote of the impending doom of the Bretton Woods system in his 1960 book “Gold and the Dollar Crisis: The Future of Convertibility.” He pointed out that the years of pumping dollars into the world economy through post-war programs, such as the Marshall Plan, was making it increasingly difficult to stick to the gold standard. In order to maintain the standard, the country had to both instill international confidence by having a current account surplus while also having a current account deficit by providing immediate access to gold.

Issuing a reserve currency means that monetary policy is no longer a domestic-only issue – it’s international. Governments have to balance the desire to keep unemployment low and economic growth steady with its responsibility to make monetary decisions that will benefit other countries. The reserve currency status is, thus, a threat to national sovereignty.

Another Reserve Currency
What would happen if another currency, such as China’s yuan, were to become the world’s reserve currency of choice? The dollar would likely depreciate relative to other currencies, which could boost exports and lower the trade deficit. The bigger issue, however, would be an increase in borrowing costs as demand for a constant flow of dollars tapered off, which could have a severe impact on the ability of the U.S. to repay its debt or fund domestic programs. China, on the other hand, will have to quickly modernize a financial system, long lamented for protecting its export-led industries, through currency manipulation. Demand for yuan convertibility means that China’s central bank would have to relax regulations relating to yuan-denominated bonds.

There is another possibility for reducing the pressures countries face trying to maintain reserve currency status: a new international monetary system. This isn’t a new idea, having been floated for several decades as a potential solution. One possibility is the special drawing right, type of reserve asset maintained by a global institution, such as the International Monetary Fund (IMF). While this is not a currency, it does represent a claim by other countries on foreign exchange assets. A more radical idea would be to create a global currency, a concept pushed by John Maynard Keynes, with a value based on gold or based on the mechanizations of a global central bank. This is probably the more complex solution available, and does present problems relating to sovereignty, stability and administration. After all, how can you hold an organization accountable that is voluntary? (To gain more knowledge about IMF, check out: An Introduction To The International Monetary Fund (IMF).

The Bottom Line
In the short-term, the prospect of a reserve currency replacing the dollar is slim to none. Despite the economic and political problems facing the United States its “safe haven” status is hard to beat, especially in light of the plight of the euro. It is hard to parse out what exactly would happen if the dollar were to be overtaken by another currency, and it is equally difficult to predict what budgetary and austerity measures in Europe and the United States will do to the global economy in the coming years.

 

from: https://www.investopedia.com/financial-edge/1011/how-the-triffin-dilemma-affects-currencies.aspx

TUTORIAL: The US Federal Reserve: Introduction

 

 

 

A new patent awarded to tech giant IBM highlights how blockchain tech might play a role in monitoring security breaches within computer networks.

First filed in September 2017 and awarded Tuesday by the U.S. Patent and Trademark Office (USPTO), the patent outlines how a network of monitors connected to a blockchain platform can log events on the network, including potential intrusions. While attackers may try to hide signs of their work on one monitor, having multiple backups of that information will help ensure that such events are still logged, according to IBM.

“On a computer system or network, data may be monitored for many different purposes. Data monitoring may identify problems, observe conditions or track metrics by logging the events of a given computer system or network,” the patent states. Securing such data is critical for a company.

To that end, Big Blue notes that companies may set up a system of devices to monitor attempted intrusions on the distributed network, using node consensus to flag any irregularities.

The patent explains:

“Having synchronized monitors set up in a blockchain configuration ensures consensus among the monitors. Since one monitor alone cannot alter the event log in the past or cannot fake the event log in the future, if one monitor is hacked, then there may be no consensus among the synchronized monitors and the event may not get written into the log.”

The sensors allow consensus by passing the same information to more than one monitor. When monitors are validating information, if data for an event or transaction does not match, then one monitor may have been compromised.

In such an event, this “may alert the monitor security program of inconsistent data,” which in turn warns the system administrators that there is an issue.

Using blockchain technology to highlight irregularities in this way, would therefore “create a less vulnerable network” according to IBM.

 

from: https://www.coindesk.com/ibm-wins-patent-for-blockchain-based-network-security-system/

 

 

 

One Small Step for the Web…

I’ve always believed the web is for everyone. That’s why I and others fight fiercely to protect it. The changes we’ve managed to bring have created a better and more connected world. But for all the good we’ve achieved, the web has evolved into an engine of inequity and division; swayed by powerful forces who use it for their own agendas.

Today, I believe we’ve reached a critical tipping point, and that powerful change for the better is possible — and necessary.

This is why I have, over recent years, been working with a few people at MIT and elsewhere to develop Solid, an open-source project to restore the power and agency of individuals on the web.

Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way.

Solid is a platform, built using the existing web. It gives every user a choice about where data is stored, which specific people and groups can access select elements, and which apps you use. It allows you, your family and colleagues, to link and share data with anyone. It allows people to look at the same data with different apps at the same time.

Solid unleashes incredible opportunities for creativity, problem-solving and commerce. It will empower individuals, developers and businesses with entirely new ways to conceive, build and find innovative, trusted and beneficial applications and services. I see multiple market possibilities, including Solid apps and Solid data storage.

Data should empower you

Solid is guided by the principle of “personal empowerment through data” which we believe is fundamental to the success of the next era of the web. We believe data should empower each of us.

Imagine if all your current apps talked to each other, collaborating and conceiving ways to enrich and streamline your personal life and business objectives? That’s the kind of innovation, intelligence and creativity Solid apps will generate.

With Solid, you will have far more personal agency over data — you decide which apps can access it.

Injecting momentum

In 2009, I said, “The web as I envisaged it we have not seen yet.” That was because people were using the web just for documents, not for the data of a big web-wide computer. Since then, we have seen a wave of open data, but not of read-write data. For example, much open government data is produced through a one-way pipeline, so we can only view it. With Solid, it becomes a read-write web where users can interact and innovate, collaborate and share.

Meanwhile though, there is a wave of concern, and related energy, desperate for change. People want to have a web they can trust. People want apps that help them do what they want and need to do — without spying on them. Apps that don’t have an ulterior motive of distracting them with propositions to buy this or that. People will pay for this kind of quality and assurance. For example, today people pay for storage in places like Dropbox. There is a need for Solid, and the different, beneficial approach it will provide.

It is going to take a lot of effort to build the new Solid platform and drive broad adoption but I think we have enough energy to take the world to a new tipping point.

So I have taken a sabbatical from MIT, reduced my day-to-day involvement with the World Wide Web Consortium (W3C) and founded a company called inrupt where I will be guiding the next stage of the web in a very direct way. Inrupt will be the infrastructure allowing Solid to flourish. Its mission is to provide commercial energy and an ecosystem to help protect the integrity and quality of the new web built on Solid.

There are many examples of open-source efforts that have benefited hugely from the contribution of a well-resourced company. While the open-source community provides initiative and a deep source of innovation, everyday web users as well as businesses often look for applications and services from a commercial entity that also provides technical support and vital, ancillary business services.

I believe this same model will be critical to the success of Solid. Inrupt’s success is totally aligned to Solid’s success. My partner and inrupt co-founder is John Bruce, an experienced business leader with the skills to execute on my vision for Solid. We share the same passion for creating a better and more balanced web.

Together, Solid and inrupt will provide new experiences benefitting every web user — and that are impossible on the web today. Where individuals, developers and businesses create and find innovative, life- and business-enriching, applications and services. Where we all find trusted services for storing, securing and managing personal data.

I’m incredibly optimistic for this next era of the web.

I’ll still be acting as Founder and Director of W3C, the Web Foundation and the Open Data Institute as these are vital components for protecting what has been — and what will come. Inrupt, a W3C member, uses many existing standards and is part of the standards-building community. The Web Foundation advocates for data rights as part of its mission to advance a free and open web that benefits humanity. And the Open Data Institute’s drive to make data as open as possible while respecting privacy is very relevant. I wear many hats and when I’m working in each capacity, I’ll always try to act according to the interests of that organization.

These are very exciting times. I will be committed to steering the direction of Solid, and developing its future governance. Inrupt will do many things: its first priority will be the Solid ecosystem. With the right values and a foundational corporate infrastructure, we will build beneficial systems that work for everyone.

The future is still so much bigger than the past.

Follow our work here at inrupt and Solid

Read inrupt’s CEO’s blog post: “A New World of Opportunity”

Follow inrupt on Twitter

Questions? Email: info@inrupt.com

from: https://medium.com/@timberners_lee/one-small-step-for-the-web-87f92217d085

see also: https://solid.inrupt.com/docs

 

 

 

The evolving IoT botnet is able to compromise an impressive array of architectures.

 

A new botnet which specializes in the compromise of Internet of Things (IoT) devices has been discovered which contains unprecedented levels of sophistication.

The botnet, dubbed Torii, is a cut above both the Mirai and QBot variants, according to researchers from Avast, as it possesses sophistication “a level above anything we have seen before.”

First discovered by a security researcher that goes under the Twitter handle VessOnSecurity, a strain of Torii was detected after hitting one of the researcher’s honeypots.

 

 

“The script is quite sophisticated, unlike the usual Mirai crap,” Vess tweeted. “The author is not your average script kiddie Mirai modder.”

Avast’s examination of the botnet revealed that Torii has likely been developed by someone with a thorough understanding of how botnets operate, rather than taking the bolt-on approach we have seen through recent Mirai variants, made possible after the public release of the IoT botnet’s source code in 2016.

The security firm says that Torii differs not only in terms of sophistication but also the variety of “advanced techniques” it uses.

“[Torii] comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication,” Avast says.

The botnet, believed to have been in operation since 2017, also has targeting capabilities not often seen in botnet variants. The system is able to infect architectures including MIPS, ARM, x86, x64, PowerPC, and SuperH, among others.

The discovery of the botnet was based on Telnet attacks emerging from Tor exit nodes. The botnet is able to take advantage of the use of weak credentials in IoT devices to compromise systems before executing a shell script which attempts to detect the architecture of a target device, before downloading an appropriate malware payload.

Torii will utilize a variety of commands, “wget”, “ftpget”, “ftp”, “busybox wget,” or “busybox ftpget,” to ensure payload delivery.

If binaries cannot be downloaded via HTTP, the botnet will use the FTP protocol. In the latter case, the botnet will use credentials embedded in the shell script to connect to an FTP server via an IP which is still active at the time of writing.

The binaries are droppers for the second payload, both of which are persistent.

Torii uses at least six methods to maintain persistence on a compromised device and runs all of them at the same time:

• Automatic execution via injected code into ~\.bashrc
• Automatic execution via “@reboot” clause in crontab
• Automatic execution as a “System Daemon” service via systemd
• Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
• Automatic execution via modification of the SELinux Policy Management
• Automatic execution via /etc/inittab

The second-stage payload then executes. This is the main botnet which is able to connect to the operator’s command-and-control (C2) server — of which at least three addresses are in operation — exfiltrate data, encrypt communication, and utilize anti-debugging techniques.

Torii communicates with its C2 via TCP port 443, however, Avast considers this “as a deception” as the TLS protocol is not in use. Rather, the botnet “takes advantage of [the] common use of this port for HTTPS traffic.”

The botnet is sophisticated, but despite potentially being active since last year, does not behave like a standard botnet involved in Distributed Denial-of-Service (DDoS) attacks or cryptojacking, and its overall purpose is still a mystery.

At the time of discovery, VirusTotal did not flag up two of the botnet’s executables as malicious. However, at the time of writing, 19 antivirus engines now detect one of the files, whereas another is only detected by five engines.

 

from: https://www.zdnet.com/article/meet-torii-a-new-iot-botnet-far-more-sophisticated-than-mirai/

 

Torii botnet – Not another Mirai variant

New, more sophisticated IoT botnet targets a wide range of devices

 

Introduction

2018 has been a year where the Mirai and QBot variants just keep coming. Any script kiddie now can use the Mirai source code, make a few changes, give it a new Japanese-sounding name, and then release it as a new botnet.

Over the past week, we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses.

Unlike the aforementioned IoT botnets, this one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies.

Instead, it comes with a quite rich set of features for exfiltration of (sensitive) information, modular architecture capable of fetching and executing other commands and executables and all of it via multiple layers of encrypted communication.

Furthermore, Torii can infect a wide range of devices and it provides support for a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, and others. Definitely, one of the largest sets we’ve seen so far.

As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer.

We would like to give credit to @VessOnSecurity, who actually tweeted about a sample of this strain hitting his telnet honeypot last week.

According to this security researcher, telnet attacks have been coming to his honeypot from Tor exit nodes, so we decided to name this botnet strain “Torii”.

In this post, we will describe what we know about this strain so far, how it is spreading, what are its stages, and we will depict some of its features.

The analysis is still ongoing and further findings will be included in blog post updates.

 

Now, let’s start with the infection vector.

Analysis of the initial shell script

The infection chain starts with a telnet attack on the weak credentials of targeted devices followed by execution of an initial shell script. This script looks quite different from typical scripts that IoT malware uses in that it is far more sophisticated.

The script initially tries to discover the architecture of the targeted device and then attempts to download the appropriate payload for that device.The list of architectures that Torii supports is quite impressive: including devices based on x86_64, x86, ARM, MIPS, Motorola 68k, SuperH, PPC – with various bit-width and endianness. This allows Torii to infect a wide range of devices running on these very common architectures.

 

The malware uses several commands to download binary payloads by executing the following commands: “wget”, “ftpget”, “ftp”, “busybox wget”, or “busybox ftpget”. It uses multiple commands to maximize the likelihood that it can deliver the payload.

If  the binaries cannot be downloaded via the HTTP protocol with “wget”  or “busybox wget” commands, it will use FTP.  When the FTP protocol is being used, it requires authentication. Credentials are nicely provided in the script:

Username:     u="<redacted>"
Password:      p="<redacted>"

Port for FTP:  po=404

By connecting to the FTP server, there is quite a lot going on:

 

Full torii directory structure:
https://cdn2.hubspot.net/hubfs/486579/torii_directory_structure.txt

 

Among other things, the server contains logs from the NGINX and FTP servers, payload samples, a bash script that directs the infected devices to this very machine where the malware is hosted, and more. We’ll discuss what we found in these logs at the end of this post, but first let’s take a look at all the samples that are hosted there.

Analysis of the 1st stage payload (dropper)

Once the script determines which architecture the target device it is running on, it downloads and executes the appropriate binary from the server. All of these binary files are in the ELF file format. While analyzing these payloads, we found that they are all very similar and are “just” droppers of the second stage payload. What is notable is that they use several methods to make the second stage persistent on the target device. Let’s look deeper into the details below.

For our description, we’ll focus on the x86 sample with the SHA256 hash:

0ff70de135cee727eca5780621ba05a6ce215ad4c759b3a096dd5ece1ac3d378.

String Obfuscation

First we tried to de-obfuscate the sample, so we delved into some of the text strings to look for clues on how the malware works. The vast majority of text strings in the 1st and 2nd stage are encrypted by a simple XOR-based encryption and they are decrypted during runtime when a particular string is needed. You can use the following IDA Python script for decryption:

Install 2nd Stage ELF File

The core functionality of the first stage is to install another ELF file, the second stage executable, which is contained within the first ELF file.

The file is installed into a pseudo-random location that is generated by combining a predefined location from a fixed list:

• “/usr/bin”
• “/usr/lib”
• $HOME_PATH
• “/system/xbin”
• “/dev”
• $LOCATION_OF_1ST_STAGE
• “/var/tmp”
• “/tmp”

and a filename from another list:

• “setenvi“
• “bridged“
• “swapper“
• “natd“
• “lftpd“
• “initenv“
• “unix_upstart“
• “mntctrd“
• etc.

Putting these two items together creates the destination file path.

Make the 2nd Stage Persistent

Afterwards, the dropper makes sure that the second stage payload is executed and that it will remain persistent. It is unique in that it is remarkably thorough in how it achieves persistence. It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them.

1. 1. Automatic execution via injected code into ~\.bashrc
   2. Automatic execution via “@reboot” clause in crontab
   3. Automatic execution as a “System Daemon” service via systemd
   4. Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
   5. Automatic execution via modification of the SELinux Policy Management
   6. Automatic execution via /etc/inittab

And, finally, it executes the dropped inner ELF –  the second stage payload.

Analysis of the 2nd stage payload (bot)

The second stage payload is a full-fledged bot capable of executing commands from its master (CnC).  It also contains other features such as simple anti-debugging techniques, data exfiltration, multi-level encryption of communication, etc.

Furthermore, many functions found in the second stage are the same as in the first, making it  highly likely they are both created by the same author(s).

The code inside of the first stage payload is almost identical in all the versions. This is however not true in the case of the second stage where we find differences among the binaries for various hardware architectures. To describe the core functionality that can be found in most of the versions, we will once again take a look on x86 code found in the sample with SHA256 hash:  5c74bd2e20ef97e39e3c027f130c62f0cfdd6f6e008250b3c5c35ff9647f2abe.

Anti-Analysis Methods

The anti-analysis methods in this malware are not as advanced as we are accustomed to seeing in Windows or mobile malware, but they are improving.

• It uses the simple anti-analysis method of a 60 seconds sleep() after execution, which probably tries to circumvent simple sandboxes.
• Furthermore, it tries to randomize the process name via prctl(PR_SET_NAME) call to something like “\[[a-z]{12,17}\]” (regular expression) in order to avoid detection of blacklisted process names.
• Finally, the authors are trying to make the analysis harder by stripping the symbols from executables. When we first downloaded the samples from the aforementioned server 104.237.218.85, they all contained symbols, which made their analysis easier. It is interesting to note that a few days later these files were replaced by their stripped versions. No other differences were found between these two versions, leading us to believe that the authors are taking continual action to further protect their executables against analysis.

CnC Servers

As we already said, this component is a bot that communicates with a master CnC server. The addresses of the CnCs are once again encrypted by the aforementioned XOR-based cipher. It seems that each Torii version contains 3 CnC addresses. The campaign that is currently running tries to get commands from CnC servers running at:

• top.haletteompson.com
• cloud.tillywirtz.com
• trade.andrewabendroth.com

It tries to communicate with the first domain from the list and moves to the next one if it fails. In the case of failure, it also tries to resolve the domain name via Google DNS 8.8.8.8.

 

 

These three domain names have resolved to IP 66.85.157.90 since September 15, 2018. Some other domains hosted on the same IP are also quite suspicious:

cloud.tillywirtz.com
dushe.cc
editor.akotae.com
press.eonhep.com
web.reeglais.com
psoriasiafreelife.win
q3x1u.psoriasiafreelife.win
server.blurayburnersoftware.com
top.haletteompson.com
trade.andrewabendroth.com
www.bubo.ccwww.dushe.cc

That so many strange looking domains are hosted at one IP address raises concern. Furthermore, the CnC domain names resolved to a different IP address (184.95.48.12) before that.

 

 

Some more digging turned up another set of ELF samples belonging to Torii with three different CnC addresses:

• press.eonhep.com
• editor.akotae.com
• web.reeglais.com

They all resolved to the same IP (184.95.48.12) in the past and, for example “press.eonhep.com” was using this IP since December 8, 2017. Therefore, we think that this strain has been in existence since at least December 2017 and quite possibly longer.

CnC Communication

The second stage communicates with these CnC servers via TCP port 443 as well as further encryption layers. It is interesting to note that it uses port 443 as a deception, as it doesn’t communicate using TLS but takes advantage of common use of this port for HTTPS traffic. Each message (including replies) forms a structure we call a “message envelope” and each envelope is AES-128 encrypted and there is a MD5 checksum of the content to ensure it hasn’t been modified or corrupted. Furthermore, each envelope contains a stream of messages where each message is encrypted by a simple XOR-based encryption, which is different than the one used to obfuscate the strings. It isn’t as strong as it looks as the decryption keys are included in the communication.

 

 

Torii also exfiltrates the following information while connecting to a CnC server:

• Hostname
• Process ID
• Path to second stage executable
• All MAC addresses found in /sys/class/net/%interface_name%/address + its MD5 hash – this forms some kind of unique victim ID, allowing the bad actor to fingerprint and catalog devices more easily. It is also stored in local files with strange names such as GfmVZfJKWnCheFxEVAzvAMiZZGjfFoumtiJtntFkiJTmoSsLtSIvEtufBgkgugUOogJebQojzhYNaqyVKJqRcnWDtJlNPIdeOMKP, VFgKRiHQQcLhUZfvuRUqPKCtcrjmhtKcYQorAWhqAuZuWfQqymGnWiiZAsljnyNlocePAOHaKHvGoNXMZfByomZqEMbtkOEzQkQq, XAgHrWKSKyJktzLCMcEqYqfoeUBtgodeOjLgfvArTLeOkPSyRxqrpvFWRhRYvVcLeNtMKTdgFhwrypsRoIiDeObVxTTuOVfSkzgx, etc.
• Details found by uname() call, including sysname, version, release, and machine.
• Outputs of the following commands designed to gain yet more information on the target device:

id 2>/dev/null
uname -a 2>/dev/null
whoami 2>/dev/null
cat /proc/cpuinfo 2>/dev/null
cat /proc/meminfo 2>/dev/null
cat /proc/version 2>/dev/null
cat /proc/partitions 2>/dev/null
cat /etc/*release /etc/issue  2>/dev/null

CnC Commands

While analyzing the code, we’ve found that the bot component is communicating with the CnC with active polling in an endless loop, always asking its CnC whether there are any commands to execute. After receiving a command, it replies with the results of the command execution. Each message envelope has a value specifying which type of command it brings. The same value is used for reply. We have uncovered the following command types:

 

• 0xBB32 – Store a file from CnC to a local drive:
  • Receive:
    1. Filepath where to store content from CnC
    2. Content
    3. MD5 checksum of content
  • Reply:
    1. File path where the file was stored
    2. Error code
• 0xA16D – Receive value of timeout to be used for CnC polling:
  • Receive:
    1. DWORD with number of minutes to sleep between CnC contacts
  • Reply:
    1. Message with code 66

 

• 0xAE35 – Execute a given command in a desired shell interpreter and send outputs back to CnC:
  • Receive:
    1. Command to execute in shell (sh -c “exec COMMAND”)
    2. WORD with execution timeout in seconds (max 60 seconds)
    3. String with a path to shell interpreter (optional)
  • Reply:
    1. String with outputs (stdout + stderr) of command execution
• 0xA863 – Store a file from CnC to a given path, change its flags to “rwxr-xr-x” to make it executable and then execute it:
  • Receive:
    1. File path where to store content from CnC
    2. Content
    3. MD5 checksum of content
  • Reply:
    1. File path where the file was stored
    2. Return code from execution of that file
• 0xE04B – Check that the given file exists on a local system and return its size:
  • Receive:
    1. Filepath to check
  • Reply:
    1. File path
    2. File size
• 0xF28C – Read N bytes from offset O of selected file F and send them to CnC:
  • Receive:
    1. File path to file (F) to read from
    2. QWORD offset (O) where to start reading
    3. DWORD number (N) of bytes to read
  • Reply:
    1. File content
    2. Offset
    3. Size of bytes read
    4. MD5 checksum of read content
• 0xDEB7 – Delete a specified file
  • Receive:
    1. Name of a file to delete
  • Reply:
    1. Error code
• 0xC221 – Download a file from the given URL
  • Receive:
    1. Path where to a store file
    2. URL
  • Reply:
    1. File path
    2. URL
• 0xF76F – Get address of a new CnC server and start communication with it.
  • Receive:
    1. ?
    2. New domain name
    3. New port
    4. ?
  • Reply:
    1. Repeat the received information
• 0x5B77, 0x73BF, 0xEBF0, and probably other codes – Some kind of communication to ping or get a heartbeat on the target device to ensure the communication partner that the communication channel is working):
  • Receive:
    1. Everything received is ignored
  • Reply:
    1. Repeat the received information

Analysis of the sm_packed_agent

While we were investigating the server, we found another interesting binary we managed to get from the FTP server that is called “sm_packed_agent”. We don’t have any evidence that is has been used on the server, but its versatility suggests that it could be used to send any remote command desired to the target device. It contains a GO-written application packed using UPX when unpacked, it has a few interesting strings that suggests it has server-like capabilities:

 

 

Underneath, it uses the following 3rd party libraries:Code Reuse

Possible name of source code:

Some of these libraries are abusing a BSD licence, which requires redistribution of copyright notice. Apparently Torii’s authors don’t care about copyright infringement.

Functionality

The functionality of the sm_agent is as follows:

• Takes one parameter on cmdline -p with port number
• Initializes crypto, loads TLS and keys + cert
• Creates server and listening for TLS connection
• Awaits commands encoded in BSON format
• Command handler inside knows these commands:
  • 1: Monitor_GO_agent__Agent_GetSystemInfo
  • 2: Monitor_GO_agent__Agent_GetPerformanceMetrics
  • 7: Monitor_GO_agent__Agent_ExecCmdWithTimeout
    this command seems to be able to run any arbitrary OS command read from BSON payload.

TLS encryption, certificates and keys:

• Agent uses ChaCha20-Poly1305 stream cipher for TLS
• Keys and certs in the same directory
• Self signed certificate of authority ca.crt with name Mayola Mednick
• client.crt issued by ca.crt for Dorothea Gladding
• server.crt + server.key issued by ca.crt for Graham Tudisco

Certificates are self-signed and obviously using fake names.

Start-agent.sh

This  script is to kill any previous instances of start sm_packed_agent and run it on TCP port 45709 and re-run it again in case it fails.

 

 

It is not yet known how Torii authors are using this service, but it is incredibly versatile and could be used to run any command on the device. And because this application is written in GO, it can be easily recompiled to run on virtually any architecture. Taking into account that this file is running on a  malware distribution machine, it is quite possible that it is a backdoor or even a service to orchestrate multiple machines.

Analysis of Logs From the Server 104.237.218.85

Finally, we took a look at the logs we found for both the Nginx server and the FTP server. Such access log can help us understand how many clients actually were infected by Torii or tried to download it.

As we write this blog, Torii authors have already disabled FTP and Nginx logging (more on that below), but looking at the logs that are available, we can generate some simple statistics.

A total of 206 unique IPs connected to the server on September 7th, 8th, 19th, and 20th according to the logs on the server.

It looks like one IP 38.124.61.111 connected to the server 1 056 393 times!

By looking into the logs, it seems that someone actually ran DirBuster-1.0-RC1, trying to figure out what is going on. Brute force DirBuster is used to guess directories/filenames on the web server and generates a large number of requests. It is quite unfortunate if this scan originated from a researcher as there are more elegant approaches in the case of a sophisticated malware like Torii.

By scanning the ports of IP 38.124.61.111, we can see that there are a few ports open:

 

 

On port 27655, there is an SSH banner which states:

“SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3” It looks like this box is running Raspbian.  If you are behind this, write us.

Other logs that are available to us are FTP server logs.

There are a few clients that connected and downloaded some files that are not on the FTP server anymore:

Sat Sep  8 08:31:24 2018 1 128.199.109.115 6 /media/veracrypt1/nginx/md/zing.txt b _ o r md ftp 0 * c

According to logs we were able to analyze, a total of 592 unique clients were downloading files from this server over a period of a few days. It’s important to remember that once the target device receives the payload, it stops connecting to the download server and connects to the CnC server. Therefore, we are likely seeing a snapshot of new devices that were recruited into this botnet over the period of time for which we have log files.

Additionally, there are 8 clients that were using both the HTTP server and the FTP server, which could be the case if downloading using HTTP failed for some reason, or if Torii authors were testing functionality of the bash script or a server set up

We cannot speculate about what we do not have evidence for, but this server could be just one of a number of servers infecting new target devices, and only further investigation will reveal the true scope of this botnet. Given the level of sophistication of the malware we researched, it would seem likely that it is designed to map and control a large number of diverse devices.

Conclusion

Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before. Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but  by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use. Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer.

 

from: https://blog.avast.com/new-torii-botnet-threat-research