The New Tricks Of Hackers
Hand on heart: when did you last install a firmware update on your printer or on your Voice-over-IP telephone? Very few users know that software updates exist for these devices at all. Hackers readily take advantage of this lack of awareness, as security researchers have demonstrated: at the RSA Conference in February 2014, the team of American security expert Ang Cui, a doctoral candidate at Columbia University, showed on stage how easy it is to remotely convert network printers into break-in tools. The white-hat hackers remotely mapped the complete network of a fictitious company and even recorded conversations taking place in the office – without infecting a single PC or smartphone with malware.
The demonstrated scenario could well be the screenplay for a film: a hacker first infects a network printer, model HP Laserjet 2055. He sends the required malware, camouflaged as a PDF document, to an employee of the target company via email. In principle, the same works against private users, who find spam mails with infected file attachments in their inbox daily. This PDF file is not the innocent resume of a supposed job applicant; it attacks the printer, and if the printer processes the print job, the malware infects the operating system (firmware) of the machine. Such attacks have been known for a good two years now. According to Ang Cui, very few companies or households install firmware updates on their printers. As a result, highly vulnerable devices are out there in the open for hackers to attack – although manufacturers offer updates.
1. Printer makes calls home
Once the malware is active, it builds an encrypted tunnel to a control server and waits for further commands from there. Since the printer has a full-fledged operating system, the hacker can scan the internal network and send the results to himself via the tunnel. If there are VoIP telephones in the network – such as the one used during the demonstration, an Avaya (One X 96x1 series), whose firmware also has loopholes – the attacker infects these with malware too and can thus control them remotely. The result: at the push of a button, the telephone is converted into a bugging device that records all conversations in the room as well as telephone calls. The recordings are again smuggled out via the tunnel. To avoid consuming conspicuous amounts of bandwidth and thus being noticed by an administrator, the malware can convert the speech in the recordings into text documents. Unlike audio files, these take up only a few kilobytes and hence will in all probability go unnoticed in the network traffic. As Cui explains, printer firmware that has been infected with malware can survive further updates, so the device can remain infected permanently: the program code that controls the installation of updates is part of the firmware the attacker has modified, and hence the criminal decides whether the malicious part of the software is overwritten by the update or skipped. The researchers taught the hacked telephone another astonishing trick with the help of new software.
The hackers used an impressive trick to avoid any outgoing network traffic and yet access the recordings of telephone conversations. In their “Funtenna” concept, the researchers turned the telephones into radio transmitters by means of the firmware update. The firmware manipulates the line inside the telephone that determines whether the receiver is on the cradle, and turns it into a transmitter. The radio range is up to 30 metres, provided that the recipient has a sufficiently sensitive antenna. With a makeshift wire antenna, the researchers managed a few metres during the demonstration.
2. Remotely controlled DSL routers
The security experts of Team Cymru showed how real the risk of an attack on non-PC hardware is by analysing a full-scale attack on European Internet users. As the researchers discovered at the beginning of May, criminal hackers had remotely manipulated more than 300,000 routers from different manufacturers, including ASUS, D-Link, Cisco, Linksys, Netgear and TP-Link. No malware was installed, but the hackers could modify the DNS (Domain Name System) settings through various loopholes in the operating systems of the routers.
They changed the entries so that the routers used a name server controlled by the criminals for every name resolution. This way they could control which website is actually accessed and loaded by the browser when a URL, for example google.com or chip.com.my, is typed – the perfect basis for harvesting valuable login data through well-made copies of banking, e-commerce or social networking sites.
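As an added illustration (not code from the article or from Team Cymru), here is a defender-side check in Python for the kind of DNS tampering described above: it parses a router's DNS settings, compares them with an assumed allowlist of expected resolvers, and compares name-resolution answers obtained through the router with those from a trusted resolver. The config text, the allowlist and the answer sets are constructed sample values.

```python
import ipaddress

# Constructed sample: DNS settings as exported from a router's admin page.
# The addresses are documentation ranges, not indicators from any real incident.
ROUTER_DNS_CONFIG = """
lan_ip=192.168.1.1
primary_dns=203.0.113.7
secondary_dns=192.0.2.9
"""

# Assumed policy: the gateway itself plus the resolvers the ISP or the
# organisation actually hands out.  Anything else deserves a look.
TRUSTED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "8.8.8.8", "9.9.9.9"}


def parse_router_dns(config_text):
    """Extract the configured DNS server addresses from key=value config text."""
    servers = []
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key.endswith("dns"):
            continue
        try:
            servers.append(str(ipaddress.ip_address(value.strip())))
        except ValueError:  # skip malformed or empty entries
            continue
    return servers


def unexpected_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return configured resolvers that are not on the trusted list."""
    return [s for s in servers if s not in trusted]


def resolution_mismatches(answers_via_router, answers_via_trusted):
    """Compare A records seen through the router with those from a trusted resolver.

    Both arguments map hostname -> set of IP strings (constructed here; in practice
    collected with dig or dnspython).  CDNs legitimately return different addresses
    per query, so only a complete lack of overlap is treated as a hijack signal.
    """
    mismatches = {}
    for host, trusted_ips in answers_via_trusted.items():
        router_ips = answers_via_router.get(host, set())
        if not router_ips & trusted_ips:
            mismatches[host] = (sorted(router_ips), sorted(trusted_ips))
    return mismatches
```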
3. SMS to the ATM
The virus experts from Symantec discovered a Trojan called Ploutus on the computers installed inside ATMs. Once active, the first version of the malware waits until a specific 16-digit code has been entered on the machine's numeric keypad and then spits out the full content of one of the cash boxes. The virus experts have now written on their blog that the latest version of the digital bank robber no longer waits for a code to be entered. The advantage for the brains behind it is that they no longer need to share the confidential character sequence with the accomplices they have engaged to clean out the machines. When infecting an ATM, which requires physical access and a boot CD, the criminals also hide a smartphone inside the ATM's housing. Connected via USB to the Windows PC inside the machine, the smartphone communicates with the computer and draws its power from it.
If the mobile phone receives an SMS in a suitable format, it sends a data packet via USB to the computer, where Ploutus lies in wait for exactly this packet. It then reads the command, processes it and spits out the money.
4. Well-known and still in use: ZeuS
ZeuS is also a piece of malware specialised in fishing out data. It is the forefather of all online banking Trojans and now appears in numerous variants in the digital underworld – and on millions of infected PCs worldwide. The speciality of ZeuS & co. is that they smuggle additional fields into legitimate websites. The malware manipulates the display in the browser on the victim's PC and inserts a perfectly imitated field into an online banking website, for instance, where the user is asked to enter, say, his mobile phone number – apparently for security reasons. The anti-virus manufacturer now warns of another version of the malware, which no longer manipulates only banking sites but also online job portals such as Monster.com or CareerBuilder.
A ZeuS-controlled page appears after the user logs in. Here he is asked to answer various security-related questions, such as “Which was the city of your first job” or “What was your first concert”. With the help of these details, the masterminds can access other online accounts of the victim that ask exactly these questions.
5. Now a notebook, now a mere paper weight
There are hacker attacks that use very different methods to extort money: during their talk at the RSA Conference, the security experts physically destroyed an Apple MacBook Pro with modified firmware. It is impossible to save the device by updating the firmware; the only solution is to replace the motherboard, which is time-consuming and expensive. By the end of the demonstration, the 13-inch MacBook Pro had been reduced to an expensive paper weight: the battery did not charge, and neither an SMC (System Management Controller) reset nor pressing the power button helped. Dmitri Alperovitch, CTO of the security company CrowdStrike, explained that an update destroys the SMC firmware. He and his colleague George Kurtz did not want to divulge the details of the exact modification. They only said that an original Apple firmware was used as the basis. They didn't want to give criminal imitators a template.
However, the researchers fear that, in principle, the attack can work on any modern hardware. To destroy a Windows machine from any manufacturer, the firmware of the ACPI EC (Embedded Controller) would probably have to be attacked. In principle, hackers could infect any Windows computer with malware and render it completely useless. However, this is more difficult than with the Apple computers: because of the variety of hardware models, new malicious firmware has to be written for every version, especially for the various ACPI-EC types. These controllers are responsible for power management and computer configuration and can thus, for instance, switch off the fan and easily overheat the PC. This can destroy the computer within a matter of minutes.
6. Hackers do the groundwork for drug runners
The fact that criminal hackers offer their expertise to support organised crime was demonstrated by the Dutch police at the Security Analysts Summit organised by Kaspersky. The scene of the crime was the second largest port in Europe: 8.5 million tons of goods disappeared from the port of Antwerp in 2013. The police seized at least one ton: drugs from South America, hidden in containers belonging to shipping companies that knew nothing of these additions to their freight. The identified cocaine alone is worth over 150 million Euros (RM641 million). Before the owners collected their containers, the criminals would pick up the drugs from the port in a cloak-and-dagger operation. They learned the exact location of the containers on the premises by infecting PCs that the transport companies concerned used to manage the storage spaces. The criminals shifted up a gear after these infections were discovered: according to Peter Zinn of the Dutch police, drug traffickers hired Belgian hackers from the digital underworld. As Zinn narrated during his talk, the hackers were clever enough to manipulate the control system of the automatic loading crane at the port: instead of dropping off the containers with drugs at the authorities' inspection point, the crane loaded them directly onto a waiting lorry.
The driver of the lorry, who was in the dark about all this, was later forced to pull over by Kalashnikov shots, and the drugs were unloaded. This time, the crane controls were not manipulated via infected PCs but by mini computers that burglars smuggled into the carriers' offices, hidden in power strips, for instance. Pulling off this second level of attack took much more than infecting a PC with malware that records keyboard entries: the hackers were evidently familiar with the SCADA (Supervisory Control and Data Acquisition) system that controls the crane and enables its fully automatic operation.
7. Virtual attacks, real consequences
Attacks on Supervisory Control and Data Acquisition (SCADA) systems have long been the stuff of apocalypse scenarios: power failures, exploding chemical plants, valleys flooded by draining reservoirs, and so on. In all these cases, it should be enough to take over and manipulate the system controls provided by SCADA hardware and software – so say the prophets of doom. Eugene Kaspersky, head of the anti-virus manufacturer Kaspersky, sees a real threat: “I presume that terrorists are already working with willing hackers to attack critical infrastructure”, Kaspersky said in a conversation. Furthermore: “Critical infrastructure is secured very poorly at present. The engineers responsible for it haven't understood how inventive and creative the attackers can be. For decades, they have been ticking off checklists and saying that your systems are secure.”