On the cyber war front lines: zombie WannaCry is still out there, and Russia jams GPS signals in Finland

Um diesen Artikel auf Deutsch zu lesen, klicken Sie bitte hier 

Pour lire cet article en français, veuillez cliquer ici 

 

 

15 November 2018 (Paris, France) – As my team starts to prepare for the International Cybersecurity Forum (FIC 2019) in Lille, France in January (it is never too early to prepare for an event like this), we are reminded of the advice of David Grout of FireEye:

Cyber threats are always diverse so companies (and nations) must stay vigilant and up-to-date. Pandemic threats such as ransomware and state attacks of cyber espionage must be your biggest focus.

WannaCry, once the greatest cybersecurity calamity in history, now doesn’t work. A website critical to its function is now controlled by civic-minded security researchers, and the fixed deadline to pay the ransom has long passed.

BUT … WannaCry still accounts for 28% of ransomware attacks — the most of any ransomware family.

Fedor Sinitsyn, a senior malware analyst at Kaspersky Lab, sent out an email which summarized a new study they did. The highlights:

The big picture: According to a new study by Kaspersky Lab, the defanged North Korea linked ransomware is still spreading uncontrollably. The spreading mechanism that passed WannaCry from victim to victim that was so virulent in the 2017 attack is still active, even if the ransomware itself isn’t.

The key line: “This is not an uncommon occurrence, as there are multiple currently defunct worms that are still automatically spreading in the wild and infecting unpatched/unprotected machines,” wrote Fedor Sinitsyn.

What exactly is a computer worm? A computer worm is a form of malware, just like its more notorious cousin, the virus. Where a worm differs from a virus is that it typically doesn’t infect or manipulate files on its own. Instead, it simply clones itself over and over again and spreads via a network (say, the Internet, a local area network at home, or a company’s intranet) to other systems where it continues to replicate itself.

In turn, these clones reproduce and spread and, in a very short time period, can quickly infect an enormous number of machines. For instance, it’s estimated that the infamous ILOVEYOU worm infected about 10 percent of the world’s internet-connected computers within just 10 days.

How have computer worms changed? Traditional computer worms were created simply to spread. Left unchecked, they would multiply exponentially and disrupt network bandwidth, but they did not actually alter a system’s functionality. This all changed in 2004 with the arrival of Witty, a worm that attacks the firewall and computer security products of a specific company and is thought to be the first worm to carry a payload (a piece of code designed to do real, tangible damage).

Which takes us back to our good friend David Grout:

This goes back to my mantra, so to speak, that you must stay vigilant and minimize your risk of infection by learning more about how worms function, the most common ways they spread and how you can stop them dead in their tracks. These self-replicating programs that spread just shows you how the physics of cyberspace are wholly different from every other war domain. And it is a war domain.

Because these endlessly replicating systems wiggle their way into poorly protected computers. Indeed, as we know, the worm component of WannaCry ransomware made it possible to wreak havoc on computers around the world, infecting more than 200,000 systems in over 150 countries and holding the infected machines ransom for $300 a pop. Mere weeks later, Petya/NotPetya ransomware used a worm to spread within local networks.

We’ll chat more with David at FIC 2019 in January.

As I have noted in many of my posts, whatever you might think of Russia’s recent antics on the world stage, you have to concede: they have brilliantly exploited information-age tools to confuse audiences about what is truth, what isn’t, and to set their own narrative.

And they are legendary in their campaigns aimed at taking control of routers inside government, critical infrastructure and internet service providers, but also within small and home offices.

So the following story that hit the press this week is no surprise. Finnish Prime Minister Juha Sipila has said the GPS signal in his country’s northern airspace was disrupted during recent Nato war games in Scandinavia. He said he believed the signal had been jammed deliberately and that it was possible Russia was to blame because it had the means to do so. You can read the background story here.

At ground level, GPS signals are incredibly weak, essentially lost in background noise; it’s only by knowing how the signal varies that it can be picked out. In turn, that means you can jam them. The world is awash in random electrical noise. If we tuned our receivers to the GPS frequency and graphed what we picked up, we’d just see a randomly varying line — the earth’s background noise. The GPS signal would be buried in that noise.

That’s why pseudo random code (PRC), one of the ideas behind GPS, can be used as a weapon. It not only acts as a great timing signal … but it also gives us a way to find and “amplify” the very weak satellite signals and grab them/jam them. Here’s how that amplification process works (with a hat tip to Mika Trimble of NavTech who was my house guest in Crete this summer and gave me a tutorial that provided a good, basic understanding of the principles behind GPS without loading me down with too much technical detail):

The pseudo random code (PRC) looks a lot like the background noise but with one important difference: we know the pattern of its fluctuations. What if we compare a section of our PRC with the background noise and look for areas where they’re both doing the same thing? We can divide the signal up into time periods (called “chipping the signal”) and then mark all the periods where they match (i.e. where the background is high when the PRC is high). Since both signals are basically random patterns, probability says that about half the time they’ll match and half the time they won’t.

If we set up a scoring system and give ourselves a point when they match and take away a point when they don’t, over the long run we’ll end up with a score of zero because the -1’s will cancel out the 1’s.

But now if a GPS satellite starts transmitting pulses in the same pattern as our pseudo random code, those signals, even though they’re weak, will tend to boost the random background noise in the same pattern we’re using for our comparison. Background signals that were right on the border of being a “1” will get boosted over the border and we’ll start to see more matches. And our “score” will start to go up.

Even if that tiny boost only puts one in a hundred background pulses over the line, we can make our score as high as we want by comparing over a longer time. If we use the 1 in 100 figure, we could run our score up to ten by comparing over a thousand time periods. If we compared the PRC to pure random noise over a thousand time periods our score would still be zero, so this represents a ten times amplification.

This explanation is a greatly simplified but the basic concept is significant. It means that the system can get away with less powerful satellites and our receivers don’t need big antennas like satellite TV. (You may wonder why satellite TV doesn’t use the same concept and eliminate those big dishes. The reason is speed).

The GPS signal has very little information in it. It’s basically just a timing pulse, so we can afford to compare the signal over many time periods. A TV signal carries a lot of information and changes rapidly. The comparison system would be too slow and cumbersome.

GPS jammers are usually small devices that can overpower or drown out much weaker signals such as GPS or others. Although GPS jammers are illegal in the US, they are easily available online.

NOTE: the horror? Last year there was the case of the jammer at the Newark Airport in the U.S. A simple $30 device was able to take down a state-of-the-art, highly sophisticated landing system at one of the busiest airports in the world. Worse, the device user wasn’t even trying to do so. Imagine what a person who DID intend to do harm could do? Say … Russians?

And remember: GPS is used for much more than just navigation. It’s also the primary source of timing and synchronization in critical infrastructures such as financial, communications, industrial, the power grid, and more. In timing applications, jammers can disrupt the GPS signal, causing the underlying systems to lose their ability to synchronize their internal clocks and, in turn, their ability to stay in sync with the rest of the network. Since many critical infrastructures sectors require synchronization across their network to be within millionths of a second, even short-term GPS outages can have a major impact. Worse, when an outage occurs, there’s typically nothing to indicate that it’s a result of jamming. The GPS signal simply is not received anymore.