Episode 56: From Vulnerability to Execution: A Ransomware Story
When it comes to ransomware, the typical coverage of an attack involves who was attacked, and how much the attackers demanded. But rarely is the attackers process shared. In this episode, we welcome Sophos VP of Managed Threat Operations Mat Gangwer tell a particular ransomware story. He takes us through an attack attributed to new ransomware cell Atom Silo. First, we start with the unpatched vulnerability. Then, we hear what the attackers did once they got in. And finally, we discuss the execution of the attack. Oh, and extra finally, we discuss what you can do to avoid a similar fate.
In headlines, hear about the Facebook/Instagram/WhatsApp outage(s). And then, get the scoop on the Twitch breach. Finally, we learn why burnout is yet another factor working against cybersecurity careers.
How to listen
Listen to Ping – A Firewalls.com Podcast using the player above…
Missed our previous episodes? You can get them anywhere you listen to podcasts, or go to our full episode list.
Learn even more about network security through our blog, which features new content every week, and our knowledge hub.
New episodes are usually released every other Wednesday. Have a special request for a topic or a question for our network engineers to address? Email us at email@example.com and it could be on our next show. Thanks in advance for any listens, follows, subscribes, reviews, comments, shares, and generally spreading the word!
The world of cyber security and classic Hellenistic Greece are colliding. We are speaking, of course, about the Orpheus’ Lyre security hole making rounds in security news. We’re sounding the Gjallarhorn in hopes that you’ll join us down in the info sec underworld as we discover what three-headed dogs, Thrace, and the granddaddy of the modern guitar have in common with your network.
Setting the Stage – the Classical Age
Orpheus – First mentioned by a sixth-century epic poet named Ibycus and later made famous by Thebian lyric poet Pindar, Orpheus is an epic hero popular in ancient Greek myth. Orpheus is known as a legendary musician with the ability to trick, persuade, and charm his way around obstacles thanks to his supernatural lyre playing. The lyre, which is how the ancient Romans played Wonderwall at insulae parties, is a predecessor of the guitar often mistaken for a harp.
The most famous story of Orpheus is that of rescuing his wife, Eurydice, from the underworld. When Eurydice is attacked by a satyr (mischievous goat-man played by Danny Devito in Disney’s “Hercules”), she falls into a pit of vipers, is bitten on the heel, and succumbs to their venom. Stricken with grief, Orpheus plays a song so mournful that the gods themselves are moved to tears. They offer him advice: descend into the underworld yourself and strike a deal to get Eurydice back. Orpheus descends into the underground, soon finding himself face-to-face with the ferocious Cerberus, guardian of the gates into the underworld. Orpheus tames Cerberus with some hot lyre riffs and snags an appointment with Hades, lord of the underworld, to successfully negotiate the return of Eurydice to the world of the living. Unfortunately, the tale takes a turn south from there with Orpheus falling for the classic religious no-no of “looking behind you” while fleeing. Because he peeks back over his shoulder during their exit from the underworld despite clear warning from Hades, Eurydice vanishes forever. Orpheus is later torn apart by a wandering band of vicious feral women upset by Orpheus snubbing their favored rock n roll god.
Cerberus – The hound of hell, three-headed guardian of the underworld, son of Tartarus-bound Typhon and Echidna. Cerberus has made cameos in “Harry Potter & the Philosopher’s Stone”, several Disney movies, and most every RPG game with a summoning system. This tri-skulled canine is among the most prominent icons for gatekeeping and security around. In the legends of Orpheus, Cerberus succumbs to the honey-sweet grooves of a lyre to allow the legendary musician to pass where countless others had failed.
Heimdallr – Heimdallr and his namesake are only peripheral references in our story, so let’s make this quick. Heimdallr is a Norse god that carries a giant horn, Gjallarhorn, and is said to be an ever-vigilant sentry watching for the inevitable approach of Ragnarok, which is like a Rammstein music video version of the apocalypse.
Setting the Stage – The Information Age
Orpheus’ Lyre – Orpheus’ Lyre is the name given to an exploit present in the Kerberos network security protocol. A patch for Orpheus’ Lyre was published with the Windows July 2017 security patches.
Kerberos – Kerberos is a security protocol that has been utilized by Windows for over 20 years. Kerberos is a “ticket” system in terms of security. Rather than exchanging unique authentications between the several servers that you may request access to, Kerberos acts as a central authority, distributing “server tickets” that come pre-written with encrypted data detailing what server you requested access to, how long your authentication is valid, and more. Think of Kerberos as the guy whose only job is tear your ticket stub off at the movie theater. You can go buy your movie tickets at the will-call desk, on Fandango, or from the sketchy guy out front who for some reason has 60 extra tickets to “The Emoji Movie.” But if you want into a screening room (server), you must stop at the kiosk in the lobby and have your ticket checked.
Heimdal – Heimdal is one of two common variants of Kerberos. The other variant, MIT Kerberos, was developed by the Massachusetts Institute of Technology and is leveraged by Windows for a majority of network security uses while Heimdal Kerberos is generally supported by smaller operating systems. While the July 2017 Windows security patch addressed exploits in MIT Kerberos, Heimdal Kerberos is still at risk. Look for patches for Heimdal to be released by Apple in the future.
How does it work?
Great, so some cyber attackers came up with clever pet names for their project. What’s this thing actually do?
Keep in mind the analogy above in regard to Kerberos being the primary ticket-checker of a Windows network security apparatus. Since these are packets of encrypted data, however, let’s add that these tickets are being transported in opaque envelopes. When a data packet approaches Kerberos, the security protocol opens the envelope, records the information inside, and routes the packet to its destination. However, there’s a bit of a catch. Some of that data, seemingly innocuous stuff like which server you’re traveling to, is also written on the outside of the envelope in plain text.
So what if someone could convince the ticket-checker, Kerberos, that the plain text data scribbled on the outside of the envelop is actually the secure data encrypted inside? Or, in the case of Orpheus’ Lyre, enough data to receive a positive authentication and gain open-ended access to a server. Now you have a packet slipping past the ticket-checker carrying an envelope with mysterious contents. And you know what happens when someone figures out how to sneak something around gateway security!
For reasons unknown to the modern world, when Kerberos was designed long ago, they felt the need to duplicate some data from inside the packet and paste it as plain text on the outside of the packet. The Orpheus’ Lyre exploit takes advantage of this short-sighted slip by convincing Kerberos that the plain text authentication data (which can be easily modified) is, in fact, the encrypted data inside, which cannot be modified. In short, Orpheus’ Lyre takes advantage of the fact that Kerberos will be forced to choose between two sets of similar data and the exploit influences Kerberos to choose the version that attackers are able to modify.
So the attacker buys a movie ticket for “The Emoji Movie” at 8:00 pm. He grabs an eraser and snubs out the modifiable data on the envelop and writes “Dunkirk” at 8:30. He approaches Kerberos, the ticket-checker, flashes him the modified data in a convincing manner, and strolls on into the lobby. Now that the attacker is granted access, they are free to mosey about the corridors, popping their head into whatever screening room they feel like.
Or, to carry the theme of Greek mythology, Orpheus descends into the underworld and charms Cerberus, the hell hound, with his magical lyre and is free to traipse around the land of the dead at his leisure.
How do we keep Orpheus and his Lyre out?
Luckily, Microsoft has done most of the leg work for you. The Windows July 2017 patch CVE-2017-8495 includes a fix for Orpheus’ Lyre, at least in regards to MIT Kerberos. If you do not use Windows, keep an eye peeled for a patch coming down the pipe from Apple. As long as you are a good cyber security warrior and keep your security patches updated, you should be fine!
Looking for a hell-hound of your own to guard your network?