Tag Archives: data theft

HP audio driver contained keylogger

Late last week it was announced that the Swiss security firm ModZero had responsibly disclosed (defined) to HP, back in early April 2017, their discovery of an audio driver (Conexant HD Audio) containing a keylogger. The driver is known to be present on 28 HP devices (listed here).

Conexant also creates drivers for Asus, Lenovo and Dell; at this time it is not clear whether those vendors use the same driver (security analysts have been unable to find any other devices using the affected driver).

How can I tell if my HP (or other device) is affected by this vulnerability?
This BleepingComputer article explains how to check for this vulnerability.

Why should this vulnerability be considered important?
The affected audio driver (versions 1.0.0.31 up to and including 1.0.0.46) contained the issue, which was first introduced in December 2015. It therefore has the potential to have gathered a vast quantity of information since that time.

Not only does the driver record key presses (using a low-level keyboard input hook (defined)), it also exposes them via the OutputDebugString and MapViewOfFile APIs (API, defined). The OutputDebugString API enables any running application to capture the keystrokes, while MapViewOfFile enables any framework or application with access to that API to do the same.

Since the unencrypted keystrokes are stored in a text file, forensic investigators with access to the log file (stored at C:\Users\Public\MicTray.log) could potentially recover previously saved sensitive data (a reboot or power-off of the device clears the file). When backups of the affected systems are performed, previous versions of this file would contain further captured (and potentially sensitive) information.

Since our keyboards are used to enter all kinds of sensitive information (emails, chat/instant message conversations, social media posts, credit card numbers etc.), this vulnerability could have serious consequences if the log contents were to be obtained by cyber criminals. The file might also contain credentials (usernames/passwords) for the above mentioned activities.

From the information disclosed about this vulnerability, there is no evidence to suggest the driver uploads/sends the information it gathers within that log to HP, Conexant or anyone else. However, if you are creating unencrypted backups within a corporate, small business or consumer environment, successive copies of this file will contain more and more of the gathered information over time. If someone knew you create these backups and knew where to look within them (assuming they are not encrypted), they could gather significant volumes of sensitive information.
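As an added example (not code from the original post, ModZero, HP or BleepingComputer), the following script turns the two facts above into a defensive check: is the installed driver inside the affected version range, and which live or backup trees still hold a copy of MicTray.log. It assumes the driver version string is obtained separately (e.g. from Device Manager) and that backup sets are mounted as ordinary directory trees.

```python
# Added example (not code from the original post, ModZero, HP or BleepingComputer).
# Assumptions: the driver version string is obtained separately (e.g. from Device
# Manager) and passed in; backup sets are mounted as ordinary directory trees.
import os
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Affected range named in the post: 1.0.0.31 up to and including 1.0.0.46.
AFFECTED_MIN = (1, 0, 0, 31)
AFFECTED_MAX = (1, 0, 0, 46)
LOG_NAME = "MicTray.log"  # lives at C:\Users\Public\MicTray.log on a running system


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.0.0.31' -> (1, 0, 0, 31). Numeric, not lexical: '1.0.0.4' must not
    land between '1.0.0.31' and '1.0.0.46' the way a string compare would."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"not a four-part driver version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected_version(text: str) -> bool:
    """True when the installed driver falls inside the range ModZero reported."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def find_mictray_logs(roots: Iterable[os.PathLike]) -> List[Path]:
    """Walk live and backup trees and return every copy of the keystroke log.
    Backups taken before a reboot cleared the file still hold older keystrokes,
    so backup mounts are scanned alongside the live system."""
    hits: List[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if LOG_NAME in files:
                hits.append(Path(dirpath) / LOG_NAME)
    return sorted(hits)


def assess(driver_version: str, roots: Iterable[os.PathLike]) -> Dict[str, object]:
    """One report a helpdesk script can act on: driver state plus log copies."""
    affected = is_affected_version(driver_version)
    logs = [str(p) for p in find_mictray_logs(roots)]
    if affected or logs:
        action = "update driver (HP 10.0.931.90) and purge every log copy"
    else:
        action = "no action"
    return {"affected_driver": affected, "log_copies": logs, "action": action}
```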

How can I protect myself from this vulnerability?
After ModZero disclosed this information to HP, HP made available a driver update (version 10.0.931.90) which removes the keylogging behavior. Moreover, the driver update will be made available via Windows Update for both 2016 and 2015 HP devices. HP Vice President Mike Nash clarified that the logging feature of the driver was simply debugging code (defined) inadvertently left within the driver.

If you followed the steps above to check if your device was vulnerable but there is no driver update available, the same BleepingComputer article describes how to mitigate the vulnerability.

Thank you.

Cisco Networking Devices Compromised by SYNful Knock Attack

Update: 23rd September 2015:
The two FireEye blog posts mentioned below found that SYNful Knock had affected at least 14 routers in countries such as Mexico, Ukraine, India and the Philippines. However, joint research carried out by Cisco and Shadowserver has shown that 199 unique IP addresses are exhibiting SYNful Knock behavior.

Shadowserver’s results are shown within this blog post (which contains further advice on how to prevent this attack from affecting your Cisco routers). They intend to keep these statistics updated as time progresses.

In addition, Cisco has created a page regarding SYNful Knock containing useful resources on how to detect and prevent this attack. Their blog post also mentions a Snort rule (Snort is an IPS (defined)) which can be used to detect this attack.

I hope that the above additional resources are useful to you in protecting/remediating your network.
Thank you.

=======================
Original Post:
=======================
Last week a series of blog posts were published by FireEye which provide in-depth technical details of an attack named “SYNful Knock”.

In a previous blog post I mentioned that Cisco had released security updates to address an issue that would allow an attacker to install a compromised/tampered-with version of the Cisco IOS operating system on Cisco networking devices. SYNful Knock is a very similar attack: it replaces the legitimate Cisco IOS with a version containing a backdoor (defined) that gives the attacker complete control of the device.

Why Should This Issue Be Considered Serious?
The exact purpose of this attack is not clear, but replacing the legitimate Cisco IOS with a version controlled by an attacker would allow them to conduct surveillance on the data passing through the network device, control all functions/settings of the device, and use these devices as highly stealthy “beachheads” from which to launch further attacks. Attackers could also direct legitimate users to spoofed websites, carry out data theft and/or denial of service attacks (defined), since your routers could be made to no longer carry out their role/function.

In addition, due to the above-mentioned stealthy nature of this attack, it is more difficult than usual to detect whether your Cisco networking devices have been compromised. As noted in this article, Tony Lee of FireEye mentions that this is not likely to be the first and only time the Cisco IOS is modified in a stealthy manner, and that very similar and more sophisticated attacks are likely to occur in the future.

Moreover this attack affects multiple Cisco networking devices, specifically:

Cisco 1841 router
Cisco 2811 router
Cisco 3825 router

As noted by FireEye, it is very likely that further devices are vulnerable to this attack due to similarities throughout Cisco’s networking devices and since they share the same IOS operating system.

How Can I Protect Myself From This Issue?
FireEye have dedicated a blog post detailing methods used to detect if your Cisco devices are compromised.

If this is the case, they recommend re-imaging your Cisco device with a clean IOS image obtained from Cisco. You can verify that the image is clean “as intended” by checking that the hash value (defined) published by Cisco matches the hash value of the image that you have downloaded.

Furthermore, FireEye recommend hardening your devices against future attacks of this nature.

Most importantly, as noted by FireEye, make sure that if you have to re-image a router its settings are customized to meet your needs and that default usernames and passwords are not used.

Finally, it is believed that this attack occurs because compromised credentials (username and password) are used to initially access the router, or because the credentials were left at the default settings. However, as again noted by FireEye, if you know that your router did not use default credentials you may need to begin sweeping every device on your network looking for signs of compromise, since the attack will most likely have come from an already compromised system/device within your network.

The Mitigation section of FireEye’s second blog post provides a link to a whitepaper to share among your incident response team should a network sweep become necessary.

Thank you.