Overkill Security

Monthly Digest. 2024 / 06

Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content both engaging and accessible. Happy reading!

Check out the PDF at the end of the post.

A. AntiPhishStack

The paper titled «LSTM-based Stacked Generalization Model for Optimized Phishing» discusses the escalating reliance on online web services, which has introduced heightened security risks, with phishing attacks posing a persistent challenge.

Phishing, a deceptive method that combines social and technical engineering, poses a severe threat to online security; it aims to illicitly obtain user identities, personal account details, and bank credentials. It is a primary concern within criminal activity, with phishers pursuing objectives such as selling stolen identities, extracting cash, exploiting vulnerabilities, or deriving financial gains.

The study aims to advance phishing detection with a model that operates without prior phishing-specific feature knowledge. The model leverages Long Short-Term Memory (LSTM) networks, a type of recurrent neural network capable of learning order dependence in sequence prediction problems. It learns from URLs and character-level TF-IDF features symmetrically, enhancing its ability to combat emerging phishing threats.
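To make the "character-level TF-IDF features" concrete, here is an added example (not code from the paper, whose exact feature pipeline is not reproduced on this page) that builds character n-gram TF-IDF vectors for URLs from scratch. The sample URLs, the n-gram size, the smoothed IDF formula and the choice to give unseen n-grams the maximum IDF weight are all assumptions of this example; the point is that digit substitutions and look-alike hosts such as "paypa1" or "example-com.login-verify" become visible as rare n-grams without any hand-written phishing feature.

```python
"""Character-level n-gram TF-IDF features for URLs, implemented from scratch.
Added example; the paper's exact pipeline is not reproduced here."""
import math
from collections import Counter

# Constructed sample URLs (not from any dataset); the first two are meant to
# look benign and the last two to look like phishing look-alikes.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "https://accounts.example.com/signin",
    "http://example-com.login-verify.xyz/secure/update",
    "http://192.0.2.10/paypa1.com/login.php",
]


def char_ngrams(url, n=3):
    """All overlapping character n-grams of a case-folded URL."""
    url = url.lower()
    return [url[i:i + n] for i in range(len(url) - n + 1)]


class CharTfidf:
    """Fit smoothed IDF weights on a URL corpus, then emit L2-normalised TF-IDF vectors."""

    def __init__(self, n=3):
        self.n = n
        self.idf = {}
        self.n_docs = 0

    def fit(self, urls):
        df = Counter()
        for u in urls:
            df.update(set(char_ngrams(u, self.n)))  # document frequency, one count per URL
        self.n_docs = len(urls)
        # smoothed idf: log((1 + N) / (1 + df)) + 1, so no n-gram ever gets weight zero
        self.idf = {g: math.log((1 + self.n_docs) / (1 + d)) + 1.0 for g, d in df.items()}
        return self

    def transform(self, url):
        counts = Counter(char_ngrams(url, self.n))
        total = sum(counts.values())
        # assumption of this example: n-grams never seen in the corpus get the maximum
        # idf (as if df were 0) instead of being dropped, so novel look-alikes stand out
        unseen = math.log((1 + self.n_docs) / 1) + 1.0
        vec = {g: (c / total) * self.idf.get(g, unseen) for g, c in counts.items()}
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        return {g: w / norm for g, w in vec.items()}


def cosine(a, b):
    """Cosine similarity of two sparse, already L2-normalised vectors."""
    return sum(w * b.get(g, 0.0) for g, w in a.items())


def top_features(vec, k=5):
    """The k heaviest n-grams of a vector, i.e. what a downstream model would see most strongly."""
    return sorted(vec.items(), key=lambda kv: -kv[1])[:k]


if __name__ == "__main__":
    model = CharTfidf().fit(SAMPLE_URLS)
    for u in SAMPLE_URLS:
        print(u, top_features(model.transform(u)))
```

These sparse vectors are what an LSTM or any other classifier would be fed alongside the raw URL sequence; the example stops at feature extraction and does not reproduce the paper's stacked model.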

B. NSA’s panic. AdaptTactics

The document titled «cyber actors adapt tactics for initial cloud access», released by the National Security Agency (NSA), warns that cyber actors have adapted their tactics to gain initial access to cloud services, as opposed to exploiting on-premise network vulnerabilities.

This shift is a response to organizations modernizing their systems and moving to cloud-based infrastructure. High-profile cyber campaigns like the SolarWinds supply chain compromise are now expanding to sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

The stark reality is that to breach cloud-hosted networks, these actors need only authenticate with the cloud provider; if they succeed, the defenses are breached. The document highlights a particularly disconcerting aspect of cloud environments: the reduced network exposure compared to on-premises systems paradoxically makes initial access a more significant linchpin.

1) Key findings

· Adaptation to Cloud Services: Cyber actors have shifted their focus from exploiting on-premises network vulnerabilities to directly targeting cloud services. This change is a response to the modernization of systems and the migration of organizational infrastructure to the cloud.

· Authentication as a Key Step: To compromise cloud-hosted networks, cyber actors must first successfully authenticate with the cloud provider. Preventing this initial access is crucial for stopping them from compromising the target.

· Expansion of Targeting: Cyber actors have broadened their targeting to include sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. This expansion indicates a strategic diversification of targets for intelligence gathering.

· Use of Service and Dormant Accounts: The advisory highlights that cyber actors have been observed using brute force attacks to access service and dormant accounts over the last 12 months. This tactic allows them to gain initial access to cloud environments.

· Sophistication of cyber actors: The cyber actors can execute global supply chain compromises, such as the 2020 SolarWinds incident.

· Defense through Cybersecurity Fundamentals: The advisory emphasizes that a strong baseline of cybersecurity fundamentals can defend against these cyber actors. For organizations that have transitioned to cloud infrastructure, protecting against the TTPs used for initial access is presented as the first line of defense.
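Since the advisory singles out brute force against service and dormant accounts as the initial-access step that defenders must stop, here is an added detection example (not from the advisory) that runs three correlation rules over authentication logs: a burst of failures for one account from one source, a success that follows such a burst, and any success on an account that has not logged in for a long time. The log format, the thresholds (5 failures in 10 minutes, 90 days of dormancy), the account inventory and all names and addresses are constructed for this example.

```python
"""Detecting brute force against service and dormant accounts in authentication logs.
Added example with constructed data; the log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an assumed "key=value" format (not from any real system).
SAMPLE_LOGS = """\
2024-06-01T10:00:01Z user=svc-backup result=FAIL src=198.51.100.7
2024-06-01T10:00:03Z user=svc-backup result=FAIL src=198.51.100.7
2024-06-01T10:00:05Z user=svc-backup result=FAIL src=198.51.100.7
2024-06-01T10:00:08Z user=svc-backup result=FAIL src=198.51.100.7
2024-06-01T10:00:11Z user=svc-backup result=FAIL src=198.51.100.7
2024-06-01T10:00:14Z user=svc-backup result=SUCCESS src=198.51.100.7
2024-06-01T10:02:00Z user=alice result=SUCCESS src=203.0.113.5
2024-06-01T10:05:00Z user=jdoe-old result=SUCCESS src=198.51.100.7
"""

# Constructed account inventory: whether the account is a service account and its last known login.
ACCOUNTS = {
    "svc-backup": {"service": True, "last_login": "2024-05-31"},
    "alice": {"service": False, "last_login": "2024-05-31"},
    "jdoe-old": {"service": False, "last_login": "2023-12-15"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "ok": m.group(3) == "SUCCESS", "src": m.group(4)}


def is_dormant(account, at, dormant_days=90):
    """An account is dormant if its last recorded login is at least dormant_days before `at`."""
    last = datetime.strptime(account["last_login"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (at - last).days >= dormant_days


def detect(log_text, accounts, window=timedelta(minutes=10), threshold=5, dormant_days=90):
    """Return a list of (alert_type, user, src) tuples in the order they fire."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(deque)  # (user, src) -> timestamps of failures inside the window
    flagged = set()                # (user, src) pairs already reported as brute force
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        q = failures[key]
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("brute_force", e["user"], e["src"]))
            continue
        # a success: correlate with earlier failures and with the account's dormancy
        if key in flagged:
            alerts.append(("success_after_brute_force", e["user"], e["src"]))
        acct = accounts.get(e["user"])
        if acct and is_dormant(acct, e["ts"], dormant_days):
            alerts.append(("dormant_account_login", e["user"], e["src"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, ACCOUNTS):
        print(alert)
```

The "success after brute force" rule is the one worth paging on: it is the moment the advisory describes, where authenticating to the provider is all the actor needed. Running it requires an account inventory with real last-login dates, which is also the data needed to disable dormant accounts before they are used.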

C. NSA’s panic. Ubiquiti

Routers to Facilitate Cyber Operations» released by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners warns of the use of compromised Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide.

The popularity of Ubiquiti EdgeRouters is attributed to their user-friendly, Linux-based operating system, default credentials, and limited firewall protections. The routers are often shipped with insecure default configurations and do not automatically update firmware unless configured to do so by the user.

The compromised EdgeRouters have been used by APT28 to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools. APT28 accessed the routers using default credentials and trojanized OpenSSH server processes. With root access to the compromised routers, the actors had unfettered access to the Linux-based operating systems to install tooling and obfuscate their identity.

APT28 also deployed custom Python scripts on the compromised routers to collect and validate stolen webmail account credentials obtained through cross-site scripting and browser-in-the-browser spear-phishing campaigns. Additionally, they exploited a critical zero-day elevation-of-privilege vulnerability in Microsoft Outlook (CVE-2023-23397) to collect NTLMv2 digests from targeted Outlook accounts and used publicly available tools to assist with NTLM relay attacks.

D. NSA’s panic. SOHO

The exploitation of insecure SOHO routers by malicious cyber actors, particularly state-sponsored groups, poses a significant threat to individual users and critical infrastructure. Manufacturers are urged to adopt secure-by-design principles and transparency practices to mitigate these risks, while users and network defenders are advised to implement best practices for router security and remain vigilant against potential threats.

The root causes of insecure SOHO routers are multifaceted, involving both technical vulnerabilities and lapses in secure design and development practices by manufacturers, as well as negligence on the part of users in maintaining router security.

· Widespread Vulnerabilities: A significant number of vulnerabilities, totaling 226, have been identified in popular SOHO router brands. These vulnerabilities range in severity but collectively pose a substantial security risk.

· Outdated Components: Core components such as the Linux kernel and additional services like VPN in these routers are outdated. This makes them susceptible to known exploits for vulnerabilities that have long since been made public.

· Insecure Default Settings: Many routers come with easy-to-guess default passwords and use unencrypted connections. This can be easily exploited by attackers.

· Lack of Secure Design and Development: SOHO routers often lack basic security features due to insecure design and development practices. This includes the absence of automatic update capabilities and the presence of exploitable defects, particularly in web management interfaces.

· Exposure of Management Interfaces: Manufacturers frequently create devices with management interfaces exposed to the public internet by default, often without notifying customers of this frequently unsafe configuration.

· Lack of Transparency and Accountability: There is a need for manufacturers to embrace transparency by disclosing product vulnerabilities through the CVE program and accurately classifying these vulnerabilities using the Common Weakness Enumeration (CWE) system.

· Neglect of Security in Favor of Convenience and Features: Manufacturers prioritize ease of use and a wide variety of features over security, leading to routers that are «secure enough» right out of the box without considering the potential for exploitation.

· User Negligence: Many users, including IT professionals, do not follow basic security practices such as changing default passwords or updating firmware, leaving routers exposed to attacks.

· Complexity in Identifying Vulnerable Devices: Identifying specific vulnerable devices is complex due to legal and technical issues, complicating the process of mitigating these vulnerabilities.

E. Detection of Energy Consumption Cyber Attacks on Smart Devices

The paper «Detection of Energy Consumption Cyber Attacks on Smart Devices» emphasizes the rapid integration of IoT technology into smart homes, highlighting the associated security challenges due to resource constraints and unreliable networks.

· Energy Efficiency: The paper emphasizes the significance of energy efficiency in IoT systems, particularly in smart home environments, for comfort, convenience, and security.

· Vulnerability: The paper discusses the vulnerability of IoT devices to cyberattacks and physical attacks due to their resource constraints. It underscores the necessity of securing these devices to ensure their effective deployment in real-world scenarios.

· Proposed Detection Framework: The authors propose a detection framework based on analyzing the energy consumption of smart devices. This framework aims to classify the attack status of monitored devices by examining their energy consumption patterns.

· Two-Stage Approach: The methodology involves a two-stage approach. The first stage uses a short time window for rough attack detection, while the second stage involves more detailed analysis.

· Lightweight Algorithm: The paper introduces a lightweight algorithm designed to detect energy consumption attacks on smart home devices. This algorithm is tailored to the limited resources of IoT devices and considers three different protocols: TCP, UDP, and MQTT.

· Packet Reception Rate Analysis: The detection technique relies on analyzing the packet reception rate of smart devices to identify abnormal behavior indicative of energy consumption attacks.

The following benefits and drawbacks provide a balanced view of the proposed detection framework’s capabilities and limitations, highlighting its potential for improving smart home security.

1) Benefits

· Lightweight Detection Algorithm: The proposed algorithm is designed to be lightweight, making it suitable for resource-constrained IoT devices. This ensures that the detection mechanism does not overly burden the devices it aims to protect.

· Protocol Versatility: The algorithm considers multiple communication protocols (TCP, UDP, MQTT), enhancing its applicability across various types of smart devices and network configurations.

· Two-Stage Detection Approach: The use of a two-stage detection approach (short and long time windows) improves the accuracy of detecting energy consumption attacks while minimizing false positives. This method allows for both quick initial detection and detailed analysis.

· Real-Time Alerts: The framework promptly alerts administrators upon detecting an attack, enabling quick response and mitigation of potential threats.

· Effective Anomaly Detection: By measuring packet reception rates and analyzing energy consumption patterns, the algorithm effectively identifies deviations from normal behavior, which are indicative of cyberattacks.

2) Drawbacks

· Limited Attack Scenarios: The experimental setup has tested only specific types of attacks, which limits the generalizability of the results to other potential attack vectors not covered in the study.

· Scalability Concerns: While the algorithm is designed to be lightweight, its scalability in larger, more complex smart home environments with numerous devices and varied network conditions may require further validation.

· Dependency on Baseline Data: The effectiveness of the detection mechanism relies on accurate baseline measurements of packet reception rates and energy consumption. Any changes in the normal operating conditions of the devices could affect the baseline, potentially leading to false positives or negatives.

· Resource Constraints: Despite being lightweight, the algorithm still requires computational resources, which might be a challenge for extremely resource-limited devices. Continuous monitoring and analysis could also impact the battery life and performance of these devices.
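The two-stage, packet-reception-rate approach described above and the baseline dependency listed among the drawbacks can both be seen in one small simulation. The following is an added example, not the paper's algorithm: a baseline (mean and standard deviation of the reception rate) is learned from a window assumed to be attack-free, stage 1 raises a "suspect" state when a 5-second window's mean rate exceeds the baseline by a margin, and stage 2 confirms an attack only when at least half of a 30-second window is above that threshold, so a single benign burst is cleared rather than alerted. The per-second packet counts, the window lengths, the 4-sigma margin and the 50% confirmation fraction are all assumptions of this example.

```python
"""Two-stage detection of energy-consumption (packet flooding) attacks from a smart
device's packet reception rate. Added example with constructed data; the window
sizes and thresholds are assumptions, not the paper's parameters."""
import statistics


def make_series():
    """Constructed per-second packet reception counts for one device (not real data):
    ~10 pkt/s of normal traffic, one benign burst at t=40, and a flood of ~60 pkt/s
    from t=60 to t=99."""
    series = [10 + (i % 3) - 1 for i in range(130)]   # 9, 10, 11, 9, ...
    series[40] = 40                                     # short benign burst
    for i in range(60, 100):
        series[i] = 60 + (i % 5)                        # sustained flood
    return series


def learn_baseline(series, n=30):
    """Mean and population std-dev of the first n samples, assumed attack-free."""
    head = series[:n]
    return statistics.mean(head), statistics.pstdev(head)


class TwoStageDetector:
    """Stage 1: short-window mean rate above threshold -> 'suspect'.
    Stage 2: at least `frac` of the long window above threshold -> 'confirmed'."""

    def __init__(self, mean, std, short=5, long=30, k=4.0, frac=0.5):
        # floor the std-dev at 1 pkt/s so a very quiet baseline does not give a zero-width band
        self.thr = mean + k * max(std, 1.0)
        self.short, self.long, self.frac = short, long, frac
        self.buf = []          # last `long` samples
        self.state = "normal"  # normal | suspect | confirmed
        self.events = []       # (event, t) transitions, in order

    def feed(self, t, count):
        self.buf.append(count)
        del self.buf[:-self.long]
        short_mean = statistics.mean(self.buf[-self.short:])
        long_frac = sum(1 for c in self.buf if c > self.thr) / len(self.buf)
        if self.state == "normal" and short_mean > self.thr:
            self._go("suspect", t)
        elif self.state == "suspect":
            if long_frac >= self.frac:
                self._go("confirmed", t)      # this is where an administrator alert would fire
            elif short_mean <= self.thr:
                self._go("cleared", t)        # stage 2 did not confirm: a transient burst
        elif self.state == "confirmed" and long_frac < self.frac:
            self._go("recovered", t)
        return self.state

    def _go(self, event, t):
        self.events.append((event, t))
        self.state = {"suspect": "suspect", "confirmed": "confirmed",
                      "cleared": "normal", "recovered": "normal"}[event]


def run(series=None):
    """Learn the baseline, replay the series through the detector, return its transitions."""
    series = series or make_series()
    mean, std = learn_baseline(series)
    det = TwoStageDetector(mean, std)
    for t, count in enumerate(series):
        det.feed(t, count)
    return det.events


if __name__ == "__main__":
    print(run())
```

The baseline drawback is visible in `learn_baseline`: if the first 30 seconds had contained the burst, the standard deviation would have widened the band and the later flood would be confirmed later or not at all, which is why a baseline should be captured under known-good conditions and re-learned when a device's normal traffic changes.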

F. MediHunt

The paper «MediHunt: A Network Forensics Framework for Medical IoT Devices» addresses the need for robust network forensics in Medical Internet of Things (MIoT) environments, particularly focusing on MQTT (Message Queuing Telemetry Transport) networks. These networks are commonly used in smart hospital environments for their lightweight communication protocol. It highlights the challenges in securing MIoT devices, which are often resource-constrained and have limited computational power. The lack of publicly available flow-based MQTT-specific datasets for training attack detection systems is mentioned as a significant challenge.

The paper presents MediHunt as an automatic network forensics solution designed for real-time detection of network flow-based traffic attacks in MQTT networks. It aims to provide a comprehensive solution for data collection, analysis, attack detection, presentation, and preservation of evidence. It is designed to detect a variety of TCP/IP layer and application layer attacks on MQTT networks. It leverages machine learning models to enhance the detection capabilities and is suitable for deployment on resource-constrained MIoT devices.

Unlike many network forensics frameworks, MediHunt is specifically designed for the MIoT domain. This specialization allows it to address the unique challenges and requirements of medical IoT devices, such as resource constraints and the need for real-time attack detection.

1) Benefits

· Real-time Attack Detection: MediHunt is designed to detect network flow-based traffic attacks in real time, which is crucial for mitigating potential damage and ensuring the security of MIoT environments.

· Comprehensive Forensic Capabilities: The framework provides a complete solution for data collection, analysis, attack detection, presentation, and preservation of evidence. This makes it a robust tool for network forensics in MIoT environments.

· Machine Learning Integration: By leveraging machine learning models, MediHunt enhances its detection capabilities. The use of a custom dataset that includes flow data for both TCP/IP layer and application layer attacks allows for more accurate and effective detection of a wide range of cyber-attacks.

· High Performance: The framework has demonstrated high performance, with F1 scores and detection accuracy exceeding 0.99, which indicates that it is highly reliable in detecting attacks on MQTT networks.

· Resource Efficiency: Despite its comprehensive capabilities, MediHunt is designed to be resource-efficient, making it suitable for deployment on resource-constrained MIoT devices like the Raspberry Pi.

2) Drawbacks

· Dataset Limitations: While MediHunt uses a custom dataset for training its machine learning models, the creation and maintenance of such datasets can be challenging. The dataset needs to be regularly updated to cover new and emerging attack scenarios.

· Resource Constraints: Although MediHunt is designed to be resource-efficient, the inherent limitations of MIoT devices, such as limited computational power and memory, can still pose challenges. Ensuring that the framework runs smoothly on these devices without impacting their primary functions can be difficult.

· Complexity of Implementation: Implementing and maintaining a machine learning-based network forensics framework can be complex. It requires expertise in cybersecurity and machine learning, which may not be readily available in all healthcare settings.

· Dependence on Machine Learning Models: The effectiveness of MediHunt heavily relies on the accuracy and robustness of its machine learning models. These models need to be trained on high-quality data and regularly updated to remain effective against new types of attacks.

· Scalability Issues: While the framework is suitable for small-scale deployments on devices like the Raspberry Pi, scaling it up to larger, more complex MIoT environments may present additional challenges. Ensuring consistent performance and reliability across a larger network of devices can be difficult.
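The pipeline the paper describes, collection, flow-based analysis, detection and preservation of evidence, can be sketched end to end on constructed MQTT traffic. The following is an added example, not MediHunt's code: packet records are aggregated into bidirectional flows, per-flow features of the kind a flow-based detector consumes are computed (packet and byte counts, duration, rate, inter-arrival time, MQTT message-type counts), a simple rule stands in for the paper's machine learning model (the page does not describe the model), and each flagged flow is serialized and sealed with a SHA-256 digest as the evidence-preservation step. The broker address, the client addresses, the packet timings and the rule thresholds are all assumptions of this example; only the MQTT port 1883 and the message-type names are real protocol facts.

```python
"""Flow-based feature extraction over MQTT traffic, a rule stand-in for the classifier,
and hash-sealed evidence records. Added example with constructed data; not MediHunt's code."""
import hashlib
import json
import statistics
from collections import defaultdict

BROKER = ("10.0.0.5", 1883)   # constructed broker address; 1883 is the standard MQTT port


def make_packets():
    """Constructed packet records: (t_s, src_ip, src_port, dst_ip, dst_port, length, mqtt_type)."""
    pkts = []
    sensor = ("10.0.0.21", 50001)        # benign sensor: handshake, then one PUBLISH every 10 s
    pkts.append((0.00, *sensor, *BROKER, 54, "CONNECT"))
    pkts.append((0.02, *BROKER, *sensor, 58, "CONNACK"))
    for i in range(3):
        pkts.append((1.0 + 10 * i, *sensor, *BROKER, 80, "PUBLISH"))
    flooder = ("10.0.0.99", 40001)       # flooding client: 200 PUBLISH packets in about 2 s
    pkts.append((5.00, *flooder, *BROKER, 54, "CONNECT"))
    pkts.append((5.02, *BROKER, *flooder, 58, "CONNACK"))
    for i in range(200):
        pkts.append((5.1 + i * 0.01, *flooder, *BROKER, 120, "PUBLISH"))
    return sorted(pkts)


def flow_key(p):
    """Direction-independent key so both halves of a conversation land in one flow."""
    return tuple(sorted([(p[1], p[2]), (p[3], p[4])]))


def extract_flows(packets):
    """Aggregate packets into flows and compute the per-flow features a detector would use."""
    groups = defaultdict(list)
    for p in packets:
        groups[flow_key(p)].append(p)
    flows = {}
    for key, ps in groups.items():
        times = [p[0] for p in ps]
        duration = max(times) - min(times)
        iats = [b - a for a, b in zip(times, times[1:])]
        types = [p[6] for p in ps]
        flows[key] = {
            "client": key[0] if key[1] == BROKER else key[1],
            "packets": len(ps),
            "bytes": sum(p[5] for p in ps),
            "duration_s": round(duration, 3),
            "pkt_rate": len(ps) / duration if duration > 0 else float(len(ps)),
            "mean_iat_s": statistics.mean(iats) if iats else 0.0,
            "connect": types.count("CONNECT"),
            "publish": types.count("PUBLISH"),
        }
    return flows


def classify(f):
    """Rule-based stand-in for the trained model (assumed thresholds, not the paper's)."""
    if f["connect"] > 5:
        return "connect_flood"
    if f["pkt_rate"] > 20 and f["publish"] / f["packets"] > 0.9:
        return "publish_flood"
    return "benign"


def seal_evidence(key, features, verdict):
    """Serialize the flow record deterministically and seal it with SHA-256 for preservation."""
    record = {"flow": [list(e) for e in key], "features": features, "verdict": verdict}
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {"record": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}


def run(packets=None):
    """Collection -> flow features -> detection -> sealed evidence for every flagged flow."""
    flows = extract_flows(packets or make_packets())
    evidence = [seal_evidence(k, f, classify(f)) for k, f in flows.items() if classify(f) != "benign"]
    return flows, evidence


if __name__ == "__main__":
    flows, evidence = run()
    for f in flows.values():
        print(f["client"], classify(f))
    for e in evidence:
        print(e["sha256"], e["record"])
```

The sealed record is what a responder would later verify: recomputing the digest over the stored JSON proves the flow features and verdict have not been altered since detection, which is the "preservation" half of a forensics framework that a bare intrusion detector lacks.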

G. Fuxnet

The Blackjack hacking group, purportedly linked to Ukrainian intelligence services, has claimed responsibility for a cyberattack that allegedly compromised emergency detection and response capabilities in Moscow and its surrounding areas. This group has been associated with previous cyberattacks targeting internet providers and military infrastructure. Their most recent claim involves an attack on Moscollector, a company responsible for constructing and monitoring underground water, sewage, and communications infrastructure.

Regarding the infection methods, the Fuxnet malware appears to have been designed to target sensor-gateways and potentially disable them, as well as to fuzz sensors, which could lead to their malfunction or destruction.

· Unverified Claims: Team82 and Claroty have not been able to confirm the claims made by the Blackjack group regarding the impact of their cyberattack on the government’s emergency response capabilities or the extent of the damage caused by the Fuxnet malware.

· Discrepancy in Reported Impact: The Blackjack group initially claimed to have targeted 2,659 sensor-gateways, with about 1,700 being successfully attacked. However, Team82's analysis of the data leaked by Blackjack suggests that only a little more than 500 sensor-gateways were actually impacted by the malware. The claim of having destroyed 87,000 sensors was also clarified by Blackjack, stating that they disabled the sensors by destroying the gateways and using M-Bus fuzzing, rather than physically destroying the sensors.

· M-Bus Fuzzing: The Blackjack group utilized a dedicated M-Bus fuzzer within the Fuxnet malware’s code to fuzz the sensors. This technique was aimed at disabling the sensors, but the exact number of sensors that were «fried» or permanently damaged as a result of this fuzzing is unknown, because the network was taken down and access to the sensor-gateways was disabled.

· Lack of Direct Evidence: Direct evidence to confirm the extent of the damage or the impact on emergency detection and response capabilities is lacking (including for the targeted Moscollector).

· Clarification from Blackjack: Following the publication of Team82's initial analysis, the Blackjack group reached out to provide updates and clarifications, particularly challenging the contention that only around 500 sensor-gateways had been impacted. They emphasized that the JSON files made public were only a sample of the full extent of their activity.

