Blog entry by Les Bell

by Les Bell - Wednesday, 19 April 2023, 11:54 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


APT28 Exploited Known Vulnerability in Cisco IOS

The US Cybersecurity & Infrastructure Security Agency, the UK National Cyber Security Centre, NSA and FBI have released a joint advisory detailing the tactics, techniques and procedures used by APT28 in its exploitation of Cisco routers, mainly back in 2021. APT28 is perhaps better known as Fancy Bear, Sofacy or STRONTIUM, although it is officially the Russian General Staff Main Intelligence Directorate (GRU) 85th Special Service Centre (GTsSS) Military Intelligence Unit 26165.

The group was able to exploit CVE-2017-6742, which was fixed back in June 2017 (several years before the exploitation). This vulnerability affects Cisco's implementation of SNMP (Simple Network Management Protocol) v2 in its routers - SNMP v2 has long been known to have weak authentication, and in many cases all that is required to query the management information base on a network device is the default community string value of 'public'.

So, the threat actors simply scanned for routers with weak community strings and, upon discovering one, used CVE-2017-6742 to inject their malware directly into the memory of the router. This means that the malware - called Jaguar Tooth - is non-persistent, but it can easily be reinjected whenever required. Once resident in memory, Jaguar Tooth grants telnet access to existing local accounts and also creates a process called 'Service Policy Lock' which runs a number of show commands, exfiltrating the results over the TFTP protocol:

  • show running-config
  • show version
  • show ip interface brief
  • show arp
  • show cdp neighbors
  • show start
  • show ip route
  • show flash
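The exfiltration step above is the one part of this behaviour that is visible from outside the router: a network device should only ever speak TFTP to a known server. The following is an added example (not from the advisory or the NCSC report) that flags UDP/69 flows from router management addresses to any host outside a sanctioned list; the flow records, router addresses and approved TFTP server are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, proto, dst_port, bytes) - not real telemetry.
FLOWS = [
    ("10.0.0.1", "10.0.0.50", "udp", 69, 1200),       # router -> sanctioned TFTP server: fine
    ("10.0.0.1", "203.0.113.7", "udp", 69, 48211),    # router -> unknown host on TFTP: suspicious
    ("10.0.0.2", "10.0.0.50", "udp", 161, 300),       # SNMP poll, not TFTP: ignore
    ("10.0.0.2", "198.51.100.9", "udp", 69, 9123),    # second router -> unknown host: suspicious
    ("10.0.0.9", "203.0.113.7", "udp", 69, 100),      # not a router: out of scope for this rule
]

ROUTERS = {"10.0.0.1", "10.0.0.2"}                  # assumed management addresses of network devices
APPROVED_TFTP = {ip_network("10.0.0.50/32")}        # hypothetical sanctioned TFTP server(s)


def is_approved(dst):
    """True when the destination is inside one of the approved TFTP server networks."""
    return any(ip_address(dst) in net for net in APPROVED_TFTP)


def suspicious_tftp(flows, routers=ROUTERS):
    """Return {router: [(dst, bytes), ...]} for TFTP (UDP/69) flows from a router to an unapproved host.

    Jaguar Tooth's 'show' output leaves the device over TFTP, so any such flow to a
    destination that is not a known TFTP server deserves an alert.
    """
    hits = defaultdict(list)
    for src, dst, proto, dport, nbytes in flows:
        if src not in routers or proto != "udp" or dport != 69:
            continue
        if is_approved(dst):
            continue
        hits[src].append((dst, nbytes))
    return dict(hits)


if __name__ == "__main__":
    for router, dests in suspicious_tftp(FLOWS).items():
        print(f"ALERT {router}: TFTP to unapproved host(s) {dests}")
```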

The lessons are obvious. First, network devices are an increasingly popular target for threat actors as they allow interception of inbound and outbound traffic; furthermore, they often receive far less scrutiny and monitoring than computers and cannot run the endpoint detection and response tools available for popular operating systems. Hence, the first mitigation has to be a policy of proactive patching - the exploited routers should have been updated four years earlier.

SNMP v1 and v2 should be replaced with more secure protocols, such as NETCONF or RESTCONF, for remote management (and telnet should be disabled!). The joint advisory, coupled with the UK NCSC's two reports, provides a lot more detail.
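The mitigations in the two paragraphs above are easy to check for in a saved running-config. As an added example (not part of the advisory), the audit below flags v1/v2c community strings (default or read-write ones as high severity), telnet on the vty lines, a missing SNMPv3 group and the absence of NETCONF/RESTCONF; the two IOS-style config excerpts are constructed, and the patterns are simplified (a 'view' keyword between the community name and RO/RW is not handled).

```python
import re

# Constructed IOS-style config excerpts (not from the advisory or any real device).
WEAK_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community s3cretRW RW
snmp-server group NETOPS v3 priv
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
hostname edge-rtr
snmp-server group NETOPS v3 priv
netconf-yang
line vty 0 4
 transport input ssh
"""

# Simplified patterns: 'snmp-server community <name> [view ...] RO|RW' with a view is not handled.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.M)
SNMPV3_RE = re.compile(r"^snmp-server group \S+ v3 (noauth|auth|priv)", re.M)
TRANSPORT_RE = re.compile(r"^ transport input (.+)$", re.M)
MODERN_MGMT_RE = re.compile(r"^(netconf-yang|restconf)\s*$", re.M)
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(text):
    """Return (severity, message) findings for v1/v2c communities, telnet on vty and missing NETCONF/RESTCONF."""
    findings = []
    for name, mode in COMMUNITY_RE.findall(text):
        sev = "HIGH" if name in DEFAULT_COMMUNITIES or mode == "RW" else "MEDIUM"
        findings.append((sev, f"SNMP v1/v2c community '{name}' ({mode or 'RO'}) configured"))
    v3_levels = SNMPV3_RE.findall(text)
    if not v3_levels:
        findings.append(("MEDIUM", "no SNMPv3 group configured"))
    elif "priv" not in v3_levels:
        findings.append(("MEDIUM", "SNMPv3 group configured without privacy (priv)"))
    for transports in TRANSPORT_RE.findall(text):
        if {"telnet", "all"} & set(transports.split()):
            findings.append(("HIGH", f"vty accepts telnet (transport input {transports})"))
    if not MODERN_MGMT_RE.search(text):
        findings.append(("LOW", "neither netconf-yang nor restconf enabled"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "no findings")
```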

CISA, APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers, cybersecurity advisory, 18 April 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108.

NCSC, APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers, advisory, 18 April 2023. Available online at https://www.cisa.gov/sites/default/files/2023-04/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers-uk.pdf.

NCSC, Jaguar Tooth, malware analysis report, 18 April 2023. Available online at https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jaguar-tooth/NCSC-MAR-Jaguar-Tooth.pdf.

New Device Advances Quantum Key Distribution

While much hype surrounds the potential of quantum computers, especially for breaking existing public-key cryptography algorithms, other quantum developments continue to provide solutions to the problem. One of these areas is quantum key distribution, which solves the key distribution problem by providing a form of key transfer which is immune to eavesdropping.

The key distribution problem can be simply stated. Alice and Bob wish to communicate over an insecure channel - one on which Eve can eavesdrop. Alice and Bob can solve their problem by encrypting their communication using an algorithm like AES, but in order to do that, they each need to have the same key. If Alice comes up with a random key and sends it to Bob over their insecure channel, Eve will simply intercept the key, and they will be no better off - so how can they exchange or agree on a key without Eve getting hold of it?

Current systems mostly solve this problem using public-key cryptographic algorithms - for example, Alice 'wraps' the random key using Bob's RSA public key and sends it to him; since Eve does not have Bob's private key - only Bob has that - she cannot learn the key. Alternatively, Alice and Bob can use Diffie-Hellman key agreement. But these are the techniques that quantum computers may well break in the not-too-distant future.

Much attention has focused on the use of polarized photons to send a key over a fiber optic cable. Since the only way to figure out the polarization of a photon is to pass it through a polarized filter and detect what comes out, any attempt by Eve (or Mallory, the man-in-the-middle) to do this will either change the polarization of many photons or block them completely, rendering the attack obvious to Alice and Bob. Using a protocol called BB84 with privacy amplification, this technique has already been commercialized and rack-mount devices for quantum key distribution are already available.
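The reason an intercepting Eve is "obvious" can be made concrete with a small simulation of BB84 sifting. The code below is an added illustration, not from the article or either paper: Alice encodes random bits in random bases, Bob measures in random bases, and they keep only the positions where the bases agree. Without an eavesdropper the sifted keys match exactly; an intercept-and-resend Eve who guesses the basis wrong half the time introduces errors in about a quarter of the sifted bits, which Alice and Bob detect by comparing a sample. The error threshold is a parameter you would set from your own system's noise floor.

```python
import random


def bb84_run(n_photons, eve_present, seed=1):
    """Simulate BB84 with an optional intercept-resend eavesdropper.

    Returns (alice_sifted_key, bob_sifted_key, qber) where qber is the fraction of
    sifted bits on which Alice and Bob disagree. Bases are '+' (rectilinear) or 'x' (diagonal).
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice("+x") for _ in range(n_photons)]
    bob_bases = [rng.choice("+x") for _ in range(n_photons)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon_bit, photon_basis = bit, a_basis
        if eve_present:
            # Eve measures in a random basis and re-sends what she saw; measuring in the
            # wrong basis gives her a random result and leaves the photon in her basis.
            eve_basis = rng.choice("+x")
            if eve_basis != photon_basis:
                photon_bit = rng.randrange(2)
            photon_basis = eve_basis
        # Bob gets the encoded bit only if he measures in the photon's basis, else a coin flip.
        bob_bits.append(photon_bit if b_basis == photon_basis else rng.randrange(2))
    # Sifting: Alice and Bob publicly compare bases and keep positions where they agree.
    keep = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]
    errors = sum(a != b for a, b in zip(alice_key, bob_key))
    qber = errors / len(keep) if keep else 0.0
    return alice_key, bob_key, qber


def eavesdropper_detected(qber, threshold=0.11):
    """True when the observed error rate exceeds the threshold (0.11 is a commonly cited BB84 limit)."""
    return qber > threshold


if __name__ == "__main__":
    for eve in (False, True):
        _, _, q = bb84_run(2000, eve_present=eve)
        print(f"Eve present: {eve}  QBER: {q:.3f}  detected: {eavesdropper_detected(q)}")
```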

However, there's another promising technique waiting in the wings that is completely unobservable by Eve and Mallory, based on quantum entanglement - a phenomenon that Einstein could never come to terms with, calling it "spooky action at a distance". When two subatomic particles are entangled, any change to one of the particles happens to the other, no matter how far apart the particles are, and with no apparent communication between them. In other words, there is nothing for Eve or Mallory to intercept.

Already, scientists in China have demonstrated satellite-based distribution of entangled photon pairs to two locations over 1,000 km apart via two satellite-to-ground downlinks [1]. However, this technique is expensive and still highly experimental; optical fiber will likely remain cheaper for shorter distances. In both cases, the cost of the equipment for generation of entangled photons remains a barrier.

However, a new paper [2] reveals the first photonic device that puts all the circuitry on one chip, combining an optical amplifier built out of indium phosphide - effectively a semiconductor laser that can generate a stream of photons - with a second section containing progressively smaller 'microring resonators', made of silicon nitride, which filter out noise and eventually produce a pair of entangled photons.

The chip, which draws only 3 watts of power, can generate 8,200 pairs of entangled photons per second, at the wavelengths commonly used for fiber optic cables. Although there are still some challenges in the complexity of the manufacturing process and the chip's performance, the fact that it reduces the size of the quantum light source by a factor of 1,000 could accelerate the use of quantum entanglement out of the laboratory and into real-world applications.

The original papers below are, of course, incredibly technical, but the IEEE Spectrum article is much more accessible for the layman.

[1] Yin, J., Cao, Y., Li, Y.-H., Liao, S.-K., Zhang, L., Ren, J.-G., Cai, W.-Q., Liu, W.-Y., Li, B., Dai, H., Li, G.-B., Lu, Q.-M., Gong, Y.-H., Xu, Y., Li, S.-L., Li, F.-Z., Yin, Y.-Y., Jiang, Z.-Q., Li, M., … Pan, J.-W. (2017). Satellite-based entanglement distribution over 1200 kilometers. Science, 356(6343), 1140–1144. https://doi.org/10.1126/science.aan3211.

[2] Mahmudlu, H., Johanning, R., van Rees, A., Khodadad Kashi, A., Epping, J. P., Haldar, R., Boller, K.-J., & Kues, M. (2023). Fully on-chip photonic turnkey quantum source for entangled qubit/qudit state generation. Nature Photonics, 1–7. https://doi.org/10.1038/s41566-023-01193-1.

Gent, Ed, Entangled Photons Produced Entirely On-Chip: Quantum photonic technology reduced to the size of a coin, IEEE Spectrum, 17 April 2023. Available online at https://spectrum.ieee.org/quantum-entanglement.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.