Monthly Archives: March 2017

Payment Solutions Firm Verifone Investigates Security Breach

Payment solutions provider Verifone is reportedly investigating a breach of its internal computer networks dating back to mid-2016 that may have affected a number of businesses running its point-of-sale (POS) terminals.

According to a report by investigative journalist Brian Krebs, the payments giant said the extent of the breach is limited to its corporate network and did not impact its payment services network.

The San Jose, Calif.-based company is the leading manufacturer of payment card terminals in the United States, selling POS systems and services to a range of businesses, including retailers, gas stations and taxis.

In a blog post published Tuesday, Krebs said Verifone sent an “urgent” email to all company staff and contractors on January 23. Krebs obtained a copy of the email, which informed employees that the company was investigating “an IT control matter” in its environment.

Source: KrebsOnSecurity.com

“As a precaution, we are taking two immediate steps to improve our controls,” wrote Horan. Employees were instructed to “make every effort” to change their passwords that day. The email also announced employees would no longer be able to install additional software onto their desktops or laptops.

In response to the breach reports, Verifone spokesman Andy Payment told Krebs the company learned of the “limited intrusion” earlier this year.

“In January 2017, Verifone’s information security team saw evidence of a limited cyber intrusion into our corporate network. Our payment services network was not impacted. We immediately began work to determine the type of information targeted and executed appropriate measures in response. We believe today that due to our immediate response, the potential for misuse of information is limited.”

It is not yet clear how the company initially detected the incident. However, a source familiar with the matter told Krebs that the email alert sent on Jan. 23 was in response to a notification Verifone received from Visa and MasterCard just days before.

According to the source, Visa and MasterCard were notified that intruders appeared to have been inside Verifone’s network since mid-2016.

In a separate statement, Verifone later added that forensic information revealed the intrusion was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame.

“We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational,” said Verifone.

For more information, read Krebs’ full report here.

 

via: tripwire

New Fileless Malware Uses DNS Queries To Receive PowerShell Commands

It is no secret that cybercriminals are becoming dramatically more adept, innovative, and stealthy with each passing day.

While new forms of cybercrime are on the rise, traditional activities seem to be shifting towards more clandestine techniques that involve the exploitation of standard system tools and protocols, which are not always monitored.

The latest example of such an attack is DNSMessenger – a new Remote Access Trojan (RAT) that uses DNS queries to deliver malicious PowerShell commands to compromised computers – a technique that makes the RAT difficult to detect on targeted systems.

The Trojan came to the attention of Cisco’s Talos threat research group via a security researcher named Simpo, who tweeted about a PowerShell script containing encoded text that read ‘SourceFireSux.’ SourceFire is one of Cisco’s corporate security products.

DNSMessenger Attack Is Completely Fileless

Further analysis of the malware ultimately led Talos researchers to discover a sophisticated attack comprising a malicious Word document and a PowerShell backdoor communicating with its command-and-control servers via DNS requests.

 
Distributed through an email phishing campaign, the DNSMessenger attack is completely fileless: it does not write files to the targeted system, and instead uses DNS TXT records to fetch malicious PowerShell commands stored remotely.

This lets it evade standard file-scanning anti-malware defenses. PowerShell is a powerful scripting language built into Windows that allows for the automation of system administration tasks.

The malicious Word document has been crafted “to appear as if it were associated with a secure e-mail service that is secured by McAfee,” according to a blog post published by Talos researchers Edmund Brumaghin and Colin Grady.

Here’s How the DNSMessenger attack Works:

When opened, the document launches a Visual Basic for Applications (VBA) macro that executes a self-contained PowerShell script in an attempt to run the backdoor on the target system.

What’s interesting? Everything up to this point is done in memory, without writing any malicious files to the system’s disk.

Next, the VBA script unpacks a compressed second-stage PowerShell script that checks several properties of the target environment, such as the privileges of the logged-in user and the version of PowerShell installed on the target system.

This information is then used to establish persistence on the infected host by modifying the Windows Registry and installing a third-stage PowerShell script that contains a simple backdoor.

If the victim has administrative access, the backdoor is also added to the Windows Management Instrumentation (WMI) database, allowing it to survive a reboot.

The backdoor is an additional script that establishes a sophisticated two-way communications channel over the Domain Name System (DNS), a protocol usually used to look up the IP addresses associated with domain names but which supports several other record types.

The DNSMessenger backdoor uses DNS TXT records, which by definition allow a DNS server to attach unformatted text to a response.

The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code. As part of those requests, it retrieves the domain’s DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.

This “fourth stage” PowerShell script is the actual remote control tool used by the attacker.

This script queries the command-and-control servers via DNS TXT requests to ask what commands to execute. Any command received is then executed, and the output is communicated back to the C&C server, allowing the attacker to execute any Windows or application command on the infected system.

All the attackers need to do is leave malicious commands and instructions inside the TXT records of their domains; when queried, these are executed via the Windows Command Line Processor, and the output is sent back as another DNS query.

The domains registered by the DNSMessenger RAT are all down, so it is not yet known what types of commands the attackers relayed to infected systems. However, the researchers say this particular RAT was used in a small number of targeted attacks.

“This malware sample is an excellent example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting,” the Talos researchers said.

“It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
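One way a defender can look for the pattern described above in resolver logs, as an added example that is not from the Talos write-up (the log format and the example-c2.test domain are constructed for illustration):

```python
import statistics
from collections import defaultdict

# Constructed resolver log in a simplified space-separated format of our own
# (epoch seconds, client IP, query name, query type, answer RDATA length in bytes).
# The *.example-c2.test names stand in for the hard-coded domains; they are made up.
SAMPLE_LOG = """\
1488888000 10.0.0.5 www.example.com A 4
1488888005 10.0.0.5 cdn.example.net A 4
1488888060 10.0.0.5 q1.example-c2.test TXT 402
1488888120 10.0.0.5 q2.example-c2.test TXT 398
1488888180 10.0.0.5 q3.example-c2.test TXT 410
1488888240 10.0.0.5 q4.example-c2.test TXT 0
1488888300 10.0.0.5 q5.example-c2.test TXT 405
1488888301 10.0.0.5 ZGlyIGM6XA.r8f2.example-c2.test TXT 0
1488888400 10.0.0.9 _dmarc.example.org TXT 80
1488888410 10.0.0.9 example.org MX 30
"""


def parse_log(text):
    """Parse the constructed log into (ts, client, qname, qtype, rdlen) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype, rdlen = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), qtype.upper(), int(rdlen)))
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list is consulted, so names under e.g. co.uk
    would be grouped too coarsely; good enough for this illustration."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_txt_beacons(records, min_queries=4, max_jitter=0.2, min_answer=256):
    """Return (client, domain, reasons) for TXT query streams that look like a
    DNSMessenger-style channel: regular polling of one domain, large TXT answers
    carrying instructions, and ever-changing query names (command output being
    carried back to the server encoded in subdomain labels)."""
    groups = defaultdict(list)
    for ts, client, qname, qtype, rdlen in records:
        if qtype == "TXT":
            groups[(client, registered_domain(qname))].append((ts, qname, rdlen))

    alerts = []
    for (client, domain), queries in groups.items():
        if len(queries) < min_queries:
            continue
        queries.sort()
        reasons = []

        # Periodicity: spacing between successive queries, judged with the median
        # absolute deviation so a few out-of-cycle queries (such as the result
        # upload that follows a command) do not hide the beacon.
        gaps = [b[0] - a[0] for a, b in zip(queries, queries[1:])]
        median_gap = statistics.median(gaps)
        mad = statistics.median([abs(g - median_gap) for g in gaps])
        if median_gap > 0 and mad / median_gap <= max_jitter:
            reasons.append(f"regular TXT polling every ~{median_gap:.0f}s")

        # Payload size: SPF/DKIM/DMARC answers are short; scripts are not.
        large = sum(1 for _, _, rdlen in queries if rdlen >= min_answer)
        if large:
            reasons.append(f"{large} TXT answers of {min_answer}+ bytes")

        # Query-name churn: legitimate TXT lookups hit the same fixed names.
        distinct = len({qname for _, qname, _ in queries})
        if distinct >= min_queries:
            reasons.append(f"{distinct} distinct query names under {domain}")

        if len(reasons) >= 2:
            alerts.append((client, domain, reasons))
    return alerts


if __name__ == "__main__":
    for client, domain, reasons in find_txt_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {domain}: " + "; ".join(reasons))
```

The thresholds are starting points; tune them against your own resolver's baseline, since mail servers legitimately issue many TXT lookups, but spread across many different domains rather than concentrated on one.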

This is not the first time researchers have come across fileless malware. Early last month, Kaspersky researchers also discovered fileless malware that resides solely in the memory of compromised computers, targeting banks, telecommunication companies, and government organizations in 40 countries.

 

via:  thehackernews

Companies Aren’t Prepared for Cyber Security Threats, New Study Shows

In the modern world, it isn’t bank robbers we’re worried about – it’s cyber criminals. They can steal consumer information, alter data so that it gives false insights or remains corrupted for months or even years without notice, and even sell valuable intellectual property to the highest bidder, putting companies under.

However, while many understand the importance of cyber security, a new study conducted by IDC shows that very few companies are ready to battle this threat. In fact, IBM says that 68 percent of companies aren’t ready for cyber-attacks, leaving themselves dangerously open out of ignorance, a lack of funds, or an unwillingness to rock the boat by acknowledging a threat.

How are companies unprepared for cyber security threats, and how can they protect themselves?

1. THEY WAIT FOR TRAGEDY TO ACT

No news is good news, but that doesn’t mean you’ll have no news for long. Many companies don’t invest in stronger security simply because they haven’t experienced a breach yet. Why waste the money if you don’t need it, right? However, all it takes is one cyber attack to put your business under, so waiting until tragedy strikes to act is inviting disaster.

Instead, companies should look to their competitors and the measures of security they’re taking. Larger companies are at greater risk and, therefore, take greater precautions, but even if you’re not in their league, taking on these safety measures yourself will fend off the attack that may sink your ship as you grow.

2. THEY TRADE EASE FOR DANGER

Remote work, Bring Your Own Device (BYOD), converged storage and cloud computing are profitable for businesses. Any worker can access vital information from anywhere in the world and then share it with others for smooth collaboration, higher productivity and higher profits. However, by allowing your employees access from anywhere, you’re making the door easier for hackers to kick in.

The solution isn’t to cut off ease of access, and it isn’t to let security lag behind. Instead, companies can protect themselves by refining their working processes to leave as few holes as possible in their security. If cloud computing is a vital tool for a business, it can instead prohibit employees from bringing their own devices to work, so that there is one less potential leak in security. By limiting which conveniences are allowed to become exposures, productivity can still be high with fewer openings for failure.

3. THEY THINK OF HACKS AS COMPUTERS, NOT PEOPLE

It’s easy to imagine cyber attacks being carried out by bodiless programs, but the fact of the matter is cyber crime is conducted by cyber criminals, people who are constantly learning, becoming more creative and refining their attacks to hit your weak points.

Companies need to acknowledge that the danger is from people and, in turn, hire experts who are best equipped for countering these attacks. By keeping a team of professionals in charge of your data security, you’ll be able to update and fine-tune your processes to stay ahead of more creative attacks and even apply creative fixes that can save you money, time and reputation.

4. THEY’RE NOT READY FOR THE HIT TO THEIR REPUTATION

When a company experiences a data breach, they often think of the numbers – what have they lost, how can they seal the breach, and how are they going to recover financially. However, they neglect to understand the effect it has on their reputation. Consumers lose their sense of security with your business, which as far as they’re concerned has begun hemorrhaging their personal information.

The solution isn’t to buy insurance for data loss, which is something many companies have invested in. The key is to acknowledge the loss of trust you’re experiencing with your consumer base and treat it like any other tragic hit to your company.

Arrange for PR strategies in advance to help lessen the blow and restore confidence in your customers, who are at as much risk from a breach as you are. This is their personal information hanging in the balance; reconnect with them and re-establish a position of authority that will give them faith that your business will handle, compensate and bounce back from the breach.

 

via:  tripwire

Let’s Talk About Security Skillsets and Cyber Certifications

One of the key challenges with what we now call cyber is the shortage of relevant technical cyber skills. This is directly linked to what would seem to be an inability to recognize or accept the real scale of the cyber threat, which is, of course, playing into the hands of the criminals and hackers who are harvesting millions in revenue as a result of their malicious activities.

It was U.S. Defense Secretary Donald Rumsfeld who commented, “There are known knowns. These are things we know that we know, and there are also known unknowns. These are things we know we don’t ‘know’ and then there are the unknown unknowns, which can represent very real and present threats” that are unseen by the conventional eye of security.

It’s these elements of unknowns that pose the highest degree of danger in today’s cyber landscape of complex, interconnected global systems.

Rumsfeld might have arrived at this perspective from an external influence. In his 2007 book The Black Swan: The Impact of the Highly Improbable, essayist Nassim Nicholas Taleb tells of a presentation on uncertainty he was requested to give to the United States Department of Defense shortly before Rumsfeld’s speech. The core message of The Black Swan was (is) that ‘unknown unknowns’ are responsible for the greatest societal change.

It is in this landscape in which some members of the security profession recognize that if they could acquire an understanding of the things we don’t know and which are unknown, they could use these nuggets of isolated intelligence as an early warning system against individuals who practice exploitation and/or compromise.

This group is made up of Cyber Criminals, Hacktivists, Black/Grey Hat Hackers, some specialist members of Law Enforcement, the Intelligence Agencies, and a very small number of imaginative forward-thinking Professionals.

The bottom line is here we are turning Gamekeeper to Poacher in order to adopt the very methodology and applied thinking that is exercised by cyber criminals.

The question is: are the current skill-sets employed by the run-of-the-mill security profession leaning far too close to the wind of PCI-DSS and other standards, such as ISO/IEC 27001, and has the industry in the main moved too far away from the pragmatic basics of security?

On the first level, we should be seeking to develop a much more in-depth appreciation and understanding of the technical components of cyber security if we are to fight the good fight on a level playing field. If we don’t, then all may be lost until such time we do.

The second question is as follows: do certifications really make a difference? Well, my answer here is both yes and no. Yes insofar as they prove to some extent that the holder of the said qualification understands the high-level components of IT/cyber security requirements, but no insofar as it takes more than a certification to serve as an effective operational team member.

We should not fool ourselves that just because someone holds a CISSP or other such certification that they know what they are doing in real dirty-hands terms.

In conclusion, in the current drive to ramp up the level of real-time cyber skills, we need to fight on a level playing field of cyber adversity, and we must balance the professional profile with a proven understanding of the back-to-basics of operational security beyond governance and compliance.

However, this must be further facilitated with a level of up-to-date thinking, research and an awareness of the next generation of threats along with the real ability to sniff out those suspicious looking conditions of unknown unknowns before they become known to all.

 

via:  tripwire

Tech Support Scam Uses Website Elements to Spoof Microsoft Support Page

A new tech support scam is using website elements to trick users into thinking their browser has loaded a Microsoft support page.

Like other ruses of the sort, this ploy begins when malicious ads redirect a user to a fake tech support web page. The first thing they see is a pop-up alert warning them that “a virus and spyware” have compromised their computer. Concurrently, the page plays the following audio message:

“Important security alert! Virus intrusions detected on your computer. Your personal data and system files may be at serious risk. All system resources are halted to prevent any damage. Please call customer service immediately to report these threats now.”

The scam website and the dialogue box that pops up when the page loads. (Source: TechNet)

Clicking “OK” usually launches a loop of dialogue boxes. These alerts continue to display until the user navigates away from the site, closes the tab, or calls the fake support number. But this contrivance does something different.

Microsoft’s Malware Protection Center explains the effect of clicking “OK” in a blog post:

“It loads a page with what appears to be a pop-up message containing the same details, including the technical support hotline. You may think at this point you’re just getting the usual dialogue loop. But, upon closer inspection, it’s not really a pop-up message, but a website element of the scam page.”

The website element that appears to be a dialogue box. (Source: TechNet)

This particular element waits until the user clicks anywhere on the screen, at which point it switches the browser into full-screen mode and loads what appears to be a Microsoft support page, complete with an address bar showing the domain “support.microsoft.com” and a green HTTPS indicator to further lure users.

Just like before, a website element accomplishes this trick: the address bar is drawn by the page, not by the browser. Exiting full screen reveals the truth.

The support scam website outside full screen. (Source: TechNet)

Users can protect themselves against this scam by looking out for unexpected full-screen alerts displayed by their browsers. If they come across one of these notifications, they should exit out of full-screen mode. At the same time, users should pay attention to a site’s domain before they click anything on a web page. In the event the domain appears suspicious, they should close out the tab and scan their computers for malware.

 

via:  tripwire

Infected by Filecode Ransomware? Use This Method to Decrypt Your Files!

Users affected by Filecode ransomware can now decrypt their files for free by employing a procedure developed by security researchers.

On 22 February, the security community first learned about Filecode. It’s a form of ransomware that specifically targets Mac users. Filecode introduces itself to a potential victim by masquerading as pirated software, including patchers for Adobe Premiere Pro and Microsoft Office for Mac. When users run those programs, the ransomware encrypts their files and ultimately displays a ransom note demanding 0.25 Bitcoin (approximately 300 USD) in exchange for the decryption key.

There’s just one problem: Filecode lacks code that allows it to communicate with its command and control (C&C) server. This means the ransomware can’t retrieve the key it used to encrypt a user’s files and send it over to the victim if they pay the ransom. As with many ransomware infections, paying the ransom in this case therefore nets a user a lighter wallet and nothing more.

But there’s hope for Filecode victims yet!

Thomas Reed, director of Mac offerings at Malwarebytes, has developed a procedure with the help of Jérôme Segura and @TheWack0lian that lets users decrypt their files for free. To use the method, victims need five things:

  1. A working computer.
  2. A good text editor like Xcode or TextWrangler.
  3. The command line tools for Xcode.
  4. The source code for pkcrack, a zip password recovery tool.
  5. An encrypted file and its non-encrypted counterpart. (Users can hopefully obtain the latter from an external device or an email attachment. If not, they can in some cases use the Filecode’s Info.plist file if the ransomware ran in Downloads and as a result encrypted itself.)

The procedure, which is described in full here, requires that a user compile pkcrack. This process first necessitates using the text editor and Xcode’s command line tools to modify a number of pkcrack’s files so that it will compile on macOS. Once the tool successfully compiles, it will yield a series of binaries that the victim can use to extract both the encrypted and non-encrypted files before running pkcrack on the pair.

Here’s an example of what this process looks like.

Reed explains what happens next in a blog post:

“At this point, pkcrack is trying to find the passcode for the encrypted file, but that will not succeed due to the length of the passcode used by the malware. You can force it to cancel and quit by pressing control-C.

“Fortunately, you don’t need the passcode… the three keys it found can be used to decrypt all the other decrypted files. Make a note of those three keys, labeled key0, key1, and key2.”

Users can employ the zipdecrypt binary to decrypt a file using the three keys as well as the encrypted file and its non-encrypted counterpart. They can then employ this same command with other encrypted files. It’ll take a bit of time, but as Reed notes, it does give users time to think about implementing a robust data backup strategy and ransomware prevention strategies in the future.
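Why the three keys are enough, shown as an added illustration rather than Reed’s procedure or pkcrack’s code: the traditional ZIP cipher’s entire state is the triple (key0, key1, key2), so whoever holds it can decrypt an entry without ever learning the password. The password, header and file contents below are constructed sample values, and pkcrack’s key-recovery step itself is not reproduced.

```python
# Traditional PKWARE ZIP stream cipher ("ZipCrypto", ZIP APPNOTE section 6.1),
# implemented here to show that (key0, key1, key2) is a full substitute for the
# password. All sample values below are constructed for this illustration.


def _make_crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_crc_table()


def _crc32_step(crc, byte):
    # One byte of the un-inverted CRC-32 update used by the ZipCrypto key schedule.
    return (crc >> 8) ^ CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCrypto:
    """Keystream generator whose entire state is (key0, key1, key2)."""

    def __init__(self, password=None, keys=None):
        self.key0, self.key1, self.key2 = 0x12345678, 0x23456789, 0x34567890
        if password is not None:
            for b in password:          # the password only ever touches the keys...
                self._update(b)
        if keys is not None:            # ...so the keys alone reproduce its effect
            self.key0, self.key1, self.key2 = keys

    def keys(self):
        return (self.key0, self.key1, self.key2)

    def _update(self, plain_byte):
        self.key0 = _crc32_step(self.key0, plain_byte)
        self.key1 = (self.key1 + (self.key0 & 0xFF)) & 0xFFFFFFFF
        self.key1 = (self.key1 * 134775813 + 1) & 0xFFFFFFFF
        self.key2 = _crc32_step(self.key2, self.key1 >> 24)

    def _keystream_byte(self):
        t = (self.key2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            out.append(p ^ self._keystream_byte())
            self._update(p)             # the state advances on plaintext bytes
        return bytes(out)

    def decrypt(self, ciphertext):
        out = bytearray()
        for c in ciphertext:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, header12, data):
    """Encrypt a ZIP entry body: 12-byte random header followed by the file data."""
    return ZipCrypto(password=password).encrypt(header12 + data)


def decrypt_entry_with_keys(keys, encrypted_entry):
    """Recover file data from the three keys, never seeing the password."""
    return ZipCrypto(keys=keys).decrypt(encrypted_entry)[12:]


def demo():
    password = b"constructed-25-char-pass!"   # stand-in for the malware's random key
    header = bytes(range(12))                 # stand-in for the random 12-byte header
    plain = b"Quarterly report draft, do not distribute"
    encrypted = encrypt_entry(password, header, plain)
    # pkcrack derives exactly this triple from one plaintext/ciphertext pair;
    # here we simply read it off a cipher initialised with the password.
    keys = ZipCrypto(password=password).keys()
    recovered = decrypt_entry_with_keys(keys, encrypted)
    wrong = decrypt_entry_with_keys((keys[0], keys[1], keys[2] ^ 0xDEADBEEF), encrypted)
    return recovered == plain, wrong != plain, encrypted != header + plain


if __name__ == "__main__":
    print(demo())
```

The same keys work for every file the malware encrypted with that password, which is why one known plaintext/ciphertext pair unlocks the rest.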

 

via:  tripwire

Destructive Mac ransomware spread as cracks to pirate commercial software

In their ever-increasing aggressiveness to wring even more money out of victims, it’s perhaps no surprise to see some online extortionists creating ransomware targeted against affluent Mac users.

The latest example of Mac ransomware, OSX/Filecoder.E, has been discovered by malware analysts at ESET after it was distributed via BitTorrent distribution sites as cracks to pirate software.

Examples found by the researchers included patchers for Adobe Premiere Pro and Microsoft Office for Mac.

Malicious apps disguised as commercial program cracks

When the malicious apps, coded in Swift, are executed, a somewhat peculiar transparent dialog is displayed inviting the user to click a “Start” button to (allegedly) begin the process of cracking the commercial software.

Of course, the malware is not doing what it claims at all.

Instead, it is encrypting files on the user’s hard drive and mounted external and network drives using, for its key, a random 25-character string. At the same time, the Filecoder ransomware is dropping a README!.txt file in the victims’ directories, with instructions on how a 0.25 Bitcoin payment (approximately US $280) should be made for the safe recovery of their data.

The message advises that users should leave their computer connected to the internet for 24 hours to ensure that decryption takes place after the ransom has been paid. For those victims who are feeling impatient they can choose a ten minute fast-track option, claims the message, by paying 0.45 BTC (approximately US $510).

ESET’s research team, however, believes that there is no point in paying the ransom as the files can not be decrypted:

There is one big problem with this ransomware: it doesn’t have any code to communicate with any C&C server. This means that there is no way the key that was used to encrypt the files can be sent to the malware operators.

This also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in this case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom when hit by ransomware.

All of which means that I hope you took sensible precautions to back up your data before having your Mac hit by this ransomware. If ransomware isn’t enough of a reason to convince you to make regular secure backups (and it should be) then consider the danger of hard drives failing, the ease with which you might accidentally erase important files, or the risk that your computer is stolen or lost.

Oh, and it should go without saying, that if you’re downloading cracks to pirate commercial software don’t be surprised if you get stung by an online criminal using that disguise as a means to spread their malware.

 

via:  tripwire

Cyber Risk Reduction is All About the Business

During the past year, you may have noticed a shift in the way IT and security professionals talk about cyber security.

Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk.

The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem, aligned with or, in many cases, surpassing other operational risks on enterprises’ priority lists. According to a recent board report, 89 percent of board members say they are very involved in making cyber risk decisions, the majority ranking cyber risk as the highest priority.

A shift in mindset is just the start. Actually executing your strategies and tactics based on risk is a whole different story. To really understand risk, enterprises need to start by identifying their most valued applications and the potential business impact if their confidentiality, integrity or availability (CIA) were compromised. From there, there are a couple of different approaches.

Early efforts at calculating a risk-adjusted dollar amount to which the business is exposed, also known as “Value At Risk,” were based on traditional financial and operational risk models. They required experts to work with the cyber and business teams to try to guesstimate the probabilities of particular events and their ability to compromise each application’s CIA. One obstacle to that approach is that there is far too little historical data on which to base such guesstimates with any accuracy. The other challenges are that even if you were able to guesstimate probabilities accurately, the result is only a single point in time, and it is difficult to drill down to a level of detail that can drive daily decisions and actions beyond generally focusing protection on those applications with the greatest theoretical risk.

A more feasible and actionable approach that is evolving is to use the aforementioned asset data and loss impact information in concert with your existing threat and vulnerability data to understand the potential for compromise and prioritize your activities accordingly. This approach uses actual events occurring within the organization, together with external threat intelligence data, to measure the potential for compromise and estimate the loss impacts that can result from those exposures. The benefit of this approach is that it is based on actual conditions “on the ground” and can be aggregated or decomposed to drive prioritization decisions from the front-line responders all the way up to the board of directors.

How can an Application Value At Risk be used?

Most enterprise security teams do a good job identifying threats and vulnerabilities; if anything, too good a job. Security teams are flooded with countless threat alerts and vulnerabilities identified daily. With all that data, prioritizing remediation efforts is the real challenge. The answer is to understand which remediation actions will result in the greatest reduction in value at risk. By understanding the relationship between remediation actions and results, enterprises can drive a more focused and transparent cyber risk management program, where stakeholders can be held accountable in a measurable way for their actions or lack thereof.

Mapping potential financial loss value to security exposures also enables better decision making by the board. As security has transitioned into a risk management issue, a communication gap between security leaders and boards of directors has also emerged. Whereas security leaders are accustomed to speaking the language of technology, board members speak the language of risk. However, if security leaders can walk into a boardroom with actual value-at-risk metrics that show how much money the enterprise could have lost if a vulnerability had not been patched, and how much the security team reduced that value at risk by taking action, both parties would be speaking the same language. Boards understand financial impact and can make better decisions if they know the potential dollar amount at stake.

In many other parts of the enterprise, risk management methods that use financial impact metrics to drive decision-making have been business as usual since time immemorial. As the industry shifts to a risk-based approach, we will be able to change the conversation from trying to remediate every threat and vulnerability in an effort to protect every application on equal terms, to deciding which actions best minimize the impact of cyber risks on the business.

 

via:  securityweek

MySQL Databases Targeted in New Ransom Attacks

Thousands of MySQL databases are potential victims of a ransom attack that appears to be an evolution of the MongoDB ransack campaign observed a couple of months ago, GuardiCore warns.

As part of the attack, unknown actors brute-force poorly secured MySQL servers, enumerate existing databases and their tables, steal them, and create a new table instructing owners to pay a 0.2 Bitcoin (around $200) ransom. Paying, the attackers claim, would give owners back access to their data, but that’s not entirely true, as some databases are deleted without being stolen.

A similar attack came to light in early January, when Victor Gevers, co-founder of GDI Foundation, revealed that thousands of unsecured MongoDB databases were being hijacked, with actors demanding 0.2 Bitcoin for the stolen data. Soon after, other threat actors began hijacking insecure databases, and over 30,000 MongoDB instances fell to the attackers.

With an estimated 35,000 instances exposed to the public Internet, Elasticsearch clusters became targets as well, only to be followed by Hadoop and CouchDB databases within days. Attackers were observed overwriting each other’s ransom notes on the targeted databases, and were no longer copying the original data, but simply deleting it. Victims couldn’t retrieve their data even if they paid the ransom.

Now, MySQL databases are under fire: using online tools, actors search for servers secured with very weak passwords, brute force them to gain access, then replace the databases with their own table containing a ransom note. In some instances, they simply delete the databases without dumping them first, leaving victims with no means to recover the data.

According to the security firm, hundreds of attacks were observed during a 30-hour window starting at midnight on February 12. All attacks were traced to the same IP (109.236.88.20), hosted by worldstream.nl, a Netherlands-based web hosting company, which was notified of the issue a couple of days later. The researchers believe the attackers were using a compromised mail server that also serves as an HTTP(S) and FTP server.

Responding to an email inquiry, Ofri Ziv, Research Leader at GuardiCore, told SecurityWeek that the attacks were spread all around the world and didn’t appear to be targeting specific databases. He couldn’t provide an exact estimation of affected databases, but said “we do know of thousands of MySQL servers facing the Internet with weak passwords that are prone to attacks.”

The attacks are strikingly similar to the MongoDB ones, starting with the fact that the attackers drop ransom notes named WARNING and PLEASE_READ. However, Ziv says there’s no way to tell for sure whether the same attackers have now switched to MySQL servers. “But even if it’s not the case, they were definitely inspired by them,” he told SecurityWeek.

The Bitcoin addresses in the ransom notes show signs of activity, but GuardiCore says that isn’t proof that victims actually paid the ransom. The transactions might have been staged by the actors themselves, in an attempt to encourage victims to pay the ransom.

“Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration,” GuardiCore notes in a blog post.

The security firm notes that every MySQL server facing the Internet is prone to this attack, and advises administrators to ensure their instances are properly secured using strong passwords and mandatory authentication. Further, admins should minimize Internet-facing services, especially those containing sensitive information.

“Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This way your security team could easily alert on new services being accessed from the internet and enforce a policy which fits those servers (e.g. firewall, data restrictions, etc.). Periodic data backup could allow you to restore most of your valuable data without the need to interact with the attacker and provide you with a backup plan should a similar attack occur,” GuardiCore also notes.
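Detection logic for the brute-force phase described in this article, as an added example that is not GuardiCore’s tooling: it walks MySQL 5.7-style “Access denied” error-log lines (constructed here, with a documentation address standing in for the attacker) and raises one alert per source host that reaches a failure threshold inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed MySQL 5.7-style error log (timestamp, thread id, label, message).
# 203.0.113.20 is a documentation address standing in for an attacker; 10.0.0.7
# is an internal host with a single mistyped password.
SAMPLE_ERROR_LOG = """\
2017-02-12T00:00:01.000000Z 31 [Note] Access denied for user 'root'@'203.0.113.20' (using password: YES)
2017-02-12T00:00:03.000000Z 32 [Note] Access denied for user 'root'@'203.0.113.20' (using password: YES)
2017-02-12T00:00:05.000000Z 33 [Note] Access denied for user 'admin'@'203.0.113.20' (using password: YES)
2017-02-12T00:00:08.000000Z 34 [Note] Access denied for user 'root'@'203.0.113.20' (using password: YES)
2017-02-12T00:00:10.000000Z 35 [Note] Access denied for user 'mysql'@'203.0.113.20' (using password: YES)
2017-02-12T00:00:12.000000Z 36 [Note] Access denied for user 'root'@'203.0.113.20' (using password: YES)
2017-02-12T00:00:30.000000Z 37 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
2017-02-12T00:00:31.000000Z 37 [Note] Got an error reading communication packets
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\S+) \d+ \[\w+\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(log_text):
    """Extract (timestamp, user, source host) from 'Access denied' lines only."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m["user"], m["host"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of denials per source host. Returns one alert per host
    the first time it reaches `threshold` failures within `window_seconds`,
    with the user names it tried so far (guessing several accounts is itself
    a strong signal compared with one user mistyping a password)."""
    recent = defaultdict(deque)
    users_tried = defaultdict(set)
    alerts = {}
    for ts, user, host in sorted(events):
        window = recent[host]
        window.append(ts)
        users_tried[host].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and host not in alerts:
            alerts[host] = {
                "attempts": len(window),
                "users": sorted(users_tried[host]),
                "first_seen": window[0],
                "triggered_at": ts,
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(parse_denials(SAMPLE_ERROR_LOG)).items():
        print(f"{host}: {info['attempts']} failed logins as {info['users']} "
              f"between {info['first_seen']} and {info['triggered_at']}")
```

An alert on a host outside your own address space is the cue to apply the firewall or access-restriction policy the advisory describes; a single denial from an internal host, as with 10.0.0.7 above, stays below the threshold.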

 

via:  securityweek

Rapid7 Adds Hardware Testing Capabilities to Metasploit

Rapid7 has added a hardware bridge to its Metasploit penetration testing framework, making it easier for users to analyze Internet of Things (IoT) devices. The company said this enhancement makes Metasploit the first general purpose pentesting tool.

Metasploit has allowed researchers to conduct security assessments using Ethernet communications, but now they will also be able to link the tool directly to the hardware via raw wireless and direct hardware manipulation.

Up until now, the framework could be used for hardware testing by creating custom tools for interaction with the targeted product, which Rapid7 says is a time-consuming and resource-intensive process. The new capability allows users to focus on a more important task: developing exploits.

The first release of the hardware bridge focuses on automotive systems, particularly the Controller Area Network (CAN) bus, but the company plans on adding modules for other types of systems in the upcoming period.

According to Rapid7, pentesters can now use Metasploit to analyze industrial control systems (ICS), IoT hardware and software, and software defined radio (SDR). The company believes the new capability makes Metasploit an ideal tool for conducting hardware-based network research.

“Every wave of connected devices – regardless of whether you’re talking about cars or refrigerators – blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” said Craig Smith, director of transportation research at Rapid7 and developer of the new capability. “We’re working to give security professionals the resources they need to test and ensure the safety of their products — no matter what side of the virtual divide they’re on.”

Metasploit already has more than 1,600 exploits and 3,300 modules, and new components are being developed regularly with the aid of hundreds of contributors. According to the Metasploit Project, 190 people made contributions to the framework last year.

 

via:  securityweek