Cybersecurity, Cybercrime and more
Baltic Sea Parliamentary Conference (BSPC), Greifswald 2024
Prof. Dr.-Ing. Andreas Noack

Outline: Introduction, Cybercrime, Current Incidents, Conclusion, References

Who am I?
Prof. Dr.-Ing. Andreas Noack
Vita
- Born 1982, married with 3 children
- Applied Computer Sciences (B.Sc.)
- IT Security (M.Sc. and PhD)
- Since 2011 Professor for Communication Networks and IT Security at University of Applied Sciences Stralsund
Misc: Founder and Head of Stralsunder IT-Sicherheitskonferenz (since 2012), Head of Institute for Secure Mobile Communication (ISMK), Book author (2x), Digitization ambassador of Mecklenburg-Vorpommern, Judo trainer

How important is Cybersecurity?
"Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025 [...] more profitable than the global trade of all major illegal drugs combined."
– Steve Morgan (Cybercrime Magazine) [12], November 2020
Surprised?
You should not be, because it has been like that since at least 2004! [6]

... and how companies are dealing with it.
+ Companies begin to invest more in cybersecurity.
Many companies (42% in Germany) spend 10-20% of their IT budget on security [11].
– However, cybersecurity budget growth is less than cybercrime cost growth (15%).
Image: Techtarget.com [1], November 2023

Who is the attacker?

Attacker                     | Main Interests             | Quality | Main Targets
Secret Services              | Espionage, Influence       |         | Gov/Bus
Terrorists                   | Terrorism, Funding         |         | Everything
Organized Crime              | Financial Gain             |         | Bus
(Political) Hacker Groups    | Fame, Political Statements |         | Gov
Individuals / Script Kiddies | Fame, Fun                  |         | Gov/Bus

Gov = Government, Bus = Business
Note: The individual quality may vary. There are even more subtle hacker distinctions in the literature, see e.g. [10].

Cyber Kill Chain (CKC) and collaboration of hackers
Image: Lockheed Martin [8, 7]
- Professional hackers like secret services and organized crime have professional workflows/processes!
- They use undiscovered exploits (zero days).
- Systems can be infected for several years before capitalization (APT).
- Division of labor: Usually several hackers/hacker groups are involved in one attack!
- With Cybercrime-as-a-Service (CaaS) there is even a black market for selling/buying hacks, malware and more.
Some numbers and connections
Linux is widely used on the internet [13]:
- 96.3% of the top million web servers run Linux
- Linux runs 90% of the cloud
Most Linux servers provide a remote maintenance system that allows secure access via the internet: OpenSSH (Secure Shell). Source: https://www.openssh.com/
The following malicious backdoor was mounted in XZ Utils, a library used by systemd, which is responsible for launching OpenSSH on many systems.
The disaster that almost happened: XZ Utils
Major Supply Chain Attack discovered by Microsoft Engineer Andres Freund
Freund discovered a major supply chain attack on XZ Utils on 29 March 2024.
XZ Utils --used by--> systemd --launches--> OpenSSH
A hidden backdoor was injected into the downloadable artifacts of XZ Utils that takes over OpenSSH (remote control of Linux systems)!
The vulnerability reference tag CVE-2024-3094 was assigned [2][4][5].
Some background information on XZ Utils
- An open source file compression library (like ZIP), used by many other projects (e.g. systemd)
- Has been maintained by single developer Lasse Collin in his spare time.
How does the backdoor work technically?
Backdoor protocol according to Weems [3]
Hidden in the N value (then invalid) of a CA signing key:
  a (32 bit) | b (32 bit) | c (64 bit)
  ChaCha20 encrypted with the first 32 bytes of the attacker's ED448 public key:
    attacker's digital ED448 signature (114 byte)
    unused? (14 bit) | x (1 bit) | y (1 bit)
    unknown (8 bit) | unknown (8 bit)
    command executed on victim (ends with \x00 byte)
    unknown (8 bit)
Crypto handling on infected system
Do the following only if a fake CA key is detected (a⋅b+c ≤ 3):
- Hidden content is decrypted and the attacker's digital signature is verified.
- If successful, the malicious command is executed with root/admin rights!
What does that mean?
- Only one attacker (owner of the ED448 secret key) is able to use the backdoor.
- Backdoor happens in the authentication phase → no traces are left on the victim.
- Full control over the victim (root/admin rights)!
How could that attack happen?
A major social engineering campaign over three years!
- Target: Lasse Collin, single developer of XZ Utils
- Pseudonym Jia Tan (JiaT75) was registered in 2021
- Jia Tan contributed several minor fixes
- Jia Tan, supported by several unknown accounts, put pressure on Lasse Collin to take control of the repository
- The backdoor was hidden in unsuspicious tests and given to Linux distributors
Image by Thomas Roccia on X [14]
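The trigger condition from the backdoor protocol slide (a⋅b+c ≤ 3 computed over the first 16 bytes of the certificate's N value) written out as a small detection helper, the kind of check a honeypot or an audit script for offered SSH certificates would run. This is an added example, not code from the talk or from xzbot [3]; the little-endian field order and the 64-bit wrap-around are assumptions, and the sample moduli are constructed test vectors, not real keys.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Header of the RSA modulus N as described on the slide:
# a (32 bit) | b (32 bit) | c (64 bit), followed by the ChaCha20-encrypted body.
# Assumption (not stated on the slide): little-endian fields, 64-bit wrap-around.
HEADER = struct.Struct("<IIQ")
MASK64 = (1 << 64) - 1
ED448_SIG_LEN = 114  # signature length given on the slide


@dataclass
class TriggerCheck:
    a: int
    b: int
    c: int
    magic: int          # (a*b + c) mod 2**64
    triggered: bool     # does N look like a backdoor trigger key?
    encrypted_body_len: int


def inspect_modulus(n_bytes: bytes) -> Optional[TriggerCheck]:
    """Parse the header of N and report whether it satisfies the trigger.

    Mirrors the infected host's gate as described on the slide: decryption and
    signature verification only happen when a*b + c <= 3. A normal RSA modulus
    has effectively random leading bytes, so this condition practically never
    holds by accident. Returns None when N is too short to hold the header.
    """
    if len(n_bytes) < HEADER.size:
        return None
    a, b, c = HEADER.unpack_from(n_bytes)
    magic = (a * b + c) & MASK64
    body_len = len(n_bytes) - HEADER.size
    # A hit needs the magic condition and room for at least the Ed448 signature.
    triggered = magic <= 3 and body_len >= ED448_SIG_LEN
    return TriggerCheck(a, b, c, magic, triggered, body_len)


# Constructed sample inputs (not real keys):
# a modulus with arbitrary leading bytes, as any ordinary RSA key has ...
BENIGN_N = bytes.fromhex("c3a7e1f59b2d4c68ff01aa7723de9b1c") + b"\x5a" * 240
# ... and one whose header gives a*b + c = 0*7 + 3 <= 3, with a zeroed body.
SUSPICIOUS_N = HEADER.pack(0, 7, 3) + b"\x00" * 240

if __name__ == "__main__":
    for name, n in (("benign", BENIGN_N), ("suspicious", SUSPICIOUS_N)):
        result = inspect_modulus(n)
        print(name, "TRIGGER" if result.triggered else "ok", result)
```

A certificate flagged this way is already worth an alert on its own: the N value is not a valid RSA modulus, so no legitimate client would ever present it.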
Consequences of the attack
Good news
The attack became known shortly before some major Linux distributors (e.g. Ubuntu 24.04) unknowingly installed the backdoor!
Though, some cutting-edge Linux distributions have been affected for a few days [5]: Fedora Rawhide, Debian Testing+Unstable, openSUSE Tumbleweed, Kali, Arch/Manjaro...
Bad news
There are similar attacks on other projects [9] and probably also some successful attacks that are still unknown.
Conclusion and lessons learned
What can possibly go wrong? (Cybercrime)
- Nowadays, attackers run very sophisticated cyber attacks.
- Attacks can be prepared and carried out over many years.
- Social Engineering is a very (or the most?) powerful attack vector.
What can we do now? (Cybersecurity)
- We need more security awareness (...like this talk)
- Support for Open Source developers is necessary to improve security.
- Consider social engineering in security monitoring tools now!

Thank you for your attention!
Image: Stralsund Old Town

References
[1] Alissa Irei. Cybersecurity budgets lose momentum in uncertain economy. 2023. URL: https://www.techtarget.com/searchsecurity/feature/Cybersecurity-budget-trends
[2] Andreas Proschofsky. Wie die Computerwelt gerade haarscharf an einer Sicherheitskatastrophe vorbeigeschrammt ist. 2024. URL: https://www.derstandard.de/story/3000000213960/wie-die-computerwelt-gerade-haarscharf-an-einer-sicherheitskatastrophe-vorbeigeschrammt-ist
[3] Anthony Weems. amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094). 2024. URL: https://github.com/amlweems/xzbot
[4] Bruce Schneier. Backdoor in XZ Utils That Almost Happened. 2024. URL: https://www.schneier.com/blog/archives/2024/04/backdoor-in-xz-utils-that-almost-happened.html
[5] Bundesamt für Sicherheit in der Informationstechnik (BSI). Kritische Backdoor in XZ für Linux. 2024. URL: https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-223608-1032.pdf
[6] DER SPIEGEL. US-Expertin: Cybercrime macht mehr Geld als Drogenhandel. 2005. URL: https://www.spiegel.de/netzwelt/web/us-expertin-cybercrime-macht-mehr-geld-als-drogenhandel-a-387394.html
[7] Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, et al. "Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains". In: Leading Issues in Information Warfare & Security Research 1.1 (2011), p. 80.
[8] Lockheed Martin. Cyber Kill Chain. 2024. URL: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
[9] Martin Holland. xz-Attacke: Hinweise auf ähnliche Angriffsversuche bei drei JavaScript-Projekten. 2024. URL: https://www.heise.de/news/xz-Attacke-Hinweise-auf-aehnliche-Angriffsversuche-bei-drei-JavaScript-Projekten-9687246.html
[10] Panda Security. 14 Types of Hackers to Watch Out For. 2023. URL: https://www.pandasecurity.com/en/mediacenter/14-types-of-hackers-to-watch-out-for/
[11] Statista Research Department. What is the percentage of the proportion of the IT security budget in relation to the total IT budget in your company? 2023. URL: https://www.statista.com/statistics/1363143/it-security-budget-companies-germany/
[12] Steve Morgan. Cybercrime To Cost The World $10.5 Trillion Annually By 2025. 2020. URL: https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
[13] Steven Vaughan-Nichols. Linux has over 3% of the desktop market? It's more complicated than that. 2023. URL: https://www.zdnet.com/article/linux-has-over-3-of-the-desktop-market-its-more-complicated-than-that/
[14] Thomas Roccia. The level of sophistication of the XZ attack is very impressive! 2024. URL: https://twitter.com/fr0gger_/status/1774342248437813525