Exploiting the Firewall Beachhead: A History of Backdoors Into Critical Infrastructure

Sitting at the edge of the network and rarely configured or monitored for active compromise, the firewall today is a vulnerable target for persistent and targeted attacks.

There is no network security technology more ubiquitous than the firewall. With nearly three decades of deployment history and a growing number of corporate and industrial compliance regimes mandating its use, any breached corporation found without one can expect to be hanged, drawn and quartered by shareholders and industry experts alike, however irrelevant you may think a firewall is to preventing today's spectrum of cyber threats.

With the majority of north-south traffic crossing the ports associated with HTTP and HTTPS (TCP 80 and 443), corporate firewalls are typically relegated to noise suppression: filtering or dropping the services and protocols that business operations do not need.

From a hacker's perspective, with most targeted systems providing HTTP or HTTPS services, firewalls have rarely been a hindrance to breaching a network and siphoning data.

What many people fail to realize is that the firewall is itself a target of particular interest — especially to sophisticated adversaries. Sitting at the very edge of the network and rarely configured or monitored for active compromise, the firewall represents a safe and valuable beachhead for persistent and targeted attacks.

The prospect of a persistent backdoor in a device through which all network traffic passes is of immense value to an adversary, and to foreign intelligence agencies in particular. Every side in World War I sent teams into the trenches to find enemy telegraph lines and splice in eavesdropping equipment; in the mid-1950s the U.K. and U.S. intelligence services dug a tunnel under the Berlin sector border to tap telephone lines in East Berlin. Today's communications traverse the Internet, which makes the firewall the natural junction for interception and eavesdropping.

The physical firewall has long been a target for compromise, particularly for embedded backdoors. Two decades ago a U.S. Army memo circulated warning that the NSA had uncovered backdoors in Check Point's firewall product and advising that it be removed from all DoD networks. In January 2016 an undocumented SSH login was disclosed in FortiOS, the operating system of Fortinet's firewalls, in builds dating back to 2012; Fortinet described it as a management authentication issue rather than a deliberate backdoor. In 2012 the U.S. House Intelligence Committee recommended that government agencies and U.S. companies avoid equipment from the Chinese network vendor Huawei over concerns about backdoor access. And in December 2015 Juniper alerted customers to unauthorized code in ScreenOS, the operating system of its NetScreen firewalls, dating back to 2012, which enabled both unauthorized administrative access and decryption of VPN traffic.

Where a state cannot place a backdoor through the vendor's front door, it has reportedly paid to have weaknesses introduced upstream so that products can be exploited later. In 2010 a former contractor alleged that the FBI had paid OpenBSD developers around 2001 to backdoor the project's IPsec stack; the code audit that followed found nothing to substantiate the claim. Better documented is the 2013 Reuters report that the NSA paid RSA $10 million, in a deal dating to 2004, to make the flawed Dual_EC_DRBG pseudo-random number generator the default in its BSAFE cryptographic toolkit.

If those vectors were not enough, the Snowden documents of 2013 and the Shadow Brokers dump of 2016 show that government agencies have a long record of exploiting vulnerabilities in, and building backdoor toolkits for, the firewall products of the major infrastructure vendors. The NSA Tailored Access Operations (TAO) ANT catalogue, dated 2008 and published by Der Spiegel in 2013, lists persistent implants for Cisco PIX and ASA firewalls (JETPLOW), Juniper NetScreen and SSG 500 series firewalls (FEEDTROUGH and SOUFFLETROUGH) and Huawei Eudemon firewalls (HALLUXWATER); the Shadow Brokers material added working exploits such as EXTRABACON for Cisco ASA alongside tooling aimed at Fortinet and Juniper devices.

Last but not least, there are the backdoors designed to aid law enforcement, the "lawful intercept" functions, which can be turned against their owners, as in the Greek wiretapping case of 2004-2005, when a national carrier's interception capability was taken over by an unidentified intruder.

As you can see, there is a long history of backdoors and threats aimed specifically at the firewall technologies that corporate networks deploy as their first line of defense. So is it any surprise that, as defense-in-depth strengthens and newer technologies keep a closer eye on threats operating inside the network, the firewall becomes both a more valuable and a softer target for compromise?

Firewalls are notoriously difficult to protect. We expect them to blunt every attacker's efforts while assuming, wrongly, that they are not themselves vulnerable to compromise. And as we move into the cloud, we are arguably more exposed than ever to backdoors in, and exploitation of, vulnerable firewall technologies.

Whether tasked with protecting the perimeter or operations within the cloud, organizations need increased vigilance when monitoring their firewalls for compromise and backdoors. As a security professional, you should ensure you have a defensible answer for "How would you detect the operation of a backdoor within your firewall?"
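One concrete way to start answering that question, as an added example that is not code from the article or from Vectra: a small Python detector run over constructed firewall logs. It flags two symptoms that a backdoored or hijacked firewall tends to produce, namely successful administrative logins from outside the management network, and connections the firewall itself originates to destinations that are not on its known-good egress list (a persistent implant needs a command-and-control channel, and a firewall has very few legitimate reasons to open outbound sessions). The addresses, log formats and allow-list below are assumptions for the example, not any vendor's real output.

```python
"""
Added example (not from the original article): a detector for two signs of a
backdoored or hijacked firewall, run over constructed sample logs.

Signal 1: a successful admin login to the firewall from outside the management
          network (a backdoor is a login path that bypasses the intended
          management plane).
Signal 2: a connection the firewall itself initiates to a destination that is
          not on its known-good list (update, syslog, NTP, DNS).
All IPs, hostnames and log formats are assumptions.
"""
import ipaddress
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind line detail")

# Assumed environment (hypothetical values).
MGMT_NET = ipaddress.ip_network("10.0.99.0/24")      # where administrators sit
FIREWALL_IP = ipaddress.ip_address("203.0.113.1")    # the firewall's own address
ALLOWED_EGRESS = {                                   # what the firewall may talk to
    ("198.51.100.10", 443),   # vendor update server (assumed)
    ("10.0.99.5", 514),       # central syslog (assumed)
    ("10.0.99.5", 123),       # NTP (assumed)
    ("10.0.99.6", 53),        # DNS (assumed)
}

# Constructed syslog-style admin-login line format (not real vendor output).
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) fw admin-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)
# Constructed flow-record format: "ts flow proto src:port -> dst:port bytes".
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow (?P<proto>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)


def check_login(line):
    """Flag a successful admin login whose source is outside MGMT_NET."""
    m = LOGIN_RE.match(line)
    if not m or m["result"] != "success":
        return None
    src = ipaddress.ip_address(m["src"])
    if src not in MGMT_NET:
        return Finding("admin-login-outside-mgmt", line,
                       f"user={m['user']} from {src} via {m['method']}")
    return None


def check_flow(line):
    """Flag a flow the firewall itself originates to a non-allow-listed dst:port."""
    m = FLOW_RE.match(line)
    if not m or ipaddress.ip_address(m["src"]) != FIREWALL_IP:
        return None  # only flows sourced from the firewall matter here
    key = (m["dst"], int(m["dport"]))
    if key not in ALLOWED_EGRESS:
        return Finding("firewall-initiated-egress", line,
                       f"{m['proto']} to {m['dst']}:{m['dport']} ({m['bytes']} bytes)")
    return None


def scan(lines):
    """Run both checks over an iterable of log lines; return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        for check in (check_login, check_flow):
            f = check(line)
            if f:
                findings.append(f)
    return findings


# Constructed sample input: three benign events and two suspicious ones.
SAMPLE_LOG = """\
2016-10-03T02:14:07Z fw admin-login user=netops src=10.0.99.21 method=ssh result=success
2016-10-03T02:15:40Z fw admin-login user=netops src=10.0.99.21 method=https result=failure
2016-10-03T02:31:09Z fw admin-login user=admin src=192.0.2.77 method=ssh result=success
2016-10-03T02:32:00Z flow tcp 203.0.113.1:51022 -> 198.51.100.10:443 18422
2016-10-03T02:33:15Z flow tcp 203.0.113.1:51023 -> 192.0.2.77:8443 512
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On the constructed sample the third and fifth lines are reported: an administrative login from an address outside the management subnet, followed by the firewall opening a session to that same outside address. The two inputs that make this work, a tight management subnet and an explicit egress allow-list for the firewall's own address, are also the two things most organizations never write down; a firmware hash and configuration export compared against the vendor's known-good values rounds out the answer.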

Written by Gunter Ollmann, Chief Security Officer at Vectra



Posted in circleid

Security Firm Denies Yahoo Hackers State-Sponsored Group


An information-security firm says the hackers who stole at least 500 million records from Yahoo Inc. two years ago are criminals who are selling access to the database, and not a state-sponsored group as Yahoo contends. The firm, InfoArmor Inc., appears to have access to portions of the Yahoo database.


Posted in gigalaw

Some Chinese Hackers Pursue Local, Not International, Targets


The typical image of Chinese hackers is of operatives working for or with the tacit approval of the government, targeting valuable or sensitive data at foreign companies or government agencies. While there are plenty of those, many in China — like hackers elsewhere — also target the laptop of their ex-boss or the smartphone of the guy in front of them at the coffee shop.


Posted in gigalaw

Facebook Disables, Restores Accounts for Palestinian Journalists


Facebook disabled several prominent Palestinian journalists’ accounts, following user reports that they were violating Facebook standards. Facebook later reinstated their accounts, blaming their removal on an error: “The pages were removed in error and restored as soon as we were able to investigate,” a Facebook spokesperson said, using an excuse that didn’t need dusting off, since Facebook has offered variations of it at least four times in the past six months.


Posted in gigalaw

Syrian Electronic Army Hacker Pleads Guilty in U.S. Court


A computer hacker sympathetic to Syrian President Bashar al-Assad’s government pleaded guilty for his role as a middleman in an extortion scheme targeting U.S. media outlets and governments, the U.S. Department of Justice said. It said in a statement that Peter Romar, 37, was a member of the Syrian Electronic Army hacking group and had joined an operation to infiltrate computers of Assad’s “perceived detractors” in the media, U.S. government and other governments.


Posted in gigalaw