Schneier on Security
A blog covering security and security technology.
January 17, 2014
STUCCOMONTANA: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card.
(TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process on the target operating system. The vector of attack is the modification of the target's BIOS. The modification will add the necessary software to the BIOS and modify its software to execute the SIERRAMONTANA implant at the end of its native System Management Mode (SMM) handler.
(TS//SI//REL) STUCCOMONTANA must support all modern versions of JUNOS, which is a version of FreeBSD customized by Juniper. Upon system boot, the JUNOS operating system is modified in memory to run the implant, and provide persistent kernel modifications to support implant execution.
(TS//SI//REL) STUCCOMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper T-Series routers.
Unit Cost: $
Status: (U//FOUO) STUCCOMONTANA is under development and is expected to be released by 30 November 2008.
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
Posted on January 17, 2014 at 2:06 PM
The same MO again:
1. BIOS hack
2. A second implant to make the hack persistent and call home with the data stream.
3. SMM pawned
4. Juniper Edge router with Juno OS
Again, the reboot of the router would seem to be the indication of an infection. Even on Microsquish Servers if there is a reboot a window pops up asking for a reason (a hint to check the system for infection). I would assume other vendors have that function also.
I see a huge opportunity for Anti-Virus vendors to get into BIOS AV products. Also, I have a feeling that someone is playing fast and loose at Juniper. I can only shake my head in disgust.
Here is the awkward non-denial:
“Juniper Networks recently became aware of, and is currently investigating, alleged security compromises of technology products dated from 2008 and made by a number of companies, including Juniper. We take allegations of this nature very seriously and are working actively to address any possible exploit paths. As a company that consistently operates with the highest of ethical standards, we are committed to maintaining the integrity and security of our products. We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps.
“The alleged security compromises included indications of "software implants" and a method for installing malicious code in BIOS. Juniper Networks is not aware of any such BIOS implants in our products and has not assisted anyone in the creation of such implants.
“Juniper maintains a Secure Development Lifecycle, and it is against Juniper policy to intentionally include "backdoors" that would potentially compromise our products or put our customers at risk.
“Juniper will continue to aggressively investigate this report as we do all reports of potential vulnerabilities in our products, and will continue to notify our customers according to our Security Incident Response Team policies.
“In 2008 Juniper published this Advisory related to ScreenOS Firmware Image Authenticity Notification”
Identifying their command-control-and-exfiltration protocol on the network could help find broken firewalls and discourage NSA from accessing the already-broken ones. It could be used by other TAO products, too. There are challenges:
* The protocol might (or might not!) be hard to detect. Connections might use standard ports like HTTP or ping. Imagine checking for incoming connections where hash(remote host, remote port, timestamp, secret)=0x0000, or complicated port-knocking-type setups.
* Even if you recognize the protocol, you probably can't do really interesting things like remove implants remotely, because the actual meaningful content would be encrypted/authenticated.
* Who knows how many or few firewalls are actually broken right now.
* Of those firewalls, who knows how many have a persistence implant (rather than just getting broken anew on reboot).
* Now that this is public, they might've stopped communicating with and/or removed the implant from all or some target routers, to avoid discovery.
Getting a copy of the implant would be a huge win. Looking at BIOSes of routers from major service providers in as low-level a way as possible is about all I can think of.
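An added example (not from the post, the catalog, or any commenter) of the region-by-region comparison that such a low-level look at a router BIOS would start with: hash each region of a dump against a trusted reference and report where the first change sits. The region layout, image size and both sample dumps are constructed for illustration and do not describe any real router firmware.

```python
import hashlib

# Constructed region map (offset, length): an assumption for illustration,
# not the layout of any real router BIOS.
REGIONS = {
    "bootblock":   (0x0000, 0x0400),
    "smm_handler": (0x0400, 0x0800),
    "main_bios":   (0x0C00, 0x1000),
    "nvram":       (0x1C00, 0x0400),
}
VOLATILE = {"nvram"}   # settings storage; legitimately differs between dumps
IMAGE_SIZE = 0x2000

def _region(image, name):
    off, length = REGIONS[name]
    return image[off:off + length]

def region_hashes(image):
    """SHA-256 per region: the manifest an operator records from a trusted dump."""
    return {n: hashlib.sha256(_region(image, n)).hexdigest() for n in REGIONS}

def first_diff(a, b):
    """Offset of the first differing byte within two equal-length regions."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)

def compare_dumps(reference, dump):
    """List regions whose hash changed, with the offset where the change starts."""
    report = {"size_mismatch": len(reference) != len(dump), "modified": [], "volatile_changed": []}
    if report["size_mismatch"]:
        return report   # different image sizes: inspect manually before trusting hashes
    ref_h, dump_h = region_hashes(reference), region_hashes(dump)
    for name, (off, _) in REGIONS.items():
        if ref_h[name] == dump_h[name]:
            continue
        where = off + first_diff(_region(reference, name), _region(dump, name))
        key = "volatile_changed" if name in VOLATILE else "modified"
        report[key].append((name, hex(where)))
    return report

# Constructed sample dumps: a deterministic "known good" image and a copy with
# bytes patched in near the end of the SMM handler region (the location the
# catalog entry names) plus an ordinary NVRAM settings change.
REFERENCE = bytes((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
_tampered = bytearray(REFERENCE)
_tampered[0x0B00:0x0B10] = b"\xEE" * 16   # inside smm_handler
_tampered[0x1C10] ^= 0x01                 # single NVRAM byte flip
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print(compare_dumps(REFERENCE, TAMPERED))
```

The dump has to come from the flash chip through an external reader: firmware that is already modified can hand a clean-looking image to any software running on top of it.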
I'd almost bet that the NSA's key hardened strategic targets--the governments/militaries who are not close US allies--have known the general shape of this for a long time. If Congress was right to be skeptical about Huawei equipment, then they might well have learned it by watching what we did to them. Allies + US citizens, on the other hand, only find out now.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.