Where does this term Backdoors come from?

A lot of cyber security terminology uses common terms that relate to the real-world. In the real-world, a backdoor is usually the door of a house or building that is around the side or the back. This door cannot seen from the front of the building.

In cyber security terminology?

In cyber security terms a backdoor is a way in that is unseen, into an appliance or device or to a network.

Back in #WeekendWisdom number 61, I talked about a backdoor to a set of firewalls. This was where the manufacturer had put in place a hardcoded password. This password enabled them to be able to sign into those firewalls through the backdoor.

What way can hackers use Backdoors?

But hackers tend to use a bit more sophisticated methods to establish their backdoors. If they break into your network they usually want to try and keep their access on there. So they will usually install some program, some piece of software on one of the devices on the network to establish what we call a persistent connection, where they can just keep coming back.

That’s just a piece of software that opens up a backdoor. Sets up a communication with the outside world that the hacker controls and that they can use to come back in and continue doing whatever they want to do on your network.

So that’s what a backdoor is in cyber security terms.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 075 Backdoors appeared first on L2 Cyber Security Solutions Ltd..

What is this Zyxel Backdoor you are talking about?

Just after Christmas, Zyxel networks revealed that some of their firewalls and Wi-Fi access point controllers had been discovered to have a hard-coded user ID and password which would enable anybody who could connect to that device, to be able to sign into it and take control of it.

Now because it’s a hard coded user ID and password, it’s not possible to change that on the device itself. So since then Zyxel has released some updates for their firmware, for those devices. Here is the link to their website, so you can go and find out if you have a device that is affected.

https://www.zyxel.com/support/CVE-2020-29583.shtml

I’m not sure whether I have one of those?

But this then begs the question. Do you know if you have a Zyxel device on your network?

If you remember waaaaay back in #WeekendWisdom number 1, I talked about needing to have an inventory of all of your hardware so that you could quickly go and find, if you hear a report like this, you say “Do I have Zyxel equipment?” … check the inventory … and then if you do have it, you know you have to take action.

So it’s really important to know what devices you have connected to your network.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 061 Zyxel Backdoor appeared first on L2 Cyber Security Solutions Ltd..

Actually Avast was not the company that had been breached. It was a company called Piriform, who were the original creators of CCleaner. Avast bought Piriform in July 2017, but Piriform were already compromised at that time. I’ll take you through the timeline, explain what a backdoor is and what you should do if you were affected.

Update – 21st September 2017:

Cisco have been continuing to analyse what went on and have discovered that this backdoor may have been used to target specifically named Corporations, namely Intel, Microsoft, Samsung, Sony, HTC, VMWare, Linksys, Cisco, Vodafone and more. They analysed the controlling server which law enforcement shut down and found that at least 20 machines had some malicious software downloaded to them (what they refer to as “Stage 2 Payloads”). This number could possibly rise, as this is an active investigation.

While this appears to be a targeted attack, I would still urge extreme caution. If you used the compromised version of CCleaner, please do follow the suggestions below, which will mitigate any risk of compromise.

The remainder of this article below remains as originally posted.

Timeline of events:

• First week in July: It would seem this was when hackers compromised Piriform’s development systems.
• July 18: Avast buys Piriform, the company that created CCleaner.
• August 15: CCleaner version 5.33 is released. The CCleaner 5.33.6162 installer includes the backdoor, but this only works on 32-bit systems.
• August 24: CCleaner Cloud version 1.07.3191 is released and this also includes the backdoor.
• September 12: A company called Morphisec had detected some unusual activity around CCleaner 5.33 and so they notified Avast and also Cisco. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
• September 14: Cisco tells Avast what it has found and also around the same time they had taken some steps to prevent the backdoor from being effective.
• September 15: Following a collaboration between Avast and law enforcement, the evil doers server that controlled the backdoor was shut down. Avast releases a clean version of CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the backdoor.
• September 18: The incident comes to public attention, following Avast, Cisco and Morphisec reports.

A backdoor might not sound dangerous, but it is:

What happened in this case was the bad guys managed to gain access to Piriform’s software development systems and they implanted computer code that created a backdoor in CCleaner. This went undetected and so the compromised version of CCleaner, version 5.33 was released. People would have downloaded this, or updated to it, as paid versions of CCleaner have an automatic update feature.

So the backdoor in this case, effectively meant that version of CCleaner would have occasionally made contact with servers on the internet controlled by the bad guys and look for for new instructions. The hackers could have put any malicious code they want on these servers, and this would have almost certainly affected the victims machine, regardless of the protections that were in place (Antivirus, Firewalls, etc.). They could have loaded Ransomware onto the victim or something that would have stolen banking credentials.

What you should do if you were affected:

Avast recommend simply installing version 5.34 will remove the nasty backdoor. Cisco’s detailed write-up doesn’t offer much in the way of guidance, but their work on this pretty much hobbled the malicious software.

However, looking at the timeline, the infected software was available from 15th August and nothing was detected until 12th September. So that’s 27 days where this thing could have been doing something evil. There’s no evidence to say that anything had happened, but there’s no evidence that nothing happened. It’s possible that other malicious software has been deployed on affected machines.

I would therefore be of the view that any machine that had this software installed, is potentially still compromised. The safest course of action is to wipe the machine and reset to factory settings. I would also change any passwords for e-mail, banking, social media and other online services. Maybe even bite the bullet and give your online accounts the best protection possible. I know this is a pain in the ass, but because there is uncertainty, I wouldn’t take the risk,

I had the free version 5.32 of CCleaner installed on my personal desktop, so I don’t need to worry. I might wait for the dust to settle before I upgrade it though.

The post Draughty Backdoor in popular application. appeared first on L2 Cyber Security Solutions Ltd..