What's old is new again: Part II
An aspect of human nature that has not been explored sufficiently is the lack of memory permanence. People remember a major system compromise for only a distinct length of time. After that point, the issues leading up to the compromise, the implications for the company, and the effects on clients and associates are forgotten. This is not a new phenomenon, and it has been verified by several retail business breaches. After the breach notification, sales revenue decreases for a while but later rebounds as if nothing had ever happened.
Unfortunately, the same effect applies to malware. A programmer with a great idea for new malware creates it, the malware is released into the wild, it works for a time, it is red-flagged, and it falls out of use. We are now seeing old malware get a new life and be re-introduced, perhaps with a tweak to adjust its signature and avoid notice from the AV providers. A recent example is macros in Word and Excel. These were a significant issue over a decade ago, then were forgotten as a viable threat for a long time until they were re-introduced. They were effective once again for a brief period until the new use was noticed, and the cycle begins again.
The same thing has happened again. Recently, a vulnerability dating back 19 years re-appeared. It affects the RSA implementation of at least eight vendors. The vulnerability has been termed ROBOT, an acronym for Return of Bleichenbacher's Oracle Attack.
When exploited, this allows others to perform RSA decryption and encryption operations using the private key configured on the TLS servers where the vulnerability is present. The issue was first noted by Daniel Bleichenbacher, a Swiss cryptographer. The vulnerability and subsequent attack apply specifically to RSA-based PKCS #1 v1.5 encryption as utilized in SSLv2.
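The "oracle" in the name is a server that reveals whether a decrypted PKCS #1 v1.5 block was well formed. As an added example (not from the original article), the sketch below contrasts a padding check that signals failure with the uniform handling the TLS specification calls for, where a bad block silently yields a random premaster secret. The function names and the sample block are constructed for illustration, and the code works on the already-decrypted block, so no RSA key is involved.

```python
import hmac
import secrets

PMS_LEN = 48  # length of a TLS premaster secret in bytes

def unpad_leaky(em: bytes) -> bytes:
    """Weak form: raises on bad padding, so a caller can tell failure from success."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # covers "no separator" (-1) and a padding string under 8 bytes
        raise ValueError("bad padding")
    return em[sep + 1:]

def premaster_hardened(em: bytes, client_version: bytes) -> bytes:
    """Hardened form: no error path; a malformed block yields a random secret."""
    fallback = secrets.token_bytes(PMS_LEN)  # drawn before any check is made
    k = len(em)
    if k < PMS_LEN + 11:
        return fallback
    ps, pms = em[2:k - PMS_LEN - 1], em[k - PMS_LEN:]
    good = hmac.compare_digest(em[:2], b"\x00\x02")
    good &= em[k - PMS_LEN - 1] == 0x00      # separator at the one allowed position
    good &= 0 not in ps                      # padding bytes must all be non-zero
    good &= hmac.compare_digest(pms[:2], client_version)
    # Python gives no constant-time guarantee; the point shown is the uniform outcome.
    return pms if good else fallback

def build_em(pms: bytes, k: int = 256) -> bytes:
    """Constructed sample: a well-formed decrypted block for a k-byte modulus."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(pms)))
    return b"\x00\x02" + ps + b"\x00" + pms

if __name__ == "__main__":
    version = b"\x03\x03"                    # TLS 1.2, constructed sample value
    em = build_em(version + secrets.token_bytes(46))
    bad = b"\x00\x01" + em[2:]               # wrong block type byte
    for name, block in (("valid", em), ("malformed", bad)):
        try:
            unpad_leaky(block)
            leaky = "ok"
        except ValueError as exc:
            leaky = f"error: {exc}"
        print(name, "| leaky:", leaky, "| hardened:", len(premaster_hardened(block, version)), "bytes")
```

With the hardened form, a malformed block surfaces only later in the handshake, in the same way any wrong key would.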
This will certainly not be the last attack to be recycled. The pattern will continue as long as our memories remain short.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.