13 Apr SyScan 2014 Michael
14 Mar Analysis of Malware from the MtGox leak archive Sergey Lozhkin
11 Mar Trust. Trust. Trust Roel
10 Mar RootedCON V Vicente Diaz
03 Mar CODE BLUE in Tokyo Michael
06 Feb Encrypted Java Archive Trojan bankers from Brazil Dmitry Bestuzhev
In the first week of April 2014 we were at “The Symposium on Security for Asia Network” (SyScan), a “geeky” single-track conference located in Singapore.
I liked the friendly atmosphere from the very first slides of the event (as is seen above).
The program covered hardware and software attacks like “Car Hacking”, “Defeating SecureBoot”, “Point-of-Sale”-hacks (“Flappy Bird” injected on a mobile POS device was my favorite), “RFID”-hacks, “Anti-Virus Software” flaws, “Phone hacks”, “OS-Hacks” and a “Linux Memory Forensic” case study amongst others.
All of the presentations were of quite high quality in content and most of the speakers did a nice job presenting their content.
Much beer did flow at the “BarCon” at the end of day one ...
A few days ago the personal blog and Reddit account of MtGox CEO, Mark Karpeles, were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the MtGox topic.
Over the past week or so I've been to TrustyCon, Jeffrey Carr's town-hall debate on Privacy v National Security and Georgetown's conference on International Engagement on Cyber. All these conferences had trust as a major focal point. Trust in the internet. During the course of the last nine months in particular that trust has been eroded and replaced with suspicion. How do we fix this?
Overall, I really enjoyed some great discussions at these events. The town-hall debate did the best job at getting people from all sides to the table, which is something we need to see more of.
It was five years ago when a group of computer security enthusiasts decided to gather together and organize a security conference mainly for a Spanish-speaking audience.
Last week RootedCon celebrated its fifth birthday, gathering more than 1000 attendees. It is now firmly established as the most important security event in Spain.
On February 17th (MON) - 18th (TUE), 2014 we were at an event in Tokyo called “CODE BLUE”, a new international information security conference originating from Japan.
Even though this conference was being held for the first time, no less than 400 visitors attended, with people coming from about 10 different countries.
The overall atmosphere at the event was kind and friendly, and everything seemed to go smoothly and swiftly.
Topics on the first day were the keynote by Jeff Moss, followed by presentations about “The Current State of Automotive Security”, “A Security Barrier Device”, “Remote linux exploits” and hardware- and software-related hard disk matters.
For the Japanese speakers among you there’s a more detailed review of the event here.
This week has been one of the most hectic weeks in a very long time; I've been working day and night to finish everything for the Kaspersky Security Analyst Summit. I was not in the mood for new work because of the very late and hectic nights. I am on my way out the door to drop off the kids and wife at her parents' place and suddenly the phone rings; it's Magnus Lindkvist, who was the Security Evangelist at Microsoft in Sweden. It is always nice to talk to Magnus, but this time he had a different tone in his voice, he was not really up for any chit-chat, and just asked me if I was close to a computer. The mood for something exciting suddenly just came back to me! I was in the game again! :)
As a security researcher, I always have at least one computer running 24/7. He tells me that the largest website in Sweden, Aftonbladet, is spreading malware. I quickly boot up my virtual machine, launch Chrome and open the website. Nothing happens... what did I miss? Was Magnus joking? Then on the other side of the phone I hear Magnus say: "You need to use Internet Explorer".
In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.
Our analysis of all these different APT operations indicated a distinctive use of languages that offers clues about some of the people behind these operations. While the comments in the Flame C&C were written in English, artifacts in RedOctober pointed to Russian speakers, and NetTraveler pointed to native Chinese speakers. Finally, Kimsuky indicated Korean-speaking authors, which we linked to North Korea.
During the past months we have been busy analysing yet another sophisticated cyberespionage operation, which has been going on at least since 2007, infecting victims in 27 countries. We named this operation "The Mask" for reasons to be explained later.
Suits and Spooks Collision DC 2014 wrapped up this week, and I had the opportunity to speak on two panels at the event, "Exploiting End Points, Devices, and the Internet of Things", and "Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?".
"Exploiting End Points, Devices, and the Internet of Things" (Dave Dittrich, Kurt Baumgartner, Remy Baumgarten, and Roel Schouwenberg in Terry McCorkle's absence)
This technology environment of real-time connections, massive data collection and availability of automated daily routines is truly new. Current events demonstrate that malware is attacking that environment specifically, and indirectly acting on our everyday routines.
All of these "things", like Google's recent purchase of Nest, the Nike "things", Sonos "things", health care "things", all support administration with Android and iPhone apps, and drive dependency on smartphones and tablets. Both iPhones and Android are demonstrably insecure in many ways. Our concern is attackers pivoting from these devices further into critical infrastructure.
"Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?" (Anup Ghosh, Kurt Baumgartner, Billy Rios)
Researching this topic uncovered complete data leakage across "cloud" customers due to a poorly audited and logged partner application for a massive cloud service provider. There are also challenges with maintenance, like wiping file systems and maintaining layers of web application security requirements.
The recent openssl.org and .net compromise and resulting defacement demonstrated difficulties in hypervisor management console access and authentication protection.
While hardware features that cloud systems run on may help enable exploitation, there are much lower hanging fruit for attackers to target.
On the offensive side, attackers love the cloud. Incident response is often stymied by cloud providers that will not work with research teams investigating drops, C2 and other criminal assets that private owners would most likely assist with. Quickly spinning up another C2 becomes very easy. An example of targeted attack operations hosting a portion of their infrastructure in the target country is outlined in our NetTraveler report. And finally, cloud computing provides some of the most powerful and cost-effective cracking and mass-attack platforms available.
Some of the discussions regarding the NSA's involvement in the development of DUAL_EC_DRBG and several companies implementing it as a default algorithm in their products became heated but seemed unfinished. While a slew of products support the algorithm, it seems that only a handful use it exclusively or by default. And the question of use cases remains unanswered.
Other discussions were very interesting, with individuals debating the usefulness of creating a legal framework for organizations to actively defend themselves.
Conference organizer Jeffrey Carr discussed his decision to revoke his talk at the RSA Conference this year. He also made the very interesting note that BlackBerry holds the patent on the algorithm, yet has remained entirely silent on the situation.
It was a fantastic lineup of speakers to join. Chris Inglis (former Deputy Director at NSA), Christopher Hoff from Juniper, Steve Chabinsky from Crowdstrike, former Navy SEALs and US Secret Service Technical Security, intel analysts, and others brought informed views to debate, clarify and expand on extraordinary topics. The location unfortunately was hit with winter snow and weather, creating difficulties for speakers coming and going to their next event, but Jeffrey Carr has assembled an event that is definitely not the usual security con.
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared – but we didn’t expect it to happen quite so soon.
That’s because cybercriminals don’t actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers – even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.
Then, out of the blue, we spotted a 32-bit ZeuS sample carrying a 64-bit version inside. It turned out that this 64-bit version has been recorded in the wild since at least June 2013, and the compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer, and it demonstrated the usual ZeuS functionality: in every case, the web injects functioned as usual.