Microsoft's November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated "important". This month's MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.
The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long running APT operation they call "DeputyDog". As a part of this operation, the group strategically popped yet another carefully selected web site, then redirected those visitors to their 0day attack. Simply labelling it "just another watering hole" may not fully describe the amount of planning and preparation that goes into selecting the web site property to compromise, and then burn the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don't know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don't think that I have ever seen "CreateRemoteThread" used to deliver a payload in a significant exploit.
At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS013-088. No doubt these should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVE include issues with "information disclosure", which enable exploit developers to advance their exploit code further into process space and are serious issues.
Surprisingly, Microsoft is patching code in their WordPerfect converter "wpft532.cnv" for stack overflow issue CVE-2013-1324. This vulnerability enables spearphish attacks across all versions of their OS, but on 64bit platforms, the component may not be present. I didn't expect to write about stack BoF in their code at the end of 2013, but hey, it's tricky stuff.
More about this month's patches can be found at the Microsoft site.
Back in March 2012 we teamed up with Crowdstrike, the Honeynet Project and Dell SecureWorks in disabling the second version of the Hlux/Kelihos-Botnet. We thought that now would be a good time for an update on what has happened to that sinkhole-server over the last 19 months.
What we see now is what we expected. The botnet is getting smaller and smaller - victims have been disinfecting or reinstalling their PCs over time. At the moment we're counting about 1000 unique bots on average per month:
Due to the botnetís peer-to-peer-design, there could still exist an independent subset of the initial botnet which never connected to our sinkhole. But we think that the bot-count for any such subset would have evolved in a similar way, because most likely the bot-herders would leave them alone as well and concentrate on establishing "Hlux 3".
Most of the bots are still running under Windows XP. But we also saw some bots running under Windows Server 2008:
Most of the infected clients are located in Poland:
The group behind Hlux is known to be adept at quickly renewing their illegal infrastructure. Since the group is also known to be behind the Waledac botnet, we think that this is unlikely to be the last we hear about this gang.
Last but not least, a quick review about the story of Hlux/Kelihos:
In September 2011 we performed the first takedown of Hlux. The criminals responsible for that botnet didnīt show a major interest in taking counter-measures - they abandoned the botnet to its fate (of being under our control now) and immediately began to build a new botnet. So after a short time, Hlux 2 appeared on the radar and we did it again - poisoning the p2p-network to sinkhole it. And again, the criminals quickly rebuilt their botnet and Hlux 3 was born - within 20 minutes! In March 2013 the bad guys were faced with a new shutdown operation - initiated and performed live at the RSA Conference 2013 by our friends over at Crowdstrike.
As Bitcoin reached an all-time high of $327/BTC, news about yet another huge robbery hit the world of crypto-currencies. One of the relatively new “Bitcoin banking” services named inputs.io claimed it has been compromised by hackers. The attackers were able to penetrate the server on October 23 and 26 and transfer 4100 BTC (approximately US$1.2 million). According to “Tradefortress”, the service owner, the attackers used old email accounts together with a password reset technique: “They were able to bypass two-factor authorization due to a flaw on the server host side”.
Right now it is not possible to confirm that this was a real hack, and not merely a site owner scamming customers. But it is not the first time this has happened - there were a number of similar incidents in recent years on many different bitcoin storage and exchange services. Examples include, in May and July 2012, the Bitconica theft (approx. 58,000 bitcoins stolen), Linode hacks in March 2012 (approx. 46,000 bitcoins stolen) and Bitfloor Theft in September 2012 (approx. 24,000 bitcoins stolen).
All this accidents happened because of silly mistakes made by service operators. Bitfloor was robbed because its unencrypted wallet backup was mistakenly stored on some of the servers. The Bitconica theft occured when a top privileged email account was compromised giving the cybercriminals access to Bitconica’s rackspace server where the wallet was kept. There are hundreds of similar examples.
Bitcoin is a secure and viable currency, but its security ultimately depends on its users. If users are unable to establish the security of their own wallets they definitely will lose them.
The best strategy for storing and using Bitcoins securely is “Don’t keep all of your eggs in the same basket”. Use different approaches for short-term and long-term storage. The most flexible solutions are usually the least secure ones as well. You don’t want to keep all of your bitcoins on your mobile or Blockchain wallet for instance - but just enough for weekly use. At the end of the week, you can top-up your Bitcoins from your long-term storage, the one which is secured.
If you own a couple of Bitcoins, then the most important thing is how to keep them safe. Here’s a couple of tips from our side based on personal experience and watching cybercriminals at work.
First of all – the Bitcoins should not be kept in online stock exchange services or banks that are new and untrustworthy. Keep in mind that most of these services are anonymous; owners are only known by nicknames so most likely, you will not be able to get a refund of your money if something bad happens. Even if a service has a perfect reputation, it could also be compromised like any ordinary bank. To store your Bitcoins, you can use an open-source “offline” bitcoin client like Electrum or Armory. These encrypt your wallet with a strong password and protect it, ensuring that only you have access to your crypto-currency.
Passphrases for your bitcoin wallets and online storages should be complex as possible – use open source password generating software.
Once you have your bitcoins in an “offline” wallet, secured by a strong password, make sure your PC is protected with a good, solid antivirus and your PC has the latest software updates installed. If you have a huge amount of bitcoins - you should keep them in a wallet on a PC that is not connected to the Internet at all!
Some say Bitcoins will bring down governments or even the society as we know it; others advocate it as the solution to all our financial problems. To be honest, when it comes to Bitcoins, nobody knows what the future will bring. One thing is for sure, though - cybercriminals are highly interested into stealing your hard earned crypto-currencies, so we’re likely to see more attacks in the future.
On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.
Several malware samples became available to us that exploit CVE-2013-3906. We analyzed them in detail. All of them make use of heap spraying, recording their code to the address 0x08080808, and execute the code from that location. Exception generation and memory rewrite is performed in the vulnerable ogl.dll.
Fragment of WinDbg shellcode execution
The exploits that we had access to can be divided into two groups according to the shellcodes used in them.
The third security conference called ZeroNights conference has quickly grown into the largest security events in Russia. The conference first started in St Petersburg in 2011 with presentations from respectable speakers that included Dave Aitel and The Grugq. This year, ZeroNights had 800+ visitors, including quite a few English speakers and not surprisingly the presentations of Russian speakers were simultaneously translated in English for all.
The HITB (Hack In The Box) SecConf2013 was held from 14-17 October 2013 in Kuala Lumpur, Malaysia. On 14-15, they provided us with hands-on technical training about exploits, web hacking, penetration testing and building a secure web/mobile app. On 16-17, we had a conference with three tracks; Commsec village, Hackweekday and Capture The Flag Weapons of Mass Destruction: War of the World (referred to as "CTF WMD:WotW").
Since we published our first blog post about the mobile Trojan Trojan-SMS.AndroidOS.Svpeng, the cybercriminals have improved its functionalities. Now Svpeng is capable of phishing as well, trying to harvest the financial data of users.
When a user launches the banking application of one of Russia’s largest banks, the Trojan substitutes the opened window with a phishing window, designed to steal the victim’s login and password for the online banking system:
The data the user enters is sent to the cybercriminals.
Last week, Google has released the 4.4 (KitKat) version of their omni-popular Android OS. Between the improvements, some have noticed several security-related changes. So, how much more secure is Android 4.4?
When talking about Android 4.4 (KitKat) major security improvements, they can be divided into 2 categories:
1. Digital certificates Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates can connect to certain Google domains.
2. OS hardening SELinux is now running in enforcing mode, instead of permissive mode. This helps enforce permissions and thwart privilege escalation attacks, such as exploits that want to gain root access. Android 4.4 comes compiled with FORTIFY_SOURCE set at level 2, making buffer overflow exploits harder to implement.