05 Feb CVE-2014-0497 – a 0-day vulnerability Vyacheslav Zakorzhevsky
03 Feb A Glimpse Behind "The Mask" GReAT
12 Feb Adobe Flash Player 0-day and HackingTeam's Remote Control System Sergey Golovanov
07 Feb Adobe Incubates Flash Runtime for Firefox Kurt Baumgartner
14 Sep Adobe September 2011 Patch Release Kurt Baumgartner
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.
We reported this to Adobe and it turned out that these ITW exploits targeted a 0-day vulnerability. Today, Adobe released a patch for the vulnerability.
This post provides a technical analysis of the exploits and payload that we discovered.
All in all, we discovered a total of 11 exploits, which work on the following versions of Adobe Flash Player:
All of the exploits exploit the same vulnerability and all are unpacked SWF files. All have identical actionscript code, which performs an operating system version check. The exploits only work under the following Windows versions: XP, Vista, 2003 R2, 2003, 7, 7x64, 2008 R2, 2008, 8, 8x64. Some of the samples also have a check in place which makes the exploits terminate under Windows 8.1 and 8.1 x64.
Operating system version check algorithm
In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.
Our analysis of all these different APT operations indicated an unique use of languages, that offer clues regarding some of the people behind these operations. If the comments in the Flame C&C were written in English, artifacts in RedOctober indicated Russian speakers, NetTraveler indicated Chinese natives. Finally, Kimsuky indicated Korean speaking authors, which we linked to North Korea.
During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation "The Mask" for reasons to be explained later.
A new-ish Flash exploit has been on the loose for attacks around the web. This time, the attackers have compromised a caregiver site providing support for Tibetan refugee children and are spreading backdoors signed with Winnti stolen certificates delivered with Flash exploits - the compromised web site is the NGO "Tibetan Homes Foundation". Previously, FireEye identified similar "Lady Boyle" related malicious swf exploiting CVE-2013-0634. A notification has been sent to the contacts of the web site, but apparently the malicious footer.swf file is still hosted at the Foundation's web site, so please do not visit it just yet. Also, be sure to update your Flash player to the latest version.
This site certainly appears to be a classic example of a "watering hole" attack. F-Secure pointed out another Lady Boyle watering hole set up against a related Uyghur group, which has been targeted in tandem following the early March World Uyghur Congress. The delivered backdoors are shown to be signed with Winnti-stolen digital certificates in the F-Secure post, including the stolen MGAME certificate.
Here is an example of those same stolen certs reused for the backdoors in the Tibetan Homes Foundation incident. We see both the MGAME cert and the ShenZehn certs signing the backdoors, here are screenshots of the latter:
Our products detect the Flash exploit+payload as Exploit.SWF.CVE-2013-0634.a. Here is a heatmap of our worldwide detections. Note that not all of these detections are Lady Boyle related, I estimate that at least a third of them are:
Other sites hosting the Lady Boyle swf exploit over the past couple of months have included "tibetangeeks.com", who recently cleaned up their site and posted a cooperative plea to their attackers, and "vot.org" or the "Voice of Tibet" which is also cleaned up. Currently cleaned up but previously serving "Exploit.SWF.CVE-2013-0634.a" were Uyghur related sites "istiqlaltv.com" and "maarip.org", with the same "LadyBoyle" swf path as the Tibetan Homes Foundation, i.e.:
So, what we have is an active watering hole campaign implementing a fairly new Flash exploit and abusing digital certificates that were stolen as a part of the ongoing Winnti targeted attack campaigns on game developers and publishers.
Last week, Adobe released a patch for a vulnerability in Flash Player that was being exploited in targeted attacks.
Before reading any further, we recommend you to take a moment make sure you apply this patch. Adobe offers this nifty tool to check that you have the latest version of Flash Player.
If you are running Google Chrome, make sure you have version -24.0.1312.57 m- or later.
Now back to CVE-2013-0633, the critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called -legal- surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from -HackingTeam- marketed as Remote Control System.
The Adobe AIR and Adobe Flash Player Incubator program updated their Flash Platform runtime beta program to version 5, delivered as Flash Player version 11.2.300.130. It includes a "sandboxed" version of the 32-bit Flash Player they are calling "Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems". It has been over a year since Adobe discussed the Internet Explorer ActiveX Protected Mode version release on their ASSET blog, and the version running on Google Chrome was sandboxed too.
Adobe is building on the successes that they have seen in their Adobe Reader X software. Its sandbox technology has substantially raised the bar for driving up the costs of "offensive research", resulting in a dearth of Itw exploits on Reader X. As in "none" in 2011. This trend reflects 2011 targeted attack activity that we’ve observed. 2011 APT related attacks nailed outdated versions of Adobe Flash software delivered as "authplay.dll" in Adobe Reader v8.x and v9.x and the general Flash component "NPSWF32.dll" used by older versions of Microsoft Office and other applications. Adobe X just wasn't hit. IE Protected Mode wasn't hit. Chrome sandboxed Flash wasn't hit. If there are incident handlers out there that saw a different story, please let me know.
In addition to today's Microsoft updates, users of Adobe's Reader and Acrobat software on both Windows and Apple systems need to update their software ASAP. Adobe released Bulletin APSB11-24, addressing at least thirteen memory corruption flaws, and several privilege escalation, logic flaw, and bypass issues.
In today's earlier post about Microsoft's patched vulnerabilities, Excel was highlighted as the target of choice in many targeted attacks. Along those lines, Adobe's Reader and Flash are among the most commonly exploited software applications that are attacked by professional attackers.
In this special edition Ryan Naraine joins David Lenoe, Head of the Product Security Incident Response Team, Adobe, in a discussion about how Adobe is responding to attacks against zero-day vulnerabilities in PDF Reader and Flash Player.
This month's patch Tuesday is a sizable one by any standards, following the quiet Tuesday that my colleague Roel Schouwenberg described last month. Microsoft is patching a total of 34 vulnerabilities in 16 bulletins, MS11-038 through MS11-051. At least eight different Microsoft product lines are updated, and Adobe is coordinating release of Reader, Acrobat, Shockwave and Flash updates as well today.
So we are looking at patching the following programs:
Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, ISA and Adobe Reader, Acrobat, Shockwave and Flash player. More than half of the vulnerabilities being patched exist in the Internet Explorer and Microsoft Excel software components, frequent targets of drive-by and spear phishing attacks.
Most interesting is MS11-050, a single patch that knocks out 11 separate Internet Explorer vulnerabilities, some enabling information disclosure (cookiejacking), memory corruption and remote code execution: CVE-2011-1250, CVE-2011-1251, CVE-2011-1252, CVE-2011-1254, CVE-2011-1255, CVE-2011-1256, CVE-2011-1260, CVE-2011-1261, CVE-2011-1262. The additional VML patch MS11-052 knocks out another Internet Explorer vulnerability, CVE-2011-1266.
Microsoft already pointed out that the Internet Explorer patch addressing "cookiejacking" is not a particularly high risk issue because it is relatively unknown to them as an attack vector, and because there are more substantial social engineering techniques. While those points may be true, now that the techniques are more widely discussed, the risk of them being abused by more attackers goes up as well.
Eight different privately reported vulnerabilities are being patched in Microsoft Excel alone by MS11-045, each of which allow for remote code execution. We are still reviewing why the patch is rated "important" and not critical for the various Excel versions.
The patches that stand out result in remote code execution within Internet Explorer, Office and Silverlight. The recent history of attacks on consumer and corporate users, including the many successful spear phishing and APT attacks should help increase the urgency of these patches.
On the server side in the cloud, Microsoft is patching a vulnerability that could be abused in a DoS attack that could only be staged from within the cloud. MS11-047 is rated an "Important" patch for Windows 2008 versions, correcting a flaw in Hyper-V where a guest could send a malformed packet to the VMBus and result in denial of service on the server. MS11-039 is the Silverlight patch that could not only be used in a remote code execution attack on the client side, but also can be used to remotely run arbitrary code on vulnerable IIS web servers.
At least eight of the nine patches rated "Critical" requires a restart, be prepared for this interruption. We recommend applying all of this month's released patches asap.
The Democratic Party of Hong Kong's website was compromised and malware uploaded to the web server. Interestingly, the server was distributing malicious flash and spyware nearly identical to the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.
The english version of the website did not include injected iframe links pointing to the exploit.html page, which in turn delivers three different version-appropriate malicious variants of flash detected by Kaspersky as "Exploit.SWF.CVE-2011-0611". The malicious flash was 0day at the beginning of this month, and will be effective on unpatched systems.
Adobe released its fix for CVE-2011-0609 this afternoon, making good on last week's advisory dealing with the latest Flash zero-day. Kaspersky Lab products detected the variants as "Trojan-Dropper.MSExcel.SWFDrop" this past week.While we questioned the usefulness of Flash functionality within Excel spreadsheet cells last week, attackers were sending out emails containing just these sorts of files. Our Kaspersky Security Network statistics saw very low numbers spread out across the globe, revealing attackers making targeted use of this zero-day attack.