The emergence of small groups of cyber-mercenaries available for hire to perform surgical hit and run operations.

The world of Advanced Persistent Threats (APTs) is well known: skilled adversaries compromise high-profile victims and stealthily exfiltrate valuable data over the course of many years. Such teams can count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.

Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.

Since 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this is a relatively small group of attackers that are going after the supply chain -- targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan.

For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is typical of many amateur virus writers.

However, there were a few things that attracted our attention:

  • The public e-mail server in question was Bulgarian - mail.bg.
  • The compilation path string contained Korean characters.

The complete path found in the malware presents some of the Korean strings:

D:\rsh\공격\UAC_dll(완성)\Release\test.pdb

The word “rsh” is, by all appearances, short for “Remote Shell”, and the Korean words translate into English as “attack” and “completion”, i.e.:

D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
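As an added illustration (not code from the original post), the following Python extracts PDB paths from a PE image's RSDS CodeView debug record and flags non-ASCII path components such as the Hangul ones above. The sample bytes are constructed here, with the path quoted in the post encoded in cp949 as a Korean-locale build machine would write it.

```python
import re
import struct

# Constructed sample: a fake RSDS record surrounded by filler bytes, carrying the
# PDB path from the post, encoded in cp949 (the Korean ANSI code page).
SAMPLE_PDB_PATH = "D:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb"
SAMPLE_PE_BYTES = (
    b"MZ" + b"\x00" * 30
    + b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)   # signature, GUID, age
    + SAMPLE_PDB_PATH.encode("cp949") + b"\x00"       # NUL-terminated path
    + b"\x00" * 16
)

# Hangul syllables, Jamo and compatibility Jamo.
HANGUL = re.compile(r"[\uac00-\ud7a3\u1100-\u11ff\u3130-\u318f]")

def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in RSDS records: 'RSDS' | GUID(16) | age(u32) | path\\0.
    The path is in the build machine's ANSI code page, so try UTF-8 and fall back to cp949."""
    paths = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0:
            break
        start = pos + 4 + 16 + 4
        end = data.find(b"\x00", start)
        if end < 0:
            break
        raw = data[start:end]
        try:
            path = raw.decode("utf-8")
        except UnicodeDecodeError:
            path = raw.decode("cp949", errors="replace")
        paths.append(path)
        pos = end
    return paths

def triage_pdb_path(path: str) -> dict:
    """Summarise the attribution-relevant features of one PDB path."""
    parts = path.replace("/", "\\").split("\\")
    return {
        "path": path,
        "project_dirs": parts[1:-1],
        "has_hangul": bool(HANGUL.search(path)),
        "non_ascii_tokens": [p for p in parts if any(ord(c) > 127 for c in p)],
    }
```

Run `triage_pdb_path(p)` on each result of `extract_pdb_paths(open(sample, "rb").read())` to get the directory names and a non-ASCII flag for a real binary.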

We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:

The Sejong Institute
The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.
NetTraveler, which we described in depth in a previous post, is an APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler (also known as ‘Travnet’ or “Netfile”) include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

During the last week, several spear-phishing e-mails were sent to multiple Uyghur activists. Here’s an example:

Last week, GReAT LatAm participated in the 3rd Latin American Security Analysts Summit, which took place in Cancun, Mexico.

A snippet of code on the Central Tibetan Administration website redirects CN speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site claims the administration itself as "...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet." The selection of placement for the malicious code is fairly extraordinary, so let's dive in.

The attack itself is precisely targeted: an appended, embedded iframe redirects visitors of "xizang-zhiye(dot)org" (the CN-translated version of the site) to a Java exploit that carries a backdoor payload. The English and Tibetan versions of the website do not contain this embedded iframe; only the Chinese version does (please do not visit at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212 KB "YPVo.jar" (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which also archives, drops and executes the backdoor. That file is a 397 KB win32 executable "aMCBlHPl.exe" (a6d7edc77e745a91b1fc6be985994c6a), detected as "Trojan.Win32.Swisyn.cyxf". Backdoors detected with the Swisyn verdict are frequently a part of APT-related toolchains, and this one most certainly is.
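As an added example (not code from the original post), this Python site-integrity check parses a page and flags embedded frames that look like an injected exploit loader: off-site sources, Java archives, hidden frames, or anything appended after the closing </html>. The page content and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page modelled on the injection described in the post: a
# legitimate same-origin iframe, then a hidden iframe appended after </html>
# that loads a Java archive from a third-party host.
SAMPLE_HTML = """<html><head><title>constructed test page</title></head>
<body><p>news</p><iframe src="/embed/video.html" width="400"></iframe></body></html>
<iframe src="http://third-party.example/YPVo.jar" width="1" height="1" style="display:none"></iframe>
"""
SITE_HOST = "news-site.example"   # placeholder hostname of the site being checked

class EmbedCollector(HTMLParser):
    """Collect iframe/applet/object/embed tags and note whether they follow </html>."""
    def __init__(self):
        super().__init__()
        self.embeds = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "applet", "object", "embed"):
            a = dict(attrs)
            src = a.get("src") or a.get("data") or a.get("archive") or ""
            self.embeds.append({"tag": tag, "src": src, "attrs": a,
                                "after_html": self.html_closed})

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

def find_suspicious_embeds(html: str, site_host: str) -> list:
    """Return embeds with the reasons they look injected rather than site content."""
    p = EmbedCollector()
    p.feed(html)
    findings = []
    for e in p.embeds:
        host = urlparse(e["src"]).hostname or site_host   # relative URL => same origin
        reasons = []
        if host != site_host:
            reasons.append("off-site source")
        if e["src"].lower().endswith((".jar", ".class")):
            reasons.append("loads Java archive")
        if e["after_html"]:
            reasons.append("appended after </html>")
        if e["attrs"].get("width") == "1" or "display:none" in e["attrs"].get("style", ""):
            reasons.append("hidden frame")
        if reasons:
            findings.append({"src": e["src"], "reasons": reasons})
    return findings
```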

The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but it was used by the actor distributing the original CVE-2012-4681 0-day Gondzz.class and Gondvv.class in August of last year. You can see the 4681 exploit code in the image above, along with code setting the JVM SecurityManager to null to disable Java's policy checks and then running the Payload.main method. The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over HTTPS and AES-decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect. The related C2 is located at news.worldlinking.com (59.188.239.46).

This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years, alongside standard spear-phishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back to at least a busy late 2011 season. We also saw Apple-related Java exploits from this server targeting the more recent CVE-2013-2423.

UPDATE 2013.08.13: The CN version of the site at "xizang-zhiye(dot)org" appears to be cleaned up and has not been serving any malicious code that I can find over the past day. The administrators appear to have cleaned everything up on early Tuesday their time/later Monday "western" time and there are no indications of any return since. We will continue to monitor the site for signs of compromise.

According to surveys conducted in Europe and the United States, company employees spend up to 30% of their working hours on private affairs. By multiplying the hours spent on non-business-related things by the average cost of the working hour, the analysts estimate the costs to companies amounting to millions of dollars a year. Indirect losses may be even higher. If these employees – inadvertently or otherwise – assist hack attacks or identity theft, cause reputational damage or infringe copyright, the costs could be even greater.

The fact is that employees often use office computers to communicate on social networking sites, share links to online entertainment, or download files from suspicious resources. At the same time cybercriminals are actively using social networking sites for phishing and the distribution of malware. Many personal blogs, entertainment sites, file sharing services, torrent trackers, and files downloaded from them are infected. Passwords to email accounts are regularly hacked or stolen.

This article describes some problems which may arise from the improper use of office computers and demonstrates how to prevent similar incidents in the corporate network.

Targeted attacks

The threats that users face every day usually target mass audiences so the antivirus solution on their computers is enough to prevent most accidents. Targeted attacks are different: they are performed secretly, often using a non-standard approach; they are highly sophisticated and well organized. To achieve their goals the fraudsters use the most effective weapon to exploit any available software or social vulnerability.

As promised in Microsoft's July Advance Notification, Microsoft ships seven security bulletins this month (MS13-052 - MS13-058). At least 34 CVE are being patched. Six of the Security Bulletins are rated "critical" due to remote code execution issues. The vulnerabilities being fixed this month enable RCE across all versions of Windows operating systems, but most of these serious flaws have all been privately reported and there is no indication that they are publicly known or exploited yet. Some however, are publicly known and drew attention from a number of exploit developers.
The kernel mode vulnerability, CVE-2013-3172 is publicly known, along with another kernel mode bug publicly disclosed by Tavis Ormandy in May. Unfortunately, an exploit abusing that vulnerability was touched up by another contributor and then already integrated into metasploit for public distribution and use.
It's also interesting that the update for the kernel mode TrueType Font Parsing CVE-2013-3129 bug affects code paths in seven different software packages (Office, Lync, Visual Studio, .NET, Silverlight, and "Windows components") updated separately by Security Bulletins MS13-052, MS13-053, and MS13-054.

Internet Explorer receives the bulk of attention, with sixteen RCE bugs and one "information disclosure" bug all fixed up in one tidy bulletin, MS13-055. All of these but one are memory corruption issues, and all versions of IE across all operating systems are affected by one or another of these RCE issues.

Serious issues in multiple graphics components are being addressed this month.

Serious memory corruption flaw CVE-2013-3174 is being fixed in DirectShow that enables RCE across all supported Windows OS. DirectShow handles multimedia streaming, and the software mishandles .gif files, an ancient file format designed back in the day of 8-bit video, Windows 3.1 and x486. The major issue here is that this RCE exists across all versions of Windows.

A WMV decoding flaw exists in several DLLs (wmvdecod.dll, wmvdmod.dll, and wmv9vcm.dll) that enables RCE. The DLLs support Windows Media Player and the Windows Media Format Runtime across all versions of Windows except the server code installs. But some administrators may have enabled the optional "Desktop Experience" and installed these DLLs. These DLLs are not all installed on each OS by default, so not all systems require the MS13-056 DirectShow update.

TrueType font parsing, the software functionality attacked in targeted attacks including the Duqu campaign and currently a part of the Blackhole exploit kit, again enables exploitation of another vulnerability in kernel mode graphics handling component GDI+. This bug also exists across all versions of Windows.

The metasploit code attacking CVE-2013-3172 and patched with MS13-053 is currently limited to escalation of privilege, but with all the interest, this one may soon publicly become full RCE. Considering that the bug was publicly circulated in May, it is great to see Microsoft finally roll out a full patch for this one, because in addition to this month's TrueType handling fix, this win32k.sys vulnerability enables RCE across all versions of the Windows OS, including Windows 2012 core server installations.

.NET and Silverlight are being patched with one bulletin, and a couple of the bugs are publicly known.

Over the last few years, we have been monitoring a cyber-espionage campaign that has successfully compromised more than 350 high profile victims in 40 countries. The main tool used by the threat actors during these attacks is NetTraveler, a malicious program used for covert computer surveillance.

The name “NetTraveler” comes from an internal string which is present in early versions of the malware: “NetTraveler Is Running!” This malware is used by APT actors for basic surveillance of their victims. Earliest known samples have a timestamp of 2005, although references exist indicating activity as early as 2004. The largest number of samples we observed were created between 2010 and 2013.


The NetTraveler builder icon

“Jumcar” is the name we have given to a family of malicious code developed in Latin America – particularly in Peru – which, according to our research, has been deploying attack maneuvers since March 2012.

After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.

Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.

Percentage of the phishing attacks by countries
While researching PlugX propagation via Java exploits, we stumbled upon a compromised site that hosted and pushed a malicious Java applet exploiting the CVE-2013-0422 vulnerability. The malicious Java application itself was detected heuristically with a generic verdict for that vulnerability, and it would have been almost impossible to spot that particular site among the many other places where malicious Java applications are detected with the same generic verdict. But a very specific search was conducted back then, and this site appeared in the statistics among a small number of results. To be honest, it was a false positive in terms of the search criteria, but in this case it was a lucky mistake.

The infected website was an Internet resource named minjok.com, which turned out to be a news site in Korean and English covering mostly political events around the Korean peninsula. We notified an editor of the site about the compromise and, although he has not responded, the site was closed after a while.

This is how minjok.com is described at http://www.northkoreatech.org/the-north-korean-website-list/minjok-tongshin/:


Description of minjok.com