03 Mar CODE BLUE in Tokyo Michael
06 Feb Encrypted Java Archive Trojan bankers from Brazil Dmitry Bestuzhev
06 Feb Largest Website in Sweden Spreading Malicious Code David Jacoby
03 Feb A Glimpse Behind "The Mask" GReAT
23 Jan Suits and Spooks Collision DC 2014 Kurt Baumgartner
11 Dec The inevitable move - 64-bit ZeuS has come enhanced with Tor Dmitry Tarakanov
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
On February 17th (MON) - 18th (TUE), 2014 we were at an event in Tokyo called “CODE BLUE”, a new international information security conference originating from Japan.
Even though this conference was being held for the first time, no less than 400 visitors attended, with people coming from about 10 different countries.
The overall atmosphere at the event was kind and friendly and everything seemed to go smooth and swiftly.
Topics on the first day were the keynote by Jeff Moss, followed by presentations about “The Current State of Automotive Security”, “A Security Barrier Device”, “Remote linux exploits” and hard-/software related hard disk matters.
For the Japanese speakers among you there’s a more detailed review of the event here.
This week has been one of the most hectic weeks in a very long time, I've been working day and night to finish everything for the Kaspersky Security Analyst Summit. I was not in the mood for new work because of the very late and hectic nights. I am on my way out from the door to drop off the kids and wife at her parents place and suddenly the phone rings, its Magnus Lindkvist, who was the Security Evangelist at Microsoft in Sweden. It is always nice to talk to Magnus, but this time he had a different tone on his voice, he was not really up for any chit chat, and just asked me if I was close to a computer. The mood for something exciting suddently just came back to me! I was in the game again! :)
As a security researcher, I always have at least one computer running 24/7, he tells me that the largest website in Sweden; Aftonbladet is spreading malware. I quickly up boot my virtual machine, launch Chrome and open the website. Nothing happen... what did I miss? Was Magnus joking? Then on the other side of the phone I hear Magnus say: "You need to use Internet Explorer".
In early 2013, we announced our research on RedOctober, a cyberespionage operation focusing on diplomatic institutions. In June 2013, we published our research on NetTraveler, and in September, our research on the Kimsuky attacks.
Our analysis of all these different APT operations indicated an unique use of languages, that offer clues regarding some of the people behind these operations. If the comments in the Flame C&C were written in English, artifacts in RedOctober indicated Russian speakers, NetTraveler indicated Chinese natives. Finally, Kimsuky indicated Korean speaking authors, which we linked to North Korea.
During the past months we have been busy analysing yet another sophisticated cyberespionage operation which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation "The Mask" for reasons to be explained later.
Suits and Spooks Collision DC 2014 wrapped up this week, and I had the opportunity to speak on two panels at the event, "Exploiting End Points, Devices, and the Internet of Things", and "Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?".
"Exploiting End Points, Devices, and the Internet of Things" (Dave Dittrich, Kurt Baumgartner, Remy Baumgarten, and Roel Schoewenberg in Terry McCorkle's absence)
This technology environment of realtime connections, massive data collection and availability of automated daily routines is truly new. Current events demonstrate malware is attacking that environment specifically, and indirectly acting on our everyday routines.
All of these "things", like Google's recent purchase of Nest, the Nike "things", Sonos "things", health care "things", all support administation with Android and iPhone apps, and drive dependency on smartphones and tablets. Both iPhones and Android are demonstrably insecure in many ways. Our concern is attackers pivoting from these devices further into critical infrastructure.
"Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?" (Anup Ghosh, Kurt Baumgartner, Billy Rios)
Researching this topic uncovered complete data leakage across "cloud" customers due to poorly audited and logged partner application for a massive cloud service provider. There are also challenges with maintenance like wiping file systems and maintaining layers of web application security requirements.
The recent openssl.org and .net compromise and resulting defacement demonstrated difficulties in hypervisor management console access and authentication protection.
While hardware features that cloud systems run on may help enable exploitation, there are much lower hanging fruit for attackers to target.
On the offensive side, attackers love the cloud. Incident response is often stymied by cloud providers that will not work with research teams investigating drops, C2 and other criminal assets that private owners would most likely assist with. Quickly spinning up another C2 becomes very easy. An example of targeted attack operations hosting a portion of their infrastructure in the target country is outlined in our NetTraveller report. And finally, cloud computing provides some of the most powerful and cost-effective cracking platform and mass attack platform available.
Some of the discussions regarding the NSA's involvement in the development of DUAL_EC_DRBG and several companies implementing it as a default algorithm in their products became heated but seemed unfinished. While a slew of products support the algorithm, it seems that only a handful use it exclusively or by default. And the question of usage cases remains unanswered.
Other discussions were very interesting, with individuals debating the usefulness of creating a legal framework for organizations to actively defend themselves.
Conference organizer Jeffrey Carr discussed his decision to revoke his talk at the RSA Conference this year. He also made the very interesting note that Blackberry holds the patent on the algorithm, but their response to the situation is entirely mute.
It was a fantastic lineup of speakers to join. Chris Inglis (former Deputy Director at NSA), Christopher Hoff from Juniper, Steve Chabinsky from Crowdstrike, former Navy seals and US Secret Service Technical Security, intel analysts, and others brought informed views to debate, clarify and expand on extraordinary topics. The location unfortunately was hit with winter snow and weather, creating difficulties for speakers coming and going to their next event, but Jeffrey Carr has assembled an event that is definitely not the usual security con.
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared – but we didn’t expect it to happen quite so soon.
That’s because cybercriminals don’t actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers – even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.
Then, out of the blue, we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside. And it’s turned out that this 64-bit version has already been recorded being present in the wild at least since June, 2013 and compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.
Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as a part of targeted attacks around the world, and one of them is known to be ItW for at least six months or so.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations on exploitation of this vulnerability as a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace cve-2012-0158 as a part of targeted attacks in terms of overall volume.
The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, any one of which effects Internet Explorer 6 on Windows XP SP 3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.
Finally, another critical vulnerability exists in the Windows Scripting Engine as yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!
This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.
It’s december. While it’s getting colder and people prepare and shop for christmas, here in Bergen, a city in Norway, experts from several countries come together talking about Passwords – something you’re using while buying christmas presents online for example – at the PasswordsCon. This one held at the University of Bergen in the Auditorium Pi.
After the discovery of a major breach at Adobe recently some would perhaps have expected a bigger number of CVEs to get patched this round. It will be interesting to see how the breach will affect patch cycles in the coming months.
Microsoft's November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated "important". This month's MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.
The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long running APT operation they call "DeputyDog". As a part of this operation, the group strategically popped yet another carefully selected web site, then redirected those visitors to their 0day attack. Simply labelling it "just another watering hole" may not fully describe the amount of planning and preparation that goes into selecting the web site property to compromise, and then burn the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don't know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don't think that I have ever seen "CreateRemoteThread" used to deliver a payload in a significant exploit.
At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS013-088. No doubt these should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVE include issues with "information disclosure", which enable exploit developers to advance their exploit code further into process space and are serious issues.
Surprisingly, Microsoft is patching code in their WordPerfect converter "wpft532.cnv" for stack overflow issue CVE-2013-1324. This vulnerability enables spearphish attacks across all versions of their OS, but on 64bit platforms, the component may not be present. I didn't expect to write about stack BoF in their code at the end of 2013, but hey, it's tricky stuff.
More about this month's patches can be found at the Microsoft site.