Suits and Spooks Collision DC 2014 wrapped up this week, and I had the opportunity to speak on two panels at the event, "Exploiting End Points, Devices, and the Internet of Things", and "Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?".
"Exploiting End Points, Devices, and the Internet of Things" (Dave Dittrich, Kurt Baumgartner, Remy Baumgarten, and Roel Schouwenberg in Terry McCorkle's absence)
This technology environment of realtime connections, massive data collection and automation of daily routines is genuinely new. Current events demonstrate that malware is attacking that environment specifically, and indirectly acting on our everyday routines.
All of these "things", like Nest (Google's recent purchase), the Nike "things", the Sonos "things" and the health care "things", are administered through Android and iPhone apps, and so drive dependency on smartphones and tablets. Both iPhones and Android devices are demonstrably insecure in many ways. Our concern is attackers pivoting from these devices further into critical infrastructure.
"Is the Cloud and Virtualization an Attacker’s Dream or Nightmare?" (Anup Ghosh, Kurt Baumgartner, Billy Rios)
Researching this topic uncovered complete data leakage across "cloud" customers, caused by a poorly audited and poorly logged partner application at a massive cloud service provider. There are also maintenance challenges, like wiping file systems and maintaining the layers of web application security requirements.
The recent compromise and defacement of openssl.org and .net demonstrated how hard it is to protect access to, and authentication for, hypervisor management consoles.
While the hardware features that cloud systems run on may help enable exploitation, there is much lower-hanging fruit for attackers to target.
On the offensive side, attackers love the cloud. Incident response is often stymied by cloud providers that will not work with research teams investigating drops, C2 and other criminal assets, where private owners would most likely assist. Quickly spinning up another C2 becomes very easy. An example of a targeted attack operation hosting a portion of its infrastructure in the target country is outlined in our NetTraveller report. And finally, cloud computing provides some of the most powerful and cost-effective cracking and mass attack platforms available.
Some of the discussions regarding the NSA's involvement in the development of DUAL_EC_DRBG, and several companies implementing it as a default algorithm in their products, became heated but seemed unfinished. While a slew of products support the algorithm, it seems that only a handful use it exclusively or by default. And the question of use cases remains unanswered.
Other discussions were very interesting, with individuals debating the usefulness of creating a legal framework for organizations to actively defend themselves.
Conference organizer Jeffrey Carr discussed his decision to withdraw his talk from the RSA Conference this year. He also made the very interesting point that Blackberry holds the patent on the algorithm, yet has been entirely silent on the situation.
It was a fantastic lineup of speakers to join. Chris Inglis (former Deputy Director at NSA), Christopher Hoff from Juniper, Steve Chabinsky from Crowdstrike, former Navy SEALs and US Secret Service technical security staff, intel analysts, and others brought informed views to debate, clarify and expand on extraordinary topics. The location unfortunately was hit with winter snow and weather, creating difficulties for speakers coming and going to their next event, but Jeffrey Carr has assembled an event that is definitely not the usual security con.
Eleven Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and the other six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as part of targeted attacks around the world, and one of them is known to have been in the wild (ITW) for at least six months or so.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations exploiting this vulnerability via a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors got their hands on it since July, and a wide-reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace CVE-2012-0158 in terms of overall volume in targeted attacks.
The Internet Explorer Bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, which between them affect everything from Internet Explorer 6 on Windows XP SP3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.
Finally, another critical vulnerability exists in the Windows Scripting Engine, yet another "use after free", which unfortunately enables remote code execution across every supported version of Windows and can be attacked via any of the common web browsers. Patch!
This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.
Microsoft's November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated "important". This month's MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.
The star of the show is MS13-090, which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long-running APT operation they call "DeputyDog". As part of this operation, the group strategically popped yet another carefully selected web site, then redirected its visitors to their 0day attack. Simply labelling it "just another watering hole" may not fully describe the amount of planning and preparation that goes into selecting the web property to compromise and then burning the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don't know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don't think that I have ever seen "CreateRemoteThread" used to deliver a payload in a significant exploit.
At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS13-088. These should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVEs are "information disclosure" issues, which help exploit developers advance their exploit code further into process space and are serious issues in their own right.
Surprisingly, Microsoft is patching code in its WordPerfect converter "wpft532.cnv" for stack overflow issue CVE-2013-1324. This vulnerability enables spearphishing attacks across all versions of the OS, although on 64-bit platforms the component may not be present. I didn't expect to write about a stack BoF in their code at the end of 2013, but hey, it's tricky stuff.
More about this month's patches can be found at the Microsoft site.
Microsoft's 2013 Treehouse of Horror Bulletins include a long list of fixes for memory corruption vulnerabilities affecting mostly previous versions of the software rather than the latest versions. Of immediate interest to most Windows users are the critical vulnerabilities being patched in Internet Explorer, multiple Windows drivers, and the .NET Framework, which even affects the latest versions of Windows 8 and Windows Server 2012. Systems administrators at organizations should also pay immediate attention to the critical vulnerability in the Windows Common Control Library patched by MS13-083, which enables exploitation of server-side ASP.NET web applications on 64-bit systems. MS13-080 through MS13-087 comprise four Bulletins rated Critical and four rated Important, addressing 26 vulnerabilities.
Much of the list of ghoulish October Bulletins appears similar to September's list, but the news of note this month is that the Internet Explorer vulnerabilities CVE-2013-3893 and CVE-2013-3897 are being exploited as part of targeted attacks. We have been monitoring the situation in Japan and Southeast Asia, where attackers have been using exploits that successfully pop Internet Explorer versions 8 and 9.
It's somewhat surprising that the Office vulnerabilities affecting Office 2003 and 2007, patched with MS13-084, MS13-085, and MS13-086, are only rated "Important" this month, considering that Microsoft Excel and Word have been leading vectors of spearphishing attacks for the past year or so. The vulnerabilities enable remote code execution on systems where the user is duped into opening the attachment.
Interesting and unusual is this month's Windows Common Control Library vulnerability affecting only x64 ASP.NET web applications. Attackers may send a pre-authentication web request to a web application, attacking integer overflow vulnerability CVE-2013-3195 for remote code execution. Even sysadmins following best practices may end up with an attacker's process running on their web servers with local user rights.
Full ghastly October Bulletin details on Microsoft's Technet site here. Microsoft's Update software is a convenient and easy way to update your system software every month. If you are running Microsoft software, please go ahead and do so now.
Microsoft releases a long list of security bulletins this month on the server and client side, patching an even longer list of vulnerabilities in this month's array of technologies. Only four of the bulletins are rated "Critical" this month: Internet Explorer, a variety of built-in Windows components, and SharePoint and Office Web Services. Thirteen security bulletins are released in total, patching almost fifty vulnerabilities. Nearly every one of this month's vulnerabilities was reported privately, other than the XSS vulnerability in SharePoint, which Microsoft claims would be difficult to exploit. In all likelihood, Windows folks will have to reboot at some point following the download and install of around 100 MB of system updates this month.
For mass exploitation purposes, the most problematic issues are in Internet Explorer, with working exploits likely to be developed in the near future for these memory corruption vulnerabilities. These are the sort of things that can happen to anyone online, so all Windows users should address them ASAP. These ten vulnerabilities enable remote code execution across all supported versions of IE on all Windows clients and servers, so they will most likely receive immediate attention from the offensive security global peanut gallery.
On the targeted attack side, SharePoint and Office Web Services administrators need to be aware of the critical vulnerabilities addressed by the large cumulative update MS13-067. Flaws in this code base enable RCE that could be exploited with the spearphishing techniques very commonly and effectively in use.
Also problematic from both perspectives is an interesting Outlook update, which patches a flaw in Outlook 2007 and 2010 S/MIME handling. It can be triggered in preview mode, which makes this the first severe, potentially wormable issue seen in Outlook in years. Patch immediately.
The long list of important updates are presented at Microsoft's Technet site here.
Today, Microsoft released a set of eight security Bulletins (MS13-059 through MS13-066) for a broad variety of vulnerable technologies and exploit categories. The critical vulnerabilities are not known to be exploited publicly at the time of Bulletin release. The more interesting Bulletins this month address RCE and EoP vulnerabilities in Internet Explorer, Windows components, and yet again Exchange/OWA components licensed from Oracle. Also included in this month's release are fixes for RPC, kernel-mode drivers, Active Directory, and the networking stack.
MS13-059 is the priority update to roll out across Windows clients, as it fixes nine critical memory corruption vulnerabilities (which look like use-after-free bugs to me) in IE6, IE7, IE8, IE9, IE10 and even the IE11 preview on the Windows 8.1 preview, along with an XSS issue due to flawed Kanji font handling and flawed code in the "Windows Integrity Mechanism", which is used for sandboxing apps like Internet Explorer, Adobe Reader and Google Chrome. On Windows Server the maximum severity is "Moderate", and the issues don't affect "Server Core" installations at all. Admins need to refer to the severity ratings and maximum impact table to prioritize server patch deployments, but those who need to prioritize patch deployments probably shouldn't surf the web from those systems anyway.
MS13-060 corrects code in the Unicode Scripts Processor, usp10.dll, which implements OpenType font handling; OpenType is a format developed by Microsoft and Adobe on top of the TrueType format. This DLL is used by Windows and all sorts of third-party applications to handle right-to-left scripts like Arabic and Hebrew, and other complex scripts like Indic and Thai as well. The vulnerability is a user-mode vulnerability that affects only Windows XP SP2 and SP3 (64-bit too) and Windows Server 2003. These systems continue to be widely deployed, especially in government and critical infrastructure around the world. Exploits may be delivered via spearphish, as in the Duqu incident, or via a web page for a browser like Internet Explorer, as in the Duqu copycat code in the Blackhole exploit pack, which continues to be widely distributed and highly active.
Another interesting update is MS13-061, which patches third-party components built by Oracle and licensed by Microsoft for Outlook Web Access on Exchange Server 2007, 2010, and 2013. Applying the patch will not require a system reboot, but it will restart related Exchange services. The interesting thing about this critical set of issues is that they enable exploitation of the WebReady Document Viewing and Data Loss Prevention features of OWA for code execution not on the client system, but on the server itself with LocalService credentials. So a client previewing a document sent to its email account can remotely execute code on the server in the service's context, which is very problematic.
Please review the set and update ASAP. While most of the vulnerabilities this month were privately reported, these present high-risk opportunities, and the Exchange issues and their exploitation are publicly known.
A snippet of code on the Central Tibetan Administration website redirects Chinese-speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site describes the administration as "...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet." The choice of placement for the malicious code is fairly extraordinary, so let's dive in.
The attack itself is precisely targeted: an appended, embedded iframe redirects visitors of "xizang-zhiye(dot)org" (the Chinese-language version of the site) to a Java exploit that carries a backdoor payload. The English and Tibetan versions of the website do not contain this embedded iframe; only the Chinese version does (please do not visit it at this time). At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212 KB "YPVo.jar" (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which also archives, drops and executes the backdoor. That file is a 397 KB Win32 executable "aMCBlHPl.exe" (a6d7edc77e745a91b1fc6be985994c6a), detected as "Trojan.Win32.Swisyn.cyxf". Backdoors detected with the Swisyn verdict are frequently part of APT-related toolchains, and this one most certainly is.
The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but the same actor distributed the original CVE-2012-4681 0day (Gondzz.class and Gondvv.class) in August of last year. You can see the 4681 exploit code in the image above, along with code setting the JVM SecurityManager to null to disable Java's policy checks and then running the Payload.main method. Payload.main contains some interesting but simple capabilities that let an attacker download the payload over HTTPS and decrypt it with Java's built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the JAR file's Win32 EXE resource. The backdoor itself is detected by most of the AV crowd as a variant of gaming password stealers, which is flatly incorrect. The related C2 is located at news.worldlinking.com (126.96.36.199).
This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years, alongside the standard spearphishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back to at least a busy late-2011 season. We have also seen Java exploits from this server aimed at Apple systems, targeting the more recent CVE-2013-2423.
UPDATE 2013.08.13: The CN version of the site at "xizang-zhiye(dot)org" appears to be cleaned up and has not been serving any malicious code that I can find over the past day. The administrators appear to have cleaned everything up on early Tuesday their time/later Monday "western" time and there are no indications of any return since. We will continue to monitor the site for signs of compromise.
Blackhat 2013 day 2 brought 0day, a sad remembrance of young researcher Barnaby Jack, and ICS/SCADA security vulnerabilities and review. Highlights of day 2 included a mind-blowing talk from Mateusz "j00ru" Jurczyk and Gynvael Coldwind, further exploring the kernel-level double fetch vulnerability research that has attracted interest since at least 2008. A double fetch is a race in which the kernel reads the same user-controlled value twice, once to validate it and once to use it, leaving a window in which a second user thread can change it in between. It is interesting stuff, considering that buffer overflow code is particularly well audited but race conditions simply are not. Race conditions like these enable EoP exploitation and other severe attacks. The two developed the Bochspwn framework to implement CPU-level OS instrumentation that locates double fetches by their memory access patterns, and have been cranking out substantial findings in the Windows and Linux kernels since. They dropped Windows 8 0day (already reported to Microsoft) with yet more discoveries, releasing their Bochspwn project code during their talk "Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns". It's interesting that the FreeBSD code they examined had been audited before and so does not contain these bugs, while Linux and Windows pour out related issues.
They are hoping that folks can port the code to assess interesting and exotic embedded platforms and contribute to the body of work. Unfortunately, a second part of their work, Hyperpwn, ran into unexpected technical challenges in the structure of the memory regions they are most interested in, and it was not ready for prime time. Research is like that, and the talk was fantastic without it. Their work also happened to win a well-deserved "Most Innovative Research" Pwnie the night before.
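To make the double fetch pattern concrete, here is an added C example; it is not code from the talk or from Bochspwn. The user_req struct, the KBUF_LEN limit, the "racer" hook that plays the concurrent user thread, and the tiny access log that stands in for Bochspwn's memory-access instrumentation are all constructed for this illustration. The vulnerable syscall validates req->len on one fetch and re-reads it for the copy; the fixed version fetches once into kernel-owned storage and only ever uses that copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated request living in user-controlled memory. A real kernel would
 * reach it through a user pointer; here it is just a struct the racer
 * below can modify at any time. (Constructed for this example.) */
struct user_req {
    uint32_t len;
    uint8_t  data[64];
};

#define KBUF_LEN      16   /* size of the kernel buffer the copy must fit */
#define MAX_ACCESSES  32

/* Stand-in for Bochspwn-style instrumentation: every kernel read of user
 * memory is logged with its address, so a second read of the same address
 * within one syscall can be flagged. The optional racer hook plays the
 * concurrent user thread that rewrites the struct between the reads. */
struct access_log {
    const void      *addr[MAX_ACCESSES];
    size_t           n;
    void           (*racer)(struct user_req *);
    struct user_req *req;
};

static uint32_t fetch_user_u32(struct access_log *log, const uint32_t *p)
{
    uint32_t v = *(const volatile uint32_t *)p;   /* volatile: no merged reads */
    if (log->n < MAX_ACCESSES)
        log->addr[log->n++] = p;
    if (log->racer)
        log->racer(log->req);                      /* user thread gets to run */
    return v;
}

/* True if any user address was fetched more than once in this syscall. */
static bool double_fetch_detected(const struct access_log *log)
{
    for (size_t i = 0; i < log->n; i++)
        for (size_t j = i + 1; j < log->n; j++)
            if (log->addr[i] == log->addr[j])
                return true;
    return false;
}

/* Vulnerable pattern: len is validated on the first fetch and re-read
 * for the copy, so the check applies to a value that may no longer exist. */
static long syscall_vulnerable(struct access_log *log, struct user_req *req,
                               uint8_t *kbuf, size_t scratch_len)
{
    if (fetch_user_u32(log, &req->len) > KBUF_LEN)  /* fetch 1: check */
        return -1;
    uint32_t n = fetch_user_u32(log, &req->len);    /* fetch 2: use   */
    /* In a real kernel this memcpy would overrun a KBUF_LEN-byte buffer.
     * kbuf is an oversized scratch area here so the demo stays well-defined. */
    if (n > scratch_len)
        n = (uint32_t)scratch_len;
    memcpy(kbuf, req->data, n);
    return (long)n;
}

/* Fixed pattern: fetch the value once into kernel-owned storage, then
 * validate and use only that copy. */
static long syscall_fixed(struct access_log *log, struct user_req *req,
                          uint8_t *kbuf, size_t scratch_len)
{
    (void)scratch_len;
    uint32_t n = fetch_user_u32(log, &req->len);    /* single fetch */
    if (n > KBUF_LEN)
        return -1;
    memcpy(kbuf, req->data, n);
    return (long)n;
}

/* The racing user thread: len passes the check as 8, then becomes 64. */
static void racer_grow_len(struct user_req *r) { r->len = 64; }

typedef long (*syscall_fn)(struct access_log *, struct user_req *, uint8_t *, size_t);

/* Run one variant under the racer; returns bytes copied, sets *double_fetch. */
static long run_race(syscall_fn sys, bool *double_fetch)
{
    static uint8_t scratch[256];
    struct user_req req;
    memset(&req, 0, sizeof req);
    req.len = 8;
    memset(req.data, 'A', sizeof req.data);
    struct access_log log = { {0}, 0, racer_grow_len, &req };
    long rc = sys(&log, &req, scratch, sizeof scratch);
    *double_fetch = double_fetch_detected(&log);
    return rc;
}

int main(void)
{
    bool df;
    long n = run_race(syscall_vulnerable, &df);
    printf("vulnerable: copied %ld bytes into a %d-byte buffer, double fetch=%d\n", n, KBUF_LEN, df);
    n = run_race(syscall_fixed, &df);
    printf("fixed:      copied %ld bytes, double fetch=%d\n", n, df);
    return 0;
}
```

The access-log check is the whole Bochspwn idea in miniature: the bug is visible purely from the access pattern (two reads of the same user address in one syscall), before anyone reasons about what the value means. That is why the technique finds bugs that an audit focused on buffer lengths walks straight past.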
"SCADA Device Exploitation" highlighted a large dependency in attacking ICS environments: "it's all about the pivot". Meaning, ICS environments are best infiltrated from the back office and down through the reporting and control environment, historian servers and other Windows resources, potentially to the PLCs themselves. A later talk, "Compromising Industrial Environments from 40 Miles Away", chipped away at that myth by exposing poor and insecure crypto implementations in various heavily used ICS products. In addition, the realities of present-day ICS implementations certainly do not follow the generic network maps positioning PLCs buried layers down in the network. Network resources are distributed, and operations and implementations are poor and messy. The "SCADA Device Exploitation" speakers had other interesting points and demos too. They pointed out OPC as a DCOM-based technology used "everywhere in the process control industry", resulting in tons of firewall ports allowing access across LANs, and that 93,793 insecure Modbus-based ICS services were listening on ports directly connected to the internet in 2012. They then demoed weaknesses in commonly used PLC devices, forcing a pump to overflow a tank while the reporting HMI claimed devices were operating properly, in another throwback to the Stuxnet incident.
"Compromising Industrial Environments from 40 Miles Away" outlined impressive audits of several unnamed vendors' commonly used SCADA devices, showing that the authentication and crypto schemes on these devices frequently fail to deliver on the marketing messages these vendors pitch. Weak ICS radio encryption can enable remote access to insecure Modbus-based devices, and the speakers demoed an animated small tank explosion. The guys even identified remote memory corruption 0day in a remote gateway device resulting in a system freeze, a significant problem in ICS environments.
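Both talks above lean on the same fact: Modbus/TCP, the protocol those 93,793 internet-facing services speak, has no place in the frame for a credential. The following is an added C example, not code from either talk; it builds a Read Holding Registers request and strictly parses a reply, with the device reply and exception frames constructed inline to stand in for a PLC. The MBAP field layout follows the Modbus/TCP specification; the function names and the MB_* constants are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modbus/TCP framing: a 7-byte MBAP header (transaction id, protocol id = 0,
 * length of everything after the length field, unit id) followed by the PDU
 * (function code + data). There is no authentication, session or integrity
 * field anywhere in the frame: anyone who can reach TCP/502 is trusted. */
#define MB_FC_READ_HOLDING   0x03
#define MB_MAX_FRAME         260
#define MB_MAX_READ_REGS     125

/* Build a Read Holding Registers request. Returns frame length or 0. */
static size_t mb_build_read_holding(uint8_t *out, size_t out_len,
                                    uint16_t tid, uint8_t unit,
                                    uint16_t start_addr, uint16_t quantity)
{
    if (out_len < 12 || quantity == 0 || quantity > MB_MAX_READ_REGS)
        return 0;
    out[0]  = (uint8_t)(tid >> 8);        out[1]  = (uint8_t)tid;
    out[2]  = 0;                          out[3]  = 0;      /* protocol id */
    out[4]  = 0;                          out[5]  = 6;      /* unit + 5-byte PDU */
    out[6]  = unit;
    out[7]  = MB_FC_READ_HOLDING;
    out[8]  = (uint8_t)(start_addr >> 8); out[9]  = (uint8_t)start_addr;
    out[10] = (uint8_t)(quantity >> 8);   out[11] = (uint8_t)quantity;
    return 12;
}

/* Parse a Read Holding Registers response strictly: every length field must
 * agree with the bytes actually received. Returns the register count, -1 for
 * a malformed or mismatched frame, or -(0x100 + code) for a Modbus exception. */
static int mb_parse_read_holding(const uint8_t *in, size_t in_len,
                                 uint16_t expect_tid, uint8_t expect_unit,
                                 uint16_t *regs, size_t max_regs)
{
    if (in_len < 9)
        return -1;
    uint16_t tid   = (uint16_t)((in[0] << 8) | in[1]);
    uint16_t proto = (uint16_t)((in[2] << 8) | in[3]);
    uint16_t len   = (uint16_t)((in[4] << 8) | in[5]);
    if (tid != expect_tid || proto != 0 || in[6] != expect_unit)
        return -1;
    if ((size_t)len + 6 != in_len)              /* MBAP length vs. received */
        return -1;
    uint8_t fc = in[7];
    if (fc == (MB_FC_READ_HOLDING | 0x80))      /* exception response */
        return -(0x100 + in[8]);
    if (fc != MB_FC_READ_HOLDING)
        return -1;
    uint8_t byte_count = in[8];
    if (byte_count % 2 != 0 || (size_t)byte_count != in_len - 9)
        return -1;
    size_t n = byte_count / 2;
    if (n > max_regs)
        return -1;
    for (size_t i = 0; i < n; i++)
        regs[i] = (uint16_t)((in[9 + 2 * i] << 8) | in[10 + 2 * i]);
    return (int)n;
}

/* Constructed device reply, standing in for a PLC answering the request
 * built in main(): tid 1, unit 1, FC 3, 4 data bytes = registers 0x0102, 0x0304. */
static const uint8_t sample_reply[] = {
    0x00, 0x01,  0x00, 0x00,  0x00, 0x07,  0x01,
    0x03, 0x04,  0x01, 0x02,  0x03, 0x04
};

/* Constructed exception reply: FC 0x83, code 0x02 (illegal data address). */
static const uint8_t sample_exception[] = {
    0x00, 0x01,  0x00, 0x00,  0x00, 0x03,  0x01,  0x83, 0x02
};

int main(void)
{
    uint8_t req[MB_MAX_FRAME];
    uint16_t regs[MB_MAX_READ_REGS];
    size_t n = mb_build_read_holding(req, sizeof req, 1, 1, 0x0000, 2);
    printf("request bytes: %zu (no credentials anywhere in them)\n", n);
    int rc = mb_parse_read_holding(sample_reply, sizeof sample_reply, 1, 1,
                                   regs, MB_MAX_READ_REGS);
    printf("reply: %d registers, reg0=0x%04x reg1=0x%04x\n", rc, regs[0], regs[1]);
    rc = mb_parse_read_holding(sample_exception, sizeof sample_exception, 1, 1,
                               regs, MB_MAX_READ_REGS);
    printf("exception reply: code 0x%02x\n", -rc - 0x100);
    return 0;
}
```

Twelve bytes, all of them structure, is the entire request; swap the function code for a write (FC 6 or 16) and the same unauthenticated path changes a setpoint. The strict parser matters on the other side of the conversation: an HMI that trusts the byte count or the MBAP length from a spoofed device is where the "reporting looks fine while the tank overflows" demo begins.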
Of course, Barnaby Jack's slot "Implantable Medical Devices: Hacking Humans" was not replaced. Instead, the room was used to celebrate Jack and his work as an inspiration, a colleague, a friend and authentic hacker. The night before he was awarded the only "Pwnie for Lifetime Achievement", "Awarded to those of us who have moved on to bigger and better things."
Cheers to looking forward to another gathering in 2014...
This year's Blackhat 2013 conference started off with a surprisingly detailed presentation from General Keith Alexander on his recently exposed programs, including even screenshots of what looked like a Windows XP GUI that an analyst would see when examining phone call metadata.
Alexander's keynote can be boiled down to a few points:
1. The program is built on identifying terrorist communications activity around the world and eventually tying those communications back to individuals in the US. In 2012, the program produced reports on under 500 total phone numbers in the US.
2. The communications intercept programs are under intense review, including a four-year review by the Senate that found no wrongdoing in employee activities within the program (one of the things that makes the US program different from other countries' is the rigid accountability regime).
3. Every other country in the world has some form of legal communications intercept program.
Unfortunately, there weren't terribly many technical details, or discussion of technical details. Mostly, discussion of any technical details revolved around limiting NSA analysts' access to the data. But he handled questions from the audience along with some pretty intense heckling.
Interesting talks included an examination of the new Blackberry 10 OS attack surface from Ralf-Philipp Weinmann, one of the researchers who exploited the Blackberry Torch at Pwn2Own 2011. While he was pretty impressed with their build tools, he found the collection of Adobe AIR, Qt and Python running on top of the new QNX-based OS "weird". He discussed potential privilege escalation issues and QUIP, a so-called forensics service hidden away in the OS.
Other interesting talks included reviews of UEFI and BIOS-level attacks, with bootkits and rootkits effective on Windows 8 systems demonstrated. It was interesting that these attacks focused on individual vendors' firmware implementations and handling. A team from MITRE demonstrated PoCs called "Flea", "Tick" and "Flash Hopper", attacking Dell firmware packages. The code even persisted on the system across signed BIOS updates. Impressive stuff.
The guys behind Maltego delivered a new release of their research and data visualization tool, adding collaborative features like XMPP for real-time chat and data syncing. They also put on display its integration with various reconnaissance and attack tools they call "Teeth" and "Kingfisher", upping its offensive security capabilities. The tool can now scan and identify web services and accordingly apply brute force, SQLi and other web app attacks.
As far as I know, no 0day was publicly dropped at any of the talks this year. Coordinated disclosure seemed to be used by all the researchers that I am aware of, so far this year.
Internet Explorer receives the bulk of attention, with sixteen RCE bugs and one "information disclosure" bug all fixed up in one tidy bulletin, MS13-055. All but one are memory corruption issues, and all versions of IE across all operating systems are affected by one or another of these RCE issues.
Serious issues in multiple graphics components are being addressed this month.
Serious memory corruption flaw CVE-2013-3174 in DirectShow is being fixed; it enables RCE across all supported Windows OS versions. DirectShow handles multimedia streaming, and the software mishandles .gif files, an ancient file format designed back in the day of 8-bit color, Windows 3.1 and the 486. The major issue here is that this RCE exists across all versions of Windows.
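The bulletin does not say which part of GIF handling DirectShow got wrong, so the following is an added C example of the format's header as a hardened parser would treat it, not a reconstruction of CVE-2013-3174 or of Microsoft's code. The header layout is from the GIF87a/GIF89a specification; the status codes, the max_pixels budget and the 2x2 sample image are constructed for this example. The two fields a decoder must not trust are the colour table size bits, which decide how far past the 13-byte header it reads, and width*height, which sizes the frame buffer and wraps on a 32-bit multiply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GIF header layout (GIF87a/GIF89a spec): 6-byte signature, then a 7-byte
 * Logical Screen Descriptor: width u16 LE, height u16 LE, packed flags,
 * background colour index, pixel aspect ratio. Flag bit 7 announces a
 * Global Color Table whose size is 3 * 2^((flags & 7) + 1) bytes (6..768).
 * A parser that trusts these fields reads past the buffer or sizes its
 * frame buffer from an overflowed width*height product. */
enum gif_status {
    GIF_OK = 0,
    GIF_BAD_SIGNATURE,
    GIF_TRUNCATED,       /* header or colour table extends past the data */
    GIF_BAD_DIMENSIONS   /* zero-sized or over the caller's pixel budget */
};

struct gif_header {
    uint16_t width, height;
    bool     has_gct;
    size_t   gct_bytes;     /* 0 when no global colour table is present */
    uint64_t pixel_count;   /* width * height, computed without overflow */
    size_t   data_offset;   /* first byte after header and colour table */
};

#define GIF_HEADER_LEN 13u

static enum gif_status gif_parse_header(const uint8_t *buf, size_t len,
                                        uint64_t max_pixels,
                                        struct gif_header *h)
{
    if (len < GIF_HEADER_LEN)
        return GIF_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BAD_SIGNATURE;

    memset(h, 0, sizeof *h);
    h->width  = (uint16_t)(buf[6] | (buf[7] << 8));
    h->height = (uint16_t)(buf[8] | (buf[9] << 8));
    uint8_t flags = buf[10];

    /* Widen before multiplying: on a 32-bit build width*height can wrap. */
    h->pixel_count = (uint64_t)h->width * (uint64_t)h->height;
    if (h->pixel_count == 0 || h->pixel_count > max_pixels)
        return GIF_BAD_DIMENSIONS;

    h->has_gct = (flags & 0x80) != 0;
    if (h->has_gct)
        h->gct_bytes = 3u * (1u << ((flags & 0x07) + 1));

    /* The table is only usable if the file actually contains it. */
    h->data_offset = GIF_HEADER_LEN + h->gct_bytes;
    if (h->data_offset > len)
        return GIF_TRUNCATED;
    return GIF_OK;
}

/* Constructed 2x2 GIF89a with a 2-entry (6-byte) global colour table and a
 * trailer byte; not a file from any attack described above. */
static const uint8_t sample_gif[] = {
    'G','I','F','8','9','a',
    0x02, 0x00,  0x02, 0x00,           /* width 2, height 2 */
    0x80,                              /* GCT present, size bits 000 -> 2 entries */
    0x00, 0x00,                        /* background index, aspect ratio */
    0x00,0x00,0x00, 0xff,0xff,0xff,    /* colour table: black, white */
    0x3B                               /* trailer */
};

int main(void)
{
    struct gif_header h;
    enum gif_status st = gif_parse_header(sample_gif, sizeof sample_gif,
                                          (uint64_t)1 << 24, &h);
    printf("status %d: %ux%u, gct %zu bytes, data at %zu\n", st,
           h.width, h.height, h.gct_bytes, h.data_offset);
    return 0;
}
```

A 13-byte file whose flag byte promises a 768-byte colour table is the cheapest test case to throw at any image decoder; the parser above rejects it as truncated instead of reading 768 bytes of whatever follows the buffer.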
A WMV decoding flaw implemented in several DLLs (wmvdecod.dll, wmvdmod.dll, and wmv9vcm.dll) enables RCE. The DLLs support Windows Media Player and the Windows Media Format Runtime across all versions of Windows except the default server installs. But some administrators may have enabled the optional "Desktop Experience" feature and installed these DLLs. The DLLs are not all installed on each OS by default, so not all systems require the MS13-057 Windows Media Format Runtime update.
TrueType font parsing, the functionality attacked in targeted attacks including the Duqu campaign and currently part of the Blackhole exploit kit, again enables exploitation of another vulnerability in kernel-mode graphics handling (win32k.sys) and GDI+. This bug also exists across all versions of Windows.
The Metasploit code attacking CVE-2013-3660, patched with MS13-053, is currently limited to escalation of privilege, but with all the interest, this one may soon become full RCE publicly. Considering that the bug was publicly circulated in May, it is great to see Microsoft finally roll out a full patch for it. In addition, this same win32k.sys bulletin carries this month's TrueType handling fix, which enables RCE across all versions of the Windows OS, including Windows Server 2012 Core installations.
.NET and Silverlight are being patched with one bulletin, and a couple of the bugs are publicly known.