Spin.com visitors served malware instead of music
On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.
At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could potentially have infected a substantial number of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on how long the website was redirecting visitors to the EK before our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.
Figure 1. Symantec telemetry shows visitors based in the US were most affected by spin.com compromise
How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.
Figure 2. Injected iframe on compromised spin.com website
When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.
Figure 3. Rig EK searches for driver files used by security software products
The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551)
- Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322)
- Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0497)
- Microsoft Silverlight Double Dereference Remote Code Execution Vulnerability (CVE-2013-0074)
- Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)
- Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
- Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2013-7331)
Upon successfully exploiting any of these vulnerabilities, an XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers, including the banking Trojan Infostealer.Dyranges and the infamous Trojan.Zbot (Zeus).
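An analyst who has captured the download described above needs to confirm that it is a Windows executable and recover the XOR key before it can be classified. The following added example (not Symantec's code) does that for a single-byte key, which is an assumption; the article only says the payload is XOR-encrypted. The sample blob is constructed.

```python
"""Recover a single-byte XOR key from a captured payload blob and confirm
the result is a Windows PE file. Added analysis example; the single-byte
key and the sample bytes below are assumptions/constructed data."""
import struct
from typing import Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """MZ signature, a sane e_lfanew at offset 0x3C, and 'PE\\0\\0' there."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try every single-byte key; the one that yields a PE header wins.
    XOR is a bijection, so at most one key maps the first two bytes to
    'MZ', which makes the candidate check unambiguous."""
    if len(blob) < 2:
        return None
    for key in range(256):
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:  # 'M', 'Z'
            continue
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def decode_payload(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded bytes) when the blob is a XOR-ed PE, else None."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return key, xor_bytes(blob, key)


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer standing in for a dropped payload:
    MZ header, e_lfanew -> 0x80, the DOS stub text, then the PE signature."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed "captured download": the sample PE XOR-ed with key 0x5A.
CAPTURED_BLOB = xor_bytes(build_sample_pe(), 0x5A)

if __name__ == "__main__":
    result = decode_payload(CAPTURED_BLOB)
    if result:
        key, plain = result
        print(f"key=0x{key:02x}, DOS stub present: {DOS_STUB in plain}")
```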
Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:
Intrusion prevention
- Web Attack: Exploit Toolkit Website 47
- Web Attack: Malicious Executable Download 2
- Web Attack: MSIE CVE-2013-2551 3
- Web Attack: Rig Exploit Kit Website 5
- Web Attack: Rig Exploit Kit Website 9
- Web Attack: Rig Exploit Kit Website 4
- Web Attack: Rig Exploit Kit Website 21
- Web Attack: MSIE XMLDOM ActiveX CVE-2013-7331 2
- Web Attack: MSIE XMLDOM ActiveX CVE-2013-7331
- Web Attack: Malicious Exploit Kit Silverlight Exploit 2
Antivirus
OSX.Wirelurker: Avoid pirated Mac OS X applications, untrusted Apple computers
Symantec Security Response is currently investigating OSX.Wirelurker, a threat that targets Apple computers running Mac OS X and Apple devices running iOS. WireLurker can be used to steal information from compromised iOS devices.
Figure. Maiyadi App Store
WireLurker was discovered on the Maiyadi App Store, a third-party app store in China. The threat is Trojanized into pirated Mac OS X applications. Once a pirated application has been downloaded onto a computer running OS X, WireLurker will spread to any iOS device connected to that computer with a USB cable. WireLurker can then install malicious applications, even if the iOS device is not jailbroken.
Symantec protection
Symantec detects WireLurker as:
Here are some steps Mac users can take to avoid malware like OSX.Wirelurker:
- Do not download pirated Mac OS X applications from third-party app stores
- Avoid connecting iOS devices to unknown or untrusted computers
- Install security software on Mac OS X computers
When tech support scams meet Ransomlock
What’s true for businesses is also true for scams and malware: to remain successful, they must evolve and adapt. Sometimes ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful, and every now and again they too borrow ideas from each other. We recently came across an example of this when we discovered a technical-support phone scam that uses a new ransomware variant (Trojan.Ransomlock.AM) that locks the user’s computer and tricks them into calling a phone number to get technical help to resolve the issue.
A game of two halves:
Ransomware
Ransomware can be divided into two main categories: ransomware that simply locks the compromised computer’s screen (Trojan.Ransomlock), and ransomware that encrypts files found on the compromised computer (Trojan.Ransomcrypt, Trojan.Cryptowall, Trojan.Cryptolocker, etc.).
This year we’ve observed a major role reversal in the ransomware landscape, with the cryptomalware variants overtaking the ransomlock variants in prevalence. Ransomlock variants may have lost the lead to cryptomalware variants, but they are by no means out of the game, and from time to time we do observe newcomers that add a fresh twist to the screen-locking business model.
Figure 1. Top ten ransomware detections as of 11-07-14
Technical support scams
Technical support scams are definitely not new and have been around for quite some time now. In these scams, the crooks cold call random people, often claiming to be from a well-known software company, and try to convince them that their computers are full of critical errors or malware. The end goal is to get onto the victim’s computer using a remote-access tool in order to convince the victim that there are problems, and then to entice the victim into buying fake repair tools to fix the non-existent problems. The Federal Trade Commission states that this type of scam is one of the fastest growing cyberscams, and several high-profile arrests have been made in recent times in a crackdown on the cybercriminals responsible. Technical support scams rely on potential victims being cold called, and this can mean a lot of work for the scammers; however, some cybercriminals have now overcome this and have figured out a way to get the victims to call them.
When scams merge
We recently came across Trojan.Ransomlock.AM that, like its predecessors, locks the compromised computer’s screen. The locked screen displays a blue screen of death (BSoD) error message, but this is no ordinary BSoD!
The message in this BSoD claims that the computer’s health is critical and that a problem has been detected, and it asks the user to call a technical support number.
For the sake of research, we made a call to the number to see just what these crooks are up to.
Figure 2. Fake BSoD lock screen
According to the support engineer we spoke to, named “Brian,” the technical support company is called “Falcon Technical Support.” Once the number has been called, the scam follows the same modus operandi as most technical support scams; however, the most interesting thing here is the use of ransomware in order to get the user to call the scammers. Once the call has been made, the scammers have everything they need to convince the user their computer is infected with malware…because it is infected with Trojan.Ransomlock.AM.
Figure 3. The scammers get a bright idea
Trojan.Ransomlock.AM
Trojan.Ransomlock.AM has been observed being distributed and bundled with a grayware installer (detected as Downloader). This installer offers to install grayware applications such as SearchProtect and SpeedUPMyPc.
Upon execution, it installs the grayware as advertised, but it also drops another file named preconfig.exe, which is the malware installer (detected as Trojan.Dropper). This second installer adds a registry entry on the infected computer so that the final payload (diagnostics.exe), which is Trojan.Ransomlock.AM, executes when the computer restarts.
Trojan.Ransomlock.AM needs an internet connection to perform its dirty deeds. The malware first sends information about the compromised computer to the command-and-control (C&C) server, such as the hostname, IP address, screen resolution, and a random number. In exchange, the C&C server sends back an image file of the correct size to fill the whole screen. The information collected also gives the crooks a useful head start when trying to convince the user that their computer is in trouble, something other technical support scammers do not have. The malware, stolen information, and BSoD lock screen all help to strengthen the scammers’ social-engineering capabilities.
Fortunately, Trojan.Ransomlock.AM was first seen in September and does not have a high prevalence; however, as with any threat, this can quickly change. According to our telemetry, the threat is currently limited to the United States.
Symantec protection
Trojan.Ransomlock.AM is far from the most complex or resilient ransomware we’ve seen and is in fact very simple. The compromised computer may look locked but users can simply follow these steps to unlock the screen:
- Simultaneously press the Ctrl+Alt+Delete keys on the keyboard
- Open Task Manager
- Search for the malware name (it should be diagnostics.exe) and end the process
- When the screen is unlocked, go to the registry editor by clicking on the Start button, then Run, and typing REGEDIT
- Delete the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Diagnostics" = "[PATH TO MALWARE]"
- You should also delete the malware’s file folder from the directory
Users of Symantec products can simply perform a full scan to safely remove Trojan.Ransomlock.AM.
Symantec has the following detections in place to protect against this threat:
Antivirus detections
Symantec advises users to be extra careful when calling or receiving a call from a technical call center. Users should be cautious and always check the company’s identity. If you need assistance with a computer-related issue, contact a reputable bricks-and-mortar computer repair shop or your IT support team if it’s your work computer that is affected.
Countdown to Zero Day—Did Stuxnet escape from Natanz?
Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.
Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”
In chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.
“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.”
This is a different story from the one that David Sanger’s sources painted in his New York Times article and in his book “Confront and Conceal”. Sanger states:
“. . . an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed [Stuxnet] to escape Iran’s Natanz plant and sent it around the world on the Internet.”
So which is right? Did Stuxnet originate outside of Natanz and spread all over the world with the hopes of eventually entering Natanz? Or did Stuxnet start inside of Natanz and accidentally escape due to a programming error?
Tracing the spread of Stuxnet
We actually covered how Stuxnet originated in a blog post in February 2011. Let’s start with whether it is possible to track Stuxnet’s origin back to specific companies in Iran.
Normally, it would not be possible to state with 100 percent accuracy where an infection started. However, in the case of Stuxnet version 1.x, the attackers left a trail behind which allows analysts to trace the specific genealogy of each sample. This is possible because every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected. As Stuxnet spreads from computer to computer, the list grows and grows. By examining this list, we can trace back from one entry to the next, extracting computer information from each entry. These are the breadcrumbs we can follow to get back to the original compromised computers.
What do the breadcrumbs look like?
Each entry in the list looks like the data shown in the following image. Although this may not make sense at first, by analyzing the code within Stuxnet, we can find out what each number represents.
Figure 2. List entry of compromised computers
Among other information, the computer name, domain name, date, and IP address are stored in each entry. We can extract information from previous data, which is shown in the following image.
Figure 3. Details stored in each entry
By looking at each entry in the list embedded in any sample, we can see how the threat moved from one computer to the next. The real computer names and domains have been anonymized.
Figure 4. List of compromised computers from one sample shows how Stuxnet spread
In the previous image, we can see Stuxnet’s path through the first six compromised computers. This information was extracted from one sample. When we look at the first six infections from a different sample, we get the following path.
Figure 5. List of compromised computers from another sample shows different movement pattern
The two samples’ first four entries are the same but after that, the samples moved in two different directions. At the fifth step, one sample compromised a computer on the WORKGROUP domain while the other sample compromised a computer on the MSHOME network.
Using this data, we graphed the spread of Stuxnet infections. See pages eight to ten of our Stuxnet whitepaper for more details.
Figure 6. Spread of Stuxnet infections
Many computers and domains used generic names that do not provide much insight into the targets. For example, WORKGROUP and MSHOME—two default workgroup names—appear very frequently in the breadcrumb logs. However, we were able to identify all of the places where Stuxnet infections originated, and they were all in Iran.
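The lineage argument above (shared leading hops, a divergence point, and a first hop that names the origin) can be reproduced from the ordered breadcrumb lists alone. The following is an added example, not Symantec's tooling; the three sample trails are constructed and anonymized, with WORKGROUP and MSHOME used as in the article, and the binary layout of a breadcrumb entry is not modelled because the page does not give it.

```python
"""Reconstruct Stuxnet 1.x infection paths from the ordered breadcrumb
lists carried by several samples, and find where each path started.
Added example; all entries below are constructed and anonymized."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# One breadcrumb: (computer name, domain or workgroup, date, IP address),
# the fields the article says each entry stores.
Entry = Tuple[str, str, str, str]

SAMPLE_A: List[Entry] = [
    ("PC-01", "CONTRACTOR-A", "2009-06-22", "10.1.1.5"),
    ("PC-07", "CONTRACTOR-A", "2009-06-23", "10.1.1.19"),
    ("LAPTOP-3", "CONTRACTOR-A", "2009-06-25", "10.1.2.8"),
    ("ENG-WS-2", "CONTRACTOR-B", "2009-07-01", "192.168.0.14"),
    ("HOME-PC", "WORKGROUP", "2009-07-04", "192.168.1.2"),
    ("FAMILY", "WORKGROUP", "2009-07-09", "192.168.1.7"),
]
# Sample B shares its first four hops with sample A and then branches onto
# an MSHOME network, mirroring the divergence the article describes.
SAMPLE_B: List[Entry] = SAMPLE_A[:4] + [
    ("DESKTOP", "MSHOME", "2009-07-05", "192.168.2.3"),
    ("OFFICE-1", "MSHOME", "2009-07-11", "192.168.2.9"),
]
# Sample C comes from an unrelated starting point.
SAMPLE_C: List[Entry] = [
    ("SRV-1", "CONTRACTOR-C", "2009-06-30", "10.9.0.2"),
    ("WS-4", "CONTRACTOR-C", "2009-07-02", "10.9.0.31"),
]


def common_prefix_length(a: List[Entry], b: List[Entry]) -> int:
    """Number of leading hops two trails have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def divergence_point(a: List[Entry], b: List[Entry]) -> Optional[int]:
    """Index of the first hop where two trails part ways, or None when one
    trail is simply a prefix of the other (same lineage, no branch)."""
    n = common_prefix_length(a, b)
    if n == len(a) or n == len(b):
        return None
    return n


def build_infection_tree(samples: List[List[Entry]]):
    """Merge every sample's trail into one parent -> children map.
    Returns (roots, children); roots are the first hop of each distinct
    lineage, i.e. the computers where an infection chain began."""
    children: Dict[Entry, List[Entry]] = defaultdict(list)
    roots: List[Entry] = []
    for trail in samples:
        if not trail:
            continue
        if trail[0] not in roots:
            roots.append(trail[0])
        for parent, child in zip(trail, trail[1:]):
            if child not in children[parent]:
                children[parent].append(child)
    return roots, dict(children)


def origin_domains(samples: List[List[Entry]]) -> List[str]:
    """Domains of the very first hop of each trail: where infections started."""
    return sorted({trail[0][1] for trail in samples if trail})


def render_tree(roots: List[Entry], children: Dict[Entry, List[Entry]],
                indent: int = 0) -> str:
    """Text rendering of the merged tree, one hop per line."""
    lines = []
    for node in roots:
        name, domain, date, ip = node
        lines.append("  " * indent + f"{name}@{domain} ({date}, {ip})")
        if node in children:
            lines.append(render_tree(children[node], children, indent + 1))
    return "\n".join(lines)


if __name__ == "__main__":
    roots, children = build_infection_tree([SAMPLE_A, SAMPLE_B, SAMPLE_C])
    print(render_tree(roots, children))
    print("A and B diverge at hop", divergence_point(SAMPLE_A, SAMPLE_B))
    print("origins:", origin_domains([SAMPLE_A, SAMPLE_B, SAMPLE_C]))
```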
The verdict
So did Stuxnet spread into Natanz as Zetter says or escape out of Natanz as Sanger reported?
Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz. In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work.
This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz.
Unfortunately, these breadcrumbs are only available for Stuxnet version 1.x. There was at least one previous version of Stuxnet released, version 0.5 (which we analyzed in our whitepaper), for which this infection path information is not available.
While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the timeframe (the summer of 2010) described in the Sanger article. As a result, it is unlikely that the 0.5 version is the subject of his article.
To make up your own mind, you should read Kim Zetter’s “Countdown to Zero Day”, which is out today.
Microsoft Patch Tuesday – November 2014
Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated 'Critical'.
As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.
Microsoft's summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-nov
The following is a breakdown of the issues being addressed this month:
MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)
Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.
Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352) MS Rating: Important
A remote code execution vulnerability exists in the context of the current user that is caused when a user downloads, or receives, and then opens a specially crafted Microsoft Office file that contains OLE objects.
MS14-065 Cumulative Security Update for Internet Explorer (3003057)
Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6349) MS Rating: Important
An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts with elevated privileges.
Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6350) MS Rating: Important
An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts with elevated privileges.
Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340) MS Rating: Important
An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.
Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345) MS Rating: Important
An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.
Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346) MS Rating: Important
An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.
Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323) MS Rating: Important
An information disclosure vulnerability exists when Internet Explorer does not properly restrict access to the clipboard of a user who visits a website. The vulnerability could allow data stored on the Windows clipboard to be accessed by a malicious site. An attacker could collect information from the clipboard of a user if that user visits the malicious site.
Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339) MS Rating: Important
A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, which could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.
MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)
Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) MS Rating: Critical
A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets.
MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)
MSXML Remote Code Execution Vulnerability (CVE-2014-4118) MS Rating: Critical
A remote code execution vulnerability exists when Microsoft XML Core Services (MSXML) improperly parses XML content, which can corrupt the system state in such a way as to allow an attacker to run arbitrary code. The vulnerability could allow a remote code execution if a user opens a specially crafted file or webpage.
MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)
Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333) MS Rating: Important
A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.
Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334) MS Rating: Important
A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.
Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335) MS Rating: Important
A remote code execution vulnerability exists in the context of the local user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.
MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)
TCP/IP Elevation of Privilege Vulnerability (CVE-2014-4076) MS Rating: Important
An elevation of privilege vulnerability exists in the Windows TCP/IP stack (tcpip.sys, tcpip6.sys) that is caused when the Windows TCP/IP stack fails to properly handle objects in memory during IOCTL processing.
MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)
Windows Audio Service Vulnerability (CVE-2014-6322) MS Rating: Important
An elevation of privilege vulnerability exists in the Windows audio service component that could be exploited through Internet Explorer. The vulnerability is caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges.
MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)
TypeFilterLevel Vulnerability (CVE-2014-4149) MS Rating: Important
An elevation of privilege vulnerability exists in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.
MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)
SharePoint Elevation of Privilege Vulnerability (CVE-2014-4116) MS Rating: Important
An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize page content in SharePoint lists. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.
MS14-074 Vulnerability in Remote Desktop Protocol could allow Security Feature Bypass (3003743)
Remote Desktop Protocol (RDP) Failure to Audit Vulnerability (CVE-2014-6318) MS Rating: Important
A security feature bypass vulnerability exists in Remote Desktop Protocol (RDP) when RDP does not properly log failed logon attempts. The vulnerability could allow an attacker to bypass the audit logon security feature. The security feature bypass by itself does not allow an arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability.
MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)
IIS Security Feature Bypass Vulnerability (CVE-2014-4078) MS Rating: Important
A security feature bypass vulnerability exists in Internet Information Services (IIS) that is caused when incoming web requests are not properly compared against the 'IP and domain restriction' filtering list.
MS14-077 Vulnerability in Active Directory Federation Services could allow Information Disclosure (3003381)
Active Directory Federation Services Information Disclosure Vulnerability (CVE-2014-6331) MS Rating: Important
An information disclosure vulnerability exists when Active Directory Federation Services (AD FS) fails to properly log off a user. The vulnerability could allow an unintentional information disclosure.
MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)
Microsoft IME (Japanese) Elevation of Privilege Vulnerability (CVE-2014-4077) MS Rating: Moderate
An elevation of privilege vulnerability exists in Microsoft IME for Japanese that is caused when a vulnerable sandboxed application uses Microsoft IME (Japanese).
MS14-079 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)
Denial of Service in Windows Kernel Mode Driver Vulnerability (CVE-2014-6317) MS Rating: Moderate
A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory.
More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
Operation CloudyOmega: Ichitaro zero-day and ongoing cyberespionage campaign targeting Japan
JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. The Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2014-7247) is being actively exploited in the wild to specifically target Japanese organizations.
The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Exp.CVE-2014-7247. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell; however, all payloads aim to steal confidential information from the compromised computer.
The content of the emails varies depending on the business interests of the targeted recipient’s organization; however, all are about recent political events associated with Japan. Opening the malicious attachment with Ichitaro drops the payload and displays the document. Often such exploitation attempts crash and then relaunch the document viewer to open a clean document in order to trick users into believing it is legitimate. In this particular attack, opening the document and dropping the payload are done without crashing Ichitaro and, as such, users have no visual indication of what is really happening in the background.
CloudyOmega
As Security Response previously discussed, unpatched vulnerabilities being exploited is nothing new for Ichitaro. However, during our investigation of this Ichitaro zero-day attack, we discovered that the attack was in fact part of an ongoing cyberespionage campaign specifically targeting various Japanese organizations. Symantec has named this attack campaign CloudyOmega. In this campaign, variants of Backdoor.Emdivi are persistently used as a payload. All attacks arrive on the target computers as an attachment to email messages. Mostly the attachments are in a simple executable format with a fake icon. However, some of the files exploit software vulnerabilities, and the aforementioned vulnerability in Ichitaro software is only one of them. This group’s primary goal is to steal confidential information from targeted organizations. This blog provides insights into the history of the attack campaign, infection methods, malware payload, and the group carrying out the attacks.
Timeline
The first attack of the campaign can be traced back to at least 2011. Figure 1 shows the targeted sectors and the number of attacks carried out each year. The perpetrators were very cautious about launching attacks in the early years; attacks began in earnest in 2014. By far, the public sector in Japan is the sector most targeted by Operation CloudyOmega. This provides some clue as to who the attack group is.
Figure 1. Targeted sectors and number of attacks
Attack vector
Email is the predominant infection vector used in this campaign.
Figure 2. Sample email used in attack campaign
Figure 2 is an example of an email used in recent attacks prior to those exploiting the Ichitaro zero-day vulnerability. The emails include password-protected .zip files containing the malware. Ironically, the attackers follow security best practices by indicating in the first email that the password will be sent to the recipient in a separate email. This is merely to trick the recipient into believing the email is from a legitimate and trustworthy source. The body of the email is very short and claims the attachment includes a medical receipt. The email also requests that the recipient open the attachment on a Windows computer. The file in the attachment has a Microsoft Word icon but, as indicated within Windows Explorer, it is an executable file.
Figure 3. Attached “document” is actually a malicious executable file
Payload
The malicious payload is Backdoor.Emdivi, a threat that opens a back door on the compromised computer. The malware is used exclusively in the CloudyOmega attack campaign and first appeared in 2011, when it was used in an attack against a Japanese chemical company. Emdivi lets a remote attacker execute commands on the compromised computer and sends the results back to the command-and-control (C&C) server over HTTP.
Each Emdivi variant has a unique version number and belongs to one of two types: Type S and Type T. The unique version number is not only a clear sign that Emdivi is systematically managed, but it also acts as an encryption key. The malware adds extra words to the version number and then, based on this, generates a hash, which it uses as an encryption key.
Both Emdivi Type S and Type T share the following functionality:
- Allow a remote attacker to execute code through HTTP
- Steal credentials stored by Internet Explorer
Type T is primarily used in Operation CloudyOmega, has been in constant development since the campaign was first launched in 2011, and is written in the C++ programming language. Type T employs techniques to protect itself from security vendors and network administrators. Important parts of Type T, such as the C&C server address it contacts and its protection mechanisms, are encrypted. Type T also detects the presence of automatic analysis systems or debuggers, such as the following:
- VirtualMachine
- Debugger
- Sandbox
Type S, on the other hand, was used only twice in the attack campaign. Type S is a .NET application based on the same source code and shared C&C infrastructure as Type T. However, protection mechanisms and encryption, essential features for threat survival, are not present in Type S. One interesting trait of Type S is that it uses Japanese sentences that seem to be randomly taken from the internet to change the file hash. For instance, in the example shown in Figure 4, it uses a sentence talking about the special theory of relativity.
Figure 4. Japanese text used by Emdivi Type S variant
Who is Emdivi talking to?
Once infected, Emdivi connects to hardcoded C&C servers using the HTTP protocol.
So far, a total of 50 unique domains have been identified from 58 Emdivi variants. Almost all websites used as C&C servers are compromised Japanese websites ranging from sites belonging to small businesses to personal blogs. We discovered that 40 out of the 50 compromised websites, spread across 13 IP addresses, are hosted on a single cloud-hosting service based in Japan.
Figure 5. Single IP hosts multiple compromised websites
The compromised sites are hosted on various pieces of web server software, such as Apache and Microsoft Internet Information Services (IIS), and are on different website platforms. This indicates that the sites were not compromised through a vulnerability in a single software product or website platform. Instead, the attacker somehow penetrated the cloud service itself and turned the websites into C&C servers for Backdoor.Emdivi.
The compromised cloud hosting company has been notified but, at the time of writing, has not replied.
Symantec offers two IPS signatures that detect and block network communication between infected computers and the Emdivi C&C server:
Zero-day and links to other cybercriminal groups
During our research, multiple samples related to this attack campaign were identified and allowed us to connect the dots, as it were, when it came to CloudyOmega's connections to other attack groups.
In August 2012, the CloudyOmega attackers exploited the zero-day Adobe Flash Player and AIR 'copyRawDataTo()' Integer Overflow Vulnerability (CVE-2012-5054) in an attack against a high-profile organization in Japan. The attackers sent a Microsoft Word file containing a maliciously crafted SWF file that exploited the vulnerability. Once successfully exploited, the file installed Backdoor.Emdivi. As CVE-2012-5054 was publicly disclosed in the same month, the attack utilized what was, at the time, a zero-day exploit.
Interestingly, the Flash file that was used in an Emdivi attack in 2012 and the one used in the LadyBoyle attack in 2013 look very similar.
Figure 6 shows the malformed SWF file executing LadyBoyle() code that attempts to exploit the Adobe Flash Player CVE-2013-0634 Remote Memory Corruption Vulnerability (CVE-2013-0634). The Flash file seems to have been created using the same framework used by the CloudyOmega group, but with a different exploit.
Figure 6. Malformed SWF file used in the LadyBoyle campaign in February 2013
Both attacks use a .doc file containing an Adobe Flash zero-day exploit that is used to install a back door. No other evidence connects these two different campaigns; however, as described previously in Symantec Security Response’s Elderwood blog, it is strongly believed that a single parent organization has broken into a number of subgroups that each target a particular industry.
In terms of the latest attack on Ichitaro, we collected a dozen samples of JTD files, all of which are exactly the same except for their payload. The parent organization, it would seem, supplied the zero-day exploit to the different subgroups as part of an attack toolkit and each group launched a separate attack using their chosen malware. This is why three different payloads (Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell) were observed in the latest zero-day attack.
Figure 7. Parent group sharing zero-day exploit
Conclusion
Operation CloudyOmega was launched by an attack group that has communication channels with other notorious attack groups including Hidden Lynx and the group responsible for LadyBoyle. CloudyOmega has been in operation since 2011 and is persistent in targeting Japanese organizations. With the latest attack employing a zero-day vulnerability, there is no indication that the group will stop their activities anytime soon. Symantec Security Response will be keeping a close eye on the CloudyOmega group.
Protection summary
It is highly recommended that customers using Ichitaro products apply any patches as soon as possible.
Symantec offers the following protection against attacks associated with Operation CloudyOmega:
AV
IPS
Update, November 14, 2014: The detection Bloodhound.Exploit.557 was renamed Exp.CVE-2014-7247 and the blog was edited accordingly.
The four most important online security events of 2014
With such an array of security incidents in 2014—from large-scale data breaches to vulnerabilities in the very foundation of the web—it’s difficult to know which to prioritize. Which developments were merely interesting and which speak of larger trends in the online security space? Which threats are remnants from the past and which are the indications for what the future holds?
The following are four of the most important developments in the online security arena over the past year, what we learned (or should have learned) from them, and what they portend for the coming year.
The discovery of the Heartbleed and ShellShock/Bash Bug vulnerabilities
In spring 2014, the Heartbleed vulnerability was discovered. Heartbleed is a serious vulnerability in OpenSSL, one of the most common implementations of the SSL and TLS protocols and used across many major websites. Heartbleed allows attackers to steal sensitive information, such as login credentials, personal data, or even decryption keys, that can lead to the decryption of secure communications.
Then, in early fall, a vulnerability was found in Bash, a common component known as a shell, which is included in most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is, itself, based around Unix).
Known as ShellShock or the Bash Bug, this vulnerability allows an attacker to not only steal data from a compromised computer, but also to gain control over the computer itself, potentially providing them with access to other computers on the network.
Heartbleed and ShellShock turned the spotlight on the security of open-source software and how it is at the core of so many systems that we rely on for e-commerce. For vulnerabilities in proprietary software, we just need to rely on a single vendor to provide a patch. However, when it comes to open-source software, that software may be integrated into any number of applications and systems. This means that an administrator has to depend on a variety of vendors to supply patches. With ShellShock and Heartbleed, there was a lot of confusion regarding the availability and effectiveness of patches. Hopefully this will serve as a wake-up call for how we need greater coordinated responses to open-source vulnerabilities, similar to the MAPP program.
Moving forward, new threats like these will continue to be discovered in open-source programs. But while this is potentially a rich, new area for attackers, the greatest risk continues to come from vulnerabilities that are known, but where the appropriate patches aren’t being applied. This year’s Internet Security Threat Report showed that 77 percent of legitimate websites had exploitable vulnerabilities. So, yes, in 2015 we'll see attackers using Heartbleed or ShellShock, but there are hundreds of other unpatched vulnerabilities that hackers will continue to exploit with impunity.
Coordinated cyberespionage and potential cybersabotage: Dragonfly and Turla
The Dragonfly group, which appears to have been in operation since at least 2011, initially targeted defense and aviation companies in the US and Canada, before shifting its focus mainly to energy firms in early 2013. Capable of launching attacks through several different vectors, its most ambitious attack campaign compromised a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This gave the attackers full access to systems where this software was installed. While this provided the attackers with a beachhead into target organizations in order to carry out espionage activities, many of these systems were running ICS programs used to control critical infrastructure such as petroleum pipelines and energy grids. While no cybersabotage was seen in these attacks, no doubt the attackers had the ability and could have launched such attacks at any time. Perhaps they chose to lie in wait and were interrupted before they could move on.
Dragonfly also used targeted spam email campaigns and watering-hole attacks to infect targeted organizations. Similarly, the group behind the Turla malware also uses a multi-pronged attack strategy to infect victims through spear-phishing emails and watering-hole attacks. The watering-hole attacks display extremely targeted compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. The attackers would also save their most sophisticated surveillance tools for high-value targets. Turla’s motives are different from Dragonfly’s, however. The Turla attackers are carrying out long-term surveillance against embassies and government departments, a very traditional form of espionage.
Both the Dragonfly and Turla campaigns bear the hallmarks of state-sponsored operations, displaying a high degree of technical capability and resources. They have mounted attacks through multiple vectors and compromised numerous third-party websites, with their apparent purpose being cyberespionage—and sabotage as a secondary capability for Dragonfly.
These campaigns are just examples of the many espionage campaigns we see on an almost daily basis. This is a global problem and shows no sign of abating, with attacks such as Sandworm also leveraging a number of zero-day vulnerabilities. Given the evidence of deep technical and financial resources these attacks are very likely state-sponsored.
Credit cards in the crosshairs
The lucrative business of selling stolen credit or debit card data on the black market makes these cards a prime target for bad guys. 2014 saw several high-profile attacks targeting point-of-sale (POS) systems to obtain consumers’ payment card information. One factor making the US a prime target is the failure to adopt the chip-and-PIN system, known as EMV (Europay, MasterCard and VISA), which offers more security than magnetic stripe-based cards. The attacks used malware which can steal the information from the payment card’s magnetic stripe as it is read by the computer and before it is encrypted. This stolen information can then be used to clone that card. Because EMV card transaction information is uniquely encoded every time, it's harder for criminals to pick up useful payment data pieces and use them again for another purchase. However, EMV cards are just as susceptible to being used for fraudulent online purchases.
Apple Pay, which basically turns your mobile phone into a “virtual wallet” by using near-field communication (NFC) technology, was also launched in 2014. NFC is a type of communication that involves wirelessly transmitting data from one hardware device to another physical object nearby, in this case a cash register.
While NFC payment systems have been around for a while now, we expect to see an uptick in consumer adoption of this technology in the coming year, as more smartphones support the NFC standard. It’s worth noting that while NFC systems are more secure than magnetic stripes, there is still a possibility of hackers exploiting them, although this would require the bad guys to target individual cards and wouldn’t result in large-scale breaches or theft like we have seen in the US. However, the payment technology used won’t protect against retailers who aren’t storing payment card data securely; they’ll still need to be vigilant in protecting stored data.
Increased collaboration with law enforcement
Now, for a bit of good news: 2014 saw many examples of international law enforcement teams taking a more active and aggressive stance on cybercrime by increasingly collaborating with the online security industry to take down cybercriminals.
Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry-level hackers right up to sophisticated cybercriminal groups. In May of 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on the use of Blackshades (also known as W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, providing information that allowed the agency to track down those suspected of involvement.
Just one month later, the FBI, the UK's National Crime Agency, and a number of international law enforcement agencies, working in tandem with Symantec and other private sector parties, significantly disrupted two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. This resulted in the FBI seizing a large amount of infrastructure used by both threats.
While these takedowns are part of an ongoing effort, we won’t see cybercrime disappearing overnight. Both private industry and law enforcement will need to continue to cooperate to have long-lasting impact. As the rate and sophistication of cyberattacks grows, we expect to see a continuation of this trend of collaboration to track down cybercriminals and stop them in their tracks.
So, there you have it, my take on the four most important online security events of 2014. Of course, there’s still a few weeks left before we ring in 2015, so we may yet see other events arise, but you can trust that Symantec is here and that we’ve got your back, no matter what the future may bring!
Annual G20 summit is attractive target for Flea attack group
Each year, as world leaders come together to discuss a variety of global economic issues at the G20 summit, organizations with a vested interest in the event are the recipients of malicious emails from threat actors.
This year, the summit will be held in Brisbane, Australia on November 15 and 16 and a specific attack group, which we call Flea, has been circulating malicious emails throughout 2014 in anticipation of the event. Targets include an international economic organization as well as a group connected to multiple monetary authorities. Once the attackers have compromised their target’s computers, they identify and steal valuable information from them.
Who is the Flea attack group?
The Flea attackers have been active since at least 2010 when they sent a decoy document to target those interested in the G20 Summit held in Seoul, South Korea that year. They have typically targeted European governments, global military organizations, and financial institutions. Flea uses one particular attack tool, detected as Infostealer.Hoardy, which can open a back door, run shell commands, and upload and download files on the compromised computer.
The attackers’ primary motivation is to steal information from targeted officials. They typically send spear-phishing emails with malicious attachments to compromise their intended victims’ computers. The content of these messages usually centers on an international event or theme that is of interest to their targets, such as nuclear issues, the Olympics, and major political conferences. They may also disguise these emails as job applications and send them to HR departments of targeted firms. Once the malware infects their target’s computers, the threat gives the attackers the ability to carry out reconnaissance on the compromised computers and identify and exfiltrate valuable information.
The Flea attack group carries out new attacks every four to eight months, suggesting that the group only wishes to steal information over a short amount of time. Flea’s attack tools also indicate that the group is not interested in laterally moving across compromised networks to reach other targets.
Figure 1. Flea attacks since 2010
Current G20 summit campaign
The Flea group has been circulating two G20-themed emails in the run-up to this weekend’s summit. The subject of one of these emails posits, “What exactly is the point of the G20 in Australia?” The email includes a malicious Word document that attempts to exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) on vulnerable computers.
Another email relates to a G20 document that is of interest to financial institutions. Following each meeting between finance ministers and central bank governors, a communiqué is released which includes G20 policy discussions and commitments. The Flea attackers know about these documents and have been circulating emails with the subject “Communiqué Meeting of G20 Finance Ministers and Central Bank” along with a malicious Word document similar to the one previously discussed.
In each of these examples, the malicious Word documents have been used to deploy Infostealer.Hoardy. A non-malicious Word document is also opened up on the compromised computer to ensure that the recipient doesn’t suspect that anything is amiss.
Figure 2. Non-malicious Word document
The attackers have sent these emails to multiple targets, including an international economic organization and a group connected to multiple monetary authorities. These targets have an interest in what is discussed at the G20 summit and some may have delegations attending the event. It gives the attackers a major opportunity to steal valuable data from their targets by enticing them with G20-themed communications.
Future G20-themed attacks
The Flea attack group isn’t the only threat to worry about during G20 summits. Threat actors have always found the G20 summit an opportune time to target individuals within governments and financial and economic development organizations. Prior to last year’s summit in Saint Petersburg, Russia, we observed a campaign using the Poison Ivy remote access Trojan (RAT) to target multiple groups. These targeted organizations should expect more of the same during future G20 summits. Different threat actors will no doubt continue to use organizations’ interests in the G20 summit to target them again in the coming years.
Protection
Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. Symantec detects the malware used in these latest G20-themed attacks as Infostealer.Hoardy.
Indicators of compromise
MD5s:
Command-and-control servers:
POS malware: Potent threat remains for retailers
As Americans gear up for another holiday shopping season, the threat posed by point-of-sale malware remains high. More than a year after the discovery of the first major attacks against POS networks, many US retailers are still vulnerable to this type of attack and are likely to remain so until the complete transition to more secure payment card technologies in 2015.
While some retailers have enhanced security by implementing encryption on their POS terminals, others have not, and retailers will continue to be low-hanging fruit for some time. While the introduction of new technologies will help stem the flow of attacks, it will not eliminate fraud completely, and attackers have a track record of adapting their methods.
Point-of-sale malware is now one of the biggest sources of stolen payment cards for cybercriminals. Although it hit the headlines over the past year, the POS malware threat has been slowly germinating since 2005 and the retail industry missed several warning signals in the intervening period. This allowed attackers to hone their methods and paved the way for the mega-breaches of 2013 and 2014, which compromised approximately 100 million payment cards and potentially affected up to one-in-three people in the US.
Attacks have reached epidemic proportions in part because POS malware kits are now widely available, which means attackers can target retailers without having to develop their tools from scratch. For example, BlackPOS (detected by Symantec as Infostealer.Reedum), which was used in some of the most high-profile attacks, has been for sale since February 2013 with a price tag of US$2,000. This is a relatively small investment for attackers, who are likely to net millions from a successful operation.
Figure 1. Point-of-sale attacks exploded once malware kits became widely available on the cyberunderground
Hopelessly exposed
Attacks on point-of-sale terminals had their genesis as far back as 2005, when attackers began using network-sniffing malware to intercept payment card data while in transit. A group of attackers led by Albert Gonzalez were the main perpetrators, stealing more than 90 million card records from retailers.
As payments processors and retailers tightened up their security, the attackers adapted and attention turned to the point-of-sale terminal. When a card is swiped, its details are briefly stored in the terminal’s memory while being transmitted to the payment processor. This provides a brief window for malware on the terminal to copy the card data, which it then transmits back to the attackers. The technique is known as “memory scraping”.
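The memory-scraping window described above is also what defenders and forensic analysts look for when checking whether card data is sitting in the clear on a terminal. As an added example (not code from the original post), the following Python scanner searches a captured memory region for ISO 7813 Track 1/Track 2 magnetic-stripe layouts, confirms candidate PANs with a Luhn check to drop random digit runs, and reports only masked PANs. The sample buffer is constructed and uses a well-known test card number.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, as a report may safely show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes):
    """Return (track, masked_pan, offset) for each Luhn-valid track record.

    Raw PANs are never returned, so the report itself does not become a leak.
    """
    findings = []
    for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append((track, mask_pan(pan), m.start()))
    return findings


# Constructed sample memory region: a process name, a Luhn-valid test PAN
# (4111 1111 1111 1111) in Track 1 and Track 2 format, and a Luhn-invalid
# decoy record that must NOT be reported.
SAMPLE = (
    b"pos.exe\x00\x00\x00%B4111111111111111^DOE/JOHN^2512101000000000?\x00\x00"
    b";4111111111111111=25121010000000000000?\x00garbage"
    b";1234567890123456=25121010000000000000?\x00"
)

if __name__ == "__main__":
    for track, masked, off in scan_buffer(SAMPLE):
        print(f"{track}: PAN {masked} exposed in the clear at offset {off}")
```

On a real system the same scan can be run over a process memory dump or over logs to confirm whether encryption at the read head is actually in effect.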
POS malware was first discovered in October 2008, when Visa issued an alert on a new type of exploit. During a fraud investigation, it found that attackers had been installing debugging software on POS systems that was capable of extracting full magnetic stripe data from memory. Little heed appears to have been taken of this warning, giving malware developers time to perfect their methods. In the intervening period, developers have worked to streamline the malware, integrating all functionality into a single piece of software.
This development process eventually led to fully featured POS malware kits emerging on underground markets from 2012 onwards. US retailers were hopelessly exposed and what followed was a flood of high profile breaches, with several major US retailers hit by POS malware attacks.
The following video demonstrates how POS malware works:
Spotlight: BlackPOS
One of the most widely used forms of POS malware is BlackPOS which is also known as KAPTOXA, Memory Monitor, Dump Memory Grabber, and Reedum. Variants of BlackPOS have been used to mount some of the biggest retail POS breaches.
Its development mirrors the evolution of the broader POS malware market. The earliest versions of BlackPOS date from 2010. Over time, it has evolved into a highly capable cybercrime tool which employs encryption to cover its tracks and can be customized to suit the target environment.
By February 2013, BlackPOS was ready for the mass market and the group behind one of its variants began selling it on underground forums, charging customers $2,000 for the package.
Thriving marketplace
While the malware used to mount POS attacks is usually sold on underground forums, these forums are also often where the bounty of those attacks returns to be sold. For example, stolen credit card details from some of the biggest US breaches were sold on a forum known as Rescator.
New research from Symantec found that prices can vary heavily depending on a number of factors, such as the type of card and its level, i.e. gold, platinum or business. Card data originating from the US tends to be cheaper because of the widespread availability of stolen US cards. Card details along with extra information, known as “Fullz”, tend to attract higher prices because details such as someone’s date of birth or credit card security password make it easier to perform fraudulent transactions or other activities.
Single credit cards from the US tend to cost $1.50 to $5, with discounts often available for those who buy in bulk. Single cards from the EU tend to cost more, selling for $5 to $8. Fullz start at $5 and can range up to $20. A single embossed plastic card with custom number and name meanwhile will sell for approximately $70. The stolen cards uploaded to Rescator were initially selling at a cost of $45 to $130 per card before prices later settled down.
Will new technologies render POS malware obsolete?
New payment card technologies, many of which are already in use in Europe, have been promoted as effective countermeasures for POS malware but are not a silver bullet. Their arrival is likely to herald the end of the large-scale POS breaches seen in recent years, but they will not eradicate theft of credit card data completely.
The adoption of EMV, chip-and-pin cards to replace traditional magnetic stripe cards ought to render the current generation of memory-scraping POS malware ineffective. However, chip-and-pin cards are still susceptible to skimming attacks and stolen credit card numbers can still be used in “card-not-present” transactions, such as online purchases.
Additionally, stolen credit card information from Europe is often used in the US, since the US doesn’t use chip and pin as a verification method. Going by this precedent, the advent of chip and pin in the US may mean attackers will continue to steal card information but use it in other countries that don’t use the chip-and-pin standard.
The chip-and-pin standard itself may be superseded at some point by the adoption of NFC mobile payment solutions such as Apple Pay, Google Wallet or CurrentC. With these payment technologies, the credit card number isn’t transmitted during the transaction. NFC is still susceptible to exploitation by attackers, but most attacks require physical proximity, making large-scale thefts almost impossible.
Advice for consumers
Some retailers are rolling out encryption on their point-of-sale networks to prevent memory scanning, which is encouraging. However, attackers have a tendency to adapt and evolve, and will no doubt look to circumvent these additional countermeasures.
There are several steps you can take to remain vigilant against this type of fraud:
- Monitor your bank account and credit card statements for any strange or unfamiliar transactions. Notify your bank immediately if you notice anything suspicious. Small transactions, such as a $1 charitable donation, are often used by criminals to test if a card is still usable.
- Carefully guard personal information such as your address, your Social Security number, or date of birth, and don’t use easily guessed passwords or PIN codes. All of these details can be used to facilitate identity theft and defeat additional security checks.
Advice for businesses
Symantec has a number of solutions for retailers who wish to guard their point-of-sale systems from attack. For more details, please read: Secure Your Point-of-Sale System
Symantec protection
Symantec products detect all of the currently known variants of point-of-sale malware, including:
- BlackPOS
- FrameworkPOS
- Dexter
- Chewbacca
- JackPOS
- RawPOS
- Vskimmer
- Backoff
Further information
For more information about attacks against POS systems, please read our whitepaper entitled: Attacks on point of sales systems
Regin: Top-tier espionage tool enables stealthy surveillance
An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.
It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.
As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
Figure 1. Regin’s five stages
Regin also uses a modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.
Timeline and target profile
Regin infections have been observed in a variety of organizations between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced from 2013 onwards. Targets include private companies, government entities and research institutes. Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure.
Figure 2. Confirmed Regin infections by sector
Infections are also geographically diverse, having been identified mainly in ten different countries.
Figure 3. Confirmed Regin Infections by country
Infection vector and payloads
The infection vector varies among targets and no reproducible vector had been found at the time of writing. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application. On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.
Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.
There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.
More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.
Stealth
Regin’s developers put considerable effort into making it highly inconspicuous. Its low-key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing. Symantec was only able to analyze the payloads after it decrypted sample files.
It has several “stealth” features. These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.
Conclusions
Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist. Additional analysis continues and Symantec will post any updates on future discoveries.
Further reading
Indicators of compromise for security administrators and more detailed and technical information can be found in our technical paper - Regin: Top-tier espionage tool enables stealthy surveillance
Protection information
Symantec and Norton products detect this threat as Backdoor.Regin.
DroidJack RAT: A tale of how budding entrepreneurism can turn to cybercrime
Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.
While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.
Figure 1. DroidJack website logo
Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.
Figure 2. DroidJack website logo
On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.
Figure 3. SandroRAT control panel
On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.
Figure 4. DroidJack control panel
Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:
- No root access required
- Bind the DroidJack server APK with any other game or app
- Install any APK and update server
- Copy files from device to computer
- View all messages on the device
- Listen to call conversations made on the device
- List all the contacts on the device
- Listen live or record audio from the device's microphone
- Gain control of the camera on the device
- Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
- Get the device’s last GPS location check in and show it in Google Maps
Figure 5. Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps
Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.
In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material. Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.
Figure 6. Disclaimer used in DroidJack marketing
Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job. Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.
Protection summary
Symantec offers the following protection against DroidJack.
Antivirus
- Android.Sandorat
- Android.Malapp (prior to the release of Sandorat)
Smart security for today's smart homes: Don't let attackers spoil your Christmas
Contributor: Mario Ballano
With the holiday season around the corner, thoughts turn to a warm home brightened up by the twinkle of seasonal decorations. If you’re a geek like me, it’s always tempting to opt for the high-tech solution and control your festive lights with one of the growing number of home automation devices available. However, Symantec has found that some of these devices contain security flaws that could allow attackers to gain access to your home network.
Two home automation hubs tested by Symantec had multiple security flaws that could potentially allow attackers to gain access to the hubs themselves and, by extension, to other devices connected to them. The issues aren't specific to these particular hubs; any connected device is potentially at risk. Many more smart home devices potentially have similar security flaws.
While the explosion of internet-enabled devices, known as the Internet of Things (IoT), holds exciting possibilities for home automation, it also presents some serious security challenges and home users need to be aware that it isn’t just their PCs or smartphones that could be compromised by attackers.
A Pandora’s Box
There is a huge range of smart home devices that could find their way into your house this holiday season:
- Smart power plugs to control Christmas lights
- CCTV cameras to catch Santa’s visit
- Smart smoke detectors in case the Christmas tree catches fire
- Smart entertainment systems, allowing the festive music to follow you from room to room
- Smart thermostats to keep your home nice and warm
- Smart door locks to keep unwanted guests out
- Security alarm systems to keep your home safe while on vacation
Many of these smart home devices connect wirelessly to a central hub which lets you manage them all from a smartphone or web browser. Apart from Wi-Fi, smart home devices use a wide range of communication protocols, such as Powerline, Z-Wave, Zigbee, in addition to custom radio protocols. We started our analysis with two smart power plug and hub combinations.
Smart hubs and security
The first hub we looked at uses Wi-Fi and its own radio protocol for communication. To ensure that the hub is running the latest version of its firmware, it periodically checks the internet for firmware updates. This is a good practice, as users are unlikely to manually update their IoT devices themselves and could potentially fall foul of unpatched, exploitable vulnerabilities.
However, in this case, the firmware updates were not digitally signed and were downloaded from an open Trivial File Transfer Protocol (TFTP) server. This could allow an attacker on the same network to redirect the device to a malicious TFTP server. There are several means of doing this such as through Address Resolution Protocol (ARP) poisoning or by changing the domain name system (DNS) settings. The TFTP server could then send a malicious firmware update to the device. If this happens, then the complete setup would be compromised and other connected devices could be attacked, as the attacker would have full control over the hub.
This same smart hub uses a custom radio transmission protocol for sending commands to connected devices without any additional authentication or security implementation. Unfortunately, this allows for successful replay attacks. These are very simple attacks which allow an attacker within range of the network to intercept some of the traffic and then replay it back over the network. For example, a signal to open a garage door captured while you are leaving the house could be used again later in the day to gain access. The same can be done for turning lights on or off. The attacker doesn’t even need to understand the protocol; they simply have to capture the signal used to issue a command and replay it.
The user can store this hub’s configuration details in a cloud service, allowing them to manage the device from the internet through any web browser. Unfortunately, the user’s account is protected by a simple, four-digit PIN code. This can be easily cracked with the tools available to today’s attackers.
Apart from the problem of an attacker guessing the PIN code (especially considering how “1234” is a common, unsecure PIN choice for many users), there are other issues with this particular cloud service. We discovered that the backend server is susceptible to a blind SQL injection attack. This could potentially reveal other users’ configuration details or may even let the attacker take control of other accounts. This could let the attacker switch off Christmas tree lights, or worse, without even being close to the house.
Unfortunately, the second smart home hub that we tested was not much better. This one did not use any authentication method for commands that were sent in the internal network. If an attacker is on the same Wi-Fi network as the hub, then they could gain control of any device connected to the hub. They could even go a step further, as the hub had a remote code execution vulnerability, allowing the attacker to execute arbitrary commands with root privileges on the hub.
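As an added illustration of the missing command authentication described for both hubs above (example code written for this page, not the vendors' firmware or any real hub protocol), here is a toy receiver that obeys whatever arrives next to one that checks a per-device HMAC tag on every frame and rejects any counter it has already seen; the key, device ids and frame layout are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed per-device key (assumption); a real hub would provision one per
# device at pairing time rather than shipping a fixed value in the firmware.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
TAG_LEN = 8   # truncated HMAC-SHA256 tag, kept short to fit a small radio frame


class NaiveReceiver:
    """Models the tested hubs: whatever frame arrives is obeyed.

    A frame captured once (e.g. b"garage:open") is accepted every time it is
    replayed, because nothing ties the frame to a sender or to a moment.
    """

    def accept(self, frame):
        return True, frame.decode()


def build_command(key, device_id, counter, action):
    """Encode device_id (2 bytes) | counter (4 bytes) | action | tag."""
    body = struct.pack(">HI", device_id, counter) + action.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""

    def __init__(self, key):
        self.key = key
        # Highest counter accepted per device. This must be persisted across
        # reboots, or old frames become replayable again after a power cycle.
        self.last_counter = {}

    def accept(self, frame):
        if len(frame) < 6 + 1 + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        device_id, counter = struct.unpack(">HI", body[:6])
        if counter <= self.last_counter.get(device_id, 0):
            return False, "replay"   # already seen, or older than the last accepted
        self.last_counter[device_id] = counter
        return True, body[6:].decode()


if __name__ == "__main__":
    frame = build_command(DEVICE_KEY, 7, 1, "garage:open")   # sent once by the remote
    naive, hub = NaiveReceiver(), AuthenticatedReceiver(DEVICE_KEY)
    print("naive, replayed:", naive.accept(b"garage:open"), naive.accept(b"garage:open"))
    print("auth, first    :", hub.accept(frame))   # (True, 'garage:open')
    print("auth, replayed :", hub.accept(frame))   # (False, 'replay')
```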
Risks to your smart home
These hubs are just two examples of what we managed to compromise in a short space of time and are the latest in a long line of security flaws found in smart home devices. For example, there have been cases where people modified the thermostat of their ex-spouse or disabled security locks. Recent reports warned of how thousands of webcams and baby monitors are accessible to anyone from the internet. There have also been reports of people taking control of home automation systems belonging to others.
In general, we have found that smart home device sensors can be attacked directly, for example by modifying the firmware through physical access to the device’s JTAG interface. The attackers could then sell the modified device to someone else, potentially compromising other devices or networks in their home.
Depending on the Wi-Fi network’s security settings, attackers could intercept communications from an IoT device to the central hub, smartphone, or the cloud and inject their own commands.
Additionally, if a backend cloud server is used for remote administration, this part also needs to be protected. Attackers could attempt to brute-force passwords to gain access to this server.
You may say that switching someone’s lights on and off is not such a big deal. This may be true, but the effects of a smart home attack are more relevant to security when you are on vacation. Some people may use remote-controlled lights to pretend that someone is still at home to keep burglars away. Smart thieves could also use open IP webcams to check if the owners are at home and where their valuable items are.
Another possible avenue for attackers to explore would be to apply the proven-to-work model of ransomware to the smart home. The homeowner could be coerced to pay a ransom in order to turn up the heating or even just to watch TV. This is a creepy potential paradise for stalkers, burglars, and other shady characters.
Smart protection
You should be vigilant when installing smart home devices and make sure that you understand the devices’ configuration settings. We at Symantec will keep our eyes open on the smart home device market and continue to inform vendors about discovered weaknesses in the devices we study.
Security varies a lot with different smart home devices, so it is difficult to give generic advice to users. Here are a few points to consider when installing smart home devices:
- Only enable remote administration from the internet if you really need it
- Set a strong password for the devices where possible
- Use strong passwords and WPA2 encryption to protect your Wi-Fi network
- Use trusted smart home brands from companies that invest in security
Destover: Destructive malware has links to attacks on South Korea
Backdoor.Destover, the destructive malware that was the subject of an FBI Flash Warning this week, shares several links to earlier attacks directed at targets in South Korea. Some samples of Destover report to a command-and-control (C&C) server that was also used by a version of Trojan.Volgmer crafted to attack South Korean targets. The shared C&C indicates that the same group may be behind both attacks.
Volgmer is a targeted piece of malware, likely used by a single group, which has been used in limited attacks, possibly as a first stage reconnaissance tool. It can be used to gather system information and download further files for execution. Significantly, the version of Volgmer which shares a C&C with Destover was configured specifically to attack South Korean targets and will only run on Korean computers.
Destover also shares some techniques and component names with the Jokra attacks against South Korea in 2013. However, there is no hard evidence as yet to link the attacks, and a copycat operation can’t be ruled out. Links also exist to the Shamoon attacks, with both attackers using the same commercially available drivers. However, in this instance it appears highly unlikely that the same group was behind both attacks; instead it would appear that the Destover attacks copied techniques from Shamoon.
Destover in action
Destover is a particularly damaging form of malware that is capable of completely wiping an infected computer. It was the subject of an FBI Flash Warning earlier this week after at least one variant of it was understood to have been used in a high profile attack.
There are several malicious files associated with the FBI Destover report:
- diskpartmg16.exe
- net_ver.dat
- igfxtrayex.exe
- iissvr.exe
Diskpartmg16.exe is the first file that is created on an infected computer and, when executed, it creates the files net_ver.dat and igfxtrayex.exe.
When “diskpartmg16.exe” is run, it connects to a number of specific IP addresses within a set IP range, as well as computer names in the format “USSDIX[Machine Name]”. This indicates that this variant of Destover was not intended to be indiscriminate and the malware had instead been configured to only attack computers belonging to one particular organization.
The destructive payload of Destover is carried by igfxtrayex.exe. In certain instances, when run, it will:
- Delete all files on fixed and remote drives
- Modify the partition table
- Install an additional module (iissvr.exe)
- Connect to a number of IP addresses on ports 8080 and 8000
Iissvr.exe, meanwhile, is a backdoor which listens on port 80. Once an attacker communicates with the compromised computer, this file displays a message, which reads:
“We’ve already warned you, and this is just a beginning.
We continue till our request be met.
We’ve obtained all your internal data including your secrets and top secrets.
If you don’t obey us, we’ll release data shown below to the world.
Determine what will you do till November the 24th, 11:00 PM(GMT).
Post an email address and the following sentence on your twitter and facebook, and we’ll contact the email address.
Thanks a lot to God’sApstls [sic] contributing your great effort to peace of the world.
And even if you just try to seek out who we are, all of your data will be released at once.”
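To show how the behaviours described in this section translate into detection logic, here is an added example (written for this page, not Symantec's detection code) that runs a few rules over constructed endpoint events; the event format, host names, paths and 192.0.2.x addresses are made up, while the file names and port numbers come from the text above.

```python
# Detection rules for the Destover behaviours described above, run over
# constructed endpoint telemetry. Event format (one event per line):
#   <timestamp> type=<kind> host=<name> key=value ...
DESTOVER_FILES = {"diskpartmg16.exe", "net_ver.dat", "igfxtrayex.exe", "iissvr.exe"}
BEACON_PORTS = {8080, 8000}
BACKDOOR_LISTEN_PORT = 80
# Processes expected to listen on port 80 (assumption); anything else is suspicious.
EXPECTED_WEB_LISTENERS = {"w3wp.exe", "httpd.exe"}

# Constructed sample events (not real telemetry). Paths, hosts and addresses are
# made up; the file names and ports are the ones described for Destover.
SAMPLE_EVENTS = """\
2014-12-03T02:10:01Z type=process_create host=ws12 pid=4412 image=C:\\Windows\\Temp\\diskpartmg16.exe parent=explorer.exe
2014-12-03T02:10:02Z type=file_create host=ws12 pid=4412 path=C:\\Windows\\Temp\\net_ver.dat
2014-12-03T02:10:02Z type=file_create host=ws12 pid=4412 path=C:\\Windows\\Temp\\igfxtrayex.exe
2014-12-03T02:10:05Z type=process_create host=ws12 pid=4480 image=C:\\Windows\\Temp\\igfxtrayex.exe parent=diskpartmg16.exe
2014-12-03T02:10:09Z type=net_connect host=ws12 pid=4480 dst=192.0.2.15 dport=8080
2014-12-03T02:10:10Z type=net_connect host=ws12 pid=4480 dst=192.0.2.16 dport=8000
2014-12-03T02:10:12Z type=process_create host=ws12 pid=4502 image=C:\\Windows\\Temp\\iissvr.exe parent=igfxtrayex.exe
2014-12-03T02:10:13Z type=net_listen host=ws12 pid=4502 lport=80
2014-12-03T02:11:00Z type=process_create host=ws07 pid=1200 image=C:\\Windows\\System32\\svchost.exe parent=services.exe
2014-12-03T02:11:01Z type=net_connect host=ws07 pid=1200 dst=192.0.2.99 dport=8080
"""


def parse_events(text):
    """Turn the key=value lines into dicts; the first token is the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": ts}
        for pair in pairs:
            k, v = pair.split("=", 1)
            ev[k] = v
        events.append(ev)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_destover(events):
    """Return (timestamp, host, rule, detail) tuples for matching events.

    A (host, pid) -> image map is built from process_create events so that the
    file and network rules can attribute an action to the process behind it.
    """
    image_of = {}
    alerts = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        key = (host, ev.get("pid"))
        if kind == "process_create":
            name = basename(ev["image"])
            image_of[key] = name
            if name in DESTOVER_FILES:
                alerts.append((ev["ts"], host, "destover_component_executed", name))
        elif kind == "file_create":
            name = basename(ev["path"])
            # diskpartmg16.exe is described as dropping net_ver.dat and igfxtrayex.exe
            if name in DESTOVER_FILES and image_of.get(key) in DESTOVER_FILES:
                alerts.append((ev["ts"], host, "destover_component_dropped",
                               f"{image_of[key]} wrote {name}"))
        elif kind == "net_connect":
            port = int(ev["dport"])
            # Ports 8080/8000 are common; only flag them from a known component.
            if port in BEACON_PORTS and image_of.get(key) in DESTOVER_FILES:
                alerts.append((ev["ts"], host, "destover_beacon",
                               f"{image_of[key]} -> {ev['dst']}:{port}"))
        elif kind == "net_listen":
            port = int(ev["lport"])
            proc = image_of.get(key, "unknown")
            if port == BACKDOOR_LISTEN_PORT and proc not in EXPECTED_WEB_LISTENERS:
                alerts.append((ev["ts"], host, "unexpected_port80_listener", proc))
    return alerts


if __name__ == "__main__":
    for alert in detect_destover(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```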
Links to Volgmer
Some samples of Destover seen by Symantec link to a C&C server that has been used by variants of Trojan.Volgmer in the past. Symantec has been tracking Trojan.Volgmer for several months. Volgmer is a threat capable of opening a back door on an infected computer, which allows the malware to communicate with a C&C server to retrieve system information, execute commands, upload files, and download files for execution.
Interestingly, the variants of Volgmer that share a C&C server with Destover are configured to end execution if the compromised computer’s region is not “Korea”.
Links to Jokra
The Destover attackers use techniques and components, such as file names, that are similar to those used in the Jokra attacks against South Korea in 2013. These attacks crippled servers belonging to several South Korean banks and broadcasting organizations and also defaced the website of a Korean telecoms firm.
The malware used in the Jokra attacks contained code that did not begin wiping the hard drive until a set time period expired. Destover is also configured to perform a delayed wipe. Furthermore, media outlets in South Korea have reported that a number of similar file names were used in both attacks (Korean language link).
Similarities to Shamoon attacks
Destover also shares some commonalities with the Shamoon attacks. Both Destover and the malware used by the Shamoon attackers (W32.Disttrack) share some drivers. These are not malicious files and are commercially available drivers. While both Destover and Disttrack are destructive forms of malware, there is no evidence to suggest that the same group is behind both attacks.
Symantec protection
Symantec and Norton products detect this threat as Backdoor.Destover.
Mind the gap: Are air-gapped systems safe from breaches?
Contributor: Candid Wueest
Industries that deal with sensitive information rely heavily on air-gapped systems to protect their critical data. However, while these systems are more secure than most others, there are ways to compromise them, potentially allowing attackers to steal the affected organizations’ highly sensitive data. From radio signal-emitting graphics cards to computers communicating through their speakers, are air gaps, once considered the Fort Knox of security measures, beginning to show cracks?
An air gap is a security measure that protects critical data by keeping one or more computers isolated from other unsecured networks, such as the internet. System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks. Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses. Several research reports have been making the news recently concerning ways in which air-gapped systems can be breached. Although some of the methods sound like they were taken straight out of a science fiction story, security researchers have definitely taken up the challenge of bridging the air gap.
Problems for would-be attackers
If an attacker wishes to breach an air-gapped system, they face three major hurdles:
- Compromising a computer within the isolated network
To breach an air-gapped system, the attacker needs to infect at least one of the air-gapped computers with malware. This could be done by using an insider in the targeted firm or an outsider, such as a consultant, who may be able to get access to the isolated area and use a malware-infected USB drive to compromise the computer. Air-gapped computers could also be compromised in supply chain attacks, where the computer’s components are intercepted and tampered with during the manufacturing or shipping processes.
- Sending commands to the compromised computer
Once a computer has been compromised, the attacker has to figure out how to send commands and updates to the malware. Normally, this would be conducted over the internet; however, anyone interested in taking on an air-gapped system needs to use a little more creativity.
- Exfiltrating data from the compromised computer
Unless the attacker only wants to cause some damage, they’ll need to find a way to exfiltrate the stolen data from the air-gapped network.
Let’s get creative
In light of these challenges, let’s take a look at some of the recent air-gap attack research reports and talk about how much of a realistic threat, if any, each method poses and what can be done to stay protected.
Turn on, tune in, get the data out
Researchers have recently proved how it’s possible to exfiltrate data from an air-gapped network by using FM radio signals sent from a computer’s graphics card. The researchers created proof-of-concept malware called AirHopper that uses the computer’s video display adapter to broadcast FM-compatible radio signals to a device with an FM receiver. The researchers were able to create an image pattern that generates a carrier wave modulated with a data signal. The image sent to the computer monitor looks indistinguishable from regular visual output but contains extra data that is transmitted as FM radio signals.
Attackers using this technique could infect computers with malware using USB devices or by way of supply-chain tampering. As for the receiver, this could be any modern smartphone, as most contain built-in FM receivers. The smartphone could belong to someone involved in the attack or someone who has had their device compromised. As smartphones are connected to the internet, they would be easier to compromise than a computer in an air-gapped network through a range of techniques like compromised websites or malicious emails.
The receiver needs to be within eight yards (seven meters) of the broadcasted radio signals in order to work. The researchers say they can transmit about 13 to 60 bytes a second in their tests, which is more than enough data to include login credentials and other sensitive information. For instance, an attacker with a receiver would only need to be in range of the compromised computer’s monitor for roughly eight seconds to download a 100-byte password file.
The technique is similar to how TEMPEST attacks are carried out; however, a TEMPEST attack only allows the attacker to spy on what is being displayed on the computer’s monitor.
Real world implications and mitigation
This technique is the most plausible for data exfiltration. Compromising smartphones is something that is well within the capabilities of cybercriminals and nation states, so exfiltrating the stolen data would not be a major hurdle. When it comes to mitigation, banning the use of mobile devices within a certain range of the air-gapped system may be one solution. However, if that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network.
Whispering malware
A recent research report detailed a system that uses inaudible sound as a means of communication, allowing data to be passed between computers that have no network connection. The researchers developed a proof-of-concept program that uses the built-in microphones and speakers found in many computers to transmit small amounts of data over a distance of roughly 65 feet (20 meters). However, this distance could be extended by a great deal using what the researchers call an acoustical mesh network of compromised computers that effectively relay the data to each other.
As most adults can hear sounds between 100Hz and 20kHz, anything outside of this range should be inaudible. According to the researchers, most commercial soundcards operate at a frequency of 48kHz, though in their tests most speakers wouldn’t work above 23kHz. This meant that the researchers needed to transmit at a frequency somewhere in the range of 20kHz to 23kHz.
The scientists experimented with several different methods to send data between two laptops using only sound. The most effective method used a system originally developed to acoustically transmit data under water, called the adaptive communication system (ACS) modem. Bridging air-gapped systems using this method, however, only provides a bitrate of about 20 bits per second. As with the other method described in this blog, this relatively tiny transmission rate rules out the exfiltration of large files such as documents and images but does feasibly allow for sensitive data to be sent, such as passwords or encryption keys.
Real world implications and mitigation
Depending on whether or not computers within the air-gapped network are fitted with speakers and microphones, this technique could pose a moderate threat. However, as the researchers themselves note, there are several possible ways in which this type of attack vector can be mitigated. Disabling audio output and input devices is perhaps the most obvious countermeasure. The researchers recommend that system administrators should not fit air-gapped computers with audio output hardware to begin with. If needed, users could use headphones; however, these would need to be disconnected when not in use as they too can be used to transmit.
Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious.
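The audio intrusion detection guard suggested above could start as a band-energy monitor like the one below. This is an added example, not code from the researchers or from Symantec; it assumes a 48kHz capture rate, a 0.05 second analysis window and constructed test audio, and uses the Goertzel algorithm so that it runs in plain Python without a signal-processing library.

```python
import math
import random

SAMPLE_RATE = 48_000          # Hz; the soundcard rate quoted in the post (assumed capture rate)
WINDOW = 2_400                # 0.05 s of audio per window -> DFT bins 20 Hz apart
AUDIBLE_HZ = (100, 20_000)    # hearing range quoted in the post
COVERT_HZ = (20_000, 23_000)  # band the researchers had to use: inaudible but still playable
STEP_HZ = 100                 # scan granularity (a multiple of the 20 Hz bin spacing)
MIN_POWER = 1e-4              # normalised power above which a bin counts as a real tone


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Normalised power at target_hz using one Goertzel pass over the window.

    A sinusoid of amplitude A sitting exactly on a bin yields A*A/4;
    silence or broadband noise yields values many orders of magnitude lower.
    """
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)   # nearest DFT bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2  # |X_k|^2
    return power / (n * n)


def band_powers(samples, lo_hz, hi_hz, step_hz=STEP_HZ):
    """Map each scanned frequency in [lo_hz, hi_hz] to its Goertzel power."""
    return {f: goertzel_power(samples, f) for f in range(lo_hz, hi_hz + 1, step_hz)}


def inspect_window(samples):
    """Flag a window whose near-ultrasonic band carries a tone that ordinary
    audio (speech, music, system sounds) has no reason to contain."""
    covert = band_powers(samples, *COVERT_HZ)
    peak_hz = max(covert, key=covert.get)
    audible_total = sum(band_powers(samples, *AUDIBLE_HZ).values())
    return {
        "peak_hz": peak_hz,
        "peak_power": covert[peak_hz],
        "audible_power": audible_total,
        "suspicious": covert[peak_hz] > MIN_POWER,
    }


def synth_window(covert_tone=False, seed=0):
    """Constructed test audio, not a real capture: a 1 kHz tone plus faint
    noise, optionally with a 21 kHz carrier like the one the research used."""
    rng = random.Random(seed)
    out = []
    for i in range(WINDOW):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 1_000 * t) + 0.01 * rng.uniform(-1, 1)
        if covert_tone:
            x += 0.2 * math.sin(2 * math.pi * 21_000 * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, covert in (("benign audio", False), ("audio with 21 kHz carrier", True)):
        print(label, inspect_window(synth_window(covert_tone=covert)))
```

In a deployment the same check would run continuously over microphone input and line output; a carrier that persists for whole seconds in the 20kHz to 23kHz band is a far stronger signal than a single flagged window.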
A more elaborate air-gap compromise: Dots, dashes, drones, and printers
Recent research presented at the 2014 Black Hat Europe conference showed how a malware-infected computer on an air-gapped network could receive and send attack commands through a multi-function printer’s scanner that the computer is connected to. To transmit data, an attacker would need to shine light, visible or infrared, into the room where the scanner is and while a scan is in progress.
The researchers devised a system to send and receive binary data using Morse code and say that several hundred bits can be sent during one scan, plenty to contain commands for the malware. Detecting the light from far away would be a problem but the researchers say this can be made easier with the use of a quadcopter drone.
An attacker could use a laser to send data from up to five kilometers away, although the researchers only tested the method up to 1,200 meters. An infected computer could be made to initiate a scan at a certain time or the attacker could wait until someone uses the scanner.
Real world implications
This method doesn’t pose much of a threat to air-gapped networks as it relies on several conditions being just right for it to work. Firstly, a successful breach would rely on there being a multifunction printer with a scanner connected to the isolated network and secondly, the scanner would need to be open or at least in use. But the most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it’s back to the drawing board for our would-be attackers.
Mind the gap
Air gaps are considered to be a reliable way to secure sensitive data and systems but no system is without its weaknesses. The examples discussed in this blog are all related to work carried out by security researchers in an effort to raise awareness around potential security weaknesses in air-gapped networks. Luckily, these researchers present their work to the public so that relevant measures can be put in place to protect against the weaknesses they highlight. Unfortunately, cybercriminals don’t publish their work in scientific journals or give talks at security conferences, so we have no way of countering their attack techniques until they’re uncovered. If there’s one thing we can be sure of, it’s that the bad guys are always hard at work figuring out new ways to get to the stuff we don’t want them to reach.
Microsoft Patch Tuesday – December 2014
Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 24 vulnerabilities. Thirteen of this month's issues are rated 'Critical'.
As always, customers are advised to follow these security best practices:
- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.
Microsoft's summary of the December releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-dec
The following is a breakdown of the issues being addressed this month:
MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Security Feature Bypass (3009712)
Outlook Web Access Token Spoofing Vulnerability (CVE-2014-6319) MS Rating: Moderate
A token spoofing vulnerability exists in Exchange Server when Microsoft Outlook Web Access (OWA) fails to properly validate a request token.
OWA XSS Vulnerability (CVE-2014-6325) MS Rating: Important
An elevation of privilege vulnerability exists when Microsoft Exchange Server does not properly validate input. An attacker who successfully exploited this vulnerability could run script in the context of the current user.
OWA XSS Vulnerability (CVE-2014-6326) MS Rating: Important
An elevation of privilege vulnerability exists when Microsoft Exchange Server does not properly validate input. An attacker who successfully exploited this vulnerability could run script in the context of the current user.
Exchange URL Redirection Vulnerability (CVE-2014-6336) MS Rating: Important
A spoofing vulnerability exists in Microsoft Exchange when Microsoft Outlook Web Access (OWA) fails to properly validate redirection tokens.
MS14-080 Cumulative Security Update for Internet Explorer (3008923)
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6327) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6329) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6330) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6366) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6369) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6373) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6374) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6375) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-6376) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Internet Explorer Memory Corruption Vulnerability (CVE-2014-8966) MS Rating: Critical
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
XSS Filter Bypass Vulnerability in Internet Explorer (CVE-2014-6328) MS Rating: Important
An XSS filter bypass vulnerability exists in the way Internet Explorer disables an HTML attribute in otherwise appropriately filtered HTTP response data. This vulnerability could allow initially disabled scripts to run in the wrong security context, leading to information disclosure.
XSS Filter Bypass Vulnerability in Internet Explorer (CVE-2014-6365) MS Rating: Important
An XSS filter bypass vulnerability exists in the way Internet Explorer disables an HTML attribute in otherwise appropriately filtered HTTP response data. This vulnerability could allow initially disabled scripts to run in the wrong security context, leading to information disclosure.
Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6368) MS Rating: Important
A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. This vulnerability could allow an attacker to bypass ASLR.
VBScript Memory Corruption Vulnerability (CVE-2014-6363) MS Rating: Critical
A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
Index Remote Code Execution Vulnerability (CVE-2014-6356) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
Use After Free Word Remote Code Execution Vulnerability (CVE-2014-6357) MS Rating: Critical
A remote code execution vulnerability exists in the way that Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
MS14-082 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3017349)
Microsoft Office Component Use After Free Vulnerability (CVE-2014-6364) MS Rating: Important
A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.
MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
Global Free Remote Code Execution in Excel Vulnerability (CVE-2014-6360) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Excel does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
Excel Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6361) MS Rating: Important
A remote code execution vulnerability exists in the way that Microsoft Excel does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
VBScript Memory Corruption Vulnerability (CVE-2014-6363) MS Rating: Critical
A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
Information Disclosure Vulnerability (CVE-2014-6355) MS Rating: Important
An information disclosure vulnerability exists in the Microsoft Graphics Component that could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. The vulnerability is caused when the Microsoft Graphics Component improperly handles the decoding of JPEG images in memory. An attacker could use this information disclosure vulnerability to gain information about the system that could then be combined with other attacks to compromise the system.
More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
Underground black market: Thriving trade in stolen data, malware, and attack services
During the holiday season, shoppers scour the internet to find the best deals for the perfect gifts. Ordinary consumers aren’t the only ones looking for bargains at this time of year. A host of cybercriminals are looking to shop at other people’s expense and use underground marketplaces to buy and sell illegal goods and services. Stolen data, compromised online accounts, custom malware, attack services and infrastructure, fraudulent vouchers, and much more can be bought if you know where to go.
Prices for illegal goods and services can vary widely, depending on what’s offered, but bargains exist even for cybercriminals on the tightest budgets. Attackers can pick up stolen data and compromised accounts for less than a dollar. Larger services, such as attack infrastructure, can cost anything from a hundred dollars to a few thousand. However, considering the potential gains that attackers could make by using this infrastructure, the upfront cost may be worth it for them.
Considering all of the data breaches and point-of-sale (POS) malware incidents that occurred in the last 12 months, you may think that underground markets are flooded with stolen data, causing prices to drop. Interestingly enough, this does not seem to be the case for all illegal goods on these marketplaces.
Shopping in the underground
While some illegal marketplaces are viewable on the public internet, news coverage around underground sites has increased this year, forcing many scammers to move to darker parts of the internet. For example, some forums are now hosted on the anonymous Tor network as hidden services. Other markets are only accessible with an invitation and require a buy-in, which could involve money or goods—like 100 freshly stolen credit cards. Other markets are run on private chat rooms and have rigid vetting procedures for new users. In these closed circles, prices are usually much lower and the traded amount of goods or services is higher.
Stolen data for sale
Prices have dropped for some of the data offered, such as email accounts, but they remain stable for more profitable information like online bank account details. In 2007, stolen email accounts were worth between US$4 and $30. In 2008, prices fluctuated between $0.10 and $100. In 2009, the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10. The latest pricing is a good indication that there is now oversupply and the market has adjusted accordingly.
Credit card information, on the other hand, has not decreased in value in recent years. In 2007, this information was advertised at between $0.40 and $20 per piece. How much you pay can depend on a number of factors, such as the brand of the card, the country it comes from, how much of the card's metadata is provided, volume discounts, and how recently the card data was stolen. In 2008, the average asking price for credit card data was slightly higher, at $0.06 to $30, and later in the year it rose to between $0.85 and $30. Today, prices for stolen credit card information range between $0.50 and $20. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cybercriminals trade in bulk volumes.
Of course, we have no visibility into transactions and do not know how many buyers actually pay the upper end of the price range. The quality of the stolen goods is also questionable, as some sellers try to sell old data or resell the same data multiple times. This may also explain why there has been a boom in additional service offerings that verify that the seller’s accounts are still active or that a credit card has not yet been blocked. Most underground marketplaces even provide a guarantee for the data’s freshness and replace blocked credit cards within 15 minutes of purchase. As expected, where there is demand, someone will step in and address the gap in the market.
Attack services for hire
Crimeware-as-a-service has also become popular on underground marketplaces. Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams. This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.
A drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and distributed denial-of-service (DDoS) attacks can be ordered from $10 to $1,000 per day. Any product or service directly linked to monetary profit for the buyer retains a solid market price.
Cashing out with fraudulent vouchers and tickets
Cybercriminals are always coming up with new strategies to cash out their profits. Vouchers and online gift cards are currently in vogue, as they can easily be traded or sold online. Attackers pay for them using stolen credit cards or generate them from hijacked online retailer accounts. They then sell the vouchers and online gift cards for 50 to 65 percent of the nominal value. Cybercriminals can also sell hotel, airline, and train tickets for approximately ten percent of the original asking price. Of course, this is very risky for the people who buy these tickets. Recently, 118 people were arrested in a global operation on suspicion of using fake tickets or obtaining stolen card data to purchase airline tickets. The airline industry believes that fraudulent tickets are costing it around $1 billion annually.
Older methods such as packet re-sending agents have declined in popularity. This method involved buying expensive goods with stolen credit cards and having them shipped to an uninvolved volunteer, who then reships the goods to the attacker’s anonymous PO box. This is getting harder to do, as many shops will only ship to the registered home address of the credit card. This also led to some attackers picking up the items in a physical store nearby, rather than shipping them somewhere first.
The expansive underground marketplace
These examples aren’t the only goods and services on offer on underground marketplaces. Also for sale are:
- Scans of real passports ($1 to $2), which can be used for identity theft purposes
- Stolen gaming accounts ($10 to $15), which can yield valuable virtual items
- Custom malware ($12 to $3,500), for example tools for stealing bitcoins by diverting payments to the attackers
- 1,000 followers on social networks ($2 to $12)
- Stolen cloud accounts ($7 to $8), which can be used for hosting a command-and-control (C&C) server
- Sending spam to 1 million verified email addresses ($70 to $150)
- Registered and activated Russian mobile phone SIM card ($100)
Protection
The booming underground marketplace is another reason it’s important to protect your data and identity. Otherwise, you may find your personal information in the shopping basket of a cybercriminal during this holiday season.
Symantec recommends the following basic security guidelines:
- Always use strong passwords, and never reuse them across other websites.
- Update the software on all of your devices regularly to prevent attackers from exploiting known vulnerabilities.
- When entering personal or financial information, ensure that the website is encrypted with a Secure Sockets Layer (SSL) certificate by looking for the padlock icon or “HTTPS” in the address bar. Report any suspicious behavior before submitting sensitive information online.
- Use comprehensive security software, such as Norton Security, to protect yourself from cybercriminals.
- Exercise caution when clicking on enticing links sent through emails or posted on social networks. If something looks too good to be true, then it likely is.