It’s no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years.
Security researchers and software vendors have known for a long time that attackers will wait for new patches to come out and then reverse engineer the fixes in order to find the specifics of the vulnerabilities. It’s a concern, especially for large vendors such as Microsoft, Adobe and Oracle whose software runs on hundreds of millions of machines and have regular, predictable patch cycles that attackers can depend on. This gives them a monthly or quarterly batch of fixes to sink their teeth into.
And the attackers also know that many users don’t install patches right away. Microsoft has succeeded in getting many of its customers to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers have tended to focus most of their attention on older flaws for which patches already have been published.
Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version.
“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723. The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities,” Jeong Wook Oh of Microsoft said.
“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to multiple versions of Java, including Java 6 and 7, and the other is the category of vulnerabilities that only apply to Java 7. So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine them with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than just using a single exploit in one package.”
Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a zero day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications. It, of course, just lends more support to the advice that security experts are always giving users: Install patches as soon as they’re available.
Defenders are at an asymmetric disadvantage when it comes to defending their networks. Attackers spend every minute of their day focused exclusively on penetrating your network to accomplish their mission…and opportunities abound. Today’s modern networks go beyond the walls of the enterprise to include endpoints, mobile devices, and virtual desktops and data centers. These extended networks constantly evolve and create new attack vectors including mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers and home computers. The job of the defender has never been more challenging.
Unfortunately, defenders don’t have the luxury of spending their days focused on security. The reality is that most IT security teams are understaffed, hampered by static and disconnected security technologies and consumed with addressing compliance and regulatory issues and other business imperatives. Unfocused on threats for too long, they risk being blindsided by attackers gaining maximum leverage of new vulnerabilities and new techniques to gain entry and achieve their objective, be it to gather data or simply to destroy.
Security teams need to recalibrate the way they approach security. To stay ahead of threats they need to start thinking like attackers. The only way to do this is to change their security model to be threat-centric; to address the extended network and the full attack continuum – before, during and after an attack. And to be truly effective, this threat-centric model must encompass all aspects of security – not only technology, but processes and people as well.
Here are just a few recommendations for how to move forward with a threat-centric approach to security.
Technology: It’s a natural instinct to go for low-hanging fruit first so most organizations start by protecting their core networks with solutions that are typically the fastest and easiest to deploy. But ‘silver bullets’ don’t exist and this approach alone won’t suffice. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. You need solutions that also protect endpoints, mobile and virtual environments. They must work together in a continuous fashion and they must span the full attack continuum.
Before an attack, defenders need comprehensive awareness and visibility of what’s on the extended network – devices, operating systems, services, applications, users, content and potential vulnerabilities. Establishing a baseline of information is a critical first step in defending your organization from attack. From there you can implement policies and controls to defend it, for example implementing access control over applications and users to minimize the attack surface.
During an attack, the ability to continuously detect threats and block them is critical. And because threats change so quickly, having the ability to learn and update detection information based on evolving threat intelligence is critical to maintaining security effectiveness.
After an attack, marginalizing the impact becomes the priority. To do this defenders need to take a proactive stance with retrospective security, the ability to identify the root cause, understand the scope of the damage, contain the event, eliminate the risk of re-infection, remediate it and bring operations back to normal.
Processes: There are two aspects to consider here; the first is identifying processes ripe for automation. There aren’t enough hours in the day and IT security teams have too many other responsibilities to be able to address today’s barrage of attacks with manual approaches. The ability to reduce labor-intensive tasks and streamline processes with automation is essential. Tools that can intelligently identify and automatically alert only on relevant security events can save security teams hours investigating events that aren’t real threats. In addition, being able to automatically enforce and tune security policies and rules to keep pace with the changing threat landscape and evolving IT environment minimizes the risk of exposure to the latest threats and vulnerabilities.
The second aspect to consider is an incident response process. Security events happen and many organizations don’t have an incident response plan in place. Every organization should have a designated Incident Response team, even if not full time, that is cross-functional and trained to communicate and respond to security events. The team needs to be backed by documented processes and policies. For example, an InfoSec Policy must be put in place to ensure you’re protecting the right data. An incident response runbook with clear step-by-step instructions for the team to follow in the event of an attack, including incident notification and a collaboration call tree, leads to better, swifter and more accurate containment and remediation. Finally, systematic program reviews on a quarterly basis can ensure that your policies, configurations and rules performance are protecting your organization as needed.
Education: At the end of the day, technology and processes are only as good as the people behind them. Organizations must be committed to keeping their staff highly trained on the current threat landscape. Ongoing professional development with a specific focus on being able to identify an incident, know how to classify it and how to contain and eliminate it will help keep security teams apprised of the latest techniques used by attackers to disguise threats, exfiltrate data and establish beachheads for future attacks. Certifications and trainings to remain current on security technologies and how to optimize their deployment and tuning for maximum security effectiveness ensure organizations are getting the most from their IT security investments.
In these particularly challenging times for security professionals, it’s imperative they re-balance and optimize operations for a consistent emphasis on the threat. By putting a threat focus closer to the center of what they do they’ll have the clarity, the resources and the liberty they need to sharpen decision-making and confront the greatest risks to their enterprise.
Al Huger is the vice president of development, cloud technology group, at Sourcefire.
Gmail and Google Apps account hijacking has been the linchpin of a number of high-profile targeted attacks, starting with the Aurora attacks of 2009, right up until last week’s attack against the Twitter account belonging to the satirical Onion news site.
Granted we’re talking about two very different levels of severity between stealing data from the defense industrial base and sending out a few politically motivated hoax Tweets, but the thirst for legitimate credentials among state-sponsored hackers, cybercriminals and hacktivists won’t abate any time soon.
The chase, along with the general inadequacy of passwords, has forced Google for one to aggressively pursue a new direction for authentication into its online services. The company this week announced a new long-term plan for strong authentication, one that builds off a similar initiative in 2008 that led to the current implementations of two-factor authentication for Gmail and risk-based login challenges in order to determine if requests for access are indeed from the intended user.
Going forward, Google hopes to put strong authentication in place when endpoints such as laptops, tablets or smartphones are first configured and have the device act as an authenticator. It also explained a number of other measures it would like to see implemented in the relatively near future. Clearly, smartphones have changed the dynamic of authentication for Google.
“With mobile devices like Android the usability is even further improved because you only log in to the device once at the OS level and it works across all the apps on the device instead of having to go through a multi-step login flow for each application,” said Eric Sachs, a product manager with the Google security team. “However to improve the usability of this approach, one of our goals will be to have a consistent concept of identity between the OS, applications, and websites accessed from the browser on the device.”
Google has also thrown its support behind the ChannelID open standard, which aims to secure the cookie on the device that certifies the user has signed in to a service. The concept puts up a barrier against man-in-the-browser attacks that attempt to sniff and steal cookies as they’re passed to the browser. This tighter connection between cookies and encryption keys, as proposed in the standard and currently in place in the Chrome browser, is another priority initiative for Google going forward.
“In essence, the browser self-provisions an anonymous public-private key pair for each web domain it needs to talk to via SSL. The web domain can use the consistent SSL public key Channel ID presented by the client device to tie into cookies that it issues to the client device,” Sachs said. “But once the cookies are ‘tied’ in this manner, they are no longer reusable bearer tokens. The web server will only accept them as part of a connection that has been digitally signed with the same ChannelID. ChannelID significantly reduces the risk associated with leaked reusable bearer tokens.”
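The cookie binding Sachs describes above, worked through as an added example that is not part of the original article or of Google’s implementation. It assumes a simplified model: the TLS layer hands the server the client’s channel public key for each connection and has already verified possession of the matching private key, so the key is represented here as opaque bytes; the server then ties its cookie to a fingerprint of that key so a stolen copy cannot be replayed from another channel.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional


def _b64u(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64u_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


class Browser:
    """Holds one self-provisioned channel key per origin, as ChannelID does."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def channel_key(self, origin: str) -> bytes:
        # Constructed stand-in for the per-origin public key. Real ChannelID
        # proves possession of the private key inside the TLS handshake; this
        # model assumes the TLS layer has already done that for us.
        if origin not in self._keys:
            self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]


class Server:
    """Issues cookies, optionally tied to the channel key they were issued on."""

    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)  # never leaves the server

    @staticmethod
    def _channel_id(channel_pub: bytes) -> str:
        return hashlib.sha256(channel_pub).hexdigest()

    def issue_cookie(self, user: str, channel_pub: bytes, bound: bool = True,
                     now: Optional[float] = None) -> bytes:
        claims = {"sub": user, "exp": int((now if now is not None else time.time()) + 3600)}
        if bound:
            claims["cid"] = self._channel_id(channel_pub)  # the binding
        body = _b64u(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        return body + b"." + _b64u(tag)

    def verify_cookie(self, cookie: bytes, channel_pub: bytes,
                      now: Optional[float] = None) -> Optional[str]:
        """Return the user if the cookie is valid on this connection, else None."""
        body, sep, tag = cookie.partition(b".")
        if not sep:
            return None
        expected = _b64u(hmac.new(self._mac_key, body, hashlib.sha256).digest())
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered cookie
        try:
            claims = json.loads(_b64u_decode(body))
        except ValueError:
            return None
        if claims.get("exp", 0) < (now if now is not None else time.time()):
            return None  # expired
        cid = claims.get("cid")
        if cid is not None and not hmac.compare_digest(cid, self._channel_id(channel_pub)):
            return None  # genuine cookie, wrong channel: replay from another device
        return claims["sub"]


def replay_demo() -> Dict[str, Optional[str]]:
    """Copy a cookie out of the victim's browser and replay it from the attacker's."""
    server = Server()
    victim, attacker = Browser(), Browser()
    origin = "https://accounts.example"  # constructed origin
    victim_key = victim.channel_key(origin)
    attacker_key = attacker.channel_key(origin)

    bearer = server.issue_cookie("alice", victim_key, bound=False)  # reusable bearer token
    bound = server.issue_cookie("alice", victim_key)                 # ChannelID-style

    return {
        "bearer_victim": server.verify_cookie(bearer, victim_key),
        "bearer_attacker": server.verify_cookie(bearer, attacker_key),  # accepted
        "bound_victim": server.verify_cookie(bound, victim_key),
        "bound_attacker": server.verify_cookie(bound, attacker_key),    # rejected
    }
```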
At the start of its initial five-year plan, Sachs said, Google did not anticipate the use of smartphones as authenticators. But with apps providing one-time passwords, for example, Sachs said Google is experimenting with apps that display notifications about risky behavior and require the user to approve an action within the app before it proceeds. This would take out of the equation attackers who might have remote access to an account but not to the device.
“That type of ‘login approval’ approach has another interesting security aspect. While risk-based and strict two-factor login challenges do improve the security of a sign-in flow, they still have the potential to be broken through phishing attacks that trick a user into providing an OTP,” Sachs said. “But the ‘login approval’ approach makes phishing much harder and thus provides the potential to provide even stronger protection than Google’s two-factor offering.”
Google said it also is re-thinking how to unlock devices so that passcodes are no longer necessary, and involve the use of fingerprint scanners, Near Field Communication between devices, or proximity readers. These same concepts could be applied, Google said, where the OS would intervene when a risky behavior appears in the browser and request the user to approve it via a fingerprint check, for example. Google acknowledges this could require changes to APIs and how the OS and browser communicate.
“Once again, the time may be right given the ubiquity of personal devices such as mobiles and tablets,” Sachs said. “Further, the notion of a ‘local authentication’ to the device is becoming an accepted and expected part of the user experience.”
Adobe is set to push security updates for various versions of its Acrobat and Reader software packages, in tandem with Microsoft, in the May edition of Patch Tuesday.
According to the Adobe Product Security Incident Response Team, each of the updates in this month’s patch is considered serious, meaning that the updates provide fixes for vulnerabilities that an attacker could exploit to execute malicious code on user machines without user knowledge.
Additionally, each of the updates is receiving the most urgent priority one or two ratings. Priority one means that attackers are likely exploiting the to-be-fixed vulnerability in the wild; priority two denotes fixes for vulnerabilities that have, historically, placed users at an elevated risk for exploit, but for which there are currently no known exploits in the wild.
Adobe’s Patch Tuesday release will provide priority two rated fixes for Adobe Reader version XI (11.0.02) on Windows and Mac, version X (10.1.6) and earlier 10.x versions on Windows and Mac, version 9.5.4 and earlier 9.x versions on Mac, and version 9.5.4 and earlier 9.x versions on Linux machines.
The patch shipment also provides a priority one fix for a vulnerability in Adobe Reader version 9.5.4 and earlier 9.x versions for Windows.
The release will also supply priority two fixes for Adobe Acrobat version XI (11.0.02) for Windows and Macintosh, version X (10.1.6) and earlier 10.x versions for Windows and Macintosh, and version 9.5.4 and earlier 9.x versions for Macintosh.
Acrobat’s priority one fix resolves a vulnerability in version 9.5.4 and earlier 9.x versions for Windows.
Attackers using a vulnerability in Adobe’s ColdFusion app server were able to compromise servers belonging to the Washington State court system sometime in the last few months and walked off with data belonging to as many as a million residents of the state. The attackers had access to 160,000 Social Security numbers and the driver’s license numbers and names of a million people.
Officials say they’re uncertain exactly when the breach occurred, although they believe it to have been sometime after September. The breach of the court system’s Web site occurred in two separate incidents, which were discovered in February and March of this year.
“Once the breach was discovered, AOC took immediate action to further secure the environment and begin investigation and analysis into the depth and severity of the breach. In addition, AOC collaborated with the Washington State Consolidated Technology Services (CTS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) for internet security, who provided valuable information in determining the scope of this security breach. MS-ISAC is a focal point for cyber threat prevention, protection, response and recovery for the nation’s state, local, territorial and tribal governments. The MS-ISAC 24×7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response. AOC has implemented significant security enhancements to ensure that our systems and data are secure and to prevent the potential for future compromise,” the court system said in a statement on its site.
The attackers had no access to financial information, but were able to access 160,000 SSNs. The court warned that anyone who had been booked into a city or county jail between September 2011 and December 2012 is at risk for having their SSN affected by the breach. The potential pool of people whose driver’s license numbers and names were accessed is much larger:
- If you received a DUI citation in Washington State between 1989 through 2011; or
- If you had a traffic case in Washington State filed or resolved in a district or municipal court between 2011 through 2012; or
- If you had a superior court criminal case in Washington State filed against you or resolved between 2011 through 2012
Adobe is planning to patch a vulnerability in ColdFusion next week, but it’s not clear whether that is the same flaw that the attackers in this operation exploited.
Eight members of a New York cybercrime cell have been indicted in a carefully coordinated heist that drained $45 million from thousands of ATMs in less than 24 hours.
In a federal indictment unsealed Thursday in Brooklyn, authorities charge the attacks were reminiscent of a suspense movie in which the defendants and their co-conspirators carried out a scheme dubbed “Unlimited Operation” because of the unlimited proceeds that were possible.
Authorities allege the cybergang hacked into a credit card processor’s networks and compromised prepaid debit cards to dramatically raise withdrawal limits or account balances. The card numbers were given to associates around the world (in at least 26 countries) to cash out the fake cards using compromised card data, including PINs, as quickly as possible. The cash was then spent on kickbacks or luxury goods, such as Porsche and Mercedes cars and Rolex watches, and spent around the world.
The global attacks were marked by “the surgical precision of the hackers carrying out the cyberattack.” Of the $45 million believed to have been stolen, $2.8 million came from New York City machines.
“As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe,” said U.S. Attorney Loretta Lynch in a prepared statement. “In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours.”
Among the eight charged in the elaborate scheme was alleged New York ringleader Alberto Yusi Lajud-Pena, 23, also known as “Prime” and “Albertico.” He was reportedly murdered a few weeks ago in the Dominican Republic. Others included in the four-count federal indictment are Elvis Rafael Rodriguez, 24; Emir Yasser Yeje, 24; Joan Luis Minier Lara, 22; Evan Jose Pena, 35; Jose Familia Reyes, 24; Jael Mejia Collado, 23; and Chung Yu-Holguin, 22.
According to the government’s filings, the first operation on December 22, 2012, targeted a credit card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates. “After the hackers penetrated the credit card processor’s computer network, compromised the RAKBANK prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign,” the U.S. Justice Department outlined.
“In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised RAKBANK account data, resulting in approximately $5 million in losses to the credit card processor and RAKBANK. In the New York City area alone, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City.”
The second heist took place between the afternoon of February 19 and early morning of February 20, 2013. This time the target was a credit card processor that serviced MasterCard prepaid debit cards for the Bank of Muscat, located in Oman. “This attack was particularly devastating: Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs.”
The global investigation involved assistance and cooperation from authorities in numerous countries, including Japan, Canada, Germany, Romania, the United Arab Emirates, the Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand and Malaysia.
Microsoft will ship 10 bulletins in the May edition of Patch Tuesday. The company considers just two of the patches critical, one of which supplements the currently available “Fix it” tool that resolved the IE zero-day vulnerability exploited recently in a watering-hole attack targeting the U.S. Department of Labor.
The critical patches address that and other vulnerabilities in Microsoft Windows and Internet Explorer that could give an attacker the ability to execute code remotely.
The remaining important patches will mend a denial of service hole in Windows, a spoofing issue in that and the .NET framework, a remote code execution bug in Lync, two remote code execution flaws and one information disclosure problem in Office, an information disclosure vulnerability in Windows Essentials, and an elevation of privilege defect in Windows.
Wolfgang Kandek, the CTO of Qualys Inc., writes on his blog that systems administrators should prioritize the IE zero-day vulnerability that enabled the Department of Labor hack and the other remote code execution flaws.
Kandek says that the second bulletin addresses the IE 8 zero-day mentioned above, while the first bulletin provides fixes for the IE vulnerabilities made public in the Pwn2Own contest at CanSecWest conference in March.
The Tuesday release will also include patches for Adobe and a new version of Reader. Most importantly, Adobe is working on a fix for a recent ColdFusion zero-day that should be ready for shipment on Tuesday.
Microsoft will release the patches on Tuesday, replacing the advanced notification bulletins on their Security TechCenter webpage.
Domain registrar Name.com has informed its customers via email of a data breach and asked them to reset their passwords.
The company, based in Denver, said it discovered a breach and customer account information such as encrypted credentials and credit card numbers may have been accessed along with customer email addresses.
“It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at Name.com,” the customer email said.
Name.com told its customers that it uses strong encryption to store payment card data and that the encryption keys required to access that data were not compromised. EPP codes required for domain transfers were also not affected in the breach; as with the keys, they were stored separately from the compromised data.
“We take the matter very seriously,” the email said. “We’ve already implemented additional security measures and will continue to work diligently to protect the safety and security of your personal information.”
Name.com said on its Twitter feed that it was staggering the release of notifications to customers and information about password resets. As of 2 p.m. ET, there was no mention of the breach on the Name.com website, nor on its corporate blog.
The company is taking some heat because it is asking its users to click on an email link in order to proceed with a password reset. This is the same tactic a phishing email would use, for example. Name.com does remind its users that if they use their passwords on other sites, to change those too.
Webhosting.info said Name.com is the 27th largest registrar by total domains with 498,035; Go Daddy is the leader with more than 25 million domains and 32 percent market share.
This is the second large password breach in the last two weeks. On April 28, daily deal site LivingSocial reported it had been breached and hackers had accessed user names, email addresses and encrypted passwords. More than 50 million users were advised to change their passwords. LivingSocial said no credit card data was accessed.
Microsoft later this month will release a new version of its EMET protection tool, and this iteration will include a certificate pinning feature that will enable users to associate a specific certificate with a given certificate authority. The feature is designed as a defense against man-in-the-middle attacks that use forged certificates to redirect users or intercept protected traffic.
EMET is a toolkit designed specifically to help prevent certain kinds of exploits from working on protected applications. For example, users can deploy EMET to get the advantages of DEP or ASLR in applications that were not compiled with those exploit mitigations enabled. The new version of EMET is due May 28 and is in beta right now. The addition of certificate pinning is a significant one, although the feature only works by default when users are browsing with Internet Explorer.
Certificate pinning is a technique that can be used as a defense against attacks that take advantage of users’ trust in certificates and CAs, a trust that has been exploited many, many times in recent years. The compromises of Comodo, DigiNotar and other CAs have exposed the cracks in the CA infrastructure that have been there since its inception but rarely are noticed by anyone outside of the immediate vicinity. Attackers have discovered ways to issue fraudulent certificates to themselves for various important sites, notably Google, Mozilla, Yahoo and others.
Some of those attacks would not have been as damaging as they were if the users on the other end of the Web connection from the fake certificates had certificate pinning available. That defense would have allowed users to pin the Google SSL certificate to the Google Internet Authority, which issues the company’s legitimate certificates. EMET, which is meant as an enterprise tool, can help organizations fix that situation.
“EMET 4.0 comes with Certificate Trust enabled by default, including a set of pre-configured websites for the most common domains used by Microsoft online services; nevertheless, since we believe that certificate pinning is a useful tool to detect MITM attacks targeting any domain and not just Microsoft services, we designed Certificate Trust totally configurable, in order to allow any user to configure custom pinning rules that will be enforced when browsing the web with Internet Explorer,” Elia Florio of Microsoft wrote.
“EMET 4.0 has a main switch button in the system mitigation panel that can be used to activate or de-activate Certificate Trust. Once enabled, users have to specify which certificates and Root Certificate Authorities to trust. Users can verify that the Certificate Trust feature is activated from the EMET GUI by checking that the system status of this mitigation is “Enabled” and that Internet Explorer process (iexplore.exe) is in the list of configured apps (with or without memory mitigations enabled). This configuration allows EMET to inject into the protected process a new small module (EMET_CE.DLL) that will operate only within Internet Explorer to enforce the certificate pinning protection.”
There is a function in EMET 4.0 that allows advanced users to create some exceptions for certificate pinning, as well, based on variables such as key size and country of origin for the certificate. Users also can manually opt-in other executables for the certificate pinning, including another browser.
In addition to the certificate pinning feature, EMET 4.0 also includes protection against some techniques that researchers developed last year to bypass previous versions of the toolkit.
“For example, instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additionally hook lower level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory. These “Deep Hooks” can be configured in EMET’s Advanced Configuration. We have seen exploits attempt to evade EMET hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue. With EMET 4.0’s “Anti detours” option enabled, common shellcode using this technique will be blocked. Finally, EMET 4.0 also includes a mechanism to block calls to banned APIs,” Microsoft said.
A pro-Syrian regime hacker collective known as the Syrian Electronic Army (SEA) recently compromised the Twitter, Google Apps and other accounts belonging to The Onion, a long-running satirical news publication in the U.S. Like The New York Times before it, The Onion published a fascinating (non-comical) tell-all, indicating that it, like the Associated Press, had fallen victim to a SEA spear phishing campaign.
Unlike the attack at The New York Times, which was the work of a state-funded, military-grade attack team, the SEA launched a fairly typical spear-phishing attack against the editorial team at The Onion. In fact, this campaign was almost identical to an attack it launched weeks earlier that resulted in a successful compromise of the Associated Press.
According to The Onion’s frank and honest assessment, the SEA used three distinct methods to compromise employee accounts at the Onion. First, on May 3, “from strange, outside email addresses,” the SEA sent the phishing email–screen-grabbed below–to a few of The Onion’s employees:
From here, The Onion’s IT Team said, at least one employee followed the link that appeared to lead to the Washington Post, but actually led to a compromised website that, in turn, redirected users to a fraudulent Google application credential reset page. Again, at least one employee fell for the ruse, and consequently gave the SEA access to his or her Gmail account.
Now that the SEA had access to an employee account, on May 6 it used that account to send more of the same phishing email to other Onion employees. At this point, likely because the phishing emails were coming from a trusted email account, a number of employees followed the link. Only two employees actually entered their credentials into the fraudulent forms, though, one of whom had access to The Onion’s social media accounts.
The Onion then became aware of the compromise and sent out a company-wide password reset email. At the same time, the attackers sent a duplicate but fraudulent password reset email to everyone at The Onion except the IT team, which compromised another two corporate accounts.
The Onion then published an article titled, “Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels.” The SEA responded by publishing the contents of editorial emails on Twitter. The Onion’s IT team now admits that it did not know for sure which accounts were compromised, so it forced a password reset for every company account, ending the saga.
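The link trick in the first step of the chain above (visible text that reads like a Washington Post address, an href that goes somewhere else) is something a mail gateway or an analyst's triage script can check for mechanically. What follows is an added example, not code from Threatpost or from The Onion's write-up; the hostnames in the constructed sample message are placeholders, and the "last two labels" domain comparison is a deliberately simple assumption chosen for brevity.

```python
"""Flag HTML e-mail links whose visible text names one site while the href
points to another. Added example; sample message and hostnames are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the description above: the anchor text looks
# like a Washington Post URL, but the href goes to a placeholder host.
SAMPLE_EMAIL = """
<p>Please read: <a href="http://compromised-site.example/story">
http://www.washingtonpost.com/world/syria</a></p>
<p>Unsubscribe: <a href="http://lists.example.org/u">lists.example.org</a></p>
"""


def registrable_domain(host):
    """Last two labels of a hostname (assumed heuristic; a public-suffix list
    would be the production choice)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Return links whose visible text names a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).netloc
        # Only compare when the visible text itself looks like a URL or hostname.
        candidate = text if "://" in text else "http://" + text
        text_host = urlparse(candidate).netloc
        if not text_host or "." not in text_host:
            continue
        if registrable_domain(text_host) != registrable_domain(href_host):
            findings.append({"text_host": text_host, "href_host": href_host})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"mismatch: text says {f['text_host']}, href goes to {f['href_host']}")
```

Links whose visible text is plain words ("click here") are skipped, since there is nothing to compare; those are better handled by the second control The Onion's post-mortem implies, an allowlist of domains that are ever permitted to host a password reset form.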
Ironically, this phishing post-mortem is hosted on an unrelated domain, so we reached out to The Onion for confirmation, because the People’s Daily, a Communist Party paper in China, looked silly when it ran with The Onion’s top available bachelor story about Kim Jong Un, which was, of course, a joke. The Onion’s press contact confirmed that this article is indeed a legitimate and accurate telling of what happened.
Microsoft has released a Fix It to address an Internet Explorer 8 zero-day that was exploited in a watering hole attack against the U.S. Department of Labor website last week.
The Fix It is a temporary mitigation until a patch is released. Microsoft’s next scheduled Patch Tuesday security updates are set for next week, though it’s unlikely an update for CVE-2013-1347 will be ready in time.
The vulnerability is present only in IE 8, Microsoft said. The flaw is a use-after-free memory corruption bug that allows an attacker to remotely execute code on an affected machine.
“The Fix It is an effort to help protect as many customers as possible, as quickly as possible,” said Dustin Childs, group manager of Trustworthy Computing.
This is the second Fix It that Microsoft has issued this year. The first, in January, addressed a similar memory-related vulnerability in IE that was used in watering hole attacks against a number of government, political and manufacturing websites. IE 8 was the primary target there as well; IE 6 and 7 were also vulnerable, though no exploits were public for those two versions.
According to Net Market Share, IE 8 has the highest market share with 23 percent, followed by IE 9 (18 percent) and Chrome 26.0 (13 percent). Experts who analyzed the attack against the Department of Labor’s Site Exposure Matrices website said that the typical government agency worker would likely still be running IE 8, making them a tempting target for such an attack.
This tactic has been employed not only against government workers and political activists as part of espionage campaigns, but against a popular mobile developer’s website that ensnared a number of Facebook, Apple, Microsoft and Twitter employees.
In the case of the DoL, the target was likely downstream employees of the Department of Energy who work on nuclear weapons programs, experts at Invincea speculated. The DoL’s SEM site is a resource for employees who may have been exposed to radiation. The redirect on the site was sending visitors to a site hosting the Poison Ivy remote access Trojan, malware that is used in espionage campaigns; it opens a backdoor on compromised computers through which attackers can move about unnoticed.
Microsoft’s first Fix It of 2013, however, wasn’t a smashing success. Shortly after it was released, researchers at Exodus Intelligence reported they were able to bypass it. While the Fix It did address one means attackers had at their disposal to get onto victims’ machines, it didn’t address all possible avenues.
Adobe is readying a patch for a critical vulnerability in its ColdFusion Web application server that is being used in attacks right now. The vulnerability affects several versions of ColdFusion running on Windows, Unix and OS X.
The flaw, which Adobe plans to patch on May 14, can be used by a remote attacker to retrieve files from affected servers. There is a public exploit available for the vulnerability, making the patch a high priority for enterprises running ColdFusion.
“There are reports that an exploit for this vulnerability is publicly available. ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue,” Adobe said in its advisory.
The company recommends that customers running vulnerable versions of ColdFusion, which include 10, 9, 9.02 and 9.01, follow the recommendations in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide to help install mitigations that will prevent exploitation of this vulnerability.
One of the largest online music streaming services was briefly singing a different tune after learning a new Google Chrome plug-in allowed users to download copies of songs for free.
Google this week pulled from its Chrome Web Store the browser extension known as Downloadify, which exploited a vulnerability in Spotify’s web player to allow a user to download a DRM-free, MP3 backup of a song as it started playing.
“It is effectively stealing,” Sheena Sheikh, an intellectual property attorney told the BBC. “You are committing an infringement. You’re not authorised to download the songs. You don’t have permission.”
Although Google removed the extension from its Chrome store, it might still be circulating on other sites. The Dutch developer also published the code on GitHub, according to CNET. He reportedly took advantage of a flaw in the Spotify Web client that lacked encryption — unlike the desktop and mobile versions. He also told a reporter at The Verge he did not plan to update the program and believed Spotify had taken steps to boost its security.
Spotify currently has about 6 million subscribers and is second only to Apple as a digital revenue source for major music recording companies.
Sometime around 2:45 PM EDT yesterday, Syria’s BGP routes were severed and the country disappeared from the Internet. Just as quickly as it had fallen, Syria came back online this morning.
In March, the Middle Eastern nation entered the third year of a violent conflict in which the country’s ruling regime, headed by President Bashar al-Assad, is fighting a civil war against the Syrian National Coalition, a hodgepodge group of militias led by the Free Syrian Army and the Syrian Islamic Liberation Front. Syria lost its Internet connection similarly in November of last year.
Umbrella Security reported the outage, saying resolvers belonging to its parent company, OpenDNS, showed a precipitous drop in inbound and outbound Internet traffic. Search giant Google and the Internet monitoring Renesys Corporation would later confirm the blackout. Neither of the top-level domains located in Syria could be reached for the duration of the outage, which lasted just less than 20 hours.
“There have been numerous incidents where access to and from the Internet in Syria was shut down,” explained Umbrella Security CTO Dan Hubbard. “Shutting down Internet access to and from Syria is achieved by withdrawing the BGP routes from Syrian prefixes.”
Internet traffic routing relies on BGP, the Border Gateway Protocol, which distributes routing information so that Internet-connected routers know how to reach IP addresses. When an IP range goes dark, its prefixes are withdrawn from the BGP routing tables, telling routers that those IPs are no longer reachable. During the outage, Hubbard said, the usual 70 or so routes for Syria in the BGP routing tables had decreased to just three.
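The signal OpenDNS and Renesys acted on is simply a count: how many routes for a country's prefixes are visible before and during the event. The following is an added example of that check over two routing-table snapshots, not code from OpenDNS, Renesys or the article. The snapshot format (one `prefix|as_path` line per announced route), the private-use origin ASNs 64510 and 64511, and the prefixes are all constructed for illustration and are not Syria's real allocations; the 70-to-3 drop mirrors the figures Hubbard gave.

```python
"""Detect a country-scale BGP withdrawal from two routing-table snapshots.
Added example with constructed data; ASNs 64510/64511 are private-use numbers
standing in for a monitored country's networks."""
from collections import defaultdict


def make_snapshot(n_routes, origin_asn, base_octet, transit="64496 64500"):
    """Build a constructed snapshot: n_routes /24 prefixes originated by origin_asn."""
    return "\n".join(
        f"{base_octet}.{i // 256}.{i % 256}.0/24|{transit} {origin_asn}"
        for i in range(n_routes)
    )


# Constructed "before" and "during" views: the watched country (AS64510) goes
# from 70 routes to 3, while an unrelated origin (AS64511) is unaffected.
BEFORE = make_snapshot(70, 64510, 10) + "\n" + make_snapshot(40, 64511, 172)
DURING = make_snapshot(3, 64510, 10) + "\n" + make_snapshot(40, 64511, 172)


def parse_snapshot(text):
    """Map origin ASN -> set of prefixes it originates in this snapshot."""
    routes = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, as_path = line.split("|", 1)
        origin = int(as_path.split()[-1])   # rightmost ASN in the path is the origin
        routes[origin].add(prefix.strip())
    return routes


def reachable_prefixes(snapshot_text, watched_asns):
    """Number of distinct prefixes currently originated by the watched ASNs."""
    routes = parse_snapshot(snapshot_text)
    return sum(len(routes.get(asn, ())) for asn in watched_asns)


def withdrawal_alert(before_text, during_text, watched_asns, threshold=0.5):
    """Compare the two views; alert when the watched set lost >= threshold of
    its routes. Returns None when there is no baseline to compare against."""
    before = reachable_prefixes(before_text, watched_asns)
    during = reachable_prefixes(during_text, watched_asns)
    if before == 0:
        return None
    lost = 1.0 - during / before
    return {
        "before": before,
        "during": during,
        "lost_fraction": round(lost, 3),
        "alert": lost >= threshold,
    }


if __name__ == "__main__":
    print(withdrawal_alert(BEFORE, DURING, {64510}))
    print(withdrawal_alert(BEFORE, DURING, {64511}))
```

In practice the snapshots would come from a route collector such as RouteViews or RIPE RIS rather than a string, and the watched set would be every ASN registered to the country, but the alert logic is the same: a drop of this size across a whole country is a withdrawal, not a routine flap.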
The disconnect meant that Syria could not communicate with the outside world. It’s not clear whether the outage disrupted Internet communication within the besieged nation’s borders.
Oddly, as pointed out by the Electronic Frontier Foundation, despite the “unprecedented humanitarian crisis” that is ongoing in Syria, the country’s Internet has, for the most part, remained available, offering the world a stark view into a brutal civil war.
You cannot accuse the keepers of the Cool Exploit Kit of not recognizing market trends. Given a rash of recent watering hole attacks and zero-day exploits built around Microsoft’s Internet Explorer browser, it’s no surprise that a 15-month-old IE exploit has been included in the crimeware package.
This is a heap-based buffer overflow flaw allowing remote code execution that affects IE 6 through 9. Researchers from VUPEN demonstrated a successful exploit during the 2012 Pwn2Own contest that was able to bypass the ASLR and DEP (Data Execution Prevention) protections built into Windows. VUPEN’s exploit beat a fully patched version of IE 9 running on a Windows 7 machine.
“This can be achieved by leaking an address of the mshtml.dll module, building a heap spray based on this address and triggering the vulnerability again to execute the payload,” VUPEN said in a blogpost last July, adding that its researchers combined this exploit with another zero-day in order to bypass IE’s Protected mode.
“After triggering the vulnerability for a memory leak to disclose interesting addresses, it is possible to trigger the same vulnerability once again to achieve code execution by overflowing the same buffer in memory with arbitrary values,” VUPEN said.
Microsoft’s Justin Kim said Cool is the only kit to carry the IE exploit.
“For a while it seemed exploit kit writers were not too interested in this vulnerability,” Kim said.
The IE exploit is not the only new addition to Cool. Microsoft said Adobe Reader and Flash exploits have also been added (CVE-2012-0755 and CVE-2013-0634, respectively). The IE attack, however, widens the range of potential victims because of a return-oriented programming technique that identifies which version of the DLL the process has loaded and matches a malicious payload to that DLL.
“The exploit includes not only one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions of mshtml.dll. In the past, there was only one payload per exploit targeting one specific version of the module, usually XP system files or several other 3rd-party files that are without address space layout randomization (ASLR) protection enabled,” Kim said. “With this enhancement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.”
The Cool Exploit Kit was first detected in October in a spate of attacks involving the Reveton ransomware. The discovery of Cool happened after French researcher Kafeine discovered an exploit for a Windows vulnerability first exploited by Duqu. The same exploit ended up in the Blackhole Exploit Kit, leading experts to conclude the same group was running both.
As for the Adobe-related additions to Cool, the most severe seems to be CVE-2013-0634 for Flash, which Adobe patched in February. The exploit injects websites with malicious .SWF files targeting Firefox and Safari users. This is the same LadyBoyle attack used against targets in the aerospace industry, signed with digital certificates stolen from Asian gaming companies, as outlined in the Winnti research done by Kaspersky Lab. Tibetan activists were also targets of these attacks.
Android’s security gets its share of grief, but perhaps it’s been a bit misguided. Like many other popular open source technologies, there are a number of different flavors of the mobile platform, each with its own security properties and nuances.
That’s why the Pentagon’s decision to endorse the use of Android inside the Department of Defense merits a second look. This wasn’t a wholesale blessing of Android as a platform, but a specific accreditation of one hardened version of the OS. And for now, that’s the way it’s got to be.
Android’s security woes aren’t necessarily tied to a shoddy OS or an exposed kernel; there have been few documented exploits of either. Instead, hackers find it much more economical to chip away at the application ecosystem around it. It’s trivial to write a malicious app, sneak it past the sleeping guard at the gate of the Google Play store or some third-party site serving Android apps, to then own a bunch of devices.
What’s difficult and expensive is writing exploits for known vulnerabilities at the core of the platform. Exploit writers have a difficult time circumventing Apple’s top-to-bottom control over iOS. Apple not only keeps its source code closed, but also lords over hardware manufacturing and shipping. You don’t have the angst Android suffers with its handset makers and wireless carriers force-feeding users their apps, or holding back on features and security updates. And never mind the walled garden that is the Apple App Store, which requires all apps developed for iOS be signed by Apple and that developers actually prove they are who they say they are. This is very much unlike Google Play where a credit card gets you in the door for keeps.
That’s the plight of the consumer Android user whose personal and payment information is at risk to the exploits of identity and credit card thieves. Enterprises whose intellectual property is the soul of the business have been flailing in the wind because of BYOD, finding it near impossible to meet the demands of a mobile workforce, yet keep data safe. That’s a different realm where the network access afforded by a mobile device could result in a company’s secret sauce walking out the door. The DoD’s approach is one that more organizations could soon emulate given that surely some hacker somewhere is already poking holes in the Android OS rather than building another untrustworthy app.
“I’d argue that mobile operating system and platform security is a major concern for security-sensitive organizations, more so than the application ecosystem,” said Duo Security CTO Jon Oberheide. “Many malicious applications out there, or at least the ones that folks like the DoD are concerned with, target the mobile platform itself and exploit latent vulnerabilities that allow an attacker full control over the device.”
Recently, Azimuth Security researcher Dan Rosenberg was able to exploit a vulnerability in the Trust Zone running on a number of Motorola Android devices that allowed him to jailbreak the device. The outcome was relatively benign, but he proved that a kernel-level exploit could be pulled off, and others surely were watching.
Trust Zone is a security technology integrated into ARM processors that allows a device to run security-related code in a separate kernel, isolated by the processor from whatever else is running on the phone, Rosenberg explained.
“Trust Zones have been black box technologies in the past and not a lot of research has been done on the various implementations and whether they are robust,” Rosenberg told Threatpost. “So a lot of people treated it as a one size fits all solution because no one looked at it. Finding vulnerabilities in the Trust Zone could have significant ramifications for the security of devices if the platform is relying on Trust Zones to do security tasks.”
One such device that will implement Trust Zone is the Samsung KNOX-based Android phone endorsed by the DoD. KNOX borrows from the desktop security world heavily with its use of virtualized partitions, or containers, to separate business data from personal data on the same device. The Qubes operating system developed by Joanna Rutkowska operates on a similar, yet stricter concept, separating the operating system into separate domains. Each domain has its own security policy and access controls.
“KNOX seems like one of the first Android solutions that takes a multipronged approach to securing the platform, segmenting data and implementing hardening measures to secure the OS and kernel, which is frequently missing from security solutions,” Rosenberg said. “Many rely on the OS as a trusted base, but the reality is, if you’re able to exploit the OS, you can subvert the protections sitting on top of it. This is one thing they’re doing well, but only time will prove if the implementation is robust.”
Android malware numbers, again mostly via applications, continue to climb. Duo Security’s X-Ray mobile vulnerability assessment application was introduced last summer. In September, a first run-through of the application against Android devices showed that more than 50 percent had unpatched vulnerabilities.
“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far,” Oberheide wrote in a blogpost at the time. “We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”
Indeed, the carriers and handset makers have come under fire for failing to provide timely security updates for Android, contributing to the skyrocketing numbers of malicious apps and exposed vulnerabilities. In February, the U.S. Federal Trade Commission came down hard on handset maker HTC, and in April, the American Civil Liberties Union asked the FTC to investigate the four leading wireless carriers’ lack of Android security updates for consumers.
KNOX seems to be a positive step forward, but even the experts are cautious.
“Knox adds a good deal of security functionality beyond the core Android platform, but like any security technology, isn’t perfect,” Oberheide said, noting Rosenberg’s Trust Zone hack. “I expect many more to surface as that attack surface attracts more attention.”
The attack that employed compromised Apache Web server binaries is turning out to be more complex than originally thought, as researchers now have found that the attackers also are using Trojaned Nginx and Lighttpd binaries as part of the campaign. More concerning, though, is the possibility that the attackers also have compromised a number of DNS servers and are using them to change crucial elements of the campaign on the fly and help hide their tracks.
The new details of the attack campaign, which researchers have dubbed Linux/Cdorked, show that the attackers have cast a wider net than what was found originally and have access to a wider range of compromised machines. Researchers at ESET who have analyzed the attack say that the group behind the attacks may have been active since December 2012. The researchers have discovered more than 400 Web servers compromised by this malware, and that some of them are among the most highly trafficked sites on the Web.
Still, even with the new details and further investigation into the attack, researchers aren’t sure how the attackers are getting their malware onto the compromised Web servers.
“We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by a malicious actor to serve malicious content from legitimate websites,” Marc-Etienne M. Leveille of ESET wrote in an analysis of the attacks.
The general pattern of the attacks involves the attackers modifying Web server binaries on target sites, then using the malicious binary to serve code to certain users that redirects them to a malicious site. The user may then be redirected to a third site, but the end goal is to push the victim to a site that serves the Blackhole exploit kit. On mobile devices, such as iPhones and iPads, users are redirected to porn sites.
The attackers in this campaign are being quite careful to hide their actions, both at the client level and in a larger sense. In addition to keeping a large blacklist of IP ranges that the malware will not redirect to malicious Web sites, the attackers also appear to be using compromised DNS servers to change domains and subdomains quickly. The construction of the URLs for the domains that are part of the redirection chain for the Cdorked malware has a peculiar format, and after looking into them, the ESET researchers came to the conclusion that the DNS servers being used have been compromised.
“The peculiar format of the subdomains and the fact that they are constantly changing strongly suggested that the DNS servers were also compromised. We did some tests where we modified the characters of the subdomain and in some cases the IP address in the response changed. With some more testing we were able to confirm that the IP address returned by the DNS request is actually encoded in the subdomain itself. It is using the characters at odd positions to form a 4-byte-long hex string to decode the IP address from. A basic chained XOR cipher is used to encode the IP address,” Leveille said. “Due to the algorithmic nature of this behavior, we see no other explanation than the presence of trojanized DNS server binaries on the nameservers involved in Linux/CDorked.A.”
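For an analyst sifting resolver logs, the useful consequence of Leveille's finding is that the redirect target can be recovered from the query name alone, without ever contacting the rogue nameserver. The block below is an added example, not ESET's code. The article gives only the shape of the scheme (the IP hidden as four hex bytes in the odd-position characters, decoded with a chained XOR), so the key byte, the chaining direction, the 0-based position convention and the 16-character label length used here are assumptions for illustration; the resolver log lines are constructed.

```python
"""Decoder for Linux/Cdorked-style DNS subdomains as described above.
Added example; key, chaining order and label length are ASSUMED, and the log
lines are constructed, not captured traffic."""
import string

KEY = 0x5A                   # assumed key byte; the real value is not in the article
HEX = set(string.hexdigits)


def chained_xor_decode(data, key=KEY):
    """Undo a chained XOR: the first byte is XORed with the key, each later
    byte with the previous *encoded* byte (assumed chaining order)."""
    out = bytearray()
    prev = key
    for b in data:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def chained_xor_encode(data, key=KEY):
    """Inverse of chained_xor_decode; used only to build the constructed sample."""
    out = bytearray()
    prev = key
    for b in data:
        prev = b ^ prev
        out.append(prev)
    return bytes(out)


def build_subdomain(ip, filler="abcdefgh", key=KEY):
    """Constructed encoder: hex of the encoded IP at odd (0-based) positions,
    filler characters at even positions, giving a 16-character label."""
    assert len(filler) == 8
    enc = chained_xor_encode(bytes(int(p) for p in ip.split(".")), key).hex()
    return "".join(f + h for f, h in zip(filler, enc))


def decode_subdomain(label, key=KEY):
    """Return the dotted quad hidden in a 16-character label, or None when the
    label does not fit the pattern."""
    if len(label) != 16:
        return None
    hexs = label[1::2]                       # characters at odd positions
    if any(c not in HEX for c in hexs):
        return None
    return ".".join(str(b) for b in chained_xor_decode(bytes.fromhex(hexs), key))


# Constructed resolver log lines; only the first carries an encoded label.
LOG_LINES = [
    f"2013-05-01T10:00:00Z client=192.0.2.10 q={build_subdomain('198.51.100.23', 'qwertyui')}.cdn-example.test A",
    "2013-05-01T10:00:01Z client=192.0.2.11 q=www.example.org A",
    "2013-05-01T10:00:02Z client=192.0.2.12 q=mail.example.org MX",
]


def scan_log(lines, key=KEY):
    """Flag queries whose leftmost label decodes under the assumed scheme."""
    hits = []
    for line in lines:
        name = next((f[2:] for f in line.split() if f.startswith("q=")), None)
        if not name:
            continue
        ip = decode_subdomain(name.split(".")[0], key)
        if ip is not None:
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in scan_log(LOG_LINES):
        print(f"{name} -> {ip}")
```

Any 16-character label with hex digits at the odd positions will decode to some address, so a single hit is weak evidence; what made ESET's case was that changing characters changed the answer deterministically. A detection rule should therefore corroborate across many queries to the same zone before raising an alert.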
Web security researchers say that the tactics the attackers are using are not the most efficient ones and that they are causing themselves some unnecessary trouble.
“This has all the disadvantages of a typical root compromise, meaning that the attacker must now find a way to escalate privileges to root. The main advantage to using this sort of backdoor is that web masters typically don’t monitor or back up anything outside of the web root and in many cases don’t even have access to do so in shared hosting environments. This means the attacker naturally gets persistence where a typical modification to source code or .htaccess files would be fixed relatively quickly,” said Robert Hansen, a noted security researcher and director of product management at White Hat Security.
Industrial control minded researchers from the security firm Cylance launched a custom exploit against a building management system deployed at Google’s Sydney, Australia office, gaining access to a configuration file containing device administration passwords that could be used to gain complete control of the device in question.
This vulnerability in Tridium’s Niagara framework affects an unknown number of organizations aside from Google. In fact, Tridium claims on its website that “there are over 245,000 instances of the Niagara Framework deployed worldwide.” Cylance said its scans revealed some 25,000 similarly vulnerable systems facing the Internet.
In Tridium’s words, Niagara “is a software platform that integrates diverse systems and devices regardless of manufacturer or communication protocol into a unified platform that can be easily managed and controlled in real time over the Internet using a standard web browser.” In other words, the framework acts as a hub between disparate devices using seemingly incompatible communication protocols, controlling various aspects of office management. Cylance’s Billy Rios described Tridium Niagara via email as a general purpose ICS and building management device.
In this case, Cylance researchers claimed to find that the vulnerable device had access to Google’s HVAC systems, alarm panels, and a variety of other building management features. A root exploit of this kind could potentially give attackers the ability to manipulate heating systems, turn off alarms, and maybe even unlock locked doors and perform other nefarious deeds, though this would ultimately depend upon the specific device configurations.
Rios told Threatpost that Google’s specific Tridium device was configured primarily to control HVAC systems on Google’s campus. However, organizations custom build their own interfaces to control a wide range of attached devices. Rios claimed that the same devices have been implemented by other companies to manage energy, lighting, fire, security, intrusion, elevator and access controls.
Cylance has been aware of this vulnerability for six months. As part of a larger project designed to uncover vulnerable, Internet-facing industrial control systems, Cylance researchers performed a scan looking for vulnerable Tridium Niagara devices. Their collective interests were thoroughly piqued when it turned out that Google had one such vulnerable device installed in their Wharf 7 offices in Sydney.
Upon further investigation, Cylance’s researchers determined that the embedded device was running a slightly outdated version of the platform software on the Unix-like QNX operating system. Using information the researchers already knew about the device, they built a custom exploit and managed to extract the device’s highly sensitive config.bog file, which reportedly contains usernames and passwords for all of the device’s users. Once an attacker has an administrator’s username and password, that attacker effectively can take control of the device at will.
Cylance researchers poked around a bit and saw that the device had access to Google’s HVAC systems and a variety of other building management features. They could have, but ultimately did not, root the device for full system access.
Cylance reported the issue as part of Google’s Vulnerability Rewards Program, but the disclosure did not qualify for VRP reward money. Google has since pulled the system offline, according to the report.
*Image of Google offices, Sydney, Australia via Br3nda’s Flickr photostream, Creative Commons