Threatpost for B2B
This was a two-for-one deal that Windows administrators could have done without.
Already expecting one patch for an Internet Explorer zero-day being actively exploited, admins got fixes for two zero days instead yesterday as part of Microsoft’s October 2013 Patch Tuesday security updates.
The second caught everyone by surprise, especially organizations already swaying in the wind without a patch for one IE bug being used in active attacks, and for which a Metasploit exploit was available. The bonus fix was for an unrelated bug in the wild for close to a month and also targeting organizations in Japan and Korea, similar to the first zero day.
Researchers at the National Cyber Security Centre of the Netherlands, IOprotect GmbH and Trustwave’s SpiderLabs were credited in the advisory by Microsoft for reporting the vulnerability. SpiderLabs’ Director of Security Research Ziv Mador told Threatpost the company’s researchers were monitoring an attack server that had up until two weeks ago been serving exploits for patched vulnerabilities only. That changed on Sept. 12, Mador said, when an IE 8 exploit bubbled to the surface that his researchers hadn’t seen before.
“It is being used to distribute general malware,” Mador said. “Unlike the previous zero day in IE, this one distributes malware to steal credentials from online gamers, or disrupt access to banking sites. It’s general malware, not targeted attacks.”
The previously reported IE zero day had been used in very targeted attacks against Japanese media companies. The media sites were compromised as part of a watering hole attack and were serving exploits, according to researchers at FireEye, targeting government, high-tech and manufacturing organizations in Japan. FireEye called it a large-scale intelligence gathering operation.
Microsoft had released a Fix-It tool as a temporary mitigation upon disclosing that attacks were in the wild. Last Friday, a Metasploit exploit module was added to the toolkit, ramping up the possibility that more widespread attacks could be imminent.
The second zero day targeted users in Japan and Korea via drive-by downloads. One feature was its ability to identify the language the infected machine was configured for. If neither Japanese nor Korean, IE would redirect to Google and the attack would be terminated, Trustwave said in a blogpost.
However, if the language check passes and the browser is IE 8, the attack uses ROP chains to bypass memory protections native to Windows such as DEP and ASLR.
The attack payload includes no fewer than 10 drivers, executables and DLLs dropped onto the victim’s machine, Trustwave said. It will try to disable a number of security products on the computer, redirect banking sites to an attacker-controlled domain and also has components that try to steal gaming credentials.
“The exploit is not trivial and these types of exploits are often not trivial. They require a number of quite creative combinations to work,” Mador said. “That was the case here.”
In addition to the ROP chains, the attack also uses the DOM Element Property Spray technique used in the other IE zero day patched yesterday.
“There are a million ways to develop HTML pages or Web applications, so many attributes, tags, scripts. People who develop browsers have to deal with a huge amount of possible scenarios,” Mador said, pointing to a number of natural places where vulnerable code could lurk in the parsing and rendering of any of these components.
“When we look at exploit code for browser vulnerabilities, quite often they use weird combinations from an HTML perspective that don’t make sense,” Mador said. “They don’t seem to show anything interesting, but the purpose of the combinations is to trigger some vulnerability in the code parsing or memory management.”
The patch was part of a cumulative update for IE addressed in MS13-080; IE has been patched nearly every month in 2013, including an out of band patch earlier this year.
Microsoft and Adobe weren’t the only companies releasing security updates yesterday. BlackBerry piled on the patch parade with an update for its BlackBerry Enterprise Service 10 mobile device management product, fixing a remote code execution vulnerability.
The problem lies in the Universal Device Service (UDS) that’s installed by default in BlackBerry Enterprise Service (BES) versions 10.0 to 10.1.2. If an attacker has access to the corporate network that’s hosting the UDS and can determine its address, they can execute code as the BES10 admin service account without authentication.
This is because JBoss, BES10’s open source hosting environment, is misconfigured. In its current incarnation, JBoss allows non-admin users to upload packages and make them available to clients. If successfully exploited, the vulnerability also lets attackers execute arbitrary code.
It sounds easier said than done though.
“In order to exploit this vulnerability, an attacker must use the Remote Method Invocation (RMI) interface to serve a malicious package to JBoss from a second server on the network that is not blocked by a firewall,” reads BlackBerry’s advisory.
If for some reason BlackBerry users can’t update their system right away, there are a series of workarounds, which BlackBerry considers “temporary measures,” that users can follow. These mitigations involve tweaking the RMI interface, blocking certain ports and updating Java.
BlackBerry’s BES10 is a mobile device management solution that allows IT professionals to control their users’ BlackBerry devices, Android devices, and iOS devices. Administrators can install and revoke licenses, manage accounts and conduct day-to-day administrative tasks with the service.
While the company is not aware of any attacks exploiting the vulnerability, BlackBerry is urging all Enterprise Service 10 administrators to apply the software update that was released yesterday on the company’s Knowledge Base site.
As expected, Microsoft began shipping its latest batch of Patch Tuesday patches earlier this afternoon. However, while it was heavily presumed the update would fix at least one Internet Explorer zero day, the update actually fixes two critical vulnerabilities in the browser.
Eight bulletins (four of them critical) and 28 vulnerabilities in total are addressed by the update, the 10th anniversary release of the company’s popular flaw remediation program.
Naturally, at the top of the list is MS13-080, which addresses the much-buzzed-about use-after-free bug (CVE-2013-3893) in the Microsoft HTML rendering engine in IE. The zero day targeted all builds of IE over the course of the last month or so, and this patch, which also loops in nine other IE fixes, builds off of a FixIt tool Microsoft released for the issue in mid-September.
Among those nine IE vulnerabilities, CVE-2013-3897 is also getting the attention of researchers today. The issue, a memory corruption vulnerability that’s been spotted in targeted exploitation, was discovered in part by the National Cyber Security Centre of the Netherlands, according to Microsoft.
Trustwave’s SpiderLabs posted a brief synopsis of the vulnerability today and claims the zero day has been in the wild for more than a month and campaigns initially targeted Japanese and Korean users.
According to Wolfgang Kandek, the CTO of cloud security firm Qualys, the vulnerability was still shoehorned into Internet Explorer’s cumulative security update, despite only recently being discovered.
“In the last two weeks, attacks against the same vulnerability became public, again limited and targeted in scope, but since the fix was in the code already, it enabled Microsoft to address the vulnerability… in record time,” Kandek said Tuesday.
Much like the use-after-free bug, attacks against CVE-2013-3897 were spotted in the wild but weren’t widespread enough to force Microsoft to issue an out-of-band patch before this week’s update.
The rest of the month’s updates address remote code execution issues in Windows, Office, .NET, Server, SharePoint and an information disclosure issue in Silverlight.
While they’re not known to be actively exploited, three of those issues are marked critical, including vulnerabilities in both Windows’ kernel mode driver (MS13-081) and .NET Framework (MS13-082) that stem from problems with embedded OpenType fonts.
The last critical issue involves a remote, server-side vulnerability in ASP.NET that could let attackers send a specially crafted web request to an ASP.NET web app running on an affected system and in turn, run arbitrary code.
Rapid7’s Ross Barrett, senior manager of security engineering, called the vulnerability a “real, honest to goodness, potentially ‘wormable’ condition” Tuesday, warning it could spread rapidly.
“If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested,” Barrett said.
The rest of the patches address relatively minor issues, at least in comparison to the IE vulnerabilities, in SharePoint, Microsoft Word, Excel and the company’s application framework, Silverlight.
Per usual, the updates will be deployed on most users’ machines automatically over the next day or so. Those who don’t have automatic updates enabled, especially those who run any version of Internet Explorer, will want to check for the updates and install them manually.
One day after announcing that it had paid researchers $28,000 for reporting a number of vulnerabilities in Internet Explorer 11, Microsoft revealed that it has written a much bigger check, this one for $100,000, to a researcher who has discovered a new attack technique that bypasses all of the exploit mitigations on the newest version of Windows.
James Forshaw, a researcher who also won a reward in the IE 11 bounty program this summer, submitted the technique to Microsoft, which validated it. The reward is part of the company’s bug bounty program that incentivizes researchers to look for novel attack techniques that can defeat the modern anti-exploit technologies such as DEP and ASLR implemented in Windows. The program was announced in June, but Forshaw’s technique is the first one to qualify for the $100,000 payout.
Microsoft officials said that one of the company’s security engineers had discovered a portion of the technique as well, but that didn’t prevent Forshaw from winning the bounty. Katie Moussouris, a senior security strategist at Microsoft, said that the company won’t disclose the details of Forshaw’s technique until engineers have had a chance to analyze it and implement defenses in Windows.
“Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique. Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty,” Moussouris said.
“While we can’t go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.”
The $100,000 reward program is an ongoing one through which Microsoft aims to spur researchers to look for new offensive techniques that can get past the state-of-the-art exploit mitigations. It’s the first time that Microsoft has offered monetary rewards for vulnerability or attack information, following the company’s successful Blue Hat Prize contest, which paid large rewards for novel defensive techniques. Moussouris, who spearheaded the work on both the Blue Hat Prize and the bug bounty program, said that the company was motivated to help find and protect users against large classes of attacks rather than individual bugs.
“We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James’ entry will help us improve our platform-wide defenses and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues,” she said.
Adobe, still reeling from the public disclosure of a massive breach of source code and customer information, released two security advisories today patching vulnerabilities unrelated to the recent break-in.
The first concerns a vulnerability in Adobe RoboHelp 10 for Windows that could allow an attacker to remotely run malicious code on the underlying system supporting the software. RoboHelp 10 is publishing software that enables users to collaboratively develop HTML 5 websites. Content can also be delivered onto third-party software formats such as PDF and mobile apps.
Adobe gives this vulnerability a relatively low priority rating of 3 and said it is not aware of any public exploits of this bug. The security update can be found here.
Adobe, meanwhile, has not commented further on the breach which was made public last Thursday. The company was compromised sometime between July 31 and Aug. 15, and the attack was not discovered by Adobe until Sept. 17. The company disclosed that in addition to the hackers accessing source code for a number of products including Adobe’s ColdFusion Web application server, Acrobat, Publisher and possibly other products, close to three million customer records, including encrypted credit card numbers, were stolen.
On Friday, it was revealed that the gang behind the Adobe attacks had also infiltrated other large companies that were in the process of being notified. The attackers have been active for much of the year using ColdFusion exploits to hit a number of high-value targets. ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4 when the company reported that ColdFusion exploits were in the wild for unpatched vulnerabilities in the software.
“I would characterize the breach as one of the worst in U.S. history because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked,” said Alex Holden of Hold Security LLC, who along with security reporter Brian Krebs discovered and investigated a 40Gb stash of Adobe data found online. “This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses.
“This gang is sophisticated and some new things may follow, I’m sure,” Holden said. “The source code leaks and attacks sourced from this situation may be devastating.”
A popular Android mobile ad library available on Google Play can be used to collect device data or execute malicious code, security researchers have discovered.
The most alarming aspect to the library is that close to 2 percent of Android apps with more than 1 million downloads on Google Play use this particular library, and those apps have been downloaded more than 200 million times, researchers at FireEye said yesterday.
The researchers won’t disclose the name of the library, but said they have informed Google and the library’s vendor, both of whom are reportedly addressing the situation.
Mobile ad libraries enable apps to host advertisements; they generally collect IMEI and IMSI device identifiers. But this particular library, nicknamed Vulna by FireEye, is far more intrusive and capable of collecting text messages, contacts and call details, as well as having the capability to execute code.
“Vulna [also] contains a number of diverse vulnerabilities,” FireEye researchers said. “These vulnerabilities when exploited allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet.”
One of the vulnerabilities discovered by FireEye is the practice of transferring users’ private information in plain text over HTTP, allowing an attacker to view it. The library also uses HTTP for receiving orders from its command and control server. “An attacker can convert Vulna to a botnet by hijacking its HTTP traffic and serving malicious commands and code,” the researchers said.
The researchers said the library puts the user’s device at risk to a number of exploits, including man-in-the-middle attacks over public Wi-Fi hotspots or even DNS hijacking attacks, redirecting the device’s mobile browser to an attacker-controlled site.
Worse, the library’s activities are difficult to detect because the commands it receives from the C&C server use data encoded in the HTTP header fields rather than in the response body. Source code is obfuscated as well, the researchers said, adding that its behaviors are difficult to analyze.
“In one popular game, Vulna is executed only at certain points in the game, such as when a specific level is reached,” the researchers said, adding that any malicious behavior happens in the background away from the reach of the user.
FireEye cautions that malicious ad libraries such as Vulna are a growing threat, especially for enterprises that allow personal mobile devices to access network resources.
“[These] ad libraries are disturbingly aggressive at collecting users’ sensitive data and embedding capabilities to execute dangerous operations on demand, and they also contain different classes of vulnerabilities which allow attackers to utilize their aggressive behaviors to harm users,” FireEye said. “App developers using these third-party libraries are often not aware of the security issues in them.”
An out-of-the-blue tweet from a Dutch researcher kicked off an unprecedented 24-hour rumor mill yesterday concerning the arrest of Paunch, a hacker allegedly behind the notorious Blackhole Exploit Kit. The arrest, finally confirmed today by the head of the European Cybercrime Centre (EC3), is likely to put a dent in the shadowy cybercrime underworld.
Blackhole is the most well-known malware kit available on the darknet; the kit is leased out to criminals who use the many browser exploits available within the kit to infect users. Cybercriminals use malicious links to lead users to compromised sites and the exploit kit then will determine which exploits will work on the victim’s PC and use them to compromise the machine.
Troels Oerting, who runs the EC3 out of The Hague in the Netherlands, confirmed to TechWeek Europe that Paunch was in custody.
“I know it’s true, we got some information, but I cannot say anymore,” Oerting is quoted as saying, adding that he could not share further details.
The rumor mill kicked off after a tweet from Fox-IT security researcher Maarten Boone announced Paunch’s arrest in Russia. Shortly thereafter, French security researcher Kafeine told Threatpost via email that the kit’s Java archive files had not been updated in almost four days, an indication something was afoot. He provided Threatpost with a graphic, above, that shows a number of Blackhole sites returning gateway errors or JAR files that have been ignored for days; Blackhole JAR files are updated sometimes twice daily.
Kafeine also said that distribution of the Reveton ransomware malware has moved from Blackhole to the WhiteHole Exploit kit. In addition, crypt[.]am, an online service allegedly run by Paunch was unreachable yesterday; the service is used to encrypt portions of the exploit kit.
Aleks Gostev, chief security expert for the Kaspersky Lab Global Research & Analysis Team, also confirmed via anonymous sources that the arrest was made.
“Three scenarios are [now] feasible: Blackhole can disappear, be taken over by other developers, or replaced by other exploit kits,” Gostev said. “What combinations of these scenarios will happen, we will see.”
In January, the Cool Exploit Kit surfaced online, also allegedly built and maintained by Paunch. Cool, however, is much pricier than its older brother, fetching close to $10,000 in monthly lease fees compared to $500 a month for Blackhole.
At the time, Cool made use of a number of browser zero-days that were meant to be kept private, while Blackhole, a hosted service, is a package of known exploits targeting patched bugs, generally browser redirects that force a victim’s browser to an attack site where more malware awaits. Recently, Blackhole shifted away from exclusively offering browser-based bugs, and began folding in exploits for Java, Adobe Reader and Flash.
In 2011, the source code for Blackhole leaked online, which just served to make the landscape for vulnerable organizations that much hairier. But that didn’t hurt business for Paunch and his gang, the alleged creator of Blackhole, who re-invested more than $100,000 in browser and browser plug-in vulnerabilities, according to a post on an underground forum reported by Krebs on Security in January of this year.
As part of its first-ever bounty program, Microsoft has paid out $28,000 to a small group of researchers who identified and reported vulnerabilities in Internet Explorer 11. The IE 11 bounty program only ran for one month during the summer, but it attracted a number of submissions from well-known researchers.
The Microsoft bug bounty program for IE 11 began in June and ended in late July, during the preview period for the browser. Researchers who reported vulnerabilities in the latest version of the company’s browser had the opportunity to earn as much as $11,000. None of the researchers who submitted bugs during the IE 11 window came close to a reward at that level, with the highest payment being $9,400 to James Forshaw for four vulnerabilities discovered in IE and a bonus for finding some IE design vulnerabilities.
Microsoft’s reward program was announced in June after many years of speculation by security researchers about the company’s intentions. Microsoft officials had said in the past that the company didn’t need to pay rewards for vulnerabilities because many researchers came directly to Microsoft with details of new vulnerabilities. That state of affairs changed over the course of the last year or so, leading Microsoft to establish its own take on the bug bounty programs run by many other software vendors.
Unlike Google, PayPal and others, Microsoft’s program, outside of the IE 11 reward, is mainly geared toward paying for innovative attack techniques. The company is offering as much as $100,000 for offensive techniques that are capable of bypassing the latest exploit mitigation technologies on the newest version of Windows. That program is still ongoing.
Among the other researchers who received rewards from Microsoft in the IE 11 program are Peter Vreugdenhill of Exploit Intelligence, Fermin J. Serna of Google, Masato Kinugawa, Ivan Fratric of Google and Jose Antonio Vazquez Gonzalez of Yenteasy Security Research.
The $28,000 Microsoft paid during the IE 11 program isn’t a big number in the grand scheme of things, particularly when compared to the tens of thousands of dollars Google pays out on a regular basis for Chrome bugs. But the researchers who submitted bugs to the program are a good indication that the security community is taking Microsoft’s program seriously, despite the relatively low payments available.
Taiwanese electronics company Asus has released an update for one of its routers that corrects an authentication bypass vulnerability discovered in the devices over the summer.
The vulnerability is in Asus’ RT-N10E brand of routers, sold primarily throughout Europe, China and South America.
According to a note on Carnegie Mellon’s CERT Vulnerability Notes Database late Friday, the problem is that once an attacker gains access to the device, they can make their way to a certain website and learn the device configuration without entering log-in credentials.
The site, http://RouterIPAddress/qis/QIS_finish[.]htm, bills itself as the most comprehensive Router Database and is commonly used by end users to research router information and settings worldwide.
The vulnerability (CVE-2013-3610) allows attackers on the local area network to view information, including the device’s administrator password, that should only be viewable to authenticated users.
Firmware update 184.108.40.206 fixes the vulnerable versions, 220.127.116.11 and earlier and also addresses two other, unrelated issues involving an “abnormal disconnection” and a problem with “IPTV connection stability after PPPoE reconnect.”
Those not interested in updating can apply a workaround: restricting network access to the router’s system web interface.
A long list of influential security, privacy and technology experts, largely from academic circles, has petitioned the NSA review board to include a technologist among its ranks.
The board, established on Aug. 12 by Director of National Intelligence James R. Clapper upon the orders of the president, is supposed to provide oversight over the U.S. intelligence community’s signals-intelligence and surveillance capabilities. Clapper’s three-paragraph announcement of the board also spoke of the need to balance the country’s national security needs with the need to maintain public trust.
But experts have slammed the board’s makeup because it includes a number of people with close ties to either the White House or the Democratic Party. Richard Clarke, former presidential cybersecurity advisor to President George W. Bush, leads the list of panelists familiar to the security industry. The four other panelists are Peter Swire, former OMB privacy director under President Bill Clinton; Michael Morrell, former deputy CIA director under President Obama; Cass Sunstein, former administrator of the White House Office of Administrative and Regulatory Affairs; and Geoffrey Stone of the University of Chicago, an informal advisor to Obama’s 2008 campaign.
The review panel, formally known as the Director of National Intelligence Review Group on Intelligence and Communications Technologies, needs to understand the implications of the NSA’s and others’ technical collection capabilities in order to fulfill its charter, the letter to the board states.
“A technologist can situate advancements in modern technology, how they work, what is possible, how data moves through infrastructure and how modern technology may implicate privacy and security,” the group wrote in its letter.
The letter spells out the challenges and potential ramifications of improperly gauging the impacts of the surveillance activities and capabilities, adding that the review group will not be successful in gaining a comprehensive understanding of the surveillance systems in place without an independent technologist with no ties to the intelligence community or to political groups tied to intelligence. The group also used the Foreign Intelligence Surveillance Court as an example of an oversight body whose lack of adequate technical understanding has led to potentially negative consequences.
“Without an understanding of the technical details of the surveillance programs, the FISC has been forced to accept unsupported assertions that the government has made about these programs,” the letter says.
The experts hope the review panel assesses the FISA court’s technical understanding of the programs it oversees and adds a technology advisor to that body as well.
The list of luminaries among the 47 who signed the letter, coordinated by the Electronic Frontier Foundation and the Center for Democracy and Technology, includes a number of security and technology pioneers such as Steve Bellovin, Ross Anderson, Ed Felten, Matthew Green, Peter Neumann, Bruce Schneier and Phil Zimmermann. The experts spend considerable space in the letter explaining their concerns over the NSA’s alleged subversion of encryption standards and undermining of popular algorithms with backdoors. The letter covers the supposed backdoor implanted by the NSA in the Dual EC DRBG random number generator central to a number of software products. RSA Security has been the highest profile company urging developers to steer clear of the algorithm, which is used in its BSAFE cryptographic tools and libraries, used at many large companies and government agencies.
The letter also scolds the NSA and GCHQ in the United Kingdom for their alleged hacking of computers to gain pre-encryption access to communications, accusing them of using bogus digital certificates by subverting legitimate certificates or legally ordering Internet companies to use an NSA-owned CERT.
“In the NSA’s dual role as both an information assurance and signals intelligence entity, clearly the signals intelligence mission has trumped information assurance,” the letter said, warning also that companies in the United States may begin to look overseas for security products, and that standards bodies such as the National Institute of Standards and Technology (NIST) may lose their clout because of covert intelligence activity to undermine standards, forcing rogue standards groups to pop up around the world, threatening the compatibility and security of products.
“The Review Group must have deep, competent technical expertise. You must also have access to granular technical details to do this work and you must be able to properly situate the technical reality you find behind the veil of secrecy surrounding the surveillance programs,” the letter concludes. “You must recognize that current NSA surveillance activities make everyone less secure and call into question the extent to which human rights translate into the online environment.”
The latest Snowden documents, made public today, suggest the National Security Agency is able to peel back the veil on a small fraction of Tor users at a time, but overall the integrity of the anonymity network remains intact.
Tor promises its users a level of anonymity online for their Web activities by routing traffic through layers of proxies on the network until packets reach their final destination. The network is used by journalists, activists and other privacy-conscious individuals to keep communication secret.
According to a pair of articles in the Guardian today, the NSA has had some success identifying targets using Tor and then hacking into their computers. Expert Bruce Schneier goes into depth explaining a program called FoxAcid, which matches the vulnerabilities discovered on Tor users’ computers to attacks developed by the NSA.
“Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA,” Schneier said. Schneier, a cryptography pioneer and noted author of cryptography and security manuals, was invited by the Guardian to review the top secret cache of documents taken by Edward Snowden, a former NSA contractor now living in exile in Russia.
The secret to FoxAcid’s success is its ability to target vulnerabilities in the Firefox browser belonging to the Tor browser bundle, Schneier said. Another secret set of servers, code-named Quantum, lives on the Internet backbone, placed there by the NSA because of secret partnerships with telecommunications companies in the United States, Schneier said. Because of their location, Quantum servers exploit a race condition between the NSA box and the intended webserver; Quantum is quicker to react to web requests than standard web servers are.
“By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond,” Schneier wrote, “thereby tricking the target’s browser to visit a FoxAcid server.”
Quantam servers can impersonate almost any targeted website because of their position on the backbone, including Google in some cases. The NSA then uses injection attacks to redirect web requests to their machine in order to spy on intended targets, the article said.
The materials released today by the Guardian are based on a number of presentations taken by Snowden while working for the NSA. Most are about subverting Tor, which apparently has been a frustrating target for the NSA, as indicated by the title of one presentation: “Tor Stinks.”
“We will never be able to de-anonymize all Tor users all the time,” a slide within the NSA presentation states. “With manual analysis, we can de-anonymize a very small fraction of Tor users.”
The documents also provide details and insight into proof-of-concept attacks that target Tor exit nodes, something that would allow an attacker in control to identify traffic leaving the network.
“The proof-of-concept attack demonstrated in the documents would rely on the NSA’s cable-tapping operation, and the agency secretly operating computers, or ‘nodes’, in the Tor system,” the Guardian article says. “However, one presentation stated that the success of this technique was ‘negligible’ because the NSA has ‘access to very few nodes’ and that it is ‘difficult to combine meaningfully with passive [signals intelligence].’”
Tor was in the news this week in another large breaking story. The takedown of the Silk Road online drug and hacking marketplace was announced yesterday, including the arrest of ringleader Ross William Ulbricht, also known as Dread Pirate Roberts. Silk Road was accessible only through Tor, keeping transactions relatively private; the site operated for years and generated more than $1 billion in sales, according to court documents.
Ulbricht and Silk Road, however, did not compromise any facet of the Tor network, and according to law enforcement, Ulbricht was arrested only because of mistakes in operational security.
“Also, while we’ve seen no evidence that this case involved breaking into the webserver behind the hidden service, we should take this opportunity to emphasize that Tor’s hidden service feature (a way to publish and access content anonymously) won’t keep someone anonymous when paired with unsafe software or unsafe behavior,” a blogpost on the Tor website two days ago said. “It is up to the publisher to choose and configure server software that is resistant to attacks. Mistakes in configuring or maintaining a hidden service website can compromise the publisher’s anonymity independent of Tor.”
The attackers behind the Adobe hack and breaches against data brokers such as LexisNexis have also been linked to similar intrusions against other unnamed organizations. Security expert Alex Holden, who along with security blogger Brian Krebs uncovered the data lost in the Adobe breach, said those compromised organizations are being notified.
“We don’t want to disclose who they are because they may still be unaware of the incident and may be still vulnerable,” Holden told Threatpost today.
Adobe went public with some details on its breach late yesterday; the company was compromised sometime between July 31 and Aug. 15, and the attack was not discovered by Adobe until Sept. 17. The company disclosed that in addition to the hackers accessing source code for a number of products including Adobe’s ColdFusion Web application server, Acrobat, Publisher and possibly other products, close to three million customer records, including encrypted credit card numbers, were stolen.
“I would characterize the breach as one of the worst in U.S. history,” Holden said, “because the source code of an end user product such as Adobe Reader and Adobe Publisher was breached and leaked. This allows additional attack vectors to be discovered and viruses to be written for which there are no defenses.
“This gang is sophisticated and some new things may follow, I’m sure,” Holden said. “The source code leaks and attacks sourced from this situation may be devastating.”
In addition, Holden said this gang has been using ColdFusion exploits in other attacks since the beginning of this year—perhaps back into December—adding that he and Krebs also saw a list of 1.2 million potential .org domains running ColdFusion that the attackers could use as targets stored among the stolen data. Such domain lists are available for sale on the underground, Holden said, though he added he was not certain whether this gang had bought such a service.
“This is just one collection of data,” Holden said. “It’s a huge amount of targets, a huge scale.”
ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4 when the company reported that ColdFusion exploits were in the wild for unpatched vulnerabilities in the software. Attackers were targeting three particular vulnerabilities for ColdFusion 10, 9.02, 9.0.1 and 9.0 for Windows. Hackers were using exploits to bypass authentication schemes in ColdFusion and remotely controlling Web servers running the software. Those vulnerabilities were patched Jan. 15, but organizations may have been slow in patching Internet-facing servers, leaving themselves exposed to attack.
Since then, vulnerabilities were patched in the software in May, after weeks prior cloud-hosting company Linode revealed it was breached by attackers using a ColdFusion zero day, and customer records including payment card information were lost. Previously, on Dec. 11, Adobe patched a sandbox permissions flaw in ColdFusion, weeks after an out-of-band patch resolved a denial-of-service vulnerability.
There’s no indication this string of exploits and publicly reported attacks are related to the Adobe hack. Krebs reported yesterday that Adobe chief security officer Brad Arkin was unsure yet whether the attackers who breached Adobe did so using a ColdFusion exploit, only that they had exploited “some type of out-of-date” software. Similar APT-style attacks begin with a phishing email where legitimate credentials are stolen and used to pivot internally on compromised networks.
In the meantime, Holden said today he was still unsure of whether the attacks on Adobe and the data brokers were a criminal operation or nation-state funded, though the attackers are Russian-speaking, he said. Holden’s company, Hold Security LLC, monitors the hacker underground for such activity, including in this case, communication to and from the gang’s server hosting stolen data.
“The host is still alive; the bad guys are still putting stolen data on it,” Holden said. “We found this is the same gang. The signatures, files and data match between several attacks.”
Holden and Krebs discovered a 40 GB file of stolen data, Krebs reported yesterday, on the same server hosting data stolen from brokers LexisNexis, Dun & Bradstreet and Kroll. Krebs said Web servers at those companies and others had been compromised by an identity theft service known as SSNDOB, and were acting as a botnet since April communicating with its attackers.
Holden, who speaks Russian natively, said Krebs brought him in at that point to help with the investigation; the two had collaborated on other breach investigations, Holden said. Currently, Holden said, he is trying to ascertain whether other Adobe products are affected in the breach and whether the hackers got in just once or multiple times. They are also cooperating with Adobe, which continues its internal investigation into how it was breached and the means by which the data was exfiltrated.
Adobe recommends that its customers change their Adobe account passwords; affected customers will be offered a year’s worth of free credit monitoring.
WASHINGTON, D.C. – The good news is that cooperation between the various law enforcement agencies in different countries all over the world is at an all time high; the bad news is that cybercriminals have embraced a potent combination of the anonymous online currency Bitcoin and equally anonymous, Web-based currency exchanges located outside U.S. jurisdiction that allow them to turn those Bitcoins into real money, making it more difficult than ever to track the bad actors down.
Such are the realities of the world we live in. The once-tried-and-true law enforcement method of following the money in order to get to the bottom of organized criminal operations is made more difficult by the emergence of digital currency, international wire transfers, and Web-based currency exchange services, shielded from U.S. law by their locations and hidden from sight with layers upon layers of obfuscation, Kaspersky Lab principal security researcher Kurt Baumgartner explained in an interview with Threatpost Wednesday.
Baumgartner participated in a panel discussion addressing the global trafficking of financial data at the Visa Global Security Summit this week. The panel heralded cooperation between different national law enforcement agencies, as well as information sharing between private businesses and law enforcement here in the U.S. The panel also highlighted a substantial shift in the ways that cybercriminals do business.
It was once the case, Baumgartner explained during the panel discussion, that attackers almost exclusively targeted payment processors and financial services firms in order to steal corporate financial data straight from the source. However, many of these companies began prioritizing network security, fortifying their defenses, and making it much harder for attackers to compromise their systems. So the attackers moved on to secondary targets, such as data brokers, where they could pilfer troves of sensitive information from somewhat less secure servers. They could then use this information to launch phishing and other social engineering attacks in order to establish side channels into the more intrinsically valuable networks, eventually stealing the same corporate financial data they sought in the first place.
This information is largely bought and sold online with digital currencies such as Bitcoin, or paid for with international wire transfers facilitated by seemingly (and in many cases genuinely) legitimate money transfer services such as Western Union and WebMoney. In the case of Bitcoin, that currency can be turned into physical money at any number of Web-based currency exchanges. “For a fee, always for a fee, but when you’re looking at laundering money, these guys are willing to pay,” Baumgartner said.
“They are performing services and paying for dumps – so stolen personally identifiable information – they pay for it with Bitcoin, and basically the seller takes his proceeds and puts it into an exchange and then he is able to withdraw actual money,” Baumgartner said.
Baumgartner would later explain that obfuscation, in addition to these overseas currency exchange services, is making it easier and easier for criminals to move their money around and ultimately launder it.
“With all of these incidents, one of the keys to effectively dealing with these bad actors is following the money,” he said. “And when you get Bitcoin involved, it becomes next to impossible to follow the money. Unfortunately, that’s where a lot of these guys are moving.”
Baumgartner eventually came back to what one of the other panel members, the FBI’s Donald Good, had said in their discussion at the summit earlier. The silver lining to all this is that cooperation and coordination between law enforcement agencies is working. Baumgartner knows this because he has played a role in Kaspersky Lab’s participation with law enforcement in the U.S. and abroad in taking down botnets and other cybercriminal operations.
Baumgartner rifled off a list of cybercriminal arrests, claiming that nearly all of them have occurred as a result of international cooperation: the takedown of the currency exchange Liberty Reserve, an alleged haven for money laundering; the arrest and charging in Amsterdam over the summer of a number of individuals allegedly associated with reputed cybercriminal Albert Gonzalez; and, just this week, the arrest of a Bulgarian believed to have been the leader of a vast and profitable ATM skimming operation in that country, which, Baumgartner noted, is unusual.
In fact, just a day earlier, the FBI took down the infamous Silk Road underground market. Silk Road was an illegal marketplace for drugs, hacking services, malware and related tools, weapons and ammunition, hacked Web accounts, and an absolute slew of personal, sensitive, and financial information, all of which had to be bought and paid for using Bitcoin. The marketplace reportedly generated some $1.2 billion and is a near perfect microcosm of how the global trade in illicit goods and information operates. Interestingly enough, Silk Road deployed strong encryption and anonymity tools to shield itself from law enforcement. In the end, Ross William Ulbricht, the man who ran Silk Road, made what the FBI described as “a simple mistake” leading to his arrest. In other words, investigators got lucky, lending credence to Baumgartner’s assertion that criminals are harder to catch than ever given anonymous digital currencies, anonymous Web transfers, and anonymous marketplaces.
Baumgartner also suggested in closing the possibility that a new trend of corporate identity theft may be emerging. Dun & Bradstreet, the New Jersey-based corporate licensure firm revealed in Brian Krebs’ ‘SSNDOB[dot]ms’ exposé, is a sort of corporate data broker. So what happens, Baumgartner said, when an attacker steals the identity of a corporation? He or she steals a lot more money, likely going unnoticed for a much longer period of time.
Attackers accessed customer IDs, encrypted passwords as well as source code for a number of Adobe products, Adobe chief security officer Brad Arkin announced.
Arkin said Adobe is working with law enforcement on the breach in which attackers accessed source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and possibly other Adobe products.
“Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident,” Arkin said in a statement.
Arkin called the attacks on the Adobe network “sophisticated,” and said that information on 2.9 million customers was removed from the company’s machines, including customer names, encrypted credit and debit card numbers, expiration dates and other information used in customer orders.
“At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems,” Arkin said. “We deeply regret that this incident occurred.”
Arkin said Adobe is not aware of any zero-day exploits used in the attack, but encouraged customers to run only supported versions of Adobe products and ensure patch levels are current. He said users should also follow guidance available in the Acrobat Enterprise Toolkit and ColdFusion Lockdown Guide.
“These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products,” Arkin said.
Adobe said it is resetting customer passwords to prevent further access to customer accounts. Impacted customers will be notified via email with information on how to change their passwords, Arkin said.
He added that Adobe is also working on notifying customers whose payment card information was accessed. Notification letters are going out with additional information related to protecting personal information. Adobe said it is offering customers one year of complimentary credit monitoring.
Arkin credited security reporter Brian Krebs and Alex Holden of Hold Security LLC for alerting them to a potential issue and helping with response. Krebs reported today he became aware of the source code leak one week ago when he discovered 40 GB of Adobe data on the same server used by the criminals involved in the LexisNexis, Dun & Bradstreet and Kroll breaches earlier this year.
“The hacking team’s server contained huge repositories of uncompiled and compiled code that appeared to be source code for ColdFusion and Adobe Acrobat,” Krebs wrote today.
Krebs said Adobe believes attackers cracked a source code repository in mid-August after accessing part of Adobe’s network that handles credit card transactions.
Krebs also has a screenshot of Acrobat code from the repository, including code for as-yet-unreleased product features.
“We’re still at the brainstorming phase to come up with ways to provide higher level of assurance for the integrity of our products, and that’s going to be a key part of our response,” Arkin told Krebs. “We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”
Microsoft has announced that it plans to release eight patches next week as part of its October Patch Tuesday release, addressing flaws in Windows, the .NET Framework, Office, Server, Silverlight and, most importantly, its Internet Explorer browser.
Four of the patches are marked critical, including the first one that should address a nasty zero day flaw that’s been affecting all versions of Internet Explorer over the last month or so. Microsoft initially released a FixIt tool for the vulnerability three weeks ago after reports of the exploit were seen in the wild but this is the first patch for the issue the company will ship to users.
The flaw stems from the way that IE “accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” according to an advisory Microsoft released in mid-September.
It didn’t take long for the public to take advantage of the vulnerability’s leaked exploit code. On the same day that Metasploit developed a module for the vulnerability, news came that three new targeted attack campaigns were using the exploit vector.
Despite the increase in attacks, Microsoft has apparently elected to stick to schedule for the contentious bug and not fix it with an out-of-band patch.
Regardless of the timeline, according to several experts, this patch should be the number one issue for users and IT professionals on Tuesday.
“Users should apply a patch ASAP,” Lamar Bailey, the Director of Security Research and Development for network security company Tripwire, said Thursday.
The other three critical updates (Bulletins 2-4) will fix issues elsewhere in Windows, from Windows XP to Windows 8 and Windows RT.
Meanwhile, the Microsoft Office updates (Bulletins 5-7) fix important flaws in SharePoint, Excel and Word, respectively.
All of the vulnerabilities could lead to remote code execution, save for the last bulletin, the least severe, which addresses an information disclosure flaw in the Silverlight application framework.
This of course marks the 10th year of Microsoft’s Patch Tuesday flaw remediation program. The move, at least in the words of Andrew Storms on Wednesday, created a “great wave of change” in the information security industry from that point on.
Yahoo has promised to put the finishing touches on a new vulnerability reporting and rewards policy by Halloween after finding itself in the throes of a mini scandal this week over two $12.50 Yahoo company store discount codes handed out to one researcher in thanks for turning in a pair of cross-site scripting bugs.
The researcher in question, High-Tech Bridge CEO Ilia Kolochenko, urged Yahoo to “revise its relations” with the security community after sharing his story. Kolochenko, the same bug-hunter who reported XSS bugs in a NASDAQ Web application last month, shared details with Yahoo on a number of security issues he found on several Yahoo domains. The first, a cross-site scripting bug on marketingsolutions.yahoo.com, was reported and acknowledged by Yahoo, which informed Kolochenko that the issue had already been reported by another researcher.
Kolochenko said he plugged on and five days later notified Yahoo of three more XSS vulnerabilities on the ecom.yahoo.com and adserver.yahoo.com domains.
“Each of the discovered vulnerabilities allowed any yahoo.com email account to be compromised by simply sending a specially crafted link to a logged-in Yahoo user and making him/her [click] on it,” Kolochenko said.
Yahoo, Kolochenko said, replied within two days and rewarded him with a $25 discount code for the Yahoo company store. This did not sit well with the researcher.
“Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price,” he said. “Nevertheless, money is not the only motivation of security researchers.”
Kolochenko pointed toward Google’s bug bounty as an example of a rewards program that pays substantial amounts and also maintains a “Hall of Fame,” playing to the egos of researchers as well.
“If Yahoo cannot afford to spend money on its corporate security, it should at least try to attract security researchers by other means,” Kolochenko said. “Otherwise, none of Yahoo’s customers can ever feel safe.”
Yahoo security team director Ramses Martinez responded yesterday that Yahoo has been quick to remedy vulnerabilities reported to his team, but that the recognition and rewards process and policy have been slow in coming.
Martinez acknowledged Kolochenko’s distress in previewing the upcoming revised policy, which he said will reward individuals who identify “new, unique and/or high-risk issues” with payouts in the range of $150 to $15,000.
“The amount,” Martinez said, “will be determined by a clear system based on a set of defined elements that capture the severity of the issue.”
Martinez also said the new policy will be released by Oct. 31, and that any payouts will be done retroactively to July 1. Previously, Martinez had personally acknowledged submissions with a Yahoo T-shirt—which he said he personally paid for—as well as a personal letter to the researcher certifying the find.
“If you submitted something to us and we responded with an acknowledgement (and probably a t-shirt) after July 1st, we will reconnect with you about this new program,” Martinez said. “This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt.”
Martinez said the new Yahoo reporting program will concentrate on improving the reporting process for researchers via a new website, which he said should improve Yahoo’s internal validation and remediation processes. Once an issue is validated, Martinez said, the researcher will be contacted within 14 days of submission and given formal recognition via email or written letter; the researcher will also be recognized in some sort of “Hall of Fame,” he said.
Adobe has announced that it plans to patch critical vulnerabilities in two products, Adobe Reader and Acrobat XI (11.0.04) for Windows, next week as part of its monthly Patch Tuesday updates.
Adobe posted about the impending updates yesterday on its Product Security Incident Response Team (PSIRT) blog, adding that while the vulnerabilities are being marked critical, as far as the company knows, there are no known exploits in the wild for them.
The updates for Acrobat and Reader were given a Priority Rating of 2, which means that the products have historically been at what the company calls an elevated risk. Both fixes should go live Oct. 8, in tandem with the 10-year anniversary of Microsoft Patch Tuesday.
It’s the first update for Reader and Acrobat since last month’s, APSB13-22, which addressed a handful of vulnerabilities, including those of the stack, buffer and integer overflow variety, along with a memory corruption bug.
We’ll have to wait until Tuesday when Adobe posts their monthly Security Bulletin to see exactly what flaws October’s patches fix.
Dennis Fisher talks with Ryan Naraine about the news from the Virus Bulletin 2013 conference, whether the use of zero days is overrated and the collateral damage that can result from cyberwarfare attacks.
http://threatpost.com/files/2013/10/digital_underground_128.mp3
A security vulnerability in the web framework Django could let an attacker who has stolen a user’s session cookie log into the user’s website as that user, even after the user has logged out.
The session invalidation vulnerability was discovered by G.S. McNamara, the same researcher who dug up a similar vulnerability in the Ruby on Rails web app framework in September.
Like Rails, Django lets developers decide where they want to store user session data. While not the default, one of the options is cookie-based storage, which, McNamara notes, stores all session data in the cookie itself and signs it.
“The default name for a session cookie is ‘sessionid’ regardless of whether the cookie stores only a session identifier or the complete session data hash,” McNamara explained in a blog on his MaverickBlogging.com website Monday.
McNamara notes that, compared to Rails, it’s a little trickier to determine which session storage backend a site has implemented. But if a site was using cookie-based sessions and an attacker had access to a user’s machine, the attacker could find, steal or intercept that cookie, even after the user had logged out, and easily gain access to that user’s account on the website.
Django, an open source web application framework that helps users build web apps, runs on Python and was last updated just two weeks ago.
McNamara, who resides in D.C., alerted the Django developers about the vulnerability but it doesn’t sound like a fix is on the horizon.
Instead the group in charge of the framework, the Django Software Foundation, is electing to warn users about the security implications associated with cookie-based sessions.
“Unlike other session backends which keep a server-side record of each session and invalidate it when a user logs out, cookie-based sessions are not invalidated when a user logs out. Thus if an attacker steals a user’s cookie, he or she can use that cookie to login as that user even if the user logs out,” reads a new note on how to use sessions on the Django site.
When reached Wednesday, Carl Meyer, a Django contributor and a member of its core team, acknowledged the group doesn’t plan to make any further changes to the way it handles cookie session storage, adding that “mitigation would require validating the session against server-stored information on every request,” and that at that point the user might as well just use a server-side session instead of a cookie-based session.
According to Django, it’s up to the developer to evaluate the additional risk of cookie session storage “and weigh the pros and cons for their application.”
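The behaviour described above, reduced to its essentials, as an added illustration that is not Django’s own code: a signed-cookie backend carries the whole session in the cookie, so logout can only ask the browser to drop it and a copy taken earlier still verifies; a server-side backend holds the state in a store the server can delete; and the “validate against server-stored information on every request” mitigation Meyer mentions can be done with a per-user session generation counter, which, as he says, already amounts to a server-side lookup per request. The HMAC serializer, the secret key and the user id 42 are constructed for the example; only the shape of the two backends follows the article.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-secret-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- cookie-based backend: the cookie *is* the session --------------------

def sign_session(data: dict) -> str:
    """Serialise the session dict and append an HMAC-SHA256 tag ("payload.tag")."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_signed_session(cookie: str):
    """Return the session dict if the tag verifies, else None.

    Nothing server-side is consulted, so the server has no way to reject a
    cookie it issued earlier: that is the property McNamara describes."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged cookie
    return json.loads(_unb64(payload))


# --- server-side backend: the cookie is only an opaque lookup key ---------

SESSION_STORE: dict = {}


def create_server_session(data: dict) -> str:
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = dict(data)
    return sid


def load_server_session(sid: str):
    return SESSION_STORE.get(sid)


def logout_server_session(sid: str) -> None:
    SESSION_STORE.pop(sid, None)  # invalidates every copy of the cookie at once


# --- mitigation Meyer alludes to: a server-stored check on every request --

SESSION_GENERATION: dict = {}  # user_id -> counter bumped on logout


def issue_versioned_cookie(user_id: int) -> str:
    gen = SESSION_GENERATION.setdefault(user_id, 0)
    return sign_session({"user_id": user_id, "gen": gen})


def logout_versioned(user_id: int) -> None:
    SESSION_GENERATION[user_id] = SESSION_GENERATION.get(user_id, 0) + 1


def load_versioned_cookie(cookie: str):
    """Signed cookie plus a per-request comparison against server state."""
    session = load_signed_session(cookie)
    if session is None:
        return None
    if session.get("gen") != SESSION_GENERATION.get(session.get("user_id"), 0):
        return None  # issued before the last logout
    return session


# --- scenarios: user logs in, attacker copies the cookie, user logs out ---

def stolen_cookie_still_works_cookie_backend() -> bool:
    stolen = sign_session({"user_id": 42})
    # "Logout" = Set-Cookie telling the browser to clear it; the copy is untouched.
    session = load_signed_session(stolen)
    return session is not None and session["user_id"] == 42


def stolen_cookie_still_works_server_backend() -> bool:
    stolen = create_server_session({"user_id": 42})
    logout_server_session(stolen)
    return load_server_session(stolen) is not None


def stolen_cookie_still_works_versioned() -> bool:
    stolen = issue_versioned_cookie(42)
    logout_versioned(42)
    return load_versioned_cookie(stolen) is not None
```

The signature still protects against tampering in every variant (flip a byte of the payload and `load_signed_session` returns `None`), which is why the cookie backend is safe against forgery but not against replay of a legitimately issued cookie; only a server-side record, whether the whole session or just a generation counter, lets logout revoke it.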
McNamara still hopes to work with Django when it comes to enhancing the security of their web framework going forward. In an email to Threatpost on Wednesday, he asserted there are still lingering issues with respect to [Django’s] cookie-based session storage.
“I believe this is a risk that was written off without adequate documentation or warning,” McNamara said.
BERLIN–In the last few years, there have been a series of DDoS attacks and intrusions on government networks in South Korea that have resulted in the loss of untold amounts of data. The four attacks haven’t been linked together or attributed to the same attackers, but there are some similarities in the methods and results, a researcher said.
The attacks on South Korean government sites and banks date back to at least July 2009 and run up through an incident in June of this year. Not all of them were destructive, but some employed malware that wiped the master boot record of infected machines and rendered them unusable. Others were massive DDoS attacks directed against DNS servers or individual sites.
In one of the attacks, in March 2011, a malicious dropper was downloaded onto machines through a drive-by download. That dropper had a time bomb inside it that instructed it to check the date and time and, at a predetermined hour, download and execute a piece of malware. That component would then overwrite the MBR of the infected machine. There were two different wiper malware samples involved in the attack, said Christy Chung of Fortinet, one for Windows machines and another for Unix machines. In both cases, the MBR was wiped, rendering the machines unusable.
“The two wipers have similar behaviors,” Chung said during a talk at the Virus Bulletin 2013 conference here Thursday. “After the machine reboots, it shows that the operating system can’t be found because the MBR was overwritten.”
The attacks that occurred on June 25, 2013, used a different tactic, targeting two of the name servers used by some of the major South Korean government Web sites. In that case, the malware that infected the PCs used to attack the name servers had components that added registry keys and created services that enabled the malware to survive a reboot and remain on the system, Chung said. The two target DNS servers were hard-coded into the malware, and at a pre-determined time the malware launched the DDoS attack on the servers. The effect was devastating.
“Many of the major Korean government sites were unavailable for some time,” Chung said.
Although there were some similarities in the malware used in the attacks, Chung said she’s not convinced that the same attackers were behind all of them.
“I don’t see that,” she said.