Threatpost for B2B
Browsers, brokers and BIOS: you could safely call that triumvirate the past, present and future of security, but you’d be wrong.
If last week’s CanSecWest conference, and Pwn2Own and Pwnium contests are indeed a point-in-time snapshot of the technical side of information security, then after last week it’s a no-brainer all three merit more than a lackadaisical passing interest.
Researchers came to the Pwn2Own and Pwnium tables with an alarming rash of exploits for zero-day browser vulnerabilities. None was to be spared among the big four of Internet Explorer, Firefox, Chrome and Safari, each falling despite state-of-the-art mitigations and constant reminders about the threats posed by Web-based exploits and malware.
Experts also spent hours during the second day of CanSecWest painstakingly explaining detailed problems in device hardware, in particular how attackers can and will soon exploit weaknesses in bootloaders and machine BIOS in order to own systems. The controversy over the legitimacy of badBIOS did little to dissuade researchers from MITRE and Intel from coming to Vancouver and explaining how an attacker gaining access at this level of system architecture might as well take up permanent residency on a computer.
And then there are the brokers. While VUPEN founder and top boss Chaouki Bekrar may bristle at the notion of being labeled a broker, preferring instead “exploit vendor,” companies like his hover over events like this and over vulnerability research. Their presence is a reminder that high-level hacking is all about playing for keeps, and while $400,000 may be enough of a lure to burn some 0days on a public stage, imagine the deals cut behind closed doors.
On to the three B’s of CanSecWest and Pwn2Own:
Browsers: The biggest payoffs at Pwn2Own—aside from the $150,000 grand prize for Microsoft EMET bypasses—were for browser exploits. Vupen collected prizes for zero-days in IE 11, Firefox and Chrome; it withdrew from a chance at a Safari takedown, but only after China’s Keen Team had already bypassed the sandbox in the Apple browser. Browsers are hardened, but even with sandboxes and other mitigations in place, white hats are finding ways to sidestep those protections.
“Exploitation is harder. Finding zero-days in browsers is hard,” Bekrar said.
Researchers have to find one or more vulnerabilities and chain together exploits in order to beat the enhancements vendors have made; Bekrar said his team was able to find a Firefox zero-day, but only after running 60 million test cases through a fuzzer.
“That proves Firefox [Mozilla] has done a great job fixing flaws. The same for Chrome,” Bekrar said of the Google browser. “Chrome has the strongest sandbox; it’s even more difficult to create exploits for it.”
BIOS: Easily the headiest session track at CanSecWest, the threat to the boot-up process is real and it may be one area where researchers have a jump on attackers. What hackers covet, perhaps more than anything, is a persistent presence on a machine. Replacing a computer’s BIOS or Master Boot Record gives an attacker that nearly unbreakable grip on a computer.
Researchers from MITRE and Intel shared tales of sophisticated bootkits that run before the operating system starts, abuse the signature checks built into the boot process so that their own presence passes as legitimate, and escalate all the way up to the platform firmware. It is a fatal infection, and one that can survive even a BIOS re-flash.
There’s plenty more to come on this, but one thing is certain: sharpen your skills in this discipline, and prepare to invest in people who are adept at BIOS and firmware security research and forensics.
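The persistence mechanism described above, an overwritten Master Boot Record, is also the first thing a forensic baseline check looks for. What follows is an added example in C, not code from the MITRE or Intel presentations: it parses the standard 512-byte legacy boot sector layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), validates the signature and partition table, and compares the bootstrap code against a known-good copy captured at provisioning time. The sample sector and its baseline are constructed inline for demonstration; a real tool would read sector 0 from the raw disk device. Function names such as `mbr_bootcode_first_diff` and `mbr_build_sample` are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of a classic (BIOS/MBR, non-GPT) boot sector:
 *   bytes   0-445  bootstrap code, the region a bootkit overwrites
 *   bytes 446-509  four 16-byte partition entries
 *   bytes 510-511  boot signature 0x55 0xAA
 */
#define MBR_SIZE       512
#define MBR_CODE_LEN   446
#define MBR_PART_OFF   446
#define MBR_PART_SIZE  16
#define MBR_PART_COUNT 4

/* Partition table fields are little-endian regardless of host; decode explicitly. */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1 if the sector ends with the 0x55AA boot signature, else 0. */
int mbr_signature_ok(const uint8_t sector[MBR_SIZE]) {
    return sector[510] == 0x55 && sector[511] == 0xAA;
}

/* Number of partition entries in use (non-zero type byte), or -1 if more
 * than one entry carries the 0x80 "active" flag, which is invalid and a
 * cheap sign of a hand-edited table. */
int mbr_partition_count(const uint8_t sector[MBR_SIZE]) {
    int used = 0, active = 0;
    for (int i = 0; i < MBR_PART_COUNT; i++) {
        const uint8_t *e = sector + MBR_PART_OFF + i * MBR_PART_SIZE;
        if (e[0] == 0x80) active++;
        if (e[4] != 0x00) used++;
    }
    return active > 1 ? -1 : used;
}

/* Start LBA of partition entry idx (0..3); 0 if idx is out of range. */
uint32_t mbr_partition_start_lba(const uint8_t sector[MBR_SIZE], int idx) {
    if (idx < 0 || idx >= MBR_PART_COUNT) return 0;
    return get_le32(sector + MBR_PART_OFF + idx * MBR_PART_SIZE + 8);
}

/* Compare the bootstrap code against a known-good baseline captured when
 * the machine was provisioned. Returns the offset of the first differing
 * byte, or -1 if unchanged. A bootkit that replaces the MBR loader shows
 * up here even when it leaves the partition table intact. */
int mbr_bootcode_first_diff(const uint8_t baseline[MBR_SIZE],
                            const uint8_t current[MBR_SIZE]) {
    for (int i = 0; i < MBR_CODE_LEN; i++)
        if (baseline[i] != current[i]) return i;
    return -1;
}

/* Constructed sample sector (not a real disk image): a stub of boot code,
 * one active NTFS-type partition starting at LBA 2048, and the signature. */
void mbr_build_sample(uint8_t sector[MBR_SIZE]) {
    static const uint8_t code[] = {0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C};
    memset(sector, 0, MBR_SIZE);
    memcpy(sector, code, sizeof code);      /* stand-in for a real loader */
    uint8_t *e = sector + MBR_PART_OFF;
    e[0] = 0x80;                            /* active/bootable flag */
    e[4] = 0x07;                            /* partition type: NTFS/exFAT */
    put_le32(e + 8, 2048);                  /* start LBA */
    put_le32(e + 12, 1024u * 1024u);        /* sector count */
    sector[510] = 0x55;
    sector[511] = 0xAA;
}

/* Returns 1 if the clean sample passes every check and a one-byte patch to
 * its boot code is reported at the correct offset, else 0. */
int mbr_demo(void) {
    uint8_t base[MBR_SIZE], cur[MBR_SIZE];
    mbr_build_sample(base);
    memcpy(cur, base, MBR_SIZE);
    if (!mbr_signature_ok(cur) || mbr_partition_count(cur) != 1) return 0;
    if (mbr_partition_start_lba(cur, 0) != 2048) return 0;
    if (mbr_bootcode_first_diff(base, cur) != -1) return 0;
    cur[3] ^= 0xFF;                         /* simulate a bootkit patching the loader */
    return mbr_bootcode_first_diff(base, cur) == 3;
}

int main(void) {
    printf("MBR baseline check: %s\n", mbr_demo() ? "tamper detected" : "FAILED");
    return 0;
}
```

This covers only the legacy MBR loader. A BIOS-level implant lives in the SPI flash, which no disk read will reveal, so the same baseline approach has to be applied to a firmware image dumped from the platform, and on UEFI/GPT systems to the EFI System Partition as well. Once baselines are stored centrally, a cryptographic hash of the whole sector is preferable to a raw byte comparison.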
Brokers: A few years back, there was the No More Free Bugs movement, a grassroots cause that clamored for vendors to pay up for bugs. While this didn’t exactly spawn the market that gave us the VUPEN and Endgame Systems of the world, it did draw them out from the shadows. Bugs are big business and companies such as these develop six- and seven-figure exploits for the exclusive purview of their customers. Bekrar says his customers are NATO governments and that he would not sell to an oppressive regime. This is, however, the new normal.
“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising. Not one of our exploits has ever been discovered in the wild. All of our customers use exploits in a targeted way for specific national security missions.”
Now that the dust has settled after the Pwn2Own contest, the browser manufacturers are beginning to roll out patches for the vulnerabilities exploited by contestants. Google on Monday released fixes for a number of bugs in Chrome discovered and exploited during Pwn2Own, releasing new versions of the browser for Windows, Mac and Linux.
This year’s Pwn2Own, which runs in conjunction with the CanSecWest conference in Vancouver, showcased vulnerabilities and exploits in most of the major browsers, including Internet Explorer and Firefox, along with Chrome. The team from VUPEN, the French security and exploit-sales firm, took home several hundred thousand dollars in prize money from the contest, a good portion of it for demonstrating new bugs in Google Chrome. In addition to the prize money from the contest, Google also is paying its own rewards to the researchers who used new flaws in Chrome.
VUPEN earned a $100,000 reward from Google for its two Chrome vulnerabilities, and an anonymous researcher also earned $60,000 for two separate vulnerabilities. The flaws used in Pwn2Own that Google fixed in Chrome 33 are:
- [$100,000] Code execution outside sandbox. Credit to VUPEN.
- [$60,000] Code execution outside sandbox. Credit to Anonymous.
Patches for Internet Explorer and Firefox likely will take a little longer, as they’re on longer update cycles than Google, which typically pushes out new versions whenever significant security issues need to be fixed. Google security officials said that they plan to publish some details of the exploits used against Chrome in Pwn2Own in the coming weeks.
“We’re delighted at the success of Pwn2Own and the ability to study full exploits. We anticipate landing additional changes and hardening measures for these vulnerabilities in the near future. We also believe that both submissions are works of art and deserve wider sharing and recognition. We plan to do technical reports on both Pwn2Own submissions in the future,” Anthony Laforge of Google said in a blog post.
In a letter sent to President Obama and members of Congress, former members and staff of the Church Committee on intelligence said that the revelations about NSA activities have caused “a crisis of public confidence,” and they encouraged the formation of a new committee to undertake a “significant and public reexamination of intelligence community practices.”
Although it may seem like the NSA’s activities have only recently come under public scrutiny, the agency first was dragged into the light in 1975 when reports surfaced that for decades it had had secret agreements with telegram companies to get copies of Americans’ international communications. The Church committee, formally known as the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, was formed to investigate the NSA’s methods and produced a report that took the agency to task for overstepping its bounds and expanding programs well beyond their initial scope.
“We have seen a consistent pattern in which programs initiated with limited goals, such as preventing criminal violence or identifying foreign spies, were expanded to what witnesses characterized as ‘vacuum cleaners,’ sweeping in information about lawful activities of American citizens. The tendency of intelligence activities to expand beyond their initial scope is a theme which runs through every aspect of our investigative findings,” the committee’s final report said.
In the letter sent Monday to Obama and Congress, several former advisers to and members of the Church committee, including the former chief counsel, said that the current situation involving the NSA bears striking resemblances to the one in 1975 and that the scope of what the NSA is doing today is orders of magnitude larger than what was happening nearly 40 years ago.
“The need for another thorough, independent, and public congressional investigation of intelligence activity practices that affect the rights of Americans is apparent. There is a crisis of public confidence. Misleading statements by agency officials to Congress, the courts, and the public have undermined public trust in the intelligence community and in the capacity for the branches of government to provide meaningful oversight,” the letter says.
“The scale of domestic communications surveillance the NSA engages in today dwarfs the programs revealed by the Church Committee. Indeed, 30 years ago, the NSA’s surveillance practices raised similar concerns as those today.”
Signed by 15 former advisers and members of the committee, including Frederick A.O. Schwarz Jr., the lead counsel for the committee, the letter is addressed to Obama, Congress and the American public.
The findings of the Church committee eventually led to a number of changes in the way that intelligence agencies operated and the checks that were put in place to oversee their activities. One result was the formation of the permanent intelligence committees in the House of Representatives and the Senate, and another was the passage of the Foreign Intelligence Surveillance Act. FISA is one of the authorities that the NSA relies upon in order to conduct its surveillance operations, specifically the phone metadata program that was the first one revealed last year by Edward Snowden.
The former members of the Church Committee said that a new committee to oversee and investigate the NSA’s activities is a must if the American public is to ever have any trust in the agency and the intelligence community as a whole again.
“As former members and staff of the Church Committee we can authoritatively say: the erosion of public trust currently facing our intelligence community is not novel, nor is its solution. A Church Committee for the 21st Century—a special congressional investigatory committee that undertakes a significant and public reexamination of intelligence community practices that affect the rights of Americans and the laws governing those actions—is urgently needed. Nothing less than the confidence of the American public in our intelligence agencies and, indeed, the federal government, is at stake,” the letter says.
The information security field is full of certifications – CompTIA, GIAC, CEH, ISC2 CISSP, CISM – with a vast number of areas and directions within these families. In the industrial space, the least secured enterprise sector when compared with the well-established information security practice found in most economies, the situation is entirely different.
We have just a few known certifications related to industrial (ICS/SCADA) security: IC32 from ISA99 and, recently, GICSP, which is based on a SANS training course.
There have been a number of heated debates recently in the industrial automation community about which of those two is better and whether either of them is good enough to ensure that a certified person can do a good job on industrial security.
In fact, I personally do not think either IC32 or GICSP is sufficient for people to be responsible for ICS cyber security.
More than that, I do not believe that one person can be fully responsible for the security of a critical infrastructure, as that requires being skilled enough in both IT security and engineering. It takes a mixed team with enough knowledge overall to make the right decisions, and to safely walk through a “SCADA Triangle”.
What is the SCADA Triangle? The creator of the SCADA Triangle idiom is Jason Larsen from INL.
He gave one of the most remarkable talks at the recent S4x2014 conference. It focused on staging an attack on an industrial system using a device with very limited resources, only 4 kilobytes of memory. That is not enough to record and replay data to fool the control room and hide an attack from the operator, but he discussed ways that could still make such a hidden attack possible, particularly DSP (digital signal processing) techniques that modulate the fake signal by using triangulation.
Jason’s keynote was full of technical details, which led to the tongue-in-cheek response from the audience: “OK, so we now understand that SCADA is a triangle”. Eventually it became a recurring joke during the entire four-day conference.
Jokes aside, today on many (not all, but many) industrial sites, we have a real SCADA Triangle.
The Bermuda SCADA Triangle describes the people involved in ICS security decisions, namely:
- Engineers, who are often more afraid of security measures than of malware;
- IT security people, who are most likely not allowed to enter, or make decisions about, the industrial infrastructure;
- CEOs, who don’t see how cyber security spending relates to revenue or why they should invest in it.
ICS security is typically lost in this triangle, in many cases without even a clear decision on how responsibility for it should be split between the teams and people inside the company.
Effective ICS security has to be built by the team of people described above, so there is no single professional certification that covers it. Instead, several things need to be done:
1) Establish a common language and understanding between the decision-makers: CxOs, engineers and IT. Change their perception of the problem. This is not easy, as lectures and technical red/blue exercises are flawed for this purpose: too long, too technical, boring, not aimed at managers, and failing to build a “common language” at the “common sense” level.
A good example of how it gets solved is Kaspersky Industrial Protection Simulation (KIPS), a role playing game featuring a simulated water utility trying to accomplish its mission to produce and sell water to the community, while dealing with and resolving a number of unexpected cyber events.
I have seen it run at the ICS Cyber Security Conference, Cyber Security Malaysia and the Security Analyst Summit (so some of you have already played it), and the feedback ranged from “It was truly eye-opening, and a number of the participants asked about setting up this game at their companies” to “We have to build a network of people based on affiliation and cooperation, and KIPS is a perfect way to kick it off.”
So it is possible to sail through a SCADA Triangle safely, but it is an enormous task to make such mutual understanding among ICS-related decision makers happen worldwide.
2) Educate engineers on the basics of IT security. This is what IC32 stands for. It is somewhat weak from a security specialist’s point of view, but it gives engineers an overall understanding.
3) Educate IT security professionals on ICS specifics. This is also a very important part, as we have security teams inside companies, security service providers and government agencies responsible for regulation and audit, but none of them understands the specifics of ICS (I run trainings on ICS/SCADA security basics for such entities). SANS ICS training (note that I have not yet been able to take the course personally) can also be helpful for providing such basics to security people, but I would not set the goal of certification as producing “compliant”, “ready-to-go” ICS security experts.
Once those people better understand each other’s “playgrounds”, a company should form a team that includes both engineering and IT security specialists to make effective decisions on ICS security.
P.S.: Even after the ICS security team’s decision-making process is set up, there is still the big challenge of making all employees on the industrial site follow the security rules so they do not become the weakest link. But that is another (big) topic.
What do you think?
Vyacheslav Borilin is a business development manager at Kaspersky Lab and specializes in ICS security.
More than 7,600 different power, chemical and petrochemical plants may still be vulnerable to a handful of SCADA vulnerabilities made public this week.
A researcher at Rapid 7, the Boston-based firm responsible for the popular pen testing software Metasploit, and an independent security researcher discovered the bugs in Yokogawa Electric’s CENTUM CS3000 R3 product. The Windows-based software, first introduced in 1998, is somewhat dated at this point, but it remains in use at power plants, airports and chemical plants across Europe and Asia.
Juan Vazquez of Rapid 7 and independent researcher Julian Vilas Diaz discovered the bugs. The two first discussed their findings in a co-authored talk, “Kicking SCADA Around,” last weekend at the RootedCON conference in Madrid, Spain, before technical details were published in a blog post on Monday.
The three vulnerabilities are all buffer overflows, one heap-based and two stack-based, each reachable by sending crafted packets to a network-facing service. All of them affect computers where CENTUM CS 3000, software used to operate and monitor industrial control systems, is installed.
In the first, an attacker could send a specially crafted sequence of packets to BKCLogSvr.exe and trigger a heap-based buffer overflow, which could cause a denial of service or allow the execution of arbitrary code with system privileges.
The second is similar: a crafted packet sent to BKHOdeq.exe causes a stack-based buffer overflow, allowing “execution of arbitrary code with the privileges of the CENTUM user.”
Lastly, another stack-based buffer overflow, this one in the BKBCopyD.exe service, could likewise allow the execution of arbitrary code.
Rapid 7 first disclosed the vulnerabilities to the Japanese electrical engineering firm in December, before they were acknowledged by CERT/CC. Yokogawa published an advisory on the vulnerabilities (.PDF) last Friday, a day before Vazquez and Vilas presented them and three days before they were publicly disclosed on Rapid 7’s blog.
Yokogawa recommends that those running CENTUM CS 3000 update to the latest version of the software (R3.09.50) and apply the patch that resolves the vulnerabilities.
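All three bugs share one root cause: a service takes a length or payload from the network and copies it into a fixed-size buffer without checking it. The article gives no protocol details, so the following is an added example with a constructed, hypothetical message format (not Yokogawa’s CENTUM protocol, and not Rapid 7’s exploit code): a stack-based handler in the vulnerable pattern, beside a hardened version that validates the claimed length against both the bytes actually received and the destination buffer before copying. `MSG_MAX`, `log_handler_vulnerable`, `log_handler_hardened`, `build_packet` and the two-byte length prefix are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format (hypothetical, not CENTUM's): a 2-byte big-endian
 * length followed by that many bytes of message text. */
#define MSG_MAX 64

/* Vulnerable handler: trusts the length field and copies into a fixed
 * stack buffer. A length above MSG_MAX smashes the stack; a length above
 * the bytes actually received reads past the end of the packet. */
int log_handler_vulnerable(const uint8_t *pkt, size_t pktlen) {
    char msg[MSG_MAX];
    if (pktlen < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(msg, pkt + 2, len);      /* no bounds check: stack-based overflow */
    return (int)len;
}

/* Hardened handler: rejects a claimed length that exceeds either the data
 * received or the destination buffer. Returns bytes accepted, or -1. */
int log_handler_hardened(const uint8_t *pkt, size_t pktlen,
                         char *out, size_t outlen) {
    if (pkt == NULL || out == NULL || pktlen < 2 || outlen == 0) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > pktlen - 2) return -1;   /* claims more data than was sent */
    if (len >= outlen) return -1;      /* would not fit (keep room for NUL) */
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a packet in the constructed format; the length field is set
 * independently of the payload so that lying headers can be tested.
 * Returns total packet size, or 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t bufsize, uint16_t claimed_len,
                    const char *payload, size_t payload_len) {
    if (bufsize < 2 + payload_len) return 0;
    buf[0] = (uint8_t)(claimed_len >> 8);
    buf[1] = (uint8_t)(claimed_len & 0xFF);
    memcpy(buf + 2, payload, payload_len);
    return 2 + payload_len;
}

/* Demonstration: a benign packet is accepted by both handlers; an
 * oversized and a truncated packet are rejected by the hardened one.
 * Returns 1 when the hardened handler behaves as intended, else 0. */
int overflow_demo(void) {
    uint8_t pkt[2 + 200];
    char out[MSG_MAX];

    /* benign: 5-byte message, length field matches */
    size_t n = build_packet(pkt, sizeof pkt, 5, "hello", 5);
    if (log_handler_vulnerable(pkt, n) != 5) return 0;
    if (log_handler_hardened(pkt, n, out, sizeof out) != 5) return 0;
    if (strcmp(out, "hello") != 0) return 0;

    /* malicious: 200 bytes of filler and a length of 200, well past MSG_MAX.
     * The vulnerable handler is deliberately not called on this input. */
    char filler[200];
    memset(filler, 'A', sizeof filler);
    n = build_packet(pkt, sizeof pkt, 200, filler, sizeof filler);
    if (log_handler_hardened(pkt, n, out, sizeof out) != -1) return 0;

    /* truncated: header claims 50 bytes but only 5 arrived */
    n = build_packet(pkt, sizeof pkt, 50, "hello", 5);
    if (log_handler_hardened(pkt, n, out, sizeof out) != -1) return 0;
    return 1;
}

int main(void) {
    printf("hardened handler: %s\n", overflow_demo() ? "OK" : "FAILED");
    return 0;
}
```

On a real target the handler runs inside a Windows service, so the overflow inherits that service’s privileges, which is why the advisories rate these as code execution rather than a crash. Where the vendor patch cannot be applied promptly, the compensating control is network segmentation so that the ports these three services listen on are reachable only from the operator stations that need them.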
Dennis Fisher and Mike Mimoso talk about the news from the CanSecWest conference, the drama and melodrama at Pwn2Own and the bad year that RNGs have had.
http://threatpost.com/files/2014/03/digital_underground_148.mp3
Mark Zuckerberg is mad as hell, and he’s not going to take it anymore. Actually, he is going to take it, because we all are going to take it, at least for the foreseeable future.
Zuckerberg is upset that the NSA is spying on his users, and even madder that the agency is allegedly using fake Facebook servers to infect targets with malware as part of surveillance operations. In a post on his personal page Thursday, Zuckerberg, co-founder and CEO of Facebook, sounded a bit like a parent at his wit’s end, saying that he was “confused and frustrated” by the way that the U.S. government has been behaving of late.
“When our engineers work tirelessly to improve security, we imagine we’re protecting you against criminals, not our own government,” he wrote.
“The US government should be the champion for the internet, not a threat. They need to be much more transparent about what they’re doing, or otherwise people will believe the worst.”
Now, there are plenty of easy swings to be taken at both Zuckerberg and Facebook on this topic. The humor of the CEO of a company whose business is built upon mining the data it collects from its billions of users and selling the results to advertisers complaining about widespread surveillance is obvious. But there are a couple of clear and important differences between Facebook and the NSA. Facebook is up front about what it is and how it makes money. The user is the product. In return for connecting you electronically to the people you already know so you can avoid talking to them in real life, Facebook shows you marginally relevant ads and gathers untold terabytes of data on user behavior and preferences. That’s called commerce. And users know the deal going in.
What the NSA does is meant to be kept secret, and users are not supposed to have any idea whether they’re a target of the agency’s surveillance methods. In most cases, that’s the way it works. As has been shown, the NSA is extremely good at performing its mission. It’s when the agency goes beyond that mission that things get messy, and that’s what has Zuckerberg and so many others upset right now. A story this week in The Intercept revealed that the agency has allegedly been impersonating a Facebook server as part of a method for attracting surveillance targets and eventually installing malware on their machines. The agency on Thursday denied that it impersonates the Web site of any U.S. company.
“NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false,” the agency said in a statement.
Many people, corporations and organizations are angry about the allegations surrounding the NSA and its activities, but Zuckerberg, as the CEO of a multi-billion-dollar company, has some options for expressing his emotions that aren’t available to most people. For example, calling the White House. Well, anyone can call the White House, but most of us won’t get through to the Oval Office. It’s not clear whether Zuckerberg did, either, but he called.
“I’ve called President Obama to express my frustration over the damage the government is creating for all of our future. Unfortunately, it seems like it will take a very long time for true full reform,” he wrote.
“So it’s up to us — all of us — to build the internet we want. Together, we can build a space that is greater and a more important part of the world than anything we have today, but is also safe and secure. I’m committed to seeing this happen, and you can count on Facebook to do our part.”
As name-droppy and petulant as that all may sound, Zuckerberg is right about much of it. True reform, however you’d like to define that, always takes a long time, and that’s especially true when you’re talking about things as important and controversial as national security, surveillance and privacy. People feel a lot of feelings about these topics, and justifiably so. There has been a lot of healthy debate around all of this, and that should continue. But nothing moves quickly in Washington, and changes to the NSA’s mission or priorities won’t be the exception.
More importantly, Zuckerberg is correct that it’s up to us to build the Internet we want. So far, that Internet is a broken, compromised ad platform that’s only good for pictures of kittens and GIFs of dumb celebrities doing dumb things. And that’s fine if that’s the Internet you want. But if you’re interested in something that’s a little more useful and usable and secure, it’s going to take a lot of effort. Security is hard and security at the scale of the Internet has proven to be incredibly hard.
But that doesn’t mean we should cede what ground we’ve gained thus far to governments or attackers or other adversaries. That’s what they’re counting on, and if we give it to them, then we have no one to blame but ourselves.
VANCOUVER – One is the bug hunter, the other the exploit specialist.
Fang Jiahong and Liang Chen represented the Keen Team at Pwn2Own on Thursday, starting off the second day of the annual exploit festival with a quick takedown of Apple’s Safari browser. They then wrapped up the contest with a successful zero-day exploit of Adobe Flash, the second time the Adobe product was toppled.
For 2½ years, this emerging team of eight vulnerability researchers and exploit developers from China has nudged its way into the fray that is bug hunting and exploitation. Today’s Pwn2Own Safari win netted the Keen Team a $65,000 prize; the Flash bug, $75,000. They said they will donate a portion of their winnings to charities representing the families of the missing Malaysian Airlines flight MH370.
Last November, the Keen Team won the Mobile Pwn2Own contest in Japan, cracking iOS 7.0.3 three weeks after the update was available to users. The victory was the first for a Chinese collective since the contest began six years earlier.
Jiahong and Chen, along with the remaining members of Keen Team, have known each other for the better part of a decade, beginning their careers working for Microsoft after graduating from Jiao Tong University in Shanghai with degrees in information security.
Jiahong’s passion, he said, is digging for vulnerabilities, not only in Apple’s various platforms, but also for Microsoft products and mobile platforms. Android is his current area of focus.
“Liang is good at exploiting issues in different systems, advanced exploitations,” Jiahong said. “We have several people working on vulnerability digging, new ways of finding vulnerabilities and researching into other areas of infosec like Web security and mobile. We have a team of people focusing on vulnerability studies including exploitation.”
For their Pwn2Own Safari win, Chen said Keen Team exploited two vulnerabilities. The first, a heap overflow in Safari’s WebKit engine, gave them arbitrary code execution, but inside the browser sandbox that was not enough to compromise the underlying OS X Mavericks system; a second bug had to be chained with it to fully exploit the system.
“We utilized another system vulnerability to bypass the sandbox to get a process running in the user’s context,” he said. The bugs were disclosed to HP’s Zero Day Initiative, which sponsored Pwn2Own and bought all of the vulnerabilities exploited during the contest. Apple was present as well for the disclosure.
“I think the Webkit fix will be relatively easy,” Chen said. “The system-level vulnerability is related to how they designed the application; it may be more difficult for them.”
Chen said the big challenge was bypassing the Safari sandbox because the exposed attack surface is so small compared to Internet Explorer, for example.
“For Apple, the OS is regarded as very safe and has a very good security architecture,” Chen said. “Even if you have a vulnerability, it’s very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems.”
Jiahong can now focus on finding bugs in mobile operating systems, Android in particular. Android’s fragmentation—multiple vendors and hardware carriers each with their own flavor of Android and update policies—requires deeper study of the OS compared to iOS. Researchers, he said, focus only on the latest version of iOS because most users are on the latest rev.
“Google has been very good about security, but vendors write their own code or hardware vendors write their own kernel modules and drivers,” Jiahong said. “Your (research) methodology may not apply to every system.”
VANCOUVER – Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail.
A group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood in proxy for Jung Hoon Lee. Lee was home fulfilling a military obligation, a promise that kept him from seeing his Internet Explorer 11 exploit come up short Thursday morning.
HP’s Zero Day Initiative, the sponsor of the event, said it bought the vulnerability regardless and worked with the researchers to break down the details. The particulars will also be shared with Microsoft, as is customary for all bugs ZDI purchases.
Registrants at Pwn2Own have 30 minutes to demonstrate their exploit and verify it works by executing the calculator application on the underlying system. In this case, Lee’s exploit was chasing down a vulnerability in IE 11 on a fully patched 64-bit Windows 8.1 machine. A successful exploit would have been worth $100,000.
Generally, entrants in Pwn2Own withdraw if there are difficulties with their exploits. On Tuesday, Microsoft rolled out another patch for Internet Explorer. The cumulative rollup, a regular Patch Tuesday update, repaired a zero-day in Internet Explorer 10 being used in targeted attacks, including Operation SnowMan targeting the U.S. Veterans of Foreign Wars and a separate attack on a French aerospace manufacturer. It was not disclosed whether the patch affected the Lee exploit.
The failure of Lee’s exploit was in stark contrast to others demonstrated to that point, including one by German researcher Sebastian Apelt of Siberas, who succeeded against IE 11. Apelt’s exploit worked in less than a minute and was good for $100,000. Earlier on Thursday, a pair of Chinese hackers from the Keen Team successfully exploited a zero-day vulnerability in Apple’s Safari browser to gain control of a MacBook running OS X Mavericks. That exploit was worth $65,000, and the members of Keen Team announced they would donate a portion of that to Malaysian charities.
Soon after the IE setback, Pwn2Own regular George Hotz took down Firefox to collect a $50,000 prize. Hotz is perhaps better known for his jailbreaking exploits against the iPhone and the PlayStation gaming console. Hotz’s attack against Firefox was the fourth time zero-days were exploited in the Mozilla browser during the two-day event.
Hackers from French exploit vendor Vupen took down both Internet Explorer and Firefox on Wednesday as part of a $350,000 haul; Vupen also beat Adobe Reader and Flash. On Thursday, Vupen had another exploit, for Chrome, worth a further $100,000. Once the Keen Team popped Safari on Thursday, Vupen withdrew its Safari entry; it had also withdrawn its Java entry on Wednesday.
Vupen founder Chaouki Bekrar said his researchers prepared for two months in advance of Pwn2Own and had little trouble with IE 11 on Wednesday, using a use-after-free vulnerability combined with an “object confusion” to bypass the IE sandbox.
“It’s definitely getting harder to exploit browsers, especially on Windows 8.1,” Bekrar said. “Exploitation is harder and finding zero-days in browsers is harder.”
Vupen’s successful exploit of Firefox on Wednesday also used a different use-after-free zero-day to bypass the ASLR and DEP memory protections in Windows. Bekrar said the bug was found by running 60 million test cases through a fuzzer.
“That proves Firefox has done a great job fixing flaws; the same for Chrome,” Bekrar said. “Chrome has the strongest sandbox, so that’s even more difficult to create exploits for.”
ZDI announced prior to the event it would buy all the Pwn2Own bugs at a price of close to $1.1 million.
The NSA on Thursday responded to media reports that it has been impersonating Facebook and other sites in order to compromise surveillance targets’ machines, saying that the agency “does not use its technical capabilities to impersonate U.S. company websites.”
It is relatively rare for the NSA to respond directly to reports about its technical capabilities or surveillance methods, even considering the massive volume of reports that have come out in the last nine months about the agency. On Wednesday, The Intercept, citing documents supplied by NSA leaker Edward Snowden, reported that the agency sometimes impersonated Facebook servers as a way to attract targets. The operation was part of a plan to infect millions of machines with the agency’s special brand of malware, according to the report.
It’s well-known that the NSA’s Tailored Access Operations (TAO) unit, which does much of the agency’s offensive work, has a wide range of technical capabilities at its disposal. Typically the unit’s efforts are deployed in small, targeted operations. But the allegation that the agency is now performing large-scale compromises of machines changes that equation.
However, the NSA said in a statement that the allegations are false and that the agency does not perform broad, indiscriminate exploitation operations.
“Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which the capability must be employed,” the statement from the NSA Public Affairs Office says.
A good portion of the discussion around the NSA revelations of the last few months has involved whether the agency has overstepped its bounds and abandoned its legal mission of conducting foreign intelligence operations. U.S. citizens are supposed to be off-limits for NSA operations, except in specific circumstances. The agency says its officers don’t target users indiscriminately.
“NSA’s authorities require that its foreign intelligence operations support valid national security requirements, protect the legitimate privacy interests of all persons, and be as tailored as feasible. NSA does not use its technical capabilities to impersonate U.S. company websites. Nor does NSA target any user of global Internet services without appropriate legal authority. Reports of indiscriminate computer exploitation operations are simply false,” the statement says.
Several Samsung Galaxy devices are said to have a backdoor that could give an attacker “over-the-air remote control” that could be used to access the phone’s file system and turn some devices into spying tools.
Developers behind the Replicant project, a Cyanogen-based Android OS, discovered the backdoor is included in “most proprietary Android systems” running on Galaxy devices. The Galaxy Nexus S, S, S2, Note, Nexus, both the seven-inch and 10.1-inch Tab 2 and the Note 2 are all affected by the backdoor.
Technically the problem lies in a program – Android’s Radio Interface Layer (RIL) – that runs on the devices’ baseband processor and is in charge of handling the communication with the modem. That program implements Samsung’s IPC protocol, which allows the modem to “perform remote file I/O operations on the file system” via a class of requests called RFS commands.
The program affords the user the ability to read, write and delete files on the phone’s storage, according to Replicant developer Paul Kocialkowski in a write up on the backdoor yesterday in a blogpost on the Free Software Foundation.
Kocialkowski goes on to explain that the program is shipped with the aforementioned Galaxy devices and that the way it’s implemented on certain devices can give it sufficient rights to access and modify user data.
Even when the modem is isolated and cannot directly access the storage, the backdoor can provide remote access to the phone’s data, something Kocialkowski stresses is simply “unacceptable behavior,” regardless of whether it’s something Samsung knew about.
“It is possible that these were added for legitimate purposes without the intent of doing harm by providing a back door,” Kocialkowski said of the RFS commands. “Nevertheless, the result is the same and it allows the modem to access the phone’s storage.”
A further in-depth analysis of the backdoor shows that some of the RFS commands are so obviously titled (IPC_RFS_READ_FILE, IPC_RFS_WRITE_FILE, IPC_RFS_RENAME_FILE, etc.) that it’s clear they perform I/O operations on the file system.
Replicant goes on to claim that the commands “were not found to have any particular legitimacy nor relevant use-case,” making it even more interesting that they’re there.
Samsung didn’t immediately respond to a request for comment on Thursday. Dan Rosenberg, a security researcher who has done a lot of work on Android security, said on Twitter that he confirmed that some versions of the Galaxy S4 and Note 3 also are affected by this issue.
It was almost a year ago that an Italian researcher discovered half a dozen bugs in some of the company’s devices, including some that allowed attackers to send premium SMS messages without permission and change a user’s settings without their knowledge.
Most recently, in January, researchers from Israel determined that it was possible to bypass a secure virtual private network connection on Samsung Galaxy S4 devices and redirect traffic in clear text to an attacker.
A recent watering-hole attack targeted firms in the energy sector using a compromised site belonging to a law firm that works with energy companies and led victims to a separate site that used the LightsOut exploit kit to compromise their machines.
The attack, which was active during late February according to researchers at Zscaler, follows a familiar pattern seen in many other such attacks. It began with the compromise of a law firm’s site at 39essex[.]com and when users hit the site, they were redirected to a third-party site, which hosted the exploit kit. When victims visited the second compromised site hosting the kit, it performed a number of diagnostic tests on the user’s browser to see what sort of exploits should be delivered.
The kit checks to see whether Java is running, whether the user is running Internet Explorer and what version of Adobe Reader is installed. Once that information is gathered, the LightsOut exploit kit goes to work, firing exploits against the user’s machine.
“Ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole. However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC,” Chris Mannon of Zscaler wrote in an analysis of the attack.
This most recent attack shares a lot of traits with one that ran last fall, and also targeted firms in the energy and oil sector. In that watering hole attack, the attackers were using Java, IE and Firefox exploits and the malware delivered was used to record system configurations and data on the clipboard and from the keyboard.
The researchers at Zscaler said that the similarities between the two attacks are likely not a coincidence.
“It would seem that the attackers responsible for this threat are back for more,” Mannon said.
The term metadata and the implications of its collection and analysis have been one of the key points in the debate surrounding the NSA’s broad surveillance programs over the last year. Legislators, policy makers and others continue to argue about whether metadata can actually reveal anything about the people behind the phone numbers, but researchers who have studied a new data set say there should be no doubt: metadata is sensitive information.
Researchers at Stanford University’s Security Lab and Society last fall spun up a new program called MetaPhone designed to gather metadata from volunteers’ Android phones and then analyze the data to see what conclusions they could draw. The project’s 546 participants called more than 33,000 unique numbers during the study period, and the Stanford researchers were able to infer highly sensitive information about some of the volunteers, including serious medical conditions, gun ownership and other data.
“At the outset of this study, we shared the same hypothesis as our computer science colleagues—we thought phone metadata could be very sensitive. We did not anticipate finding much evidence one way or the other, however, since the MetaPhone participant population is small and participants only provide a few months of phone activity on average,” Jonathan Mayer of Stanford wrote in a post revealing some of the results of the MetaPhone project.
“We were wrong. We found that phone metadata is unambiguously sensitive, even in a small population and over a short time window.”
By using the data collected from their volunteers’ phones, along with information from public sources such as Google Places and Yelp to help identify the callers’ contacts, the Stanford researchers were able to discover that their volunteers were calling a large variety of businesses that could be considered sensitive. Doctors’ offices, medical device companies, churches, gun shops and even marijuana dispensaries popped up on the list. Some people also called alcohol rehabilitation programs and family planning clinics.
“The degree of sensitivity among contacts took us aback. Participants had calls with Alcoholics Anonymous, gun stores, NARAL Pro-Choice, labor unions, divorce lawyers, sexually transmitted disease clinics, a Canadian import pharmacy, strip clubs, and much more. This was not a hypothetical parade of horribles. These were simple inferences, about real phone users, that could trivially be made on a large scale,” Mayer said.
The conclusion, Mayer said, is clear: Metadata can reveal sensitive information. NSA officials, lawmakers and even President Obama have maintained that metadata does not constitute sensitive information because it doesn’t include the content of calls. Metadata, in general, includes the originating and terminating numbers of a call as well as the length of the call.
“The dataset that we analyzed in this report spanned hundreds of users over several months. Phone records held by the NSA and telecoms span millions of Americans over multiple years. Reasonable minds can disagree about the policy and legal constraints that should be imposed on those databases. The science, however, is clear: phone metadata is highly sensitive,” Mayer wrote.
VANCOUVER – The prelude to the annual Pwn2Own contest between sponsor HP’s Zero Day Initiative and Pwnium contest sponsor Google produced not only zero-day exploits for Internet Explorer and Safari, but some skepticism about whether the exploits and details on the vulnerabilities were held for the contest.
The event, known as Pwn4Fun, featured researchers from the two companies who demonstrated exploits against previously unreported vulnerabilities in the Apple and Microsoft browsers. Successful exploitation resulted in more than $80,000 donated to the Red Cross of Canada.
Still, some experts have questioned how long the two companies knew about the vulnerabilities they exploited and questioned why they hadn’t reported them sooner.
Aaron Portnoy of Exodus Intelligence was the loudest among a chorus of critics who took to Twitter to condemn the contest and accused Google in particular of being critical in the past of companies for withholding details on vulnerabilities and exploits or sharing them only with customers.
“What angers me is the blatant hypocrisy originating from the Google team members who run Pwnium, Pwn4Fun and Pwn2Own against other researchers who have sat on 0day,” Portnoy said. “Watching Google take the moral high ground only when it is convenient angers me—and even more so the fact that nobody wants to call them on it.”
Google security engineer Chris Evans told Threatpost that Google had shared the vulnerability with Apple beforehand.
“Google has a policy of not withholding vulnerability details, and the vulnerabilities demonstrated today had already been reported to the vendor,” Evans said. “This morning, we demonstrated exploits for these vulnerabilities as part of the competition.”
Google kicked off Pwn4Fun with a run at Safari running on a fully patched MacBook. The successful exploit was good for $32,500 to the Canadian Red Cross. An hour later, HP’s Jasiel Spelman, Matt Molinyawe, and Abdul-Aziz Hariri took down Internet Explorer, a zero day worth $50,000 to the same charity.
HP’s Zero Day Initiative purchased the two bugs, as well as all of the vulnerabilities to be exploited during the Pwn2Own contest; 15 successful exploits during the two-day event would result in close to $1.1 million in payouts.
Google did not share details on the Safari vulnerability. HP ZDI said it exploited a use-after-free vulnerability and a sandbox bypass to gain code execution with process continuation, meaning the exploit would not visually crash the browser, HP said. The company said it also disclosed six more IE zero day vulnerabilities to Microsoft.
“Thinking of user safety, it’s too soon to share details about the exploits or bugs they are based on. We do believe in open sharing within the security community so that we can all learn from each other and push internet security forward,” Evans said via email. “Accordingly, we’ll be publishing details on one of our blogs in the future.”
HP’s Brian Gorenc, manager of vulnerability research for the ZDI, told Threatpost that it was not withholding a zero-day vulnerability for use in the contest.
“We are responsibly disclosing several vulnerabilities and techniques at an event built around responsible disclosure,” Gorenc said. “While we will be demonstrating the exploit publicly, the techniques and vulnerability details will be kept private.”
Gorenc said HP ZDI will provide Microsoft with a white paper that includes a full analysis of the IE vulnerabilities exploited and techniques used in the contest, the same process Pwn2Own contestants must follow as well.
“Vendors are then given 120 days to fix the security flaws, a pretty significant window of time,” Gorenc said. “The time that ZDI spends analyzing all sorts of software helps to secure the internet – which is why contests like Pwn2Own are so important in helping the industry keep dangerous vulnerabilities out of the black market.”
VANCOUVER – A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes.
A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS.
“The Early Random PRNG in iOS 7 is surprisingly weak,” said Tarjei Mandt, senior security researcher at Azimuth Security. “The one in iOS 6 is better because this one is deterministic and trivial to brute force.”
The Early Random PRNG is important to securing the mitigations used by the iOS kernel.
“All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,” Mandt said. “It must provide sufficient entropy and non-predictable output.”
The PRNG launches at boot and provides entropy to various kernel exploit mitigations, Mandt said.
Those mitigations include physical kernel map randomization, stack-check guard, zone cookie protections, and kernel map randomizations. Those mitigations are important memory protections that keep the kernel safe from buffer overflow attacks and other exploits targeting how memory is allocated and where code is safely allowed to execute.
iOS 6’s PRNG, Mandt said, suffered from poor entropy sources and poor use of the seed data used to generate outputs. Similar to its deployment in OS X, Mandt said, the PRNG in iOS 6 used Mach Absolute Time to derive outputs.
“It could return the same value over and over because it was reliant on clock information,” Mandt said.
This was supposedly addressed in iOS 7 where time-based correlation issues were avoided through the use of a Linear Congruential Generator (LCG). The LCG in iOS 7 leverages information from four state generations, Mandt said, each one producing 16 bits of output. Each time, the lower three bits of each piece of output are discarded because they are considered weak.
Mandt said there are generally known problems associated with LCGs, including serial correlation between outputs making them susceptible to brute force attacks.
Mandt stressed that it is difficult to defend against an attacker who has already exploited an existing vulnerability in iOS or even OS X and is able to then monitor PRNG outputs.
“Having fewer state generations per output makes this less practical,” he said. “This prevents brute forcing of the internal state using a single output.”
Mandt also suggested Apple could avoid the usage of weak bits by passing output through a temper function or choosing a PRNG with less correlation. Hardening mitigations could help too, he said; that could include XOR encryption of stack cookies.
Mandt said he did not disclose the issue to Apple, representatives of which, he said, requested to see his slides 15 minutes before his presentation today.
“Quite a bit of mitigations rely on the PRNG,” Mandt said. “If the generator is broken, all of this is pretty much useless.”
VANCOUVER – It’s become a familiar walk for Chaouki Bekrar. Year after year at the Pwn2Own contest, the controversial Vupen founder is scurried from a small room in the basement of the Sheraton hotel to a suite several floors above. It’s a short journey from where a string of zero-day exploits are executed to where formal disclosure is made to the vendor in question. It’s also where payment is arranged, and on this day, exclusivity is promised to HP’s Zero Day Initiative.
Bekrar made this trek four times on Wednesday, earning close to $400,000 in the process and cementing his place as perhaps one of the most divisive people in security. Vupen, a French company, is well known as an exploit vendor and its magnetic figurehead stands by his well-worn mantra that the zero-days they develop are exclusively for customers, a list that includes a number of NATO governments. Vupen, Bekrar said, will not sell zero-days to repressive regimes.
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising.
“Not one of our exploits have ever been discovered in the wild,” Bekrar added. “All of our customers use exploits in a targeted way for specific national security missions.”
Vupen, like other research outfits, used to disclose zero-day vulnerabilities to vendors, but that changed in 2010 because most vendors were reluctant to support bug bounty programs or compensate bug hunters.
“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”
Now, Google, Facebook, Yahoo and many other technology companies have instituted some sort of bug bounty program. Microsoft’s take on bounties—paying for mitigation bypasses—was admittedly a shot across the bow of exploit vendors such as Vupen and a reaction to a growing trend of researchers no longer disclosing directly to Microsoft but instead through a broker.
“I’ve been working on this for a while and this is the first time the research told us that the majority of people were going through brokers,” said Microsoft senior security strategist Katie Moussouris in June when the program launched. “If we can find these holes as early as possible, we can protect against whole classes of attack. We don’t want to wait for a third party.”
Microsoft has paid out a pair of $100,000 bounties for bypasses of its ASLR and DEP mitigations in Windows. A similar program for Internet Explorer vulnerabilities—with smaller payouts—was also launched but only for a month.
“They have a bounty for techniques, however the number of techniques is limited,” Bekrar said. “So the scope of the bounty is pretty small.”
Bekrar and his team of Vupen researchers did earn a $100,000 payout today for the IE 11 zero-day. He said the Vupen exploit used a use-after-free vulnerability combined with an “object confusion” to bypass the IE sandbox.
“It’s definitely getting harder to exploit browsers, especially on Windows 8.1,” Bekrar said. “Exploitation is harder and finding zero-days in browsers is harder.”
Vupen also successfully exploited Firefox, exploiting another use-after-free bug to bypass ASLR and DEP memory protections in Windows.
“The Firefox zero-day we used today we found it through fuzzing, but it required 60 million test cases. That’s a big number,” Bekrar said. “That proves Firefox has done a great job fixing flaws; the same for Chrome. Chrome has the strongest sandbox, so that’s even more difficult to create exploits for.”
Vupen has a Chrome zero day it plans to exploit tomorrow possibly for another $100,000. It is also registered for a try at Safari, but the Keen Team is first on the docket against Safari and depending on what happens there, Bekrar said Vupen may not try its Safari zero day. Vupen also withdrew a planned Java exploit that required a click-to-play bypass that offered a $30,000 prize.
Vupen also successfully exploited Adobe Reader and Flash running in Internet Explorer 11 on a patched 64-bit Windows 8.1 machine. Each of the Adobe vulnerabilities and exploits were worth $75,000.
The Adobe Reader exploit was the first of Pwn2Own. Vupen chained together a heap overflow exploit and a native PDF sandbox escape to beat Reader XI. The Flash exploit, meanwhile, required three zero-days, Bekrar said, a use-after-free, a JIT spray and a sandbox escape.
“The first motivation for coming to Pwn2Own is the challenge to show that even the most secure browsers and products can still be compromised,” Bekrar said, adding that all of the exploits used at Pwn2Own were developed for the contest and were not shared with customers beforehand.
Mozilla had a busy day with three zero-days disclosed against Firefox. Beyond Vupen, Mariusz Mlynski, a Polish researcher who has been credited with reporting dozens of Firefox bugs, and Juri Aedla, a frequent Chrome bug-finder, won $50,000 each for toppling the Mozilla browser.
More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature.
While the WordPress team is aware of the issue it’s not expected to be patched as it’s a default feature on WordPress, not a flaw, meaning it’s a problem that will likely be left up to site developers to mitigate.
Attackers abused a number of sites that have the feature, essentially XML-RPC requests that make it easy for blogs to cross-reference other blog posts, enabled.
Daniel Cid, the CTO of security firm Sucuri, described the attack, which took down an undisclosed website belonging to one of the firm’s clients, in a blog post on Monday.
According to Cid the attack appears to have used the application-layer (Layer 7) HTTP flood style of DDoS, which is harder to detect because the requests look like they’re coming from legitimate sites.
In this case they were legitimate sites, 162,000 of them, sending “random requests at a very large scale” to the site’s server, each one with a randomized value that bogged their site down by bypassing their cache and mandating a full page reload each time.
Unlike conventional DDoS attacks that use NTP and DNS, this attack, reflective in nature, used the websites as indirect source amplification vectors. While WordPress sites were the victim this time around, experts say any site could technically be tweaked to dole out this kind of flood attack.
“We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk,” Cid wrote.
Since the POST requests were sent to /xmlrpc.php, they’re easy to find in logs, so Cid is encouraging WordPress developers to check theirs to ensure that their sites aren’t vulnerable and attacking other WordPress sites.
Users can look through logs for POST requests to the XML-RPC file, like the two entries below:
188.8.131.52 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://fastbet99.com/?1698491=8940641\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
184.108.40.206 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
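As an added illustration (not Sucuri’s scanner and not code from the article), the following Python parses Apache-style access-log lines like those above, pulls out the pingback.ping calls and flags the hosts a WordPress site is being made to flood, using the cache-busting query strings as the tell. The log lines, IP addresses and host names are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample access-log lines (not real traffic), shaped like the
# entries quoted in the article: when the server logs the POST body, the
# first URI in the pingback.ping call is the site being flooded (carrying a
# random query string that defeats its cache) and the second is a post on
# the reflecting WordPress site. Hosts and addresses are example values.
SAMPLE_LOG = r'''
198.51.100.10 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:\x0Apingback.ping\x0Ahttp://victim.example/?1698491=8940641\x0Ahttp://yoursite.example/hello-world/"
198.51.100.10 - - [09/Mar/2014:20:11:35 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:\x0Apingback.ping\x0Ahttp://victim.example/?4411827=1092117\x0Ahttp://yoursite.example/hello-world/"
203.0.113.7 - - [09/Mar/2014:20:12:02 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:\x0Apingback.ping\x0Ahttp://victim.example/?9920011=5531720\x0Ahttp://yoursite.example/about/"
203.0.113.7 - - [09/Mar/2014:20:12:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-" "POSTREQUEST:\x0Apingback.ping\x0Ahttp://blog.partner.example/2014/03/post/\x0Ahttp://yoursite.example/about/"
192.0.2.55 - - [09/Mar/2014:20:12:09 -0400] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.56 - - [09/Mar/2014:20:12:11 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

# Combined log format plus an optional trailing quoted request body.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>.*)")?$'
)
# URLs inside the logged body; the escaped newlines (\x0A) terminate them.
URL_RE = re.compile(r'https?://[^\s"\\]+')


def parse_pingbacks(log_text):
    """Return one record per POST /xmlrpc.php whose body is a pingback.ping."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0] != "/xmlrpc.php":
            continue
        body = m.group("body") or ""
        if "pingback.ping" not in body:
            continue
        urls = URL_RE.findall(body)
        if len(urls) < 2:
            continue  # malformed call; not a usable pingback
        events.append({
            "client": m.group("client"),
            "ts": m.group("ts"),
            "source_url": urls[0],   # the page the caller wants fetched
            "target_url": urls[1],   # a post on this site
        })
    return events


def is_cache_buster(url):
    """True for a query of the form ?<digits>=<digits>, as seen in the flood."""
    query = urlparse(url).query
    return bool(re.fullmatch(r"\d+=\d+", query))


def find_reflection_targets(events, min_requests=3):
    """Hosts named as pingback source by many requests that all carry a
    random cache-busting query are the sites this server is being used to
    flood; legitimate pingbacks point at ordinary post URLs."""
    by_host = defaultdict(list)
    for e in events:
        host = urlparse(e["source_url"]).hostname
        if host:
            by_host[host].append(e)
    return {
        host: len(evs)
        for host, evs in by_host.items()
        if len(evs) >= min_requests
        and all(is_cache_buster(e["source_url"]) for e in evs)
    }


def clients_by_volume(events):
    """Which clients submitted the pingback calls, for edge blocking."""
    return Counter(e["client"] for e in events)


if __name__ == "__main__":
    found = parse_pingbacks(SAMPLE_LOG)
    print(f"{len(found)} pingback.ping requests")
    for host, n in find_reflection_targets(found).items():
        print(f"this site is being used to flood {host} ({n} requests)")
    print("clients:", dict(clients_by_volume(found)))
```

Run against a real access log the threshold should be raised well above three; the sample is small only to keep the example readable.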
Developers can also use a scanner the firm released this week to check their logs and tell whether their WordPress sites are DDoSing other websites.
If found, Cid says users can remedy the situation either by disabling XML-RPC pingback or by creating a plugin that adds a filter to block this kind of pingback. Users interested in learning how to do that can head over to the Sucuri blog.
As Johannes B. Ullrich, chief technology officer at the SANS Technology Institute adds, removing xmlrpc.php is not a recommended option as it will “break a number of other features that will use the API.”
Google has fixed several serious security vulnerabilities in Chrome 33, just ahead of the Pwn2Own hacking competition at CanSecWest this week, which surely will reveal several more new bugs in the browser.
The company’s Chrome browser is always at the top of the target list for contestants in Pwn2Own, which rewards them with cash prizes for demonstrating exploits against previously unknown vulnerabilities in the major browsers. A team from VUPEN, along with individual researchers, is lined up to go after Chrome, Internet Explorer, Safari and Adobe Reader and Flash. Google also runs its own Pwnium contest in parallel with Pwn2Own and offers large rewards for new attacks against Chrome.
Pwn2Own is set to begin Wednesday and run through Thursday at the conference, and on Tuesday Google patched four high-risk flaws in Chrome.
High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
Google likely will be releasing more patches for Chrome later this week as researchers demonstrate their new exploits.
An ever-shrinking number of vulnerable network time protocol (NTP) servers are being used with customized distributed denial of service (DDoS) toolkits to perform increasingly potent NTP amplification attacks.
According to the DDoS mitigation specialists at Prolexic, who issued a high-alert DDoS attack threat advisory this morning, high-bandwidth NTP amplification DDoS attacks are up 371.43 percent in the last 30 days. This increase comes despite a high level of awareness that vulnerable NTP servers can be exploited to amplify DDoS attacks and a concerted effort throughout the security community to decrease the number of vulnerable NTP servers.
“During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base,” said Stuart Scholly, a senior vice president and general manager of security at Akamai Technologies, which recently acquired Prolexic. “In fact, the largest attacks we’ve seen on our network this year have all been NTP amplification attacks.”
Not only did the overall number of NTP amplification attacks increase from January to February, but so too did the average peak bandwidth of DDoS attacks (up 217.97 percent) and the average peak volume of DDoS attacks (up 807.48 percent). In addition, such attacks are affecting more industries than ever as well, including the finance, gaming, e-commerce, Internet, media, education, software-as-a-service (SaaS), and security industries.
Perhaps the most exploitable aspect of NTP is the monlist request. One of the more recent and commonly deployed DDoS toolkits uses an NTP server’s own list of recent server connections – known as its monlist and containing as many as 600 IP addresses – as the payload to create malicious traffic at the target site. While the method is not new, Prolexic claims it is certainly garnering wider use than it previously has.
In their advisory, Prolexic notes that the ongoing effort to purge the Internet of vulnerable NTP servers is driving attackers to develop new tools enabling them to launch potent attacks with fewer servers. As their report makes clear, the existing vulnerable NTP servers are more than capable of reaching crippling DDoS amplification levels.
In a lab environment, Prolexic simulated NTP amplification attacks and found that the method could amplify the bandwidth and volume of DDoS attacks by 300 times and 50 times respectively. The company notes that the results of these tests reflect a “perfect storm” scenario and that real-world attacks would be less effective.
Researchers looking into the recently uncovered Turla, or Snake, cyber espionage campaign have discovered some similarities connecting it to older pieces of malware such as Agent.btz, the worm that several years ago infected U.S. military networks and eventually caused the Department of Defense to ban the use of USB drives. However, there is not enough evidence to suggest that the two pieces of malware were created by the same authors, researchers say.
Reports last week detailed the Turla malware’s infection of networks belonging to U.S. government agencies as well as some targets in Ukraine, the U.K. and some other European countries. The malware hides on infected systems, steals data and sends it off to a remote server, much like other cyber espionage tools. Turla seems to have been written by Russian-speaking authors, like Agent.btz and the Red October cyber espionage malware. Turla also uses the same XOR key and log file names as Agent.btz, suggesting a strong link between the two.
However, the details of the Agent.btz attack have been known publicly for six years now, including the specific log file names, and even the XOR key, which was published in 2008 when the attack was discovered. Agent.btz, unlike Turla, was a self-replicating worm; it infected U.S. military networks and had the ability to jump to USB drives connected to compromised machines. After the attack was discovered and remediated, the Department of Defense prohibited the use of USB drives on its networks. Both Turla and Agent.btz have files with identical names, and Red October and Turla both use a file called “thumb.dd”.
With all of that detail known publicly, researchers say that there is not enough evidence to say conclusively that Turla is directly connected to Agent.btz or Red October.
“We cannot make such a conclusion based only on the listed facts,” said Aleks Gostev, Chief Security Expert at Kaspersky Lab. “All the information used by developers was publicly known – at least by the time of Red October and Gauss/Flame creation. First of all, it wasn’t a secret that Agent.btz used ‘thumb.dd’ as a container file to collect information about infected systems.
“Secondly, the XOR key used by developers of Turla and Agent.btz to encrypt their log files was also published in 2008. It’s unknown since when this key was first used in Turla, but we see it for sure in the latest samples of the malware (created in 2013-2014). At the same time, there is some data that Turla’s development started in 2006 – before any known sample of Agent.btz. Which leaves the question open.”
Researchers at Kaspersky Lab, who uncovered the Red October cyber espionage campaign, said that it’s possible the malware was programmed to scan for the “thumb.dd” file on infected machines in order to steal whatever data the file contained. Red October was a highly specialized tool designed to infect specific systems and steal data. Gostev said that there also are some similarities between the Flame and Gauss malware and Agent.btz, including some similar naming conventions. A possible explanation, he said, is that the authors of Flame and Gauss were familiar with the analysis of Agent.btz and adopted some of the same techniques.
“Summarizing all the above, it is possible to regard Agent.btz as a certain starting point in the chain of creation of several different cyber-espionage projects. The well-publicized story of how US military networks were infected could have served as the model for new espionage programs having similar objectives, while its technologies were clearly studied in great detail by all interested parties. Were the people behind all these programs all the same? It’s possible, but the facts can’t prove it,” Gostev said in his analysis of the Turla connection to other malware.