Feed aggregator

Researcher: ‘Lax’ Crossdomain Policy Puts Yahoo Mail At Risk

Threatpost for B2B - Thu, 12/11/2014 - 13:23
A security researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that puts email content and contacts at risk.

Microsoft Recalls Patch Tuesday Exchange Update

Threatpost for B2B - Thu, 12/11/2014 - 12:47
For the second month in a row, Microsoft is recalling a security update published along with its monthly patch Tuesday release.

Black Energy Malware May Be Exploiting Patched WinCC Flaw

Threatpost for B2B - Thu, 12/11/2014 - 10:34
Experts at ICS-CERT say that the BlackEnergy malware that has been seen infecting human-machine interface systems may be exploiting a recently patched vulnerability in the Siemens SIMATIC WinCC software in order to compromise some systems.

Mozilla to Support Certificate Transparency in Firefox

Threatpost for B2B - Thu, 12/11/2014 - 07:00
Mozilla is planning to add support for Certificate Transparency checks in Firefox in the near future, but the company says that the feature won't be turned on by default at first.

Kaspersky Security Bulletin 2014. A Look into the APT Crystal Ball

Secure List feed for B2B - Thu, 12/11/2014 - 07:00

 PDF version
 EPUB version
 Download Full Report PDF
 Download Full Report EPUB

  1. Predictions 2015
  2. Overall statistics for 2014
  3. Malware Evolution
  4. A Look into the APT Crystal Ball

Over the past years, Kaspersky's Global Research and Analysis Team (GReAT) has shed light on some of the biggest APT campaigns, including RedOctober, Flame, NetTraveler, Miniduke, Epic Turla, Careto/Mask and others. While studying these campaigns we have also identified a number of 0-day exploits, including the most recent CVE-2014-0546. We were also among the first to report on emerging trends in the APT world, such as cyber mercenaries who can be contracted to launch lightning attacks or more recently, attacks through unusual vectors such as hotel Wi-Fi. Over the past years, Kaspersky Lab's GReAT team has monitoring more than 60 threat actors responsible for cyber-attacks worldwide, organizations which appear to be fluent in many languages such as Russian, Chinese, German, Spanish, Arabic, Persian and others.

By closely observing these threat actors, we put together a list of what appear to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention, both from an intelligence point of view but also with technologies designed to stop them.

The merger of cyber-crime and APT

For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses in the worth hundreds of millions of dollars. Maybe this market is no longer so lucrative, or maybe the cybercriminal market is simply overcrowded, but it now seems like there is a struggle being waged for 'survival'. And, as usual, that struggle is leading to evolution.

What to expect: In one incident we recently investigated attackers compromised an accountant's computer and used it to initiate a large transfer with their bank. Although it might seem that this is nothing very unusual, we see a more interesting trend: Targeted attacks directly against banks, not their users.

In a number of incidents investigated by Kaspersky Lab experts from the Global Research and Analysis Team, several banks were breached using methods straight out of the APT playbook. Once the attackers got into the banks' networks, they collected enough information to enable them to steal money directly from the bank in several ways:

  • Remotely commanding ATMs to dispense cash.
  • Performing SWIFT transfers from various customer accounts,
  • Manipulating online banking systems to perform transfers in the background.

These attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world. As usual, cybercriminals prefer to keep it simple: they now attack the banks directly because that's where they money is.  We believe this is a noteworthy trend that will become more prominent in 2015.

Fragmentation of bigger APT groups

2014 saw various sources expose APT groups to the public eye. Perhaps the best-known case is the FBI indictment of five hackers on various computer crimes:

This public "naming and shaming" means we expect some of the bigger and "noisier" APT groups to shatter and break into smaller units, operating independently.

What to expect: This will result in a more widespread attack base, meaning more companies will be hit, as smaller groups diversify their attacks. At the same time, it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comments Crew and Wekby) will see more varied attacks from a wider range of sources.

Evolving malware techniques

As computers become more sophisticated and powerful, operating systems also become more complex. Both Apple and Microsoft have spent a lot of time improving the security posture of their respective operating systems. Additionally, special tools such as Microsoft's EMET are now available to help thwart targeted attacks against software vulnerabilities.

With Windows x64 and Apple Yosemite becoming more popular, we expect APT groups to update their toolsets with more powerful backdoors and technologies to evade security solutions.

What to expect: Today, we are already seeing APT groups constantly deploying malware for 64-bit systems, including 64-bit rookits. In 2015, we expect to see more sophisticated malware implants, enhanced evasion techniques and more use of virtual file systems (such as those from Turla and Regin) to conceal precious tools and stolen data.

While we see these increases in advanced techniques, some attackers are moving in the opposite direction. While minimizing the number of exploits and amount of compiled code they introduce to compromised networks altogether, their work continues to require sophisticated code or exploit introduction at a stable entry into the enterprise, script tools and escalation of privilege of all sorts, and stolen access credentials at victim organizations.

As we saw with BlackEnergy 2 (BE2), attackers will actively defend their own presence and identity within victim networks once discovered. Their persistence techniques are becoming more advanced and expansive. These same groups will step up the amount and aggression of destructive last effort components used to cover their tracks, and they include more *nix support, networking equipment, and embedded OS support. We have already seen some expansion from BE2, Yeti, and Winnti actors.

New methods of data exfiltration

The days when attackers would simply activate a backdoor in a corporate network and start siphoning terabytes of information to FTP servers around the world are long gone. Today, more sophisticated groups use SSL on a regular basis alongside custom communication protocols.

Some of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers).

These in turn have resulted in many corporations banning public cloud services such as Dropbox from their networks. However, this remains an effective method of bypassing intrusion detection systems and DNS blacklists.

What to expect: In 2015, more groups to adopt use of cloud services  in order to make exfiltration stealthier and harder to notice.

New APTs from unusual places as more countries join the cyber arms race

In February 2014, we published research into Careto/Mask, an extremely sophisticated threat actor that appears to be fluent in Spanish, a language rarely seen in targeted attacks. In August, we also released a report on Machete, another threat actor using the Spanish language.

Before that, we were accustomed to observing APT actors and operators that are fluent in relatively few languages. Additionally, many professionals do not use their native language, preferring instead to write in perfect English.

In 2014, we observed a lot of nations around the world publicly expressing an interest in developing APT capabilities:

What to expect: Although we haven't yet seen APT attacks in Swedish, we do predict that more nations will join the "cyber-arms" race and develop cyber-espionage capabilities.

Use of false flags in attacks

Attackers make mistakes. In the vast majority of the cases we analyze, we observe artifacts that provide clues about the language spoken by the attackers. For instance, in the case of RedOctober and Epic Turla, we concluded that the attackers were probably fluent in the Russian language. In the case of NetTraveler we came to the conclusion that attackers were fluent in Chinese.

In some cases, experts observe other meta features that could point toward the attackers. For example, performing file timestamp analysis of the files used in an attack may lead to the conclusion in what part of the world most of the samples were compiled.

However attackers are beginning to react to this situation. In 2014 we observed several "false flag" operations where attackers delivered "inactive" malware commonly used by other APT groups. Imagine a threat actor of Western origin dropping a malware commonly used by a "Comment Crew," a known Chinese threat actor. While everyone is familiar with the "Comment Crew" malware implants, few victims could analyze sophisticated new implants. That can easily mislead people into concluding that the victim was hit by the Chinese threat actor.

What to expect: In 2015, with governments increasingly keen to "name and shame" attackers, we believe that APT groups will also carefully adjust their operations and throw false flags into the game.

Threat actors add mobile attacks to their arsenal

Although APT groups have been observed infecting mobile phones, this hasn't yet become a major trend. Perhaps the attackers wish to get data that isn't usually available on mobiles, or maybe not all of them have access to the technologies that can infect Android and iOS devices.

In 2014 we saw several new APT tools designed for infecting mobiles, for instance Hacking Team's Remote Control System mobile modules.

Additionally, during the Hong Kong protests in October 2014, attacks were seen against Android and iOS users which appear to be connected to APT operations.

Although a mobile phone might not have valuable documents and schematics, or geopolitical expansion plans for next 10 years, they can be a valuable source of contacts as well as listening points. We observed this with the RedOctober group, which had the ability to infect mobile phones and turn them into "Zakladka's", mobile bugs.

What to expect: In 2015, we anticipate more mobile-specific malware, with a focus on Android and jailbroken iOS.

APT+Botnet: precise attack + mass surveillance

In general, APT groups are careful to avoid making too much noise with their operations. This is why the malware used in APT attacks is much less widespread than common crimeware such as Zeus, SpyEye and Cryptolocker.

In 2014 we observed two APT groups (Animal Farm and Darkhotel) using botnets in addition to their regular targeted operations. Of course, botnets can prove to be a vital asset in cyberwar and can be used to DDoS hostile countries; this has happened in the past.  We can therefore understand why some APT groups might want to build botnets in addition to their targeted operations.

In addition to DDoS operations, botnets can also offer another advantage - mass surveillance apparatus for a "poor country". For instance, Flame and Gauss, which we discovered in 2012, were designed to work as a mass surveillance tool, automatically collecting information from tens of thousands of victims. The information would have to be analyzed by a supercomputer, indexed and clustered by keywords and topics; most of it would probably be useless. However, among those hundreds of thousands of exfiltrated documents, perhaps one provides key intelligence details, that could make a difference in tricky situations.

What to expect: In 2015 more APT groups will embrace this trend of using precise attacks along with noisy operations and deploy their own botnets.

Targeting of hotel networks

The Darkhotel group is one of the APT actors known to have targeted specific visitors during their stay in hotels in some countries. Actually, hotels provide an excellent way of targeting particular categories of people, such as company executives. Targeting hotels is also highly lucrative because it provides intelligence about the movements of high profile individuals around the world.

Compromising a hotel reservation system is an easy way to conduct reconnaissance on a particular target. It also allows the attackers to know the room where the victim is staying, opening up the possibility of physical attacks as well as cyber-attacks.

It isn't always easy to target a hotel. This is why very few groups, the elite APT operators, have done it in the past and will use it as part of their toolset.

What to expect: In 2015, a few other groups might also embrace these techniques, but it will remain beyond the reach of the vast majority of APT players.

Commercialization of APT and the private sector

Over the last few years, we published extensive research into malware created by companies such as HackingTeam or Gamma International, two of the best known vendors of "legal spyware". Although these companies claim to sell their software only to "trusted government entities", public reports from various sources, including Citizen Lab, have repeatedly shown that spyware sales cannot be controlled. Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations, who can use them for cyber-espionage against other countries or their own people.

The fact is that such activities are highly profitable for the companies developing the cyber-espionage software. They are also low risk because – so far – we have not seen a single case where one of these companies was convicted in a cyber-espionage case. The developers of these tools are usually out of the reach of the law, because the responsibility falls with the tool users, not the company that develops and facilitates the spying.

What to expect: It's a high-reward, low risk business that will lead to the creation of more software companies entering the "legal surveillance tools" market. In turn, these tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.

Conclusions

In general, 2014 was a rather sophisticated and diverse year for APT incidents. We discovered several zero-days, for instance CVE-2014-0515 which was used by a group we call "Animal Farm". Another zero-day we discovered was CVE-2014-0487, used by the group known as DarkHotel. In addition to these zero-days, we observed several new persistence and stealth techniques, which in turn resulted in the development and deployment of several new defense mechanisms for our users.

If we can call 2014 "sophisticated", the word for 2015 will be "elusive". We believe that more APT groups will become concerned with exposure and they will take more advanced measures to hide from discovery.

Finally, some of them will deploy false flag operations. We anticipate these developments and, as usual, will document them thoroughly in our reports.

Microsoft Enables Removal of SSL 3.0 Fallback In IE

Threatpost for B2B - Wed, 12/10/2014 - 16:40
Microsoft has given Windows admins the option to remove the SSL 3.0 fallback from Internet Explorer. By disabling SSL 3.0, IE is no longer vulnerable to POODLE attacks.

Potential Security Concerns in Comcast Hotspot Class-Action

Threatpost for B2B - Wed, 12/10/2014 - 13:53
A class-action suit has been filed against Comcast for using customer routers as public Wi-Fi hotspots. Can attackers exploit router bugs to jump from public to private networks?

Some Recursive DNS Implementations Patch DoS Vulnerability

Threatpost for B2B - Wed, 12/10/2014 - 11:59
Some domain name server (DNS) implementations are at risk for denial-of-service attacks after a vulnerability was disclosed and patched in a few popular server packages, including BIND, PowerDNS and NLnetLabs.

Red October Attackers Return With CloudAtlas APT Campaign

Threatpost for B2B - Wed, 12/10/2014 - 11:12
The attackers behind the Red October APT campaign that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails.

Payment Gateway Provider Breached, Plain Text Data Accessed

Threatpost for B2B - Wed, 12/10/2014 - 10:03
Payment gateway and mobile payment app provider CHARGE Anywhere disclosed it had been breached and hackers had access to plain text payment card transaction authorization requests.

Yahoo Plans to Disclose All New Bugs It Finds Within 90 Days

Threatpost for B2B - Wed, 12/10/2014 - 08:00
Yahoo officials say that the company will disclose any new vulnerabilities that the company’s security team finds within 90 days of discovery. The new policy is the same one used by Google’s Project Zero, a team of researchers that looks for vulnerabilities in a variety of commonly used software packages and platforms. That team has […]

Cloud Atlas: RedOctober APT is back in style

Secure List feed for B2B - Wed, 12/10/2014 - 05:03

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.

After our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C&Cs was dismantled. As usually happens with these big operations, considering the huge investment and number of resources behind it, they don't just "go away" forever. Normally, the group goes underground for a few months, redesigns the tools and the malware and resume operations.

See:

Since January 2013, we've been on the lookout for a possible RedOctober comeback. One possible hit was triggered when we observed Mevade, an unusual piece of malware that appeared late in 2013. The Mevade C&C name styles as well as some other technical similarities indicated a connection to RedOctober, but the link was weak. It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good.

Meet Cloud Atlas

In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.

Some of the filenames used in the attacks included:

  • FT - Ukraine Russia's new art of war.doc
  • Катастрофа малайзийского лайнера.doc
  • Diplomatic Car for Sale.doc
  • МВКСИ.doc
  • Organigrama Gobierno Rusia.doc
  • Фото.doc
  • Информационное письмо.doc
  • Форма заявки (25-26.09.14).doc
  • Информационное письмо.doc
  • Письмо_Руководителям.doc
  • Прилож.doc
  • Car for sale.doc
  • Af-Pak and Central Asia's security issues.doc

At least one of them immediately reminded us of RedOctober, which used a very similarly named  spearphish: "Diplomatic Car for Sale.doc". As we started digging into the operation, more details emerged which supported this theory.

Perhaps the most unusual fact was that the Microsoft Office exploit didn't directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.

Cloud Atlas exploit payload - VBScript

This VBScript drops a pair of files on disk - a loader and an encrypted payload. The loader appears to be different every time and internal strings indicate it is "polymorphically" generated. The payload is always encrypted with a unique key, making it impossible to decrypt unless the DLL is available.

We observed several different spear-phishing documents that drop uniquely named payloads. For instance, the "qPd0aKJu.vbs" file MD5:

E211C2BAD9A83A6A4247EC3959E2A730 drops the following files:

DECF56296C50BD3AE10A49747573A346 - bicorporate - encrypted payload
D171DB37EF28F42740644F4028BCF727 - ctfmonrn.dll - loader

The VBS also adds a registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ setting the key "bookstore" to the value "regsvr32 %path%\ctfmonrn.dll /s", which ensures the malware runs every time at system boot.

Some of the DLL names we observed include:

f4e15c1c2c95c651423dbb4cbe6c8fd5 - bicorporate.dll
649ff144aea6796679f8f9a1e9f51479 - fundamentive.dll
40e70f7f5d9cb1a669f8d8f306113485 - papersaving.dll
58db8f33a9cdd321d9525d1e68c06456 - previliges.dll
f5476728deb53fe2fa98e6a33577a9da - steinheimman.dll

Some of the payload names include:

steinheimman
papersaving
previliges
fundamentive
bicorporate
miditiming
damnatorily
munnopsis
arzner
redtailed
roodgoose
acholias
salefians
wartworts
frequencyuse
nonmagyar
shebir
getgoing

The payload includes an encrypted configuration block which contains information about the C&C sever:

The information from the config includes a WebDAV URL which is used for connections, a username and password, two folders on the WebDAV server used to store plugins/modules for the malware and where data from the victim should be uploaded.

C&C communication

The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we've seen communicate via HTTPS and WebDav with the same server "cloudme.com", a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden.

(Important note: we do not believe that CloudMe is in any way related to the Cloud Atlas group - the attackers simply create free accounts on this provider and abuse them for command-and-control).

Each malware set we have observed so far communicates with a different CloudMe account though. The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism. Of course, it should be possible to reconfigure the malware to use any Cloud-based storage service that supports WebDAV.

Here's a look at one such account from CloudMe:

The data from the account:

The files stored in the randomly named folder were uploaded by the malware and contain various things, such as system information, running processes and current username. The data is compressed with LZMA and encrypted with AES, however, the keys are stored in the malware body which makes it possible to decrypt the information from the C&C.

We previously observed only one other group using a similar method – ItaDuke – that connected to accounts on the cloud provider mydrive.ch.

Victim statistics: top 5 infected countries CloudAtlas RedOctober Russia 15 35 Kazakhstan 14 21 Belarus 4 5 India 2 14 Czech Republic 2 5 Similarities with RedOctober

Just like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years.

Interestingly, some of the spear-phishing documents between Cloud Atlas and RedOctober seem to exploit the same theme and were used to target the same entity at different times.

Cloud Atlas RedOctober

Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used – RC4 in RedOctober vs AES in Cloud Atlas.

The usage of the compression algorithms in Cloud Altas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the "scheduler" plugin uses it to decompress executable payloads from the C&C.

It turns out that the implementation of the algorithm is identical in both malicious modules, however the way it is invoked is a bit different, with additional input sanity checks added to the CloudAtlas version.

Another interesting similarity between the malware families is the configuration of the build system used to compile the binaries. Every binary created using the Microsoft Visual Studio toolchain has a special header that contains information about the number of input object files and version information of the compilers used to create them, the "Rich" header called so by the magic string that is used to identify it in the file.

We have been able to identify several RedOctober binaries that have "Rich" headers describing exactly the same layout of VC 2010 + VC 2008 object files. Although this doesn't necessarily mean that the binaries were created on the same development computer, they were definitely compiled using the same version of the Microsoft Visual Studio up to the build number version and using similar project configuration.

Number of object files, CloudAtlas loader Number of object files, Red October Office plugin Number of object files,Red October Fileputexec plugin HEX compiler version Decoded compiler version 01 01 01 009D766F VC 2010 (build 30319) 01 01 01 009B766F VC 2010 (build 30319) 22 2E 60 00AB766F VC 2010 (build 30319) 5B 60 A3 00010000 – 05 07 11 00937809 VC 2008 (build 30729) 72 5C AD 00AA766F VC 2010 (build 30319) 20 10 18 009E766F VC 2010 (build 30319)

To summarize the similarities between the two:

Cloud Atlas RedOctober Shellcode marker in spearphished documents PT@T PT@T Top target country Russia Russia Compression algorithm used for C&C communications LZMA LZMA C&C servers claim to be / redirect to BBC (mobile malware) BBC Compiler version VC 2010 (build 30319) VC 2010 (build 30319) (some modules)

Finally, perhaps the strongest connection comes from targeting. Based on observations from KSN, some of the victims of RedOctober are also being targeted by CloudAtlas. In at least one case, the victim's computer was attacked only twice in the last two years, with only two malicious programsRedOctober and Cloud Atlas.

These and other details make us believe that CloudAtlas represents a rebirth of the RedOctober attacks.

Conclusion

Following big announcements and public exposures of targeted attack operations, APT groups behave in a predictable manner. Most Chinese-speaking attackers simply relocate C&C servers to a different place, recompile the malware and carry on as if nothing happened.

Other groups that are more nervous about exposure go in a hibernation mode for months or years. Some may never return using the same tools and techniques.

However, when a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything. They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces.

We believe this is also the case of RedOctober, which makes a classy return with Cloud Atlas.

Kaspersky products detect the malware from the Cloud Atlas toolset with the following verdicts:

Exploit.Win32.CVE-2012-0158.j
Exploit.Win32.CVE-2012-0158.eu
Exploit.Win32.CVE-2012-0158.aw
Exploit.MSWord.CVE-2012-0158.ea
HEUR:Trojan.Win32.CloudAtlas.gen
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Script.Generic
Trojan-Spy.Win32.Agent.ctda
Trojan-Spy.Win32.Agent.cteq
Trojan-Spy.Win32.Agent.ctgm
Trojan-Spy.Win32.Agent.ctfh
Trojan-Spy.Win32.Agent.cter
Trojan-Spy.Win32.Agent.ctfk
Trojan-Spy.Win32.Agent.ctfj
Trojan-Spy.Win32.Agent.crtk
Trojan-Spy.Win32.Agent.ctcz
Trojan-Spy.Win32.Agent.cqyc
Trojan-Spy.Win32.Agent.ctfg
Trojan-Spy.Win32.Agent.ctfi
Trojan-Spy.Win32.Agent.cquy
Trojan-Spy.Win32.Agent.ctew
Trojan-Spy.Win32.Agent.ctdg
Trojan-Spy.Win32.Agent.ctlf
Trojan-Spy.Win32.Agent.ctpz
Trojan-Spy.Win32.Agent.ctdq
Trojan-Spy.Win32.Agent.ctgm
Trojan-Spy.Win32.Agent.ctin
Trojan-Spy.Win32.Agent.ctlg
Trojan-Spy.Win32.Agent.ctpd
Trojan-Spy.Win32.Agent.ctps
Trojan-Spy.Win32.Agent.ctpq
Trojan-Spy.Win32.Agent.ctpy
Trojan-Spy.Win32.Agent.ctie
Trojan-Spy.Win32.Agent.ctcz
Trojan-Spy.Win32.Agent.ctgz
Trojan-Spy.Win32.Agent.ctpr
Trojan-Spy.Win32.Agent.ctdp
Trojan-Spy.Win32.Agent.ctdr
Trojan.Win32.Agent.idso
Trojan.Win32.Agent.idrx
HEUR:Trojan.Linux.Cloudatlas.a
Trojan.AndroidOS.Cloudatlas.a
Trojan.IphoneOS.Cloudatlas.a

 

Parallel research:

New Version of Destover Malware Signed by Stolen Sony Certificate

Threatpost for B2B - Tue, 12/09/2014 - 14:49
Researchers have discovered a new version of the Destover malware that was used in the recent Sony Pictures Entertainment breaches, and in an ironic twist, the sample is signed by a legitimate certificate stolen from Sony. The new sample is essentially identical to an earlier version of Destover that was not signed. Destover has been used […]

'Destover' Malware Now Digitally Signed by Sony Certificates (Updated)

Secure List feed for B2B - Tue, 12/09/2014 - 14:47

Several days ago, our products detected an unusual sample from the Destover family. The Destover family of trojans has been used in the high profile attacks known as DarkSeoul, in March 2013, and more recently, in the attack against Sony pictures in November 2014. We wrote about it on December 4th, including the possible links with the Shamoon attack from 2012.

The new sample is unusual in the sense it is signed by a valid digital certificate from Sony:

The signed sample has been previously observed in a non signed form, as MD5: 6467c6df4ba4526c7f7a7bc950bd47eb and appears to have been compiled in July 2014.

The new sample has the MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.

Functionally, the backdoor contains two C&Cs and will alternately try to connect to both, with delays between connections:

  • 208.105.226[.]235:443 - United States Champlain Time Warner Cable Internet Llc
  • 203.131.222[.]102:443 - Thailand Bangkok Thammasat University

So what does this mean? The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We've seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.

We've already reported the digital certificate to COMODO and Digicert and we hope it will be blacklisted soon. Kaspersky products will still detect the malware samples even if signed by digital certificates.

Stolen certificate serial number:

  • ‎01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce

Thumbprint:

  •  ‎8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a

 

UPDATE (December 10, 2014)

Since the publication of this blog, news has emerged that this sample may have been the result of a "joke" by a group of security researchers.  This has prompted questions from journalists and others in the community so we decided to address them with this update:

1. Did you find the signed sample in the wild?

So far, we have not encountered the signed sample in the wild. We've only seen it submitted to online malware scanning services. However, the existence of this sample demonstrated that the private key was in the public domain. At that point we knew we had an extremely serious situation at hand, regardless of who was responsible for signing this malware.

Reports indicate the "researcher" reached out to the certificate authorities to get the certificate revoked after submitting the malware online. The certificate would have been revoked without the creation of new malware. There really was no need to create new malware to prove that the certificate hadn't been revoked yet.

2. Do you know how many Sony certificates were leaked? 

So far dozens of PFX files have been leaked online. PFX files contain the needed private key and certificate. Such files are password protected, but those passwords can be guessed or cracked. Not all of these PFX files will be of immediate value to attackers.

3. What is the danger of a code-signing certificate from a major corporation leaking online?

The importance of leaked code-signing keys cannot be overestimated. Software signed by a trusted publishing house will generally be trusted by the operating system, security software and first responders. It's an extremely powerful way for attackers to stay below the radar.

Certificate revocation needs to be a top priority when responding to a major malware and breach incidents.

4. Do anti-malware products "trust" signed programs more those that are not signed?

Trust in files is based on their reputation and digital signatures play a big role in gauging reputation. But a digital signature by itself is not enough to create trust. We look at the reputation of the entities that issued and requested the certificate.

Kaspersky Lab products detect digitally signed files. Our products detected the signed Destover variant with the detection routine created for the first Destover variant.

IE, Schannel Bulletins Re-Released With Patch Tuesday Updates

Threatpost for B2B - Tue, 12/09/2014 - 14:16
Microsoft released seven security bulletins, three of them rated critical, as part of its December 2014 Patch Tuesday updates. It also re-released November updates for IE and SChannel

Yik Yak Patches Privacy Vulnerability in iOS App

Threatpost for B2B - Tue, 12/09/2014 - 14:13
Yik Yak, an application that allows users to share purportedly anonymous status updates with others near them, has fixed a critical privacy vulnerability in the iOS version of its app.

Adobe Patches Flash Player Vulnerability Under Attack

Threatpost for B2B - Tue, 12/09/2014 - 12:17
Adobe released security updates for Flash Player, Reader, Acrobat and ColdFusion. The Flash vulnerability is being exploited in the wild, Adobe said.

Linux Modules Connected to Turla APT Discovered

Threatpost for B2B - Tue, 12/09/2014 - 10:26
Researchers at Kaspersky Lab have found two Linux modules connected to the Turla APT campaigns.
Syndicate content