The Google Play store has been an Eden for hackers wanting to get malicious code onto Android devices. A number of things made the marketplace too tempting for attackers to resist, including the open source nature of the operating system, lax vetting of developers, and the ability to modify code in runtime by pushing app updates from outside the store.
Recently, Google took steps to remedy that situation with important policy changes that prohibit developers from sending users who download apps from Google Play to another site outside of the marketplace for updates. The policy change with the most security implications reads: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”
APKs are the Android application package file used by Google Play to download or update applications. Hackers have been able to successfully abuse them in a number of arenas, including targeted attacks against Tibetans who exchange app updates via APKs over email attachments because of limited access to the Internet.
“The changes are long overdue,” said Jon Oberheide, cofounder and CTO of Duo Security, a hosted two-factor authentication service for mobile devices. “We first pointed out the security risk of applications downloading new executable code at runtime back in 2009 with a proof of concept app that masqueraded as a Twilight Eclipse app and silently polled at a remote server for exploit payloads to pull down to root the device at an attacker’s whim.”
For the time being, these are paper changes on the part of Google, setting the stage for an automated mechanism down the line. That along with mandatory code-signing, which also makes traditional memory-corruption exploits difficult, would someday bring Google in line with Apple’s submission process.
Apple is much more of a walled garden when it comes to application development and code submission for the App Store. Users must present valid identification, be it a driver’s license or articles of incorporation for a business developers’ license. In Google Play, only a credit card is required to obtain a license. While both Apple and Google do some type of static code review, Apple requires all code be signed, unlike Google. All of these factors have surely cut into the effectiveness of Bouncer, Google’s application malware scanner.
“Eliminating the ability for an app to change its behavior based on external input or runtime environments (the more general problem beyond pulling down new executable code), is much more difficult,” Oberheide said. “Removing the ability to pull down executable code definitely raises the bar and is an additional step toward implementing mandatory code signing, similar to iOS. Even with mandatory code signing, as Apple openly admits, preventing an app from changing its behavior at runtime is near impossible from a theoretical point of view.
“Performing any sort of effective static or dynamic analysis along the lines of Bouncer is intractable if the application you’re analyzing will pull down its real code and exhibit malicious behaviors at some arbitrary point in the future beyond what Bouncer will catch.”
There is a newly identified ongoing attack campaign in which attackers are using compromised Apache HTTP binaries to redirect users to malicious sites serving various flavors of malware, including the Blackhole exploit kit. Rather than going the traditional route of simply injecting malicious code onto target Web sites, this attack crew is replacing the existing Apache binary with a compromised one that contains what security researchers say is a highly sophisticated backdoor.
The backdoor, which researchers are calling Linux/Cdorked, has a number of interesting attributes, but perhaps the most unusual bit is the fact that the backdoor doesn’t write any files to disk and instead uses shared memory as a means of maintaining its presence on the machine. The lack of information left on infected machines makes life difficult for researchers trying to analyze the attack, but what experts have come up with so far shows that there could be as many as several hundred infected servers at this point.
“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system,” Pierre-Marc Bureau of ESET, which has done analysis of the attack, said in a blog post.
“The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path is performed with a query string in a particular format, containing the hostname and port to connect. The client IP of the HTTP dialog is used as a key to decrypt the query string as a 4 byte XOR key.”
The Linux/Cdorked backdoor is interesting on several levels aside from its ability to leave little to no trace on compromised machines. One other odd aspect is the attackers’ decision to completely replace the Apache HTTP binary as part of the attack. This is a more complicated and risky attack scenario than what’s normally seen in code-injection/redirection attacks. Typically, attackers looking to push large numbers of victims to a site they control–such as a porn or gambling site or a malware depot–will look for sites vulnerable to a particular exploit, load their code onto those sites and then have it redirect victims to the target site. A halfway enterprising attacker would have no trouble finding dozens or hundreds of sites on which to bury his malicious redirect code.
But the attackers in this case took the more difficult route, opting to compromise the Web server itself and then fully replace the Apache binary. How they’re compromising the servers to begin with is also still a question. Researchers at Sucuri, who also analyzed the attacks, speculated that the attackers may be using brute-force attempts on SSH servers as an initial entry point. Once the attackers have the malicious binary on a target server, they appear to be using it selectively. The malicious redirects are only served to each IP address once a day, and the sites from which the binary loads the malicious code appear to be random URLs.
“Once the malware is loaded it will redirect the site to spammy sites (most often porn pages). At the sites we analyzed, they were being pushed to httx://amazingtubesites.org (seems offline now). In some cases we also saw the redirection going to the Blackhole Exploit kit,” Daniel Cid, CTO of Sucuri, wrote.
The backdoor has a list of almost two dozen commands that the attacker can use, and these are sent to the compromised server via an HTTP POST request, ESET’s Bureau said.
“The request must also contain a cookie header starting with “SECID=”. The query string value must hold 2 hex encoded bytes that are encrypted with the client IP, using the same technique as the shell. The SECID cookie data will be used as arguments to some of the commands. We believe that the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region. We also believe that the conditions for redirection are set this way, for example, a white list of user agents to redirect can be preconfigured and a black list of IPs to avoid redirection,” he wrote.
The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal.
That’s what makes a recent discovery from RSA Security’s FraudAction Research Lab all the more jarring. Expert Limor Kessem found this week that a new fraud service was being marketed over Facebook. The developer, an Indonesian-speaking person, was selling a customized botnet panel for the Zeus Trojan.
Kessem said the Facebook page was updated frequently with information about botnets, exploits and their version of Zeus.
“Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers—which they have no qualms about sharing publicly,” Kessem said.
While this particular criminal is an outlier, the use of social networks to market crimeware speaks to the commodity nature of some of the malware used for fraud. Zeus source code was leaked online in 2011, and since then many variants have popped up, each with varying degrees of functionality. While high-end underground forums are out of reach for many, others, such as this developer, might be trying to expand their reach with their own version of the banking malware, taking advantage of a market shift in which some of the more professional malware dealers have been laying low. Some, such as the keepers of the Citadel Trojan, have sworn off commercially selling their kit and will trade only with current and trusted customers.
“Underground forums are fairly well protected; these folks want to keep a low profile,” said George Tubin, senior security researcher at Trusteer. “But, you can imagine that maybe some want to branch out a little and get into a new market and attract folks who are not part of this secret underground as a way to reach out. Maybe they want to reach out to a new group of folks with no access to forums or don’t know how to get to them.”
In fact, commercial versions of Zeus, SpyEye and Ice IX aren’t for sale either, another trend that is pushing crimeware kits and service offerings toward more open channels online.
“This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena,” Kessem said. “Marketing cybercrime in such an open and accessible manner is not something common.”
Crimeware kits and fraud services have become increasingly specialized, Tubin said, and cheaper. Criminals not only sell malware, phishing kits and botnets ready for launch, but have added features such as phone flooding capabilities for denial-of-service attacks, as well as check-forging specialists who can create counterfeit personal checks from stolen online check images. Specialization has also come to malware and botnets, to the point where compromised computers making up a botnet can be sold or rented according to geography if an attacker wants to target a particular regional financial institution.
“It’s amazing how every piece can be bought directly or as a service,” Tubin said, adding that malware writers want to make these kits sellable, therefore, easy to use.
“There are a broad range of kits out there,” he said. “Malware writers want to make them as intuitive as possible in order to sell to a wide variety of folks, not just sophisticated programmers. That’s probably what is being sold on social networks and other outlets where they are reaching out to folks they have not before hoping these people just get sucked in once they realize how easy it is to do.”
Google, which gradually has been moving its users away from using passwords as their main form of authentication for Web services, has joined a young organization whose goal is to phase out passwords and replace them with various forms of strong authentication. The FIDO Alliance, formed last year, is working to make two-factor authentication the default mechanism for authentication through the establishment of an open standard for strong authentication.
Google has been working to make passwords obsolete for some time now. It has introduced two-factor authentication for its Gmail service, giving users the ability to enable an option that requires the use of a one-time code in addition to their normal password in order to sign in to their accounts. Other vendors, including Apple and Facebook, have followed suit. But none of those vendors have made two-factor authentication the default mode.
The FIDO Alliance is seeking to help make two-factor authentication a more mainstream thing through the development of an open standard for the use of various strong authentication technologies such as TPMs (trusted platform modules), hardware tokens and others.
“The formation of the FIDO Alliance addresses a longtime, critical need for technology providers and their users: stronger security that is easier to use,” said Phillip Dunkelberger, Nok Nok Labs CEO and founding FIDO Alliance member. “From day one, through our Unified Authentication Infrastructure, we are developing solutions that will deliver on the vision of the FIDO Alliance.”
Google’s involvement lends some major muscle to the effort. The company already has gone pretty far down the road toward developing strong authentication systems and has significant engineering and security resources to contribute to the project.
“Joining the FIDO Alliance is a great way to increase industry momentum around open standards for strong authentication,” said Sam Srinivas, Product Management Director for Information Security at Google and FIDO Alliance Board Member. “We look forward to continuing our current development work on strong, universal second-factor tokens as part of a new FIDO Alliance working group.”
The standard that FIDO is working on would support a range of technologies, including one-time passwords, near-field communications (NFC) and other alternatives. It’s not clear how soon the standard will be ready.
Another day, another smartphone lock screen bypass vulnerability.
This time a flaw in a popular messaging application for the Android mobile platform is to blame. Viber, which is similar to Skype in that it allows users to make free phone calls and send instant messages, is vulnerable to a flaw that could allow an attacker with physical access to an Android device full control of the phone, according to Bkav Corporation, a California security company.
Viber has been installed between 50 million and 100 million times, the company said on the Google Play store. The app is also available for iPhone, BlackBerry and Windows devices. Bkav did not say whether any of those devices are vulnerable as well.
The alert posted by Bkav said the vulnerability is present on Samsung, Sony, HTC, Google Nexus, and other devices that support Android.
“Through a few actions on Viber, new message popups, combining with some tricks like using [a] victim’s notification bar, sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user,” the alert said.
The exploit is relatively simple according to Bkav. There are several video examples of bypasses for different handsets, each relying on either a Viber instant message or missed call combined with the use of the Viber keyboard and back button to unlock the phone.
Bkav said it reported the vulnerability to Viber, which has yet to acknowledge it.
A similar vulnerability was discovered in Samsung devices running Android 4.1.2 by a U.K. researcher through the use of the emergency call button and emergency contact list buttons, which causes the home screen to appear briefly, allowing an outsider to access any app without having to authenticate via the Android pattern lock or PIN.
A little-known policy through which the Departments of Justice, Defense, and Homeland Security offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on the private networks of defense contractors has reportedly been expanded by Executive Order to include a score of other “critical infrastructure” industries, according to information obtained as part of a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center (EPIC).
EPIC writes that the pilot version of the program was brought to light in June 2011 after the Washington Post published a report detailing the implementation of a new program by the National Security Administration that let it monitor traffic flowing from some defense contractors through certain Internet service providers. At the time, the Washington Post quoted Deputy Defense Secretary William J. Lynn III saying that the program was designed to help thwart attacks against defense firms and that the government hoped to expand the program moving forward.
The documents obtained in the FOIA request, EPIC said, reveal that the DoD advised private industry organizations on the ways in which they circumvent federal wiretap laws in order to aid the DoD and DHS in their surveillance of private Internet networks belonging to defense contractors.
EPIC, digital rights group the Electronic Frontier Foundation, and others are concerned that this program is being expanded to apply to the broad swath of organizations that potentially fall under the increasingly vague category of “critical infrastructure.”
The government has not yet named the program, but EPIC claims that the NSA has partnered with AT&T, Verizon, and CenturyLink in order to keep tabs on the Internet traffic flowing into and out of some 15 defense contractors, including Lockheed Martin, CSC, SAIC, and Northrop Grumman.
For its part, the NSA has said that it is not directly monitoring these networks, but is rather filtering their traffic in order to detect the presence of suspicious packets based on a number of malicious code signatures that the agency has developed.
EPIC issued a FOIA request in July 2011 requesting the following information: “All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program; All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program; All analyses, legal memoranda, and related records regarding the new NSA pilot program; Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program; Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.”
The government failed to provide any of this information. So, EPIC filed a FOIA lawsuit on March 1, 2012 and was eventually granted access to thousands of pages of previously unreleased documents, which they have posted on their website.
Google has released a new Transparency Report, this time pointing out sharp increases in the number of government requests from Brazil and Russia it received to remove content from Google-branded websites.
This is the seventh time the Mountain View-based company has released the report that provides details on how many countries have appealed to the company to remove potentially controversial content over a specific span of time.
In total, Google received 2,285 government requests to remove 24,179 different types of content from July to December 2012, up from 1,811 requests and 18,070 pieces of content from January to June 2012.
Google’s Legal Director Susan Infantino broke down the numbers in a post on its blog Thursday. Complaints from Brazil are up, 697 in the second half of the year compared to 191 in the beginning of the year along with complaints from Russia, up 114 from six. Both of the increases stem from congressional shifts in those countries. Brazil held municipal elections last fall and half of that country’s requests called for the deletion of potentially defamatory candidate content. In Russia a new law was implemented that allows government authorities to blacklist and take down websites that contain content harmful to children. More than 100 of the requests from Russia pertained to that law.
Google has been releasing the reports every few months – already this year in January and March – in hopes of making it clear for users what governments are doing when it comes to censorship online. Google has made it clear that it’s receiving more and more requests to remove blog posts, especially those that contain politically tinged content, over time.
This version of the report is the first where Google has begun breaking down exactly when it blocked and unblocked certain videos on YouTube in particular countries.
As part of one request, Google responded to 20 countries that wanted a controversial movie deleted from YouTube. Google went on to restrict clips from Jordan, Malaysia and other nations and temporarily restricted views for the video in Egypt and Libya. The film, “Innocence of Muslims” has fostered a vicious fight over freedom of speech and censorship online since its release last summer. It has also been the motive for a string of denial-of-service attacks against a number of leading U.S. banks.
“While the videos were within our Community Guidelines, we restricted videos from view in several countries in accordance with local law after receiving formal legal complaints,” Infantino wrote.
The report is the third of its kind for Google this year and follows similar reports from Twitter in January and Microsoft in March regarding the disclosure of information requests via law enforcement. The reports are being seen as a welcome trend in the security industry; as Threatpost editor Dennis Fisher put it last month, “it’s time for these disclosures to become as commonplace as quarterly earnings reports.”
If three reports in four months from Google – even if each one breaks down roughly the same information – are any sign, it looks like a promising trend.
Adobe has named Brad Arkin to the newly created position of CSO, a major expansion of responsibilities for Arkin, who has been leading the company’s product security and privacy initiatives.
Adobe has been in the security spotlight for several years now, as attackers have focused their attention on the company’s portfolio of products that enjoy user counts in the billions. Flash and Reader have been frequent targets for attackers who are always on the lookout for vulnerabilities in widely deployed applications, which give them the best chance of compromising a high number of users. Exploits for Adobe products often pop up in commercial exploit kits such as Cool, Blackhole and others, and Flash and Reader zero days are highly prized in the hacking underground.
As the threats to Adobe’s products have escalated, so too have the company’s efforts to combat them. Arkin joined the company in 2008, just as Adobe was emerging as a key target. Before that, attackers had mainly focused on Microsoft, Oracle and browsers, but the ubiquity of Adobe’s products drew their attention. Arkin began addressing the problem from the bottom up, implementing a software security program designed to help developers write more secure code and eliminate vulnerabilities before products ship. The company joined the BSIMM program to help measure the effectiveness of its security development lifecycle and also began implementing countermeasures in its products to help prevent exploitation of vulnerabilities.
One of the key changes Arkin’s team made was the implementation of a sandbox for both Flash and Reader. The sandbox helps prevent an attacker from using a bug in a protected application to break out and gain control of the underlying operating system. With Flash running on more than a billion machines, that protection gives users of modern versions good protection.
In his new role, Arkin will continue to run the company’s ASSET security research team and the PSIRT product response team, but also will have responsibility for Adobe’s worldwide infrastructure security.
“In my new role, I have the opportunity to lead Engineering Infrastructure Security, a team that builds and maintains security-critical internal services relied on by our product and engineering teams, such as code signing and build environments. I will also continue to manage and foster two-way communication with the broader security community, a vital part of the central security function,” Arkin wrote in a blog post.
“The driving goal behind our security work is to protect our customers from those who would seek to harm them. Adobe has some of the most widely-deployed software in the world and we are keenly aware that this makes us a target.”
It’s not quite the development freeze Microsoft underwent during the Trustworthy Computing push, but it’s a start for Oracle, which will delay the release of Java 8 until Q1 of next year, largely because the platform and browser plug-in is such a security disaster.
This year has done nothing but reinforce that notion. Start where you will, with any number of zero-days, watering hole attacks, or a pair of takedowns at Pwn2Own, Java has taken a beating from hackers in 2013 and apparently enough is enough.
Mark Reinhold, chief architect of the Java Platform Group, took to his personal blog last week to announce that the next version won’t make its scheduled September GA date.
“Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8,” Reinhold said. “Looking ahead, Oracle is committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features. This work will require more engineer hours than we can free up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage.”
In other words, see ya next year Java 8. Not that many people would miss it.
For months, you’ve had experts from a number of security, development and IT organizations tell you flat out: “Disable Java.” And for the average Web user, that’s a feasible strategy. Disabling the plug-in won’t impede the average browsing experience. Website functionality won’t be impaired and you’ve lessened your exposure to exploits targeting the technology. It’s on the business end where disabling Java becomes a sticky proposition. Any number of home-spun applications rely on Java, as do some pretty well-deployed commercial mobile banking, e-government and enterprise services applications. Disabling Java means real costs to those organizations and an impact on availability of services.
So that puts the onus on Oracle to right its ship in a hurry. Larry Ellison has yet to issue a landmark Gates-esque memo, but maybe he should. Rather than Unbreakable, maybe Ellison should formally put the capital-B Broken label on Java. The industry would surely say “No, duh, Larry,” but it’s a start—admitting you have a problem is generally considered the first step on the road to recovery.
Java is everywhere, making it an attractive target for hackers. Exploits targeting previously unreported vulnerabilities have been folded into a number of popular commercial malware kits. You can also find free attack code on Pastebin and a number of other online sources. It pays to attack Java; just ask the Tibetans, the defense industrial base, mobile developers at Twitter, Apple, Microsoft and Facebook, and anyone hosting a website that’s been popped by a Java exploit since Christmas.
It’s a mess.
Not that Oracle hasn’t tried. A slew of security enhancements have been added to Java in recent months around code signing and new prompts warning users that a Java applet could be unsafe. The warnings have shields, are color-coded and there’s bold red text hammering the message home. Neat. Problem is that, much like Microsoft back in the day, by taking this approach Oracle tries to turn the user into a security admin. Users don’t want to be admins. They want their apps. They will click Yes, Run, Save, Execute—whatever it takes to get their apps or funny cat video. And hackers know this. And they’ll trick users into clicking on a harmful applet by spoofing Oracle’s dialog box and security warnings, twisting and turning them in their favor.
Locking down Java 8 is a start. Oracle is putting some key features on hold with this decision and has given itself a yearlong cushion to get its security house in order. For years security experts have been asking Oracle when its Trustworthy Computing moment will come and maybe this is the start. As Reinhold confirmed, security will be a priority going forward.
“If we sacrifice quality in order to maintain the schedule,” he wrote, “then we’ll almost certainly repeat the well-worn mistakes of the past, carving incomplete language changes and API designs into virtual stone where millions of developers will have to work around their flaws for years to come until those features—or the entire platform—are replaced by something new.”
Twitter is facing increased pressure to beef up authentication for users after the hijacking of another high-profile account yesterday caused some temporary tremors on the stock market.
The social network has reportedly been testing two-factor authentication internally; Twitter lags behind Google, Facebook, Microsoft and Apple in implementing a two-factor authentication system. Wired claimed in a report published last night that the micro-blogging giant has developed a two-step login feature. A source told Wired that Twitter plans on incrementally rolling the authentication feature out to its users as soon as internal testing wraps up.
This comes on the heels of a series of false tweets from a hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in a series of explosions near the White House. AP reporter Mike Baker tweeted that the hijacking came less than an hour after some at the AP received an “impressively disguised phishing email.” The false report caused a temporary plunge of 143 points on the Dow Jones Industrial Average.
White House press secretary Jay Carney almost immediately dispelled any concerns by announcing in a press briefing that he had just been with President Obama and that the president was perfectly fine. Once it was clear that the tweet was a fraud, Twitter and the AP quickly suspended this and other AP accounts, and, just as rapidly as it fell, the Dow Jones returned to previous levels.
The Associated Press would later confirm the compromise, saying the Syrian Electronic Army, a pro-Bashar al-Assad regime hacker group, had claimed responsibility for a hack that was preceded by a phishing attack campaign on AP networks. Contrary to what has been widely reported, the AP did not say with any degree of certainty that this account takeover resulted from the earlier phishing campaign.
Two-factor authentication systems require users to authenticate themselves with one mechanism, usually a password, before asking them to authenticate with a second, usually a numeric code sent via SMS to a mobile device. There are variations on how two-factor systems work. Some of the better ones include a physical token or even a biometric identifier as one of the factors. The reality though is that even a rudimentary SMS-based second factor of authentication, like those used by Google and Facebook, would have made it much more difficult for any attacker to hijack AP’s Twitter account (if the AP had the feature turned on).
The Syrian Electronic Army has carved itself a niche with its Twitter takeovers. The pro-Syria group claimed responsibility for attacks in which it wrested control of National Public Radio accounts last week and a British Broadcasting Corp. account last month, according to a New York Times report.
To its credit though, the hacker collective hasn’t limited itself to hijacking Twitter accounts and publishing alarming but ultimately untrue tweets. In September 2011, the SEA allegedly hacked into and defaced a Harvard University site in an apparent, but unclear, attempt to promote the embattled Assad regime. The hacktivist group has reportedly taken credit for similar attacks targeting the Twitter accounts of Al-Jazeera English, Reuters, and CBS and may have also targeted the Qatar Foundation, FIFA, Human Rights Watch, and Columbia University.
Twitter account takeovers happen all the time, but usually involve low-skilled hackers guessing bad passwords or using automated tools to break weak ones – as opposed to the sort of sustained phishing campaign that numerous sources have suggested enabled the AP hijack. It is probably safe to say that a Twitter account takeover has never caused the amount of grief that yesterday’s did. Fox News suffered a similar breach last summer when hackers took over its politics-specific Twitter account and announced that the President had been assassinated while campaigning in Iowa. The Fox News incident grabbed headlines, but its impact paled in comparison to the almost identical mishap that plagued the more prestigious AP yesterday.
“This latest attack shows just how devastating the impact of hacktivist groups can be as the fake news which was spread from AP’s compromised Twitter account was enough to cause panic on Wall Street for a few moments, making the Dow Jones index plummet by more than 150 points,” said a Kaspersky Lab spokesperson.
A pair of popular WordPress plugins used to help sites cache content have fixed serious vulnerabilities that attackers could exploit simply by including special HTML code in a comment. Both WP Super Cache and W3 Total Cache contained a vulnerability that allowed for PHP code injection through a simple attack vector, but both plugins have now been updated to address the vulnerability.
The vulnerability was in the way that the plugins handled dynamic snippets included in the comments on sites with one of the plugins enabled. An attacker who found a vulnerable site would be able to execute arbitrary code on the backend server. The developers of both plugins have patched the vulnerability and so details of the bug have now become public.
“As a result, blogs with WP Super Cache (before version 1.3) and W3 Total Cache (before version 0.9.2.9) were at risk of PHP code injection. Blog comments could contain dynamic snippets (in HTML comments) and WordPress core did not filter them out. Upon such a malicious comment having been submitted, a new cached version of the page was created that included the injected PHP code. Upon the first request of the cached page, that code was successfully executed,” Frank Goossens, a Belgian blogger, wrote in a description of the problem.
First word of the vulnerability appeared in a WordPress user forum about a month ago, and the original poster included detailed code that demonstrated the vulnerability. Last week, Donncha O Caoimh, the author of WP Super Cache, said that he was releasing a new version of his plugin and would add a feature in a future version to disable a function that was one of the causes of the vulnerability.
“I’ve just released a new version of WP Super Cache that removes the html comments from user comments. I’ll publish a post about it in a few days’ time after most people have hopefully upgraded their sites. In the next release (1.4) I’m going to disable mfunc and associated functions by default because I suspect most users don’t even use them. Admins will have to enable them on the settings page,” O Caoimh wrote.
The hugely popular WordPress publishing platform is used by a wide variety of users, including professional publishers and individual writers. There are hundreds of plugins available for the platform that perform all kinds of tasks, from preventing spam comments to enabling the site to run on mobile platforms, and attackers often target vulnerabilities in those plugins, as they know that users may not update them as often as they should. Just as browser extensions and plugins such as Flash and Java have become favorites of attackers, so too have the WordPress plugins.
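The two defender-side checks that follow from the bug described above, as an added example that is not code from WP Super Cache, W3 Total Cache or WordPress core: strip HTML comments (the carrier for mfunc dynamic-snippet markers) from user-submitted comment text before it is stored, and audit the on-disk page cache for files that already contain PHP tags. The cache path is an assumption for the demo; `pre_comment_content` is a real WordPress filter, and the sample comment is constructed.

```php
<?php
// Added example, not plugin or WordPress core code.
// 1. Input side: remove HTML comments from a blog comment before storage.
// 2. Cache side: find cached pages that carry a PHP open tag, which a
//    static HTML cache should never contain.

function strip_html_comments( $content ) {
    // Non-greedy match; /s lets a comment span lines. An unterminated
    // "<!--" is removed through end of string so it cannot be closed by
    // markup that follows it in the rendered page.
    $clean = preg_replace( '/<!--.*?(?:-->|\z)/s', '', $content );
    return $clean === null ? '' : $clean;
}

if ( function_exists( 'add_filter' ) ) {
    // Runs before the comment text is written to the database.
    add_filter( 'pre_comment_content', 'strip_html_comments' );
}

/**
 * Return the cached files under $cache_dir that contain a PHP open tag.
 * A hit is a sign that a snippet was injected before the plugins were updated.
 */
function find_php_in_cache( $cache_dir ) {
    $hits = array();
    if ( ! is_dir( $cache_dir ) ) {
        return $hits;
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $cache_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $body = file_get_contents( $file->getPathname() );
        if ( $body !== false && preg_match( '/<\?(?:php|=)/i', $body ) ) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed sample comment carrying a dynamic-snippet marker.
$sample = "Nice post!<!--mfunc echo 1; --><!--/mfunc--> Thanks.";
var_dump( strip_html_comments( $sample ) );

// Audit a cache directory; the path is an assumption for this demo.
print_r( find_php_in_cache( '/var/www/html/wp-content/cache/supercache' ) );
```

The audit function is read-only; any file it reports should be deleted from the cache and regenerated only after the plugins are updated.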
Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again.
Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS.
Serial port servers, also known as terminal servers, provide control system or IT administrators with remote access to non-networked equipment, enable tracking of physically mobile systems, or out-of-band communication to network and power equipment in case of outages. Not only do they provide serial port connections to devices, but many are wireless-enabled.
“The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn’t require any authentication to talk to the serial port which is part of the device,” Moore told Threatpost. “At the end of the day, it became a backdoor to huge separate systems that shouldn’t be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn’t configured for the serial port.”
Attackers who are able to gain access to the serial port are golden because once they’re on the server, the device assumes they are physically present and doesn’t require an additional log-in, Moore said. Making matters worse, he added, automatic log-offs are not enabled.
“So an administrator who logged into a device like an industrial control system, an attacker can follow behind them and take over an authenticated session to a serial port,” Moore said. “There are a huge number of devices out there that are exposing an interactive administrative or command shell without any authentication because an administrator had previously authenticated and left the session open.”
An attacker with essentially undetectable access is able to capture or manipulate data moving through the serial port. Moore said it would be possible to add a signature rule to the device so that, for example, any time the word “password” appears, that UDP packet and the entire serial session are mailed to a third party.
“If you’re looking to steal data, you could write a rule where it emails you the data you care about as it floats across the serial port,” he said, adding that attackers could mess with anything from HVAC, to oil pipelines, traffic signal or even corporate VPN connections, essentially opening a backdoor into a company’s networked resources.
Access to a remote serial port happens via a log-in over telnet, SSH or a Web interface, Moore said, or by connecting to a specific TCP port that acts as a proxy for the serial port. The telnet, SSH and Web interfaces require authentication; the proxied TCP port often does not, because the devices are configured under the assumption that anyone who reaches it is physically connected to the serial port. Moore said he found more than 13,000 root shells, system consoles and admin interfaces that did not require authentication or were pre-authenticated. However, Moore said he was unaware of any attacks.
“Seeing how much stuff that’s out there, it’s kind of surprising no one has,” Moore said. “You don’t need to know anything about serial ports to start exploiting this stuff. If you scan, you start seeing random authenticated router shells popping up. For an attacker, they don’t have to know that’s a serial port, they’ll just say ‘hey cool, a shell.’”
As for remediation, Moore said he is trying to bring awareness to the issue now and is encouraging companies to use only encrypted management services, require authentication for serial ports, enable activity timeouts for serial consoles and follow other best practices.
Photo courtesy HD Moore.
Microsoft has released a new version of the MS13-036 patch that was causing some customers’ machines to crash. The company had recommended in the days after the original fix was first released that customers uninstall the MS13-036 patch while Microsoft investigated the cause of the problems.
The new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn’t specify which software was causing the crashes, but said that the update should resolve the problems.
“We’ve determined that the update, when paired with certain third-party software, can cause system errors,” said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.
The MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.
Childs said in a blog post Tuesday that customers should install the revised update as soon as possible.
“As we previously discussed, we stopped distributing this update when we learned some customers were having issues. The new update, KB2840149, still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won’t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience,” he said.
It’s a familiar refrain: Attackers often have months of unfettered access to corporate networks; and security and network managers remain in the dark until they’re notified of serious breaches by third parties.
Enterprises, regardless of industry, dread that fateful knock on the door by the FBI, card brands or fraud detection services informing them that an external group has been moving data off their network for months. Yet it’s happening with greater frequency and with devastating consequences in some cases, according to the 2013 Verizon Data Breach Investigations Report (DBIR).
This year’s version of the DBIR has quantified not only financially motivated attacks, but also those carried out by state-sponsored attackers targeting intellectual property or military secrets. The numbers in the report paint a representative picture of the state of affairs for companies that value IP, such as those in manufacturing and telecommunications, and the numbers aren’t pretty. Sixty-six percent of breaches remain undiscovered for months or longer, up from 55 percent in 2011 and 41 percent in 2010.
Targeted attacks and attacks motivated by espionage represent 21 percent of the 621 breaches investigated by Verizon’s RISK Team and those attacks account for the inflated numbers representing the time from initial compromise to discovery, Verizon said.
“That pits the virtually unlimited resources of a nation against the very finite resources of a single company. Nobody can reasonably be expected to withstand that,” the DBIR says, adding that while prevention remains an important part of any security strategy, more investment must be made in detection and response to breaches that result in data loss.
This year’s report paints a gruesome picture, one where most companies are compromised and lose data in a matter of hours. Financially motivated attacks that rely on relatively simple SQL injection attacks or compromises of remotely accessible point-of-sale systems guarded by weak or default credentials beef up those numbers substantially. Attackers are able to break those systems in a matter of seconds or minutes. And initial compromises in financially motivated attacks are not difficult, according to the DBIR data. In such attacks, 78 percent were considered low or very low difficulty, while in espionage-related attacks, the degree of difficulty climbs to 22 percent overall and 26 percent in attacks against large organizations.
The time from compromise to data exfiltration is longer only because espionage attackers require more time to pivot between network resources, and to find and exploit vulnerable systems, before they’re able to move data to a command and control server. From the data, 84 percent of compromises are achieved within hours, and in 69 percent of breaches, data is moving off the network within hours.
Unfortunately for the victims, only 9 percent of breaches are discovered within hours. It’s taking months to years for most network intrusions to be discovered; 62 percent of breaches are found within months, 4 percent in years.
“Let’s stop treating [detection and response] like a backup plan if things go wrong,” the DBIR says, “and start making it a core part of the plan.”
Once discovered, most breaches are contained within days or weeks (76 percent), leaving a quarter to be contained within months or longer.
There is some tempered good news: 70 percent of breaches were discovered by third parties, down from 92 percent last year, though that figure still shows detection capabilities lacking within IT organizations. Another win is that external notification by organizations with no business relationship to the victim, such as ISPs and industry watchdog groups, climbed to 34 percent of breaches in cases of espionage. Fraud detection services and customer and law enforcement notification lead the way for financially motivated attacks.
In an attempt to better evade detection, cybercriminals are increasingly configuring their command and control infrastructure in such a way that initial malware callbacks communicate with a server located in the same country as the newly infected machines.
This emerging trend is among the vast and varied findings of a FireEye report, “The Advanced Cyber Attack Landscape,” made public this morning. FireEye gathered the data in the report in an analysis of some 12 million messages communicated between various malware targeting enterprises and their command and control servers.
The creation and proliferation of malware is more global than ever, with C&C servers living in 184 countries. That’s a substantial 42 percent increase from 2010, when only 130 nations played host to C&C servers.
While the breadth and quantity of such servers is changing dramatically, much remains the same: parts of South and Eastern Asia and areas near Eastern Europe are still the international cybercrime hotspots. China, South Korea, India, Japan, and Hong Kong are believed to be responsible for 24 percent of cyberattacks, while Russia, Romania, Poland, Ukraine, Kazakhstan, and Latvia accounted for 22 percent. The caveat to FireEye’s claim that these regions are driving the majority of advanced attacks is that their analysis showed that 44 percent of C&C servers are actually located in North America. This, FireEye believes, is a statistical anomaly reflecting the new reality that attackers are evading detection more and more by distributing the C&C servers in close proximity to their targets.
In fact, North America’s 44 percent share of these servers and its more drastic 66 percent share of C&C servers responsible for advanced persistent threat-style attack campaigns is an indicator of something that has not changed according to FireEye: relatively speaking, the U.S. corporate landscape, particularly its wealth of high technology firms, is densely packed with valuable intellectual property, and therefore attackers continue targeting companies based there. However, forensic analysis of the tools used in these attacks and the communication tactics of the C&C infrastructure supporting them revealed that the vast majority of attacks – and as many as 89 percent of APT tools, most of them related to Gh0stRAT – originated in China where they were developed by Chinese hacker groups.
Another evolution is a move toward the use of social sites like Facebook and Twitter to communicate with infected machines. This tactic and another whereby attackers embed stolen content in commonly used JPG files are deployed by attackers in an attempt to make malicious traffic seem benign.
Other interesting findings highlighted by FireEye are that South Korean businesses, mostly because of that country’s incredibly developed Internet infrastructure, are witnessing the highest level of callbacks per organization. Their findings also suggest that Japan’s density of intellectual property may rival that of the U.S., considering that 87 percent of callbacks originate and stay in that country. Lastly, high exit-rate detection in both the U.K. and Canada suggests to FireEye that attackers are generally unconcerned about being detected in those countries.
Optimism and praise followed last week’s Java critical patch update. Oracle not only patched 42 vulnerabilities in the Java browser plug-in, but also added new code-signing restrictions and new prompts warning users when applets are potentially malicious. It took less than a week, however, to deflate any good will toward Java that resulted.
Noted Java bug hunter Adam Gowdiak, founder and CEO of Security Explorations of Poland, said this week that he reported to Oracle a new Reflection API vulnerability that affects all Java versions, including 7u21 released last Tuesday.
“It can be used to achieve a complete Java security sandbox bypass on a target system,” Gowdiak wrote on the Full Disclosure mailing list on Monday. “Successful exploitation in a Web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).”
Attackers can exploit this vulnerability to achieve a complete Java security sandbox escape, Gowdiak said, adding that he also sent proof-of-concept code to Oracle demonstrating an exploit. Gowdiak, who first reported vulnerabilities in the Reflection API a year ago, also said that this vulnerability is present in the server versions of the Java Runtime Environment, as well as in the JRE Plugin and JDK software.
“It’s been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API-based vulnerabilities,” Gowdiak said. “It looks like Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the ‘allowed’ class space. If so, no surprise [this issue] was overlooked.”
Gowdiak identified four Java components and APIs that are at risk of exploitation: Sun Microsystems’ implementation of the XSLT interpreter; Long Term Persistence of JavaBeans Components; RMI and LDAP (RFC 2713); and many SQL implementations.
“These are the APIs and Java components that could be potentially used as execution vectors for untrusted Java code in other than web browser environments,” he told Threatpost via email. “In other words, they have the potential to be abused for the exploitation of Java SE flaws.”
Last week’s Oracle patch update repaired many issues plaguing the platform. Of the 42 vulnerabilities patched in the update, all but three were remotely exploitable. A number of Java zero-day vulnerabilities and exploits have been the center of watering hole attacks and other high-profile website hacks.
The update also now requires that any applet executed in the browser be signed with a trusted certificate, and all code now prompts the user for approval. The level of user interaction required depends on the potential risk involved, Oracle said. Oracle has color-coded its user prompts: blue for apps signed by a trusted certificate, and yellow indicating an untrusted or expired certificate. Red text accompanies high-risk warnings that an applet could be a security risk.
“We are not sure if these warnings will help the platform,” Gowdiak said. “Java was supposed to provide a safe execution environment for untrusted, potentially harmful code. A dialog prompt warning a user about a security risk prior to the execution of an untrusted application basically denounces one of the main advantages of the platform: its security.”
Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java.
“The platform will not deny the execution of Java applications, however in high-risk scenarios the user is provided an opportunity to abort execution if they choose,” Oracle said in its advisory last week. “Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications.”
Dennis Fisher talks with Chris Hoff of Juniper Networks about his childhood scaring sheep on a farm in New Zealand, his early days hacking on the first wave of personal computers, his misadventures in a college computer lab and how he ended up as an itinerant security guy.
Image via Flickr user Myrcurial’s photostream, Creative Commons