Feed aggregator

Four Vulnerabilities Patched in IntegraXor SCADA Server

Threatpost for B2B - Fri, 09/12/2014 - 13:22
Four different remotely exploitable vulnerabilities were recently discovered and patched in a popular SCADA server.

Hacked Brazilian Newspaper Site Targets Router DNS Settings

Threatpost for B2B - Fri, 09/12/2014 - 11:30
A Brazilian political website has been compromised and is injecting iFrames that attempt to change the victim's router DNS settings.

Documents in Long-Running Yahoo FISC Challenge Case Published

Threatpost for B2B - Fri, 09/12/2014 - 10:41
During a long-running secret dispute between Yahoo and government officials over the constitutionality of orders from the federal government to turn over data belonging to Yahoo users, the company was facing fines of $250,000 for refusing to comply with the order. The revelation is contained in a cache of 1,500 pages of documents declassified by the […]

Dropbox Reports 80 Percent of Subpoenas Contain Gag Request

Threatpost for B2B - Fri, 09/12/2014 - 09:52
Dropbox revealed in its latest Transparency Report that 80 percent of the subpoenas it receives are accompanied by a request not to inform users their data is being requested.

Chinese Hacking Groups Team Up Against Government, Military Systems

Threatpost for B2B - Thu, 09/11/2014 - 15:23
Two Chinese cyber espionage campaigns are working in tandem in hopes of sniffing out trade secrets from surrounding nations.

US-CERT Warns of Vulnerability in Cisco Baseboard Controller

Threatpost for B2B - Thu, 09/11/2014 - 15:21
US-CERT published an advisory warning of a denial-of-service vulnerability in Cisco's Integrated Management Controller; Cisco has already released an update patching the flaw.

Congress Urged to Update ECPA with Email Privacy Protection

Threatpost for B2B - Thu, 09/11/2014 - 13:24
A coalition of groups covering a wide swath of interests and political affiliations is banding together to call on Congress to address email privacy law.

Users in Dark about Permissions Granted to Mobile Apps

Threatpost for B2B - Thu, 09/11/2014 - 13:03
A report from the UK's ICO says that permissions given to mobile apps often far exceed what's necessary, and that privacy policies are hardly apparent to users downloading apps.

Key Flaw Enables Recovery of Files Encrypted by TorrentLocker

Threatpost for B2B - Thu, 09/11/2014 - 11:03
Crypto ransomware, a relatively unknown phenomenon a couple of years ago, has exploded into one of the nastier malware problems for Internet users. Variants such as CryptoLocker and CryptoWall have been siphoning money from victims for some time, and now researchers have dissected a newer variant known as TorrentLocker and found that the creators made […]

Thefts in Remote Banking Systems: Incident Investigations

Secure List feed for B2B - Thu, 09/11/2014 - 07:00

More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business.

In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system.

Description of the Incident

An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization's accounting department and asked for confirmation of a payment worth 3 million rubles (about US$80,000). It transpired that nobody in the organization had ever heard of this payment. The accountant was certain that he did not make that payment; he explained that he was out on his lunch break at the time of the transaction.

The accountant used banking software on his workstation to prepare payment orders and send them to the bank. The logs on this software recorded two suspicious payments to the same address. The first was a relatively small payment of 300,000 rubles. This did not sound any alarm bells, and was processed without a query. The second payment, worth 3 million rubles, alerted the staff at the company's bank.

It was clear that the accountant had not made the payments himself, so the organization suspected a malware attack. But how was that possible? They were using specialized banking software with password protection. They required a special file to access the remote banking system, and the bank itself would check the IP address of the sender of any payment.

Investigation

The main goal of a malware incident investigation is to accurately assess the consequences of the attack, identify every compromised computer and establish exactly how the malware penetrated the victim computer(s). The organization affected can then use this information to effectively mitigate the damage and address weaknesses in its corporate security system to prevent such incidents from happening in the future.

During the investigation, it is also sometimes possible to detect hitherto-unknown malware species and add their signatures to the security databases, protecting other users from their future impact.

In this case an image of the hard disk from the accountant's desktop was provided to Kaspersky Lab's Global Emergency Response Team (GERT) for analysis and investigation.

Remote Access to Desktop

During our first-pass analysis of the accountant's hard drive, we identified a modified version of the legitimate Remote Manipulator System, which enables remote access to the computer. This type of software is often used by accountants and system administrators. However, this program was located in a suspicious directory and had a suspicious name ('C:\windows\dotcom\wmiterm.exe' is an overly "system-related" path, so even an advanced user is unlikely to smell a rat), and it had two modifications to conceal its operation:

  • The icon in the Windows Task Bar was hidden,
  • The Registry key where the program stores its configuration was modified: 'HKLM\SYSTEM\Remote Manipulator System\v4' was changed to 'HKLM\SYSTEM\System\System\Remote\ Windows', which again looks very similar to the system registry key.

These modifications are typical of malware, so we added signatures for this program to Kaspersky Lab's antivirus databases – it is detected as malicious with the verdict 'Backdoor.Win32.RMS'.
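The two concealment tricks described above (a "system-looking" path outside the real system folders, and a configuration key relocated to a lookalike of a system registry key) are things a defender can hunt for in a host inventory. The following script is an added example and is not Kaspersky's tooling: the file path, the relocated key and the root-level Svchost.exe later in the article are the indicators it carries, the inventory it scans is constructed, and the allowlists of expected Windows subfolders and system-binary names are assumptions to be tuned for a real estate. The whitespace check generalises the article's '\ Windows' component to any key component padded with spaces.

```python
"""Hunt for 'system-looking' persistence artifacts of the kind described above.

Added example, not Kaspersky's tooling. The path C:\\windows\\dotcom\\wmiterm.exe,
the relocated registry key and the root-level Svchost.exe come from the article;
the inventory scanned below is constructed, and the allowlists are assumptions.
"""
import re
from dataclasses import dataclass

# Indicators named in the write-up (compared case-insensitively).
KNOWN_BAD_PATHS = {r"c:\windows\dotcom\wmiterm.exe"}
KNOWN_BAD_KEYS = {r"hklm\system\system\system\remote\ windows"}

# Assumption: executables are expected directly under these C:\Windows subfolders
# (the folder name is the first path component after C:\Windows).
EXPECTED_WINDOWS_DIRS = {"system32", "syswow64", "winsxs", "servicing", "microsoft.net"}

# Assumption: binaries with these names belong only in the two system directories;
# a copy anywhere else (such as the root of the disk) is masquerading.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_BINARY_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Finding:
    artifact: str
    reason: str


def _norm(s: str) -> str:
    return s.strip().lower().replace("/", "\\")


def check_file(path: str):
    """Return a Finding for a suspicious executable path, or None."""
    p = _norm(path)
    if p in KNOWN_BAD_PATHS:
        return Finding(path, "matches known Backdoor.Win32.RMS path")
    directory, _, name = p.rpartition("\\")
    if name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_BINARY_DIRS:
        return Finding(path, f"system binary name '{name}' outside the system directories")
    m = re.match(r"c:\\windows\\([^\\]+)\\.+\.exe$", p)
    if m and m.group(1) not in EXPECTED_WINDOWS_DIRS:
        return Finding(path, f"executable in unexpected Windows subfolder '{m.group(1)}'")
    return None


def check_registry_key(key: str):
    """Return a Finding for a registry key that imitates a system key, or None."""
    k = _norm(key)
    if k in KNOWN_BAD_KEYS:
        return Finding(key, "matches relocated Remote Manipulator System configuration key")
    # Generalisation of the article's '\ Windows' component: a key component padded
    # with whitespace looks like a system key but is not one.
    if any(c != c.strip() for c in key.split("\\")):
        return Finding(key, "key component padded with whitespace to imitate a system key")
    return None


def hunt(files, keys):
    """Run both checks over an inventory and return every Finding."""
    findings = [f for f in map(check_file, files) if f]
    findings += [f for f in map(check_registry_key, keys) if f]
    return findings


# Constructed inventory for the example (not data from the investigation).
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",                     # legitimate
    r"C:\Windows\dotcom\wmiterm.exe",                       # indicator from the article
    r"C:\Svchost.exe",                                      # root-level keylogger from the article
    r"C:\Windows\Tasks\updater.exe",                        # hypothetical: exe in an odd subfolder
    r"C:\Program Files\Remote Manipulator System\rms.exe",  # hypothetical normal install
]
SAMPLE_KEYS = [
    r"HKLM\SYSTEM\Remote Manipulator System\v4",   # unmodified RMS key (from the article)
    r"HKLM\SYSTEM\System\System\Remote\ Windows",  # relocated key (from the article)
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SOFTWARE\Microsoft \Windows",           # hypothetical padded lookalike
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FILES, SAMPLE_KEYS):
        print(f"{f.artifact}: {f.reason}")
```

Run against the constructed inventory it reports five findings and stays silent on the real System32 svchost.exe and the vendor's own registry key; in practice the file and key lists would come from an autoruns or disk-image export of the suspect host.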

While analyzing the operation of Backdoor.Win32.RMS, we discovered that the cybercriminals used it to download another malware program onto the victim computer, 'Backdoor.Win32.Agent'. (This detection was added to Kaspersky Lab products immediately). That backdoor provided remote VNC (Virtual Network Computing) access to the victim computer. Interestingly, the code of this malware program has a lot in common with the 'hVNC' module of the Carberp Trojan. Carberp's source code is available for public access.

So, how did Backdoor.Win32.RMS sneak onto the accountant's desktop?

Infecting a Corporate Desktop

In the Microsoft Outlook database, stored in the file 'outlook.pst' on the hard drive, we found an email containing an attachment named "запрос ИФНС № АС-4-31339.doc" ('Federal Tax Service request no. AC-4-31339.doc'). Kaspersky Lab Anti-Virus detected that Microsoft Office document as malicious with the verdict 'Exploit.MSWord.CVE-2012-0158.'

The cybercriminals used social engineering methods: the email was sent in the name of Russia's Federal Tax Service, called for immediate action, and provided contact details of real Tax Service officers.

"Federal Taxation Service. Please provide all required documents as soon as possible."

The accountant would certainly have opened the attachment, which exploited a vulnerability in Microsoft Word to download a self-unpacking archive from a remote server and then initialize the unpacking. The archive contained two files: 'SYST.EXE', a renamed version of the file archiver '7zip', and 'SYST'.

While unpacking, the source archive launched the archiver 'SYST.EXE' with parameters instructing it to unpack the password-protected archive 'SYST' using the embedded password. This trick of using a password-protected archive defeats security software's attempts at static unpacking of the file, impeding its detection.

Unpacking 'SYST' created the following: the 'Backdoor.Win32.RMS' file (which we detected earlier) and the 'INST.CMD' script which installed the backdoor in the system. This is the script that copied the malicious program's files into the folder 'C:\windows\dotcom'.

After we detected the backdoors, we began to understand how the cybercriminals could steal the money. If they had remote access to the computer, they could have made their own payment order, and then the key file and the sender's IP address would be legitimate. But we still didn't know how the criminals got the password to access the banking software. We decided to look for a keylogger program.

The keylogger

The file 'Svchost.exe', located in the root of the system disk, attracted our attention. It turned out to be a keylogger (detection added with the verdict 'Trojan-Spy.Win32.Delf'); it also contained functionality to manage the configuration of Backdoor.Win32.RMS. This unusual capability was apparently introduced by the cybercriminals because they needed a tool to control the modified Remote Manipulator System: they had hidden that program's entire user interface and could use the keylogger to manage its configuration.

We also discovered that this keylogger was downloaded with the help of Backdoor.Win32.RMS.

The keylogger sent a log containing all stolen information to the C&C at regular intervals and kept an up-to-date copy of the log on the infected computer's hard drive. We found the banking password within the piles of information stolen by the keylogger.

The battle plan

Following our research, we reconstructed the cybercriminals' action plan:

  1. The cybercriminals launched a targeted attack using social engineering and a Microsoft Word vulnerability to infect the accountant's computer with Backdoor.Win32.RMS.
  2. With the help of that backdoor, the cybercriminals loaded two more malicious programs onto the victim computer: a keylogger (Trojan-Spy.Win32.Delf) and another backdoor (Backdoor.Win32.Agent) which establishes remote VNC access to the victim computer.
  3. The keylogger intercepted the password to the remote banking account.
  4. While the accountant was away from his computer, the cybercriminals used Backdoor.Win32.Agent and the VNC access to the computer to start the banking software on behalf of the accountant.
  5. The cybercriminals used the password intercepted by the keylogger to create a payment order worth 300,000 rubles and send it to the bank.
  6. A bit later, they created another payment order, this time worth 3 million rubles, and sent it to the bank.

As we got towards the end of the investigation, we discovered yet another interesting fact: the IP addresses of the C&C servers for all malicious programs used in the attack belonged to the same sub-network.

Diagram of the cybercriminal attack

We also found out that the cybercriminals acted very fast: it took them just four days to carry out their planned crime. Three days were spent preparing, and the plan was executed within just a few hours on the fourth day.

Day 1. The cybercriminals sent the email to the company's accountant. The accountant read the email, opened the attachment, and the malicious program Backdoor.Win32.RMS was downloaded to his computer. On the following days, the cybercriminals used this program to watch the accountant's activities.

Day 4. The cybercriminals used Backdoor.Win32.RMS to load the keylogger Trojan-Spy.Win32.Delf to the victim computer and intercepted the password to the banking software. Soon afterwards they loaded Backdoor.Win32.Agent and used it to connect to the accountant's computer. Then they sent payment orders from the victim computer to the bank.

Notifying the cybercriminals' victims

As the cybercriminals used several IP addresses from the same sub-network, we decided to have a closer look at the C&C servers. As it turned out, the cybercriminals had made a mistake when configuring one of the servers, so any user could see the HTTP requests to the C&C servers. That's how we were able to track down the IP addresses from which requests were sent using the keylogger's protocol. As we found out, there were several computers with different IP addresses infected with the keylogger.

There was one odd feature of this keylogger: when it was launched on an infected computer, it downloaded the latest version of its log from the C&C server. Thus, any user could review the keylogger's log by opening the appropriate URL in a web browser. We decided to have a close look at the HTTP requests sent to the C&C server, and in them we found the names of the logs that the keyloggers sent to the C&C server. In many cases, the logs contained the name of the organization which owned the infected computer and the victims' contacts (we could also find the victims' IP addresses using the vulnerability in the C&C server). This information helped us contact other victims (most of them were accountants at SMBs) and warn them that their computers were infected. They were very grateful for the information.

Features of banking attacks

As we said at the beginning of the article, this attack is a typical case of stealing money from a company.

  1. Cybercriminals actively use social engineering to encourage users to open the malicious file.
  2. Members of staff who deal with commercially important information and handle the company's finances need training on the basics of IT security. The company must implement security policies that would minimize the risk of employee negligence causing an infection on the corporate network.

  3. When attacking important targets, cybercriminals may use new exploits for previously unpublished vulnerabilities. In such cases regular attack detection tools, such as IDS, are not good enough.
  4. However, 0-day exploits are too expensive to use in attacks on regular companies. Here we usually see exploits for known vulnerabilities. This means simple steps like promptly updating software (especially Microsoft Office and Java) and installing a quality security solution can ensure adequate levels of protection.

  5. Yet another feature of this attack is that it involves legal software. This is a growing trend: we see cybercriminals using legitimate applications to gain remote access to victim computers before downloading and launching malicious files on them.
  6. Security products obviously won't flag up the use of legitimate software. So cybercriminals can use these applications in a bid to keep their operations secret. In this attack, secrecy was ensured by using a version of Remote Manipulator System with modifications introduced into its executable file. We added a signature for this modified version of Remote Manipulator System so in future Kaspersky Lab's products will detect it.

    If cybercriminals use the original, unmodified versions of legitimate software, the only solution will be for security systems to notify the user every time a potentially unwanted program is launched. All users, especially those who deal with financial and other important documents, must remember that no security system can provide absolute protection. They should pay attention to system notifications and be alert to any anomalous behavior on their computer. It's important to notify security staff of any suspicious event in the system.

Ideally, default deny mode should be enabled on all computers used to make payments in a remote banking system; this mode restricts Internet access and prevents the launch of irrelevant, non-whitelisted software. The same applies to computers used by corporate users to work with commercially important (business-critical) information.

Conclusion

These days, the main driving force behind all cybercriminal actions is money. Gaining access to remote banking systems is the most direct and straightforward way of stealing money from an organization. It is little surprise that remote banking systems are an increasingly attractive target for cybercriminal attacks.

Anyone who uses remote banking systems is more than familiar with the security systems incorporated in them … but so are the cybercriminals. The use of passwords, key files and tokens, as well as restricting IP access, can lull users into a false sense of security.

However, none of these measures, whether taken individually or as a group, will do anything to enhance security if they are implemented on a compromised computer. On an infected machine, passwords can be intercepted, key files can be copied. Cybercriminals can create a hidden desktop and use the original IP address and the token connected to the victim computer.

When investigating security incidents we regularly encounter the following situation: a malicious program is launched on a computer, but later it is detected and removed from the system. Subsequently the affected computer is used as before, continuing to carry out banking transactions with the accountant confident that the problem has been solved.

Users must realize that once a malicious program is executed, the computer affected should be considered compromised. The first malicious file only loads the main malicious payload. That payload typically consists of programs which update themselves all the time to escape detection by security products. Alternatively, cybercriminals load legitimate software with modifications that enable cybercriminals to connect to it via malicious C&C servers. In this case the malicious programs will not be detected.

Overlooking this can cause huge damage to a company. If a malicious program has been detected on a computer with critical information, incident response measures must be taken immediately.

Sadly, our experience shows that organizations often sound the alarm too late, when they are already facing financial loss or the shutdown of critical computing services. Moreover, the response measures taken within corporations usually prove ineffective, and often impede further investigation.

There is no such thing as a one-size-fits-all response to an incident. There are too many possible attack methods out there. For example, in some cases shutting the computer down immediately helps to preserve data that would be irreversibly deleted by a malicious program after a certain period. In other situations, though, a shutdown will destroy the RAM data that is vital to a subsequent investigation. Only an incident investigation specialist can make the right decision.

In any case, if there is the slightest suspicion of intrusion, any compromised computer should be disconnected from the Internet and the corporate network, and malware incident specialists should be called in.

Only a detailed investigation of a security incident can lead to an effective response.

Microsoft Updates September 2014

Secure List feed for B2B - Wed, 09/10/2014 - 21:54

Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 CVEs set aside for Internet Explorer, with the other five for the three remaining products.

Most interesting is the XMLDOM vulnerability (CVE-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by the APT otherwise known as Aurora Panda or "the DeputyDog actor". The crew is highly advanced and effective in technique and operation, over time deploying multiple 0-days to meet their heavy offensive needs. Their XMLDOM trick likely helped to delay discovery of their IE 0-day and presence on the compromised VFW server. "The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit". Microsoft rated this vulnerability patch "important" across OS versions, while the other privately disclosed IE vulnerabilities are rated "critical".

The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It's most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.

Also this month is a task scheduler escalation-of-privilege vulnerability reminiscent of one of the Stuxnet 0-days that Kaspersky Lab researchers reported back in 2010, and which was later deployed by the TDSS gang. And an update to an advisory went out to deal with post-exploitation lateral movement. This time the patched issue is not related to older pass-the-hash issues, but is Kerberos ticket-grant-delay related. The logon credential cleanup package can be downloaded here.

More can be read about September 2014 Microsoft Security Bulletins here.

Details Disclosed for Critical Vulnerability Patched in Webmin

Threatpost for B2B - Wed, 09/10/2014 - 15:56
The University of Texas information security office disclosed details of a vulnerability in remote management software Webmin that could allow someone to remotely delete files on a host server.

Five Million Email Passwords, Addresses Appear on Russian Bitcoin Forum

Threatpost for B2B - Wed, 09/10/2014 - 15:43
Five million email addresses showed up on a Russian Bitcoin security forum last night. Most of the leaked addresses belong to Gmail users.

CTIA's Super Mobility Week 2014

Secure List feed for B2B - Wed, 09/10/2014 - 15:31

The world's largest mobile innovation forum, "Super Mobility Week", is being held in Las Vegas. We were there to participate and moderate a panel on mobile and cloud cyber-security with speakers from Verizon, Samsung, and Ericsson Mobile.

The event maintains an impressive vendor floor and multiple stages for discussions and panels throughout the days. The floor hosts vendors presenting their newest products, including wearables and other IoT. The afternoon keynotes yesterday brought a switch from Twitter's CEO, who had been scheduled, to their "President of Global Revenue" Mark Bain, who spoke about both their technology push onto wearables and IoT, and gave a glimpse into their data mining capabilities derived from their Gnip acquisition. It's notable that he didn't mention anything about security or privacy. Two-factor authentication is ancient history for them, while Apple and their customers unfortunately continue to learn the hard way that some inconvenience is a small tradeoff for privacy and security.

Microsoft also keynoted, bringing their EVP of Devices Group onstage to discuss their push into mobile to cloud technologies with Nokia devices and "Cloud OS". Again, no mention of security baked into these technologies, although we haven't seen any recent naked celebrity photo theft from the Microsoft cloud.

My panel's discussion weaved mainly in and out of enterprise-wide security challenges to BYOD and cloud adoption, along with recent and relevant threats that we noted:

1. The recent Apple iCloud mess revealed several things

  • Apple provided password and knowledge based authentication services that enabled social engineering and brute force attacks and dismissed 2FA (until now). On cloud service authentication security, Apple "led from behind"
  • Apple's cloud security enabled brute forcing of both AppleIDs and iCloud passwords
  • In general, mobile to cloud customers have no idea of where their data resides, if it or how much of it flows off of their mobile device, how many organizations have access to it, or how well it is secured

2. Mobile malware volumes continue to surge - our mobile malware collection now includes almost half a million samples. Digging deeper, in 2013, we saw around 600 mobile banking trojans and now our malware collection maintains around 8,500 banker variants specifically supporting financial cybercrime.

3. Wi-Fi and SSL insecurities, as implemented in and used by mobile technologies, are on the increase and will likely continue to be.

4. Targeted attackers express interest in an expanded set of technologies, including various mobile devices by the Rocra, LuckyCat and Chuli attackers.

The event lasts from September 9th to the 11th.

Apache Warns of Tomcat Remote Code Execution Vulnerability

Threatpost for B2B - Wed, 09/10/2014 - 15:31
Some older versions of Apache Tomcat, the company’s open source web server and servlet container, are vulnerable to remote code execution.

Information Sharing on Threats Seen as a Key for Auto Makers

Threatpost for B2B - Wed, 09/10/2014 - 10:20
A small segment of the security research community has been spending a lot of time tearing apart the innards of various vehicles and looking at ways that the computers and local networks that reside in modern cars can be hacked. There has been some remarkable success on this front, and while auto makers haven’t paid […]

The world at your fingertips… and theirs too

Secure List feed for B2B - Wed, 09/10/2014 - 07:00

Technology has changed our lives, the way we live and work. With the emergence of wearables, the convergence between the virtual and the physical world makes people feel more natural using technology all the time. Google Glass is one of the most amazing wearable devices and, although it is still at an early stage of development, it is undeniable that you can do awesome things and experience the world in a different way with it.

With out-the-box functionality, you can search the internet, take pictures or videos, check mail, send messages to Hangouts contacts, or publish information to Google+. What truly excites us are foreseeable uses in fields like medicine or education. The device could become indispensable by helping surgeons check patient vital signs or video broadcasting their surgeries to other specialists. Similarly, we can foresee novel means of transmitting knowledge to students in interactive ways. Perhaps we can even imagine enhancements to law enforcement by enabling immediate recognition of wanted criminals.

Unfortunately, the emergence of new technologies also entails new security risks. There are in fact many concerns about potential risks to privacy and ways in which these new devices could be compromised. Cybercriminals don't rest and are always looking for new ways to profit from their victims; whenever they see an opportunity they will work day and night to achieve this objective.

New Technologies, Old Risks

New and existing devices have many things in common: they use the same protocols and are interconnected with other devices using similar applications. There is no way around this. Traditional attack vectors are mainly against the network layer in the form of Man-in-The-Middle (MiTM), the exploitation of some vulnerability in the operating system, or the applications themselves. Being based on Android, Glass could inherit known vulnerabilities found in other devices with the same OS.

There are two ways to surf the Web from Google Glass: through Bluetooth pairing to a mobile device that shares its data network connection, or directly through Wi-Fi with prior configuration of the network via a MyGlass account or mobile app generated QR code.

The procedure to add a network is pretty simple: by adding a network name and password a QR code is generated containing connection settings which when looked at through Glass establishes an automatic connection to the network.

Last year, a vulnerability related to this procedure was published by the security firm Lookout: a malicious QR code could mislead a user into connecting to a fake access point, allowing a potential attacker to hijack network communications and possibly redirect navigation to a malicious web page that could exploit a known Android web vulnerability. This vulnerability was patched but gave us a clear sense that attackers could discover ways to compromise these new devices.

A further source of potential risk is that, unlike a computer or a mobile device, the Glass interface is navigated through 'cards' that scroll through the different applications and settings. This limits configuration options and in some cases automates certain procedures and functions with little input from the user, as when connecting to a network or sharing information. This automation opens the door to exploitation by attackers and to compromise of user privacy.

Another threat avenue is the propensity for users to activate 'debug mode' in order to install applications outside of the official glassware ecosystem thus raising the risk of installing malicious applications.

This opens the possibility of new attacks using old methods such as social engineering through the use of the magic words: "free" and "sex". Although not all apps advertised this way are malicious, the terms stand as a hook for users in search of new experiences, willing to step out of the comfort zone pre-arranged by the manufacturer.

One simple test

As mentioned earlier, a feature distinguishing Glass from other wearables is the ability to navigate the internet directly via a Wi-Fi connection, rather than exclusively piggybacking off of a paired mobile device. However, this ability also means that the device is exposed to network-vector attacks, particularly MiTM.

Imagine this scenario: you are at your favorite coffee shop and decide to connect to the Wi-Fi network using Glass. You set up the network and are off to check in on Foursquare, launch an app to recognize the song playing in the background and fetch the lyrics. But what if on this network someone is using a tool to poison the other devices into redirecting traffic towards a router IP address, thus capturing all of the network traffic?

We tested by doing just that in a controlled laboratory network. Once the network was compromised, we did some searches on Google, standard site browsing, sent pictures and messages to some of our contacts, and even read the news.

Once we captured enough traffic to analyze, we found that almost all the traffic remained encrypted after the network was compromised, especially the Google searches. However, we found enough information in plain text to correlate and piece together the user's navigation to airlines, hotels, and tourist destination sites, and how and where the device was connected. Nothing too sensitive, but in some cases useful when carrying out a profiling job.

In the end, as with any other device, security must be visualized in layers and we need to protect every layer to reduce the risk of compromise. In this case, the network layer could be exposed since the device can connect to public networks but lacks the option for VPN connections, which means traffic can be captured and analyzed.
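The split the authors report, encrypted traffic that hides the URLs versus plaintext requests that leak enough to profile the user, is easy to make concrete once a capture is reduced to flow records. The script below is an added example, not code from the original post: the flow records are constructed to mirror the test described above (Google searches over TLS, airline and hotel browsing over plain HTTP), and a real capture would be reduced to this shape from a pcap. It shows that TLS still reveals which servers were contacted (via the SNI), while plaintext HTTP exposes full URLs and query parameters.

```python
"""Assess what a network-level observer learns from captured Glass traffic.

Added example, not code from the original post. The flow records below are
constructed for the example; a real capture would be parsed from a pcap.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed flow records: 'tls' flows expose only the server name (SNI),
# 'http' flows expose host and full request path.
CAPTURED_FLOWS = [
    {"proto": "tls",  "sni": "www.google.com"},
    {"proto": "tls",  "sni": "plus.google.com"},
    {"proto": "http", "host": "airline.example", "path": "/search?from=MEX&to=SFO&date=2014-10-01"},
    {"proto": "http", "host": "hotels.example",  "path": "/list?city=San+Francisco&guests=2"},
    {"proto": "http", "host": "lyrics.example",  "path": "/song?title=Hotel+California"},
    {"proto": "tls",  "sni": "www.google.com"},
]


def assess(flows):
    """Split flows into what TLS hides and what plaintext exposes.

    Returns the contacted TLS hosts (visible even though content is encrypted),
    every plaintext URL, the query parameters that build a user profile, and the
    share of flows that were sent in the clear.
    """
    encrypted_hosts = Counter()
    plaintext_requests = []
    profile = {}
    for f in flows:
        if f["proto"] == "tls":
            # TLS hides the URL and body, but the SNI still names the service.
            encrypted_hosts[f["sni"]] += 1
        else:
            url = f"http://{f['host']}{f['path']}"
            plaintext_requests.append(url)
            # Query parameters in the clear are the profiling material.
            for key, values in parse_qs(urlsplit(url).query).items():
                profile.setdefault(key, []).extend(values)
    return {
        "encrypted_hosts": encrypted_hosts,
        "plaintext_requests": plaintext_requests,
        "profile": profile,
        "plaintext_share": len(plaintext_requests) / len(flows) if flows else 0.0,
    }


if __name__ == "__main__":
    result = assess(CAPTURED_FLOWS)
    print("TLS hosts (names only):", dict(result["encrypted_hosts"]))
    print("Plaintext URLs:", result["plaintext_requests"])
    print("Profile from query parameters:", result["profile"])
    print(f"Share of flows in the clear: {result['plaintext_share']:.0%}")
```

On the constructed capture half of the flows are in the clear, and the profile assembled from their query parameters (origin and destination airport, travel date, city, party size) is exactly the kind of travel footprint the article describes; the TLS flows contribute only the host names.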

In coming months, we'll see wearable devices becoming the next attack targets, highlighting the need to pay special attention to these devices, their capabilities, and the information they handle.

You can also follow me on twitter @r0bertmart1nez
