Feed aggregator

RSA Conference 2015

Secure List feed for B2B - Wed, 04/22/2015 - 07:54

The RSA Conference 2015 is being held at the Moscone Center in San Francisco. It is a massive event, with thousands of people in attendance.

A huge number of booths built by vendors provide coffee bars, presentations, and swag giveaways. Threat intelligence is hawked by many here. But one of the more surprising parts of cyber-security, and one that has been a long time coming, is a discussion I do not always hear: cyber-security insurance and quantification methodologies for threat risk assessment. Yawn. Its arrival following the massive 2014 data breaches is, of course, partly expected, and it is a double-edged sword. It may incentivize corporate decision makers to act more irresponsibly in protecting your data (just buy more insurance to cover it, it’s cheap!), while the policies may also incentivize decision makers to strengthen their organization’s cybersecurity in order to meet coverage requirements. Either way, carriers are underwriting more cybersecurity policies and we have yet to see the real impact.

From Kaspersky Lab, our very own David Jacoby will be presenting later today on IoT security at 10:20 am, West Moscone Room 3018. Come check it out!

How exploit packs are concealed in a Flash object

Secure List feed for B2B - Wed, 04/22/2015 - 07:00

One of the most important features of a malicious attack is its ability to conceal itself from both protection solutions and victims. The main role in a hidden attack is played by exploits for software vulnerabilities, which can be used to covertly download malicious code onto the victim’s machine. Generally, exploits are distributed in exploit packs, which consist of plugin detects (to identify the type and version of the software installed on the user’s computer) and a set of exploits, one of which is served to the user if a matching vulnerability is found.

Recently, we have come across a new technique used to hide exploit-based attacks: fraudsters packed the exploit pack in the Flash file.

Downloading an Exploit

The standard technique used in a drive-by attack is to compromise a web site with a link leading to a landing page hosting the exploit pack. From there the pack delivers the necessary exploit to the user’s computer. From the point of view of security software, this unmasks all the components of the exploit pack because they are simply loaded onto the landing page. As a result, the exploits and the plugin detects are visible in the web traffic. The criminals must mask each component separately if the attack is to go unnoticed.

The unconventional new approach with the Flash package is definitely more efficient for criminals. The standard landing page is missing. The user follows the link to get to a page with a packed Flash object that turns out to be the exploit pack and the configuration file in an image form. The packed Flash file with the exploit pack is loaded to a page in the browser and has the right to write to and modify the page, i.e. it can add exploits to the page which will then be executed.

Let us look into how this works, using the Neutrino exploit pack as our example.

This is what the packed Flash object looks like:

The packed Flash object (exploit pack)

This is how it looks after de-obfuscation:

The Flash object (exploit-pack) after de-obfuscation

The packing is supposed to prevent the malicious object from being detected. A Flash object like this is not opened by most popular deobfuscators. For instance, SWF Decompiler freezes and then reports an error.


The results of using a popular deobfuscator on the Flash object of the Neutrino exploit pack

The Flash object is written to a page in the user’s browser with the parameter allowscriptaccess = “always” – this allows for the page to be modified, even if the object was loaded from a different domain. Although Flash objects rarely require page modification rights, there is nothing very unusual about this option and indeed a lot of legitimate Flash content is loaded this way. With this privilege, the malicious Flash object simply writes exploits to the page from its binary data.

Thus, there is no malicious content in the web traffic or on the page delivered to the browser. The malicious content is hidden behind a good packer, and the exploits emerge while a page is processed by the browser.

Contents of the Flash object

Let us have a look at what the analyzed Flash object contains, and what it writes to a web page. After unpacking, we see six embedded binary objects. These binary objects are encrypted with RC4, and some are also compressed with the standard ‘deflate’ algorithm.

The encoded binary objects within the Flash object

Here is how one of the objects is decoded and delivered:

The code for decrypting and adding the exploit to a page

Other objects are decrypted in a similar manner.

Let us summarize the binary objects contained in the Flash pack:

  • An exploit for the CVE-2013-2551 vulnerability in Internet Explorer

The exploit for the CVE-2013-2551 vulnerability

  • A malicious DLL which is also part of other versions of the Neutrino exploit pack (discussed later in this article)
  • Two exploits for the CVE-2014-6332 vulnerability in Internet Explorer’s VBS processor

Exploits for the CVE-2014-6332 vulnerability

  • An exploit for the CVE-2014-0569 vulnerability in Adobe Flash

The exploit for the CVE-2014-0569 vulnerability

  • An exploit for the CVE-2014-0515 vulnerability in Adobe Flash

The exploit for the CVE-2014-0515 vulnerability

Note that there is no plugin detect for the Adobe Flash exploits in this exploit pack; ActionScript tools are used instead to check the Adobe Flash version. The Adobe Flash versions that can be attacked using the exploits are hardcoded in the Flash-pack code:

In the most recent versions, modifications were introduced into the Flash pack. These include adding another exploit for the vulnerability CVE-2015-0536 in Adobe Flash.

The configuration file

Let us have a look at one interesting function in the Flash pack.

It should be remembered that an image (a configuration file) is posted on the landing page alongside with the Flash object.

The image posted on the page

A special function reads this image from the landing page, Base64-decodes it and RC4-decrypts the result, and thus obtains the configuration file.

The function for obtaining the configuration file

The configuration file contains the keys and identifiers of the exploits discussed above, which are available for the user to download. The availability of the configuration file gives some flexibility to the cybercriminals: they can specify the best settings for its operation at each specific period of time without changing the exploit pack itself. For example, they can specify priority exploits or separately keep the keys with which to decrypt the objects within the pack.

The configuration file decrypted from the image

In the later versions of the Flash pack, however, the configuration file is part of the actual exploit pack rather than a separate picture.
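The decoding steps described in the two sections above (RC4 plus optional deflate for the embedded binary objects, Base64 then RC4 for the configuration image) as an analyst-side decoder. This is an added example written for this page, not code from the Neutrino pack or from Kaspersky Lab; the key, page text and configuration string are constructed samples, and a real run would take the blob extracted from the SWF together with the key recovered from the pack or its configuration.

```python
import base64
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The cipher is symmetric, so the same routine
    encrypts the constructed samples below and decrypts real objects."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def inflate_if_compressed(data: bytes) -> bytes:
    """Only some objects are deflate-compressed after decryption. Probe for a
    zlib-wrapped stream, then a raw deflate stream; a plain exploit page parses
    as neither and is returned untouched."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return data


def decode_embedded_object(blob: bytes, key: bytes) -> bytes:
    """Recover one embedded binary object: RC4 decrypt, then inflate if needed."""
    return inflate_if_compressed(rc4(key, blob))


def decode_config_image(image_text: str, key: bytes) -> bytes:
    """The configuration 'image' is Base64 text wrapped around RC4 ciphertext."""
    return rc4(key, base64.b64decode(image_text))


def looks_like_exploit_page(data: bytes) -> bool:
    """Sanity check after decryption: with the right key the output is HTML or
    script markup, with the wrong key it is high-entropy garbage."""
    head = data[:512].lower()
    return any(m in head for m in (b"<script", b"<html", b"<object", b"<embed"))


# --- Constructed sample standing in for a real blob from the pack -------------
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_PAGE = (b'<html><body><script type="text/vbscript">\r\n'
               + b"' placeholder body, not a real exploit\r\n" * 8
               + b"</script></body></html>")
SAMPLE_CONFIG = b"exploits=cve-2014-6332,cve-2013-2551;priority=1"


def build_samples() -> dict:
    """Encrypt the sample page three ways (uncompressed, raw deflate, zlib) and
    wrap the sample configuration as a Base64+RC4 image."""
    raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    raw_deflated = raw.compress(SAMPLE_PAGE) + raw.flush()
    return {
        "plain": rc4(SAMPLE_KEY, SAMPLE_PAGE),
        "raw_deflate": rc4(SAMPLE_KEY, raw_deflated),
        "zlib": rc4(SAMPLE_KEY, zlib.compress(SAMPLE_PAGE)),
        "config_image": base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_CONFIG)).decode(),
    }


def demo() -> dict:
    """Decode every sample; each entry records (matches original, passes sanity check)."""
    samples = build_samples()
    results = {}
    for name in ("plain", "raw_deflate", "zlib"):
        obj = decode_embedded_object(samples[name], SAMPLE_KEY)
        results[name] = (obj == SAMPLE_PAGE, looks_like_exploit_page(obj))
    results["config"] = decode_config_image(samples["config_image"], SAMPLE_KEY) == SAMPLE_CONFIG
    # A wrong key yields garbage that fails the sanity check
    results["wrong_key"] = looks_like_exploit_page(decode_embedded_object(samples["plain"], b"wrong"))
    return results


if __name__ == "__main__":
    print(demo())
```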

Implementing the payload

The shellcode of one of the exploits is VBS code with binary code embedded in a string, which is executed through exploitation of the vulnerability CVE-2014-6332 in Internet Explorer’s VBS processor. As a result, the file shell32.dll is written to the folder “%temp%/System32/”.

The name and the path of the loaded file are similar to those of a regular Windows DLL. Using the regular DLL hijacking technique, the attacker can avoid using functions such as run, start or open, and thus mask the launch of the malicious DLL from the security product.

Using DLL hijacking shell32.dll

The exploit modifies the environment variable SYSDIR and attempts to load System.ShellApplication – this launches the malicious DLL.

The launched DLL is a dropper which loads the script “p.js” to the victim’s computer and launches it.

The main part of shell32.dll code

The launched p.js script

This script is the loader of the principal malicious file.

Distribution

The version of the Flash pack described in this article emerged in late 2014 and was actively distributed in Q1 2015. There were also new modifications of the Flash pack, but their basic working principles didn’t change.

In March 2015, we observed Neutrino Flash pack attacks on the computers of 60,541 users. On average about 2,000 users were attacked every day; on certain days, the number of potential victims reached 5,000 to 6,000.

The number of unique users attacked by Neutrino Flash pack

This exploit pack is predominantly used to attack users located in the USA and Canada.

The geographic distribution of Neutrino Flash-pack attacks (as of March 2015)

Conclusion

The idea of using a Flash pack to distribute exploits is relatively new, and it has proved fairly successful for cybercriminals. Existing Flash properties allow them to pack the exploit pack into a Flash object and conceal it with an obfuscator. The Flash capability to specify website access parameters then allows them to write exploits to a webpage in the user’s browser. The exploit pack’s components are found neither in the web traffic nor in the loaded page.

Although the malware writers are constantly updating the exploit-pack and introducing modifications into the code of the malicious Flash pack in order to prevent security products from detecting it, Kaspersky Lab responds promptly to these threats. Alongside regular protection methods, Kaspersky Lab’s products use a special “Anti-Exploit Protection” (AEP) component, which detects this threat with the help of behavior analysis.

Kaspersky Lab’s products detect this Flash pack under the verdicts HEUR:Exploit.Script.Blocker and HEUR:Exploit.SWF.Generic.

Renewed Attention on Android Apps Failing SSL Validation

Threatpost for B2B - Tue, 04/21/2015 - 20:12
CERT researcher Will Dormann presented an update on his research looking at Android apps that fail to validate SSL; Google, meanwhile, says it will get stricter with enforcement.

Threat Information Sharing Bill to Become Law, Experts Say

Threatpost for B2B - Tue, 04/21/2015 - 20:04
SAN FRANCISCO - The U.S. House of Representatives is likely to pass an information sharing bill this week and that bill is just as likely to become law in the coming months, according to a panel of experts at the RSA Conference in San Francisco.

Microsoft Data Shows Drop in Remote Code Execution Bugs Being Exploited

Threatpost for B2B - Tue, 04/21/2015 - 17:41
SAN FRANCISCO–One of the downsides to being a software company with a huge customer base is that your products are going to be prime targets for attackers. But the flip side to that coin is that you’re going to gather a lot of data about vulnerabilities and attacks. Microsoft has been collecting that data for […]

The CozyDuke APT

Secure List feed for B2B - Tue, 04/21/2015 - 16:50

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a precise attacker. Kaspersky Lab has observed signs of attacks against government organizations and commercial entities in the US, Germany, South Korea and Uzbekistan. In 2014, targets are believed to have included the White House and the US Department of State.

The operation presents several interesting aspects:

  • extremely sensitive high profile victims and targets
  • evolving crypto and anti-detection capabilities
  • strong malware functional and structural similarities linking this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components

The actor often spearphishes targets with e-mails containing a link to a hacked website. Sometimes it is a high profile, legitimate site such as “diplomacy.pl”, hosting a ZIP archive. The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy.

In other highly successful runs, this actor sends out phony flash videos directly as email attachments. A clever example is “Office Monkeys LOL Video.zip”. The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently. Many of this APT’s components are signed with phony Intel and AMD digital certificates.

Recent CozyDuke APT activity attracted significant attention in the news:

Sources: State Dept. hack the ‘worst ever’, CNN News, March 2015
White House computer network ‘hacked’, BBC News, October 2014
Three Months Later, State Department Hasn’t Rooted Out Hackers, Wall Street Journal, February 2015
State Department shuts down its e-mail system amid concerns about hacking, Washington Post, November 2014

Let’s examine a smattering of representative CozyDuke files and data. There is much to their toolset.

Office Monkeys dropper analysis

CozyDuke droppers and spyware components often share fairly common characteristics, but the functionality of these files is modified in slight ways depending on the team’s needs. This rapid development and deployment is interesting.

68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip

Believe it or not, recipients run the file within in bulk:

95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe

This file in turn drops two executables to %temp%:

  • 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe
  • 3d3363598f87c78826c859077606e514, player.exe

It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar, tie-wearing chimpanzees working in a high-rise office with a human colleague. It then launches player.exe, a CozyDuke dropper that maintains anti-detection techniques:

3d3363598f87c78826c859077606e514,player.exe,338kb,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33

Anti-detection and trojan functionality

The file collects system information and then invokes a WMI instance in the root\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems. The WQL queries are:

SELECT * FROM AntiVirusProduct
SELECT * FROM FireWallProduct

The code hunts for several security products to evade:

  • CRYSTAL
  • KASPERSKY
  • SOPHOS
  • DrWeb
  • AVIRA
  • COMODO Dragon

In addition to the WMI/WQL use, it also hunts through the “SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\” registry key looking for security products to avoid. Following these checks, it drops several more malware files, signed with the pasted AMD digital signature, to a directory it creates. These files are stored within a 217kb encrypted cab file in the dropper’s resources under the name “A”. The cab file is encrypted and decrypted using a simple XOR cipher with a rotating 16-byte key: \x36\x11\xdd\x08\xac\x4b\x72\xf8\x51\x04\x68\x2e\x3e\x38\x64\x32.

The cab file is decompressed and its contents are created on disk. These dropped files bundle functionality for both 64bit and 32bit Windows systems and are all located within one directory:
C:\Documents and Settings\user\Application Data\ATI_Subsystem\

6761106f816313394a653db5172dc487,amdhcp32.dll,54kb  ← 32bit dll,CompiledOn:2014.07.02 21:13:24
d596827d48a3ff836545b3a999f2c3e3,aticaldd.dll,60kb  ← 64bit dll,CompiledOn:2014.07.02 21:13:26
bc626c8f11ed753f33ad1c0fe848d898,atiumdag.dll,285kb ← 32bit dll, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26
4152e79e3dbde55dcf3fc2014700a022,racss.dat,6kb
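The resource decryption described above, as an added analyst helper written for this page (not CozyDuke’s code or Kaspersky Lab’s): it applies the quoted 16-byte rotating XOR key to resource “A”, validates the MSCF signature and parses the CFHEADER so the cabinet can be handed to a standard extractor. The resource bytes are a constructed stand-in for the real 217kb blob, and the known-plaintext check goes beyond this one sample: it recovers the first four key bytes from any XOR-encrypted CAB, so the quoted key can be verified against a new dropper before it is trusted.

```python
import struct

# Rotating 16-byte XOR key quoted above for the dropper's resource "A"
XOR_KEY = bytes.fromhex("3611dd08ac4b72f85104682e3e386432")

# CFHEADER layout: signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes, little-endian


def xor_rotating(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i % len(key)]; symmetric, so it also builds the sample."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_cab_header(blob: bytes) -> dict:
    """Validate and parse the fixed CFHEADER; raise ValueError if this is not a CAB."""
    if len(blob) < CFHEADER.size or blob[:4] != b"MSCF":
        raise ValueError("no MSCF signature: still encrypted or not a cabinet")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, minor, major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(blob)
    if cb_cabinet > len(blob) or coff_files >= len(blob):
        raise ValueError("CFHEADER sizes exceed the available data")
    return {"cabinet_size": cb_cabinet, "first_cffile_offset": coff_files,
            "version": (major, minor), "folders": c_folders, "files": c_files,
            "flags": flags, "set_id": set_id, "cabinet_index": i_cabinet}


def key_hint_from_signature(resource: bytes) -> bytes:
    """Known-plaintext check that works on any XOR-encrypted CAB, not just this
    sample: the first four key bytes are resource[0:4] XOR b"MSCF". Compare the
    result with XOR_KEY[:4] before trusting the quoted key on a new dropper."""
    return xor_rotating(resource[:4], b"MSCF")


def decrypt_resource(resource: bytes, key: bytes = XOR_KEY) -> dict:
    """Decrypt resource "A" and return the parsed CFHEADER plus the CAB bytes,
    ready to hand to a standard cabinet extractor."""
    cab = xor_rotating(resource, key)
    info = parse_cab_header(cab)
    info["cab"] = cab
    return info


def build_sample_resource() -> bytes:
    """Constructed stand-in for the real 217kb resource: a CFHEADER (version 1.3,
    one folder, four files, matching the four dropped files) followed by a dummy
    8-byte CFFOLDER and placeholder file entries, XOR-encrypted with XOR_KEY."""
    body = b"\x00" * 8 + b"CFFILE-placeholder-entry\x00" * 4
    total = CFHEADER.size + len(body)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, CFHEADER.size + 8, 0,
                           3, 1, 1, 4, 0, 0x1234, 0)
    return xor_rotating(header + body, XOR_KEY)


if __name__ == "__main__":
    resource = build_sample_resource()
    print("key hint:", key_hint_from_signature(resource).hex(),
          "expected:", XOR_KEY[:4].hex())
    info = decrypt_resource(resource)
    print({k: v for k, v in info.items() if k != "cab"})
```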

The code copies rundll32.exe from windows\system32 to its newly created %appdata%\ATI_Subsystem subdirectory as “amdocl_as32.exe”, alongside the three DLLs listed above. It then runs atiumdag.dll with two parameter values, its only export and an arbitrary PID, i.e.:
"C:\Documents and Settings\user\Application Data\ATI_Subsystem\amdocl_as32.exe" "C:\Documents and Settings\user\Application Data\ATI_Subsystem\atiumdag.dll",ADL2_ApplicationProfiles_System_Reload 1684

This DLL is built with anti-AV protections as well. However, it looks for a different but overlapping set of products, and the random duplication suggests that this component was cobbled together with its dropper, partly based on regional target selection:

  • K7
  • KASPERSKY
  • AVG

The code collects information about the system and formats this data as XML prior to encryption, for proper parsing:

Finally, this process beacons to www.sanjosemaristas.com, which appears to be a site that has been compromised and misused multiple times in the past couple of years. The request goes to hxxp://www.sanjosemaristas[.]com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, with the current network adapter’s service name GUID as the parameter. It uses standard Win32 base cryptography functions to generate a CALG_RC4 session key to encrypt the collected data and POSTs it to the server.

Executable-Signing Certificates

Samples are usually signed with a fake certificate – we’ve seen two instances, one AMD and one Intel:

Configuration files:

Some of the malware uses an encrypted configuration file which is stored on disk as “racss.dat”. This is encrypted by RC4, using the key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}. Here’s how it looks decrypted:

Second stage malware and communications:

The attackers send commands and new modules to be executed to the victims through the C&Cs. The C&C scripts store these temporarily until the victim next connects to retrieve local files. We’ve identified two such files:

  • settings.db
  • sdfg3d.db

Here’s how such a database file appears:

These are BASE64 encoded and use the same RC4 encryption key as the malware configuration.

Decoding them resulted in the following payloads:

59704bc8bedef32709ab1128734aa846, ChromeUpdate.ex_
5d8835982d8bfc8b047eb47322436c8a, cmd_task.dll
e0b6f0d368c81a0fb197774d0072f759, screenshot_task.dll

Decoding them also resulted in a set of tasking files maintaining agent commands and parameter values:

conf.xml

And a set of “reporting” files, maintaining stolen system “info”, error output, and “AgentInfo” output, from victim systems:

DCOM_amdocl_ld_API_.raw
Util_amdave_System_.vol
Last_amdpcom_Subsystem_.max
Data_amdmiracast_API_.aaf
7.txt

screenshot_task.dll is a 32-bit dll used to take a screenshot of the full desktop window and save it as a bitmap in %temp%. The number of times the screenshot is repeated is configurable within the xml task file.

cmd_task.dll is a 32-bit dll that maintains several primitives. It is used to create new processes, perform as a command line shell, and several other tasks.

Each of these payloads is delivered together with a configuration file that explains how to run it, for instance:


In another tasking, we notice a tracked victim:

Attackers map a network drive using Microsoft OneDrive to run further tools:

They copy down a base64 encoded document from Microsoft OneDrive to the victim system and decode it there:

Not everything works as planned, so they maintain an error reporting facility for the C2 communications:

Furthermore, ChromeUpdate is a 64-bit executable (which appears to be a WEXTRACT package) that oddly drops a 32-bit DLL. Cache.dll is simply stored as a cabinet file in ChromeUpdate’s resource section.

ChromeUpdate.exe starts the file with “rundll32 cache.dll,ADB_Setup”

Cache.dll analysis

Cache.dll was written in C/C++ and built with a Microsoft compiler.

Cache.dll code flow overview

  • RC4 decrypt hardcoded c2 and urls
  • resolve hidden function calls
  • collect identifying victim system data
  • encrypt collected data
  • send stolen data to c2 and retrieve commands

Cache.dll code details

Structurally, “Cache.dll” is a fairly large backdoor at 425KB. It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn’t exposed until runtime. No pdb/debug strings are present in the code.

It maintains eight exports, including DllMain:

  • ADB_Add
  • ADB_Cleanup
  • ADB_Initnj
  • ADB_Load
  • ADB_Release
  • ADB_Remove
  • ADB_Setup

ADB_Setup is an entry point that simply spawns another thread and waits for its completion.

Above, we see a new thread created by the initial thread with the start address of the Cache.dll export “ADB_Load”.

This exported function is passed control while the initial thread runs a Windows message loop. It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data:

The standard Win32 API CryptDecrypt uses RC4 to decrypt this blob into the hardcoded C2, URL path and URL parameters listed below, with a simple 140-bit key “\x8B\xFF\x55\x8B\xEC\x83\xEC\x50\xA1\x84\x18\x03\x68\x33\xC9\x66\xF7\x45\x10\xE8\x1F\x89\x45\xFC\x8B\x45\x14\x56”.

The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality:

InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
HttpQueryInfoA
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetSetOptionW
GetAdaptersInfo

Much like the prior office monkey “atiumdag.dll” component, this code collects identifying system information using standard win32 API calls:

  • Computer name – GetComputerNameW
  • User name – GetUserNameW
  • Adapter GUID, ip address, mac address – GetAdaptersInfo
  • Windows version – GetVersionExW

It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls.

Cache.dll connectback urls:

  • 209.200.83.43/ajax/links.php
  • 209.200.83.43/ajax/api.php
  • 209.200.83.43/ajax/index.php
  • 209.200.83.43/ajax/error.php
  • 209.200.83.43/ajax/profile.php
  • 209.200.83.43/ajax/online.php
  • 209.200.83.43/ajax/loader.php
  • 209.200.83.43/ajax/search.php

The User-Agent string observed on the wire is shown below; it is generated dynamically from the Windows system settings (retrieved using the standard Win32 API ObtainUserAgentString):
“User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)”

Communications with the CozyDuke C2 include key/value pairs passed as URL parameters. Observed keys that remind us of the Cosmicduke communications include:

  • status=
  • k=
  • mode=
  • ajax=
  • name=
  • subNodeId=
  • nodeId=
  • r=
  • t=
  • id=
  • item=
  • item_id=
  • js=
  • j=
  • v=
  • json=
  • i=
  • c=
  • x=
  • a=

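Detection logic built from the connectback URLs, parameter keys and User-Agent described above, as an added example written for this page (not Kaspersky Lab’s or the malware’s code): it scores proxy log entries so that the combination of signals fires rather than any one of them, since a lone /ajax/search.php hit is common on legitimate web applications. The log line format and the three sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# URL parameter keys observed in Cache.dll/CozyDuke C2 traffic (from the write-up)
COZYDUKE_KEYS = {"status", "k", "mode", "ajax", "name", "subNodeId", "nodeId",
                 "r", "t", "id", "item", "item_id", "js", "j", "v", "json",
                 "i", "c", "x", "a"}
# The hardcoded connectback scripts and host listed above
C2_PATH = re.compile(r"^/ajax/(links|api|index|error|profile|online|loader|search)\.php$")
KNOWN_C2_HOSTS = {"209.200.83.43"}
ALERT_THRESHOLD = 4

# Constructed proxy log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) "([^"]*)"$')


def score_request(url: str, user_agent: str) -> dict:
    """Combine weak signals: path shape, parameter-key set, stock IE6-era
    User-Agent and (strongest) a known C2 host. Path + key set alone reaches
    the alert threshold, so a new C2 host is still caught."""
    parts = urlsplit(url)
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    score, reasons = 0, []
    if C2_PATH.match(parts.path):
        score += 2
        reasons.append("Cache.dll-style /ajax/*.php path")
    if len(keys) >= 3 and len(keys & COZYDUKE_KEYS) / len(keys) >= 0.8:
        score += 2
        reasons.append("query built from CozyDuke parameter keys")
    if "MSIE 6.0" in user_agent:
        score += 1
        reasons.append("stock IE6-era User-Agent")
    if parts.hostname in KNOWN_C2_HOSTS:
        score += 3
        reasons.append("known CozyDuke C2 host")
    return {"url": url, "score": score, "reasons": reasons}


def scan_log(lines) -> list:
    """Return alert records for every parsable line at or above ALERT_THRESHOLD."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status, ua = m.groups()
        verdict = score_request(url, ua)
        if verdict["score"] >= ALERT_THRESHOLD:
            alerts.append({"time": ts, "client": client, **verdict})
    return alerts


# Constructed sample traffic: one intranet search, one CDN fetch, one beacon.
SAMPLE_LOG = """\
2015-03-12T10:04:01Z 10.1.2.34 GET http://intranet.example/ajax/search.php?q=budget&page=2 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
2015-03-12T10:04:12Z 10.1.2.34 GET http://cdn.example/app.js?v=3 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
2015-03-12T10:04:31Z 10.1.2.34 GET http://209.200.83.43/ajax/profile.php?status=1&k=ab12&mode=2&id=7 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert["time"], alert["client"], alert["score"], alert["url"],
              "; ".join(alert["reasons"]))
```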

Connections with MiniDuke/CosmicDuke/OnionDuke:

One of the second stage modules of CozyDuke/Cozy Bear, Show.dll, is particularly interesting because it appears to have been built onto the same platform as OnionDuke. Below we compare Show.dll with the OnionDuke sample MD5: c8eb6040fd02d77660d19057a38ff769. Both have exactly the same export tables and appear to be called internally “UserCache.dll”:

This seems to indicate the authors of OnionDuke and CozyDuke / Cozy Bear are the same, or working together.

Another interesting comparison of two other files matches a recent second stage tool from the CozyDuke attacks with a second stage component from other Miniduke/Onionduke attacks.

2e0361fd73f60c76c69806205307ccac, update.dll (MiniDuke), 425kb (internal name = “UserCache.dll”)
9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (CozyDuke), 425kb (internal name = “UserCache.dll”)

The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time. The table below presents the function matches based on size data, but the calls, jmps and code all match as well. Only one of these exports in update.dll has contents with no match whatsoever in cache.dll.

Unlike the atiumdag.dll file above, however, cache.dll and update.dll do not maintain anti-AV and anti-analysis functionality sets. Perhaps they plan to pair this stealer with another dropper that maintains the WMI anti-AV functionality. This rotating functionality seems representative of the set, along with other characteristics. Their custom backdoor components appear to evolve slightly over time, with modifications to anti-detection, cryptography and trojan functionality changing per operation. This rapid development and deployment reminds us of the APT28/Sofacy toolset, especially the coreshell and chopstick components.

We expect ongoing and further activity from this group in the near future and variations on the malware used in previous duke-ish incidents.

For more information about MiniDuke, CosmicDuke and OnionDuke, please see References.

Related MD5s


Related CozyDuke C&Cs:

Appendix: Parallel and Previous Research

The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor, Securelist, Feb 2013
Miniduke is back: Nemesis Gemina and the Botgen Studio, Securelist, July 2014
MiniDuke 2 (CosmicDuke), CrySyS, July 2014
COSMICDUKE Cosmu with a twist of MiniDuke [pdf], F-Secure, September 2014
THE CASE OF THE MODIFIED BINARIES, Leviathan Security, October 2014
A word on CosmicDuke, Blaze’s Security Blog, September 2014
OnionDuke: APT Attacks Via the Tor Network, F-Secure, November 2014
The Connections Between MiniDuke, CosmicDuke and OnionDuke, F-Secure, January 2015

Kaspersky Lab products detect the malware used by the CozyDuke threat actor as:
HEUR:Trojan.Win32.CozyDuke.gen
Trojan.Win32.CozyBear.*

DHS Secretary on Recruiting Trip at RSA Conference

Threatpost for B2B - Tue, 04/21/2015 - 15:01
DHS Secretary Jeh Johnson pitched RSA Conference attendees on working for the department's NCCIC initiative, as well as providing help on solving the NSA's frontdoor problem.

NetNanny Found Using Shared Private Key, Root CA

Threatpost for B2B - Tue, 04/21/2015 - 14:43
An issue with the content-control software NetNanny could open users’ systems up to man-in-the-middle (MiTM) attacks, HTTPS spoofing and intercept, researchers warned Monday.

Crypto ‘Front Door’ Debate Likely to Go On For Years

Threatpost for B2B - Tue, 04/21/2015 - 14:42
SAN FRANCISCO–Encryption is the hot new topic in security at the moment, as it has been any number of times in the last few decades. And, as in the past, the notions of key escrow, mandated legal access to encrypted systems and other ideas for helping governments defeat cryptosystems have followed right along with the latest crypto […]

Naval Academy Midshipmen Win NSA Hacking Contest

Threatpost for B2B - Tue, 04/21/2015 - 14:01
Cadets from the U.S. Naval Academy have won the NSA's annual hacking contest for the third time in fifteen years.

Jeremiah Grossman on Adapting to a Changing Market

Threatpost for B2B - Tue, 04/21/2015 - 10:32
Dennis Fisher talks with Jeremiah Grossman of WhiteHat Security about his RSA Conference talk on the coming change in the security industry regarding guarantees, security insurance and how it will all affect customers.

Remote Code Execution Hole Patched in Magento eCommerce Platform

Threatpost for B2B - Mon, 04/20/2015 - 16:12
A nasty remote code execution vulnerability was recently patched in Magento, eBay’s eCommerce platform.

Previewing RSA 2015 with Brian Donohue

Threatpost for B2B - Mon, 04/20/2015 - 09:22
Dennis Fisher talks with Brian Donohue in advance of Brian's first visit to the RSA Conference this week. They discuss what to expect in terms of the content, the chaos and the suit-to-civilian ratio at the show.