Category Archives: Security Essentials

Blockchain & Brainwallet cracking

img_1293The blockchain is the underlying technology that enables the bitcoin cryptocurrency to exist. A foundational component of this technology is its complex cryptosystem. The blockchain cryptosystem relies on public key algorithms based on Elliptic Curve and message digest functions like SHA-256 and RIPEMD-160. When you create a bitcoin wallet, under the hood you are creating an Elliptic Curve key pair based on Secp256k1 curves. The key pair has a private key and a public key. The private key is the one you keep secret and allows you to sign transactions. For example, when you send bitcoins to someone, you are signing this transaction with your private key and then you announce it to the network. The miners will pick up your transaction and verify that the transaction signature is valid and broadcast to the network until enough miners have validated the transaction and thus achieving consensus. The checks and balances of the Blockchain ledger are updated and when consensus is achieved, your transaction is written in “digital stone”.

On the other hand, the public key is the one used to create your bitcoin wallet address. The public key allows you to receive bitcoins. However, your bitcoin wallet address is not your raw Elliptic Curve public key There are additional steps performed in order to create an address. First, a digital representation of your public key is computed using SHA-256 followed by RIPEMD-160. Second, a byte with network id is prepended to this string. Third, a checksum of this string is computed by performing SHA-256 twice. From these results the first 4 bytes are appended to the string produced in second step. This string is encoded in Base58 and this is your bitcoin wallet address. The picture below illustrates this steps in a non-automated way.

generatebitcoinaddr

There are many forms to store your bitcoins as well as to create wallets. One of the early methods to create bitcoin wallets was known as brain wallets. Unfortunately, this user-friendly method allowed you to enter a password or passphrase which was then hashed using an algorithm such as SHA-256 and used as seed to generate your private key. Due to its popularity and easy usage, many Brain wallets were used in the last few years with weak passwords or passphrases, transforming the Blockchain wallet address hashes in password or passphrases representation of your private key. This weak way of generating your private key allowed attackers to steal your bitcoins just by doing password cracking against the hashes stored in the Blockchain.

Although, this attack has been known for years,  it only got widely known recently due to the work made by Ryan Castellucci. Ryan’s released on 7th August 2015 at DEFCON 23 the results of his work cracking brain wallets in conjunction with a tool called BrainFlayer : A proof-of-concept cracker for cryptocurrency brain wallets and other low entropy key algorithms. You can view Ryan’s talk here.  Two months after Ryans’ initial release of BrainFlayer, he released a faster version. This was the result of the work done by Nicolas Courtois, Guangyang Song from
International Association for Cryptologic Research (IACR), University College London, and Ryan’s to optimize the speed of computing secp256k1 bitcoin elliptic curve. This has been detailed in the paper Speed Optimizations in Bitcoin Key Recovery Attacks.  Furthermore, this year at the Financial Cryptography and Data Security conference, Marie Vasek presented another article The Bitcoin Brain Dain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets. This paper published the results of evaluating 300 billion passwords against Blockchain hashes and their findings about 884 brain wallets that had funds at a given time, suggesting they might have been drained by active attackers.

So, how do you perform such attack?

The attempt to recover a password just by knowing its encrypted representation can be made mainly using three techniques. Dictionary attacks, which is the fastest method and consists of comparing the dictionary word with the password hash. Another method is the brute force attack, which is the most powerful one but the time it takes to recover the password might render the attack unfeasible. This is of course dependable on the complexity of the password and the chosen algorithm. Finally, there is the hybrid technique which consists of combining words in a dictionary with word mangling rules.

With that being said let’s go over the steps needed to perform this attack against the Blockchain hash160 hashes using a dictionary. This is done in 6 steps:

  • Bootstrap the Blockchain.
  • Parse the Blockchain by running Blockparser and get allBalances.
  • Extract hash160 strings.
  • Create a Bloomfilter.
  • Run BrainFlayer with your favorite dictionary.
  • Use Addressgen to generate key pair.

First step is to bootstrap the blockchain. To perform this, we need to download, install and run the bitcoin software on a system connected to the Internet. The system then becomes a node and part of the peer-to-peer blockchain network. The first task performed by the node is to download the entire database of records i.e., the public transaction ledger and verify it using the transaction engine. In other words, the node downloads the entire blockchain and verifies the validity of all blocks by performing a series of checks   This needs a lot of bandwidth and computing power. As I write this the Blockchain size is 90.633 Gb and contains 438556 blocks. The data contains every transaction that has been made in the blockchain since the genesis block was created on the 3rd of January 2009 at 18:15:05 GMT. To download the entire Blockchain, took me more than 72 hours . The image below illustrates the steps needed to perform the download, installation and running the bitcoin software.

installbitcoin

Then, the picture below illustrates the steps needed to perform the configuration and running the bitcoin software. You can view the progress by executing the getblockchaininfo command and check the number of blocks that have been already downloaded.

runbitcoin

After downloading the entire Blockchain we move into the second step. Parse the Blockchain.  The tool to perform this heavy lifting exercise is called Blockparser and is a powerful utility, open source, written in C++ that was created by Znort987. The tool doesn’t seem to be maintained anymore but is still able to perform its work. When blockparser performs the parsing, it creates and keeps the index in RAM which means with the current size of the blockchain you need enough RAM to be able to parse it in reasonable amount of time. The tool can perform various task but for this exercise we are interested in the allBalances command. To perform the parsing, I used a system with 64 GB ram and the process was smooth. I tried it on a system with 32Gb and stopped it due to the heavy swapping that was happening. The allBalances produced a 30Gb text file. The image below exemplifies these steps.

blockchainparsing

Third step is to extract the hash160 addresses from the allBalances. We are interested in the hash160 because this field contains the representation of the Bitcoin public key. Below you can see the output of allBalances.

allbalances

Forth step, we create a bloom filter with the tool hex2blf which is part of the brainflayer toolkit. We also need to create a binary file containing all the hashes sorted in order to be used with the bloom filter. This will reduce the false positives.

Fifth step, we launch brainflayer using our favorite dictionary against the bloom filter file we generated in the previous step. If there is a match you will see the password or passphrase and the corresponding hash. In the output of cracked password you could see C or U in the second column. This is to indicate if the key is Compressed or Uncompressed. In the below image you can see these steps.

brainflayer

Sixth step and last step is to create the Elyptic Curve key pair using the known password or passphrase. This can be done using the tool Addressgen created by sarchar. Addressgen is a utility written in Python 3 to generate private keys and their corresponding addresses using secp256k1. This utility will allow you to generate the ECDSA key pair which can be used to take over the wallet.

generateaddress

Financial gain is a significant incentive to have people performing all kinds of activities in order to attempt to steal your coins. If you are interested in attacks against the Blockchain I would suggest looking at the different papers created by the professor Dr. Nicolas Courtois and available on his website. On a different note, there are other researchers that are brute forcing the entire bitcoin private key keyspace in order to find private keys for addresses that have funds. There is one project that has the code name Large Bitcoin Collider which is a distributed effort with a pool where people can contribute computing power. The thread on Bitcointalk forum is quite interesting and the author has the following aim for this project: “allow the Bitcoin community to actually have a better shot at risk assessment of this threat vector. Right now, the math says the danger is negligible. Should there at some point be evidence or indication of the contrary, then it’s still better to have a project like this for analysis/experimentation of this concrete attack vector”. The author also writes that the project is a derivative of brainflayer and supervanitygen. Moreover, brainflayer can also perform brute force attack, sequentially against the entire private key space. This would be unfeasible to perform in a reasonable time frame but better to view the talk “Stealoing Bitcoin with Math – HOPE XI” given by Fillippo Valsorda and Ryan’s where among other things they show how quick brain wallets get drained, attacks against newer Brainwallet implementations and other attacks against Eliptic Curve Digital Signature Algorithm (ECDSA).

 

References:
Mastering Bitcoin – Unlocking Digital Cryptocurrencies by Andreas M. Antonopoulos

Tagged , , , ,

The ABC’s of a Cyber Intrusion

IntrusionNowadays, in corporations of any size and maturity level, I believe the success of many of the initial compromise and follow up actions is based on three variables. First, a well-crafted phishing email, either with a weaponized document or malicious link. Second the ability of the malicious email/link to circumvent the multitude of expensive filters that are layered throughout the network boundary and reach to the endpoint. Third, a well-intentioned employee making mistakes.  If these three conditions are met then the threat actor is likely to establish a foothold inside the corporate network.  Of course the conditions for the second and third variable to be met are likely outside of the attacker control and depends on many factors that can impact the success of the exercise. For example, two questions that might be relevant to determine how hard would be for a threat actor to get in, are: How well optimized, tuned and monitored is the deployed security technology? How well behaved and trained are the corporate users about the different types of threats?

Nevertheless, a threat actor that has strong technical capabilities can shift tactics and compromise websites that are related to your business and instead focus on a watering hole attack. This might remove the third variable from the equation.

Once the threat actor(s) got in, he will likely perform internal recon to find assets and data of interest. To collect this information he needs a toolbox. More often than the defenders would like the attackers are using Windows native tools to perform their actions. However, many times to be able to access more resources within the environment they deploy their own tools which sometimes are legitimate sysadmin tools – like SysInternals Suite. Normally, these tools are moved into the environment using the same channel that has been used to establish foothold. The toolbox might consist in exploit(s), credential theft tool(s), utilities to (de)compress and encrypt data and other utilities or scripts.

After having their toolbox deployed – normally referred as staging phase – is common that they start enumerating and mapping the environment. The initial collection might consist of information about the users, their roles, the enforced password policies, the workstations and server names. To do this the threat actor only needs to query the Domain. By Domain I mean the Active Directory which is likely present in any corporate network environment. In a very simple manner the Active Directory is a directory that can be easily queried just like someone would query any other directory such as the yellow pages. Just by executing the net.exe command on a command prompt the attacker can dump all the users, service accounts and which users and service accounts belong to which groups. This information is of great value and become very useful when the attacker is moving laterally. In addition, this information can be complemented by gathering which users are logged on a particular system using the query.exe command. Furthermore, the attacker can leverage powerful Windows Management Instrumentation Command Line (wmi.exe) and PowerShell techniques to increase his capabilities to collect even more information about the Domain. This can all be done with a non-privileged account.

Then, provided with all this rich information the threat actor can start expanding his territory and move laterally. How would he do that? Well, in fact you could be thinking about using the latest 0-day or a novel exploit technique but in today’s corporate networks sometimes the attacker doesn’t need this. Why? Well, many times the weakness of corporate networks is processes and people. For example, the persons that have the keys to the domain such as sysadmins are likely to be a target. The sysadmins are persons with a day job, a pile of tasks to perform and many times part of an understaffed team. Moreover, their goal is likely not security but availability of the services, minimum disruption to the business and at the end of the day a job well done that satisfy the business needs.

Consider the scenario that exists in most corporate networks when someone raises a ticket into helpdesk. Or some endpoint maintenance or action needs to be performed by a sysadmin. Many times the administration of the workstations is done by sysadmins that connect to the endpoint and authenticate using domain credentials that have privileged accounts. This will make their credentials exposed because when the user logs on interactively, Windows will cache the user password in memory. Perhaps, here we have a problem with the processes and not with technology. A privileged domain account should never login into a workstation. Other scenario that is problematic is the management of service accounts. Many times privileged service accounts are used for all type of services. This means the credentials of the service accounts are exposed and can be retrieved by an attacker with local access to the system. Therefore, service accounts should be managed prudently and more important a common mistake is to allow service accounts to login interactively. The scope of service accounts should be limited and, perhaps, here we have another process issue, service accounts should never be used to logon interactively. Another common challenge is that internal network segregation is often not the same as the perimeter leaving services and servers exposed to direct access from the workstations. These are some of the common challenges that are difficult problems to solve and where many times convenience wins and technology alone is not likely to overcome.

What is the impact of this? If a threat actor manages to get a foothold inside an environment that relies on practices such as the ones described previously, then he can access a variety of credentials. The captured credentials will depend on the technique and hardening settings of the endpoint used and are either in a form of a hash, ticket or clear text. This can be accomplished using tools such as Windows Credential Editor, Mimikatz, Gsecdump or AceHash. Won’t antivirus detect these tools? Likely, when they are used off the shelf but not when they are customized. Furthermore, more often than we would like, the internal network segregation is simple and not designed to prevent attacks. This means the attacker can enumerate services at will and leverage the gathered credentials to logon into servers. This step is a game changer!

If the attacker has credentials that can be used to login into your Servers and Domain Controllers then is likely game over. For example he could create a persistence and unnoticed backdoor just by setting a registry key that will use the cmd.exe as a Debugger for tools like sethc.exe (Sticky Keys) and osk.exe (On-screen keyboard). Or even worse he could easily steal the Active Directory database (ntds.dit). Even though the database is not accessible via user mode API’s the threat actor can leverage different techniques such as Volume Shadow copy, Powershell offensive framework like PowerSploit or use a forensic tool that is able to read low level NTFS. With a copy of the Active Directory database the threat actor can perform an offline attack using tools like Impacket secredumps to extract all the credentials. If the threat actors have the keys to the kingdom they will likely be undetected for quite some time and might start using the same egress points as your remote access users. How many VPN users do you have that are in the exception list of not having 2nd factor?

From an IT point of view this will mean your network would be in the worst state possible and your most plausible solution, among other things, is to rebuild the workstations, servers and potentially go over the painful task of having to rebuild the entire Active Directory forest. Now, this will be expensive however, it’s not impossible and the organization will survive. But, if the attacker also gets access to the servers that hold the organization critical information, valuable data, and intellectual property that would make the business leaders tremble. The financial direct or indirect losses of a security incident can be significant. The reputational damage can be difficult to assess and the disruption of critical systems on heavy regulated industry can have significant consequences.

Multi-stage, multi-faceted attacks are here to stay. The tools and technique will evolve and become more sophisticated than ever. The threat actors behind the attacks will try to become stealthy and remain under the radar.  However, on the other side of the fence we have the defenders. Which I believe can have a big impact on detecting and preventing the threat actors mission. If the detection only occurs after the fact then they can respond and stop the bleeding and limit the damage. But before they do this the organizations should get the basics right. It can take time and is never too late. A good starting point is to choose a framework such as the SANS TOP 20 Critical Controls. Use it as a reference for building, designing, deploying and adopt security controls and measure the security posture of your organization. Then move on from there to build more advanced capabilities!

Tagged , , ,

Dridex Black Friday

Last October different law enforcement agencies orchestrated a takedown of the Dridex Botnet. However, the threat actors behind Dridex spam runs seem stronger than ever. The resurrection of Dridex after the announced take down has been ferocious. During the last Black Friday in our spam traps we observed at least four different phishing campaigns delivering Dridex. Each campaign was carefully crafted in order to lure the users to open the malicious documents. The creativity of the threat actors is captivating. The below picture illustrates one of these emails that is supposedly sent from the well-known rent-a-car company AVIS. The email contains a Microsoft Office document attached that contains malicious macros on it.

blackfridayemail2

Another one was an email supposedly sent from Bruce Sharpe from the Industrial Pump Supplier Aline Pumps in Australia. According to the social network zoominfo Bruce Sharpe exists and is an account manager in the company. The subject was Tax Invoice and once again the email contained a Microsoft Office document attached with malicious macros.Other one was an email sent from Ivan Jarman from SportSafe UK. The company is a global provider of sports equipment. This time the subject was Invoice and the email contained a Microsoft Office document attached with malicious macros. The last one was an email from the company Integrated Petroleum Services. According to the website one key location is Equatorial Guinea and the emails supposedly come from there. The subject this time was Transfer and the email contained a Microsoft Office document attached with malicious macros. As bonus the footer will mention the email has been scanned by the Antivirus AVAST. All documents use the same technique. Attract the user to enable macros in order to view the document contents.

blackphishingmacro

Across all the campaigns the technique is the same. All the Microsoft Office documents contain embedded macros that download a malicious executable from one of many hard coded URLs. These hard coded URLs are normally collateral victims of the operation. The encoding and obfuscation techniques used in the macros are constantly changing in order to bypass security controls.

Normally these URLs are hosted under legitimate sites that have been compromised to host the malicious file. When the macro is executed it will fetch a second stage payload from the compromised server. This payload is then saved to C:\Users\%%username\AppData\Local\Temp and then executed.

After the machine gets infected Dridex will start beaconing out to the C2 addresses. Dridex uses HTTP to encapsulate the traffic and encrypts the payload. Below an example how the first HTTP POST request made by the infected machine looks like in the network. A POST to the root folder full of gibberish.

blackcnctraffic

From this moment onward the malware is capable of stealing all kinds of credentials from the victim’s computer. It can also redirect victim’s traffic to sites controlled by the threat actors using man-in-the-browser functionality. This allows interception and manipulation of traffic that is supposed to be delivered to legitimate sites. Dridex has remote access functionality that allows the threat actor to connect to websites trough the victim computer.

Phishing campaigns that distribute commodity malware are common and ongoing problem for end users and corporations.E-mail continues to be the weapon of choice   for mass delivering malware. The tools and techniques used by attackers  continue to evolve and bypass all the security controls in place. From a defense perspective, the US-CERT put together excellent tips for detecting and preventing this type of malware and to avoid scams and phishing attempts applicable to home users and corporations.

Tagged , , ,

Hacking Team – Arsenal of Cyber Weapons

hackingteam5Following my last post regarding the Hacking Team breach there are two topics that deserve their own article.First, all the information about how the zero day and exploit acquisition market works with real facts. Second, the treasure trove of zero day exploits and tools that appeared as a consequence of the leak. Let me write two paragraphs about the first and then the second will follow.

Details how the deals were done and some of the companies operating on this market have been leaked. For example the CVE-2015-0349  exploit code has been bought by the Hacking Team for 45k USD to a Russian security researcher. A great summary on how this deal was made is here and worth reading. It references all the exchanged e-mails between the company and the researcher. Another good article from Wired here.

At the moment, the best compilation about how the exploit acquisition market works was made by Vlad Tsyrklevich who wrote a great write-up summarizing all information that has been leaked. It covers the deals, vendors, exploit costs and references the original emails. Among the different  security brokers that were doing business with Hacking Team, Netragard came to public and announced the shut down of its exploit acquisition program.  On another article Vlad wrote about an exploit catalog from December 2014 that contains references to many unknown vulnerabilities. With this information a spike in hunting these unknown vulnerabilities has started by the good and the bad guys.

Now, the main topic of this article. As of this writing the arsenal of cyber weapons that Hacking Team had at their disposal:

  • Microsoft OpenType Font Driver Vulnerability (CVE-2015-2426)

Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows from Vista SP2 to Windows 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka “OpenType Font Driver Vulnerability.”

Details have been posted by Trend Micro here:

“Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE).  By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification. The vulnerability can allow attackers remote control over the affected system.”

The exploit was originally developed by Eugene Ching from Qavar Security. It’s also available on GitHub here.

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-078 contains a patch for it.

  • Microsoft Internet Explorer 11 jscript9.dll Use-After-Free Vulnerability (CVE-2015-2425)

This zero-day vulnerability is a just-in-time (JIT) function UAF (Use-After-Free) vulnerability in jscript9.dll, specifically in the MutationObserver object. Details have been posted by Vectra Networks here

“The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability. While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.”

and by TrendMicro here

“Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.Only Internet Explorer 11 is affected, as the older versions of the browser do not support this feature.”

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-065: Security Update for Internet Explorer (3076321) contains a patch for it.

  • Windows Adobe Type Manager Privilege Escalation Vulnerability (CVE-2015-2387)

This vulnerability allows privilege escalation. Details about it on CERT.org

“Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts. Note that exploit code for this vulnerability is publicly available, as part of the HackingTeam compromise. We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit.”

Details have been posted by Trend Micro here

” The vulnerability exists in the OpenType manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism.”

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-077 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) contains a patch for it.

  • Adobe Flash ActionScript 3 BitmapData Use-After-Free Vulnerability (CVE-2015-5123)

Critical vulnerability (CVE-2015-5123) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by Trend Micro here.

“Another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) has surfaced from the HT leak. This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited.  It affects all versions of Adobe Flash in Windows, Mac, and Linux”

Adobe worked to release a patch asap and the  Security Advisory for Adobe Flash Player (APSA15-04)  and Security updates available for Adobe Flash Player (APSB15-18) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 opaqueBackground Use-After-Free Vulnerability (CVE-2015-5122)

Critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by FireEye here:

The HackingTeam leak already resulted in the public disclosure of two zero-day vulnerabilities this week. One of the vulnerabilities, CVE-2015-5119 in Adobe Flash, was quickly adopted by multiple groups and used in widespread attacks. FireEye Labs identified a PoC for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT to the issue.

Details have been posted by Trend Micro here:

“Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 18.0.0.203).”|

More details by Zscaler here. Malware Don’t Need Coffee saw them being used in the wild across 5 different exploit kits – Rig, Neutrino, Magnitude Nuclear Pack, Null Hole.

Adobe worked to release a patch asap and the  Security Advisory for Adobe Flash Player (APSA15-04)  and Security updates available for Adobe Flash Player (APSB15-18) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 ByteArray Use-After-Free Vulnerability (CVE-2015-5119)

Details have been posted by Zscaler here

“CVE-2015-5119 exploit payload that we have now seen in the wild. The sample has multiple layers of obfuscation and packer routines. The malicious Flash payload is packed, XOR’ed and stored as a binary data inside a parent Flash file that dynamically unpacks a malicious Flash file and writes it to memory at run time.”

Malware Don’t Need Coffee saw the exploit being used in the wild before being patched across 7 different exploit kits.

Adobe worked to release a patch asap and the Security Advisory for Adobe Flash Player (APSA15-03) and Adobe Security Bulletin (APSB15-16) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player.

  • Adobe Flash Player Integer Overflow (CVE-2015-3087)

An integer overflow vulnerability that could lead to code execution. Adobe patched this vulnerability under the Security Advisory for Adobe Flash Player (APSP15-09).

  • Adobe Flash Player Use-After-Free Vulnerability (CVE-2015-0349)

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors

Trend Micro posted details here. “One of the Flash Player vulnerabilities found in the HT dump is believed to be CVE-2015-0349 which was patched by Adobe in April 2015”

Adobe Security Bulletin (APSB15-06) contains a patch for it.  Patched Adobe Flash version is 17.0.0.169

  • Android Fake “BeNews” App

Trend Micro posted details here:

“We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This is following news that iOS devices are at risk of spyware related to the Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.”

  • Android Spying Tool 

Feature rich surveillance software for Android. It leverages CVE-2014-3153, CVE-2013-6282, CVE-2012-2825 and CVE-2012-2871 to perform the desired functionality.

Trend Micro posted details here

Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets. (Researchers have been aware of this suite as early as 2014.)

Collin Milliner a security researcher has posted his frustration when finding that Hacking Team reused is open source code.

  • Rootkit for UEFI BIOS

Details posted by Trend Micro here:

“The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.”

And a great write-up by Intel Advanced Threat Research here

“The leaked source code goes beyond a research proof-of-concept, revealing a commercial rootkit platform called “]HackingTeam[ UEFI Vector” and using real attacks as a part of Hacking Team’s RCS malware platform. According to the leaked code and emails, this hacking platform may have already been already sold to some HackingTeam customers. Some of the emails point to specific modes on which the persistent rootkit was tested. Both “agent” and “soldier” are the names of trojan horse applications also found in the leaks. The rootkit reinstalls these applications automatically, from infected firmware”

 

Tagged , ,

Hacking Team Breach Summary

[The news on Twitter, on the media, and across the infosec community in the last days have been fascinating to due to the revelations from the Hacking Team breach. Details about how the company operates,  information about espionage and surveillance, zero days exploit catalogs, all the secrets and drama make this story ready for someone to write a book about it. Because I was on vacations while all this happened, I decided to write a short summary about it in order to catch-up. LR]

Sunday night, 5th of July, news started making the rounds about 400Gb of data stolen from the notorious Italian surveillance software company Hacking Team. With a quite epic start, the person behind the attack – someone that goes by the name Phineas Fisher – hijacked the company twitter account, changed the handler from Hacking Team to Hacked Team and posted the following message: “Since we have nothing to hide, we are publishing all our emails, files, and source code” with a torrent link to download the data.

hackingteam1

Shortly after, on the same twitter handle, print screens about the leaked data started to disseminate internal company emails, their clients and operating procedures. This continued for at least half day. Some hours later their list of clients have been posted on Pastebin revealing some questioning relationships with  countries known for human rights violations.  The company has been subject to criticism several times over the past years regarding the unethical sale of surveillance tools. CitizenLabs and Reporters Without Borders were organizations that went vocal in the past regarding their questionable practices. That known, the news were expected to have a lot of attention by the media, journalists, activists and others.

Meanwhile, as this was not enough, one of the companies employees Christian Pozzi came publicly to support the company. Unfortunately for him, his personal passwords were on the massive amount of data leaked. Worse was that the quality of the passwords were weak and moments after his initial twitter post, his twitter account got hijacked as well and his passwords posted online and twitted.

hackingteam3

Following, when people all over the world started to get their hands on the torrent file all kinds of confidential information started to arise. Sales revenue, contracts, budgets plans, agreements, emails, operating manuals, configuration files, source code, zero day exploit catalogs, and all kind of business and technical information started to be on the internet. Wikileaks indexed and made searchable all their emails.

The days after the breach have been quite revealing due to their software and capabilities – their main business is security services and tools to governments and law enforcement organizations – specially for the information security community due to the number on unknown zero day vulnerabilities exposed and their surveillance software. But, on the other hand, the criminals soon started to use the source code and exploits on spear phishing campaigns and the Neutrino and Angler exploit Kits started to leverage the Flash 0 days while Adobe and Microsoft were working on releasing patches. This topic deserves a post on its own and I will write a summary about it soon.

As expected, the company started to investigate who has been behind the breach. According to Reuters Italian prosecutors are investigating six former employees. Ars Technica also reports this here.

In the last days, Eric Rabe and David Vincenzetti, Hacking Team Chief Communications Officer and CEO respectively, have been quite brave and their twitter handler continues to post updates. On the company website there were several news released about this topic. Among other things they seem to have requested all their clients to suspend their operations and asked the Anti Virus companies to start detecting their software. hackingteam2

Phineas Fisher who claims to be the actor behind the breach used his dormant twitter account writing that he will released the details on how the company got hacked. Stay tuned!

Tagged

Your data has been taken hostage!

ransomwareOn December 1989, several thousand diskettes labeled “AIDS Information – Introductory Diskette Version 2.0” were delivered to users around Europe luring the users to install a software that contained information about AIDS/HIV claimed to come from PC Cyborg Corporation. After installing the software the trojan horse would start encrypting sections of the hard drive using substitution ciphers.  Following a reboot a message would be shown to the user that the software license had expired and the user would need to send 189$ to a post box in Panama to get his files back.  This was the first extortion based attack relying on cryptography. Not long after a decryption routine was made available to help users get their files back. This was possible because the trojan horse relied on weak symmetric encryption [1].

Malicious cryptography evolved and back in 1996, Adam Young and Moti Yung published a paper on the 17th IEEE Symposium named Cryptovirology: Extorsion based security threats and countermeasures. A influential paper that presented the idea of cryptovirology and demonstrated the offensive side of cryptography using asymmetric encryption. One of the offensive method described in the paper consists of an extortion based attack that will result in loss of access to information.   This is accomplished by the cryptovirus:  A cryptovirus (cryptotrojan) is a computer virus (Trojan horse) that uses a public key generated by the author to encrypt data that resides on the host system, in such a way that can only be recovered by the author of the virus (assuming no fresh backup exists).  Years after, the security industry started to see more of this type of extortion based attacks such as the GpCode trojan initially seen in 2004 by security software company Kaspersky. Some variants claimed to be using strong asymmetric algorithms such as RSA but they used weak algorithms allowing researchers to retrieve the users files.  Michael Ligh had a nice write up on one of these variants here and more recently the security researcher XyliBox also dissected one of these samples.

Last year and this year the security industry saw a uptick in malware connoted as ransomware such as variants of Cryptolocker, CryptoDefense and Cryptowall. Dell SecureWorks Counter Threat Unit have great write up here and here about these threats. These extortion based attacks gained popularity due to its spread using effective phishing campaigns – check Brian Krebs on Operation Torvar – and new techniques relying on strong encryption to make your most important files useless. New variants of ransomware even take advantage of asymmetric cryptographic protocol ECDH – Elliptic curve Diffie–Hellman.  Essentially the files are encrypted with a symmetric key and this key is then encrypted with a public key which can only be decrypted by a private key belonging to the attacker. To get this key the users are persuaded to pay a bounty using virtual currencies such as Bitcoin. The security company Bromium recently published an interesting analysis report about the crypto malware families seen in the past 18 months.

What can you do? The most effective defense against these type of threats is to have proper backups. This type of malware has the capability to encrypt any attached storage such as USB drives or network drives – make sure you do your backups and keep that external drive disconnected. You back up your data once a day, right? at least weekly? maybe monthly? For enterprises the tools and processes used to backup and restore information in a timely manner need to be in place. Please note that Windows has a feature called Volume Shadow Copy that allows you to restore files to their previous state however the newer variants of this malware delete shadow copies and disable the service prior to encrypting the files.

Other things can be done, like educating users to not open attachments or links in emails from unknown senders and be suspicious about unexpected attachments and links from known senders. Also make sure to keep your software updated. Other techniques might include hardening your system using Microsoft AppLocker to introduce software whiltelisting.

[1] Szor, Peter (2004) The Art of Computer Virus Research and Defense. Addison-Wesley

Tagged , , , , , , , ,

2014 – Campaign’s of Cyber Espionage

apt-reports-1[In the article below, a summary of publicly disclosed cyber espionage campaigns released during 2014.  An interesting read for those in the information security field.~Luis]

In January 2014 security software vendor Symantec published a report about a campaign of attacks that targeted the energy sector. The report Targeted Attacks Against the Energy Sector. According to Candid Wueest : The energy sector has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide. Companies in the sector are facing a growing risk of having their services interrupted or losing data.

In February 2014, Russian security software vendor Kaspersky released a report describing a series of attacks observed against 31 countries. The code named they used to refer to the incidents was Careto.  Unveiling “Careto” – The Masked APT. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules.

During the same month the security company Trend Micro released its findings about the Russian underground. This report Russian Underground Revisited is the second part of a report that was initially released in 2012 which provided a summary on the underground market. Places in the Internet where cybercriminals converge to sell and buy different products and services exist. Instead of creating their own attack tools from scratch, they can instead purchase what they need from peers who offer competitive prices.

A few months later, Symantec described a series of attacks mainly against energy sector companies.  Dragonfly: Cyberespionage Attacks Against Energy Suppliers A cyber espionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries.

June was  the month when the security company Crowdstrike released its findings about campaign code named Putter Panda.  CrowdStrike has been tracking the activity of a cyber espionage group operating out of Shanghai, China, with connections to the People’s Liberation Army Third General Staff Department (GSD) 12th Bureau Military Unit Cover Designator (MUCD) 61486, since 2012.

In July, another report from Kaspersky came forward. This time with the code name Energetic Bear more like a Crouching Yeti . Kasperspky also release an appendix containing IOCs.  Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010.

A report issued by CrowdStrike described sophisticated attack against a large Fortune 500 company, Campaign code name Deep Panda. In late December 2011, CrodwStrike received three binary executables files that were suspected of having been involved in a sophisticated attack against a large Fortune 500 company. The files were analyzed to understand first if they were in fact malicious, and the level of sophistication of the samples.

Noteworthy, a report released by the company AIRBUS Defence & Space with the code name Operation Pitty Tiger – “The Eye of the Tiger”. This report contained information on a group of APT attackers known as “Pitty Tiger”. This information comes directly from investigations led by our Threat Intelligence. Pitty Tiger is a group of attackers that have been active since at least 2011. They have targeted private companies in several sectors, such as defense and telecommunications, but also at least one government.

Key findings about a campaign code named  The Epic Turla Operation was released in August by Kaspersky. This was the result of 10 months of investigation on attacks against more than 45 countries. The company also released an appendix with  IOCs. Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call “Epic Turla”. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies. The attacks are known to have used at least two zero-day exploits.

Operation Arachnophobia was the code name for a campaign released by the company ThreatConnect working in collaboration with Fireeye. We first discovered a suspected Pakistani threat group in 2013, and have since followed their activity and found new observations and insight into the group and its tactics that we call, “Operation Arachnophobia”.Working in collaboration with FireEye Labs, the TCIRT team has discovered evidence pointing to this groups continued exploitation operations using custom malware, dubbed BITTERBUG by FireEye.

In October iSIGHT Partners released the details of a campaign code named Sandworm . A report that disclosed the usage of a 0 day vulnerability used against Western governments, NATO and the Ukrainian government. in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th  – CVE-2014-4114.Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia.

During the same month the security software company Sophos released a report code named  The Rotten Tomato Campaign . Gabor Szappanos, of SophosLabs Hungary, writes an interesting dive into the world of the attackers, examining the malware used by cybercriminals in these attacks, and shows how several different groups used the same zero-day Microsoft Word exploit.

A series of attacks targeting companies in the Defense Industry was code named Operation Death Click and released by Invincea. Most targeted attacks against organizations originate as spear-phish campaigns or watering hole style web driveby attacks. Within the last six months, Invincea has discovered and stopped targeted malvertizing attacks against specific companies — particularly those in the Defense Industrial Base.

A large scale effort that targeted Fortune 500 companies code named  Operation SMN : Axiom Threat Actor Group Report was disclosed by the software analytics company Novetta. The company also released extra resources varying from static analysis of the malware to yara signatures. Axiom is responsible for directing highly sophisticated cyber espionage operations against numerous Fortune 500 companies, journalists, environmental groups, pro-democracy groups, software companies, academic institutions, and government agencies worldwide for at least the last six years.

The Italian firm Tiger Security disclosed details about Operation Distributed Dragons Although it is no news that the way of performing attacks continuously changes shape and form, since January 2014 there has been evidence of a new “breed” of Chinese DDoS attacks based on the breach of Linux servers, whose objectives are not completely clear but significantly different from the approach so far experienced.

A series of incidents targeting United States and its allies using spear-phishing tactics was released by TrendMicro  – Operation Pawn Storm – Using Decoys to Evade Detection. Operation Pawn Storm refers to economic and political espionage attacks instigated by a group of threat actors primarily targeting military, embassy, and defense contractor personnel from the United States and its allies.

The German security software company G Data Software published the details about OPERATION “TOOHASHThe experts of G DATA’s SecurityLabs discovered a cyber-espionage campaign that perfectly exemplifies the way how targeted attacks work. The purpose of this campaign was to steal valuable documents from the targeted entity. We entitle this operation “TooHash”.

Still in October the security software vendor Fireeye published a report about a campaign of attacks that targeted the energy sector. APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? In this paper we discuss a threat group whose malware is already fairly well-known in the cybersecurity community. This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information.

Last week the details about a campaign code named The Dark Hotel APT were released by Kaspersky . Facts about attackers that have been active for at least seven years, conducting targeted strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and other mechanisms. The company also released an appendix with IOCsThe Darkhotel APT is a threat actor possessing a seemingly inconsistent and contradictory set of characteristics, some advanced and some fairly rudimentary.

Tagged , ,