Category Archives: Security Essentials

Blockchain & Brainwallet cracking

img_1293The blockchain is the underlying technology that enables the bitcoin cryptocurrency to exist. A foundational component of this technology is its complex cryptosystem. The blockchain cryptosystem relies on public key algorithms based on Elliptic Curve and message digest functions like SHA-256 and RIPEMD-160. When you create a bitcoin wallet, under the hood you are creating an Elliptic Curve key pair based on Secp256k1 curves. The key pair has a private key and a public key. The private key is the one you keep secret and allows you to sign transactions. For example, when you send bitcoins to someone, you are signing this transaction with your private key and then you announce it to the network. The miners will pick up your transaction and verify that the transaction signature is valid and broadcast to the network until enough miners have validated the transaction and thus achieving consensus. The checks and balances of the Blockchain ledger are updated and when consensus is achieved, your transaction is written in “digital stone”.

On the other hand, the public key is the one used to create your bitcoin wallet address. The public key allows you to receive bitcoins. However, your bitcoin wallet address is not your raw Elliptic Curve public key There are additional steps performed in order to create an address. First, a digital representation of your public key is computed using SHA-256 followed by RIPEMD-160. Second, a byte with network id is prepended to this string. Third, a checksum of this string is computed by performing SHA-256 twice. From these results the first 4 bytes are appended to the string produced in second step. This string is encoded in Base58 and this is your bitcoin wallet address. The picture below illustrates this steps in a non-automated way.

generatebitcoinaddr

There are many forms to store your bitcoins as well as to create wallets. One of the early methods to create bitcoin wallets was known as brain wallets. Unfortunately, this user-friendly method allowed you to enter a password or passphrase which was then hashed using an algorithm such as SHA-256 and used as seed to generate your private key. Due to its popularity and easy usage, many Brain wallets were used in the last few years with weak passwords or passphrases, transforming the Blockchain wallet address hashes in password or passphrases representation of your private key. This weak way of generating your private key allowed attackers to steal your bitcoins just by doing password cracking against the hashes stored in the Blockchain.

Although, this attack has been known for years,  it only got widely known recently due to the work made by Ryan Castellucci. Ryan’s released on 7th August 2015 at DEFCON 23 the results of his work cracking brain wallets in conjunction with a tool called BrainFlayer : A proof-of-concept cracker for cryptocurrency brain wallets and other low entropy key algorithms. You can view Ryan’s talk here.  Two months after Ryans’ initial release of BrainFlayer, he released a faster version. This was the result of the work done by Nicolas Courtois, Guangyang Song from
International Association for Cryptologic Research (IACR), University College London, and Ryan’s to optimize the speed of computing secp256k1 bitcoin elliptic curve. This has been detailed in the paper Speed Optimizations in Bitcoin Key Recovery Attacks.  Furthermore, this year at the Financial Cryptography and Data Security conference, Marie Vasek presented another article The Bitcoin Brain Dain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets. This paper published the results of evaluating 300 billion passwords against Blockchain hashes and their findings about 884 brain wallets that had funds at a given time, suggesting they might have been drained by active attackers.

So, how do you perform such attack?

The attempt to recover a password just by knowing its encrypted representation can be made mainly using three techniques. Dictionary attacks, which is the fastest method and consists of comparing the dictionary word with the password hash. Another method is the brute force attack, which is the most powerful one but the time it takes to recover the password might render the attack unfeasible. This is of course dependable on the complexity of the password and the chosen algorithm. Finally, there is the hybrid technique which consists of combining words in a dictionary with word mangling rules.

With that being said let’s go over the steps needed to perform this attack against the Blockchain hash160 hashes using a dictionary. This is done in 6 steps:

  • Bootstrap the Blockchain.
  • Parse the Blockchain by running Blockparser and get allBalances.
  • Extract hash160 strings.
  • Create a Bloomfilter.
  • Run BrainFlayer with your favorite dictionary.
  • Use Addressgen to generate key pair.

First step is to bootstrap the blockchain. To perform this, we need to download, install and run the bitcoin software on a system connected to the Internet. The system then becomes a node and part of the peer-to-peer blockchain network. The first task performed by the node is to download the entire database of records i.e., the public transaction ledger and verify it using the transaction engine. In other words, the node downloads the entire blockchain and verifies the validity of all blocks by performing a series of checks   This needs a lot of bandwidth and computing power. As I write this the Blockchain size is 90.633 Gb and contains 438556 blocks. The data contains every transaction that has been made in the blockchain since the genesis block was created on the 3rd of January 2009 at 18:15:05 GMT. To download the entire Blockchain, took me more than 72 hours . The image below illustrates the steps needed to perform the download, installation and running the bitcoin software.

installbitcoin

Then, the picture below illustrates the steps needed to perform the configuration and running the bitcoin software. You can view the progress by executing the getblockchaininfo command and check the number of blocks that have been already downloaded.

runbitcoin

After downloading the entire Blockchain we move into the second step. Parse the Blockchain.  The tool to perform this heavy lifting exercise is called Blockparser and is a powerful utility, open source, written in C++ that was created by Znort987. The tool doesn’t seem to be maintained anymore but is still able to perform its work. When blockparser performs the parsing, it creates and keeps the index in RAM which means with the current size of the blockchain you need enough RAM to be able to parse it in reasonable amount of time. The tool can perform various task but for this exercise we are interested in the allBalances command. To perform the parsing, I used a system with 64 GB ram and the process was smooth. I tried it on a system with 32Gb and stopped it due to the heavy swapping that was happening. The allBalances produced a 30Gb text file. The image below exemplifies these steps.

blockchainparsing

Third step is to extract the hash160 addresses from the allBalances. We are interested in the hash160 because this field contains the representation of the Bitcoin public key. Below you can see the output of allBalances.

allbalances

Forth step, we create a bloom filter with the tool hex2blf which is part of the brainflayer toolkit. We also need to create a binary file containing all the hashes sorted in order to be used with the bloom filter. This will reduce the false positives.

Fifth step, we launch brainflayer using our favorite dictionary against the bloom filter file we generated in the previous step. If there is a match you will see the password or passphrase and the corresponding hash. In the output of cracked password you could see C or U in the second column. This is to indicate if the key is Compressed or Uncompressed. In the below image you can see these steps.

brainflayer

Sixth step and last step is to create the Elyptic Curve key pair using the known password or passphrase. This can be done using the tool Addressgen created by sarchar. Addressgen is a utility written in Python 3 to generate private keys and their corresponding addresses using secp256k1. This utility will allow you to generate the ECDSA key pair which can be used to take over the wallet.

generateaddress

Financial gain is a significant incentive to have people performing all kinds of activities in order to attempt to steal your coins. If you are interested in attacks against the Blockchain I would suggest looking at the different papers created by the professor Dr. Nicolas Courtois and available on his website. On a different note, there are other researchers that are brute forcing the entire bitcoin private key keyspace in order to find private keys for addresses that have funds. There is one project that has the code name Large Bitcoin Collider which is a distributed effort with a pool where people can contribute computing power. The thread on Bitcointalk forum is quite interesting and the author has the following aim for this project: “allow the Bitcoin community to actually have a better shot at risk assessment of this threat vector. Right now, the math says the danger is negligible. Should there at some point be evidence or indication of the contrary, then it’s still better to have a project like this for analysis/experimentation of this concrete attack vector”. The author also writes that the project is a derivative of brainflayer and supervanitygen. Moreover, brainflayer can also perform brute force attack, sequentially against the entire private key space. This would be unfeasible to perform in a reasonable time frame but better to view the talk “Stealoing Bitcoin with Math – HOPE XI” given by Fillippo Valsorda and Ryan’s where among other things they show how quick brain wallets get drained, attacks against newer Brainwallet implementations and other attacks against Eliptic Curve Digital Signature Algorithm (ECDSA).

 

References:
Mastering Bitcoin – Unlocking Digital Cryptocurrencies by Andreas M. Antonopoulos

Tagged , , , ,

The ABC’s of a Cyber Intrusion

IntrusionNowadays, in corporations of any size and maturity level, I believe the success of many of the initial compromise and follow up actions is based on three variables. First, a well-crafted phishing email, either with a weaponized document or malicious link. Second the ability of the malicious email/link to circumvent the multitude of expensive filters that are layered throughout the network boundary and reach to the endpoint. Third, a well-intentioned employee making mistakes.  If these three conditions are met then the threat actor is likely to establish a foothold inside the corporate network.  Of course the conditions for the second and third variable to be met are likely outside of the attacker control and depends on many factors that can impact the success of the exercise. For example, two questions that might be relevant to determine how hard would be for a threat actor to get in, are: How well optimized, tuned and monitored is the deployed security technology? How well behaved and trained are the corporate users about the different types of threats?

Nevertheless, a threat actor that has strong technical capabilities can shift tactics and compromise websites that are related to your business and instead focus on a watering hole attack. This might remove the third variable from the equation.

Once the threat actor(s) got in, he will likely perform internal recon to find assets and data of interest. To collect this information he needs a toolbox. More often than the defenders would like the attackers are using Windows native tools to perform their actions. However, many times to be able to access more resources within the environment they deploy their own tools which sometimes are legitimate sysadmin tools – like SysInternals Suite. Normally, these tools are moved into the environment using the same channel that has been used to establish foothold. The toolbox might consist in exploit(s), credential theft tool(s), utilities to (de)compress and encrypt data and other utilities or scripts.

After having their toolbox deployed – normally referred as staging phase – is common that they start enumerating and mapping the environment. The initial collection might consist of information about the users, their roles, the enforced password policies, the workstations and server names. To do this the threat actor only needs to query the Domain. By Domain I mean the Active Directory which is likely present in any corporate network environment. In a very simple manner the Active Directory is a directory that can be easily queried just like someone would query any other directory such as the yellow pages. Just by executing the net.exe command on a command prompt the attacker can dump all the users, service accounts and which users and service accounts belong to which groups. This information is of great value and become very useful when the attacker is moving laterally. In addition, this information can be complemented by gathering which users are logged on a particular system using the query.exe command. Furthermore, the attacker can leverage powerful Windows Management Instrumentation Command Line (wmi.exe) and PowerShell techniques to increase his capabilities to collect even more information about the Domain. This can all be done with a non-privileged account.

Then, provided with all this rich information the threat actor can start expanding his territory and move laterally. How would he do that? Well, in fact you could be thinking about using the latest 0-day or a novel exploit technique but in today’s corporate networks sometimes the attacker doesn’t need this. Why? Well, many times the weakness of corporate networks is processes and people. For example, the persons that have the keys to the domain such as sysadmins are likely to be a target. The sysadmins are persons with a day job, a pile of tasks to perform and many times part of an understaffed team. Moreover, their goal is likely not security but availability of the services, minimum disruption to the business and at the end of the day a job well done that satisfy the business needs.

Consider the scenario that exists in most corporate networks when someone raises a ticket into helpdesk. Or some endpoint maintenance or action needs to be performed by a sysadmin. Many times the administration of the workstations is done by sysadmins that connect to the endpoint and authenticate using domain credentials that have privileged accounts. This will make their credentials exposed because when the user logs on interactively, Windows will cache the user password in memory. Perhaps, here we have a problem with the processes and not with technology. A privileged domain account should never login into a workstation. Other scenario that is problematic is the management of service accounts. Many times privileged service accounts are used for all type of services. This means the credentials of the service accounts are exposed and can be retrieved by an attacker with local access to the system. Therefore, service accounts should be managed prudently and more important a common mistake is to allow service accounts to login interactively. The scope of service accounts should be limited and, perhaps, here we have another process issue, service accounts should never be used to logon interactively. Another common challenge is that internal network segregation is often not the same as the perimeter leaving services and servers exposed to direct access from the workstations. These are some of the common challenges that are difficult problems to solve and where many times convenience wins and technology alone is not likely to overcome.

What is the impact of this? If a threat actor manages to get a foothold inside an environment that relies on practices such as the ones described previously, then he can access a variety of credentials. The captured credentials will depend on the technique and hardening settings of the endpoint used and are either in a form of a hash, ticket or clear text. This can be accomplished using tools such as Windows Credential Editor, Mimikatz, Gsecdump or AceHash. Won’t antivirus detect these tools? Likely, when they are used off the shelf but not when they are customized. Furthermore, more often than we would like, the internal network segregation is simple and not designed to prevent attacks. This means the attacker can enumerate services at will and leverage the gathered credentials to logon into servers. This step is a game changer!

If the attacker has credentials that can be used to login into your Servers and Domain Controllers then is likely game over. For example he could create a persistence and unnoticed backdoor just by setting a registry key that will use the cmd.exe as a Debugger for tools like sethc.exe (Sticky Keys) and osk.exe (On-screen keyboard). Or even worse he could easily steal the Active Directory database (ntds.dit). Even though the database is not accessible via user mode API’s the threat actor can leverage different techniques such as Volume Shadow copy, Powershell offensive framework like PowerSploit or use a forensic tool that is able to read low level NTFS. With a copy of the Active Directory database the threat actor can perform an offline attack using tools like Impacket secredumps to extract all the credentials. If the threat actors have the keys to the kingdom they will likely be undetected for quite some time and might start using the same egress points as your remote access users. How many VPN users do you have that are in the exception list of not having 2nd factor?

From an IT point of view this will mean your network would be in the worst state possible and your most plausible solution, among other things, is to rebuild the workstations, servers and potentially go over the painful task of having to rebuild the entire Active Directory forest. Now, this will be expensive however, it’s not impossible and the organization will survive. But, if the attacker also gets access to the servers that hold the organization critical information, valuable data, and intellectual property that would make the business leaders tremble. The financial direct or indirect losses of a security incident can be significant. The reputational damage can be difficult to assess and the disruption of critical systems on heavy regulated industry can have significant consequences.

Multi-stage, multi-faceted attacks are here to stay. The tools and technique will evolve and become more sophisticated than ever. The threat actors behind the attacks will try to become stealthy and remain under the radar.  However, on the other side of the fence we have the defenders. Which I believe can have a big impact on detecting and preventing the threat actors mission. If the detection only occurs after the fact then they can respond and stop the bleeding and limit the damage. But before they do this the organizations should get the basics right. It can take time and is never too late. A good starting point is to choose a framework such as the SANS TOP 20 Critical Controls. Use it as a reference for building, designing, deploying and adopt security controls and measure the security posture of your organization. Then move on from there to build more advanced capabilities!

Tagged , , ,

Dridex Black Friday

Last October different law enforcement agencies orchestrated a takedown of the Dridex Botnet. However, the threat actors behind Dridex spam runs seem stronger than ever. The resurrection of Dridex after the announced take down has been ferocious. During the last Black Friday in our spam traps we observed at least four different phishing campaigns delivering Dridex. Each campaign was carefully crafted in order to lure the users to open the malicious documents. The creativity of the threat actors is captivating. The below picture illustrates one of these emails that is supposedly sent from the well-known rent-a-car company AVIS. The email contains a Microsoft Office document attached that contains malicious macros on it.

blackfridayemail2

Another one was an email supposedly sent from Bruce Sharpe from the Industrial Pump Supplier Aline Pumps in Australia. According to the social network zoominfo Bruce Sharpe exists and is an account manager in the company. The subject was Tax Invoice and once again the email contained a Microsoft Office document attached with malicious macros.Other one was an email sent from Ivan Jarman from SportSafe UK. The company is a global provider of sports equipment. This time the subject was Invoice and the email contained a Microsoft Office document attached with malicious macros. The last one was an email from the company Integrated Petroleum Services. According to the website one key location is Equatorial Guinea and the emails supposedly come from there. The subject this time was Transfer and the email contained a Microsoft Office document attached with malicious macros. As bonus the footer will mention the email has been scanned by the Antivirus AVAST. All documents use the same technique. Attract the user to enable macros in order to view the document contents.

blackphishingmacro

Across all the campaigns the technique is the same. All the Microsoft Office documents contain embedded macros that download a malicious executable from one of many hard coded URLs. These hard coded URLs are normally collateral victims of the operation. The encoding and obfuscation techniques used in the macros are constantly changing in order to bypass security controls.

Normally these URLs are hosted under legitimate sites that have been compromised to host the malicious file. When the macro is executed it will fetch a second stage payload from the compromised server. This payload is then saved to C:\Users\%%username\AppData\Local\Temp and then executed.

After the machine gets infected Dridex will start beaconing out to the C2 addresses. Dridex uses HTTP to encapsulate the traffic and encrypts the payload. Below an example how the first HTTP POST request made by the infected machine looks like in the network. A POST to the root folder full of gibberish.

blackcnctraffic

From this moment onward the malware is capable of stealing all kinds of credentials from the victim’s computer. It can also redirect victim’s traffic to sites controlled by the threat actors using man-in-the-browser functionality. This allows interception and manipulation of traffic that is supposed to be delivered to legitimate sites. Dridex has remote access functionality that allows the threat actor to connect to websites trough the victim computer.

Phishing campaigns that distribute commodity malware are common and ongoing problem for end users and corporations.E-mail continues to be the weapon of choice   for mass delivering malware. The tools and techniques used by attackers  continue to evolve and bypass all the security controls in place. From a defense perspective, the US-CERT put together excellent tips for detecting and preventing this type of malware and to avoid scams and phishing attempts applicable to home users and corporations.

Tagged , , ,

Hacking Team – Arsenal of Cyber Weapons

hackingteam5Following my last post regarding the Hacking Team breach there are two topics that deserve their own article.First, all the information about how the zero day and exploit acquisition market works with real facts. Second, the treasure trove of zero day exploits and tools that appeared as a consequence of the leak. Let me write two paragraphs about the first and then the second will follow.

Details how the deals were done and some of the companies operating on this market have been leaked. For example the CVE-2015-0349  exploit code has been bought by the Hacking Team for 45k USD to a Russian security researcher. A great summary on how this deal was made is here and worth reading. It references all the exchanged e-mails between the company and the researcher. Another good article from Wired here.

At the moment, the best compilation about how the exploit acquisition market works was made by Vlad Tsyrklevich who wrote a great write-up summarizing all information that has been leaked. It covers the deals, vendors, exploit costs and references the original emails. Among the different  security brokers that were doing business with Hacking Team, Netragard came to public and announced the shut down of its exploit acquisition program.  On another article Vlad wrote about an exploit catalog from December 2014 that contains references to many unknown vulnerabilities. With this information a spike in hunting these unknown vulnerabilities has started by the good and the bad guys.

Now, the main topic of this article. As of this writing the arsenal of cyber weapons that Hacking Team had at their disposal:

  • Microsoft OpenType Font Driver Vulnerability (CVE-2015-2426)

Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows from Vista SP2 to Windows 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka “OpenType Font Driver Vulnerability.”

Details have been posted by Trend Micro here:

“Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE).  By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification. The vulnerability can allow attackers remote control over the affected system.”

The exploit was originally developed by Eugene Ching from Qavar Security. It’s also available on GitHub here.

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-078 contains a patch for it.

  • Microsoft Internet Explorer 11 jscript9.dll Use-After-Free Vulnerability (CVE-2015-2425)

This zero-day vulnerability is a just-in-time (JIT) function UAF (Use-After-Free) vulnerability in jscript9.dll, specifically in the MutationObserver object. Details have been posted by Vectra Networks here

“The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability. While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.”

and by TrendMicro here

“Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.Only Internet Explorer 11 is affected, as the older versions of the browser do not support this feature.”

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-065: Security Update for Internet Explorer (3076321) contains a patch for it.

  • Windows Adobe Type Manager Privilege Escalation Vulnerability (CVE-2015-2387)

This vulnerability allows privilege escalation. Details about it on CERT.org

“Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts. Note that exploit code for this vulnerability is publicly available, as part of the HackingTeam compromise. We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit.”

Details have been posted by Trend Micro here

” The vulnerability exists in the OpenType manager module (ATMFD.dll), which is provided by Adobe. The DLL is run in the kernel mode. An attacker can exploit the vulnerability to perform privilege escalation which can bypass the sandbox mitigation mechanism.”

Microsoft worked to release a patch asap and the  Microsoft Security Bulletin MS15-077 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) contains a patch for it.

  • Adobe Flash ActionScript 3 BitmapData Use-After-Free Vulnerability (CVE-2015-5123)

Critical vulnerability (CVE-2015-5123) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by Trend Micro here.

“Another Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123) has surfaced from the HT leak. This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited.  It affects all versions of Adobe Flash in Windows, Mac, and Linux”

Adobe worked to release a patch asap and the  Security Advisory for Adobe Flash Player (APSA15-04)  and Security updates available for Adobe Flash Player (APSB15-18) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 opaqueBackground Use-After-Free Vulnerability (CVE-2015-5122)

Critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Details have been posted by FireEye here:

The HackingTeam leak already resulted in the public disclosure of two zero-day vulnerabilities this week. One of the vulnerabilities, CVE-2015-5119 in Adobe Flash, was quickly adopted by multiple groups and used in widespread attacks. FireEye Labs identified a PoC for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT to the issue.

Details have been posted by Trend Micro here:

“Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 18.0.0.203).”|

More details by Zscaler here. Malware Don’t Need Coffee saw them being used in the wild across 5 different exploit kits – Rig, Neutrino, Magnitude Nuclear Pack, Null Hole.

Adobe worked to release a patch asap and the  Security Advisory for Adobe Flash Player (APSA15-04)  and Security updates available for Adobe Flash Player (APSB15-18) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player 18.0.0.209.

  • Adobe Flash ActionScript 3 ByteArray Use-After-Free Vulnerability (CVE-2015-5119)

Details have been posted by Zscaler here

“CVE-2015-5119 exploit payload that we have now seen in the wild. The sample has multiple layers of obfuscation and packer routines. The malicious Flash payload is packed, XOR’ed and stored as a binary data inside a parent Flash file that dynamically unpacks a malicious Flash file and writes it to memory at run time.”

Malware Don’t Need Coffee saw the exploit being used in the wild before being patched across 7 different exploit kits.

Adobe worked to release a patch asap and the Security Advisory for Adobe Flash Player (APSA15-03) and Adobe Security Bulletin (APSB15-16) patches it. Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows and Macintosh update to Adobe Flash Player.

  • Adobe Flash Player Integer Overflow (CVE-2015-3087)

An integer overflow vulnerability that could lead to code execution. Adobe patched this vulnerability under the Security Advisory for Adobe Flash Player (APSP15-09).

  • Adobe Flash Player Use-After-Free Vulnerability (CVE-2015-0349)

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors

Trend Micro posted details here. “One of the Flash Player vulnerabilities found in the HT dump is believed to be CVE-2015-0349 which was patched by Adobe in April 2015”

Adobe Security Bulletin (APSB15-06) contains a patch for it.  Patched Adobe Flash version is 17.0.0.169

  • Android Fake “BeNews” App

Trend Micro posted details here:

“We analyzed the recent Hacking Team dump and found a sample of a fake news app that appears to be designed to circumvent filtering in Google Play. This is following news that iOS devices are at risk of spyware related to the Hacking Team. The fake news app was downloaded up to 50 times before it was removed from Google Play on July 7.”

  • Android Spying Tool 

Feature rich surveillance software for Android. It leverages CVE-2014-3153, CVE-2013-6282, CVE-2012-2825 and CVE-2012-2871 to perform the desired functionality.

Trend Micro posted details here

Following news that iOS devices are at risk of spyware related to the Hacking Team, the saga continues into the Android sphere. We found that among the leaked files is the code for Hacking Team’s open-source malware suite RCSAndroid (Remote Control System Android), which was sold by the company as a tool for monitoring targets. (Researchers have been aware of this suite as early as 2014.)

Collin Milliner a security researcher has posted his frustration when finding that Hacking Team reused is open source code.

  • Rootkit for UEFI BIOS

Details posted by Trend Micro here:

“The dissection of the data from the Hacking Team leak has yielded another critical discovery: Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.”

And a great write-up by Intel Advanced Threat Research here

“The leaked source code goes beyond a research proof-of-concept, revealing a commercial rootkit platform called “]HackingTeam[ UEFI Vector” and using real attacks as a part of Hacking Team’s RCS malware platform. According to the leaked code and emails, this hacking platform may have already been already sold to some HackingTeam customers. Some of the emails point to specific modes on which the persistent rootkit was tested. Both “agent” and “soldier” are the names of trojan horse applications also found in the leaks. The rootkit reinstalls these applications automatically, from infected firmware”

 

Tagged , ,

Hacking Team Breach Summary

[The news on Twitter, on the media, and across the infosec community in the last days have been fascinating to due to the revelations from the Hacking Team breach. Details about how the company operates,  information about espionage and surveillance, zero days exploit catalogs, all the secrets and drama make this story ready for someone to write a book about it. Because I was on vacations while all this happened, I decided to write a short summary about it in order to catch-up. LR]

Sunday night, 5th of July, news started making the rounds about 400Gb of data stolen from the notorious Italian surveillance software company Hacking Team. With a quite epic start, the person behind the attack – someone that goes by the name Phineas Fisher – hijacked the company twitter account, changed the handler from Hacking Team to Hacked Team and posted the following message: “Since we have nothing to hide, we are publishing all our emails, files, and source code” with a torrent link to download the data.

hackingteam1

Shortly after, on the same twitter handle, print screens about the leaked data started to disseminate internal company emails, their clients and operating procedures. This continued for at least half day. Some hours later their list of clients have been posted on Pastebin revealing some questioning relationships with  countries known for human rights violations.  The company has been subject to criticism several times over the past years regarding the unethical sale of surveillance tools. CitizenLabs and Reporters Without Borders were organizations that went vocal in the past regarding their questionable practices. That known, the news were expected to have a lot of attention by the media, journalists, activists and others.

Meanwhile, as this was not enough, one of the companies employees Christian Pozzi came publicly to support the company. Unfortunately for him, his personal passwords were on the massive amount of data leaked. Worse was that the quality of the passwords were weak and moments after his initial twitter post, his twitter account got hijacked as well and his passwords posted online and twitted.

hackingteam3

Following, when people all over the world started to get their hands on the torrent file all kinds of confidential information started to arise. Sales revenue, contracts, budgets plans, agreements, emails, operating manuals, configuration files, source code, zero day exploit catalogs, and all kind of business and technical information started to be on the internet. Wikileaks indexed and made searchable all their emails.

The days after the breach have been quite revealing due to their software and capabilities – their main business is security services and tools to governments and law enforcement organizations – specially for the information security community due to the number on unknown zero day vulnerabilities exposed and their surveillance software. But, on the other hand, the criminals soon started to use the source code and exploits on spear phishing campaigns and the Neutrino and Angler exploit Kits started to leverage the Flash 0 days while Adobe and Microsoft were working on releasing patches. This topic deserves a post on its own and I will write a summary about it soon.

As expected, the company started to investigate who has been behind the breach. According to Reuters Italian prosecutors are investigating six former employees. Ars Technica also reports this here.

In the last days, Eric Rabe and David Vincenzetti, Hacking Team Chief Communications Officer and CEO respectively, have been quite brave and their twitter handler continues to post updates. On the company website there were several news released about this topic. Among other things they seem to have requested all their clients to suspend their operations and asked the Anti Virus companies to start detecting their software. hackingteam2

Phineas Fisher who claims to be the actor behind the breach used his dormant twitter account writing that he will released the details on how the company got hacked. Stay tuned!

Tagged
gb_master's /dev/null

... and I said, "Hello, Satan. I believe it's time to go."

Source Code Auditing, Reversing, Web Security

Finding Hidden codes in the software

BruteForce Lab's Blog

security, programming, devops, visualization, the cloud

Count Upon Security

Increase security awareness. Promote, reinforce and learn security skills.

Naked Security

Computer Security News, Advice and Research

Didier Stevens

(blog \'DidierStevens)

malwology

Adventures in double-clicking malware / by Anuj Soni

Rational Survivability

Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation.

SANS Internet Storm Center, InfoCON: green

Increase security awareness. Promote, reinforce and learn security skills.

TaoSecurity

Increase security awareness. Promote, reinforce and learn security skills.

Schneier on Security

Increase security awareness. Promote, reinforce and learn security skills.

Technicalinfo.net Blog

Increase security awareness. Promote, reinforce and learn security skills.

Lenny Zeltser

Increase security awareness. Promote, reinforce and learn security skills.

Krebs on Security

In-depth security news and investigation