Viruses and Worms

How the Waltham cyberstalker’s reign of fear was ended

Sophos Naked Security - 16 October 2017 - 19:06
No one is truly anonymous online, not even criminals.

Adobe Patches Flash Zero Day Exploited by Black Oasis APT

VirusList.com - 16 October 2017 - 17:46
Adobe today released an out-of-band Flash Player update addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group called Black Oasis.
Category: Viruses and Worms

Brit intel fingers Iran for brute-force attacks on UK.gov email accounts

The Register - Anti-Virus - 16 October 2017 - 17:06
Russia, you're off the hook

Iran has been blamed for the brute-force attack on UK Parliament earlier this year.…

Category: Viruses and Worms

BlackOasis APT and new targeted attacks leveraging zero-day exploit

Kaspersky Securelist - 16 October 2017 - 16:28

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com

Introduction

Kaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.

On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero-day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We reported the bug to Adobe, who assigned it CVE-2017-11292 and released a patch earlier today.

So far only one attack has been observed in our customer base, leading us to believe the number of attacks is minimal and highly targeted.

Analysis of the payload allowed us to confidently link this attack to an actor we track as “BlackOasis”. We are also highly confident that BlackOasis was responsible for another zero-day exploit (CVE-2017-8759) discovered by FireEye in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.

BlackOasis Background

We first became aware of BlackOasis’ activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe warned of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.

Kaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi-scanner system on May 8, 2016. The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server. Although the exact payload of the attack was no longer on the C&C, the same server was hosting multiple FinSpy installation packages.

Leveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time.  Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively.  These exploit chains also delivered FinSpy installation packages.

Since the discovery of BlackOasis’ exploitation network, we’ve been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:

Decoy documents used in BlackOasis attacks

To summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:

  • CVE-2015-5119 – June 2015
  • CVE-2016-0984 – June 2015
  • CVE-2016-4117 – May 2016
  • CVE-2017-8759 – Sept 2017
  • CVE-2017-11292 – Oct 2017

Attacks Leveraging CVE-2017-11292

The attack begins with the delivery of an Office document, presumably in this instance via e-mail.  Embedded within the document is an ActiveX object which contains the Flash exploit.

Flash object in the .docx file, stored in uncompressed format

The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.

Unpacking routine for SWF exploit

The exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class. If the exploit is successful, it gains arbitrary read/write access to memory, which allows it to execute a second stage shellcode.

The first stage shellcode contains an interesting NOP sled built from alternating instructions, most likely designed to avoid detection by antivirus products that look for large NOP blocks inside Flash files:

NOP sled composed of 0x90 and 0x91 opcodes
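A defender-side check for the delivery chain described above, added here as an example and not Kaspersky's code: it unpacks a .docx, looks for an SWF header inside the ActiveX binary parts, inflates CWS bodies, and measures the longest run of mixed 0x90/0x91 bytes, the sled that a signature for plain runs of 0x90 would miss. The docx fixtures and SWF bodies are constructed in memory, and the version-byte and length sanity checks are this example's own heuristics.

```python
import io
import re
import zipfile
import zlib

# 32+ consecutive bytes drawn only from 0x90 (nop) / 0x91 (xchg eax, ecx): a mixed sled that a plain "run of 0x90" signature misses.
SLED_RE = re.compile(rb"[\x90\x91]{32,}")


def swf_body(data):
    """SWF tag stream if data starts with a plausible SWF header (FWS raw, CWS zlib; ZWS/LZMA not unpacked here), else None."""
    if len(data) < 8 or not 1 <= data[3] <= 60 or int.from_bytes(data[4:8], "little") < 8:   # heuristic header checks
        return None
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return b""   # header looked right but the body would not inflate
    return b"" if data[:3] == b"ZWS" else None


def scan_docx(blob):
    """List every ActiveX/OLE part carrying a Flash object, with the longest 0x90/0x91 sled found in it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not (name.startswith(("word/activeX/", "word/embeddings/")) and name.endswith(".bin")):
                continue
            part = zf.read(name)
            for m in re.finditer(rb"[FCZ]WS", part):   # the SWF may be nested inside an OLE stream
                body = swf_body(part[m.start():])
                if body is None:
                    continue
                sled = max((len(s) for s in SLED_RE.findall(body)), default=0)
                findings.append({"part": name, "offset": m.start(), "signature": m.group().decode(), "nop_sled_len": sled})
                break
    return findings


def build_docx(activex_bin):
    """Constructed minimal .docx (test fixture): one document part plus an optional ActiveX binary part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if activex_bin is not None:
            zf.writestr("word/activeX/activeX1.bin", activex_bin)
    return buf.getvalue()

# Constructed samples: a stub SWF body ending in a 64-byte 0x90/0x91 sled, stored raw (FWS) and zlib-packed (CWS).
SWF_TAGS = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + bytes([0x90, 0x91] * 32) + b"\x00\x00"
FWS_SAMPLE = b"\x00" * 16 + b"FWS\x1e" + (8 + len(SWF_TAGS)).to_bytes(4, "little") + SWF_TAGS
CWS_SAMPLE = b"CWS\x1e" + (8 + len(SWF_TAGS)).to_bytes(4, "little") + zlib.compress(SWF_TAGS)
```

Run `scan_docx(open("suspect.docx", "rb").read())` on a real document; a non-empty result with a large `nop_sled_len` is worth a closer look, while an empty result only means no Flash object was found in the ActiveX parts.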

The main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.

Second stage shellcode

The second stage shellcode will then perform the following actions:

  1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe
  2. Download a lure document to display to the victim from the same IP
  3. Execute the payload and display the lure document

Payload – mo.exe

As mentioned earlier, the “mo.exe” payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International’s FinSpy malware, typically sold to nation states and other law enforcement agencies for use in lawful surveillance operations. This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, including a custom packer and a virtual machine to execute code.

The PCODE of the virtual machine is packed with the aplib packer.

Part of packed VM PCODE

After unpacking, the PCODE looks like the following:

Unpacked PCODE

After unpacking, the virtual machine PCODE is decrypted:

Decrypted VM PCODE

The custom virtual machine supports a total of 34 instructions:

Example of parsed PCODE

In this example, the “1b” instruction is responsible for executing native code that is specified in the parameter field.

Once the payload is successfully executed, it will proceed to copy files to the following locations:

  • C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe
  • C:\ProgramData\ManagerApp\15b937.cab
  • C:\ProgramData\ManagerApp\install.cab
  • C:\ProgramData\ManagerApp\msvcr90.dll
  • C:\ProgramData\ManagerApp\d3d9.dll

The “AdapterTroubleshooter.exe” file is a legitimate binary which is leveraged for the well-known DLL search order hijacking technique. The “d3d9.dll” file is malicious and is loaded into memory by the legitimate binary upon execution. Once loaded, the DLL injects FinSpy into the Winlogon process.

Part of injected code in winlogon process

The payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.

Targeting and Victims

BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.

Victims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.

Conclusions

We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace.

We believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here, will continue to grow.

What does it mean for everyone and how to defend against such attacks, including zero-day exploits?

For CVE-2017-11292 and other similar vulnerabilities, one can use the killbit for Flash within an organization to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded by applications that may not honor the killbit. Additionally, this may break other necessary resources that rely on Flash and, of course, it will not protect against exploits for other third-party software.

Deploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are also protected against this threat by one of the following detections:

  • PDM:Exploit.Win32.Generic
  • HEUR:Exploit.SWF.Generic
  • HEUR:Exploit.MSOffice.Generic

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com

Acknowledgements

We would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.

References

  1. Adobe Bulletin https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

Indicators of compromise

4a49135d2ecc07085a8b7c5925a36c0a
89.45.67[.]107

KRACK Attack Devastates Wi-Fi Security

VirusList.com - 16 October 2017 - 16:16
The KRACK, or key reinstallation attack, disclosed today allows attackers to decrypt encrypted traffic, steal data and inject malicious code depending on the network configuration.
Category: Viruses and Worms

Chrome smoked by Edge in browser phishing test

Sophos Naked Security - 16 October 2017 - 15:51
NSS Labs says Edge users are better protected from phishing than people using Chrome and Firefox

Customers cheesed off after card details nicked in Pizza Hut data breach

The Register - Anti-Virus - 16 October 2017 - 15:03
Victims reporting fraudulent transactions

Miscreants have made off with payment card details of "a small number of clients" following a data breach at Pizza Hut.…

Category: Viruses and Worms

Remember how you said it was cool if your mobe network sold your name, number and location?

The Register - Anti-Virus - 16 October 2017 - 13:49
No? Well, never mind, because it's for your own protection

US mobile phone companies appear to be selling their customers' private data – including their full name, phone number, contract details, home zip code and current location to third parties – all in the name of security.…

Category: Viruses and Worms

WPA2 KRACK attack smacks Wi-Fi security: Fundamental crypto crapto

The Register - Anti-Virus - 16 October 2017 - 13:36
Key handshake shakedown

Updated  Users are urged to continue using WPA2 pending the availability of a fix, experts have said, after security researchers went public with more information about a serious flaw in the wireless encryption protocol.…

Category: Viruses and Worms

Monday review – the hot 19 stories of the week

Sophos Naked Security - 16 October 2017 - 11:39
From iPhone's new "off" switch and the 5 mistakes IT wish you wouldn't make to Microsoft's latest security tool, and more!

Linus Torvalds lauds fuzzing for improving Linux security

The Register - Anti-Virus - 16 October 2017 - 09:03
But he's not at all keen on Santa Claus or fairies

Linus Torvalds' release notification for Linux 4.14's fifth release candidate contains an interesting aside: the Linux Lord says fuzzing is making a big difference to the open source operating system.…

Category: Viruses and Worms

'Open sesame'... Subaru key fobs vulnerable, says engineer

The Register - Anti-Virus - 16 October 2017 - 05:55
ONE, TWO, THREE, what are we incrementing FOUR? (Don't ask, we don't give a damn)

A Dutch electronics engineer reckons Japanese auto-maker Subaru isn't acting on a key-fob cloning vulnerability he discovered.…

Category: Viruses and Worms

WPA2 security in trouble as KRACK Belgian boffins tease key reinstallation bug

The Register - Anti-Virus - 16 October 2017 - 03:58
Strap yourselves in readers, Wi-Fi may be cooked

Updated  A promo for the upcoming Association for Computing Machinery security conference has set infosec types all a-Twitter over the apparent cryptographic death of the WPA2 authentication scheme widely used to secure Wi-Fi connections.…

Category: Viruses and Worms

Sounds painful: Audio code bug lets users, apps get root on Linux

The Register - Anti-Virus - 16 October 2017 - 01:39
Cisco discusses Advanced Linux Sound Architecture mess before formal CVE release

An advisory from Cisco issued last Friday, October 13th gave us the heads-up on a local privilege escalation vulnerability in the Advanced Linux Sound Architecture (ALSA).…

Category: Viruses and Worms

An oil industry hacker facing jail, a $20m damages bill, and claims of counter-hacking

The Register - Anti-Virus - 14 October 2017 - 17:30
Inside the bizarre ongoing Rigzone saga

Analysis  David Kent, of Spring, Texas, USA, was sentenced to prison earlier this month for hacking Rigzone.com, an oil and gas industry website he founded and sold to employment data biz DHI Group, in an effort to build a second site, Oilpro.com, into an acquisition target.…

Category: Viruses and Worms

Cyberespionage Group Steps Up Campaigns Against Japanese Firms

VirusList.com - 14 October 2017 - 16:00
Researchers unearth new tactics and strategies used by the criminals behind the hacking group known as Bronze Butler.
Category: Viruses and Worms

US Congress mulls first 'hack back' revenge law. And yup, you can guess what it'll let people do

The Register - Anti-Virus - 14 October 2017 - 00:36
Can you say 'collateral damage'?

Two members of the US House of Representatives today introduced a law bill that would allow hacking victims to seek revenge and hack the hackers who hacked them.…

Category: Viruses and Worms

IT at sea makes data too easy to see: Ships are basically big floating security nightmares

The Register - Anti-Virus - 13 October 2017 - 22:30
Experts find maritime computer defenses lacking

If there's anything worse than container security, it would appear to be container ship security.…

Category: Viruses and Worms

Pulitzer-winning website Politifact hacked to mine crypto-coins in browsers

The Register - Anti-Virus - 13 October 2017 - 20:38
Mysterious malicious code silently chews up CPU cycles to craft cash on visitors' dime

Updated  Politifact, the Pulitzer Prize-winning website devoted to checking the factual accuracy of US politicians' words, appears to have been hacked so that it secretly mines cryptocurrency in visitors' browsers.…

Category: Viruses and Worms

Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130

Sophos Naked Security - 13 October 2017 - 19:48
Hackers gained “full and unfettered access” to a third-party holding restricted information