GLOBAL Threat Intelligence Report – March 2015

1. Executive Summary

In March several high-level vulnerabilities were exposed, ranging from programming flaws to the compromise of user security through supply chain tampering by a maker of laptops and desktops. All of these instances show just how much the security landscape for our systems and networks changes from month to month.

This report has been generated to give the end user an idea of what is happening in the security space, as well as insight into little-considered security issues that could lead to the compromise of your network. From the macro to the micro, security issues can have a great effect on corporations large and small. From the Target breach response of ten million dollars in reparations to its customers, to the FREAK vulnerability and attacks on the core protocols the internet is built on and secured with, these reports give you an idea of where to look and what to look for.

2. Global Threats

Fully Patched Versions of Firefox, Chrome, IE 11 and Safari hacked in Pwn2Own contest

http://www.techspot.com/news/60121-fully-patched-versions-firefox-chrome-ie-11-safari.html

Analysis:

Think that patching your browser on a regular basis is the only answer to your security problems? Then guess again. At the last Pwn2Own contest all of the major browsers fell to attacks even though they were fully patched.

What this shows is that even when a system has been well curated and security patches applied, there can still be flaws in the code that lead to compromise. This is an important fact to remember and plan for in any environment dealing with on-line activity.

However, mitigations can be taken to help stem these types of attacks. Consider deploying systems like EMET 5 or another HIDS client that can monitor the volatile memory space as well as changes to the operating system that might be triggered when a browser is exploited. It is also a given that your company should have IDS/IPS/SIEM capabilities to detect traffic going to C&Cs from compromised systems and browsers.

The Largest Email Hack in History

The US Department of Justice announced today that it has charged three men for participating in what officials are calling “one of the largest reported data breaches in US history” and “the largest data breach of names and email addresses in the history of the Internet.”

According to allegations in the indictments, between February 2009 and June 2012, Viet Quoc Nguyen, 28, a citizen of Vietnam, allegedly hacked into at least eight email service providers (ESPs) throughout the United States and stole confidential information, including proprietary marketing data containing over one billion email addresses. Nguyen, along with Giang Hoang Vu, 25, also a citizen of Vietnam, then allegedly used the data to send “spam” to tens of millions of email recipients. The data breach was the largest in U.S. history and was the subject of a Congressional inquiry in June 2011. ~USDOJ

http://motherboard.vice.com/read/three-men-charged-in-the-largest-email-hack-in-the-history-of-the-internet

Analysis:

The hacking of eight major email providers in this case shows just how valuable common information like our email addresses and content is to criminals. That this is the biggest and seemingly longest-running of these scams also shows how long something like this can go on and how it has been corporatized, in a way.

The criminals created an enterprise in which they used the data from their ill-gotten gains to send spam and generate revenue from it. This is common today, but it is not usually predicated on hacking major email providers and stealing inside information.

The FREAK Vulnerability and SSL

Just when you thought it was safe to use your computer again after last year’s Heartbleed, Shellshock and other computer bugs that threatened your security and just as I predicted in my column of Dec. 20, 2014, researchers have discovered yet another security flaw that threatens millions of Internet users.

http://www.usatoday.com/story/money/columnist/2015/03/07/weisman-cybersecurity/24382891/

Analysis:

The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Target Offers 10 Million Dollars in Breach Payments

Target has agreed to pay $10 million to settle a class-action lawsuit related to the company’s 2013 data breach.

Court documents show hacking victims could get as much as $10,000 apiece.

http://www.npr.org/blogs/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit

Analysis:

The Target hack was one of the first in recent times to make a lasting impression on the world. This attack not only showed how the adversaries used advanced and persistent means to gain and keep access to Target’s networks, but also how a company can be financially and reputationally compromised.

That Target is now offering money, rather than just credit monitoring, shows just how much these attacks cost a company’s bottom line as well as its reputation. This round of settlements, though, has been marked as low and not enough by many in the industry and in the public.

The upshot here is that the company has had to respond in this manner due to its own culpability: its security measures were not up to speed to catch the warning signs that were going off like klaxons in the night. It is important for all organizations to perform due diligence in this day and age of advanced adversaries, who may not be nation-state sponsored.

One in Three Websites at Risk on the Net

Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.

Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of “risky,” meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.

http://www.cbsnews.com/news/one-in-three-websites-at-risk-for-hacking/

Analysis:

There are a couple of factors that could explain this assessment. The first is that there are simply so many vulnerabilities that they are hard to keep up with in an enterprise environment. The second is that either the companies are not performing their scans as regularly as they should, or they have decided that the vulnerabilities are acceptable to them and written them off as accepted risk.

I am unsure of the reality here regarding these potential risks to all these sites on-line. Risk acceptance and determination of the level of risk are hard to scope out, as each environment is making that calculation (one hopes) for itself, so there are variations in levels of care. However, this article and the statistics therein show that, as a whole, we can understand how easily the adversaries can exploit systems reached on-line and why we keep seeing stories about large-scale hacks on organizations.

ISIS Hit List and Information Warfare

At least three times in the last five months, U.S. military members have been urged to limit their social media activity in response to worries that ISIS-linked terrorists could track them down, in the U.S. or abroad.

The latest warning came this week, when a group calling itself the Islamic State Hacking Division posted personal information of about 100 service members, which defense officials said had been collected from social media sites.

http://www.nbcnews.com/news/us-news/isis-hit-list-fuels-concerns-over-tech-savvy-terrorists-n328781

Analysis:

While this story is about the war on terror and the on-line antics of a small cadre of Da’esh followers, it is also a cautionary tale. The information that was leaked on-line was not in fact hacked, but instead all available through Google searches. This is an important fact in the story to clarify but also sets the stage for the second important insight, of how much of our personal data is on-line.

A simple Google ‘Dork’ can deliver a huge amount of OSINT on a target today and the use of that data to then re-post it on a page like pastebin and call for assassinations shows the power of the net. Basically, this story is the story of asymmetric warfare and how easily it can be carried out online. Now imagine that it is not in fact a terrorist organization doing this but a disgruntled employee or client of a company doing this.

Every individual should consider how much data they put online and where they are putting it. From cyber bullying to outright death threats, we make it easy to ‘dox’ ourselves with our Tweets, Facebook postings, and emails.

GitHub DDoS

On March 26, 2015, a very well-coordinated distributed denial of service (DDoS) attack was waged on GitHub, the heir apparent to the now-closing Google Code. GitHub characterized this as the largest DDoS in its history.

The Electronic Frontier Foundation (EFF) and security researchers Netresec name the Chinese government as the culprits of the attack, which lasted until March 31, 2015. Here’s an overview of why the cloud-based git repository host was targeted.

http://www.techrepublic.com/article/chinese-government-linked-to-largest-ddos-attack-in-github-history/

Analysis:

China and India both blocked GitHub recently over content on the site that they evidently found threatening. In the case of China, it seems that GitHub may have just become another piece of fodder for the internet wars. The reality, though, is that no matter the political aegis, GitHub was taken down with a DDoS because of unencrypted sessions that were allowed to Baidu.

The bigger story here, though, is that DDoS is incredibly hard to mitigate and everyone is vulnerable to it. As a means of political protest, or just as an attack to force a company into some kind of complicity, DDoS is not going anywhere. This is because our systems are inherently vulnerable to these attacks, and until the code is adjusted to disallow them, they will happen regularly.

For more on DDoS go here

Your Private Data Available Through Anonymous Shares On-line

Our lives are digital now.

Everything we do on-line leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we’re our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.

Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that’s not entirely true.

In fact, depending on how you’ve configured the device, your backups are freely available on-line to anyone who knows what they’re looking for.

http://www.csoonline.com/article/2906137/cloud-security/lost-in-the-clouds-your-private-data-has-been-indexed-by-google.html

Analysis:

Google ‘Dorking’, as mentioned above in the Da’esh story, is an easy way not only to gather data on users but also to gain access to their data and systems. In the case of the CSO story it was easy to Google with certain terms and strings to locate users’ systems that were insecure and on-line. Many of these systems were in fact routers that had been turned on with default settings or misconfigured.

This is an object lesson for everyone, and you should consider it not only a personal security issue but a corporate one. Imagine that you have an IT person who is bringing work home, or worse still, has configured a router or a NAS device to share in this way to the Internet. This is a scenario that was actually discovered, and it offered up a compromise of the company’s whole infrastructure.

Many of the cases just involve personal information. However, there have been cases like the one cited above, as well as cleared individuals sharing out FOUO/NOFORN/CONFIDENTIAL information, so this is certainly not only a personal issue. Please consider talking to your employees about these types of data exposures at home that could lead to breaches at your company as well.

3. Malware & Crimeware

Superfish! Lenovo Pre-Installed Malware

Does your Lenovo computer have Superfish VisualDiscovery adware (a.k.a. spyware) installed? It’s possible if you purchased a Lenovo PC any time in September of 2014 and thereafter.

This Superfish software intercepts the Lenovo user’s traffic so that the user sees ads displayed that reflect their browsing habits. The problem with this targeted advertising scheme is that it comes with a vulnerability that makes it easy for hackers to attack.

Superfish enables targeted advertising by installing what’s called a trusted root CA certificate.

http://www.finextra.com/blogs/fullblog.aspx?blogid=10681

Analysis:

These threat intelligence reports have covered the idea of ‘Supply Chain Tampering’ in the past, but this one should set bells off for anyone buying a computer from any vendor. According to Lenovo, the adware with its trusted CA was nothing to worry about. However, it was proven that this adware/malware could be used by others to compromise the systems entirely.

Though Lenovo considered this form of advertising, inside access and routing legal and acceptable, it is in fact not. Just as Sony was called out for adding a RAT (remote access tool) to its DVDs in the past, this is wholly inappropriate and in fact degrades the security of whole organizations as well as the individuals who purchase the hardware.

Now that this is out in the open, if you have these systems within your network you should remove the adware/trojan, and inform any home users in your work-at-home or bring-your-own-computer programs to remove it as well. If left as is today, after all the reporting on it, there could be compromise, because exploit code is already in the wild.

To remove SuperFish go here

Kilim Facebook Worm Hooks with Sexy Pics

Security experts have warned of a new Facebook worm using adult content as a lure to trick desktop users into downloading malware.

The authors behind this version of the Kilim worm have “gone to great lengths to anonymize themselves” and circumvent browser protections, Malwarebytes senior security researcher, Jérôme Segura, wrote in a blog post.

If they click on what appears to be a video file promising to show “sex photos of teen girls,” victims are redirected via two ow.ly links – first to an Amazon Web Services page and then a malicious site, videomasars.healthcare, which apparently checks their computer.

http://www.infosecurity-magazine.com/news/kilim-facebook-worm-promises-sexy/

Analysis:

One of the more common techniques in malware delivery and phishing attacks is the promise of sexual content. That this is being leveraged on Facebook only makes it more effective because of Facebook’s prevalence on the net. Additionally, the use of obfuscated shortened links like bit.ly and ow.ly is common as well, and such links should be filtered if possible in your environment to disallow these attacks.

As an organization, you should have some form of web filtering in place, but oftentimes these slip up and let such content through. Please keep up with the filtering and leverage systems like BlueCoat and Websense as a front-line tool against these types of attacks.

The Hanjuan Exploit Kit and Malvertising

Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.

Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com that the issue has been resolved.

http://www.scmagazine.com/hanjuan-exploit-kit-leveraged-in-malvertising-campaign/article/405455/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

Analysis:

Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

Another name for this type of attack could be ‘drive-by’, but the point here is that nothing is safe. Ads on sites can in fact be the infection points for systems viewing the page, and this is a risk to all environments.

Whether it be an iframe attack or a click through to a malicious domain, these types of attacks are myriad on-line and should be a concern for all security departments in corporations. What can be done though? It is a hard thing to keep up with and prevent users from clicking or just visiting legitimate sites that may be compromised temporarily.

The best thing that you can do is have the measures in place (Websense/BlueCoat/Barracuda etc.) to monitor the online traffic of your users and get alerts on sites that may be compromised. It is then your job to locate the users who may have gone to these sites and scan their systems for compromise. Having a means to keep up with these types of attacks (RSS feeds etc.) will also help your security team detect and deter them.
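The proxy-log triage described here and in the Kilim analysis above (shortened-link lures, then a hop to a flagged site), written as an added example that is not from the report or any of the products it names. The log lines are constructed; the watch lists hold only the domains this report mentions and would normally be fed from your own alert sources.

```python
"""Proxy-log triage for two patterns from this report: lures reached through
URL shorteners (the Kilim worm's ow.ly hops) and visits to hosts on a
compromised-site alert list (malvertising). Log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed format: "<utc-time> <user> <client-ip> <method> <url> <status>"
PROXY_LOG = """\
2015-03-26T10:01:02Z alice 10.0.0.11 GET http://www.facebook.com/ 200
2015-03-26T10:01:40Z alice 10.0.0.11 GET http://ow.ly/constructed1 302
2015-03-26T10:01:41Z alice 10.0.0.11 GET http://ow.ly/constructed2 302
2015-03-26T10:01:42Z alice 10.0.0.11 GET https://s3.amazonaws.com/constructed-bucket/v.html 200
2015-03-26T10:01:43Z alice 10.0.0.11 GET http://videomasars.healthcare/check.php 200
2015-03-26T10:05:10Z bob 10.0.0.12 GET http://news.example/ 200
2015-03-26T10:05:11Z bob 10.0.0.12 GET http://bit.ly/constructed3 302
2015-03-26T10:07:00Z carol 10.0.0.13 GET https://github.com/ 200
not a log line
"""

URL_SHORTENERS = {"ow.ly", "bit.ly"}            # named in the Kilim analysis
COMPROMISED_SITES = {"videomasars.healthcare"}  # from the Kilim story; feed from alerts

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, method, url, status = m.groups()
    return {"ts": ts, "user": user, "ip": ip, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(), "status": int(status)}


def classify(host):
    """'compromised-site', 'shortened-link' or None for a request host."""
    for bad in COMPROMISED_SITES:
        if host == bad or host.endswith("." + bad):
            return "compromised-site"
    if host in URL_SHORTENERS:
        return "shortened-link"
    return None


def triage(log_text):
    """{user: [(severity, kind, detail), ...]}. A shortener hit alone is low
    severity; a compromised-site hit is high and records the last shortener
    the same user followed, so the redirect chain is visible to the analyst."""
    findings = defaultdict(list)
    last_shortener = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry["host"])
        if kind == "shortened-link":
            last_shortener[entry["user"]] = entry["url"]
            findings[entry["user"]].append(("low", kind, entry["url"]))
        elif kind == "compromised-site":
            via = last_shortener.get(entry["user"])
            detail = f"{entry['url']} (reached after {via})" if via else entry["url"]
            findings[entry["user"]].append(("high", kind, detail))
    return dict(findings)


def users_to_scan(findings):
    """Users with a high-severity finding; their systems need a malware scan."""
    return sorted(u for u, items in findings.items()
                  if any(sev == "high" for sev, _, _ in items))


if __name__ == "__main__":
    result = triage(PROXY_LOG)
    for user, items in result.items():
        for sev, kind, detail in items:
            print(f"{sev:5} {user:6} {kind:16} {detail}")
    print("scan:", users_to_scan(result))  # ['alice']
```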

Android Malware Risk to Almost 50 percent of all Devices

Millions of Android devices have been found vulnerable to cyber attack following a security flaw allowing malware to replace legitimate apps, hacker Zhi Xu has found.

Almost half of Android phones may be affected, with the flaw allowing dangerous malicious apps to be downloaded without the user’s knowledge, collecting personal data from the infected device.

http://www.itpro.co.uk/security/24295/android-malware-flaw-a-risk-to-almost-50-per-cent-of-devices

Analysis:

As mobile computing becomes more prevalent and operating systems like Android take more market share, you and your employees are at greater risk of compromise. In the case of this malicious application installation it has been shown that nearly fifty percent of all phones are vulnerable.

With the advent of ‘Bring your own device’ and the general use of these phones, tablets, and devices, the risk of compromise has increased geometrically. It is important that your security program includes keeping up with vulnerabilities in these devices, as well as being aware of the intricacies involved in private individuals’ devices, their use, and where the security rubber meets the privacy road.

A compromise of a device puts at risk not only the end user’s data but also the corporation’s data and its network infrastructure.

Trojan.Siggen6.31836

New variants of malware come and go with depressing regularity, but some have capabilities that offer more cause for concern than others.

The latest piece of scary software comes from researchers at security company Doctor Web who have uncovered a new Trojan dubbed BackDoor.Yebot that’s capable of carrying out a wide range of destructive actions on an infected machine.

It’s spread via another piece of malware, Trojan.Siggen6.31836. When launched on the target machine, this injects its code into the svchost.exe, csrss.exe, lsass.exe and explorer.exe processes. After sending a request to the remote server it then downloads and decrypts BackDoor.Yebot and transfers control to it. Some features of Trojan.Siggen6.31836 are encrypted (and can be decrypted only while it’s being executed). It also incorporates mechanisms to verify the virtual machine in a target system and bypass User Account Control.

http://betanews.com/2015/03/24/multi-purpose-backdoor-trojan-threatens-windows-systems/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN

Analysis:

Multiple-vector infection malware is more common today. Once the code has been allowed on the system it will infect many .dll files or other files common to the operating system as a means to stay entrenched on the system. This is called ‘persistence’ and is the status quo. It is also important to note that these types of malware then in turn call out to command and control systems to gather more malware for that same persistence, should the primary infection be detected and removed.

In the case of this particular malware it is important to understand the multiplicity of infections, the many means it then creates to exfiltrate your data out of your domain, and the rapidity with which this can happen. By the time an infection is detected, it has already had ample time to export your data to the adversaries.

Please note that this is not part of some exotic malware campaign by a nation state actor; this is in fact crimeware!
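One way to detect the injection pattern quoted above (a single process pushing code into svchost.exe, csrss.exe, lsass.exe and explorer.exe), as an added example that is not from Doctor Web or this report. It reads Sysmon Event ID 8 (CreateRemoteThread) records as JSON lines; the events are constructed, and the allowlist of expected injectors is illustrative rather than a vetted baseline.

```python
"""Detection sketch: group Sysmon CreateRemoteThread (Event ID 8) records by
source image and alert when an unexpected source creates threads in the
system processes named in the Trojan.Siggen6.31836 description."""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Targets named in the description quoted above.
INJECTION_TARGETS = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
# Illustrative allowlist (lower-case full paths): tools on your systems that
# legitimately create threads in other processes, e.g. an EDR agent.
EXPECTED_INJECTORS = {r"c:\program files\example-edr\agent.exe"}

# Constructed Sysmon-style events (field names follow the Event ID 8 schema).
SYSMON_EVENTS = r"""
{"EventId": 1, "UtcTime": "2015-03-24 09:09:58.000", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"EventId": 8, "UtcTime": "2015-03-24 09:10:01.000", "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartAddress": "0x000000000040A000"}
{"EventId": 8, "UtcTime": "2015-03-24 09:10:01.100", "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\csrss.exe", "StartAddress": "0x000000000040A000"}
{"EventId": 8, "UtcTime": "2015-03-24 09:10:01.200", "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "StartAddress": "0x000000000040A000"}
{"EventId": 8, "UtcTime": "2015-03-24 09:10:01.300", "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x000000000040A000"}
{"EventId": 8, "UtcTime": "2015-03-24 09:12:00.000", "SourceImage": "C:\\Program Files\\Example-EDR\\agent.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartAddress": "0x00007FF8AA110000"}
{"EventId": 8, "UtcTime": "2015-03-24 09:13:00.000", "SourceImage": "C:\\Windows\\System32\\notepad.exe", "TargetImage": "C:\\Windows\\System32\\calc.exe", "StartAddress": "0x00007FF8AA110000"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def injection_alerts(text, min_targets=2):
    """Any unexpected source that hits a listed target is reported; a source
    hitting `min_targets` or more distinct targets (the pattern above, where
    one dropper injects into four system processes) is escalated to high."""
    hits = defaultdict(set)
    for ev in parse_events(text):
        if ev.get("EventId") != 8:
            continue
        src = ev["SourceImage"].lower()
        tgt = image_name(ev["TargetImage"])
        if tgt in INJECTION_TARGETS and src not in EXPECTED_INJECTORS:
            hits[src].add(tgt)
    return [{"source": src, "targets": sorted(tgts),
             "severity": "high" if len(tgts) >= min_targets else "medium"}
            for src, tgts in sorted(hits.items())]


if __name__ == "__main__":
    for alert in injection_alerts(SYSMON_EVENTS):
        print(alert["severity"], alert["source"], "->", ", ".join(alert["targets"]))
```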

Bitcoin blockchain exploitation could allow for malware spreading

Bitcoin’s blockchain can do more than store transactions, according to new research from Kaspersky that demonstrates the way in which the cryptocurrency’s ledger can be used to store malware control mechanisms or provide access to illicit content.

http://www.scmagazine.com/kaspersky-researcher-details-blockchain-vulnerability/article/406218/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

Analysis:

As with anything on the Internet and in computing, the technology can be turned against you. In this case it is the primary means by which Bitcoin (a cryptocurrency) tracks its amounts and use that can be used to infect systems. This likely will not be a big deal for many companies as yet, because Bitcoin is still not widely used by corporations.

However, it is important to note that any users of the currency might fall prey to these attacks, and those persons may work for you and use systems that connect not only to their daily lives but also to your network.

4. Vulnerabilities

DRAM ROWHAMMER

Description: A vulnerability was reported in some dynamic random-access memory (DRAM) devices. A local user can obtain elevated privileges on the target system.

A local user can run a program that repeatedly accesses a row of memory to cause bits in adjacent rows to flip. This can be exploited to execute arbitrary code on the target system with kernel-level privileges.


http://www.securitytracker.com/id/1031863

Analysis:

This is a local exploit that can cause bit flips in certain brands of DDR3 RAM, which would then result in compromising kernel-level processes on the attacked system.

Technical Report: http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

We have shown two ways in which the DRAM rowhammer problem can be exploited to escalate privileges. History has shown that issues that are thought to be “only” reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don’t change unless the locations are written to.

This is a problem for various brands of laptops and desktops that use the specific RAM mentioned in the article. Please consider looking at the systems in your environment and what RAM they use, to ensure that you are not at higher risk through monocultures in hardware.

FREAK

FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability

Analysis:

As stated above in this report, the FREAK vulnerability is just one of a few that have come out over the last year. This section will rely more on the technical aspects of the vulnerability, but the statement above must be repeated:

The FREAK vulnerability is just another in a line of vulnerabilities now being sought in the SSL framework. Once the first of these types of attacks was discovered, the SSL framework became a target for a lot of scrutiny by researchers both good and bad. As time progresses expect to see more attacks on this fundamental protocol which could compromise your whole environment.

This is important to you because SSL is the basis for many secure transactions on-line and in your network. Once this has been broken by making a session insecure, an attacker can then steal credentials and then further exploit networks and systems. It is important that your organization keeps up with these vulnerabilities and manages them.

Please click the links above to the CVE and the technical specs for this vulnerability and remediate in your networks.
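A check for the FREAK exposure described here and in the Global Threats section, written as an added example that is not part of the report or of US-CERT's advisory: it offers a server only the RSA_EXPORT cipher suites in a TLS 1.0 ClientHello and reads the ServerHello to see whether one was accepted. The ServerHello fixtures are constructed for offline use; check_server() sends the same ClientHello to a host you administer.

```python
"""FREAK (CVE-2015-0204) exposure check: a server that still negotiates an
RSA_EXPORT suite when offered nothing else has the weak export keys the
report warns about. Fixtures below are constructed, not captured traffic."""
import socket
import struct

# RSA_EXPORT suites from the IANA TLS cipher-suite registry (40-bit ciphers,
# 512-bit RSA key exchange): the suites FREAK abuses.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites):
    """TLS 1.0 ClientHello record offering only `suites` (no extensions)."""
    client_random = bytes(32)  # fixed for reproducibility; use os.urandom live
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01" + client_random + b"\x00"        # version, random, empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(record):
    """Cipher suite id from a ServerHello record, or None for alerts/garbage."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                  # 2 = ServerHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # body: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    if len(body) < 35:
        return None
    off = 35 + body[34]
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def freak_exposed(server_reply):
    """True when the server accepted one of the export-only suites offered."""
    return negotiated_suite(server_reply) in RSA_EXPORT_SUITES


def check_server(host, port=443, timeout=5):
    """Live check against a host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(sorted(RSA_EXPORT_SUITES)))
        return freak_exposed(sock.recv(4096))


def make_server_hello(suite):
    """Constructed ServerHello record (test fixture)."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


EXPORT_SERVER_HELLO = make_server_hello(0x0003)  # server chose RC4-40: exposed
SAFE_SERVER_HELLO = make_server_hello(0x002F)    # TLS_RSA_WITH_AES_128_CBC_SHA
ALERT_REPLY = bytes.fromhex("15030100020228")    # fatal handshake_failure alert

if __name__ == "__main__":
    print("export suite accepted:", freak_exposed(EXPORT_SERVER_HELLO))  # True
    print("AES suite accepted:", freak_exposed(SAFE_SERVER_HELLO))       # False
    print("alert reply:", freak_exposed(ALERT_REPLY))                    # False
```

A server that refuses the export-only offer with a handshake_failure alert is the expected, patched behaviour.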

Security Advisory Feeds

Newsnow offers an aggregation of security advisories that is very helpful if you do not already have an RSS feed aggregated.

http://www.newsnow.co.uk/h/Technology/Security/Advisories?JavaScript=1&searchheadlines=&search=&Period=17&Page=1

Analysis:

The importance of advisories and news sources to a security program cannot be overstressed. If you do not already aggregate security RSS feeds you should start to look toward doing so.

Websense XSS Vuln

Users of Websense Data Security that are reviewing DLP incidents can be attacked via cross site scripting. This issue can be exploited using a specially crafted email, or by sending a specially crafted HTTP request through the Websense proxy. The attacker-supplied code can perform a wide variety of attacks, such as stealing session tokens, login credentials, performing arbitrary actions as victims, or logging victims’ keystrokes.

http://packetstormsecurity.com/files/130898/websensees-xss.txt

Analysis:

Websense is a very common solution for web filtering and DLP for mid-sized companies. This current vulnerability could lead to compromise of your internal networks as well as all the data within the DLP/Websense system. If you are running Websense with a DLP (Data Loss Prevention) module, please go to the following link and update your console:

This issue is resolved in TRITON APX Version 8.0. More information about the fix can be found at the following location:

http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0

5. Directed Threats Data

<enter your own data here from IDS/SIEM/AV/LOG CORRELATION> for your own organization and report on what you are seeing on your network.

TITLE:

Analysis:

TITLE:

Analysis:

TITLE:

Analysis:

WORD FORMAT: HERE

Written by Krypt3ia

2015/04/07 at 15:27

One Response


1. […] Related posts: 07/04/2015. Global Threat Intelligence Report March 2015 : krypt3ia.wordpress.com/2015/04/07/global-threat-intelligence-report-march-2015/ 07/04/2015. IWC CIR 20150407 : http://www.informationwarfarecenter.com/CIR/IWC-CIR-2015-April-7.pdf […]

