Critical Security Updates for Adobe Reader, Java

February 20, 2013
26 Comments

Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java.

javaiconThe Java update comes amid revelations by Apple, Facebook and Twitter that employees at these organizations were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines. According to Bloomberg News, at least 40 companies were targeted in malware attacks linked to an Eastern European gang of hackers that has been trying to steal corporate secrets.

Oracle’s update brings Java on Windows systems to Java SE 7 Update 15, and Java 6 Update 41. Most consumers can get by without Java installed, or least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin. To find out if you have Java installed, visit java.com and click the “Do I have Java?” link below the big red button. Existing users can update Java from the Java Control Panel, clicking the Update tab and then the “Update Now” button.

Apple has issued an update that brings Java up-to-date on security patches but also disables the Java plugin from Web browsers on the system. Apple also issued a malware removal tool that it said should remove from Macs the most common variants of malware that used the most recent Java exploits. Continue reading

Bit9 Breach Began in July 2012

February 20, 2013
24 Comments

Malware Found Matches Code Used Vs. Defense Contractors in 2012

Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. Defense contractors.

bit9Earlier this month, KrebsOnSecurity broke the story of the breach at Waltham, Mass.-based Bit9, which involved the theft of one of the firm’s private digital certificates. That certificate was used to sign malicious software, or “malware” that was then sent to three of the company’s customers. Unlike antivirus software, which tries to identify and block known malicious files, Bit9’s approach helps organizations block files that aren’t already digitally signed by the company’s own certificates.

After publishing a couple of blog posts about the incident, Bit9 shared with several antivirus vendors the “hashes” or unique fingerprints of some 33 files that hackers had signed with the stolen certificate. KrebsOnSecurity obtained a list of these hashes, and was able to locate two malicious files that matched those hashes using Virustotal.com — a searchable service and database that lets users submit suspicious files for simultaneous scanning by dozens of antivirus tools.

The first match turned up a file called “media.exe,” which according to Virustotal was compiled and then signed using Bit9’s certificate on July 13, 2012. The other result was a Microsoft driver file for an SQL database server, which was compiled and signed by Bit9’s cert on July 25, 2012.

Asked about these findings, Bit9 confirmed that the breach appears to have started last summer with the compromise of an Internet-facing Web server, via an SQL injection attack. Such attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server.

In an exclusive interview with KrebsOnSecurity, Bit9 said it first learned of the breach on Jan. 29, 2013, when it was alerted by a third party which was not a customer of Bit9. The company believes that the trouble began last July, when an employee started up a virtual machine that was equipped with an older Bit9 signing certificate which hadn’t been actively used to sign files since January 2012.

Harry Sverdlove, Bit9’s chief technology officer, said the company plans to share more details about its investigation into the intrusion in a post to be published Thursday on Bit9’s blog. For instance, he said, the control server used to coordinate the activities of the malware sent by the attackers traced back to a server in Taiwan.

Sverdlove said Bit9 will not reveal the identities of the customers that were apparently the true target of the breach; he would only characterize them as “three non-critical infrastructure entities.” Sverdlove said although it is clear now that Bit9 was hacked as a jumping-off point from which to launch more stealthily attacks against a handful of its customers, that reality hardly softens the blow.

“Although it doesn’t make us feel any better, this wasn’t a campaign against us, it was a campaign using us,” Sverdlove said. “We don’t take any solace in this, but the good news is they came after us because they weren’t able to come after our customers directly.”

It’s not clear why the attackers waited so long to use the stolen certs, but in any case Bit9 says the unauthorized virtual machine remained offline from August through December, and was only turned on again in early January 2013.

Continue reading

Advertisement

DDoS Attack on Bank Hid $900,000 Cyberheist

February 19, 2013
40 Comments

A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.

Ascent1At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.

KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.

Ascent was unaware of the robbery at the time, but its bank would soon verify that a series of unauthorized transactions had been initiated on the 24th and then again on the 26th. The money mule I spoke with was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.

Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.

“It said the bank was offline for 24 hours, and we couldn’t get in to the site,” Shope said. “We called the bank and they said everything was fine.”

But soon enough, everything would not be fine from Bank of the West’s end. Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline. It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan — a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.

Continue reading

Zero-Day Flaws in Adobe Reader, Acrobat

February 15, 2013
34 Comments

Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products.

adobeshatteredThe company issued an advisory about the threat on Wednesday, which confirms many of the details first disclosed by security firm FireEye earlier this week. FireEye has since posted a follow-up blog entry that sheds some additional light on how this attack works.

According to Adobe, there are two vulnerabilities in play here, and they exist in the latest versions of its software, including Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier for Windows and Macintosh, and Adobe Reader 9.5.3 for Linux.

Adobe says it is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message. The software maker added that it is in the process of working on a fix for these issues.

Continue reading

Exploit Sat on LA Times Website for 6 Weeks

February 13, 2013
39 Comments

The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.

On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast. 

latimesKubec checked Avast’s telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least December 23, 2012.

Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on Feb. 2 and 3. But Manning said this was the result of a glitch in Google’s display ad exchange, not a malware attack on the company’s site.

“The LA Times, along with dozens of other Google ad exchange users including the New York Times, the Guardian, CNET, Huffington Post and ZDNet, were, to varying degrees, blocked by malicious script warnings,” Manning wrote in an email to KrebsOnSecurity. “The impacted sections of our site were quickly cleared and there was never any danger to users.”

Unfortunately, Avast and others continued to detect exploits coming from the news site. Manning subsequently acknowledged that the Google display ad issue was a separate and distinct incident, and that the publication’s tech team was working to address the problem.

Malicious code served by offersanddeals.latimes.com

Malicious code served by offersanddeals.latimes.com

It’s not clear how many readers may have been impacted by the attack, which appears to have been limited to the Offers and Deals page of the latimes.com Web site. Site metrics firm Alexa.com says this portion of the newspaper’s site receives about .12 percent of the site’s overall traffic, which according to the publication is about 18 million unique visitors per month. Assuming the site was compromised from Dec. 23, 2012 through the second week in February 2013, some 324,000 LA Times readers were likely exposed to the attack.

Continue reading

Fat Patch Tuesday

February 12, 2013
25 Comments

Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.

winiconFive of the 12 patches Microsoft released today earned its most dire “critical” label, meaning these updates fix vulnerabilities that attackers or malware could exploit to seize complete control over a PC with no help from users.

Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer; other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical patch fixes a flaw that is present only on Windows XP systems.

Updates are available via Windows Update or from Automatic Update. A note about applying these Windows patches: Today’s batch includes an update for .NET, which in my experience should be applied separately. In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works. Consider applying the rest of the patches first, rebooting, and then installing the .NET update, if your system requires it.

And for the second time in a week, Adobe has released an update for its Flash Player software. This one addresses at least 17  distinct vulnerabilities; unlike last week’s emergency Flash Update, this one thankfully doesn’t address flaws that are already actively being exploited, according to Adobe. Check the graphic below for the most recent version that includes the updates relevant to your operating system. This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Continue reading

Yahoo! Pushing Java Version Released in 2008

February 11, 2013
31 Comments

At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

sitebuilderYahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo!  bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

Continue reading

Security Firm Bit9 Hacked, Used to Spread Malware

February 8, 2013
86 Comments

Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

bit9Waltham, Massachusetts-based Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.

But earlier today, Bit9 told a source for KrebsOnSecurity that their corporate networks had been breached by a cyberattack. According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys.

That last bit is extremely important, because Bit9 is a default trusted publisher in their software, which runs on customer PCs and networks as an “agent” that tries to intercept and block applications that are not on the approved whitelist. The upshot of the intrusion is that with a whitelist policy applied to a machine, that machine will blindly trust and run anything signed by Bit9.

An hour after being contacted by KrebsOnSecurity, Bit9 published a blog post acknowledging a break-in. The company said attackers managed to compromise some of Bit9’s systems that were not protected by the company’s own software. Once inside, the firm said, attackers were able to steal Bit9’s secret code-signing certificates.

“Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,” Bit9’s Patrick Morley wrote. “As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product.  Our investigation also shows that our product was not compromised.”

The company said it is still investigating the source of the breach, but said that it appears that at least three of its customers were sent malware that was digitally signed with Bit9’s certificate.

Continue reading

Critical Flash Player Update Fixes 2 Zero-Days

February 7, 2013
28 Comments

Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software — flaws that attackers are already exploiting to break into systems. Interestingly, Adobe warns that one of the exploits in use is designed to drop malware on both Windows and Mac OS X systems.

brokenflash-aAdobe said in an advisory that one of the vulnerabilities — CVE-2013-0634 – is being exploited in the wild in attacks delivered via malicious Flash content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment.

Adobe also warned that a separate flaw — CVE-2013-0633 — is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash content. The company said the exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows (i.e. Internet Explorer users).

Updates are available for Windows, Mac, Linux and Android users. The latest Windows and Mac version is v. 11.5.502.149, and is available from this link. Those who prefer a direct link to the OS-specific downloads can grab them here. To find out if you have Flash installed and what version your browser may be running, check out this page.

flash115502149

Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. 11.5.31.139 for Windows, Macintosh and Linux. Likewise, Internet Explorer 10 for Windows 8 also includes an auto-update feature, which should bring Flash to version 11.3.379.14 for Windows.

Adobe’s advisory notes that the vulnerability that has been used to attack both Mac and Windows users was reported with the help of the Shadowserver Foundation, the federally funded technology research center MITRE Corporation, and aerospace giant Lockheed Martin‘s computer incident response team. No doubt there are some interesting stories about how these attacks were first discovered, and against whom they were initially deployed.

Microsoft, Symantec Hijack ‘Bamital’ Botnet

February 7, 2013
16 Comments

Microsoft and Symantec said Wednesday that they have teamed up to seize control over the “Bamital” botnet, a multi-million dollar crime machine that used malicious software to hijack search results. The two companies are now using that control to alert hundreds of thousands of users whose PCs remain infected with the malware.

bamitalThe tech firms said their research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google.

Users of machines infected with Bamital are likely to see a Web page like the one pictured at right the next time they search for something online. That’s because Microsoft convinced a judge at the U.S. District Court for the Eastern District of Virginia to give it control over the infrastructure that Bamital used to coordinate the search hijacking activities of host PCs.

On Wednesday, technicians working on behalf of both Microsoft and Symantec raided data centers at Leaseweb USA in Manassas, Va., and ISPrime in Weekawken, New Jersey, accompanied by U.S. federal marshals. The two companies are now using the botnet’s control channels to communicate with infected PCs and to notify affected users.

According to Microsoft’s lawsuit, Bamital is most often installed via drive-by downloads, which use exploit kits stitched into hacked and malicious Web sites. Microsoft said the bad guys behind the botnet exclusively used the Phoenix Exploit Kit, a malware tool that uses vulnerabilities in Web browsers to silently install malware.

Bamital alters the organic search results on the host machine, redirecting victims away from sites as indexed by the major search providers toward pages that provide advertising and referral commissions to affiliate marketers. Redmond included several examples in its petition to the court, such as when a victim with Bamital searches for Microsoft Halo, and upon clicking the top link in the results is taken to a completely different set of search engine results.

Microsoft employees (left) at ISPrime, a hosting facility in New Jersey.

Microsoft employees (left) at ISPrime, a hosting facility in New Jersey.

Microsoft said Bamital also orders infected systems to participate in “click fraud,” or to generate automated Internet traffic by instructing those computers — without the owner’s knowledge or intervention — to connect to any Web site chosen by the botmasters. Meanwhile, the owner of the infected computer – even if they were sitting at the computer – would not see the hidden browser.

It’s not hard to see why threats like Bamital are so prevalent: An estimated $12.7 billion was spent on Internet advertising in 2012, and click fraud is taking a huge bite out of the expected returns. Microsoft’s own research indicates that 22 percent of all ad-clicks are fraudulent.

Continue reading