Malware Spy Network Targeted Israelis, Palestinians

November 12, 2012

Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that for the past year has deployed malicious software to spy on Israeli and Palestinian targets.

The discovery, by Oslo-based antivirus and security firm Norman ASA, is the latest in a series of revelations involving digital surveillance activity of unknown origin that appears designed to gather intelligence from specific targets in the Middle East.

Norman’s experts say the true extent of the spy network came into focus after news of a cyber attack in late October 2012 that caused Israeli authorities to shut down Internet access for its police force. According to press reports, that incursion was spearheaded by a booby-trapped email that was made to look as if it was sent by Benny Gantz, the chief of general staff of the Israel Defense Forces.

Security vendor Trend Micro suggested that the initial target of that attack were systems within the Israeli Customs agency, and said the malware deployed was a version of Xtreme RAT, a Remote Access Trojan that can be used to steal information and receive commands from a remote attacker. According to Trend, the latest iterations of Xtreme Rat have Windows 8 compatibility, improved Chrome and Firefox password grabbing, and improved audio and desktop capture capabilities features.

All of the malware files Fagerland discovered as part of this campaign were signed with this phony Microsoft certificate.

Snorre Fagerland, a senior virus researcher at Norman, said he examined a sample of the Trojan used to deploy the malware in that attack, and found that it included a rather telltale trait: It was signed with a digital certificate that was spoofed to appear as though it had been digitally signed by Microsoft.

The faked digital certificate would not stand up to validation by Windows— or anyone who cared to verify it with the trusted root certificates shipped with Windows PCs. But it proved to be a convenient marker for Fagerland, who’s been scouring malware databases for other samples that used the same phony certificate ever since. So far, he’s mapped out an expanding network of malware and control servers that have been used in dozens of targeted email attacks (see graphic below).

“These malwares are set up to use the same framework, talk to same control servers, and have same spoofed digital certificate,” Fagerland said in an interview with KrebsOnSecurity. “In my view, they are same attackers.”

Fagerland discovered a vast network of command and control servers (yellow) that all bore the same forged Microsoft certificate and powered malware that targeted Israeli and Palestinian users.

Fagerland found that the oldest of the malicious files bearing the forged Microsoft certificate were created back in October 2011, and that the Arabic language email lures used in tandem with those samples highlighted Palestinian news issues. He observed that the attackers used dynamic DNS providers to periodically shift the Internet addresses of their control networks, but that those addresses nearly always traced back to networks in Gaza assigned to a hosting provider in Ramallah in the West Bank.

After about eight months of this activity, the focus of the malware operation pivoted to attacking Israeli targets, Fagerland discovered. When that happened, the attackers shifted the location of their control servers to networks in the United States.

Continue reading

Experts Warn of Zero-Day Exploit for Adobe Reader

November 7, 2012

Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground.

The finding comes from malware analysts at Moscow-based forensics firm Group-IB, who say they’ve discovered that a new exploit capable of compromising the security of computers running Adobe X and XI  (Adobe Reader 10 and 11) is being sold in the underground for up to $50,000. This is significant because — beginning with Reader X— Adobe introduced a “sandbox” feature  aimed at blocking the exploitation of previously unidentified security holes in its software, and so far that protection has held its ground.

But according to Andrey Komarov, Group-IB’s head of international projects, this vulnerability allows attackers to sidestep Reader’s sandbox protection. Komarov said the finding is significant because “in the past there was no documented method of how to bypass” Adobe Reader X’s sandbox to run code of the attacker’s choice on the target’s computer. The Russian firm produced the following video which they say demonstrates a sanitized version of the attack.

The exploit does have some limitations, Komarov said. For example, it can’t be fully executed until the user closes his Web browser (or Reader). And so far, they have only seen the attack work against Microsoft Windows installations of Adobe Reader.

Adobe spokeswoman Wiebke Lips said the company was not contacted by Group-IB, and is unable to verify their claims, given the limited amount of information currently available.

“Adobe will reach out to Group-IB,” Lips said. “But without additional details, there is nothing we can do, unfortunately— beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.”

Continue reading

Advertisement

Adobe Ships Election Day Security Update for Flash

November 6, 2012

Adobe has released a critical security update for its Flash Player and Adobe AIR software that fixes at least seven dangerous vulnerabilities in these products. Updates are available for Windows, Mac, Linux and Android systems.

Today’s update, part of Adobe’s regularly scheduled patch cycle for Flash, brings Flash Player to version 11.5.502.110 on Windows and Mac systems (other OS users see graphic below). Adobe urges users to grab the latest updates from its Flash Player Download Center, but that option pushes junk add-ons like McAfee VirusScan. Instead, download the appropriate version for your system from Adobe’s Flash Player Distribution page. Most users can find out what version of Flash they have installed by visiting this link.

The Flash Player installed with Google Chrome should soon be automatically updated to the latest Google Chrome version, which will include Flash Player 11.5.31.2 for Windows, Macintosh and Linux. Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser. Internet Explorer 10 users on Windows 8 can grab the update via Windows Update or from Microsoft’s site, or wait for the browser to auto-update the plugin.

Adobe’s advisory about this update is available here, including links to update AIR if you have that installed. An Adobe spokesperson said the company is not aware of any active attacks or exploits in the wild for any of the issues patched in this release. Nevertheless, it’s a bad idea to delay Flash updates; the software’s ubiquity makes it a primary target of malware and miscreants alike.

Cyberheists ‘A Helluva Wake-up Call’ to Small Biz

November 6, 2012

The $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two-dozen people helped to steal funds from the company’s coffers in an overnight heist in May 2012, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers.

The St. Louis, Missouri-based firm first learned that things weren’t quite right on Wednesday, May 30, 2012, when the company’s payroll manager logged into her account at the local bank and discovered that an oversized payroll batch for approximately $180,000 had been sent through late Tuesday evening.

The money had been pushed out of Primary Systems’ bank accounts in amounts between $5,000 and $9,000 to 26 individuals throughout the United States who had no prior interaction with the firm, and who had been added to the firm’s payroll that very same day. The 26 were “money mules,” willing or unwitting participants who are hired through work-at-home job schemes to help cyber thieves move money abroad. Most of the mules hired in this attack were instructed to send the company’s funds to recipients in Ukraine.

“The payroll manager contacted me at 8:00 a.m. that day to ask if I’d authorized the payroll batch, and I said no, it must have been a bank error,” said Jim Faber, Primary Systems’ chief financial officer. “I called the bank and said they said no, they did not make an error. That was a helluva wake-up call.”

The company’s financial institution, St. Louis-based Enterprise Bank & Trust, declined to comment. But of course, mistakes were made all around. Primary Systems’ employees failed to be wary of virus-laden email attachments, and relied too heavily on its firewalls and antivirus software to block attacks. The bank failed to bat an eyelash before processing a $180,000 transfer marked as “payroll” on a Tuesday, even though the company has always processed its payroll batch on Friday mornings. It also failed to flag as strange the overnight addition to Primary’s payroll of 26 new employees located in nearly as many states, even though almost all of the victim firm’s legitimate employees are based in Missouri.

The only parties to this crime who didn’t make missteps were the thieves. According to Faber, investigators believe the crooks cased the joint virtually before launching the heist, which came in just below the $200,000 threshold that would have prompted the bank to obtain verbal permission from Primary Systems for the transfer.

“If it was over $200k, [the bank] wouldn’t have allowed the transfer to happen without confirming it with us,” Faber said. “But this just flew right under that kickout. Our payroll is a lot less than that. This was six times our normal payroll and was in mid-week.”

Continue reading

DHS Warns of ‘Hacktivist’ Threat Against Industrial Control Systems

October 26, 2012

The U.S. Department of Homeland Security is warning that a witches brew of recent events make it increasingly likely that politically or ideologically motivated hackers may launch digital attacks against industrial control systems. The alert was issued the same day that security researchers published information about an undocumented software backdoor in industrial control systems sold by hundreds different manufacturers and widely used in power plants, military environments and nautical ships.

The information about the backdoor was published by industrial control systems (ICS) security vendor Digital Bond, which detailed how a component used in industrial control systems sold by 261 manufacturers contains a functionality that will grant remote access to anyone who knows the proper command syntax and inner workings of the device, leaving systems that are connected to the public open to malicious tampering.

In an interview with Ars Technica, Reid Wightman, a researcher formerly with Digital Bond and now at security firm ioActive, said there was “absolutely no authentication needed to perform this privileged command.” Of the two specific programmable logic controllers (PLCs) Wightman tested, both allowed him to issue commands that halted the devices’ process control.

“Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work,” Wightman told Ars. “Anybody on the network could shut off your laptop without needing your password. That would suck. And that’s the case here.”

Potentially aiding would-be attackers are specialized search engines like Shodan and the Every Routable IP Project, which were designed specifically to locate online devices that may be overlooked or ignored by regular search engines. Indeed, according to Wightman, a quick search using Shodan revealed 117 vulnerable devices directly connected to the Internet, although Wightman said he suspected the computer location service could turn up far more with a more targeted search. To complicate matters further, Wightman said tools for automating the exploitation of the backdoor will soon be made available for Metasploit, a penetration testing tool used by hackers and security professionals alike.

In an alert (PDF) issued Thursday, DHS warned that these search engines are being actively used to identify and access control systems over the Internet, and that combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.

“Multiple threat elements are combining to significantly increase the ICSs threat landscape,” DHS warned. “Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses. Asset owners should take these changes in threat landscape seriously…and should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”

But according to Digital Bond, asset owners — such as power utilities, water treatment facilities — aren’t moving fast enough to take such steps. Indeed, this is the driving premise behind “Project Basecamp,” the company’s endeavor to publish and expose control systems vulnerabilities: Only when control system operators begin to see how these vulnerabilities could be used to disrupt their operations will they be motivated enough to demand that ICS hardware and software vendors make security a priority.

“The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end,” the company explained on its blog. “Everyone knows PLC’s are vulnerable — or so we have heard for ten years now since the 9/11 attacks…Not only do they lack basic security features, they are also fragile. Warnings abound about the dangers of even running a port scan on a PLC. Yet even though “everyone knows” there has been little or no progress on developing even the option of purchasing a secure and robust PLC.”

The homepage of the Shodan search engine.

Continue reading

Adobe Ships Critical Fixes for Shockwave Player

October 23, 2012

Adobe has released a critical security update that plugs at least a half-dozen security holes in its Shockwave media player software.

Adobe recommends users of Adobe Shockwave Player 11.6.7.637 and earlier versions update to the newest version 11.6.8.638, available here. Updates are available for Windows and Mac systems. In its advisory on this update, Adobe says it is not aware of any active attacks against these flaws.

Before you try to update Shockwave, you should check to see if your system even has it installed. If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. If you update or install Shockwave, be on the lookout for pre-checked “extras”; my test installation of this update tried to foist a 30-day trial of Norton Internet Security.

Note that while Shockwave and Flash Player are both Adobe products, they are two separate things (Flash is far more abundant on the Web). I mention this because Flash Player still shows up as “Shockwave Flash” in Mozilla Firefox’s plugins listing. Incidentally, if you haven’t updated Flash Player to the latest version, you’ll want to take care of that now: The latest Flash Player update, released Oct. 8, fixes at least 25 security holes.

Service Sells Access to Fortune 500 Firms

October 22, 2012

An increasing number of services offered in the cybercrime underground allow miscreants to purchase access to hacked computers at specific organizations. For just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks.

The service I examined for this post currently is renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010. All of the machines for sale have been set up by their legitimate owners to accept incoming connections via the Internet, using the Remote Desktop Protocol (RDP), a service built into Microsoft Windows machines that gives the user graphical access to the host PC’s desktop. Businesses often turn on RDP for server and desktop systems that they wish to use remotely, but if they do so using a username and password that is easily guessed, those systems will soon wind up for sale on services like this one.

Pitching its wares with the slogan, “The whole world in one service,” Dedicatexpress.com advertises hacked RDP servers on several cybercrime forums. Access is granted to new customers who contact the service’s owner via instant message and pay a $20 registration fee via WebMoney, a virtual currency. The price of any hacked server is calculated based on several qualities, including the speed of its processor and the number of processor cores, the machine’s download and upload speeds, and the length of time that the hacked RDP server has been continuously available online (its “uptime”).

Though it is not marketed this way, the service allows users to search for hacked RDP servers by entering an Internet address range, an option that comes in handy if you are looking for computers inside of specific organizations. For instance, I relied on a list of the IP address ranges assigned to the companies in the current Fortune 500 listing (special thanks to online banking security vendor Greenway Solutions for their help on this front).

I made it about halfway through the list of companies in the Fortune 100 with names beginning in “C” when I found a hit: A hacked RDP server at Internet address space assigned to networking giant Cisco Systems Inc. The machine was a Windows Server 2003 system in San Jose, Calif., being sold for $4.55 (see screenshot below). You’ll never guess the credentials assigned to this box: Username: “Cisco,”; password: “Cisco”. Small wonder that it was available for sale via this service. A contact at Cisco’s security team confirmed that the hacked RDP server was inside of Cisco’s network; the source said that it was a “bad lab machine,” but declined to offer more details.

A hacked Win 2003 Server installation at Cisco Systems was on sale for $4.55.

Continue reading

Rogue Pharma, Fake AV Vendors Feel Credit Card Crunch

October 18, 2012

New research suggests that companies behind some of America’s best known consumer brands may be far more effective at fighting cybercrime than any efforts to enact more stringent computer security and anti-piracy laws.

Recent legislative proposals in the United States — such as the Stop Online Piracy Act —  have sought to combat online trafficking in copyrighted intellectual property and counterfeit goods by granting Internet service providers and authorities broader powers to prosecute offenders, and by imposing stronger criminal penalties for such activity. But recent data collected by academic researchers suggests that brand holders already have the tools to quash much of this activity.

Over the past two years, a team of academic researchers made hundreds of “test buys” at Web sites from 40 different shady businesses peddling knockoff prescription drugs, counterfeit software and fake antivirus products. The researchers, from George Mason University, the International Computer Science Institute, and the University of California, San Diego, posed as buyers for these products, which tend to be promoted primarily via hacked Web sites, junk email and computer viruses.

Test buys showed relationships between 40 affiliate programs and 25 banks, although a majority of the transactions filtered through a handful of banks in Azerbaijan, China, Georgia, Latvia, and Mauritius.

The test buys were intended to reveal relationships between the shadowy merchants and the banks that process credit and debit card transactions for these businesses. Following the money trail showed that a majority of the purchases were processed by just 12 banks in a handful of countries, including Azerbaijan, China, Georgia, Latvia, and Mauritius.

The researchers said they submitted the test buy results to a database run by the International AntiCounterfeiting Coalition, (IACC), a Washington, D.C.-based non-profit organization devoted to combating product counterfeiting and piracy. Several pharmacy and software vendors and IACC members whose trademarks were infringed in those transactions (the researchers said non-disclosure agreements prohibit them from naming the brands) used the data to lodge complaints with Visa (only Visa-branded debit cards were used to make the test buys).

Contracts between the banks and Visa and MasterCard stipulate that merchants are prohibiting from selling goods and services that are illegal in the country into which those goods or services are being sold. The credit card associations have a standard process for accepting complaints about such transactions, in which they warn the online merchant’s bank (including a notice of potential fines for noncompliance). After a complaint about such activity, the merchant’s bank conducts its investigation, and may choose to contest the issue if they believe it is in error. But if the bank decides not to challenge the complaint, then they will need to take action to prevent future such transactions, or else face an escalating series of fines from the card associations.

The researchers noticed that in case after case, merchant accounts that were used in fraudulent activity for some extended period of time before they filed a complaint with the IACC generally stopped being used within one month after a complaint was lodged. Neither Visa nor the IACC responded to requests for comment on this story.

Stefan Savage, a professor at UCSD’s Department of Computer Science and Engineering, said the data suggests that the private sector can have a major impact on cybercrime merely by going after the funding for these operations.

It doesn’t require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities.  If you can purchase a product, then there’s a record of it and that record points back to the merchant account getting the money,” Savage said. “Visa and MasterCard frown on sales of illegal purchases made on their networks and will act appropriately on complaints from brandholders based on undercover purchases.”

Savage said it doesn’t take concerted action by all of the affected brands to have a major impact on the rogue businesses that incentivize this type of commerce. On the contrary, he said one software brandholder pursued the merchant banks tied to all of the group’s test buys for its products with such a ferocity and swiftness that it virtually shut down the market for pirated brand name software [a.k.a “OEM”] overnight.

“This vendor went after everything. They did it so quickly — and not only for their own products — that it all but shut down the entire OEM ecosystem,” Savage said. “A couple of [OEM affiliate programs] survived by getting rid of that company’s brand, but in the beginning, when people had no clue what’s going on, it shut down the entire business for everyone.”

FINES ‘RAINING DOWN ON MERCHANTS’

The researchers note that in mid-2011, Visa made a series of changes to their operating regulations that seem designed to specifically target on-line pharmacies and sellers of counterfeit goods. First, sales of goods categorized as pharmaceutical-related were explicitly classified as “high risk” (along with gambling and various kinds of direct marketing services), and acquirers issuing new contracts for high-risk e-commerce merchants required significantly more due diligence (including $100M in equity capital and good standing in risk management programs). Also, the new documents explicitly call out examples of illegal transactions including “Unlawful sale of prescription drugs,” and “Sale of counterfeit or trademark-infringing products or services,” among others. Finally, these changes include more aggressive fine schedules for noncompliance.

Some of the best evidence of the success of the test buys+complaints strategy comes directly from the folks operating the affiliate programs that reward spammers and miscreants for promoting fake antivirus, pirated software and dodgy pill sites. In June 2012, a leader of one popular pharmacy affiliate program posted a lengthy message to gofuckbiz.com, a Russian language forum that caters to a variety of such affiliate programs. In that discussion thread, which is now some 234 pages long, the affiliate program manager explains to a number of mystified forum members why the pharmacy programs have had so much trouble maintaining reliable credit card processing. Continue reading

Critical Java Patch Plugs 30 Security Holes

October 17, 2012

Oracle on Tuesday pushed out a bevy of security patches for its products, including an update to Java that remedies at least 30 vulnerabilities in the widely-used program.

The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the Java homepage.

Apple maintains supplies its own version of Java. Given the rapidity with which they have followed Oracle’s Java updates (ever since April 2012, when the Flashback worm used an unpatched Java flaw to infect more than 650,000 Macs), I would expect Apple to have an update ready soon. Update: Apple did release an update for Java, one that sees the Java plugin removed from all Mac-compatible browsers installed on the system.

Continue reading

The Scrap Value of a Hacked PC, Revisited

October 15, 2012

A few years back, when I was a reporter at The Washington Post, I put together a chart listing the various ways that miscreants can monetize hacked PCs. The project was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?,” are all common refrains from this type of user.

I recently updated the graphic (below) to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.

Next time someone asks why miscreants might want to hack his PC, show him this diagram.

One of the ideas I tried to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.

Continue reading