Public Java Exploit Amps Up Threat Level

November 30, 2011

An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.

On Monday, I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog today, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.

Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.

This development should not be taken lightly by any computer user. According to Sun’s maker Oracle, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).

Continue reading

DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists

November 30, 2011

The FBI is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to prevent victims from noticing simultaneous high-dollar cyber heists.

The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves who are using a modified version of the ZeuS Trojan called “Gameover.” The rash of thefts come after a series of heavy spam campaigns aimed at deploying the malware, which arrives disguised as an email from the National Automated Clearing House Association (NACHA), a not-for-profit group that develops operating rules for organizations that handle electronic payments. The ZeuS variant steals passwords and gives attackers direct access to the victim’s PC and network.

In several recent attacks, as soon as thieves wired money out of a victim organization’s account, the victim’s public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

A few of the attacks have included an odd twist that appears to indicate the perpetrators are using money mules in the United States for at least a portion of the heists. According to an FBI advisory, some of the unauthorized wire transfers from victim organizations have been transmitted directly to high-end jewelry stores, “wherein the money mule comes to the actual store to pick up his $100K in jewels (or whatever dollar amount was wired).”

The advisory continues:

“Investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come to pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as ‘pending’ and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time) and the jeweler is out whatever jewels the money mule was able to obtain.”

The attackers also have sought to take out the Web sites of victim banks. Jose Nazario, manager of security research at Arbor Networks, a company that specializes in helping organizations weather large cyber attacks, said that although many of the bank sites hit belong to small to mid-sized financial institutions, the thieves also have taken out some of the larger banks in the course of recent e-heists.

“It’s a disturbing trend,” Nazario said.

Nazario said the handful of attacks he’s aware of in the past two weeks have involved distributed denial-of-service (DDoS) assaults launched with the help of “Dirt Jumper” or “Russkill” botnets. Dirt Jumper is a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground, and is made to be surreptitiously installed on hacked PCs. The code makes it easy for the botnet owner to use those infected systems to overwhelm targeted sites with junk traffic (KrebsOnSecurity.com was the victim of a Dirt Jumper botnet attack earlier this month).

Security experts aren’t certain about the strategy behind the DDoS attacks, which are noisy and noticeable to both victims and their banks. One theory is that the perpetrators are hoping the outages will distract the banks and victims.

“The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found),” the FBI said.

Continue reading

Advertisement

Attempted Malvertising on KrebsOnSecurity.com

November 29, 2011

Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site’s advertising network — Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of “malvertising.”

Last week, I listed the various ways this blog and its author has been “honored” over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called Darkode.com sought to fraudulently place a rogue ad on KrebsOnSecurity.com. The ad was made to appear as though it was advertising BitDefender antivirus software. Instead, it was designed to load a malicious domain: sophakevans. co. cc, a site that has been associated with pushing fake antivirus or “scareware.”

The miscreants agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on my site. Fortunately, I have the opportunity to review ads that come through Federated’s system. What’s more, Federated blocked the ad before it was even tagged for approval.

Darkode members plot to purchase a rogue ad on KrebsOnSecurity.com. They failed.

I learned about this little stunt roughly at the same time it was being planned; Much to the constant annoyance of the site administrators, I secretly had gained access to Darkode and was able to take this screen shot of the discussion. The incident came just a few weeks after I Tweeted evidence of my presence on Darkode by posting screenshots of the forum. The main administrator of Darkode, a hacker who uses the nickname “Mafi,” didn’t appreciate that, and promised he and his friends had something fun planned for me. I guess this was it. Interestingly, Mafi also is admin at malwareview.com and is the developer of the Crimepack exploit kit.

Continue reading

New Java Attack Rolled Into Exploit Kits

November 28, 2011

A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools.

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button.

A few weeks back, researcher Michael ‘mihi’ Schierl outlined how one might exploit this particular Java flaw. Over the weekend, I stumbled on a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized along the same lines as described by Schierl. Below is a recording of a video posted by one of the members that shows the attack in action.

Continue reading

Apple Took 3+ Years to Fix FinFisher Trojan Hole

November 23, 2011

The Wall Street Journal this week ran an excellent series on government surveillance tools in the digital age. One story looked at FinFisher, a remote spying Trojan that was marketed to the governments of Egypt, Germany and other nations to permit surreptitious PC and mobile phone surveillance by law enforcement officials. The piece noted that FinFisher’s creators advertised the ability to deploy the Trojan disguised as an update for Apple’s iTunes media player, and that Apple last month fixed the vulnerability that the Trojan leveraged.

Image: spiegel.de

But the WSJ series and other media coverage of the story have overlooked one small but crucial detail: A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw.

The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title: According to Apple, as of June 2011, there were approximately a quarter billion installations of iTunes worldwide.

Apple did not respond to requests for comment. An email sent Wednesday morning to its press team produced an auto-response stating that employees were already on leave for the Thanksgiving holiday in the United States.

I first wrote about this vulnerability for The Washington Post in July 2008, after interviewing Argentinian security researcher Francisco Amato about “Evilgrade,” a devious new penetration testing tool he had developed. The toolkit was designed to let anyone send out bogus automatic update alerts to users of software titles that don’t sign their updates. I described the threat from this toolkit in greater detail:

Why is this a big deal? Imagine that you’re at an airport lounge, waiting to board your flight, and you pop open your laptop to see if you can hop on an open wireless network. Bear in mind that there are plenty of tools available that let miscreants create fake wireless access points for the purposes of routing your connection through their computer. You connect to that fake network, thinking you can check your favorite team’s sports scores. A few seconds later, some application on your system says there’s a software update available. You approve the update.

You’re hosed.

Or maybe you don’t approve the update. But that may not matter, because in some cases, auto-update features embedded in certain software titles will go ahead and download the update at that point, and keep nagging you until you agree to install it at a later date.

Evilgrade leveraged a flaw in the updater mechanism for iTunes that could be exploited on Windows systems. Amato described the vulnerability:

“The iTunes program checks that the binary is signed by Apple but we can inject content into the description as it opens a browser, with a malicious binary so that the user thinks its from Apple,” Amato said of his attack tool.

Emails shared with KrebsOnSecurity show that Amato contacted Apple’s security team on July 11, 2008, to warn them that the iTunes update functionality could be abused to push out malicious software. According to Amato, Apple acknowledged receipt of the report shortly thereafter, but it did not contact him about his findings until Oct. 28, 2011, when it sent an email to confirm his name and title for the purposes of crediting him with reporting the flaw in its iTunes 10.5.1 patch release details. Interestingly, Apple chose to continue to ignore the vulnerability even after Amato shipped a significant feature upgrade to Evilgrade in Oct. 2010.

The length of time Apple took to patch this significant security flaw is notable. In May 2006, I undertook a longitudinal study of how long it took Apple to ship security updates for its products. In that analysis, I looked at two years’ worth of patches issued to fix serious security bugs in Apple’s Mac OS X operating system, as well as other Apple software applications like iTunes. I found that on average, 91 days elapsed between the date that a security researcher alerted Apple to an unpatched flaw and the date Apple shipped a patch to fix the problem. In that study, I examined patch times for four dozen flaws, and the lengthiest patch time in that period was 245 days.

Continue reading

DHS Blasts Reports of Illinois Water Station Hack

November 22, 2011

The U.S. Department of Homeland Security today took aim at widespread media reports about a hacking incident that led to an equipment failure at a water system in Illinois, noting there was scant evidence to support any of the key details in those stories — including involvement by Russian hackers or that the outage at the facility was the result of a cyber incident.

Last week, portions of a report titled “Public Water District Cyber Intrusion” assembled by an Illinois terrorism early warning center were published online. Media outlets quickly picked up on the described incident, calling it the “first successful target of a cyber attack on a computer of a public utility.” But in an email dispatch sent to state, local and industry officials late today, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that after detailed analysis, DHS and the FBI “have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.” The ICS-CERT continued:

“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported.  Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”

The statement is the most strongly worded yet from DHS refuting the alleged cyber incident in Illinois. The story broke on Nov. 17, when Joe Weiss, managing partner of Applied Control Solutions, a security consultant for the control systems industry, published a blog post about a disclosure he reported reading from a state terrorism intelligence center about a cyber intrusion into a local water plant that resulted in the burnout of a water pump. The break-in reportedly allowed intruders to manipulate the supervisory control and data acquisition system, or “SCADA” networks that let plant operators manage portions of the facility remotely over the Internet. Within hours of that post, media outlets covering the story had zeroed in on the Curran-Gardner Water District as the source of the report.

Weiss has repeatedly declined to share or publish the report, but he cited large portions of it in my story from last week. The language and details reported in it stand in stark contrast to the DHS’s version of events. According to Weiss, the report, marked sensitive but unclassified, stated:

“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia. The SCADA system that was used by the water district was produced by a software company based in the US. It is believed the hackers had acquired unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district systems.”

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

“This network intrusion is the same method of attack recently used against the MIT Server,” the water district alert stated. “The water district’s attack and the MIT attack both had references to PHPMyAdmin in the log files of the computer systems. It is unknown at this time the number of SCADA usernames and passwords acquired from the software company’s database, and if any additional systems have been attacked as a result of this theft.”

Weiss blogged about the ICS-CERT statement, and said he can’t figure out how the two accounts could be so different. He notes that the day after his blog post, Don Craven, chairman of the Curran-Gardner Water District, was quoted on a local ABC News affiliate television interview saying that there was “some indication that there was a breach of some sort into a software program, a SCADA system, that allows remote access to the wells and the pumps and those sorts of things” (see video below).

Continue reading

DDoS Attack on KrebsOnSecurity.com

November 21, 2011

Last week, not long after I published the latest installment in my Pharma Wars series, KrebsOnSecurity.com was the target of a sustained distributed denial-of-service (DDoS) attack that caused the site to be unavailable for some readers between Nov. 17 and 18. What follows are some details about that attack, and how it compares to previous intimidation attempts.

The DDoS was caused by incessant, garbage requests from more than 20,000+ PCs around the globe infected with malware  that allows criminals to control them remotely for nefarious purposes. If you’ve noticed that a few of the features on this site haven’t worked as usual these past few days, now you know why. Thanks for your patience.

I shared the log files of the attack with Joe Stewart, director of malware research at Dell SecureWorks. Stewart discovered that the botnet responsible for hitting my site appears to have been created with Russkill, a commercial crimeware kit that is sold for a few hundred bucks on the hacker underground. Russkill, sometimes called Dirt Jumper, does its dirty work by forcing infected systems to rapidly request the targeted site’s homepage.

Stewart said he suspects — but can’t prove – that the control center for this botnet is noteye.biz, based on traffic analysis of Internet addresses in the logs I shared with him.

“I did not already have [noteye.biz] under monitoring so it is impossible to say for sure what targets were hit in the past,” Stewart wrote in an email. He noted that the same attacker also apparently runs a Dirt Jumper botnet at xzrw1q.com, which also is currently attacking Ukrainian news site genshtab.censor.net.ua, and kidala.info (“kidala” is Russian slang for “criminal,” and kidala.info is a well-known Russian crime forum).

“According to my logs this botnet did attack your site back in April, so this is some additional circumstantial evidence that suggests the noteye.biz [control network] may have been involved in the recent attack on your site,” Stewart wrote.

As Stewart notes, this is not the first time my site has been pilloried, although it was arguably the most disruptive. In October 2010, a botnet typically used to spread spam for rogue Internet pharmacies attacked krebsonsecurity.com, using a hacked Linux server at a research lab at Microsoft, of all places.

I’ve spoken at more than a dozen events this year, and the same question nearly always comes up: Do you ever get threatened or attacked? For the most part, the majority of the threats or intimidation attempts have been light-hearted.

Yes, occasionally crooks in the underground will get a bit carried away – as in these related threads from an exclusive crime forum, where I am declared the “enemy of carding;” or in the love I received from the guys at Crutop.nu, a major Russian adult Webmaster forum (the site now lives at Crutop.eu).

Continue reading

Cyber Intrusion Blamed for Hardware Failure at Water Utility

November 18, 2011

A recent cyber attack on a city water utility in Illinois may have destroyed a pump and appears to be part of a larger intrusion at a U.S. software provider, new information suggests. The incident is the latest to raise alarms about the security protecting  so-called supervisory control and data acquisition system, or “SCADA” networks — increasingly Internet-connected systems designed to monitor and control complex industrial networks.

CNN is reporting that federal officials are investigating the attack, but quoted a Department of Homeland Security official downplaying the incident. Wired.com says the focus of the attack may be the Curran-Gardner Public Water District near Springfield, Ill. The Register quotes DHS’s Peter Boogaard saying the agency and the FBI are gathering facts surrounding the report of a water pump failure, but that “at this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The incident was first reported in a state cyber fusion notice dated Nov. 10, and soon was summarized on the blog by Joe Weiss, managing partner of Applied Control Solutions, a SCADA systems security firm. Weiss criticized the lack of response and alerting by the US-CERT, Department of Homeland Security, and the information sharing and analysis center (ISAC) run by the water industry.

Weiss read KrebsOnSecurity sections of the report, which traced the origin of the attack to Russian Internet addresses.

“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia.”

The alert also indicates that this attack may be linked to a SCADA provider that also serves other industries, in addition to the water sector. From the alert:

“The SCADA system that was used by the water district was produced by a software company based in the US. It is believed the hackers had acquired unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district systems.”

The intrusions apparently took place over several months, during which time the attackers remotely logged into the water district’s SCADA networks and toggled systems off and on, eventually causing the failure of a water pump at the facility.

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

The notice also stated that the method of attack appears to be similar to the recent compromise of servers at the Massachusetts Institute of Technology (MIT), which involved security weaknesses around phpMyAdmin, a popular Web-based database administration tool.

“This network intrusion is the same method of attack recently used against the MIT Server,” the water district alert stated. “The water district’s attack and the MIT attack both had references to PHPMyAdmin in the log files of the computer systems. It is unknown at this time the number of SCADA usernames and passwords acquired from the software company’s database, and if any additional systems have been attacked as a result of this theft.”

Michael Assante, president and CEO of the National Board of Information Security Examiners and a former chief security officer for the North American Electric Reliability Corporation (NERC), said the attack highlights the potential pitfalls of utilities increasingly turning to off-the-shelf commercial solutions and remote access to trim costs in an era of tight state and local budgets.

Continue reading

Pharma Wars: The Price of (in)Justice

November 17, 2011

I spoke this week at Govcert 2011, a security conference in Rotterdam.  The talk drew heavily on material from my Pharma Wars series, about the alleged proprietors of two competing rogue Internet pharmacies who sought to destroy the others’ reputation and business and ended up succeeding on both counts. Here is the latest installment.

For those who haven’t been following along, I’ve put together a cheat sheet on the main players, the back story and the conflict. Click here to skip this section.

Actors

Pavel Vrublevsky: Co-founder and Former chief executive officer of ChronoPay, until recently a major processor of electronic payments in Russia. Vrublevsky has been accused of running an illegal business, a rogue Internet pharmacy affiliate program called Rx-Promotion, and is currently in prison awaiting trial on unrelated cybercrime charges. Known to business partners as “Red” or “RedEye.”

Igor Gusev: Co-founded ChronoPay with Vrublevsky in 2003. Had a falling out with Vrublevsky in 2005, left ChronoPay and started the Internet pharmacy affiliate programs GlavMed and SpamIt. The latter was closed in Sept. 2010, and Gusev has been charged with running an illegal business. He is still at large.

Dmitry Stupin: Gusev’s right-hand man. Helped to build SpamIt and GlavMed. The logs below are from a set of logs leaked to several download sites that contain thousands of conversations between Stupin and Gusev. The logs were obtained shortly after the police detained Stupin as part of the criminal investigation into Gusev.

Conflict: Two former business partners-turned-competitors try to sabotage each others’ business and to get the other arrested.

The Conversation

The conversation below takes place between Feb. 21 and 23, 2010, and is a chat log between Gusev and Stupin. Gusev already knows there are plans to file criminal charges against him, which indeed come just seven months after this conversation was recorded. The two are discussing plans to pay more than $1.5 million to politicians and law enforcement to obtain a criminal prosecution of Vrublevsky.

Several attendees at Govcert 2011 asked about the likelihood of Vrublevsky serving time, if convicted. This chat may provide a clue. In the middle of the following conversation, Gusev says he has secured promises that if arrested, Vrublevsky “would remain in prison and would not be able to pay his way out,” Gusev wrote. “He is going to lose a large portion of his business and will be left with no money to fight the war.”

Continue reading

Title Firm Sues Bank Over $207k Cyberheist

November 14, 2011

A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime.

Sometime before June 2010, crooks infected computers of Vienna, Va. based Global Title Services with the ZeuS Trojan, giving them direct access to the company’s network and online banking passwords at then-Chevy Chase Bank (now Capital One). On June 1, 2010, the thieves made their move, and began sending a series of unauthorized wire transfers to money mules, individuals who were hired to help launder the funds and relay them to crooks overseas.

The first three wires totaled more than $200,000. When Global Title’s owner Priya Aurora went to log in to her company’s accounts 15 minutes prior to the first fraudulent transfers went out, she found the account was locked: The site said the account was overdue for security updates.

When Aurora visited the bank local Chase branch to get assistance, she was told she needed to deal with the bank’s back office customer service. Between June 2 and June 8, the thieves would send out 15 more wires totaling nearly $1.8 million. The bank ultimately was able to reverse all but the first three fraudulent wires on June 1.

Capital One declined to comment for this story, citing the ongoing litigation.

Global Title is suing Capital One, alleging the bank failed to act in good faith and failed to implement commercially reasonable security procedures for its online banking clients. The lawsuit notes that at the time of the breach, Capital One’s online banking system used single-factor authentication; it allowed commercial clients to log in and to transfer millions of dollars using nothing more than a username and password.

Continue reading