RSA Among Dozens of Firms Breached by Zero-Day Attacks

May 4, 2011
46 Comments

This is the second installment of a multi-part series examining the tools and tactics used by attackers in the RSA breach and other recent network intrusions characterized as “ultra-sophisticated” and “advanced persistent threats.”  If you missed the first piece, please check out Advanced Persistent Tweets: Zero-Day in 140 Characters.

The recent data breach at security industry giant RSA was disconcerting news to the security community: RSA claims to be “the premier provider of security, risk, and compliance solutions for business acceleration” and the “chosen security partner of more than 90 percent of the Fortune 500.”

The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests. What’s more, the assailants moved their operations from those sites very recently, after their locations were revealed in a report published online by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security.

In RSA’s explanation of the attack, it pointed to three domains that it claimed were used to download malicious software and to siphon sensitive data taken from its internal networks: Good[DOT]mincesur[DOT]com, up82673[DOT]hopto[DOT]org and www[DOT]cz88[DOT]net. But according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren’t merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.

What’s more, the same domains were sending and receiving Internet connections from dozens of Fortune 500 companies during that time, according to Atlanta-based Damballa, a company that mines data about malware attacks using a network of sensors deployed at Internet service providers and large enterprises around the world. Damballa monitors the domain name system (DNS) servers at those networks, looking for traffic between known good hosts and known or suspected hostile locations.

Gunter Ollmann, Damballa’s vice president of research, said that for more than a year his company has been monitoring the three malicious sites that RSA said were involved in the theft of its intellectual property, and that many other major companies have had extensive communications with those hostile domains during that time. He added that his company is not in a position to name the other companies impacted by the breach, and that Damballa is helping federal authorities with ongoing investigations.

“There is lots of malware that have relied on those domains for command and control,” Ollmann said. “We know who the victims are, roughly how many devices within those victim organizations were compromised, and are still compromised.  RSA was not the only victim of these attacks.”

Continue reading

Advanced Persistent Tweets: Zero-Day in 140 Characters

May 3, 2011
21 Comments

The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government often are described as being ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the Chinese developers of those attack tools left clues aplenty about their identities and locations, with one apparent contender even Tweeting about having newly discovered a vulnerability days in advance of its use in the wild.

Zero-day threats are attacks which exploit security vulnerabilities that a software vendor learns about at the same time as the general public  does;   The vendor has “zero days” to fix the flaw before it gets exploited. RSA and others have labeled recent zero-day attacks as the epitome of the so-called “advanced persistent threat” (APT), a controversial term describing the daily onslaught of digital assaults launched by attackers who are considered highly-skilled, determined and possessed of a long-term perspective on their mission. Because these attacks often result in the theft of sensitive and proprietary information from the government and private industry, the details usually are shrouded in secrecy when law enforcement and national security investigators swoop in.

Open source information available about the tools used in recent attacks labeled APT indicates that some of the actors involved are doing little to cover their tracks: Not only are they potentially identifiable, they don’t seem particularly concerned about suffering any consequences from their actions.

Bragging rights may play a part in the attackers’  lack of duplicity. On Apr. 11, 2011, security experts began publishing information about a new zero-day attack that exploited a previously unknown vulnerability in Adobe‘s Flash Player software, a browser plug-in installed in 96 percent of the world’s Microsoft Windows PCs .  The exploit code was hidden inside a Microsoft Word document titled “Disentangling Industrial Policy and Competition Policy.doc,” and reportedly was emailed to an unknown number of U.S. government employees and contractors.

Four days earlier, on Apr. 7, an individual on Twitter calling himself “Yuange” and adopting the humble motto “No. 1 hacker in China top hacker in the world,” tweeted a small snippet of exploit code, apparently to signal that he had advance knowledge of the attack:

call [0x1111110+0x08].

It wasn’t long before malware researchers were extracting that exact string from the innards of a Flash exploit that was landing in email inboxes around the globe.

Tweeting a key snippet of code hidden in a zero-day exploit in advance of its public release may seem like the hacker equivalent of Babe Ruth pointing to the cheap seats right before nailing a home run. But investigators say the Chinese Internet address used to download the malicious files in the early hours of the April Flash zero-day attacks — 123.123.123.123 — was in some ways bolder than most because that address  would appear highly unusual and memorable to any reasonably vigilant network administrator.

This wasn’t the first time Yuange had bragged about advance knowledge of impending zero-day attacks. On Oct. 27, 2010, he boasted of authoring a zero-day exploit targeting a previously unknown vulnerability in Mozilla’s Firefox Web browser:

Wrote the firefox 0day. You may see “for(inx=0’inx<0x8964;inx++). You should know why 0x8964 here.

That same day, experts discovered that the Web site for the Nobel Peace Prize was serving up malicious software that exploited a new vulnerability in Firefox. An analysis of the attack code published by a member of Mozilla’s security team revealed the exact code snippet Yuange had tweeted.

On February 28, 2011, Yuange taunted on Twitter that new zero-day traps were being set:

ready? new flash 0day is on the way.

On Mar. 14, Adobe acknowledged that a new Flash flaw was being exploited via a booby-trapped Flash component tucked inside of Microsoft Excel files. Three days after that, EMC’s security division RSA dropped a bombshell: Secret files related to its widely used SecurID authentication tokens had been stolen in “an extremely sophisticated cyber attack.” A follow-up blog post from RSA’s Uri River two weeks later stated that the break-in was precipitated by the zero-day Adobe had warned about on Mar. 14, and that the lure used in the attack on RSA was an Excel file named “2011 Recruitment Plan.”

Continue reading

Advertisement

‘Weyland-Yutani’ Crime Kit Targets Macs for Bots

May 2, 2011
51 Comments

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

Continue reading

FBI: $20M in Fraudulent Wire Transfers to China

April 27, 2011
51 Comments

The Federal Bureau of Investigation warned this week that cyber thieves have stolen approximately $20 million  over the past year from small to mid-sized U.S. businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies located near the country’s border with Russia.

The FBI said that between March 2010 and April 2011, it identified twenty incidents in which small to mid-sized organizations had fraudulent wire transfers to China after their online banking credentials were stolen by malicious software. The alert was sent out Tuesday in cooperation with the Internet Crime Complaint Center and the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium. The alert notes that actual victim losses are $11 million, suggesting that victim banks were able to claw back some of the fraudulent transfers.

The FBI says it doesn’t know who is behind these fraudulent transfers, but that the intended recipients are companies based in the Heilongjiang province of the People’s Republic of China, and that these firms are registered in port cities that are located near the Russia-China border. The agency says the companies all use the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official name of the companies also include the words “economic and trade,” “trade,” and “LTD”. The recipient entities usually hold accounts with a the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

From the advisory (PDF):

“In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing email or by visiting a malicious Web site. The malware harvests the user’s corporate online banking credentials. When the authorized user attempts to log in to the user’s bank Web site, the user is typically redirected to another Web page stating that the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.”

Continue reading

Millions of Passwords, Credit Card Numbers at Risk in Breach of Sony Playstation Network

April 26, 2011
59 Comments

Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information of up to 70 million customers.

In a post to the company’s PlayStation blog, Sony spokesman Patrick Seybold said the breach occurred between April 17 and April 19, and that user information on some PlayStation Network and Qriocity music streaming accounts was compromised. The company said it had engaged an outside security firm to investigate what happened, that it was rebuilding its system to better secure account information, and that it would soon begin notifying customers about the incident by email.

From that blog post:

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.”

In short, if you have a PlayStation account, your name, address, email, birthday, user name and password have been compromised, and if you gave Sony a credit card number to fund your account, that and the card’s expiration date may also may have been taken (Sony says no card security codes were lost). Obviously, this becomes a much bigger problem for users who have ignored advice about how to choose and use passwords: If you are a Sony customer and picked a password for your PlayStation account that matched the password for the email account you used to register at Sony, change your email password now.

The first signs of trouble came nearly a week ago, when the PlayStation network went offline. Sony subsequently published at several blog posts apologizing for the outage. On April 22, Sony acknowledged that its networks had been breached, and a day later the company said it was rebuilding its system, but it didn’t disclose the extent of the breach until today. Judging by the comments left on the company’s blog post today, many PlayStation users are irate over having been kept in the dark for so long about the severity of a breach that potentially affects their personal and financial information.

Continue reading

SpyEye Targets Opera, Google Chrome Users

April 26, 2011
73 Comments

The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers.

The author of the SpyEye trojan formerly sold the crimeware-building kit on a number of online cybercrime forums, but has recently limited his showroom displays to a handful of highly vetted underground communities. KrebsOnSecurity.com recently chatted with a member of one of these communities who has purchased a new version of SpyEye. Screenshots from the package show that the latest rendition comes with the option for new “form grabbing” capabilities targeting Chrome and Opera users.

SpyEye component in version 1.3.34 shows form grabbing options for Chrome and Opera

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard, but this kind of tracking usually creates too much extraneous data for the attackers, who mainly are interested in financial information such as credit card numbers and online banking credentials. Form grabbers accomplish this by stripping out any data that victims enter in specific Web site form fields, snarfing and recording that data before it can be encrypted and sent to the Web site requesting the information.

Both SpyEye and ZeuS have had the capability to do form grabbing against Internet Explorer and Firefox for some time, but this is the first time I’ve seen any major banking trojans claim the ability to target Chrome and Opera users with this feature.

Continue reading

Where Did That Scammer Get Your Email Address?

April 25, 2011
53 Comments

You’ve seen the emails: They claim to have been sent by a financial institution in a faraway land, or from a corrupt bureaucrat in an equally corrupt government. Whatever the ruse, the senders always claim to need your help in spiriting away millions of dollars. These schemes, known as “419,” “advance fee” and “Nigerian letter” scams seemingly have been around forever and are surprisingly effective at duping people. But where in the world do these scammers get their distribution lists, and how did you become a target?

Some of the more prolific spammers rely on bots that crawl millions of Web sites and “scrape” addresses from pages. Others turn to sellers on underground cybercrime forums. Additionally, there are a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, you can expect to pay about a penny per 1,000 addresses.

One long-running, open-air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. This enterprise is based in New Delhi, India, and advertises its email lists as “100% opt-in and 100 percent legal to use.” I can’t vouch for the company’s claims, but one thing seems clear: Many of its clients are from Nigeria, and many are fraudsters.

Stretching conspicuously across the middle of the site’s home page is a big green message to the site’s Nigerian clientele: “Don’t waste money/times/resources sending [Western Union or Moneygram], Use local deposit option.” The ad links to a page with a list of payment options, which shows that Nigerian customers can pay for their email lists by wiring the money directly from their bank accounts at several financial institutions in Lagos. BuyEmails.org further advises that, “Due to tremendously high rate of fraudulent payments we do not accept Credit Cards or PayPal.  E-Gold has closed, so we don’t accept it either.”

The site sells dozens of country-specific email lists.  Other lists are for oddly specific groups. For example, you can buy a list of one million insurance agent emails for $250. 300 beans will let you reach 1.5 million farmers;  $400 closes on 4 million real estate agents. Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of 6 million prospective work-at-home USA residents for just $99. A list of 1,041,977 USA Seniors (45-70 years old) is selling for $325.

Continue reading

Adobe Reader, Acrobat Update Nixes Zero Day

April 21, 2011
21 Comments

Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

The patch released today addresses two critical flaws. Adobe pushed out a patch for the standalone Flash Player last week, but that same vulnerable component exists in Adobe Reader and Acrobat. Initially, Adobe said it was only aware of attacks on the Flash Player but, in the the latest advisory, it acknowledged the existence of public reports that hackers have been sending out poisoned PDFs that exploit the Flash flaw. Malwaretracker.com, for example, reported that it was receiving reports of malicious PDFs attacking the Flash bug as early as Apr. 17.

The Reader/Acrobat patch also addresses another critical bug (a flaw in the CoolType library of Reader & Acrobat) that could allow attackers to install malicious software. Not much information is public about this vulnerability, except that Poland’s CERT is credited with reporting it. Adobe spokesperson Wiebke Lips said the company was not aware of any exploits in the wild targeting this bug.

The advisory for the latest version is here. Users on Windows and Macintosh can grab the update using the product’s update mechanism. To manually check for an update, open your Reader or Acrobat and choose Help > Check for Updates.

Are Megabreaches Out? E-Thefts Downsized in 2010

April 19, 2011
24 Comments

The number of financial and confidential records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a decrease that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations of all sizes are dealing with more frequent  and smaller breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent.

These are some of the conclusions drawn from Verizon‘s fourth annual Data Breach Investigations Report. The report measures data breaches based on compromised records, including the theft of Social Security numbers, intellectual property, and credit card numbers, among other things.

It’s important to note at the outset that Verizon’s report only measures loss in terms of records breached. Many businesses hit by cyber crooks last year lost hundreds of thousands of dollars apiece when thieves stole one set of records, such as their online banking credentials.

The data-rich 74-page study is based on information gleaned from Verizon and U.S. Secret Service investigations into about 800 new data compromise incidents since last year’s report (the study also includes an appendix detailing 30 cybercrime cases investigated by the Dutch National High Tech Crime Unit).

Although the report examines the data from more breaches in a single year than ever before (the total Verizon/US Secret Service dataset from all previous years included just over 900 breaches), Verizon found that the total number of breached records fell from 361 million in 2008 to 144 million in 2009 to just 4 million last year.

A good portion of the report is dedicated to positing what might be responsible for this startling decline, but its authors seem unwilling to let the security industry take any credit for it.

“An optimist may interpret these results as a sign that the security industry is WINNING! Sorry, Charlie”, the report says. “While we’d really like that to be the case, one year just isn’t enough time for such a wholesale improvement in security practices necessary to cut data loss so drastically.”

The study suggests a number of possible explanations. For example:

-There were relatively few huge data heists. Those which had been responsible for the majority of the breached records in the past few years were breaches involving tens of millions of stolen credit and debit cards. Those high profile attacks may have achieved fame and fortune for the attackers, but they also attracted a lot of unwanted attention.  Many of the past megabreaches ended in the capture and arrest of those responsible, such the case of Albert Gonzales, the former Secret Service informant who was sentenced last year to 20 years in prison for his role in the theft of 130 million credit and debit card numbers from card processing giant Heartland Payment Systems. “Those that wish to stay out of jail may have changed their goals and tactics to stay  under the radar,” the report notes. “This could be one of the chief reasons behind the rash of ‘mini breaches’ involving smaller organizations.”

-Megabreaches of years past flooded criminal underground markets with so many stolen card numbers that their value plummeted. Criminals’ attention may have turned to stealing other lower profile data types, such as bank account credentials, personal information and intellectual property. In other words, criminals might opt to let the markets clear before stealing more huge quantities or selling what they already had purloined. “It’s worth noting that a lot of the cards that were stolen over the last few years in these megabreaches probably are going to start expiring soon,” said Bryan Sartin, director of investigative response at Verizon Business. “So we could be in a holding pattern right now.”

Continue reading

Time to Patch Your Flash

April 15, 2011
47 Comments

If it seems like you just updated your Flash Player software to plug a security hole that attackers were using to break into computers, you’re probably not imagining things: Three weeks ago, Adobe rushed out a new version to sew up a critical new security flaw. Today, Adobe issued a critical Flash update to eliminate another dangerous security hole that criminals are actively exploiting.

This new update addresses a vulnerability first detailed here at KrebsOnSecurity.com on Tuesday, and Adobe deserves credit for responding quickly with a patch. But there are few things that are simple about updating Flash, which ships in a dizzying array of version numbers and for many users must be deployed at least twice to cover all browsers. In addition, users may have to uninstall the existing version before updating to guarantee a trouble-free install. Also, Adobe Air will need to be updated if that software also is already installed. Finally, fixing this same vulnerability in Adobe Reader and Acrobat will require installing another patch, which won’t be out for at least another 10 days.

Continue reading