Author Archives: Hacker Medic

The four most important online security events of 2014

From major vulnerabilities to cyberespionage, Symantec looks at what the past year has brought and what it means for the future.

events-2014-concept-600x315-socialmedia.jpg

With such an array of security incidents in 2014—from large-scale data breaches to vulnerabilities in the very foundation of the web—it’s difficult to know which to prioritize. Which developments were merely interesting and which speak of larger trends in the online security space? Which threats are remnants from the past and which are the indications for what the future holds?

The following are four of the most important developments in the online security arena over the past year, what we learned (or should have learned) from them, and what they portend for the coming year.

The discovery of the Heartbleed and ShellShockBash Bug vulnerabilities
In spring 2014, the Heartbleed vulnerability was discovered. Heartbleed is a serious vulnerability in OpenSSL, one of the most common implementations of the SSL and TLS protocols and used across many major websites. Heartbleed allows attackers to steal sensitive information such as login credentials, personal data, or even decryption keys that can lead to the decryption of secure communications.

Then, in early fall, a vulnerability was found in Bash, a common component known as a shell, which is included in most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is, itself, based around Unix). 

Known as ShellShock or the Bash Bug, this vulnerability allows an attacker to not only steal data from a compromised computer, but also to gain control over the computer itself, potentially providing them with access to other computers on the network.

Heartbleed and ShellShock turned the spotlight on the security of open-source software and how it is at the core of so many systems that we rely on for e-commerce. For vulnerabilities in proprietary software we just need to rely on a single vendor to provide a patch. However, when it comes to open-source software, that software may be integrated into any number of applications and systems. This means that an administrator has to depend on a variety of vendors to supply patches. With ShellShock and Heartbleed there was a lot of confusion regarding the availability and effectiveness of patches. Hopefully this will serve as a wake-up call for how we need greater coordinated responses to open-source vulnerabilities, similar to the MAPP program

Moving forward, new threats like these will continue to be discovered in open-source programs. But while this is potentially a rich, new area for attackers, the greatest risk continues to come from vulnerabilities that are known, but where the appropriate patches aren’t being applied. This year’s Internet Security Threat Report showed that 77 percent of legitimate websites had exploitable vulnerabilities. So, yes, in 2015 we’ll see attackers using Heartbleed or ShellShock, but there are hundreds of other unpatched vulnerabilities that hackers will continue to exploit with impunity.

Coordinated cyberespionage and potential cybersabotage: Dragonfly and Turla
The Dragonfly group, which appears to have been in operation since at least 2011, initially targeted defense and aviation companies in the US and Canada, before shifting its focus mainly to energy firms in early 2013. Capable of launching attacks through several different vectors, its most ambitious attack campaign compromised a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This gave the attackers full access to systems where this software was installed. While this provided the attackers with a beachhead into target organizations in order to carry out espionage activities, many of these systems were running ICS programs used to control critical infrastructure such as petroleum pipelines and energy grids. While no cybersabotage was seen in these attacks, no doubt the attackers had the ability and could have launched such attacks at any time. Perhaps they chose to lie in wait and were interrupted before they could move on. 

Dragonfly also used targeted spam email campaigns and watering hole attacks to infect targeted organizations. Similarly, the group behind the Turla malware also uses a multi-pronged attack strategy to infect victims through spear-phishing emails and watering hole attacks. The watering hole attacks display extremely targeted compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. The attackers would also save their most sophisticated surveillance tools for high-value targets. Turla’s motives are different to Dragonfly, however. The Turla attackers are carrying out long-term surveillance against embassies and government departments, a very traditional form of espionage. 

Both the Dragonfly and Turla campaigns bear the hallmarks of state-sponsored operations, displaying a high degree of technical capability and resources. They are able to mount attacks through multiple vectors and compromised numerous third-party websites, with their apparent purpose being cyberespionage—and sabotage as a secondary capability for Dragonfly. 

These campaigns are just examples of the many espionage campaigns we see on an almost daily basis. This is a global problem and shows no sign of abating, with attacks such as Sandworm also leveraging a number of zero-day vulnerabilities. Given the evidence of deep technical and financial resources these attacks are very likely state-sponsored. 

Credit cards in the crosshairs
The lucrative business of selling stolen credit or debit card data on the black market makes these cards a prime target for bad guys. 2014 saw several high-profile attacks targeting point-of-sale (POS) systems to obtain consumers’ payment card information. One factor making the US a prime target is the failure to adopt the chip-and-PIN system, known as EMV (Europay, MasterCard and VISA), which offers more security than magnetic stripe-based cards. The attacks used malware which can steal the information from the payment card’s magnetic stripe as it is read by the computer and before it is encrypted. This stolen information can then be used to clone that card. Because EMV card transaction information is uniquely encoded every time, it’s harder for criminals to pick up useful payment data pieces and use them again for another purchase. However, EMV cards are just as susceptible to being used for fraudulent online purchases.

Apple Pay, which basically turns your mobile phone into a “virtual wallet” by using near-field communication (NFC) technology, was also launched in 2014. NFC is a type of communication that involves wirelessly transmitting data from one hardware device to another physical object nearby, in this case a cash register. 

While NFC payment systems have been around for a while now, we expect to see an uptick in consumer adoption of this technology in the coming year, as more smartphones support the NFC standard. It’s worth noting that while NFC systems are more secure than magnetic stripes, there is still a possibility of hackers exploiting them, although this would require the bad guys to target individual cards and wouldn’t result in large scale breaches or theft like we have seen in the US. However, the payment technology used won’t protect against retailers who aren’t storing payment card data securely, they’ll still need to be vigilant in protecting stored data. 

Increased collaboration with law enforcement 
Now, for a bit of good news: 2014 saw many examples of international law enforcement teams taking a more active and aggressive stance on cybercrime by increasingly collaborating with the online security industry to take down cybercriminals.

Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry-level hackers right up to sophisticated cybercriminal groups. In May of 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on the use of Blackshades (also known as W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, providing information that allowed the agency to track down those suspected of involvement. 

Just one month later, the FBI, the UK’s National Crime Agency, and a number of international law enforcement agencies, working in tandem with Symantec and other private sector parties, significantly disrupted two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. This resulted in the FBI seizing a large amount of infrastructure used by both threats. 

While these takedowns are part of an ongoing effort, we won’t see cybercrime disappearing overnight. Both private industry and law enforcement will need to continue to cooperate to have long-lasting impact. As the rate and sophistication of cyberattacks grows, we expect to see a continuation of this trend of collaboration to track down cybercriminals and stop them in their tracks.

So, there you have it, my take on the four most important online security events of 2014. Of course, there’s still a few weeks left before we ring in 2015, so we may yet see other events arise, but you can trust that Symantec is here and that we’ve got your back, no matter what the future may bring!

CloudyOmega ??: ??????????????????????????????????

今回の攻撃は、LadyBoyle の実行グループや HiddenLynx など、他の悪名高い攻撃グループと密接なつながりのある攻撃グループによって実行されています。

ジャストシステム社は、一太郎製品群(日本語オフィススイートソフトウェア)のゼロデイ脆弱性を修正するための更新を公開しました。この脆弱性は、日本の組織を標的とする攻撃で活発に悪用されています。

今回の攻撃では、悪質な一太郎文書ファイルが添付された電子メールが標的の組織に送信されます。シマンテック製品は、このファイルを Bloodhound.Exploit.557 として検出します。ペイロードには、Backdoor.EmdiviBackdoor.Korplug、または Backdoor.ZXshell が含まれている可能性がありますが、これらはすべて、侵入先のコンピュータから機密情報を盗み取るためのものです。

電子メールの内容は標的となる組織の業務に応じて異なりますが、いずれも最近の日本における政治的な出来事に関するものです。悪質な添付ファイルを一太郎で開くと、ペイロードが投下されるとともに文書が表示されます。この手の攻撃では、多くの場合、文書ビューアをクラッシュさせてから再起動してクリーンな文書を開くことによって、正規の文書に見せかけようようとします。今回の攻撃では、一太郎をクラッシュさせることなく文書を開いてペイロードを投下するため、被害者は、バックグラウンドで実際に起こっていることに気が付きません。

CloudyOmega
以前にブログで取り上げたとおり、パッチ未適用の一太郎の脆弱性に対する攻撃は、今に始まったことではありません。しかし、調査の結果、今回のゼロデイ攻撃は、日本のさまざまな組織を標的とする継続的なサイバースパイ攻撃の一環であることがわかっています。シマンテックは、この攻撃を CloudyOmega と名付けました。ペイロードとしては Backdoor.Emdivi の亜種が常に利用されており、すべての攻撃において電子メールに添付されて標的のコンピュータに送り込まれます。多くの場合、添付ファイルは、偽のアイコンが表示された単純な実行可能ファイルですが、一部のファイルは各種ソフトウェアの脆弱性を悪用しています。今回の一太郎の脆弱性は、その 1 つにすぎません。攻撃グループの主な目的は、標的の組織から機密情報を盗み取ることです。ここでは、一連の攻撃活動の時系列、感染経路、マルウェアのペイロード、そして攻撃を実行しているグループについて考察します。

活動の時系列
最初の攻撃は少なくとも 2011 年まで遡ります。図 1 は、標的となった業種と攻撃件数を年別に示しています。攻撃は初期には非常に慎重に実行されていましたが、2014 年になってから本格化しました。これまでのところ、CloudyOmega 攻撃で最も多く狙われているのは公共部門です。このことが、攻撃グループの正体を探るための手掛かりになるでしょう。

CloudyOmega 1 edit.png
図 1. 標的の業種と攻撃件数の内訳

攻撃経路
攻撃に利用されている主な感染経路は電子メールです。

CloudyOmega 2 edit.png
図 2. 攻撃に使用された電子メールの例

図 2 は最近の攻撃で使用された電子メールの一例で、一太郎のゼロデイ脆弱性を悪用する攻撃の前段階となるものです。添付されている zip ファイルはパスワードで保護されており、中にはマルウェアが含まれています。皮肉なことに、セキュリティの基本対策(ベストプラクティス)に従って、パスワードは別の電子メールで送信すると記載されていますが、これは、正規の信頼できる送信元から届いたと信じこませようとしているにすぎません。本文には、添付ファイルに医療費の通知が含まれていることが簡潔に記載され、添付ファイルを Windows コンピュータで開くよう求めています。zip 内のファイルには Microsoft Word のアイコンが表示されていますが、Windows エクスプローラで確認できるように、実際には実行可能ファイルです。

CloudyOmega 3 edit.png
図 3. 添付されている「文書」は実際には悪質な実行可能ファイル

ペイロード
ペイロードは Backdoor.Emdivi であり、侵入先のコンピュータでバックドアを開きます。このマルウェアは CloudyOmega による一連の攻撃でのみ利用されており、2011 年に日本の化学会社に対する攻撃で初めて確認されました。Emdivi を使うと、リモートの攻撃者は、HTTP を介してコマンドの実行結果をコマンド & コントロール(C&C)サーバーに送信することができます。

Emdivi の亜種にはそれぞれ一意のバージョン番号があり、タイプ S またはタイプ T のいずれかに属します。一意のバージョン番号があるのは、Emdivi が体系的に管理されている証拠です。さらに、バージョン番号に単語を追加したものをベースにハッシュ値が生成され、暗号化キーとして使用されています。

タイプ S とタイプ T では次の機能が共通しています。

  • リモートの攻撃者が HTTP を介してコードを実行できる
  • Internet Explorer に保存されている認証情報を盗み取る

CloudyOmega 攻撃で主に使用されているのは、タイプ T です。C++ プログラム言語で記述されており、2011 年に攻撃が開始されてから継続的に進化を重ねています。セキュリティ企業やネットワーク管理者から自身を保護するための技術を備え、接続先の C&C サーバーのアドレスや保護メカニズムなど、タイプ T の重要な部分は暗号化されています。また、次のような自動分析システムやデバッガの存在を検出します。

  • 仮想マシン
  • デバッガ
  • サンドボックス

一方、タイプ S が一連の攻撃で使用されたのは 2 回だけです。タイプ S は同じソースコードに基づく .Net アプリケーションで、C&C インフラをタイプ T と共用しています。しかし、活動を継続するために不可欠な保護メカニズムや暗号化機能は備えていません。タイプ S について興味深いのは、インターネットからランダムに取得したとみられる日本語の文を使ってファイルのハッシュ値を変更する機能です。たとえば、図 4 のように、特殊相対性理論を説明する文が使用されています。

CloudyOmega 4 edit.png
図 4. Emdivi のタイプ S の亜種で使用されている日本語の文

Emdivi の通信先
Emdivi は、感染すると、ハードコード化された C&C サーバーに HTTP プロトコルを介して接続します。

これまでに、58 種類の Emdivi の亜種から、重複を含まず合計 50 件のドメインが特定されています。C&C サーバーとして利用された Web サイトは、ほぼすべてが小規模企業が所有するサイトや個人ブログなど、侵害された日本の Web サイトです。50 件の Web サイトのうち、13 個の IP アドレスに分布する 40 件は、日本に拠点を置く単一のクラウドホスティングサービスでホストされています。

CloudyOmega 5.png
図 5. 侵害された複数の Web サイトが、単一の IP アドレスでホストされている

侵害されたサイトは、さまざまな Web サイトプラットフォーム上で Apache や Microsoft Internet Information Services(IIS)など各種の Web サーバーソフトウェアによってホストされています。このことから、単一のソフトウェア製品や Web サイトプラットフォームの脆弱性を突かれて侵害されたのではないことが分かります。攻撃者は何らかの手段でクラウドサービス自体を侵害して、複数の Web サイトを Backdoor.Emdivi の C&C サーバーとして改ざんしたのです。

侵害されたクラウドホスティング会社には通知済みですが、このブログの執筆時点ではまだ返答がありません。

シマンテックでは、感染したコンピュータと Emdivi の C&C サーバーとの間のネットワーク通信を検知して遮断するために、次の 2 つの IPS シグネチャを提供しています。

ゼロデイ脆弱性と他のサイバー犯罪グループとのつながり
調査を進めるなかで一連の攻撃に関連する複数のサンプルが特定されたことから、他の攻撃グループとのつながりが見えてきました。

2012 年 8 月、CloudyOmega の攻撃者は Adobe Flash Player と AIR に存在する copyRawDataTo() の整数オーバーフローの脆弱性(CVE-2012-5054)を悪用して、日本の有名な組織を標的とする攻撃を実行しています。攻撃者は、脆弱性を悪用するように細工された SWF ファイルを含む Microsoft Word ファイルを送信しました。脆弱性の悪用に成功すると Backdoor.Emdivi がインストールされます。CVE-2012-5054 は同月に公表されたものであり、この攻撃で利用された当時はゼロデイ脆弱性でした。

さらに興味深いことに、2012 年の Emdivi 攻撃で使用された Flash ファイルと 2013 年の LadyBoyle 攻撃で使用された Flash ファイルは、非常によく似ています。

図 6 は、Adobe Flash Player に存在するリモートメモリ破損の脆弱性(CVE-2013-0634)の悪用を試みる LadyBoyle() コードを実行する、不正な形式の SWF ファイルを示しています。この Flash ファイルは、CloudyOmega グループと同じフレームワークを使って作成されたと思われますが、別の悪用コードが組み込まれています。

CloudyOmega 6 edit.png
図 6. 2013 年 2 月の LadyBoyle 攻撃で使用された不正な形式の SWF ファイル

両方の攻撃において、バックドアをインストールするための Adobe Flash のゼロデイ悪用コードを含む .doc ファイルが使用されています。2 つの攻撃を関連付ける証拠は他にはありませんが、Elderwood プラットフォームのブログで説明したとおり、単一の上位グループから複数のサブグループが派生して、それぞれが特定の業種を狙っている可能性が高いと考えられます。

一太郎の脆弱性を悪用する今回の攻撃では、収集された JTD ファイルのサンプル十数件はすべて、ペイロード以外はまったく同一のものでした。上位グループが複数のサブグループに、攻撃ツールキットの一部としてゼロデイ悪用コードを提供し、各グループがそれぞれマルウェアを選択して別々に攻撃を実行したものと思われます。今回のゼロデイ攻撃で Backdoor.Emdivi、Backdoor.Korplug、Backdoor.ZXshell という 3 つの異なるペイロードが確認されているのは、このためでしょう。

fig9_0.png
図 7. ゼロデイ悪用コードを共有する上位グループ

結論
CloudyOmega 攻撃を実行しているグループは、LadyBoyle の実行グループや HiddenLynx など、他の悪名高い攻撃グループと密接なつながりがあります。CloudyOmega 攻撃は 2011 年から確認されており、日本の組織を狙って執拗に活動を継続しています。今回、ゼロデイ脆弱性を悪用した攻撃が実行されたということは、攻撃グループは当面の間、活動を停止する気配がないということです。シマンテックセキュリティレスポンスは CloudyOmega グループに対して注意深く監視を続けていきます。

保護対策
一太郎製品をお使いのお客様は、できるだけ早くパッチを適用することを強くお勧めします。

シマンテック製品をお使いのお客様は、次の検出定義によって、CloudyOmega に関連する攻撃から保護されています。

ウイルス対策

侵入防止システム

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Microsoft Patch Tuesday – November 2014

      No Comments on Microsoft Patch Tuesday – November 2014
This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month’s issues are rated ’Critical’.

ms-tuesday-patch-key-concept-white-light 2_0.png

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month’s issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-nov

The following is a breakdown of the issues being addressed this month:

  1. MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

    Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.

    Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when a user downloads, or receives, and then opens a specially crafted Microsoft Office file that contains OLE objects.

  2. MS14-065 Cumulative Security Update for Internet Explorer (3003057)

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6349) MS Rating: Important

    An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

    Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6350) MS Rating: Important

    An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

    Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323) MS Rating: Important

    An information disclosure vulnerability exists when Internet Explorer does not properly restrict access to the clipboard of a user who visits a website. The vulnerability could allow data stored on the Windows clipboard to be accessed by a malicious site. An attacker could collect information from the clipboard of a user if that user visits the malicious site.

    Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339) MS Rating: Important

    A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, which could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.

  3. MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

    Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) MS Rating: Critical

    A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets.

  4. MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

    MSXML Remote Code Execution Vulnerability (CVE-2014-4118) MS Rating: Critical

    A remote code execution vulnerability exists when Microsoft XML Core Services (MSXML) improperly parses XML content, which can corrupt the system state in such a way as to allow an attacker to run arbitrary code. The vulnerability could allow a remote code execution if a user opens a specially crafted file or webpage.

  5. MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

    Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.

    Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334) MS Rating: Important

    A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

    Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335) MS Rating: Important

    A remote code execution vulnerability exists in the context of the local user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

  6. MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)

    TCP/IP Elevation of Privilege Vulnerability (CVE-2014-4076) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows TCP/IP stack (tcpip.sys, tcpip6.sys) that is caused when the Windows TCP/IP stack fails to properly handle objects in memory during IOCTL processing.

  7. MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)

    Windows Audio Service Vulnerability (CVE-2014-6322) MS Rating: Important

    An elevation of privilege vulnerability exists in the Windows audio service component that could be exploited through Internet Explorer. The vulnerability is caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges.

  8. MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)

    TypeFilterLevel Vulnerability (CVE-2014-4149) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.

  9. MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

    SharePoint Elevation of Privilege Vulnerability (CVE-2014-4116) MS Rating: Important

    An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize page content in SharePoint lists. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.

  10. MS14-074 Vulnerability in Remote Desktop Protocol could allow Security Feature Bypass (3003743)

    Remote Desktop Protocol (RDP) Failure to Audit Vulnerability (CVE-2014-6318) MS Rating: Important

    A security feature bypass vulnerability exists in Remote Desktop Protocol (RDP) when RDP does not properly log failed logon attempts. The vulnerability could allow an attacker to bypass the audit logon security feature. The security feature bypass by itself does not allow an arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability.

  11. MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

    IIS Security Feature Bypass Vulnerability (CVE-2014-4078) MS Rating: Important

    A security feature bypass vulnerability exists in Internet Information Services (IIS) that is caused when incoming web requests are not properly compared against the ‘IP and domain restriction’ filtering list.

  12. MS14-077 Vulnerability in Active Directory Federation Services could allow Information Disclosure (3003381)

    Active Directory Federation Services Information Disclosure Vulnerability (CVE-2014-6331) MS Rating: Important

    An information disclosure vulnerability exists when Active Directory Federation Services (AD FS) fails to properly log off a user. The vulnerability could allow an unintentional information disclosure.

  13. MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)

    Microsoft IME (Japanese) Elevation of Privilege Vulnerability (CVE-2014-4077) MS Rating: Moderate

    An elevation of privilege vulnerability exists in Microsoft IME for Japanese that is caused when a vulnerable sandboxed application uses Microsoft IME (Japanese).

  14. MS14-079 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)

    Denial of Service in Windows Kernel Mode Driver Vulnerability (CVE-2014-6317) MS Rating: Moderate

    A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Countdown to Zero Day—Did Stuxnet escape from Natanz?

Symantec’s analysis on the Stuxnet worm features in new Kim Zetter book.

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

countdowncover.png
Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In the chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees”

This is a different story from the one that David Sanger’s sources painted in his New York Times article and in his book “Confront and Conceal”. Sanger states:

“. . . an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed [Stuxnet] to escape Iran’s Natanz plant and sent it around the world on the Internet.”

So which is right? Did Stuxnet originate outside of Natanz and spread all over the world with the hopes of eventually entering Natanz? Or did Stuxnet start inside of Natanz and accidentally escape due to a programming error?

Tracing the spread of Stuxnet
We actually covered how Stuxnet originated in a blog post in February 2011. Let’s start with whether it is possible to track Stuxnet’s origin back to specific companies in Iran.

Normally, it would not be possible to state with 100 percent accuracy where an infection started. However, in the case of Stuxnet version 1.x, the attackers left a trail behind which allows analysts to trace the specific genealogy of each sample. This is possible because every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected. As Stuxnet spreads from computer to computer, the list grows and grows. By examining this list, we can trace back from one entry to the next, extracting computer information from each entry. These are the breadcrumbs we can follow to get back to the original compromised computers.

What do the breadcrumbs look like?
Each entry in the list looks like the data shown in the following image. Although this may not make sense at first, by analyzing the code within Stuxnet, we can find out what each number represents.

stuxnetentry.png
Figure 2. List entry of compromised computers

Among other information, the computer name, domain name, date, and IP address are stored in each entry. We can extract information from previous data, which is shown in the following image.

stuxnetentrydetails.png
Figure 3. Details stored in each entry

By looking at each entry in the list embedded in any sample, we can see how the threat moved from one computer to the next. The real computer names and domains have been anonymized.

Figure 4. List of compromised computers from one sample shows how Stuxnet spread

In the previous image, we can see Stuxnet’s path through the first six compromised computers. This information was extracted from one sample. When we look at the first six infections from a different sample, we get the following path.

stuxnetpatha.png
Figure 5. List of compromised computers from another sample shows different movement pattern

The two samples’ first four entries are the same but after that, the samples moved in two different directions. At the fifth step, one sample compromised a computer on the WORKGROUP domain while the other sample compromised a computer on the MSHOME network.

Using this data, we graphed the spread of Stuxnet infections. See pages eight to ten of our Stuxnet whitepaper for more details.

stuxnetpathb.png
Figure 6. Spread of Stuxnet infections

Many computers and domains used generic names that do not provide much insight into the targets. For example, WORKGROUP and MSHOME—two default workgroup names—appear very frequently in the breadcrumb logs. However, we were able to identify all of the places where Stuxnet infections originated, and they were all in Iran.

The verdict
So did Stuxnet spread into Natanz as Zetter says or escape out of Natanz as Sanger reported?

Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz. In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work.

This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz.

Unfortunately, these breadcrumbs are only available for Stuxnet version 1.x. There was at least one previous version of Stuxnet released, version 0.5 (which we analyzed in our whitepaper), for which this infection path information is not available.

While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the conversation timeframe (the summer of 2010) outlined in the Sanger article. As a result, it is unlikely the 0.5 version is the subject of his article.

To make up your own mind, you should read Kim Zetter’s “Countdown to Zero Day”, which is out today.

3010060 – Vulnerability in Microsoft OLE Could Allow Remote Code Execution – Version: 2.0

Revision Note: V2.0 (November 11, 2014): Advisory updated to reflect publication of security bulletin.Summary: Microsoft has completed the investigation into a public report of a vulnerability. We have issued Microsoft Security Bulletin MS14-064 to add…

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 31.0

Revision Note: V31.0 (November 11, 2014): V31.0 (November 11, 2014): Added the 3004150 update to the Current Update section.Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported edit…

Operation CloudyOmega: Ichitaro zero-day and ongoing cyberespionage campaign targeting Japan

The campaign was launched by an attack group that has communication channels with other notorious attack groups including Hidden Lynx and the group responsible for LadyBoyle.

JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. This vulnerability is being actively exploited in the wild to specifically target Japanese organizations.

The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Bloodhound.Exploit.557. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell; however, all payloads aim to steal confidential information from the compromised computer.

The content of the emails vary depending on the business interest of the targeted recipient’s organization; however, all are about recent political events associated with Japan. Opening the malicious attachment with Ichitaro will drop the payload and display the document. Often such exploitation attempts crash and then relaunch the document viewer to open a clean document in order to trick users into believing it is legitimate. In this particular attack, opening the document and dropping the payload are done without crashing Ichitaro and, as such, users have no visual indications as to what is really happening in the background.

CloudyOmega
As Security Response previously discussed, unpatched vulnerabilities being exploited is nothing new for Ichitaro. However, during our investigation of this Ichitaro zero-day attack, we discovered that the attack was in fact part of an ongoing cyberespionage campaign specifically targeting various Japanese organizations. Symantec has named this attack campaign CloudyOmega. In this campaign, variants of Backdoor.Emdivi are persistently used as a payload. All attacks arrive on the target computers as an attachment to email messages. Mostly the attachments are in a simple executable format with a fake icon. However, some of the files exploit software vulnerabilities, and the aforementioned vulnerability in Ichitaro software is only one of them. This group’s primary goal is to steal confidential information from targeted organizations. This blog provides insights into the history of the attack campaign, infection methods, malware payload, and the group carrying out the attacks.

Timeline
The first attack of the campaign can be traced back to at least 2011. Figure 1 shows the targeted sectors and the number of attacks carried out each year. The perpetrators were very cautious launching attacks in the early years with attacks beginning in earnest in 2014. By far, the public sector in Japan is the most targeted sector hit by Operation CloudyOmega. This provides some clue as to who the attack group is.

CloudyOmega 1 edit.png
Figure 1. Targeted sectors and number of attacks

Attack vector
Email is the predominant infection vector used in this campaign.

CloudyOmega 2 edit.png
Figure 2. Sample email used in attack campaign

Figure 2 is an example of an email used in recent attacks prior to those exploiting the Ichitaro zero-day vulnerability. The emails include password-protected .zip files containing the malware. Ironically, the attackers follow security best practices by indicating in the first email that the password will be sent to the recipient in a separate email. This is merely to trick the recipient into believing the email is from a legitimate and trustworthy source. The body of the email is very short and claims the attachment includes a medical receipt. The email also requests that the recipient open the attachment on a Windows computer. The file in the attachment has a Microsoft Word icon but, as indicated within Windows Explorer, it is an executable file.

CloudyOmega 3 edit.png
Figure 3. Attached “document” is actually a malicious executable file

Payload
The malicious payload is Backdoor.Emdivi, a threat that opens a back door on the compromised computer. The malware is exclusively used in the CloudyOmega attack campaign and first appeared in 2011 when it was used in an attack against a Japanese chemical company. Emdivi allows the remote attacker executing the commands to send the results back to the command-and-control (C&C) server through HTTP.

Each Emdivi variant has a unique version number and belongs to one of two types: Type S and Type T. The unique version number is not only a clear sign that Emdivi is systematically managed, but it also acts as an encryption key. The malware adds extra words to the version number and then, based on this, generates a hash, which it uses as an encryption key.

Both Emdivi Type S and Type T share the following functionality:

  • Allow a remote attacker to execute code through HTTP
  • Steal credentials stored by Internet Explorer

Type T is primarily used in Operation CloudyOmega, has been in constant development since the campaign was first launched in 2011, and is written in the C++ programing language. Type T employs techniques to protect itself from security vendors or network administrators. Important parts of Type T, such as the C&C server address it contacts and its protection mechanisms, are encrypted. Type T also detects the presence of automatic analysis systems or debuggers, such as the following:

  • VirtualMachine
  • Debugger
  • Sandbox

Type S, on the other hand, was used only twice in the attack campaign. Type S is a .NET application based on the same source code and shared C&C infrastructure as Type T. However, protection mechanisms and encryption, essential features for threat survival, are not present in Type S. One interesting trait of Type S is that it uses Japanese sentences that seem to be randomly taken from the internet to change the file hash. For instance, in the example shown in Figure 4, it uses a sentence talking about the special theory of relativity.

CloudyOmega 4 edit.png
Figure 4. Japanese text used by Emdivi Type S variant

Who is Emdivi talking to?
Once infected, Emdivi connects to hardcoded C&C servers using the HTTP protocol.

So far, a total of 50 unique domains have been identified from 58 Emdivi variants. Almost all websites used as C&C servers are compromised Japanese websites ranging from sites belonging to small businesses to personal blogs. We discovered that 40 out of the 50 compromised websites, spread across 13 IP addresses, are hosted on a single cloud-hosting service based in Japan.

CloudyOmega 5.png
Figure 5. Single IP hosts multiple compromised websites

The compromised sites are hosted on various pieces of web server software, such as Apache and Microsoft Internet Information Services (IIS), and are on different website platforms. This indicates that the sites were not compromised through a vulnerability in a single software product or website platform. Instead, the attacker somehow penetrated the cloud service itself and turned the websites into C&C servers for Backdoor.Emdivi.

The compromised cloud hosting company has been notified but, at the time of writing, has not replied.

Symantec offers two IPS signatures that detect and block network communication between infected computers and the Emdivi C&C server:

Zero-day and links to other cybercriminal groups
During our research, multiple samples related to this attack campaign were identified and allowed us to connect the dots, as it were, when it came to CloudyOmega’s connections to other attack groups.  

In August 2012, the CloudyOmega attackers exploited the zero-day Adobe Flash Player and AIR ‘copyRawDataTo()’ Integer Overflow Vulnerability (CVE-2012-5054) in an attack against a high-profile organization in Japan. The attackers sent a Microsoft Word file containing a maliciously crafted SWF file that exploited the vulnerability. Once successfully exploited, the file installed Backdoor.Emdivi. As CVE-2012-5054 was publicly disclosed in the same month, the attack utilized what was, at the time, a zero-day exploit.

Interestingly, the Flash file that was used in an Emdivi attack in 2012 and the one used in the LadyBoyle attack in 2013 look very similar.

Figure 6 shows the malformed SWF file executing LadyBoyle() code that attempts to exploit the Adobe Flash Player CVE-2013-0634 Remote Memory Corruption Vulnerability (CVE-2013-0634). The Flash file seems to have been created using the same framework used by the CloudyOmega group, but with a different exploit.

CloudyOmega 6 edit.png
Figure 6. Malformed SWF file used in the LadyBoyle campaign in February 2013

Both attacks use a .doc file containing an Adobe Flash zero-day exploit that is used to install a back door. No other evidence connects these two different campaigns; however, as described previously in Symantec Security Response’s Elderwood blog, it is strongly believed that a single parent organization has broken into a number of subgroups that each target a particular industry.

In terms of the latest attack on Ichitaro, we collected a dozen samples of JTD files, all of which are exactly the same except for their payload. The parent organization, it would seem, supplied the zero-day exploit to the different subgroups as part of an attack toolkit and each group launched a separate attack using their chosen malware. This is why three different payloads (Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell) were observed in the latest zero-day attack.

fig9_0.png
Figure 7. Parent group sharing zero-day exploit

Conclusion
Operation CloudyOmega was launched by an attack group that has communication channels with other notorious attack groups including Hidden Lynx and the group responsible for LadyBoyle. CloudyOmega has been in operation since 2011 and is persistent in targeting Japanese organizations. With the latest attack employing a zero-day vulnerability, there is no indication that the group will stop their activities anytime soon. Symantec Security Response will be keeping a close eye on the CloudyOmega group.

Protection summary
It is highly recommended that customers using Ichitaro products apply any patches as soon as possible.

Symantec offers the following protection against attacks associated with Operation CloudyOmega:

AV

IPS

When tech support scams meet Ransomlock

      No Comments on When tech support scams meet Ransomlock
A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue.

Ransomlock 1.jpg

What’s true for businesses is also true for scams and malware, to remain successful they must evolve and adapt. Sometimes ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again they too borrow ideas from each other. We recently came across an example of this when we discovered a technical-support phone scam that uses a new ransomware variant (Trojan.Ransomlock.AM) that locks the user’s computer and tricks them into calling a phone number to get technical help to resolve the issue.

A game of two halves:

Ransomware

Ransomware can be divided into two main categories: Ransomware that simply locks the compromised computer’s screen (Trojan.Ransomlock), and ransomware that encrypts files found on the compromised computer (Trojan.Ransomcrypt, Trojan.Cryptowall, Trojan.Cryptolocker etc.).

This year we’ve observed a major role reversal in the ransomware landscape with the cryptomalware variants overtaking the ransomlock variants in prevalence. Ransomlock variants may have lost the lead to cryptomalware variants, but they are by no means out of the game and from time-to-time we do observed newcomers that add a fresh twist to the screen-locking business model.

Ransomlock 2.png

Figure 1. Top ten ransomware detections as of 11-07-14

Technical support scams

Technical support scams are definitely not new and have been around for quite some time now. In these scams, the crooks cold call random people, often claiming to be a well-known software company, and try to convince them that their computers are full of critical errors or malware. The end goal is to get onto the victim’s computer using a remote-access tool in order to convince users of problems, as well as to entice the victim into buying fake repair tools in order to fix the non-existent problems. The Federal Trade Commission states that this type of scam is one of the fastest growing cyberscams and several high-profile arrests have been made in recent times in a crackdown on the cybercriminals responsible. Technical support scams rely on potential victims being cold called and this can mean a lot of work for the scammers; however, some cybercriminals have now overcome this and have figured out a way to get the victims to call them.

When scams merge

We recently came across Trojan.Ransomlock.AM that, like its predecessors, locks the compromised computer’s screen. The locked screen displays a blue screen of death (BSoD) error message, but this is no ordinary BSoD!

In this BSoD, the message claims that the computer’s health is critical and a problem is detected and it asks the user to call a technical support number.

For the sake of research, we made a call to the number to see just what these crooks are up to.

Ransomlock 3 edit.png

Figure 2. Fake BSoD lock screen

According to the support engineer we spoke to, named “Brian,” the technical support company is called “Falcon Technical Support.” Once the number has been called, the scam follows the same modus operandi as most technical support scams; however, the most interesting thing here is the use of ransomware in order to get the user to call the scammers. Once the call has been made, the scammers have everything they need to convince the user their computer is infected with malware…because it is infected with Trojan.Ransomlock.AM.

ransomlock comic edit.png

Figure 3. The scammers get a bright idea

Trojan.Ransomlock.AM

Trojan.Ransomlock.AM has been observed being distributed and bundled with a grayware installer (detected as Downloader). This installer offers to install grayware applications such as SearchProtect and SpeedUPMyPc.

Upon execution, it installs the grayware as advertised but it also drops another file named preconfig.exe, which is the malware installer (detected as Trojan.Dropper). This second installer adds an entry on the infected computer so that when it restarts it will execute the final payload (diagnostics.exe) which is Trojan.Ransomlock.AM.

Trojan.Ransomlock.AM needs an internet connection to perform its dirty deeds. The malware first needs to send information from the compromised computer to the command-and-control (C&C) server, such as the hostname, IP address, screen resolution, and a random number. In exchange, the C&C server sends back the correct size image file to fit the whole screen. The information collected will also give the crooks a useful jump start when trying to convince the user their computer is in trouble, which other technical support scammers do not have. The malware, stolen information, and BSoD lock screen all help to strengthen the scammers’ social-engineering capabilities.

Fortunately, Trojan.Ransomlock.AM was first seen in September and does not have a high prevalence; however, as with any threat, this can quickly change. According to our telemetry, the threat is currently limited to the United States.

Symantec protection

Trojan.Ransomlock.AM is far from the most complex or resilient ransomware we’ve seen and is in fact very simple. The compromised computer may look locked but users can simply follow these steps to unlock the screen:

  1. Simultaneously press the Ctrl+Alt+Delete keys on the keyboard
  2. Open Task Manager
  3. Search for the malware name (it should be diagnostics.exe) and end the process
  4. When the screen is unlocked, go to the registry editor by clicking on the Start button, then Run, and typing REGEDIT
  5. Delete the registry entry HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”Diagnostics” = “[PATH TO MALWARE]”
  6. You should also delete the file folder from the directory

Users of Symantec products can simply perform a full scan to safely remove Trojan.Ransomlock.AM.

Symantec has the following detections in place to protect against this threat:

Antivirus detections

Symantec advises users to be extra careful when calling or receiving a call from a technical call center. Users should be cautious and always check the company’s identity. If you need assistance with a computer-related issue, contact a reputable bricks-and-mortar computer repair shop or your IT support team if it’s your work computer that is affected.