Smartphone Shopping 101: Are Mobile Devices Less Secure than PCs?

According to a recent survey, nearly half of all consumers believe that their smartphones and other mobile devices are less secure than their laptop or desktop computers.  In the same survey, only 36% of respondents said they trust online retail sites to keep their personal data safe. Still, holiday shopping from mobile phones increased by Read more…

PCI Compliance Best Practices: 3 Areas to Focus On

With the PCI DSS 3.0 release only 6 months away, compliance should be on every merchant’s mind. Nevertheless, these regulations often come as an afterthought, especially for Level 3 and Level 4 businesses. As the number of online shoppers continues to grow, there are more and more opportunities for cybercriminals to strike. Increased vigilance on Read more…

Don’t Want to Read Through the Fine Print? There’s an App for That

We’ve always been told to “read the fine print before you sign on the dotted line,” but let’s be frank. In today’s digital world, all we want to do is play that new game, test that new app and hear that new song. The fine print seems like an unnecessary barrier to our fun.  Most Read more…

What is malware and why should I be concerned?

“Malware” is a shortened version of the words malicious software. It is defined as: a generic term used to describe any type of software or code specifically designed to exploit a computer/mobile device or the data it contains, without consent. Most malware is designed to have some financial gain for the cybercriminal. Whether they are Read more…

2013 First Quarter Zero-Day Vulnerabilities

In the first quarter of 2013, we spotted quite a few zero-day vulnerabilities affecting Oracle Java, Adobe Flash, Adobe Reader, and Microsoft Internet Explorer being exploited in the wild. This blog discusses the details of these zero-days exploited to spread malware in the first quarter of 2013.

Java zero-day vulnerabilities

During the month of January 2013, we saw some interesting Oracle Java SE zero-day issues being actively exploited in the wild. On January 13, 2013, Oracle released a security alert for Oracle Java Runtime Environment Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422) to address multiple vulnerabilities in Java SE. The first vulnerability occurs in the way the public “getMBeanInstantiator” method in the “JmxMBeanServer” class is used to obtain a reference to a private “MBeanInstantiator” object, and then retrieving arbitrary Class references using the “findClass” method. The second vulnerability occurs because of using the Reflection API with recursion in a way that bypasses a security check by the “java.lang.invoke.MethodHandles.Lookup.checkSecurityManager” method due to the inability of the “sun.reflect.Reflection.getCallerClass” method to skip frames related to the new reflection API.

Immediately after patching CVE-2013-0422, Oracle alerted the public about Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-3174) being exploited in the wild to execute arbitrary code. Specifically, the issue occurs when the “MethodHandle” abstract class is used to invoke a method in the “sun.misc.reflect.Trampoline” class, which allows the Security Manager to be bypassed.

On February 1, 2013, Oracle released a massive patch update for Java SE addressing 50 vulnerabilities. The Critical Patch Update (CPU) was originally scheduled for February 19, however it was released well in advance because of the exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers. The details about this vulnerability are currently unknown. On February 19, Oracle released an updated Critical Patch Update (CPU) with an additional five fixes, bringing the total of fixes in the February 2013 CPU to 55.

On March 4, 2013, Oracle released yet another security alert, for Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-1493). This issue allows arbitrary memory reads and writes in the JVM process, which attackers can use to corrupt memory and disable the Security Manager component.

Figure 1. Untrusted applet exploits a vulnerability to disable the Security Manager and access system resources

The exploit conditions for all these vulnerabilities are the same: they are remotely exploitable, without authentication, to execute arbitrary code in the context of the currently logged-in user. To successfully exploit the vulnerabilities, an attacker must entice an unsuspecting user into visiting a specially crafted webpage that contains a malicious applet. Successful exploits can impact the availability, integrity, and confidentiality of a user’s system. Please note that these vulnerabilities do not affect Java running on servers, standalone Java desktop applications, or embedded Java applications.

Adobe Flash and Adobe Reader zero-day vulnerabilities

On February 7, 2013, Adobe released security bulletin APSB13-04 with fixes for Adobe Flash Player Buffer Overflow Vulnerability (CVE-2013-0633) and Adobe Flash Player Remote Memory Corruption Vulnerability (CVE-2013-0634). Both were exploited in targeted attacks through spear-phishing email messages aimed at numerous industries. An attacker who exploits either issue can execute arbitrary code in the context of the application or cause a denial-of-service condition. The samples discovered in the wild were delivered by tricking users into opening a Microsoft Word document, sent as an email attachment, that contained malicious Flash (SWF) content; the same issues can also be exploited by enticing a user to visit a specially crafted site. Symantec detects these threats as Bloodhound.Flash.19 and Bloodhound.Flash.20.
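The delivery path described above, a Word document carrying Flash content, is something a mail gateway or incident responder can check for without executing anything: an SWF always starts with an 8-byte header (a three-letter signature, a version byte, and the uncompressed length). The scanner below is an added example written for this page, not Symantec’s detection logic; it unpacks an OOXML document, looks for SWF headers inside each member, and validates the declared length so that a chance three-byte match in random data is not reported. The sample document it builds is constructed for the demonstration.

```python
import io
import struct
import zipfile
import zlib

# SWF file signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_headers(blob):
    """Return (offset, signature, version, declared_length) for every plausible
    SWF header in blob. The header is 8 bytes: 3-byte signature, 1-byte version,
    4-byte little-endian length of the *uncompressed* file."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = blob.find(magic, start)
            if off < 0 or off + 8 > len(blob):
                break
            start = off + 1
            version = blob[off + 3]
            (length,) = struct.unpack_from("<I", blob, off + 4)
            # Cheap sanity checks to suppress chance matches: the version byte
            # must be a plausible Flash version and the declared length must at
            # least cover the 8-byte header itself.
            if 1 <= version <= 40 and length >= 8:
                hits.append((off, magic.decode("ascii"), version, length))
    return hits


def swf_is_well_formed(blob, hit):
    """Check that the data after the header is consistent with the declared
    length. CWS bodies are inflated with a decompressobj so that container bytes
    following the zlib stream do not cause a false negative."""
    off, sig, _version, length = hit
    body = blob[off + 8:]
    if sig == "FWS":
        return len(body) + 8 >= length
    if sig == "CWS":
        try:
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            return False
        return len(inflated) + 8 == length
    return True  # ZWS: LZMA is not inflated here; the header is still reported


def scan_document(data):
    """Scan an Office document for embedded SWF content. OOXML (.docx etc.) is a
    zip, so each member is scanned separately; anything else (legacy .doc OLE2
    files, bare files) is scanned as raw bytes. Returns a list of
    (member_name, offset, signature, version, declared_length, well_formed)."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                member = zf.read(name)
                for hit in find_swf_headers(member):
                    findings.append((name,) + hit + (swf_is_well_formed(member, hit),))
    else:
        for hit in find_swf_headers(data):
            findings.append(("<raw>",) + hit + (swf_is_well_formed(data, hit),))
    return findings


def build_sample_docx():
    """Constructed sample (not a real attachment): a minimal .docx with a
    zlib-compressed SWF under word/embeddings/, preceded by some padding bytes
    the way an OLE wrapper would place it."""
    # Minimal SWF body: RECT frame size, frame rate, frame count, then an End tag.
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x00\x00"
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\x00" * 64 + header + zlib.compress(swf_body))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_document(build_sample_docx()):
        print("embedded SWF: member=%s offset=%d sig=%s version=%d length=%d well_formed=%s" % finding)
```

A hit on a member under word/embeddings/ or in a binary .doc is a strong indicator in mail coming from outside, because legitimate documents rarely carry Flash; the well_formed flag separates real SWF streams from chance byte matches.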

On February 20, Adobe released security bulletin APSB13-07, which contained fixes for two interesting zero-day vulnerabilities, Adobe Acrobat And Reader Remote Code Execution Vulnerability (CVE-2013-0640) and Adobe Acrobat And Reader Remote Code Execution Vulnerability (CVE-2013-0641), affecting Adobe Reader X. The exploit for these issues worked in the latest versions of Adobe Reader and Adobe Acrobat that were available at the time, including versions X and XI, which both have a sandbox protection feature.

Figure 2. CVE-2013-0640 and CVE-2013-0641 vulnerabilities combine to bypass the sandbox

The exploit was highly sophisticated and contained multiple evasion techniques, including heavily obfuscated JavaScript, ROP-only shellcode, and a multi-staged payload. It worked in two stages. The first stage exploited the first vulnerability to gain code execution inside the sandboxed process and drop a malicious DLL file as the payload. The second stage used this payload to exploit the second vulnerability in the broker process, bypass the sandbox protection, and drop the malware. Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as Trojan.Swaylib.

On February 26, 2013, the Adobe Product Security Incident Response Team (PSIRT) announced the availability of new security updates for Adobe Flash Player. This was the third time in February that Adobe patched Flash Player. The latest security bulletin, APSB13-08, addressed three Flash vulnerabilities, two of which were exploited in the wild. These issues were used in targeted attacks that trick a user into visiting a site that contains malicious Flash (SWF) content. The exploits for Adobe Flash Player Unspecified Security Vulnerability (CVE-2013-0643) and Adobe Flash Player Remote Code Execution Vulnerability (CVE-2013-0648) were designed to target the Mozilla Firefox browser. Specifically, CVE-2013-0648 exists in the “ExternalInterface” ActionScript feature, and CVE-2013-0643 exists because of a permissions issue with the Flash Player Firefox sandbox.

Microsoft Internet Explorer vulnerability

On December 27, 2012, a new Internet Explorer zero-day vulnerability was discovered being exploited in the wild. Although this is not a 2013 zero-day, exploitation of this issue continued into the first quarter of 2013. On January 14, 2013, Microsoft released a security bulletin containing fixes for this issue. The vulnerability occurred because of a use-after-free error when handling the “CButton” object in the mshtml.dll file. Certain popular websites were compromised to host the exploit as part of a watering hole style attack. When users visited a compromised website, their computers were infected with malware, allowing attackers to extract valuable and sensitive information. Symantec had earlier published a research document on watering hole attacks (The Elderwood Project) detailing targets, growing trends, and attack platforms that have been seen since 2009.

On March 16, 2013, we saw Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1288) being exploited in the wild. The issue occurred when a “CParaElement” object that had already been freed was reused later, triggering the vulnerability. The issue had already been patched by Microsoft on March 12, 2013. Discovering new zero-days can be a costly and time-consuming business for malware authors, so it is speculated that the attackers reverse-engineered the patch to understand this vulnerability and craft an exploit. Though most systems would have already been patched, there would still be many unpatched systems during the first few days that attackers could compromise.

Conclusion

In total, we observed 11 zero-day vulnerabilities exploited in the first three months of 2013 affecting Oracle Java, Adobe Flash, Adobe Reader, and Microsoft Internet Explorer, which is quite high. This shows an increase in the finding and exploiting of zero-days. Plus the issues were discovered in popular applications allowing for maximum damage. Most of these flaws can be exploited over the Internet by enticing users to visit a site hosting the exploit. We also observed the attackers have started digging deeper to find vulnerabilities in the sandbox protection features of applications in order to bypass the restrictions for complete exploitation. A number of these flaws are used in different exploit kits and sold on the underground market.

Symantec recommends users to follow these best security practices:

  • Ensure all applications are up to date with the latest security patches. Even though a zero-day exploit cannot be patched, the latest updates will provide protection from previously disclosed vulnerabilities.
  • Ensure antivirus and IPS definitions are up-to-date.
  • Avoid visiting sites of questionable integrity.
  • Avoid opening files provided by untrusted sources.
  • Implement multiple redundant layers of security such as non-executable and randomly mapped memory segments that may hinder an attacker’s ability to exploit vulnerabilities.
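The last recommendation, non-executable and randomly mapped memory, is something an application must opt into on Windows, and one can verify it without running the binary: the DllCharacteristics field of the PE optional header carries the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) flags. The checker below is an added example written for this page, not Symantec’s tooling; it parses only the DOS, COFF and optional headers, and applies the caveat practitioners tend to miss, namely that DYNAMIC_BASE is meaningless when the image has its relocations stripped, because the loader then cannot move it. The PE images it builds are constructed header-only samples.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification (optional header).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR: image may be rebased at load time
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP: data pages may be non-executable
# COFF header Characteristics flag: relocations stripped, so the loader cannot rebase.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def pe_mitigations(data):
    """Parse just the DOS, COFF and optional headers of a PE image and report
    its DEP/ASLR opt-in state. Raises ValueError for anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _stamp, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both
    # PE32 (0x10B) and PE32+ (0x20B); make sure the header actually reaches it.
    if opt_size < 72:
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # DYNAMIC_BASE alone is not enough: without relocations the loader
        # cannot move the image, so ASLR silently does nothing for it.
        "aslr": dynamic_base and not relocs_stripped,
        "aslr_flag_without_relocs": dynamic_base and relocs_stripped,
        "high_entropy_va": magic == 0x20B
        and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_sample_pe(dll_characteristics, coff_characteristics=0x0002, pe32plus=False):
    """Constructed sample: the bare headers of a PE image (no sections, no code),
    just enough for pe_mitigations() to parse. 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                               | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print(pe_mitigations(hardened))
    print(pe_mitigations(build_sample_pe(0)))
```

Run pe_mitigations() over the bytes of a real plug-in DLL to see whether the vendor opted in; a module loaded into the browser with dep or aslr False is exactly the kind of predictable, executable memory that makes the ROP and heap-spray stages in the exploits above reliable.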

What is OCSP?


The Online Certificate Status Protocol (OCSP) is the protocol browsers use to obtain the revocation status of the digital certificate presented by a website. Naturally OCSP speed is considered one of the main criteria for quality: while a page loads, the browser reaches out to the certificate authority’s OCSP responder to confirm that the site’s SSL certificate has not been revoked, so a slow responder means a slow page.

It is the first criterion, but certainly not the only one. Most of the major Certificate Authorities (CAs) measure similarly in OCSP speed according to reputable third-party tests, some trending slightly lower or higher. Mindful investments in infrastructure and architecture keep the speed battle going, and competition is fierce. But there are four aspects of OCSP, and of the whole SSL certificate verification structure, that should be considered and held equal in importance.

A second factor is reliability. When a Certificate Authority is tricked into issuing a valid SSL certificate to a third party for fraudulent use, the entire industry can suffer a loss of trust. A few years ago, DigiNotar went out of business after such a reliability failure: an attacker obtained fraudulent certificates for several dozen Internet domains. In response, the major web browser vendors removed all trust in DigiNotar’s certificates, and the CA folded. Reliability creates trust. A CA needs reliable, audited business practices for authentication and revocation alike.

Availability is the simplest to talk about to a lay person: Either a site is up or it’s down. Either an OCSP response returns or it does not. These are simple concepts, but reputation can still play a factor. If your company is known to have major outages, and by major let’s define longer than 10 minutes at a time, your reputation for availability will start to suffer. There are sites dedicated to tracking the uptime of various vendors for online availability, so clearly it matters to consumers and businesses alike.

Fourth, there is security, both physical and logical. To maintain a public CA, your physical and logical security must be beyond reproach, and your business continuity and disaster planning has to be extensive. CAs invest in security infrastructure, building or buying malware-protection systems, conducting regular audits, and running vulnerability assessments to cover all known vectors of attack. Multi-layer security and continuous monitoring is expensive, but a necessary part of the overhead of protecting the integrity of the business and of the consumer.

Smaller and local CAs around the world often discover that the overhead and expense of running a mainstream commercial CA is too high, and sometimes they go out of business. But none of these four core components of OCSP, or indeed of the whole commercial CA security ecosystem, can be sacrificed for another and still maintain trust on the Internet.

Read more about PKI, OCSP, and best practices HERE.

The Online Trust Alliance has published a whitepaper on CA best practices as well HERE.

Telugu Movies Continue to be Fraudster’s Favorites

Contributor: Avdhoot Patil

Telugu movies continue to be a favorite lure in phishing scams, and phishing sites built around them keep gaining momentum. The phishing site featuring the movie “Brindavanam” is one example. In a more recent case, phishers used a captivating song from the Telugu movie “Saitan” as bait.

On the left side of the page, the phishing site displayed a picture from a captivating musical number in the movie “Saitan”, starring Santosh Samrat and Sri Lankan film and teledrama actress Akarsha. The picture was taken from the legitimate movie website. The phishing site was titled “Samantha & Kajal Very Hot Song”, but in fact neither celebrity was part of this movie; phishers used their popularity to attract large numbers of Samantha and Kajal fans.

The phishing page then encouraged users to enter their login credentials and stated that after logging in, they could watch the video. After a user’s login credentials were entered, users were redirected to the legitimate movie website which featured a different song from a different movie, “Ye Maya Chesave”, starring Naga Chaitanya and Samantha Ruth Prabhu.

Due to the intimate nature of the musical number and the use of misleading names, phishers were probably hoping for a large audience, increasing the number of user credentials they could steal. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes. The phishing site was hosted on a server based in Montreal, Canada.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information. Keep in mind that HTTPS only shows the connection is encrypted; a phishing site can have a valid certificate too, so also check that the domain name is the one you expect
  • Update your security software frequently (such as Norton Internet Security which protects you from online phishing)

Is one search engine safer than another?

Question of the week: Since I have been using avast! I have been conscious of staying secure online. Does it matter which search engine I use? Is one safer than the other? Thanks for using avast! to protect your computer. Yours is a great question, but maybe not one that people consider when thinking about the […]

2013 Internet Security Threat Report

The 2013 edition of the Internet Security Threat Report compiles more than 69 million attack detections from 157 countries and regions worldwide to describe the current threat landscape. This year’s report covers the rise in targeted attacks and in attacks on small businesses, along with a steady stream of newly emerging threats.

Targeted attacks, hacktivism and data breaches

Targeted attacks increased 42 percent in 2012, reaching an average of 116 attacks per day. This matches the upward trend in data theft and industrial espionage cases. The targets also appear to be shifting: small businesses make up a larger share of these targeted attacks than in 2011. Attacks on companies with fewer than 250 employees accounted for 31 percent of all targeted attacks, three times the previous year’s figure. Attackers have clearly realized that valuable data can be stolen from small businesses too, and that their defenses are weak. By industry, manufacturing was the most targeted sector, at 24 percent of targeted attacks.

A notable development among targeted attacks is the emergence of the “watering hole” attack: the attacker compromises a website the intended targets are likely to visit, and the computers of targets who visit it are infected with malware. The group known as “Elderwood” spread this technique successfully; in a single day, as many as 500 companies were infected.

The number of data breaches fell in 2012, but the number of identities stolen rose, to nearly 240 million. The majority of stolen identities were related to the healthcare, education and government sectors. While breaches caused by external attacks make up most of the reported cases, the risk from insiders remains significant.

Exploited vulnerabilities and toolkits

Zero-day vulnerabilities rose to 14 in 2012, and the total number of vulnerabilities reached 5,291. Mobile vulnerabilities also increased, with 416 found in 2012. Cybercriminals exploit these vulnerabilities to compromise their targets’ security, so systems that are not regularly patched and updated are especially exposed. Even though the pace of new vulnerability discovery has slowed, attacks rose 30 percent, and such neglect in IT departments is probably the main reason.

Exploit toolkits let anyone take up cybercrime, even without technical skills, because previously discovered browser and plug-in vulnerabilities can be reused in attacks. In 2012, a single exploit kit called Blackhole accounted for 41 percent of all web-based attacks.

Social networks, mobile and cloud

Social networks are a new source of spam. Of the attacks using social media, 56 percent were fake offers. Because personal information is public on social networking sites, and because links and data are readily shared with other users, spamming is becoming easier. Other widespread techniques include fake “Like” buttons that install malware and tricking users into downloading fake browser extensions.

Mobile vulnerabilities also grew; Apple’s iOS alone had 387 reported. Only 13 vulnerabilities were found in the Android platform, but because of its large market share, its open platform and its multiple application distribution channels, most mobile threats target Android devices (158 of 163, not counting duplicates). Overall, mobile malware increased 58 percent in 2012.

More companies are adopting cloud computing, which on the whole cuts costs and improves security, but the cloud is not free of security problems. Extracting data even from a less trustworthy cloud provider is not easy, but attackers have realized that attacking such a provider yields a huge amount of data. We expect the virtual machines underpinning cloud infrastructure to come under attack in future.

Spam, phishing and malware

As social media spam rose and law enforcement cracked down on botnets, traditional spam continued to decline, from 75 percent of all email in 2011 to 69 percent in 2012. Adult/sex/dating spam replaced pharmaceutical spam as the leading content, at 55 percent of all spam. Despite the decline, 30 billion spam emails are still sent every day. The shift in cybercriminal tactics also shows in the decline of email phishing, from 1 in 299 emails in 2011 to 1 in 414.

Malware was found in 1 in 291 emails, and 23 percent of those contained a URL linking to a website hosting malicious code. Roughly 247,350 web-based attacks were blocked every day, a 30 percent increase over 2011. 2012 was also the first year in which malware explicitly targeting the Mac spread on a large scale: the Flashback attack, which exploited a Java vulnerability, infected more than 600,000 Mac computers. The number of Mac-specific threats is now trending upward overall. New kinds of malware attack have also appeared, such as ransomware that locks the computer and demands a ransom payment from the user.

For more on the current threat landscape, see the full Internet Security Threat Report (in English).

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.