Posts Tagged ‘attackers’
Tuesday, May 14, 2013 @ 05:05 PM gHale
It’s no secret when it comes to attack platforms, Java is tops among the bad guys.
Besides enjoying installation pretty much across the board, it also has what attackers drool over, a ton of vulnerabilities.
While Oracle does a fine job fixing holes, bugs, and vulnerabilities, at the end of the day do users actually patch all the issues? Attackers know the answer to that one: No.
Attackers will wait for new patches to come out and then reverse engineer the fixes in order to find the specifics of the vulnerabilities, researchers said. It’s a concern, especially for companies like Microsoft, Adobe and Oracle whose software runs on hundreds of millions of machines and that have regular, predictable patch cycles attackers can depend on. This gives them a monthly or quarterly batch of fixes to reverse engineer. Again, that works because users do not always patch.
Microsoft is very good at getting users to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers focus most of their attention on older flaws for which there are already patches.
Research from Microsoft shows there has been a spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity centered on patched vulnerabilities in Java. Part of the reason for this may be that attackers prefer vulnerabilities present in multiple versions of Java, rather than just one specific version.
“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723,” said Microsoft’s Jeong Wook Oh. “The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities.”
“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to multiple versions of Java including Java 6 and 7, and the other is the vulnerabilities that only apply to Java 7,” the Microsoft researcher said. “So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine it with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than just using a single exploit in one package.”
Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a zero-day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications.
Wednesday, May 1, 2013 @ 02:05 PM gHale
Whether users install a patch or not, attackers like to jump on Adobe Reader vulnerabilities to drop malware onto their targets’ computers.
Quite a few advanced persistent threat (APT) campaigns are now relying on those very security holes.
At least three APTs rely on the CVE-2013-0640 vulnerability to distribute malware, said researchers at Trend Micro. This exploit remains well known because it saw use in the MiniDuke campaign.
One of the campaigns that uses the PDF exploit is Zegost. Experts identified PDF documents, written in Vietnamese, that are very similar to the files used in the MiniDuke attacks.
The dropped files and data are similar, their number is similar, and their purposes are also very much the same. However, the payload dropped in the Zegost attacks isn’t connected in any way with the MiniDuke malware payload.
Another series of malicious PDFs were in the PlugX campaigns. Cyber criminals, possibly not related to each other, have attempted to drop various versions of PlugX on the computers of users from Japan, India and South Korea.
While there have been some similarities between the Zegost and the MiniDuke operations, the researchers said these PlugX attacks are different.
“Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal,” said Nart Villeneuve, senior threat researcher at Trend Micro.
“At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.”
Friday, April 5, 2013 @ 05:04 PM gHale
Bitcoin’s digital currency has not escaped the notice of attackers, many of whom are turning their attention to finding ways to use the system for their own gains like introducing new pieces of malware.
There is now a piece of malware in circulation that is using Skype as a spreading mechanism and then using infected machines’ processing power to mine Bitcoins.
The new malware is sending links to Skype users with a message encouraging them to click to see a photo of themselves online. The campaign began yesterday and is still ongoing, with thousands of victims clicking on the malicious link every hour, according to an analysis by Dmitry Bestuzhev of Kaspersky Lab.
“The initial dropper is downloaded from a server located in India. The detection rate on VirusTotal is low. Once the machine is infected it drops to the system many other pieces of malware. Downloads come from the Hotfile.com service. At the same time the malware connects to its C2 server located in Germany,” Bestuzhev said.
Once the malware is on the victim’s machine, it goes about the business of usurping the PC’s processing power to mine for Bitcoins. The Bitcoin network relies on a complex system to create each Bitcoin and verify the currency is valid and being spent by the owner of those Bitcoins. Part of that process requires quite a bit of processing power, and that’s what the attackers behind this malware campaign are after.
Here’s how the Bitcoin Project explains the mining process:
“Bitcoin mining is the process of making computer hardware do mathematical calculations for the Bitcoin network to confirm transactions and increase security. As a reward for their services, Bitcoin miners can collect transaction fees for the transactions they confirm along with newly created bitcoins. Mining is a specialized and competitive market where the rewards are divided up according to how much calculation is done,” the Project said.
The malware, identified as Trojan.Win32.Jorik.IRCbot.xkt, causes a massive spike in the CPU usage on an infected machine, Bestuzhev said.
Wednesday, February 20, 2013 @ 03:02 PM gHale
Adobe released a security bulletin today that fixes a vulnerability in its Reader and Acrobat products found just one week ago.
The vulnerability, which attackers are already exploiting, could crash either product and potentially allow an attacker to take control of the affected system.
For PC users, there is a sense of urgency to update as Adobe confirmed attackers are leveraging two of the vulnerabilities (CVE-2013-0640 and CVE-2013-0641) in targeted attacks designed to trick Windows users into opening a malicious PDF file attached in an email.
Mac and Linux users are not immune to this flaw; they simply are not under attackers’ microscope at this juncture.
The security patches are available for software on Windows, Mac, and Linux. The following is a list of upgrades:
• Users of Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Reader XI (11.0.02).
• For users of Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader X (10.1.6).
• For users of Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh, who cannot update to Adobe Reader XI (11.0.02), Adobe has made available the update Adobe Reader 9.5.4.
• Users of Adobe Reader 9.5.3 and earlier 9.x versions for Linux should update to Adobe Reader 9.5.4.
• Users of Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh should update to Adobe Acrobat XI (11.0.02).
• Users of Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh should update to Adobe Acrobat X (10.1.6).
• Users of Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh should update to Adobe Acrobat 9.5.4.
Windows and OS X users can use the product’s update feature (Help => Check for Updates).
Monday, January 28, 2013 @ 12:01 PM gHale
Attackers are hitting Web servers with infected Apache modules that also backdoor Secure Shell (SSH) services in order to steal login credentials from administrators and users.
These attackers are replacing all of the SSH binary files on the compromised servers with backdoored versions designed to send the hostname, username and password for incoming and outgoing SSH connections to attacker-controlled servers, researchers from Web security firm Sucuri said.
The attack modifies the SSH daemon and every SSH binary, with the main goal of stealing passwords, said Daniel Cid, Sucuri’s chief technology officer.
By doing this, it allows the attackers to regain control of a compromised server if the passwords get changed or to compromise additional servers if users access them from the compromised server via SSH.
In cases investigated by Sucuri, the server administrator removed the rogue Apache module and changed his password, but the infection re-appeared a few days later, Cid said.
Denis Sinegubko, the creator of the Unmask Parasites website security scanner, said there was a wave of incidents during August and September 2012 that involved attackers obtaining administrator (root) access to Web servers and installing rogue Apache modules. The purpose of the modules was to inject rogue iframes into legitimate websites hosted on those servers.
This website infection method continued to see use during the following months, and the attacks were linked to a cybercriminal toolkit called DarkLeech sold on hacker forums.
It’s not clear whether the SSH backdoor is actually a new feature of DarkLeech. The backdoor was not part of an early version of the toolkit analyzed by Sucuri researchers, but it keeps changing so it’s hard to know for sure, Cid said.
It’s hard to say with certainty how the servers with the SSH backdoor suffered compromise in the first place, because in most cases the server logs were gone by the time Sucuri had the chance to analyze them, Cid said. However, the infection ended up on servers that had weak root passwords or were running outdated versions of Plesk — a Web-hosting control panel.
On servers that use the RPM Package Manager administrators should run the “rpm -Va” command in order to check the integrity of their software packages, Cid said. “If you see any change to the SSH binaries, it is a red flag,” he said.
Simply checking when the files were last modified using the “ls -la” command won’t reveal anything suspicious because the attackers change the mtime (last modification time) timestamps of the backdoor files to match those of the original files, Cid said.
If this SSH backdoor is found on a server, it’s better to completely reinstall it from scratch because you never know what else might be there, Cid said.
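As an added example (not part of the Sucuri post), a POSIX shell function that applies Cid’s “rpm -Va” check: it parses the verification output and reports SSH binaries whose size or digest differs from the package database, which a forged mtime cannot hide. The sample rpm -Va output is constructed, and the set of SSH-related paths is an assumption.

```shell
#!/bin/sh
# Added example, not from the Sucuri write-up: read "rpm -Va" output and flag
# SSH binaries whose content no longer matches the package database.
# rpm -V prints a 9-character status field per mismatching file, for example
#   S.5....T.    /usr/bin/ssh
# S = size differs, 5 = digest differs, T = mtime differs, "." = test passed,
# "?" = could not be tested; a "c" between the flags and the path marks a
# config file. A backdoor that copies the original mtime onto the trojaned
# file clears T (so "ls -la" shows nothing) but cannot clear 5 or S.

# Constructed sample of rpm -Va output: a trojaned client with a forged mtime,
# a trojaned daemon with an honest mtime, a legitimately edited config file
# and two benign entries.
SAMPLE_RPM_VA='S.5......    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/scp
..?......    /usr/lib64/libcrypto.so.10'

# ssh_content_changed: print the path of every SSH-related file (assumed path
# list) whose size or digest differs from the package database, skipping
# config files, which administrators edit legitimately.
ssh_content_changed() {
    awk '
        # $1 = status flags, $NF = path; $2 is the attribute marker when NF == 3
        $NF ~ /\/(ssh|sshd|scp|sftp|sftp-server|ssh-[a-z-]+)$/ || $NF ~ /^\/etc\/ssh\// {
            if (NF == 3 && $2 == "c") next        # edited sshd_config is expected
            if (index($1, "5") || index($1, "S")) print $NF
        }'
}

# On a real host, pipe the live output in (prints nothing when all is well):
#   rpm -Va 2>/dev/null | ssh_content_changed
printf '%s\n' "$SAMPLE_RPM_VA" | ssh_content_changed
```

Because rpm -Va trusts the local rpm database, which an attacker with root can also alter, a hit here is a red flag rather than a clean bill of health; verifying against a known-good package file with rpm -Vp, or reinstalling as Cid advises, is the stronger step.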
Monday, January 7, 2013 @ 04:01 PM gHale
There are serious vulnerabilities in Cisco VoIP (voice over Internet protocol) telephones as attackers could easily insert malicious code into a phone and start eavesdropping on private conversations from anywhere in the world.
“It’s not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications,” said Columbia University Computer Science Professor Salvatore Stolfo. “It’s relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones—they are not secure.” Stolfo researched the issue with Columbia Engineering’s Computer Science PhD candidate Ang Cui.
Cui and Stolfo analyzed the phones’ firmware (the software running on the computer inside the phone) and were able to identify vulnerabilities. Their broader concern is embedded systems that are widely deployed and networked on the Internet, including VoIP phones, routers, and printers, and they have focused their research on developing new advanced security technology to protect these systems.
“Binary firmware analysis is commonly used to identify faulty software by the ‘white hat’ hackers and security scientists and researchers like our team,” Stolfo said. “We performed this analysis to demonstrate a new defense technology, called Software Symbiotes, (can) protects them from exploitation.”
Software Symbiotes safeguards embedded systems, including routers and printers, from malicious code injection attacks.
“This is a host-based defense mechanism that’s a code structure inspired by a natural phenomenon known as symbiotic defensive mutualism,” Cui said. “The Symbiote is especially suitable for retrofitting legacy embedded systems with sophisticated host-based defenses.”
The researchers see these Symbiotes as a kind of digital life form that tightly co-exists with arbitrary executables in a mutually defensive arrangement.
“They extract computational resources (CPU cycles) from the host while simultaneously protecting the host from attack and exploitation,” Cui said. “And, because they are by their nature so diverse, they can provide self-protection against direct attack by adversaries that directly target host defenses.”
“We envision a general-purpose computing architecture consisting of two mutual defensive systems whereby a self-contained, distinct, and unique Symbiote machine is embedded in each instance of a host program,” Stolfo said. “The Symbiote can reside within any arbitrary body of software, regardless of its place within the system stack. It can be injected into an arbitrary host in many different ways, while its code can be ‘randomized’ by a number of well-known methods.”
The Symbiote, which at runtime must successfully execute in order for the host to operate, then monitors its host’s behavior to ensure it continues to operate correctly, and, if not, it stops the host from doing harm. Removal, or attempted removal, of the Symbiote renders the host inoperable.
“The beauty of the Symbiote,” Cui said, “is that it can be used to protect all kinds of embedded systems, from phones and printers to ATM machines and even cars — systems that we all use every day.”
Cisco released a patch to repair these vulnerabilities but it is ineffective, the researchers said.
“It doesn’t solve the fundamental problems we‘ve pointed out to Cisco,” Cui said. “We don’t know of any solution to solve the systemic problem with Cisco’s IP Phone firmware except for the Symbiote technology or rewriting the firmware.”
Wednesday, January 2, 2013 @ 05:01 PM gHale
A piece of backdoor malware can infect Java-based HTTP servers and allow attackers to execute malicious commands on the underlying systems.
The threat, known as BKDR_JAVAWAR.JG, comes in the form of a JavaServer Page (JSP), a type of Web page that can only deploy and serve from a specialized Web server with a Java servlet container, such as Apache Tomcat, said researchers at antivirus vendor Trend Micro.
Once this page deploys, the attacker can access it remotely and can use its functions to browse, upload, edit, delete, download or copy files from the infected system using a Web console interface. This is similar to the functionality provided by PHP-based backdoors, commonly known as PHP Web shells.
“Aside from gaining access to sensitive information, an attacker gains control of the infected system through the backdoor and can carry out more malicious commands onto the vulnerable server,” Trend Micro researchers said in a blog post.
This JSP backdoor can be installed by other malware already running on the system that hosts the Java-based HTTP server and Java servlet container, or it can be downloaded when browsing to malicious websites from such a system.
According to Trend Micro’s technical notes, the malware targets systems running Windows 2000, Windows Server 2003, Windows XP, Windows Vista and Windows 7.
“Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager,” the Trend Micro researchers said. “Using a password cracking tool, cybercriminals are able to login and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server.”
In order to protect their servers from such threats, administrators should use strong passwords that are not easy to crack by using brute force tools, should deploy all security updates available for their systems and software and should avoid visiting unknown and untrusted websites, the Trend Micro researchers said.
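As an added example, not from the Trend Micro post, a POSIX shell function that looks for the attack path described above in a Tomcat access log: repeated Manager authentication failures from one client, followed by a successful login and a WAR upload. It assumes the Manager application is at its default /manager path, that the HTML manager’s upload form posts to /manager/html/upload, and that the log uses the stock common log format; the log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the Trend Micro post: detect Manager password
# guessing followed by a WAR deployment in a Tomcat access log.
# Assumptions: Manager at the default /manager path, HTML upload form at
# /manager/html/upload, common log format. Sample lines are constructed.
SAMPLE_ACCESS_LOG='203.0.113.9 - - [02/Jan/2013:16:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - admin [02/Jan/2013:16:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - tomcat [02/Jan/2013:16:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - manager [02/Jan/2013:16:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - root [02/Jan/2013:16:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.9 - tomcat [02/Jan/2013:16:01:09 +0000] "GET /manager/html HTTP/1.1" 200 14231
203.0.113.9 - tomcat [02/Jan/2013:16:01:20 +0000] "POST /manager/html/upload HTTP/1.1" 302 0
198.51.100.7 - - [02/Jan/2013:16:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024
192.0.2.44 - tomcat [02/Jan/2013:16:07:00 +0000] "GET /manager/html HTTP/1.1" 200 14231'

# manager_alerts [threshold]: read access-log lines on stdin and print one
# BRUTE_FORCE alert per client with at least <threshold> failed Manager logins,
# plus a DEPLOY_AFTER_BRUTE_FORCE alert if that client then logged in and
# uploaded a WAR. Default threshold is 5.
manager_alerts() {
    threshold=${1:-5}
    awk -v threshold="$threshold" '
        # common log format: $1 client, $6 "METHOD, $7 path, $9 status
        $7 ~ /^\/manager(\/|$)/ {
            ip = $1; status = $9
            if (status == 401) fails[ip]++
            if (status == 200 && fails[ip] >= threshold) success_after_fail[ip] = 1
            if ($6 == "\"POST" && $7 ~ /^\/manager\/html\/upload/) uploads[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "BRUTE_FORCE %s %d failed Manager logins\n", ip, fails[ip]
            for (ip in uploads)
                if (ip in success_after_fail)
                    printf "DEPLOY_AFTER_BRUTE_FORCE %s %d WAR upload(s)\n", ip, uploads[ip]
        }'
}

# On a live host: manager_alerts 5 < /path/to/tomcat/logs/localhost_access_log.txt
printf '%s\n' "$SAMPLE_ACCESS_LOG" | manager_alerts 5
```

A single successful Manager login from an unexpected client (192.0.2.44 above) produces no alert here; pairing this with the strong-password and update advice from the post, and restricting who can reach /manager at all, closes that gap.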