ISSSource White Papers

Posts Tagged ‘attackers’

Thursday, March 26, 2015 @ 03:03 PM gHale

Attackers can exploit an Android vulnerability discovered a year ago to trick users into downloading malicious apps from third-party stores, researchers said.

The “Android Installer Hijacking” vulnerability affects half of all Android users. When first discovered, the flaw was in nearly 90 percent of all Android installations, said researchers at Palo Alto Networks.

Rise in Android App Issues
Android, iOS Apps Vulnerable to FREAK
Google Android OS Holes
Malware Attack Targets Android

The flaw allows attackers to change or replace a seemingly benign Android application with malware during installation, and without user knowledge. It can end up exploited to compromise the target device fully, and harvest any information and sensitive data found on it.

“Android supports the ability to install apps from the Google Play store as well as from the local file system. Google Play downloads Android packages (APKs) to a protected space of the file system. Third party app stores and mobile advertisement libraries usually download APK files to unprotected local storage (e.g. /sdcard/) and install the APK files directly,” said Palo Alto Networks researcher Zhi Xu.

“Both methods use a system application called PackageInstaller to complete the installation. On affected platforms, we discovered that the PackageInstaller has a ‘Time of Check’ to ‘Time of Use’ vulnerability. In layman’s terms, that simply means that the APK file can be modified or replaced during installation without the user’s knowledge. The Installer Hijacking vulnerability affects APK files downloaded to unprotected local storage only because the protected space of Play Store app cannot be accessed by other installed apps.”

There are several ways in which this vulnerability can end up exploited, but the good news is the Android Security Team has not detected any attempts to exploit this vulnerability on user devices.

Devices with Android version 4.3 may contain this vulnerability (it depends on the vendor). Devices with Android version 4.2 and earlier all have this vulnerability.

Android version 4.4 and later versions fixed this flaw, so users should update to one of these versions (if possible).

Monday, November 10, 2014 @ 08:11 AM gHale

A new technique is coming into play by attackers which allow them to fool even more users into believing they are entering their information in a legitimate web form.

Instead of replicating a legitimate website like an e-commerce site, the attackers need only to set up a phishing page with a proxy program which will act as a relay to the legitimate site, and create a few fake pages for when users need to enter their personal and financial information, said researchers at Trend Micro.

Malware Targets iOS, Mac OS X
Trojan Attack Rate Growing
Android Malware Tough to Remove
Images can Attack in Android Apps

“So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user,” said Trend Micro Senior Threat Researcher Noriaki Hayashi said in a blog post.

“It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response,” Hayashi said.

In the spotted attack, users end up directed to the malicious site by clicking on a search result they got by entering a product’s name. The attackers used a number of blackhat SEO techniques to make the URL appear in the results. But spam emails and messages also work to lure potential victims to the malicious site.

The actual attack begins when the user clicks on the “Add to Basket” button on the legitimate site. That is where the attacker has re-written the function so the user ends up redirected to a spoofed e-cart page that leads to more fake pages simulating the checkout process.

The first page asks the victims to enter their personal information (name, address, phone number) as well as their email address and password. The second one requests the entry of credit card information (including the card’s security code). The third one asks for additional information sometimes required to authorize a transaction.

Once the victims submitted all this information, they will receive a fake confirmation email for the purchase to the email address submitted. With all that, the attacker completes the task.

“So far, we have only identified this attack targeting one specific online store in Japan. However, if this attack becomes more prominent, it could become a very worrying development: This makes phishing harder to detect by end users, as the phishing sites will be nearly identical to the original sites,” Hayashi said.

This approach makes phishing websites easier to set up, and very difficult for the owners of the legitimate websites to detect.

Tuesday, August 5, 2014 @ 07:08 PM gHale

The “Pitty Tiger” advanced persistent threat (APT) group may have been active for over six years, researchers said.

The activities of the Pitty Tiger group first came to light in mid-July by the cybersecurity unit at Airbus Defense & Space. Airbus researchers determined the attackers, which they believe operate out of China have been active since at least 2011. However, researchers at FireEye found more evidence suggesting they have been targeting organizations for much longer.

IoT Devices Vulnerable to Attacks: Report
Spam Indicates Security Vulnerabilities
Organizations ‘More Vulnerable Than They Think’
Endpoints Need More Security: Report

FireEye said the group uses spear phishing emails, social engineering, email phishing pages, malware and other tools to accomplish their goals. The spear phishing emails analyzed by FireEye were in French, English and Chinese.

In one attack against a French company, the attackers sent out emails written in English and French that appeared to come from someone within the targeted organization. The malicious messages carried harmless-looking Microsoft Word documents that were set up to drop a first-stage payload, Backdoor.APT.Pgift (Troj/ReRol.A), by exploiting both old (CVE-2012-0158) and new (CVE-2014-1761) vulnerabilities affecting the Microsoft Office suite.

Once it infects a computer, the Trojan sends some information on the compromised device back to its command and control (C&C) server, after which it downloads the second-stage malware.

This wasn’t the first time researchers identified an attack using Backdoor.APT.Pgift. They found the same threat at the beginning of this year in a campaign targeting an organization in Taiwan. This and the idea quite a few of the C&C servers used by the cybercriminals are on .tw domains, indicates the attackers have an interest in Taiwan, FireEye researchers said.

The threat group has been using several pieces of malware over the past years. Based on samples that connected to the domain names used in their operations, FireEye said the attackers relied on PoisonIvy during 2008 and 2009.

Backdoor.APT.PittyTiger1.3 (CT RAT) has also seen use, most likely as a second-stage malware since it provides attackers with a remote shell on the compromised system.

Backdoor.APT.PittyTiger is a piece of malware leveraged by the group in 2012 and 2013. The threat is capable of capturing screenshots, uploading and downloading files, and providing a remote shell. Backdoor.APT.Lurid, and variants of Gh0st RAT, including Paladin RAT and Leo RAT, have also seen action by the Pitty Tiger group, FireEye researchers said.

Click here for more information on the APT.

Monday, June 9, 2014 @ 11:06 AM gHale

Attackers are exploiting commonly-used business applications to bypass security controls, a new report said.

Common sharing applications such as email, social media, and video remain the attack vehicles of choice for cybercriminals, but are often only the start of multi-phased attacks rather than the focus of threat activity, according to Palo Alto Networks’ Application Usage and Threat Report.

Ineffective Password Security Practices
Insider Threat Real; Protection Weak
Aware of Info Loss, Data Still Not Secured
Major Update to ICS Security Guide

In one part of the report, 34 percent of the 2100 applications observed use SSL encryption. As a result, network administrators are unaware of what applications on their networks use unpatched versions of OpenSSL, which can leave them exposed to vulnerabilities such as Heartbleed.

In addition, Palo Alto Networks found 99 percent of all malware logs ended up generated by a single threat using UDP; attackers also use applications like FTP, RDP, SSL, and NetBIOS to mask their activities.

It is one thing to point out weaknesses, but it is another to offer ways to correct them. Palo Alto Networks said areas enterprises could improve include:
• Deploy a balanced safe enablement policy for common sharing applications. The way to ensure success is documentation of the policies, education of users, and periodically updating the policy.
• Control unknown traffic. Every network has unknown traffic that is small, averaging 10 percent of bandwidth, researchers said. This high-risk traffic can end up controlled. Controlling unknown UDP/TCP will cut out a significant volume of malware.
• Determine and selectively decrypt applications that use SSL. Selective decryption, in conjunction with enablement policies, can help businesses uncover and eliminate potential hiding places for cyber threats.

The Application Usage report comes from raw data occurring from activity happening on enterprise networks, and not through a user-based survey. The data gathered for the reports comes from evaluation units of the company’s firewalls deployed at potential customer locations. This most recent report ended up based on analysis of traffic data collected from 5,500 network assessments and billions of threat logs over a 12-month span between March 2013 and March 2014, the company said.

Click here to view the report visualization.

Friday, January 10, 2014 @ 03:01 PM gHale

As more companies focus on mobility, it is no real surprise the lack of security on devices continues to be low hanging fruit for attackers.

Even in banking, where security experts always say it is among the most secured industries.

But when it comes of mobile apps, is it?

Mobile Alert: Bug in Smartphone
Pulling RSA Keys by Listening
Air Gaps Not Even Secure
Resilience Metrics can Beat Threats

IOActive researcher Ariel Sanchez analyzed 40 mobile banking applications for iOS devices to see if they’re secure or not. The apps belong to the 60 top banks across the globe.

Sanchez found 40 percent of the apps tested are vulnerable to Man-in-the-Middle (MitM) attacks because they don’t validate the authenticity of SSL certificates.

On top of that, 20 percent of them have the Position Independent Executable (PIE) and Stack Smashing Protection disabled, which makes them susceptible to memory corruption attacks, Sanchez said in a blog post.

Ninety percent of the apps don’t have jailbreak detection. The same percentage contain a number of non-SSL links when surfing the app, allowing cybercriminals to intercept traffic and inject arbitrary code for phishing purposes.

Attackers can also abuse insecure UIWebView implementations in over half of the tested apps to inject JavaScript.

When it comes to two-factor authentication, which is a great mechanism to protect against impersonation attacks, the researcher found 70 percent of the iOS banking apps don’t have it.

Meanwhile, 40 percent of the applications expose sensitive information through log files, such as crash reports. The data leaked by the log files can end up used to develop Zero Day exploits.

Thirty percent of the tested programs contain hardcoded credentials in the code.

“By using hardcoded credentials, an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users,” Sanchez said.

One more point of interest for attackers is 20 percent of app activation codes, the ones sent during the initial setup process, send the information in plaintext (HTTP).

To add more salt to the security wounds, the file systems of some programs store sensitive information, including bank account details and transaction history, in unencrypted databases, Sanchez said.

From a defensive perspective, the following recommendations could mitigate the most common flaws:
• Ensure that all connections end up performed using secure transfer protocols
• Enforce SSL certificate checks by the client application
• Protect sensitive data stored on the client-side by encrypting it using the iOS data protection API
• Improve additional checks to detect jailbroken devices
• Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
• Remove all debugging statements and symbols
• Remove all development information from the production application

Wednesday, August 21, 2013 @ 05:08 PM gHale

The use of the right-to-left override (RLO) character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or a registry key, is seeing a rebirth.

Malware writers have been using the RLO technique for years, as it’s a simple and effective method for disguising the names of malicious files. Typically, attackers will try to make their malware appear to be something benign, such as a music player or setup file for a popular application. The RLO technique helps then accomplish this goal.

Malware Variant Branches Out
Poison Ivy RAT in Separate Attacks
PoisonIvy Variant Avoids Detection
U.S. Grid ‘Highly Vulnerable’
Wireless Field Sensors Vulnerable

Malware authors give a malicious file a name that is somewhat close to a legitimate file name, and append an extension such .exe. But hidden in the file name will be a Unicode character that will reverse the order of the characters that follow it. So, for example, a file named “malwaregpj.exe” will appear as “malwareexe.jpg” when the Unicode character ends up used after the word “malware.”

Security researchers and malware analysts have known about this technique for quite a while, but it is beginning to surface once again.

Researchers at Microsoft have seen new malware samples attempting to impersonate the Google service that keeps software updated on users’ machines, and the malware is using the RLO technique in order to look like a legitimate registry key.

The malware is Sirefef, which is about a year old. It uses the RLO method to trick users into thinking the entries it puts into the infected machine’s registry are legitimate ones.

“The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation,” said Raymond Roberts of Microsoft.

When the Sirefef malware infects a new machine, it creates a registry entry that looks identical to the legitimate Google Update service. Even clicking on the entry to view its properties will show what appears to be a legitimate entry, aside from some odd-looking characters in the path of the executable. However, looking at the registry entry without Unicode support will reveal the problem. The Sirefef registry entry will show up as “etadpug” and the key will contain a slew of random characters rather than the description of the legitimate Google Update service.

“This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not,” Roberts said. “It may make it difficult for someone doing a cursory check to determine if they are infected.”

Wednesday, August 14, 2013 @ 03:08 PM gHale

A “loophole” in Google Cloud Messaging (GCM) lets attackers control some nasty Android Trojans.

Cyber criminals use Google Cloud Messaging, the service that allows Android developers to send data from their servers to their apps installed on Android devices, as a command and control (C&C) server for their malware, said researchers at Kaspersky labs.

Mobile Alert: Android Woes Continue
Mobile Malware: Organized, Profitable
Record Malware Growth Globally
Cracking iOS Mobile Hotspot Passwords

Most of these pieces of malware send SMS messages to premium rate numbers, steal messages and contacts, and display shady advertisements that might lead to other malicious elements.

One example is Trojan-SMS.AndroidOS.OpFake.a, which, according to Kaspersky, ended up installed over 1 million times on Android devices, particularly by users from Russia and other Commonwealth of Independent States (CIS) countries.

The threat is capable not only of sending SMS messages to premium rate numbers, but also of stealing messages and contacts, deleting SMSs, and sending out messages with links to malicious applications. The malware can also start and stop its activity automatically, and it can even update itself.

The malicious applications go out as popular applications and games.

Once an Android device suffers infection, the cyber criminals use the Google service to send out commands to the Trojans and record their activities. Because attackers use GCM, experts warn it’s impossible to block access to the C&C directly from the infected smartphone.

Kaspersky said the only way to block these attacks is for Google to terminate the developer accounts utilized by the cybercriminals. The company notified the search engine giant and provided it with the GCM developer IDs utilized in the malware attacks.

Kaspersky researchers said they identify over 12,000 new samples of mobile malware each month and 97 percent of these threats target the Android platform.

Monday, July 22, 2013 @ 06:07 PM gHale

Attackers are using a known, but uncommon method of maintaining access to an already compromised server by hiding backdoors inside the headers of legitimate image files, researchers said.

More than a dozen sites suffered from this method of attack, said website security firm Sucuri’s chief technology officer Daniel Cid. However, he didn’t mention if there was any evidence to connect all of them to a single source. At present, the company is still investigating while they work with their clients.

Targeted Malware Attacks in Asia, Europe
Chinese APT Worked through Cloud
Espionage Campaign Uncovered
Utility Blackouts as a Weapon
Synching Up a Reliable Power Grid

They found the images on a previously compromised webserver. In the cases they’ve seen so far, including the ‘bun.jpg’ case covered on the Sucuri blog, the website was either running an outdated version of WordPress (a popular CMS platform used by millions of domains), or outdated versions of Joomla, which is an alternate platform similar to WordPress.

The images themselves “still load and work properly,” Cid said.

“In fact, on these compromised sites, the attackers modified a legit, pre-existent image from the site,” he said. “This is a curious steganographic way to hide the malware.”

Once the server suffers compromise, the attackers will modify the image’s EXIF headers and re-upload the image. At this stage, the image renders normally, and most webmasters won’t notice anything off. However, should the compromise end up discovered and the server’s security tightened, the image provides a firm hold the attackers will later use in order to regain access.

Using the exif_read_data function in PHP to read the image’s headers, and the preg_replace function to execute the embedded commands; the attackers can keep control over a webserver long after the user patches the vulnerable software and the server’s other core files. This happens because the image’s MAKE header has “/.*/e” as a keyword — this is the ‘eval’ modifier, used to execute the content fed to preg_replace.

Once the header parses, Sucuri’s researchers discovered base64 encoded lines, that when decoded offered the final part to the backdoor itself, a function that will execute any content delivered to it via POST. Using this, an attacker can issue commands, or call for shell scripts hosted remotely and execute them. Moreover, depending on how the server ends up configured, the commands issued to the backdoor could be running with elevated privileges.

Cid explained they found the backdoors during memory examinations after a client requested help recovering from a breach. When questioned about detection, he added unless modified to detect these kinds of patterns within a given file, IDS and IPS systems wouldn’t have prevented this type of attack.

“The thing I recommend the most is file integrity monintoring,” Cid said. “If you can detect files being modified, then you can discover this type of attack.”

Monday, July 8, 2013 @ 03:07 PM gHale

With all the public incidents where hackers attacked various organizations, it is still apparent companies do not prioritize cyber security as a strategic competency.

Corporations must develop a proactive strategy so they do not have to react when there is a threat or security breach, said a group of Iowa State University (ISU) researchers.

Cyber Report: Attackers on Network
SMBs Need Data Breach Awareness
Breach Discovery: 10 Hours
Security Breach Fantasy Land

The cost to a corporation or the customer if hackers gain access to secure information is one factor to consider. With the growing demand for digitally shared data and information, companies can no longer considers security a necessary cost of business, said Anthony Townsend, an associate professor of supply chain and information systems in ISU’s College of Business.

“If you have an active and aggressive security team in the organization, you don’t have to get hacked,” Townsend said. “It’s like leaving your door unlocked. If a burglar comes to your house and can just walk through the door, well, that’s easy for him. But if he has to jimmy the lock and there’s good security, he’ll go someplace else.”

Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, said Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cyber security until there is a problem, it’s too late.

“On a more global perspective, there needs to be more IT expertise at the very top of corporations,” DeMarie said. “The way organizations use information technology is critical to the success of a company. If you’re not doing it well, it doesn’t matter how great your product or service is, that can be enough to shut down a business.”

Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, said Brian Mennecke, an associate professor of supply chain and information systems. He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.

“I think increasingly that’s what we’re going to see with organizations moving more of these sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves,” Mennecke said.

On an individual level, Mennecke compares outsourcing security to the decision to purchase a bank lock box. It is a way to protect important documents that you fear cannot stay safe at home.

“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke said.

Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement.

Making cyber security a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie said a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.

“A cyber attack could be devastating to some companies,” DeMarie said. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”

But DeMarie, Townsend and Mennecke see a strong cyber security system as a competitive edge to attract new clients and customers.

“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend said.

Security will increasingly become a greater priority for customers and clients as more business functions end up handled online and digitally. Townsend said the organization with the stronger security presence will have the advantage.

Monday, June 17, 2013 @ 07:06 PM gHale

Security usually ends up being a matter of vigilance, so the longer it takes to understand the system is under attack, the harder it will become to ward off the bad guys.

That is why businesses are vulnerable to security breaches due to their inability to properly analyze or store big data, according to a new report out by security firm, McAfee.

Security Breach Fantasy Land
Botnet Hurt, so are Researchers
P2P Botnets Keep Growing
Global Cybercrime Botnet Breached

The ability to detect data breaches within minutes is critical in preventing data loss, yet only 35 percent of firms said they have the ability to do this. In fact, 22 percent said they would need a day to identify a breach, and five percent said this process would take up to a week. On average, organizations said it takes 10 hours for a company to recognize a security breach.

“If you’re in a fight, you need to know that while it’s happening, not after the fact,” said Mike Fey, executive vice president and worldwide CTO at McAfee. “This study has shown what we’ve long suspected — that far too few organizations have real-time access to the simple question ‘am I being breached?’ Only by knowing this, can you stop it from happening.”

Nearly three quarters (73 percent) of respondents said they can assess their security status in real-time and they also responded with confidence in their ability to identify in real-time insider threat detection (74 percent), perimeter threats (78 percent), Zero Day malware (72 percent) and compliance controls (80 percent).

However, of the 58 percent of organizations that said they suffered a security breach in the last year, 24 percent found it within minutes. In addition, when it came to actually finding the source of the breach, 14 percent could do so in minutes, while 33 percent said it took a day and 16 percent said a week.

This false confidence highlights a disconnect between the IT department and security professionals within organizations.

The study of 855 incidents showed 63 percent took weeks or months for security professional to find them. On the other side, the stolen data was out the door from these organizations within seconds or minutes in 46 percent of the cases.

On average, companies are storing 11-15 terabytes of security data a week, a figure that Gartner Group predicts will double annually through 2016. To put that in perspective, 10 terabytes is the equivalent of the printed collection of the Library of Congress.

Despite storing such large volumes of data, 58 percent of firms admitted to only holding on to it for less than three months.

Archived Entries