Posts Tagged ‘attackers’

Friday, January 10, 2014 @ 03:01 PM gHale

As more companies focus on mobility, it is no real surprise the lack of security on devices continues to be low hanging fruit for attackers.

That holds even in banking, an industry security experts routinely describe as among the most secure.

But when it comes to mobile apps, is it?


IOActive researcher Ariel Sanchez analyzed 40 mobile banking applications for iOS devices to see if they’re secure or not. The apps belong to the 60 top banks across the globe.

Sanchez found 40 percent of the apps tested are vulnerable to Man-in-the-Middle (MitM) attacks because they don’t validate the authenticity of SSL certificates.

On top of that, 20 percent of them have the Position Independent Executable (PIE) and Stack Smashing Protection disabled, which makes them susceptible to memory corruption attacks, Sanchez said in a blog post.

Ninety percent of the apps don’t have jailbreak detection. The same percentage load a number of non-SSL links while the app is in use, allowing cybercriminals to intercept traffic and inject arbitrary code for phishing purposes.

Attackers can also abuse insecure UIWebView implementations in over half of the tested apps to inject JavaScript.

When it comes to two-factor authentication, which is a great mechanism to protect against impersonation attacks, the researcher found 70 percent of the iOS banking apps don’t have it.

Meanwhile, 40 percent of the applications expose sensitive information through log files, such as crash reports. The data leaked by the log files can end up used to develop Zero Day exploits.

Thirty percent of the tested programs contain hardcoded credentials in the code.

“By using hardcoded credentials, an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users,” Sanchez said.

One more point of interest for attackers: 20 percent of the apps send activation codes, the ones used during the initial setup process, in plaintext over HTTP.

To add more salt to the security wounds, the file systems of some programs store sensitive information, including bank account details and transaction history, in unencrypted databases, Sanchez said.

From a defensive perspective, the following recommendations could mitigate the most common flaws:
• Ensure that all connections are made over secure transfer protocols
• Enforce SSL certificate checks in the client application
• Protect sensitive data stored on the client side by encrypting it with the iOS data protection API
• Add further checks to detect jailbroken devices
• Obfuscate the assembly code and use anti-debugging tricks to slow attackers who try to reverse engineer the binary
• Remove all debugging statements and symbols
• Remove all development information from the production application

Wednesday, August 21, 2013 @ 05:08 PM gHale

The use of the right-to-left override (RLO) character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or a registry key, is seeing a rebirth.

Malware writers have been using the RLO technique for years, as it’s a simple and effective method for disguising the names of malicious files. Typically, attackers will try to make their malware appear to be something benign, such as a music player or a setup file for a popular application. The RLO technique helps them accomplish this goal.


Malware authors give a malicious file a name that is somewhat close to a legitimate file name and append an extension such as .exe. But hidden in the file name will be a Unicode character that reverses the order of the characters that follow it. So, for example, a file named “malwaregpj.exe” will appear as “malwareexe.jpg” when the Unicode character is placed after the word “malware.”

Security researchers and malware analysts have known about this technique for quite a while, but it is beginning to surface once again.

Researchers at Microsoft have seen new malware samples attempting to impersonate the Google service that keeps software updated on users’ machines, and the malware is using the RLO technique in order to look like a legitimate registry key.

The malware is Sirefef, which is about a year old. It uses the RLO method to trick users into thinking the entries it puts into the infected machine’s registry are legitimate ones.

“The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation,” said Raymond Roberts of Microsoft.

When the Sirefef malware infects a new machine, it creates a registry entry that looks identical to the legitimate Google Update service. Even clicking on the entry to view its properties will show what appears to be a legitimate entry, aside from some odd-looking characters in the path of the executable. However, looking at the registry entry without Unicode support will reveal the problem. The Sirefef registry entry will show up as “etadpug” and the key will contain a slew of random characters rather than the description of the legitimate Google Update service.

“This demonstrates yet another concerted attempt by malware to hide itself in plain sight by pretending to be something it is not,” Roberts said. “It may make it difficult for someone doing a cursory check to determine if they are infected.”
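As an added illustration (not code from the original post or from Microsoft), the following Python audit shows why the trick works and how a defender can catch it: it models the reversal a bidi-aware UI applies after U+202E, recovers the extension the operating system actually uses, and flags any file or registry value name containing a Unicode bidi control. The sample names are constructed to match the page’s “malwaregpj.exe” and “etadpug” descriptions, and the display model is a deliberate simplification of the Unicode bidi algorithm.

```python
# Added example: audit file and registry names for Unicode bidi override characters.
# Not code from the original post; the sample names are constructed.

# Bidi control characters that can visually reorder text in a bidi-aware UI.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after an RLO (U+202E) is
    rendered reversed until a PDF (U+202C) or the end of the string.
    Deliberately simplified; the real Unicode bidi algorithm is far more involved."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; skip them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_bidi_controls(name: str):
    """Return (index, code point, abbreviation) for every bidi control in the string."""
    return [(i, f"U+{ord(c):04X}", BIDI_CONTROLS[c])
            for i, c in enumerate(name) if c in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """Extension as the OS sees it: strip the controls, take the text after the last dot."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def audit_names(names):
    """Flag every name containing a bidi control, reporting how it displays vs. what it is."""
    findings = []
    for n in names:
        controls = find_bidi_controls(n)
        if controls:
            findings.append({
                "stored": n,
                "displayed": displayed_name(n),
                "real_ext": real_extension(n),
                "controls": controls,
            })
    return findings


# Constructed samples matching the page's description: the file name the page
# describes, and a registry value name that reads "etadpug" without bidi rendering.
SAMPLE_NAMES = [
    "report.pdf",
    "malware\u202egpj.exe",
    "\u202eetadpug",
]

if __name__ == "__main__":
    for f in audit_names(SAMPLE_NAMES):
        print(f"stored={f['stored']!r} displayed={f['displayed']!r} "
              f"real_ext={f['real_ext']} controls={f['controls']}")
```

The audit flags on the presence of any bidi control rather than on a specific look-alike name, which is the check that survives new variants: a legitimate file or service name has no reason to contain U+202E, so its mere presence in a directory listing, a registry export or a log line is worth an alert.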

Wednesday, August 14, 2013 @ 03:08 PM gHale

A “loophole” in Google Cloud Messaging (GCM) lets attackers control some nasty Android Trojans.

Cyber criminals use Google Cloud Messaging, the service that allows Android developers to send data from their servers to their apps installed on Android devices, as a command and control (C&C) server for their malware, said researchers at Kaspersky Lab.


Most of these pieces of malware send SMS messages to premium rate numbers, steal messages and contacts, and display shady advertisements that might lead to other malicious elements.

One example is Trojan-SMS.AndroidOS.OpFake.a, which, according to Kaspersky, ended up installed over 1 million times on Android devices, particularly by users from Russia and other Commonwealth of Independent States (CIS) countries.

The threat is capable not only of sending SMS messages to premium rate numbers, but also of stealing messages and contacts, deleting SMSs, and sending out messages with links to malicious applications. The malware can also start and stop its activity automatically, and it can even update itself.

The malicious applications go out as popular applications and games.

Once an Android device suffers infection, the cyber criminals use the Google service to send out commands to the Trojans and record their activities. Because attackers use GCM, experts warn it’s impossible to block access to the C&C directly from the infected smartphone.

Kaspersky said the only way to block these attacks is for Google to terminate the developer accounts utilized by the cybercriminals. The company notified the search engine giant and provided it with the GCM developer IDs utilized in the malware attacks.

Kaspersky researchers said they identify over 12,000 new samples of mobile malware each month and 97 percent of these threats target the Android platform.

Monday, July 22, 2013 @ 06:07 PM gHale

Attackers are using a known, but uncommon method of maintaining access to an already compromised server by hiding backdoors inside the headers of legitimate image files, researchers said.

More than a dozen sites suffered from this method of attack, said website security firm Sucuri’s chief technology officer Daniel Cid. However, he didn’t mention if there was any evidence to connect all of them to a single source. At present, the company is still investigating while they work with their clients.


They found the images on a previously compromised webserver. In the cases they’ve seen so far, including the ‘bun.jpg’ case covered on the Sucuri blog, the website was either running an outdated version of WordPress (a popular CMS platform used by millions of domains), or outdated versions of Joomla, which is an alternate platform similar to WordPress.

The images themselves “still load and work properly,” Cid said.

“In fact, on these compromised sites, the attackers modified a legit, pre-existent image from the site,” he said. “This is a curious steganographic way to hide the malware.”

Once the server suffers compromise, the attackers will modify the image’s EXIF headers and re-upload the image. At this stage, the image renders normally, and most webmasters won’t notice anything off. However, should the compromise end up discovered and the server’s security tightened, the image provides a firm hold the attackers will later use in order to regain access.

Using PHP’s exif_read_data function to read the image’s headers and its preg_replace function to execute the embedded commands, the attackers can keep control over a webserver long after the user patches the vulnerable software and the server’s other core files. This works because the image’s MAKE header holds “/.*/e” as the pattern: the trailing ‘e’ is the ‘eval’ modifier, which makes preg_replace execute the content fed to it as PHP code.

Once the header is parsed, Sucuri’s researchers found base64-encoded lines that, when decoded, form the final part of the backdoor: a function that executes any content delivered to it via POST. Using this, an attacker can issue commands or fetch shell scripts hosted remotely and execute them. Moreover, depending on how the server is configured, the commands issued to the backdoor could run with elevated privileges.

Cid said they found the backdoors during memory examinations after a client asked for help recovering from a breach. Asked about detection, he added that, unless modified to detect these kinds of patterns within a given file, IDS and IPS systems would not have prevented this type of attack.

“The thing I recommend the most is file integrity monitoring,” Cid said. “If you can detect files being modified, then you can discover this type of attack.”
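As an added example that is not Sucuri’s code or anything from the original post, the Python scanner below does the kind of in-file check Cid says stock IDS/IPS would lack: it walks a JPEG’s marker segments, reads the ASCII Make and Model tags from the EXIF IFD0, and flags values that look like a PCRE carrying the ‘e’ modifier or like PHP eval/base64 usage. The JPEG is constructed inline (a header-only file with no image data) so the example runs offline; the tag choice and the suspicious patterns are my assumptions, not a complete ruleset.

```python
# Added example: scan a JPEG's EXIF Make/Model tags for the kind of payload the
# Sucuri write-up describes. Not Sucuri's code; the sample JPEG is constructed.
import re
import struct

# IFD0 ASCII tags the backdoor hid its pieces in (Make, per the write-up) plus Model.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model"}

# Values worth flagging: a PCRE whose modifiers include 'e' (eval), or PHP
# eval/base64_decode/request-superglobal usage. Assumed patterns, not a full ruleset.
SUSPICIOUS = (
    re.compile(r"^/.*/[a-zA-Z]*e[a-zA-Z]*$"),
    re.compile(r"eval\s*\("),
    re.compile(r"base64_decode\s*\("),
    re.compile(r"\$_(?:POST|GET|REQUEST)\b"),
)


def _parse_ifd0(tiff: bytes) -> dict:
    """Read the ASCII tags we care about from IFD0 of an EXIF TIFF block."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return {}
    magic, ifd_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(order + "H", tiff[ifd_off:ifd_off + 2])
    out = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        if e + 12 > len(tiff):
            break
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        if tag not in TAG_NAMES or typ != 2:      # type 2 == ASCII
            continue
        if n <= 4:                                  # short values are stored inline
            raw = tiff[e + 8:e + 8 + n]
        else:                                       # longer ones live at an offset
            (off,) = struct.unpack(order + "I", tiff[e + 8:e + 12])
            raw = tiff[off:off + n]
        out[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("latin-1")
    return out


def exif_strings(jpeg: bytes) -> dict:
    """Walk JPEG marker segments up to SOS and return Make/Model from the EXIF APP1, if any."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                          # SOS: only image data follows
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}


def scan_jpeg(jpeg: bytes) -> list:
    """Return (tag, value, pattern) findings; an empty list means Make/Model look clean."""
    findings = []
    for tag, value in exif_strings(jpeg).items():
        for pat in SUSPICIOUS:
            if pat.search(value):
                findings.append((tag, value, pat.pattern))
                break
    return findings


def build_jpeg_with_exif(make: str, model: str) -> bytes:
    """Constructed fixture: SOI + one APP1/EXIF segment (little-endian TIFF, IFD0 with
    Make and Model) + EOI. No image data; enough for the parser above."""
    values = [(0x010F, make.encode() + b"\x00"), (0x0110, model.encode() + b"\x00")]
    ifd_off = 8
    data_off = ifd_off + 2 + 12 * len(values) + 4   # header, count, entries, next-IFD pointer
    entries, blob = b"", b""
    for tag, vb in values:
        if len(vb) <= 4:
            entries += struct.pack("<HHI", tag, 2, len(vb)) + vb.ljust(4, b"\x00")
        else:
            entries += struct.pack("<HHII", tag, 2, len(vb), data_off + len(blob))
            blob += vb
    tiff = (b"II" + struct.pack("<HI", 42, ifd_off) + struct.pack("<H", len(values))
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Make carries the page's "/.*/e" pattern; Model a constructed eval(base64_decode(...)) stub.
    tampered = build_jpeg_with_exif("/.*/e", 'eval(base64_decode("PLACEHOLDER"))')
    print(scan_jpeg(tampered))
    print(scan_jpeg(build_jpeg_with_exif("Canon", "EOS 5D")))   # []
```

Run over a web root this complements, rather than replaces, the file integrity monitoring Cid recommends: the integrity baseline tells you an image changed, and a scan like this tells you whether the change put executable-looking content into the metadata.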

Monday, July 8, 2013 @ 03:07 PM gHale

With all the public incidents where hackers attacked various organizations, it is still apparent companies do not prioritize cyber security as a strategic competency.

Corporations must develop a proactive strategy so they do not have to react when there is a threat or security breach, said a group of Iowa State University (ISU) researchers.


The cost to a corporation or the customer if hackers gain access to secure information is one factor to consider. With the growing demand for digitally shared data and information, companies can no longer consider security a necessary cost of business, said Anthony Townsend, an associate professor of supply chain and information systems in ISU’s College of Business.

“If you have an active and aggressive security team in the organization, you don’t have to get hacked,” Townsend said. “It’s like leaving your door unlocked. If a burglar comes to your house and can just walk through the door, well, that’s easy for him. But if he has to jimmy the lock and there’s good security, he’ll go someplace else.”

Companies are certainly not just sitting idly by, but too often those making the decisions about security lack information technology expertise, said Samuel DeMarie, an associate professor of management. If an organization waits to test the effectiveness of its cyber security until there is a problem, it’s too late.

“On a more global perspective, there needs to be more IT expertise at the very top of corporations,” DeMarie said. “The way organizations use information technology is critical to the success of a company. If you’re not doing it well, it doesn’t matter how great your product or service is, that can be enough to shut down a business.”

Connecting instantaneously with other firms is a necessity for businesses to share information quickly and efficiently. Unfortunately, it increases the security risk, said Brian Mennecke, an associate professor of supply chain and information systems. He expects businesses, especially small-to-midsize businesses, to outsource security as the threats to information systems become more complex.

“I think increasingly that’s what we’re going to see with organizations moving more of these sensitive operations that are vulnerable to attack, to platforms where they can trust a vendor to provide a higher level of security than they would be able to provide themselves,” Mennecke said.

On an individual level, Mennecke compares outsourcing security to the decision to purchase a bank lock box. It is a way to protect important documents that you fear cannot stay safe at home.

“There’s a cost involved, but there’s a greater good to achieve by making sure important documents and resources are maintained as secure,” Mennecke said.

Of course, there is also an inherent risk in outsourcing such a critical function as security. There is no 100 percent guarantee and it is difficult to repair the damage if a third party violates an agreement.

Making cyber security a priority within a firm’s operational plans is more than an investment; it’s a shift in the organizational culture. DeMarie said a company must weigh that investment with the potential costs and loss of business if hackers successfully shut down its information system.

“A cyber attack could be devastating to some companies,” DeMarie said. “Millions of dollars could be lost if they were shut down. I think a lot of companies just feel like they’ve got it covered. They hope their IT guys know what they’re doing.”

But DeMarie, Townsend and Mennecke see a strong cyber security system as a competitive edge to attract new clients and customers.

“A proactive and well-managed security function in the organization means your customer credit card numbers are safe. You’re not in the newspaper because you got hacked recently. It actually appears to convey a specific advantage in terms of customer retention and satisfaction with the firm knowing that you have decent security. It’s not an afterthought,” Townsend said.

Security will increasingly become a greater priority for customers and clients as more business functions end up handled online and digitally. Townsend said the organization with the stronger security presence will have the advantage.

Monday, June 17, 2013 @ 07:06 PM gHale

Security usually ends up being a matter of vigilance, so the longer it takes to understand the system is under attack, the harder it will become to ward off the bad guys.

That is why businesses are vulnerable to security breaches due to their inability to properly analyze or store big data, according to a new report out by security firm, McAfee.


The ability to detect data breaches within minutes is critical in preventing data loss, yet only 35 percent of firms said they have the ability to do this. In fact, 22 percent said they would need a day to identify a breach, and five percent said this process would take up to a week. On average, organizations said it takes 10 hours for a company to recognize a security breach.

“If you’re in a fight, you need to know that while it’s happening, not after the fact,” said Mike Fey, executive vice president and worldwide CTO at McAfee. “This study has shown what we’ve long suspected — that far too few organizations have real-time access to the simple question ‘am I being breached?’ Only by knowing this, can you stop it from happening.”

Nearly three quarters (73 percent) of respondents said they can assess their security status in real time, and they also expressed confidence in their ability to identify, in real time, insider threats (74 percent), perimeter threats (78 percent), Zero Day malware (72 percent) and compliance controls (80 percent).

However, of the 58 percent of organizations that said they suffered a security breach in the last year, 24 percent found it within minutes. In addition, when it came to actually finding the source of the breach, 14 percent could do so in minutes, while 33 percent said it took a day and 16 percent said a week.

This false confidence highlights a disconnect between the IT department and security professionals within organizations.

The study of 855 incidents showed 63 percent took weeks or months for security professionals to find. On the other side, the stolen data was out the door in seconds or minutes in 46 percent of the cases.

On average, companies are storing 11-15 terabytes of security data a week, a figure that Gartner Group predicts will double annually through 2016. To put that in perspective, 10 terabytes is the equivalent of the printed collection of the Library of Congress.

Despite storing such large volumes of data, 58 percent of firms admitted to only holding on to it for less than three months.

Wednesday, June 12, 2013 @ 02:06 PM gHale

Users in Vietnam, India, China and Taiwan were targets of an attack campaign that uses Microsoft Word documents rigged with exploits to install a backdoor program that allows attackers to steal information, researchers said.

The targeted attacks used specifically crafted Word documents as bait in spear-phishing emails sent to the intended victims, said researchers from security firm Rapid7. The goal of these documents was to exploit known vulnerabilities that affect unpatched installations of Microsoft Office.


One of the malicious documents found by Rapid7 researchers is in Vietnamese and is about best practices for teaching and researching scientific topics. This suggests the targets of attacks were part of the Vietnamese academic community, Rapid7 researchers Claudio Guarnieri and Mark Schloesser said Friday.

A second document written in English discusses the state of telecommunication infrastructure, including GSM network coverage and Internet broadband availability, in Calcutta, India. The Rapid7 researchers believe this document targeted people working in the telecommunications industry in India or local government representatives.

When opened, the two documents attempt to exploit remote code execution vulnerabilities in the Windows common controls component. Identified as CVE-2012-0158 and CVE-2012-1856, respectively, these vulnerabilities affect Microsoft Office 2003, 2007 and 2010. Microsoft patched these vulnerabilities in 2012 as part of the MS12-027 and MS12-060 security bulletins.

Like a fine wine, these exploits age well as they consistently end up exploited by attackers, especially CVE-2012-0158. Two examples of targeted attacks where CVE-2012-0158 saw use include the NetTraveler and Hangover cyber espionage campaigns.

The malicious documents install a backdoor program called KeyBoy, named after a text string found in one of the samples, said Rapid7 researchers. The malware registers a new Windows service called MdAdum that loads a malicious DLL (Dynamic-Link Library) file called CREDRIVER.dll, the researchers said.

The KeyBoy malware steals credentials stored in Internet Explorer and Mozilla Firefox and installs a keylogger component that can steal credentials entered into Google Chrome. The backdoor program also allows the attackers to get detailed information about the compromised computers, browse their directories, and download or upload files from and to them, Rapid7 researchers said.

In addition, the malware can open a Windows command shell on the infected computers, which lets the attackers remotely execute Windows commands, they said.

The backdoor samples collected by the Rapid7 researchers were compiled on April 1, suggesting the attacks are recent. The domain names used for the command-and-control servers contacted by the malware were registered during April and May.

These attackers are definitely targeting users in several different countries, Guarnieri said. Rapid7 found evidence users in Taiwan, members of minority populations in China and possibly Western diplomats are targets of this campaign, he said.

“The campaign is not particularly sophisticated, the exploits are well known and the malware is fairly simple,” Guarnieri said. “However as we have seen in recent years, sophistication is not necessary for attackers to be successful and meet their ends. In fact the large majority of targeted attacks from and within the Asian region are generally very basic in complexity.”

Antivirus detection rates for the exploits and the backdoor malware are surprisingly low at the moment, he said. “For some reason this group didn’t receive particular attention (at least not publicly) so we expect detection to improve in the next days.”

Tuesday, June 11, 2013 @ 05:06 PM gHale

Spammers advertising a diet plan were leveraging an open redirect vulnerability in CNN’s website to trick Twitter users into thinking their malicious links lead to a legitimate website.

Since CNN addressed the vulnerability, spammers moved on to other sites and started abusing a similar open redirect vulnerability in Ask.com.


The open redirect vulnerability ended up reported to ask.com back in 2010, but it’s still unfixed, said security expert Janne Ahlberg, who has been monitoring the spam campaign.

The spammers are also exploiting a similar security hole in a Yahoo site to convince potential victims their links point to a trustworthy website.

To increase their chances of success, they keep sending tweets to celebrities in hopes some of them will retweet their messages.

While CNN officials said they addressed one vulnerability, E Hacking News’ Sabari Selvan said he identified another open redirect vulnerability in one of the media organization’s websites.

This flaw, which was reported to the company in 2010, is not the one abused by the spammers, but it goes to show companies continue to put band-aids over the cut rather than assessing what the real problem is and making sure it is fully fixed.
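An added example (not CNN’s, Ask.com’s or Yahoo’s code) of the check that closes an open redirect: a redirect target is accepted only when it is a same-site path or an absolute http(s) URL whose host is on an allowlist, and everything else falls back to a fixed page. The allowlist and the sample targets are constructed for illustration.

```python
# Added example: validating a redirect target so the site cannot be used as an open redirect.
# Not code from CNN, Ask.com or Yahoo; the allowlist and sample targets are constructed.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com", "example.com"}   # constructed allowlist


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an absolute http(s) URL whose host is allowlisted.
    Everything else (other schemes, scheme-relative '//host', backslash and userinfo
    tricks, control characters) is rejected."""
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False                        # CR/LF/NUL would break or split the Location header
    normalized = target.replace("\\", "/")  # browsers treat a backslash like a slash here
    if normalized.startswith("/"):
        return not normalized.startswith("//")   # '//evil.example' is scheme-relative, not a path
    parts = urlsplit(normalized)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False                        # 'javascript:', 'data:', or no host at all
    if parts.username is not None or parts.password is not None:
        return False                        # 'https://www.example.com@evil.example/'
    return (parts.hostname or "").lower() in allowed_hosts


def redirect_target(requested: str, fallback: str = "/") -> str:
    """What a handler should hand to its redirect call: the requested URL if safe, else a fixed page."""
    return requested if is_safe_redirect(requested) else fallback


# Constructed targets: legitimate ones first, then the shapes a spammer would try.
SAMPLES = [
    "/news/latest",
    "https://www.example.com/news/latest",
    "//evil.example/diet-plan",
    "/\\evil.example/diet-plan",
    "https://www.example.com.evil.example/",
    "https://www.example.com@evil.example/",
    "javascript:void(0)",
    "http://evil.example/?via=example.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict = "ALLOW " if is_safe_redirect(s) else "REJECT"
        print(f"{verdict} {s} -> {redirect_target(s)}")
```

The allowlist is the part that matters: a denylist of bad hosts, or a check that the target merely contains the site’s domain, is exactly what the look-alike and userinfo samples above get past.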

Tuesday, May 14, 2013 @ 05:05 PM gHale

It’s no secret when it comes to attack platforms, Java is tops among the bad guys.

Besides enjoying installation pretty much across the board, it also has what attackers drool over, a ton of vulnerabilities.


While Oracle does a fine job fixing holes, bugs, and vulnerabilities, at the end of the day, do users actually patch all the issues? Attackers know the answer to that one: No.

Attackers will wait for new patches to come out and then reverse engineer the fixes to find the specifics of the vulnerabilities, researchers said. It’s a concern, especially for companies like Microsoft, Adobe and Oracle, whose software runs on hundreds of millions of machines and which have regular, predictable patch cycles attackers can depend on. This gives them a monthly or quarterly batch of fixes to reverse engineer. Again, that works because users do not always patch.

Microsoft is very good at getting users to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers focus most of their attention on older flaws for which there are already patches.

Research from Microsoft shows there has been a spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity centered on patched vulnerabilities in Java. Part of the reason for this may be attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version.

“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723,” said Microsoft’s Jeong Wook Oh. “The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities.”

“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to multiple versions of Java, including Java 6 and 7, and the other is the vulnerabilities that only apply to Java 7,” the Microsoft researcher said. “So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine them with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than by using a single exploit in one package.”

Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a Zero Day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications.

Wednesday, May 1, 2013 @ 02:05 PM gHale

Whether users install a patch or not, attackers like to jump on Adobe Reader vulnerabilities to drop malware onto their targets’ computers.

Quite a few advanced persistent threat (APT) campaigns are now relying on those very security holes.


At least three APTs rely on the CVE-2013-0640 vulnerability to distribute malware, said researchers at Trend Micro. This exploit is well known because it was used in the MiniDuke campaign.

One of the campaigns that use the PDF exploit is Zegost. Experts identified PDF documents, written in Vietnamese, that are very similar to the files used in the MiniDuke attacks.

The dropped files and data are similar, their number is similar, and their purposes are also very much the same. However, the payload dropped in the Zegost attacks isn’t connected in any way with the MiniDuke malware payload.

Another series of malicious PDFs was used in the PlugX campaigns. Cyber criminals, possibly unrelated to each other, have attempted to drop various versions of PlugX on the computers of users in Japan, India and South Korea.

While there have been some similarities between the Zegost and the MiniDuke operations, the researchers said these PlugX attacks are different.

“Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal,” said Nart Villeneuve, senior threat researcher at Trend Micro.

“At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.”
