Posted: 19 Apr 2015 | 2:49 am
A Colombian hacker has been incarcerated for 10 years for spying on the local government’s peace talks with Marxist rebels, among other offences, Fox News Latino reports.…
Posted: 17 Apr 2015 | 3:35 am
Long-running APT campaign Operation Pawn Storm has begun the year with a bang, introducing new infrastructure and zeroing in on targets including North Atlantic Treaty Organization (NATO) members and even the White House. This is according to the latest intelligence gleaned from Trend Micro’s ongoing research into the attack group, and comes as a follow-up to our widely publicized October 2014 report.
Operation Pawn Storm: A Background
Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media.
The group is a determined set of threat actors, active since at least 2007, with a very specific modus operandi. We named it Pawn Storm because the attackers use multiple connected tools and tactics to hit a specific target, a strategy mirroring the chess move of the same name.
The group used three very distinct attack scenarios. One was to send spear-phishing emails with malicious Microsoft® Office documents containing the information-stealing SEDNIT/Sofacy malware. Another was to inject selective exploits into legitimate Polish government websites, leading to the same malware. A final strategy was to send out phishing emails redirecting users to fake Microsoft Outlook Web Access (OWA) login pages.
Pawn Storm targeted mainly military, government and media organizations in the United States and its allies. We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government.
We also observed another update to Pawn Storm’s operations in February this year and found an iOS espionage app targeting Apple users.
What’s New with Operation Pawn Storm?
The first quarter of 2015 has seen a great deal of activity from the group. Most notably this involved setting up dozens of exploit URLs and a dozen new command-and-control (C&C) servers targeting NATO members and governments in Europe, Asia and the Middle East.
In a slightly different modus operandi from the usual, we observed Pawn Storm attackers sending out specially-crafted emails designed to trick users into clicking on a malicious link.
Figure 1. Sample spear-phishing email
In one case, the subject of the spam e-mail is the Southern Gas Corridor, which the European Union initiated to become less dependent on Russian gas. Other e-mails have similar geopolitical subjects, for example the Russian-Ukrainian conflict and the Open Skies Consultative Commission of the OSCE.
The emails usually have a link to what looks like a legitimate news site. When the target clicks on the link, the browser first loads a fingerprinting script that feeds details such as OS, time zone, browser and installed plugins back to the attackers. When certain criteria are met, the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site. The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you're a Linux user, and Sednit if you're running Windows.
Figure 2. Screenshot of malicious HTML5 plugin
Same Old Tricks
Pawn Storm threat actors are also continuing with their phishing strategy. In fact, in autumn 2014 they set up a fake OWA webmail for a large US company which sells nuclear fuel to power stations.
Figure 3. Fake webmail login page of US company selling nuclear fuel
It’s not hard to see that a successful breach of this firm could lead to serious consequences. Other fake OWA servers include new ones targeting the armed forces of two European NATO members. A fake version of the webmail system of the NATO Liaison in the Ukraine was also put online in February this year.
White House Under Attack
Trend Micro has gathered evidence that the same group is eyeing the White House as a target. They targeted three popular YouTube bloggers with a Gmail phishing attack on January 26, 2015, four days after the bloggers had interviewed President Obama at the White House. This is a classic island-hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target and may have weaker security in place.
In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.
Organizations must remain on high alert for these kinds of attack, as Operation Pawn Storm hackers go to great lengths to make their emails appear legitimate. Military and government bodies in the US, Europe and Asia especially must invest in the right advanced cyber security tools to block phishing and malware downloads, and improve user training and education to mitigate the risk of attack.
Posted: 16 Apr 2015 | 5:11 am
Microsoft released 11 Security Bulletins (MS15-032 through MS15-042) today, addressing over 25 CVE-identified vulnerabilities for April 2015. Critical vulnerabilities are fixed in Internet Explorer, Microsoft Office, and the network and graphics stacks. Most of the critical remote code execution (RCE) vulnerabilities are the IE memory corruption bugs affecting all versions of Internet Explorer (6-11) and the Microsoft Office use-after-free. Update: they appear to *almost* all be the result of private discoveries, at least 24 of the 25. In reference to Office vulnerability CVE-2015-1641, "Microsoft is aware of limited attacks that attempt to exploit this vulnerability".
The Microsoft Office CVE-2015-1649 use-after-free is a critical RCE impacting a variety of software and scenarios. The vulnerable code exists across desktop versions Word 2007, 2010, the Word Viewer and Office Compatibility apps, but not Word 2013 or Word for Mac. It's also critical RCE on the server side in Word Automation Services on SharePoint 2010 and Microsoft Office Web Apps Server 2010, but not SharePoint 2013 or Web Apps 2013.
As the new Verizon Data Breach 2015 report highlighted today, many exploits currently effective against targets are exploiting vulnerabilities patched long ago. According to their figures, many of the exploited CVEs found on compromised hosts were published over a year earlier. Microsoft provides Windows Update to easily keep your software updated, and Kaspersky products provide vulnerability scanners to help keep all of your software up to date, including Microsoft's. Please patch ASAP.
From the heap of vulnerabilities and fixes rated "Important", the Hyper-V DoS issue affects the newest Microsoft platform code: Windows 8.1 64-bit and Windows Server 2012 R2 (including the Server Core installation, which is fairly unusual). While the flawed code has not been found to enable EoP on other VMs within the Hyper-V host, attacked Hyper-V systems may lose management of all VMs in the Virtual Machine Manager.
Posted: 14 Apr 2015 | 10:58 am
Exploit Pack Table Update 20
Gong Da / GonDad | Redkit 2.2 | x2o (Redkit Light) | Fiesta (=Neosploit) | Cool Styxy | DotkaChef
Angler | FlashPack = SafePack | White Lotus | Magnitude (Popads) | Nuclear 3.x | Sweet Orange
CK | HiMan | Neutrino | Blackhole (last) | Grandsoft | Private EK
CVE-2012-4792* | CVE-2013-2465 | CVE-2013-2465* | and + all or some | CVE-2013-2423 | CVE-2013-1347
CVE-2013-0634 | * switch 2463*<>2465* | from the previous | CVE-2013-2423
CVE-2013-3897 | Possibly + exploits | version | CVE-2013-2460
* removed | from the previous
Sakura 1.x | LightsOut | Glazunov | Rawin | Flimkit | Cool EK (Kore-sh) | Kore (formerly Sibhost)
and + all or some | CVE-2013-1690 | CVE-2013-2423 | CVE-2013-2471 | CVE-2013-2463
from the previous
Styx 4.0 | Cool | Topic EK | Nice EK
CVE-2013-2423 | and + all or some
CVE-2013-2463 | from the previous
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
If you find any errors, or CVE information for packs not featured, please send it to my email (in my profile above; thank you very much).
- Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
- Blackhole 1.2.1 (Java Skyline added)
- Sakura Exploit Pack 1.0 (new kid on the block, private pack)
- Phoenix 2.8. mini (condensed version of 2.7)
- Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
Merry Christmas Pack
read analysis at
|Sava Pack |
read analysis at
Old (2009), added just for
|Zero Pack |
62 exploits from various packs (mostly Open Source pack)
LinuQ pack is a PhpMyAdmin exploit pack with 4 PMA exploits, based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special. All exploits are public and well known.
It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned; vulnerable IPs and the specific PMA vulnerabilities will be listed in vuln.txt, and then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It is using
Go1Pack (not included) was reported as being a fake pack; here is a GUI. Here is a threatpost article referencing it, as it was used for an attack.
- Eleonore 1.6.4
- Eleonore 1.6.3a
Posted: 20 Mar 2015 | 8:48 pm
There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.
Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”
Opening the Word document, the first thing you'll notice is the security warning and, below it, a bunch of garbled text. A message above it says, "If you document have incorrect encoding – enable macro."
Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.
Using OfficeMalScanner, the macros, specifically the one called "ThisDocument", can be dumped to a file for analysis.
Let’s try it with OleDump. It nicely shows the objects inside of the document.
We can also dump the ‘ThisDocument’ object.
Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.
About a quarter of the way in, there are some URLs to take note of.
Basically the VBA macro builds a VBS script and writes it out.
Interestingly, this VBS calls up a PowerShell file. How vogue. It's now very clear what it's doing: downloading and executing a file from the Internet, then downloading an image for statistics and cleaning up.
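The string-concatenation obfuscation noted above is the usual reason the URLs are not visible in a plain string dump. The script below is an added example, not the author's tooling: it folds VBA literals joined with "&" or "+" back into whole strings, pulls the URLs out of the result, and flags the dropper markers the post describes (shell object creation, a .vbs file written to disk, a PowerShell invocation). The macro text it runs on is constructed for the example and uses the reserved "example.invalid" host as a placeholder.

```python
import re

# Constructed sample VBA modelled on the macro described in the post:
# URLs are split into fragments joined with "&" or "+", junk statements
# sit between the useful lines, and a .vbs dropper is written to disk.
# The "example.invalid" hosts are placeholders, not real indicators.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim junk As Integer
    junk = 4711
    Dim dl As String
    dl = "http://ex" & "ample.inv" & "alid/inv" & "oice.exe"
    junk = junk + 1
    Dim st As String
    st = "http://example.invalid/" + "stat" + ".gif"
    Set sh = CreateObject("WScr" & "ipt.Shell")
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set f = fs.CreateTextFile("C:\Users\Public\run.vbs", True)
    f.Write "Set o = CreateObject(""WScript.Shell"")"
    sh.Run "powershell -ExecutionPolicy Bypass -File C:\Users\Public\run.ps1", 0
End Sub
'''

# One VBA string literal; an embedded quote is written as two quotes.
LITERAL = r'"((?:[^"\n]|"")*)"'
# Two literals joined by the VBA concatenation operators & or +.
CONCAT = re.compile(LITERAL + r'[ \t]*[&+][ \t]*' + LITERAL)
URL = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

# Markers that together point at a macro dropper: a shell object,
# a script file written to disk, and PowerShell launched from VBA.
MARKERS = ("wscript.shell", "createtextfile", ".vbs", "powershell")


def fold_concats(src):
    """Merge adjacent literals joined by & or + until nothing changes."""
    while True:
        new = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if new == src:
            return new
        src = new


def string_literals(src):
    """Return every literal in the (folded) source with "" unescaped."""
    return [m.group(1).replace('""', '"') for m in re.finditer(LITERAL, src)]


def analyze(src):
    """Deobfuscate the macro text and report URLs and dropper markers."""
    folded = fold_concats(src)
    literals = string_literals(folded)
    urls = sorted({u for s in literals for u in URL.findall(s)})
    lowered = folded.lower()
    markers = [m for m in MARKERS if m in lowered]
    return {"urls": urls, "markers": markers}


if __name__ == "__main__":
    report = analyze(SAMPLE_MACRO)
    for u in report["urls"]:
        print("URL:", u)
    print("markers:", ", ".join(report["markers"]))
```

Run it on the VBA text that oledump or OfficeMalScanner produced; the folded source is also far easier to read by hand than the original, since the junk statements stay put while the split strings collapse into one literal each.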
Let me download the file…
And see what VirusTotal has to say…
Regarding that image download, here’s what it is:
The image's download stats are in that red box. I'm not sure how many are victims versus security folks, but that could be an impressive number.
Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.
The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.
The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.
Ah! It's not doing any decryption; it's just some clever sleight of hand. The invoice text was there all along, hidden as white text. Here you can see the hidden content in green.
Posted: 6 Mar 2015 | 8:24 pm
Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again, courtesy of FireEye and a new report they published.
FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.
We have been tracking this threat actor (Sofacy) for a few years, since it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents, as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern European government and military institutions, and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia, which indicates that one of the group's objectives is gathering geopolitical intelligence.
The techniques used by this group have evolved over the years.
Most of the spear-phishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:
As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.
We cover these tools using the following rules with USM:
- Web compromises
The group has been seen infecting websites and redirecting visitors to a custom exploit kit able to take advantage of the following vulnerabilities affecting Internet Explorer:
The following rule detects activity related to this exploit kit:
- Phishing campaigns
This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.
By inspecting the content of the malicious redirect, we can alert on this activity using the following rule:
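Both this post and the Pawn Storm write-up above describe the same credential-harvesting setup: an OWA login page cloned onto a domain the attacker controls. The following is an added example, not the USM rule the post refers to, of the check a content inspector can apply to a fetched page: if the body carries OWA branding and a password field but was served from a host that is not the organisation's real webmail, flag it, and name any host the form would post credentials to. The legitimate host and the sample pages are constructed for the example (the "example.invalid" names are placeholders).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The organisation's real webmail host(s); placeholder for this example.
LEGIT_OWA_HOSTS = {"mail.example.invalid"}

# Strings an OWA login page carries and a clone usually keeps so that
# the page looks right; matched case-insensitively in the page body.
OWA_MARKERS = ("outlook web app", "outlook web access", "/owa/auth", "logon.aspx")


class FormFinder(HTMLParser):
    """Collect form action targets and whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def assess_page(url, body):
    """Return (verdict, reasons) for a page body fetched from url."""
    host = urlparse(url).hostname or ""
    reasons = []
    if host in LEGIT_OWA_HOSTS:
        return "legitimate-host", reasons
    lowered = body.lower()
    markers = [m for m in OWA_MARKERS if m in lowered]
    finder = FormFinder()
    finder.feed(body)
    if not markers or not finder.has_password:
        return "not-owa", reasons
    reasons.append("OWA branding (%s) on non-corporate host %s" % (", ".join(markers), host))
    for action in finder.actions:
        # Credentials posted to any host other than the real webmail are
        # the harvesting step; a relative action posts back to `host`.
        target = urlparse(action).hostname or host
        if target not in LEGIT_OWA_HOSTS:
            reasons.append("credentials would be posted to %s" % target)
    return "suspected-owa-clone", reasons


# Constructed samples: a lookalike host, the real host, and an unrelated page.
OWA_BODY = ('<html><title>Outlook Web App</title>'
            '<form method="post" action="/owa/auth.owa">'
            '<input name="username"><input type="password" name="password">'
            '</form></html>')
CLONE_SAMPLE = ("http://mail-example.invalid/owa/auth/logon.aspx", OWA_BODY)
REAL_SAMPLE = ("https://mail.example.invalid/owa/auth/logon.aspx", OWA_BODY)
NEWS_SAMPLE = ("http://news.example.invalid/story", "<html><title>Story</title><p>text</p></html>")

if __name__ == "__main__":
    for sample in (CLONE_SAMPLE, REAL_SAMPLE, NEWS_SAMPLE):
        verdict, why = assess_page(*sample)
        print(sample[0], "->", verdict, "; ".join(why))
```

The host allow-list is the whole of the decision here, which is why the check belongs in a proxy or IDS content inspector that sees both the URL and the body: the same HTML is benign on the real host and a credential trap anywhere else.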
Posted: 28 Oct 2014 | 9:30 pm
A few days ago Admiral Mike Rogers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear: CYBER-RESILIENCY. He discussed the impractical reactions typical of cyber intrusions today. After an attack, a network may temporarily shut down and operations will cease, in government and private sector organizations alike. Both the Admiral and we here at Cyber Engineering Services believe this is an unnecessary and damaging response.
The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack, while keeping the network and productivity online. In his speech the Admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago: cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.
Accepting this can be a hard pill for companies to swallow, as it is natural to want to put an end to all intrusions and data loss. However, accepting this problem doesn't change its nature; it allows for the development of more realistic strategies. As the Admiral puts it, "This is not a small problem. It's not going away. Technology will not catch up. This is foundational to the future. I need your help." Basically, the director of the NSA is explaining that the government alone is not going to conquer this problem; the private sector needs to step up to the plate and get realistic and proactive.
At Cyber Engineering Services we are very excited to see key individuals in the cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moment's notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.
If you'd like to read more of the Admiral's message, see the link below to a summary written by Mike Donohue.