Linux GNU firebrand Richard Stallman says Windows and Apple's OS X are malware, Amazon is Orwellian, and anyone who trusts the internet-of-things is an ass.…
Posted: 24 May 2015 | 11:58 pm
Posted: 23 May 2015 | 2:38 pm
In an interesting turn of events, a C&C used in the Carbanak targeted attack campaign now resolves to an IP linked to the Russian Federal Security Service (FSB).
Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 188.8.131.52. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.
Figure 1. Information on systemsvc.net
For those who are not familiar, Carbanak is a targeted attack campaign that hit banks and financial organizations earlier this year. Based on reports, it employed methods and techniques such as spear phishing email and exploits, commonly seen in targeted attacks. Accordingly, attackers did intelligence gathering about their target networks in order to infiltrate it.
I checked for other interesting details in the other IOCs but didn’t find anything related to this particular anomaly. I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service. It is also possible that the owner of the domain had done this as a prank.
A reverse lookup on the IP addresses revealed that there are several other domains resolving to it apart from systemsvc.net.
Figure 2. Other domains resolving to the FSB Russia
We will monitor this further and post updates when they’re available.
Posted: 22 May 2015 | 4:33 am
We have recently come across a method of getting personal information that was interesting from the technical point of view. Our customer received an email saying that someone had used his Live ID to distribute unsolicited email, so his account would be blocked. The email suggested that, to prevent the account from being blocked, the customer should follow the link and fulfill the service’s new security requirements.
This sounds very much like a typical phishing email. The victim is expected to click on the link that will take him to a fake site imitating the official Windows Live page, enter data which will be sent to the scammers, etc. However, to our surprise, the link from the scam email actually led to the Windows Live website and the cybercriminals did not make any attempt to get the victim’s login and password. Their scam was much more sophisticated than that.
Then why is it dangerous to follow the link if it does lead to the official Microsoft service?
The scam email
This is because the Live ID account can also be used for authorization with other services – Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger, OneDrive, etc. The attack does not result in the fraudster getting direct access to these services on behalf of his victim, but it does enable the attacker to steal personal information contained in the user profiles for these services and subsequently use it for fraudulent purposes.
Having followed the link in the email, we are taken to the official live.com service, where we are asked to authenticate using our login and password.
After successful authentication, the user’s login and password are not intercepted by the fraudsters as one might suppose (and as it usually happens); the user does get authenticated on live.com. But after this they receive a curious prompt from the service:
Some application requests permission to automatically log into our account, view our profile information and contact list and access the list of e-mail addresses. By clicking “Yes” we assign it these rights – in effect providing its creators with our personal information, our contacts’ email addresses, our friends’ nicknames and real names, etc.
Do not give the right to access your personal data to applications that you do not know or trustTweet
Since in this case we know nothing about the application or its authors, we can only assume that the data collected will be used for fraudulent purposes. Once again – the login and password do remain confidential.
Technically, this is not very complicated. There is a special open protocol for authorization, OAuth, which allows resource owners to give third parties limited access to their protected resources without sharing their credentials. The protocol is commonly used by the developers of web applications for social networks if these applications require some data for their operation, such as the ability to access the contact list. It is convenient for users because once they are authenticated with the service they do not have to enter their credentials every time an application requests authorization.
This is the first time we have come across a phishing email used by fraudsters to put these techniques into practiceTweet
The security flaws of the OAuth protocol have been known for quite a while: in early 2014, a student from Singapore described possible techniques for stealing user data after authentication. However, this is the first time we have come across a phishing email used by fraudsters to put these techniques into practice.
In our case, after clicking on the link hxxps://login.live.com/oauth20_authorize.srf?client_id=00xxx4142735&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails&response_type=code&redirect_uri=hxxp://webmail.code4life.me/hot/oauth-hotmail.php, which was received in a scam email, a user is taken to the authentication page where (s)he is asked to assign certain rights to an application. The list of rights requested is encoded in the link’s parameters. If the user agrees, (s)he is redirected to a landing page (hxxp://webmail.code4life.me/hot/oauth-hotmail.php) whose URL includes an “access token” (hxxp://webmail.code4life.me/hot/oauth-hotmail.php?code=36cef237-b8f6-9cae-c8e4-ad92677ba) after the “code” parameter, which is then intercepted by the application right from the address bar. The “access token” is then used by the application to access protected resources. It is worth noting that the capabilities offered by OAuth are not limited to authentication and authorization. A token received during authorization can be used for integrating a web service’s or social network’s functionality into your own resource, including the ability to read and write posts, access the news feed, the Wall, etc.
If you take a closer look at the link, you can see the following parameters: wl.signin, wl.basic, wl.emails, and wl.contacts_emails. These parameters are used to encode the permission levels requested by the application:
There are many other parameters, which give permissions to access the user’s and their contacts’ photos, date of birth, the list of meetings and important events. In fact, a scammer can use this information to create a person’s profile, including information on what the user’s activities are when going out, the user’s friends and people (s)he meets, etc. This profile can then be used for criminal purposes.
The victim's information is gathered in order to send spam or to launch spear phishing attacksTweet
Further research enabled us to find a few similar phishing emails containing links to the official Microsoft service. In all cases, attackers asked the user to provide the same information (profile data, email addresses, contacts). Only the addresses of the landing pages hosting the scammers’ application were different.
It should be noted that some applications designed for social networks also use the OAuth protocol.
Example of rights assigned to an application on Facebook
An application created by scammers might request the victim’s permission to publish posts and pictures on the Wall, to read and send private messages, to add entries in guest books. These features can be used to distribute spam or links to phishing or malicious sites.
In the case discussed above, information is most likely gathered in order to send spam to the contacts in the victim’s address book or to launch spear phishing attacks.
To avoid falling victim to scammers, do not follow links received by email or in private messages on social networks. Most importantly, do not give the right to access your personal data to applications that you do not know or trust. Before you agree, carefully read the descriptions of the account access rights which the application will get and assess the threat level. You can also search the Internet for information and feedback on the application requesting these rights. Any social networking site or web service also allows users to view the rights of currently installed applications in account/profile settings and cancel some of the permissions if necessary.
Example of Google access rights assigned to an application
If you have found out that an application is already distributing spam or malicious links on your behalf, you can send a complaint to the administration of the social networking site or web service and the application will be blocked. If you want to log on to a service or social networking site, it is best to go directly to the official website by manually entering its address in the browser. And, of course, keep the databases of your antivirus software with integrated anti-phishing protection up to date.
Posted: 21 May 2015 | 3:00 am
|Exploit Pack Table Update 20|
|Click to view or download from Google Apps|
|Gong Da / GonDad||Redkit 2.2||x2o (Redkit Light)||Fiesta (=Neosploit)||Cool Styxy||DotkaChef|
|Angler||FlashPack = SafePack||White Lotus||Magnitude (Popads)||Nuclear 3.x||Sweet Orange|
|CK||HiMan||Neutrino||Blackhole (last)||Grandsoft||Private EK|
|CVE-2012-4792*||CVE-2013-2465||CVE-2013-2465*||and + all or some||CVE-2013-2423||CVE-2013-1347|
|CVE-2013-0634||* switch 2463*<>2465*||from the previous||CVE-2013-2423|
|CVE-2013-3897||Possibly + exploits||version||CVE-2013-2460|
|* removed||from the previous|
|Sakura 1.x||LightsOut||Glazunov||Rawin||Flimkit||Cool EK (Kore-sh)||Kore (formely Sibhost)|
|and + all or some||CVE-2013-1690||CVE-2013-2423||CVE-2013-2471||CVE-2013-2463|
|from the previous|
|Styx 4.0||Cool||Topic EK||Nice EK|
|CVE-2013-2423||and + all or some|
|CVE-2013-2463||from the previous|
"Flash pack" (presumably the same as before)
"Quicktime" - CVE-2010-1818 ?
If you find any errors or CVE information for packs not featured , please send it to my email (in my profile above, thank you very much) .
- Blackhole 1.2.1 (Java Rhino added, weaker Java exploits removed)
- Blackhole 1.2.1 (Java Skyline added)
- Sakura Exploit Pack 1.0 (new kid on the block, private pack)
- Phoenix 2.8. mini (condensed version of 2.7)
- Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
Merry Christmas Packread analysis at
read analysis at
|Sava Pack |
read analysis at
Old (2009), added just for
|Zero Pack |
62 exploits from various packs (mostly Open Source pack)
LinuQ pack is PhpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. it is not considered to be original, unique, new, or anything special. All exploits are public and known well.
It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned, vulnerable IPs and specific PMA vulnerabilities will be listed in vuln.txt, then the corresponding exploits can be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than exploit pack.
It is using
Go1Pack (not included) as reported as being a fake pack, here is a gui. Here is a threatpost article referencing it as it was used for an attack
- Eleonore 1.6.4
- Eleonore 1.6.3a
Posted: 12 May 2015 | 9:05 pm
On 24/04/15 At 12:37 PM
Posted: 24 Apr 2015 | 1:37 am
There has been a slew of malicious Word documents attached to email purporting to be invoices, receipts, etc. This particular one caught my eye but I’m not sure if this is an old trick. I just haven’t seen this method used before and thought it was quite clever.
Here’s the email that had a zipped file attached. The zipped file contained a Word document. The email in poor English says, “Thank you for payment. Your invoice…is attached. Thank you for your business – we appreciate it very much.”
Opening the Word document, first thing you’ll notice is the security warning and below it a bunch of garbled text. A message above it says, “If you document have incorrect encoding – enable macro.”
Clicking on the “Enable Content” button then reveals the invoice, making this (slightly) more believable and possibly enough to convince the unsuspecting recipient.
Using OfficeMalScanner, the macros, specifically the one called “ThisDocument” can be dumped to a file for analysis.
Let’s try it with OleDump. It nicely shows the objects inside of the document.
We can also dump the ‘ThisDocument’ object.
Looking at the macro, we can see a bunch of string concatenation going on and typical garbage in between legitimate VBA code.
A quarter ways in, there’s some URLs to take note of.
Basically the VBA macro builds a VBS script and writes it out.
Interestingly, this VBS calls up a Powershell file. How vogue. It’s now very clear what it’s doing — downloading and executing a file from Internet then downloading an image for statistics and cleaning up.
Let me download the file…
And see what VirusTotal has to say…
Regarding that image download, here’s what it is:
The image’s download stats are in that red box. Not sure how many are victims vs security folks but that could be an impressive number.
Going back to the macro, I wanted to find out how it “decrypted” the gibberish into text. Near the bottom, I see reference to “findText” and “secondText” followed by some clean-up code.
The findText subroutine shows that it looks for content between “<select></select>” tags then deletes it.
The secondText routine looks for “<inbox></inbox>” tags and changes the contents’ font color to black.
Ah! It’s not doing any decryption, it’s just some clever sleight of hand. The invoice text was there all along, hidden with white text. Here you can see the hidden content in green.
Posted: 6 Mar 2015 | 8:24 pm
Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.
FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.
We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.
The techniques used by this group have evolved over the years.
Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:
As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.
We cover these tools using the following rules with USM:
- Web compromises
The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:
The following rule detects activity related to this exploit kit:
- Phishing campaigns
This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.
Inspecting the content of the malicious redirect we can alert on this activity using the following rule:
Posted: 28 Oct 2014 | 9:30 pm
A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.
The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.
Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.
At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.
If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.
Posted: 19 Sep 2014 | 2:44 pm