Home   Blog   Twitter   Database  

Christmas Eve email asked Oz telcos for metadata retention costs by Jan 9th

7-day extension allowed for questions inc. 36-month retention option and benefits to telcos of storing data

Australian telecommunications companies and internet service providers were given until January 9th, 2015 to offer an estimate of what it will cost them to comply with data retention laws, and appear to have been told of that deadline on Christmas Eve.…

Posted: 25 Dec 2014 | 2:43 pm

SSCC 178 - Are we there yet? [PODCAST]

Here's the latest episode of our weekly security podcast. Enjoy...and "Happy Holidays," whether you're away on vacation yourself, or a sysadmin enjoying the time when everyone else is on vacation!

Posted: 24 Dec 2014 | 4:39 am

MBR Wiper Attacks Strike Korean Power Plant

In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees’ inboxes.

Malware Behavior

We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper. In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.

Figure 1. List of legitimate service names used by TROJ_WHAIM.A

 

Similarities to Previous MBR Attacks?

This particular MBR-wiping behavior, while uncommon, has been seen before. We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.

There are also similarities to the previous MBR wiper attacks as well. All three attacks mentioned earlier overwrite the MBR with certain repeated strings. This attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

Figure 2. Screenshot of ‘Who Am I’ message seen upon bootup of infected systems

Destructive Malware and Demands

It has been claimed that the attack on Sony Pictures was because of that studio’s production of the film The Interview. While we cannot independently verify the veracity of these claims, something similar has happened with this incident. We’ve noticed a particular Twitter user tweeting his demands toward the affected company, and if not met, would subsequently release various KHNP documents. Among these demands are the shutdown of nuclear power plants in Korea (nuclear provides for 29% of South Korean electricity requirements).

No Definitive Attribution

While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related. All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.

These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors. This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.

With additional insights by Abraham Camba, MingYen Hsieh, and Rika Gregorio

Update as of 11:29 P.M. PST, December 23, 2014

Upon further analysis, we confirmed that TROJ_WHAIM.A checks if the current date and time is Dec 10, 2014 11:00 AM or later. If it meets this condition, it sets the registry, HKEY_LOCAL_MACHINE\SOFTWARE\PcaSvcc\finish to 1, thus triggering the MBR infection. Otherwise, it sleeps for a minute and checks the system time again.

Aside from the MBR infection capabilities and overwriting certain strings, another similarity of this attack to the March 2013 incident is its ‘time bomb’ routine. A certain action is set in motion once the indicated date/time by the attackers is reached by the infected system.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

MBR Wiper Attacks Strike Korean Power Plant

Posted: 23 Dec 2014 | 3:18 pm

Who do you trust?

Normally when we post a video, it's of somebody that you know quite well (Mikko). But today… we'd like to post a video of somebody that you might not know and who speaks highly of us (here in the Labs). The feeling is mutual.

Who? Our CEO, Christian Fredrikson.

From his first day at F-Secure, he's come across as the kind of guy who would be the last person off the boat (or die trying).

Below is a presentation he gave two weeks ago to a group in Helsinki in which he asks: Who do you trust?

Christian Fredrikson
Trusted cloud services a key for European success

From our point of view — he's another good example of why you can trust F-Secure.

On 19/12/14 At 01:26 PM

Posted: 19 Dec 2014 | 3:38 am

Chthonic: a New Modification of ZeuS

In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:

Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.

The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

Infection

We have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:

When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.

Sample message with CVE-2014-1761 exploit

Sample message with CVE-2014-1761 exploit

In the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim computer. In the example above, the file is downloaded from a compromised site – hxxp://valtex-guma.com.ua/docs/tasklost.exe.

The Andromeda bot downloaded the downloader from hxxp://globalblinds.org/BATH/lider.exe.

Downloading the Trojan

Once downloaded, the downloader injects its code into the msiexec.exe process. It seems that the downloader is based on the Andromeda bot's source code, although the two use different communication protocols.

Example of common functionality of Andromeda and Chthonic downloaders

Example of common functionality of Andromeda and Chthonic downloaders

Differences in communication protocols used by Andromeda and Chthonic C&C

Differences in communication protocols used by Andromeda and Chthonic C&C

The Chthonic downloader contains an encrypted configuration file (similar encryption using a virtual machine was used in KINS and ZeusVM). The main data contained in the configuration file includes: a list of С&С servers, a 16-byte key for RC4 encryption, UserAgent, botnet id.

The main procedure of calling virtual machine functions

The main procedure of calling virtual machine functions

After decrypting the configuration file, its individual parts are saved in a heap - in the following format:

Chthonic_5

This is done without passing pointers. The bot finds the necessary values by examining each heap element using the RtlWalkHeap function and matching its initial 4 bytes to the relevant MAGIC VALUE.

The downloader puts together a system data package typical of ZeuS Trojans (local_ip, bot_id, botnet_id, os_info, lang_info, bot_uptime and some others) and encrypts it first using XorWithNextByte and then using RC4. Next, the package is sent to one of the C&C addresses specified in the configuration file.

In response, the malware receives an extended loader – a module in a format typical of ZeuS, i.e., not a standard PE file but a set of sections that are mapped to memory by the loader itself: executable code, relocation table, point of entry, exported functions, import table.

Code with section IDs matching the module structures

Code with section IDs matching the module structures

It should be noted that the imports section includes only API function hashes. The import table is set up using the Stolen Bytes method, using a disassembler included in the loader for this purpose. Earlier, we saw a similar import setup in Andromeda.

Fragment of the import setup function in Andromeda and Chthonic

Fragment of the import setup function in Andromeda and Chthonic

Header of a structure with module

Header of a structure with module

The extended loader also contains a configuration file encrypted using the virtual machine. It loads the Trojan's main module, which in turn downloads all the other modules. However, the extended loader itself uses AES for encryption, and some sections are packed using UCL. The main module loads additional modules and sets up import tables in very much the same way as the original Chthonic downloader, i.e. this ZeuS variant has absorbed part of the Andromeda functionality.

The entire sequence in which the malware loads, including the modules that are described below, is as follows:

Chthonic_9

Modules

Trojan-Banker.Win32.Chthonic has a modular structure. To date, we have discovered the following modules:

Name Description Has a 64bit version
main Main module (v4.6.15.0 - v4.7.0.0) Yes
info Collects system information Yes
pony Module that steals saved passwords No
klog Keylogger Yes
http Web injection and formgrabber module Yes
vnc Remote access Yes
socks Proxy server Yes
cam_recorder Recording video from the web camera Yes

The impressive set of functions enables the malware to steal online banking credentials using a variety of techniques. In addition, VNC and cam recorder modules enable attackers to connect to the infected computer remotely and use it to carry out transactions, as well as recording video and sound if the computer has a webcam and microphone.

Injections

Web injections are Chthonic's main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim.

For example, for one of the Japanese banks the Trojan hides the bank's warnings and injects a script that enables the attackers to carry out various transactions using the victim's account:

Online banking page screenshots before and after the injection

Online banking page screenshots before and after the injection

Interesting functions in injected script

Interesting functions in injected script

The script can also display various fake windows in order to obtain the information needed by the attackers. Below is an example of a window which displays a warning of non-existent identification problems and prompts the user to enter TAN:

Fake TAN entry window

Fake TAN entry window

Our analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When opening an online banking web page in the browser, the entire contents of the page is spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe with a phishing copy of the website that has the same size as the original window.

Below is a fragment of injected code, which replaces everything between title and body closing tags with the following text:

Chthonic_13

And here is the script itself:

Chthonic_14

Additionally, the bot receives a command to establish a backconnect connection if the injection is successful:

Chthonic_15

Coverage

There are several botnets with different configuration files. Overall, the botnets we are aware of target online banking systems of over 150 different banks and 20 payment systems in 15 countries. The cybercriminals seem most interested in banks in the UK, Spain, the US, Russia, Japan and Italy.

Chtonic target distribution by country

Chtonic target distribution by country

It is worth noting that, in spite of the large number of targets on the list, many code fragments used by the Trojan to perform web injections can no longer be used, because banks have changed the structure of their pages and, in some cases, the domains as well. It should also be noted that we saw some of these fragments in other bots' config files (e.g., Zeus V2) a few years back.

Conclusion

We can see that the ZeuS Trojan is still actively evolving and its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the ZeuS source code having been leaked. As a result, it has become a kind of framework for malware writers, which can be used by anyone and can easily be adapted to cybercriminals' new needs. The new Trojan – Chthonic – is the next stage in the evolution of ZeuS: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader.

What all of this means is that we will undoubtedly see new variants of ZeuS in the future.

A few md5:

12b6717d2b16e24c5bd3c5f55e59528c
148563b1ca625bbdbb60673db2edb74a
6db7ecc5c90c90b6077d5aef59435e02
5a1b8c82479d003aa37dd7b1dd877493
2ab73f2d1966cd5820512fbe86986618
329d62ee33bec5c17c2eb5e701b28639
615e46c2ff5f81a11e73794efee96b38
77b42fb633369de146785c83270bb289
78575db9f70374f4bf2f5a401f70d8ac
97d010a31ba0ddc0febbd87190dc6078
b670dceef9bc29b49f7415c31ffb776a
bafcf2476bea39b338abfb524c451836
c15d1caccab5462e090555bcbec58bde
ceb9d5c20280579f316141569d2335ca
d0c017fef12095c45fe01b7773a48d13
d438a17c15ce6cec4b60d25dbc5421cd

Posted: 18 Dec 2014 | 3:00 am

Wild Wild West – 12/2014

Added the following packs:

Null Hole
“Hanjuan EK”
“Archie EK”
“Astrum EK”
“SedKit”
“SPL2 Pack”

Special thanks to Kafeine for his valuable input.

wildwildwest_1214

Posted: 13 Dec 2014 | 5:16 pm

Collection of Pcap files from malware analysis

Update:Dec 13. 2014 


Despite rare updates of this post, we have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps!









Update:Dec 31. 2013 - added new pcaps

I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. While there are some online public sandboxes offering pcaps for download like Cuckoo or Anubis but  looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed - in other words, if the sandbox says it is Zeus does not necessarily mean that it is.

I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.

These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.

All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. purplehaze pcap is over 500mb).
Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.

Each file has the following naming convention:
BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.

I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.

Thank you




Download


Download all together or separately.

All pcaps archives have the same password (same scheme), email me if you need it. I tried posting it without any passwords and pass infected but they get flagged as malware. Modern AV rips though zips and zips with the pass 'infected' with ease.



APT PCAPS

See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

Download all together or separately.
  1. 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
  2. 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
  3. 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
  4. 2013-09-02 8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
  5. 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
  6. 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
  7. 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
  8. 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
  9. 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
  10. 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
  11. 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
  12. 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
  13. 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
  14. 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
  15. 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
  16. 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
  17. 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
  18. 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic ssheet http://bit.ly/maltraffic )
  19. 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
  20. 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
  21. 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
  22. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
  23. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
  24. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
  25. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
  26. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
  27. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
  28. BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
  29. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
  30. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
  31. PDF_CVE-2011-2462_Pdf_2011-12.pcap
  32. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
  33. OSX_DocksterTrojan.pcap

CRIMEWARE PCAPS

See Library of Malware Traffic Patterns for the corresponding sample downloads and other details

Download all together or separately.
  1. 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
  2. 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
  3. 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
  4. 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
  5. 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
  6. 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
  7. 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
  8. 2013-08-15 BIN_torpigminiloader-pcap.zip
  9. 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
  10. 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
  11. 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
  12. 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
  13. 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
  14. 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
  15. 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
  16. 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
  17. 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
  18. 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
  19. 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
  20. 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
  21. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
  22. 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
  23. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
  24. 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
  25. 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp 
  26. BIN_CitadelPacked_2012-05.pcap
  27. BIN_CitadelUnpacked_2012-05.pcap
  28. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
  29. BIN_Darkmegi_2012-04.pcap
  30. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
  31. BIN_dirtjumper_2011-10.pcap
  32. BIN_DNSChanger_2011-12.pcap
  33. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
  34. BIN_Googledocs_macadocs_2012-12.pcap
  35. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
  36. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
  37. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
  38. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
  39. BIN_purplehaze-2012-01.pcap
  40. BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
  41. BIN_Ramnitpcap_2012-01.pcap
  42. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
  43. BIN_SpyEye_2010-02.pcap
  44. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
  45. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
  46. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
  47. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
  48. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
  49. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
  50. BIN_Tinba_2012-06.pcap
  51. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
  52. BIN_Xpaj_2012-05.pcap
  53. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
  54. BIN_ZeusGameover_2012-02.pcap
  55. BIN_Zeus_2010-12.pcap
  56. EK_Blackholev1_2012-03.pcap
  57. EK_Blackholev1_2012-08.pcap
  58. EK_Blackholev2_2012-09.pcap
  59. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
  60. EK_Phoenix_2012-04.pcap
  61. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -  credit malware.dontneedcoffee.com


Posted: 12 Dec 2014 | 9:55 pm

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

The following rule detects activity related to this exploit kit:

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

References:

[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf

       

Posted: 28 Oct 2014 | 9:30 pm

A More Realistic Perspective on Cybersecurity from the Director of the NSA

A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.

The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.

At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.


NSA Rodgers Urges Cyber-Resiliency

Posted: 19 Sep 2014 | 2:46 pm