Britain is splurging £265m on military cyber security – and that includes offensive capabilities, according to Defence Secretary Sir Michael Fallon.…
Posted: 21 Oct 2016 | 4:43 am
Posted: 21 Oct 2016 | 3:44 am
A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.
One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.
Here’s a bit of background on how this zero-day was discovered. A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits, CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this technology: CVE-2016-0165 and CVE-2016-3393.
Like most zero-day exploits found in the wild today, CVE-2016-3393 is used by an APT group we call FruityArmor. FruityArmor is perhaps a bit unusual due to the fact that it leverages an attack platform that is built entirely around PowerShell. The group’s primary malware implant is written in PowerShell and all commands from the operators are also sent in the form of PowerShell scripts.
In this report we describe the vulnerability that was used by this group to elevate privileges on a victim’s machine. Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attacks.
To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape.
In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module that runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module loads the exploit font directly from memory with the help of AddFontMemResourceEx. Once CVE-2016-3393 has been successfully leveraged, a second-stage payload is executed with higher privileges; it runs PowerShell with a meterpreter-style script that connects to the C&C.
The vulnerability is located in the cjComputeGLYPHSET_MSFT_GENERAL function from the Win32k.sys system module. This function parses the cmap table and fills internal structures. The CMAP structure looks like this:
The most interesting parts of this structure are two arrays, endCount and startCount. The exploit contains the following cmap table segments:
To compute how much memory to allocate to internal structures, the function executes this code:
After computing this number, the function allocates memory for structures in the following way:
The problem is that if the whole table is processed, the addition overflows and the cnt variable ends up with an incorrect value, so the allocation is undersized.
In the kernel, we see the following:
The code allocates memory for only 0x18 InternalStruct entries, but it then loops over the full range of segments (the segment count is taken directly from the file):
Using the cmap table, the v44 variable (the index) can be controlled and, as a result, we get memory corruption. To achieve this, the attacker can do the following:
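The post’s own listings and figures are not reproduced here. The following is an added example, not Kaspersky’s code and not win32k.sys: a toy walker for a TrueType cmap format 4 subtable that shows the bug class described above (the summed segment ranges wrap, the allocation is sized from the wrapped count, and the fill loop then indexes past it) next to a checked parse that refuses the table. The 16-bit accumulator, the fill-loop model and the two sample tables are assumptions made for illustration; the real variable widths, structures and exploit font are not on the page.

```python
# Added example, not Kaspersky's code and not win32k.sys.  A toy cmap
# format 4 walker: the unchecked count that wraps, the allocation sized
# from it, and the fill loop that walks every segment anyway.
import struct

def build_cmap4(segments):
    """Pack (startCode, endCode) pairs into a format 4 subtable.  idDelta and
    idRangeOffset are zeroed and the search fields are only filled for shape;
    that is all a count of glyph ranges needs.  Constructed test data."""
    n = len(segments)
    header = struct.pack(">7H", 4, 16 + 8 * n, 0, 2 * n, 0, 0, 0)
    ends = struct.pack(">%dH" % n, *[e for _, e in segments])
    starts = struct.pack(">%dH" % n, *[s for s, _ in segments])
    zeros = b"\x00\x00" * (2 * n)          # idDelta[] + idRangeOffset[]
    return header + ends + b"\x00\x00" + starts + zeros   # reservedPad between

# Two OVERLAPPING segments, 0x0000-0xFFFE and 0x0000-0x0018.  The format
# orders segments by endCode but nothing stops them overlapping, so the
# summed span is 65535 + 25 = 65560, which is 0x18 once cut to 16 bits.
MALFORMED = build_cmap4([(0x0000, 0xFFFE), (0x0000, 0x0018)])
# A sane table: printable ASCII plus the mandatory 0xFFFF terminator.
WELL_FORMED = build_cmap4([(0x0020, 0x007E), (0xFFFF, 0xFFFF)])

def segments_of(sub):
    """Return (startCode, endCode) pairs, or None for a truncated/odd table."""
    if len(sub) < 14 or struct.unpack(">H", sub[:2])[0] != 4:
        return None
    seg_x2 = struct.unpack(">H", sub[6:8])[0]
    n = seg_x2 // 2
    if n == 0 or seg_x2 % 2 or len(sub) < 16 + 8 * n:
        return None
    ends = struct.unpack(">%dH" % n, sub[14:14 + seg_x2])
    starts = struct.unpack(">%dH" % n, sub[16 + seg_x2:16 + 2 * seg_x2])
    return list(zip(starts, ends))

def count_unchecked(sub):
    """Models the bug: per-segment spans summed into a 16-bit counter (an
    assumed width), so the value used to size the allocation can wrap."""
    total = 0
    for s, e in segments_of(sub) or []:
        total = (total + (e - s + 1)) & 0xFFFF
    return total

def count_checked(sub):
    """Hardened: reject end < start, and reject a total beyond the 65536 code
    points a 16-bit cmap can address, which only overlapping segments can
    produce.  Returns None when the table should be refused."""
    segs = segments_of(sub)
    if segs is None:
        return None
    total = 0
    for s, e in segs:
        if e < s:
            return None
        total += e - s + 1
        if total > 0x10000:
            return None
    return total

def oob_writes(sub, alloc):
    """Model of the fill loop: walk every code point of every segment and
    index an array of `alloc` entries.  Returns how many writes would land
    past the end; nothing is actually written."""
    idx = oob = 0
    for s, e in segments_of(sub) or []:
        for _ in range(s, e + 1):
            if idx >= alloc:
                oob += 1
            idx += 1
    return oob

if __name__ == "__main__":
    n = count_unchecked(MALFORMED)
    print("wrapped count: 0x%x, writes past the allocation: %d" % (n, oob_writes(MALFORMED, n)))
    print("checked parse of the same table: %s" %
          ("rejected" if count_checked(MALFORMED) is None else "accepted"))
```

The wrapped count of 0x18 is a constructed coincidence chosen to echo the figure the post quotes; the point is the shape of the fix, not the number: compute the total with an accumulator that cannot wrap, bound it by what the format can legitimately describe, and size the allocation from that same validated value the loop later uses.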
What about Windows 10? As most of you know, font processing in Windows 10 is performed in a dedicated user-mode process with restricted privileges. This is a very good design, but the code has the same bug in its TTF processing.
As a result, if you load or open this exploit font on Windows 10, fontdrvhost.exe crashes:
Kaspersky Lab detects this exploit as:
We would like to thank Microsoft for their swift response in closing this security hole.
* More information about the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact: firstname.lastname@example.org
Posted: 20 Oct 2016 | 1:56 am
This entry is the last part of a four-part blog series discussing the different techniques ransomware uses to affect users and organizations. These techniques show that the best way to mitigate the risks brought about by this threat is to implement multiple layers of protection in different aspects of an enterprise network: from the gateway, to endpoints, to networks, and servers.
Read our previous posts here:
Our midyear security roundup noted that more than half of the file types encrypted by ransomware were directly related to enterprises: database files, SQL files and web pages on servers were among the most commonly targeted. These all reside on servers, so for enterprises, ransomware on servers is a potent threat that needs to be dealt with. We will take a look at how ransomware has evolved to affect servers and what solutions currently exist to tackle this particular problem.
Affected via endpoints
In addition to being targeted directly, servers are frequently affected by ransomware indirectly, through the actions of ransomware on endpoints within the same network. File shares are the usual route: it is now commonplace for ransomware families to explicitly search for available network shares, and those shares live on servers. Depending on the behavior of the ransomware, this may end up affecting the server more directly in the end.
Targeted by exploits
Beyond file shares, however, servers are at risk of being attacked directly. The usual ransomware delivery vectors (such as phishing campaigns and malvertising) do not generally apply to servers. Instead, servers are subject to direct attacks via vulnerabilities.
Recent SAMSAM ransomware attacks that hit hospitals serve as a good example of how servers can become ransomware targets. In these incidents, vulnerabilities in JBoss (a Java-based web application server) were used to gain access to the servers within an organization. Webshells were added to these servers, allowing attackers to take control of these systems remotely.
From there, files on the server itself would be targeted for encryption; alternatively, an attacker could move laterally within the affected network to seek out other lucrative ransomware targets. The result is the same: files are encrypted and held for ransom by the attacker.
Attacking servers requires more time and effort than the more commonplace ransomware threats that hit individual systems, but the payoff is generally higher. For example, when the Hollywood Presbyterian Medical Center (located in Los Angeles, California) was hit by ransomware in February 2016, the hospital ended up paying 40 BTC in ransom. This was approximately US$ 17,000 at the time.
Vulnerable applications aren’t the only threat to organizations and their servers. Recently, it was reported that the FAIRWARE malware family gained access to servers via brute-force attacks. This attack primarily targeted web servers, and asked for 2 BTC in ransom.
FAIRWARE isn’t alone in carrying out brute force attacks. The Crysis ransomware family attempted to brute-force systems that had their Remote Desktop Protocol (RDP) ports open to the Internet. This could include both ordinary desktops and servers. An attacker would be able to gain access to the network via this brute-forced machine, opening the door to further attacks.
These attacks can be mitigated by security solutions detecting suspicious activity on the network (a feature that is part of Deep Security, as we will discuss later), as well as proper application of best practices. The use of non-default passwords and disallowing logins from remote networks can also help mitigate this threat.
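One concrete form of the “detecting suspicious activity” mentioned above, as an added example that is not Trend Micro’s code: a small detector for RDP password guessing over Windows Security log entries. The log lines are constructed for this example and reduced to the fields that matter; in a real pipeline they would come from event ID 4625 (failed logon) and 4624 (successful logon) with Logon Type 10 (RemoteInteractive, i.e. RDP) and the source network address. The threshold and window are assumptions to tune per environment.

```python
# Added example, not Trend Micro's code: flag RDP brute forcing from
# Windows Security log entries (constructed sample lines below).
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log: one real burst that ends in a successful logon, one
# ordinary failed-then-successful user logon, one non-RDP (type 3) failure,
# and a slow drip from a service account that stays under the window.
LOG = """\
2016-10-19T08:00:00 4625 type=10 user=administrator src=203.0.113.7
2016-10-19T08:00:02 4625 type=10 user=administrator src=203.0.113.7
2016-10-19T08:00:04 4625 type=10 user=admin src=203.0.113.7
2016-10-19T08:00:06 4625 type=10 user=root src=203.0.113.7
2016-10-19T08:00:08 4625 type=10 user=backup src=203.0.113.7
2016-10-19T08:00:10 4625 type=10 user=administrator src=203.0.113.7
2016-10-19T08:00:12 4624 type=10 user=backup src=203.0.113.7
2016-10-19T08:01:00 4625 type=3 user=fileuser src=10.0.0.9
2016-10-19T08:05:00 4625 type=10 user=jsmith src=198.51.100.20
2016-10-19T08:05:30 4624 type=10 user=jsmith src=198.51.100.20
2016-10-19T09:00:00 4625 type=10 user=svc_sql src=10.0.0.5
2016-10-19T09:30:00 4625 type=10 user=svc_sql src=10.0.0.5
2016-10-19T10:00:00 4625 type=10 user=svc_sql src=10.0.0.5
2016-10-19T10:30:00 4625 type=10 user=svc_sql src=10.0.0.5
2016-10-19T11:00:00 4625 type=10 user=svc_sql src=10.0.0.5
2016-10-19T11:30:00 4625 type=10 user=svc_sql src=10.0.0.5
"""

LINE = re.compile(r"^(\S+) (\d+) type=(\d+) user=(\S+) src=(\S+)$")

def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, eid, ltype, user, src = m.groups()
            yield {"ts": datetime.fromisoformat(ts), "id": int(eid),
                   "type": int(ltype), "user": user, "src": src}

def detect(text, threshold=5, window=timedelta(minutes=10)):
    """Flag a source once it has `threshold` failed RDP logons inside a
    sliding `window`, and record whether a successful RDP logon from that
    source followed, which is the case worth paging someone for."""
    recent, failures, accounts = defaultdict(deque), defaultdict(int), defaultdict(set)
    flagged_at, success_after = {}, set()
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        if ev["type"] != 10:                  # only RemoteInteractive (RDP) logons
            continue
        src = ev["src"]
        if ev["id"] == 4625:
            failures[src] += 1
            accounts[src].add(ev["user"])
            q = recent[src]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged_at:
                flagged_at[src] = ev["ts"]
        elif ev["id"] == 4624 and src in flagged_at and ev["ts"] >= flagged_at[src]:
            success_after.add(src)
    return {src: {"failures": failures[src],
                  "accounts": sorted(accounts[src]),
                  "first_flagged": ts.isoformat(),
                  "success_after": src in success_after}
            for src, ts in flagged_at.items()}

if __name__ == "__main__":
    for src, info in detect(LOG).items():
        print(src, info)
```

The slow drip from 10.0.0.5 never trips the window and is not flagged, which is exactly the blind spot of a windowed count; pairing this with the “disallow logins from remote networks” advice above (an RDP port that is not exposed produces no such events at all) is the cheaper control.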
Similarities to targeted attacks
The similarities between a sophisticated ransomware attack on servers and a targeted attack should be apparent: access is gained to the organization by some means, then this access is used to gain further information about the target. Once a suitable target is chosen, the appropriate action is taken: for targeted attacks, this is theft; for ransomware, encryption.
This suggests that some of the solutions aimed at targeted attacks may be effective for dealing with ransomware as well. One solution that may be particularly effective is a proper patch management strategy.
Lagging Behind in the Patching Game
Any business knows it is a tricky balancing act to protect the enterprise environment while maintaining business operations. IT administrators face the seemingly impossible task of supporting daily operations and keeping critical services up while securing the network perimeter. When a vendor releases a new patch, they first need to test it before deploying it to production systems. Patching therefore very often lands on the back burner: it requires restarting mission-critical systems and servers, which can burden overall productivity and cause business interruptions. Of course, reluctance to patch quickly creates a critical window of exposure for enterprises.
Virtual patching addresses these challenges. Even when enterprises do not immediately apply the vendor’s patch, their vulnerable servers are shielded from the exploits that crypto-ransomware relies on. This technology lets IT administrators protect vulnerable servers and endpoints without downtime or additional operational cost.
There is of course no silver bullet when it comes to ransomware. A multi-tier defense architecture is the most fool-proof way to tackle the ransomware threat and provide adequate risk mitigation. These steps include email and web protection, endpoint protection, a network solution and protection for your servers.
Trend Micro Deep Security™ is the prime solution to handle the risks for servers created by ransomware, whether physical, virtual or in the cloud. It performs this protection with 3 specific functions:
As pointed out before, patch management is a crucial measure when faced with malware that exploits vulnerabilities. Trend Micro Deep Security has a virtual patching feature with intrusion detection and prevention technologies. This comprehensive solution can protect organizations and enterprises from exploits and other related malware payload. Since threats and attacks using vulnerabilities are prevalent in today’s computing landscape, virtual patching is becoming an absolute baseline necessity – similar to what anti-virus and firewalls used to be.
Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
Posted: 19 Oct 2016 | 1:00 am
The optimistic outlook is that the internet of things will be an enabling technology that will help make the people and physical systems of the world — health care, food production, transportation, energy consumption — smarter and more efficient.
The pessimistic outlook? Hackers will have something else to hack. And consumers accustomed to adding security tools to their computers and phones should expect to adopt similar precautions with internet-connected home appliances.
“If we want to put networked technologies into more and more things, we also have to find a way to make them safer,” said Michael Walker, a program manager and computer security expert at the Pentagon’s advanced research arm. “It’s a challenge for civilization.”
To help address that challenge, Mr. Walker and the Defense Advanced Research Projects Agency, or Darpa, created a contest with millions of dollars in prize money, called the Cyber Grand Challenge. To win, contestants would have to create automated digital defense systems that could identify and fix software vulnerabilities on their own — essentially smart software robots as sentinels for digital security.
A reminder of the need for stepped-up security came a few weeks after the Darpa-sponsored competition, which was held in August. Researchers for Level 3 Communications, a telecommunications company, said they had detected several strains of malware that launched attacks on websites from compromised internet-of-things devices.
The post Stepping up security for an Internet-of-Things World appeared first on CyberESI.
Posted: 18 Oct 2016 | 7:42 am
A PHP script was sent to me by reader Nuno who got this from a hacked Joomla website and wanted to know what this was. He said this script was prepended to several legitimate PHP files. Looking into this a bit, I found that this is related to WordPress hacks via MailPoet back in 2014 according to Sucuri (here and here).
The original script from 2014 is pretty much the same as this one after you deobfuscate it so it appears that its creator updated the obfuscation layer since then. Here’s what the 2014 script looks like:
And then it was modified some time later.
This is what the PHP script looks like today.
At the bottom is the code that deobfuscates the above. I make the following change as you can see.
And I get the deobfuscated result.
However, the result gets truncated. It’s probably because there are HTML-looking tags in there, so I have to modify my change to this:
Now I can get the entire script.
After I unescape it, I can see at the bottom a call to the deobfuscation function. I repeat the same step as above.
To get this:
I keep doing this for two more rounds and I end up with this. The for-loop at the bottom deobfuscates the last remaining blobs by passing it to the “oo1” and “oo2” functions above.
I grab functions from the previous rounds and put them all here. Finally you can see what this does.
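The rounds above were done by hand, swapping each eval() for output and re-running. As an added example that is not the script from the post and not Nuno’s sample, here is the same peeling done in Python without executing any PHP: find the outermost eval(), run the stacked decoders on the string literal in the right order, substitute the result, repeat until no eval() is left. Working on the text directly also sidesteps the truncation the post hit when the output was rendered as HTML. The three-layer sample is constructed here; the four domains are the ones named in the post, the rest of the payload is made up, and the decoder set is an assumption covering the PHP functions usually stacked in these wrappers.

```python
# Added example, not the script from the post: peel stacked
# eval(decoder(decoder("blob"))) layers without running PHP.
import base64, codecs, re, zlib

# Innermost layer of the constructed sample (the domains are from the post).
FINAL = ('$hosts = array("33db9538.com", "9507c4e8.com", "e5b57288.com", "54dfa1cb.com");\n'
         'echo "final layer reached";')

def _deflate(data: bytes) -> bytes:           # inverse of PHP gzinflate()
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def _b64(s: str) -> str:
    return base64.b64encode(s.encode("latin-1")).decode("ascii")

# Three wrappers, built inside-out exactly as the PHP would undo them.
LAYER1 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(_deflate(FINAL.encode())).decode()
LAYER2 = 'eval(str_rot13(base64_decode("%s")));' % _b64(codecs.encode(LAYER1, "rot13"))
SAMPLE = '<?php\neval(strrev(base64_decode("%s")));\n?>' % _b64(LAYER2[::-1])

# PHP decoders commonly stacked inside eval(); each maps bytes -> bytes.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),      # raw DEFLATE
    "gzuncompress": zlib.decompress,                     # zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( fn1( fn2( "literal" ) ) );  group 1 = the chain, group 3 = the literal
EVAL_RE = re.compile(r"""eval\s*\(\s*((?:\w+\s*\(\s*)*)(["'])([^"']*)\2\s*\)+\s*;?""")

def peel(src: str, max_rounds: int = 20):
    """Replace each eval(...("blob")) with its decoded content until no eval()
    is left, a decoder is unknown, or the blob is corrupt.  Returns the
    source as far as it could be unwrapped and the number of rounds."""
    rounds = 0
    while rounds < max_rounds:
        m = EVAL_RE.search(src)
        if not m:
            break
        chain = re.findall(r"\w+", m.group(1))       # outermost first
        data = m.group(3).encode("latin-1")
        try:
            for fn in reversed(chain):              # PHP evaluates innermost first
                data = DECODERS[fn](data)
        except (KeyError, ValueError, zlib.error):
            break                                   # stop and show what we have
        src = src[:m.start()] + data.decode("latin-1") + src[m.end():]
        rounds += 1
    return src, rounds

if __name__ == "__main__":
    text, n = peel(SAMPLE)
    print("rounds:", n)
    print(text)
```

Real samples add layers the regex here does not handle (string concatenation, variable-named functions, the “oo1”/“oo2” style helpers the post mentions); the stopping rule matters more than the decoder list, since an unknown layer should leave you with readable intermediate code rather than an exception.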
The script gets some HTTP info, randomly selects a domain (33db9538 .com, 9507c4e8 .com, e5b57288 .com, or 54dfa1cb .com), and makes a request to its C&C using one of five methods until one works. The HTTP GET requests look something like this:
hxxp://54dfa1cb .com/743373?nBcDCJtttnWOB7AFwE6JSD2%252B9FWohBE48s54engkXvlo7MmPmabcMTRfK5tqJyYRYA4xsNOviBQDEFq2uGAIfWs%253D.vxcX.60JI.vXyZAJNtdCnP.%252FkaXEZd1
hxxp://33db9538 .com/941577?cqzyJtttwfqjfH%252FwfN8k7f%252FSpz9SnXR016abcKoeOzkdP9zUs2oUlKyoGy6DqbbxOPukqZ5y%252FDEFLjNyQU2GGmY%253D.Uazm.Bfm5.UXyZLzR9z6bi.EPWaPjBl
None of the sites were responding with anything useful at the time of this writing, so I don’t know what the payload is, but if it’s the same as it was back in 2014 then backdoors are created on the site and legitimate files are overwritten in the process.
This is what all of the C&C websites look like:
If you get hit by this then you would probably need to do a fair amount of cleanup, restore from backups, or rebuild your site to ensure no backdoors are left behind.
VT: 2 / 54
VT: 8 / 54
VT: 4 / 54
Posted: 15 Oct 2016 | 5:42 pm
I saw a webcast done by Peter Ewane and Javvad Malik recently. The summary of what Peter had to say and Q&A follows; you can also view the recorded webcast.
Malware can be a lot of things. It can be a virus, a worm, spyware, a Trojan horse, or ransomware. It’s basically any malicious program that you would not want on your computer.
Lately it has become common to see malware hide in the Windows Registry. Why the Windows registry? The Windows registry is quite large and complex, which means there are many places where malware can insert itself to achieve persistence. A good example of this behavior is Poweliks. Poweliks sets a null entry utilizing one of the built-in Windows APIs, ZwSetValueKey, which allows it to create a registry key with an encoded data blob. I’m not sure why the Windows API allows a null entry, but it does. This is one of the many ways that malware can utilize the Windows registry to hide out, autostart, and maintain persistence on many systems.
Here’s an OTX pulse on Poweliks: https://otx.alienvault.com/browse/pulses/?q=POWELIKS
Process injection is exactly what it sounds like: injecting some bits of code into a running process. Malware leverages process injection techniques to hide code execution and avoid detection by utilizing known “good” processes such as svchost.exe or explorer.exe. To inject itself into known good processes, malware writers use built-in Windows APIs. One of them is setting debug. When a process is set as debug, it gains access to many of the debug API calls, such as attaching to other processes and instructing processes to allocate additional memory. Once a process has allocated more memory, a malicious process can inject whatever code it wishes into that process.
A great example of malware that uses process injection is Poison Ivy. Poison Ivy's process injection is one of my favorites not only because it is very well known but also because it is used in many campaigns, and does process injection slightly differently than other kinds of malware. When malware allocates a chunk of memory, normally that chunk of memory is “contiguous”, so at the end of a memory block, it will allocate another memory block and inject code there. Poison Ivy does what we call “sharding.” Instead of having one giant memory block, it has a whole bunch of tiny memory blocks split all over the process and sometimes in various processes.
Here’s an OTX pulse on Poison Ivy: https://otx.alienvault.com/browse/pulses/?q=poison%20ivy
Another technique related to process injection is process hollowing. ‘Hollowing’ is a process where you take a known good process and start it in a suspended state. When that code is loaded and about to execute, you scoop some of the good code out (like with an ice cream scoop). Now there is available space where a bad guy can place whatever code they like, maybe change a few headers on the top and bottom to make everything seem okay, and then restart the execution process. As far as a user knows, this process looks like a normal system process started by Windows. It is therefore much more difficult for reverse engineers and memory forensics people to analyze.
Dridex is a very good example of a malware family that often uses process hollowing. Here’s an OTX pulse on Dridex:
Process List Unlinking is another key concept. A process is anything that is running on your computer, whether in user space or kernel space. Process List Unlinking involves the double-linked list that contains all “active” processes. It’s important because unlinking results in a process being hidden from all “active” tools. This can be done using ZwSystemDebugControl() or by mapping \Device\PhysicalMemory. The process list holds every single process that is running, and each process object points forward and backward to the process in front of it and the process behind it to make a double-linked list.
Pointing the previous entry’s Flink past the process and the next entry’s Blink back past it effectively removes the process from the list. More advanced malware will take this a step further: after removing the process from the list, it will also write over that bit of memory, so even with memory forensics you wouldn’t be able to locate that process.
There are tools that security researchers can use to find hidden malicious code, such as
This is an example bit of code that somebody would use to unlink from the process list.
Malware can also hide by manipulating the DLL list. Just like the process list, the DLL list is a double-linked list that points to the DLL in front and behind, and again, just like the process list, there are APIs that can be called to rewrite entries in the DLL list, remove that DLL entry and wipe out that bit of memory to help hide the malware from memory forensics or from backup tools. This is used a lot in rootkit activity. Here’s a graphic explaining DLL lists:
Here we have another example of code used to unlink from the DLL list:
You can see where it writes over the one in front, the one behind, and then wipes out the memory with the zero-memory function call. One other thing to remember about DLL and process list unlinking is that all of it can be done from user space, so I don’t need kernel-level administrative rights.
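The code shown in the webcast is not reproduced here. As an added example that is not from the webcast and not AlienVault’s code, the following is a small model of the double-linked list, of the Flink/Blink rewrite that unlinks an entry, of the overwrite step, and of the cross-view check that memory forensics tools use to find the gap (walk the list, independently scan every object in the pool, diff the two). The same model applies to the DLL list described above, which is linked the same way. Names mirror the Windows ones; the objects, the “pool” (a list of everything ever allocated) and the scan’s recognition rule are stand-ins assumed for illustration.

```python
# Added example, not from the AlienVault webcast: a model of list
# unlinking (DKOM) and of the walk-vs-scan check that exposes it.

class Proc:
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = self      # ActiveProcessLinks-style links

class ProcessList:
    def __init__(self):
        self.head = Proc(0, "<list head>")  # sentinel, like the kernel's list head
        self.pool = []                      # every object allocated, linked or not

    def append(self, pid, name):
        p = Proc(pid, name)
        last = self.head.blink
        last.flink, p.blink = p, last
        p.flink, self.head.blink = self.head, p
        self.pool.append(p)
        return p

    def walk(self, backward=False):
        """pslist-style: follow Flink (or Blink) from the head."""
        out, cur = [], (self.head.blink if backward else self.head.flink)
        while cur is not self.head:
            out.append(cur)
            cur = cur.blink if backward else cur.flink
        return out

    def scan(self):
        """psscan-style: ignore the links and carve anything in the pool that
        still looks like a process object (the recognition rule is a stand-in
        for pool-tag / structure checks)."""
        return [p for p in self.pool if p.pid > 0 and p.name]

def unlink(p):
    """What the rootkit does: the neighbours skip p, then p points to itself
    so that a walk which happens to start from it does not fault."""
    p.blink.flink = p.flink
    p.flink.blink = p.blink
    p.flink = p.blink = p

def wipe(p):
    """The 'more advanced' step from the talk: overwrite the object so that
    even a scan no longer recognises it."""
    p.pid, p.name = 0, ""
    p.flink = p.blink = None

def hidden_processes(plist):
    """Cross-view: anything the scan finds that neither walk direction does."""
    seen = {id(p) for p in plist.walk()} | {id(p) for p in plist.walk(backward=True)}
    return [p for p in plist.scan() if id(p) not in seen]

def demo():
    """Returns (pids the walk shows, hidden pids after unlink, hidden pids after wipe)."""
    pl = ProcessList()
    for pid, name in [(4, "System"), (500, "svchost.exe"), (1337, "implant.exe")]:
        pl.append(pid, name)
    implant = pl.pool[-1]
    unlink(implant)
    after_unlink = [p.pid for p in hidden_processes(pl)]
    wipe(implant)
    after_wipe = [p.pid for p in hidden_processes(pl)]
    return [p.pid for p in pl.walk()], after_unlink, after_wipe

if __name__ == "__main__":
    print(demo())
```

The last value returned by demo() is the point the talk makes: once the entry is overwritten as well as unlinked, the pool scan has nothing to recognise, and you are left with indirect evidence (handles, threads, VADs, network sockets that belong to no listed process).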
Kernel modules are the next level down. A kernel module is any module that is loaded into the kernel. Like the DLL and process lists, the kernel modules have their own list that can be queried with APIs to return every kernel module that is loaded. There are also debug APIs that can remove one module from the list and zero it out. This is especially important because at the kernel level, when something is zeroed out, it makes it a lot harder to find. This access is ring-zero access, definitely associated with rootkit activity. Generally, a piece of malware will execute in user space and then try a kernel-level exploit to get kernel administrative access; it then drops the main rootkit, which zeroes itself out inside the kernel module list. At this point, the malware is very well hidden and it will be very difficult to find.
How Kernel Module List Unlinking Works:
JAVVAD: So most malware sandboxes can’t deal with samples that remain dormant for a considerable amount of time before execution, such as Keranger. Have any new techniques been developed to overcome this?
PETER: Yes, there are a couple of different ways to overcome that. One way malware stays dormant is by waiting a certain amount of system time. One way to manipulate that is to make time go faster on the virtual machine, so every millisecond is actually ten minutes or every millisecond is actually five hours, defeating the dormant malware by waiting it out.
JAVVAD: How can AlienVault detect the malware hiding techniques that were described in the presentation?
PETER: Excellent question. One of the ways we can detect the various hiding techniques described in the presentation is based upon Windows logging. One example of such detection would be a process acquiring the ability to utilize the built-in Windows debug capabilities. There are known “good” applications that use those functions, but when other processes outside that circle utilize those debug capabilities it looks suspicious, which we can then alert on.
JAVVAD: Do you have anything to detect CryptoLocker or any other similar type family of ransomware?
PETER: Yes, we have correlation rules for CryptoLocker and various ransomware families.
JAVVAD: Is it anything specific that makes Ransomware different to look for compared to other sorts of malware, or is it pretty much the same techniques that you use?
PETER: These techniques are more about hiding. Ransomware generally is not very good at hiding, that is not its job. Its job is to be loud and in your face. So generally we can look for that being loud and in your face or any sort of network detector, so like it is connecting to known bad domains, etcetera.
JAVVAD: Is there a tool that can utilize OTX to scan a raw memory image file for IoCs?
PETER: What I would personally recommend is while you can't import memory images into OTX yet, you can use a tool such as Volatility to pull out IP and/or domains depending on what you want to scan, and then you can cross-reference with OTX based on the information that you pull up from the memory image.
JAVVAD: What is the general turnaround time between the AlienVault team capturing a sample of the zero-day attack and actually producing signatures?
PETER: That is hard to give an exact answer to because every bit of malware is different and every zero-day is different. Sometimes it can be a couple of hours, sometimes it may take longer than that.
JAVVAD: Yes. I will just add to that, actually. Last year, Adobe released a zero-day, and actually because the IoCs were being reused from previous campaigns, effectively we were blocking that zero-day three months prior to Adobe actually publicly announcing it. So it is not always the case that zero-days produce effects.
Peter Ewane is a security researcher at AlienVault. Follow him on Twitter https://twitter.com/eaterofpumpkin
Javvad Malik is the security advocate at AlienVault. Follow him on Twitter https://twitter.com/J4vv4D
Posted: 3 Oct 2016 | 6:00 am
Posted: 23 Aug 2016 | 9:19 pm