In the course of my systems engineer duties at FireEye, I get the chance to speak with security professionals at a lot of organizations. Many of them seem confident that their email security gateways or email software-as-a-service (SaaS) providers can safeguard them from spear-phishing attacks.
Here are some of the typical comments I hear from companies:
- “My email security provider has specific phishing filters, so we’re confident that we have eliminated the risk of an infection via a spear-phishing email.”
- “Our users receive virtually zero spam, so the solution works just fine.”
- “The contents of the email quarantine are so accurate that we don’t bother checking any more.”
- “We have a strict attachment policy and multiple AV engines within our email security solution. That adds a very high level of protection from malware threats.”
In general, people believe that the email security headache has been solved. So they tend to relegate it to a secondary concern, far below Web security.
That could be a huge mistake. While spam filters and other email security tools have defanged many high-volume campaigns, they’re futile against some of the most dangerous targeted, personalized attacks.
Ukrainian protesters. (Credit: Ryan Anderson. Used under Creative Commons CC-BY-SA-3.0 license.)
In April 2005, General Boris Miroshnikov, head of the Russian police’s cybercrime division (Department К for “Кибер” or “Cyber”), announced that Russian hackers were the “best in the world.” At DEF CON 13 that year, I explained how Soviet scientists had honed their reverse engineering skills on Western products for decades during the Cold War. More recently, Western reporting such as Tom Kellermann’s “Peter the Great versus Sun Tzu” and FireEye’s “World War C” suggests that Eastern European hackers are still more advanced and stealthy than their peers around the world. Ukraine was even called the world’s newest “haven for hackers.”
So, given the current political crisis in Ukraine, it seems like a good time to ask, what role is there for computer hackers in political revolutions? And could computer hacking play a decisive role in this would-be revolution? If we assume that there are two basic antagonists in this struggle – the government and the protesters – which side benefits the most from the existence of a strong hacker culture?
This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.
Our report provides further proof that cyber espionage is a reality in today’s world. First, attackers appear to have no financial incentive to hit these targets. Instead, the goal appears to be collecting time-sensitive geopolitical information — in this case, insight into the intense international diplomacy surrounding Syria’s ongoing civil war.
FireEye was able to access just one of 23 command-and-control (CnC) servers responsible for managing cyber espionage against a handful of countries. But how many more countries were attacked? How many more CnC servers are a part of this attack campaign? Only the attackers know for sure — but the known scope of their efforts implies that this was only the tip of a much larger iceberg.
Since we began writing this report, this APT has continued its cyber espionage activities. Furthermore, we have recently located an additional cluster of Ke3chang activity.
In our last post, we warned of a new Windows local privilege escalation vulnerability being used in the wild. We noted that the Windows bug (CVE-2013-5065) was exploited in conjunction with a patched Adobe Reader bug (CVE-2013-3346) to evade the Reader sandbox. CVE-2013-3346 was exploited to execute the attacker’s code in the sandbox-restricted Reader process, and from there CVE-2013-5065 was exploited to execute further malicious code in the Windows kernel.
In this post, we aim to describe the in-the-wild malware sample, from initial setup to unrestricted code execution.
CVE-2013-3346: Adobe Reader ToolButton Use-After-Free
CVE-2013-3346 was privately reported to ZDI by Soroush Dalili, apparently in late 2012. We could find no public description of the vulnerability. Our conclusion that the sample from the wild is exploiting CVE-2013-3346 is based upon the following premises:
- CVE-2013-3346 is a use-after-free condition with ToolButton objects.
- The Adobe Reader patch that addresses CVE-2013-3346 also stops the in-the-wild exploit.
CVE-2013-3346 Exploitation: Technical Analysis
- Make a parent ToolButton with a callback CB
- Within the callback CB, make a child ToolButton with a callback CB2
- Within the callback CB2, free the parent ToolButton
FireEye Labs has identified a new Windows local privilege escalation vulnerability in the wild. The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP.
This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.
Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it.
The following actions will protect users from the in-the-wild PDF exploit:
1) Upgrade to the latest Adobe Reader
2) Upgrade to Microsoft Windows 7 or higher
This post was intended to serve as a warning to the general public. We are collaborating with the Microsoft Security team on research activities. Microsoft assigned CVE-2013-5065 to this issue.
We will continue to update this blog as new information about this threat is found.
[Update]: Microsoft released security advisory 2914486 on this issue.
FireEye recently identified a malicious mobile application that installs a fake banking application capable of stealing user credentials. The top-level app acts as a bogus Google Play application, falsely assuring the user that it is benign.
FireEye Mobile Threat Prevention platform detects this application as Android.KorBanker. This blog post details both the top-level installer as well as the fake banking application embedded inside the top-level app.
The app targets the following banks, all of which are based in Korea.
- Hana Bank
- IBK One
- KB Kookmin Bank
- NH Bank
- Woori Bank
- Shinhan Bank
Once installed, the top-level application presents itself as a Google Play application. It also asks the user for permission to activate itself as a device administrator, which gives KorBanker ultimate control over the device and helps the app stay hidden from the app menu.
On an average day in the UK more than 100 .co.uk domain websites are hacked according to the statistics in the Zone-h.org online database.
Website hacks are increasing the volume of targeted attacks today. Industry statistics show that more than 80 percent of websites have vulnerabilities that would cause them to fail OWASP Top 10 tests (source: Veracode). In addition, the U.S. CERT believes that 75 percent of new attacks specifically target the application layer of systems in order to exploit these weaknesses.
Why does Web security matter? Website watering hole attacks are becoming increasingly popular with attackers – if they can plant an invisible iframe that redirects a user from a legitimate website, they can push a user to a compromised website hosting a cocktail of exploits to attack the client computer connecting to it. We have seen some notable examples in the media over recent months, including high-profile sites such as the Council on Foreign Relations and the U.S. Department of Labor.
Among the targets this year was the UK Mole Valley website in August. Why was the Mole Valley website hack interesting?
As 2013 draws to a close, FireEye researchers are already looking ahead to 2014 and the shifting threat landscape. Expect fewer Java zero-day exploits and more browser-based ones. Watering-hole attacks may supplant spear-phishing attacks. And thanks to an emerging class of mobile malware, the security landscape is about to get a lot more complicated.
Those are just a few of the predictions of the FireEye engineering and labs team, which assembled a forecast for the coming year.
We set out to get 10 predictions — but got 15. Nostradamus would be proud.
The SIEM (Security Information and Event Management) concept is heading into the third phase of its evolution.
In the first phase, SIM (Security Information Management) products developed to collect logs from multiple sources to aid in compliance and “log review” activities.
In the second phase, SEM (Security Event Management) emerged to find security events. SEM correlated multiple items across application, host, and network security logs to help security analysts detect and respond to attacks.
These two activities have provided little value to many organizations. While they may have seemed reasonable in theory, they were not designed from the ground up to solve the business problems that organizations actually face.
The SIEM product space has spurred novel database concepts, computationally expensive correlation algorithms, and complex tools for managing large amounts of log information. But ultimately, these approaches have failed to solve the real problem customers face in managing their security. They address the wrong problem because they started by looking at the symptoms — lots of logs that produce largely meaningless information.
The real business problem is to know exactly when an incident has occurred, respond to it (ideally in a real-time, automated fashion where appropriate), and prevent it from happening again. All the device configuration, log correlation logic, data storage, compute power, and bandwidth required to correlate disparate logs into a set of possible events to investigate produces a lot of work for analysts with far too many false positives.
For this reason, we’ve started to see companies changing the way they use SIEM products. Call it the third stage of SIEM’s evolution.
Vulnaggressive Characteristics in Mobile Apps and Libraries
FireEye mobile security researchers have discovered a rapidly-growing class of mobile threats represented by popular ad libraries affecting apps with billions of downloads. These ad libraries are aggressive at collecting sensitive data and able to perform dangerous operations such as downloading and running new code on demand. They are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. We have published some of our findings in our two recent blogs about these threats: “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions” and “Update: Ad Vulna Continues”.
As we reported in our earlier blog “Update: Ad Vulna Continues”, we have observed that some vulnaggressive apps have been removed from Google Play, and some app developers have upgraded their apps to a more secure version, either by removing the vulnaggressive libraries entirely or by upgrading the relevant libraries to a more secure version that addresses the security issues. However, many app developers are still not aware of these security issues and have not taken the needed steps. We need to make a community effort to help app developers and library vendors become more aware of these security issues and address them in a timely fashion.
To aid this community effort, we present data illustrating the changes over time as vulnaggressive apps are upgraded to a more secure version or removed from Google Play after our notification. We summarize our observations below, although we do not have specific information about the reasons behind the changes we are reporting.