Blog

Crimeware or APT? Malware’s “Fifty Shades of Grey”

Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.

Remote access tools, or RATs, are an integral part of the cybercrime toolbox. For example, a recent FireEye investigation into XtremeRAT revealed that it had been propagated by spam campaigns that typically distribute Zeus variants and other banking-focused malware. This tactic may stem in part from the realization that compromising retailers can net millions of credit card numbers in one fell swoop.

Malware designed to compromise point-of-sale (POS) systems is not a new phenomenon. But we have seen a recent surge in malware that specifically targets these systems (e.g. Chewbacca, Dexter, BlackPOS and JackPOS). Moreover, POS malware is being deployed in an increasingly targeted manner. For example, some attacks against retailers have been characterized as “APT style” attacks, a designation traditionally reserved for malware-based espionage sponsored on some level by nation-states.

The extent to which such attacks are targeted, and not opportunistic, is unclear. The attackers could be singling out specific retailers in advance. Or they could be targeting an entire industry, simply capitalizing on opportunities that arise.

In this blog post, we examine one case that clearly illustrates the nature of this problem.


Occupy Your Icons Silently on Android

FireEye mobile security researchers have discovered a new Android security issue: a malicious app holding only normal-protection-level permissions can probe the icons on the Android home screen and modify them to point to phishing websites or to the malicious app itself, without notifying the user. Google has acknowledged this issue and released a patch to its OEM partners.

Normal vs. Dangerous Permissions: A Background

Android Open Source Project (AOSP) classifies Android permissions into several protection levels: “normal”, “dangerous”, “system”, “signature” and “development” [1][2][3].

Dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities”. In contrast, normal permissions are automatically granted at installation, “without asking for the user's explicit approval (though the user always has the option to review these permissions before installing)” [1].

On the latest Android 4.4.2 system, if an app requests both dangerous permissions and normal permissions, Android only displays the dangerous permissions, as shown in Figure 1. If an app requests only normal permissions, Android doesn’t display them to the user, as shown in Figure 2.

Figure 1. An Android app asks for one dangerous permission (INTERNET) and some normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS). Android doesn’t notify the user about the normal permissions.

Figure 2. An Android app asks for normal permissions (Launcher’s READ_SETTINGS and WRITE_SETTINGS) only. Android doesn’t show any permission to the user.

Normal Permissions Can Be Dangerous

We have found that certain “normal” permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legitimate Android home screen icons with fake ones that point to phishing apps or websites.

The ability to manipulate Android home screen icons, when abused, helps an attacker deceive the user. It is no surprise that the com.android.launcher.permission.INSTALL_SHORTCUT permission, which allows an app to create icons, was recategorized from “normal” to “dangerous” in Android 4.2. Though this is an important security improvement, an attacker can still manipulate Android home screen icons using two normal permissions: com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS. These two permissions enable an app to query, insert, delete, or modify the Launcher’s entire configuration, including inserting or modifying icons. Unfortunately, both permissions have been labeled “normal” since Android 1.x.

As a proof-of-concept attack scenario, a malicious app with these two permissions can query, insert, or alter the system icon settings and redirect the legitimate icons of security-sensitive apps, such as banking apps, to a phishing website. We tested and confirmed this attack on a Nexus 7 device running Android 4.4.2. (Note: the test website was taken down quickly and nobody else ever connected to it.) Google Play did not prevent this app from being published, and there was no warning when a user downloaded and installed it. (Note: we removed the app from Google Play quickly and nobody else downloaded it.)
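As an added example (not FireEye’s proof-of-concept app and not Android platform code), the following Python script models the install-time behaviour described in the background section and above: given a decoded AndroidManifest.xml, it separates the permissions the Android 4.4.2 install dialog would show from those granted silently and flags the two Launcher settings permissions. Its protection-level table covers only the permissions named in this post; the sample manifests and their package names are constructed placeholders.

```python
"""Install-time permission audit for a decoded AndroidManifest.xml.

Added example for this post; it is neither FireEye's PoC nor Android source.
It reproduces the install dialog behaviour the post describes for Android
4.4.2: "dangerous" permissions are listed for the user, "normal" ones are
granted with no prompt at all. Only protection levels the post states are
encoded here; any other permission is reported as unknown rather than guessed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "com.android.launcher.permission."

# Protection levels as given in the post (AOSP, Android 4.4.2).
PROTECTION_LEVELS = {
    "android.permission.INTERNET": "dangerous",
    LAUNCHER + "INSTALL_SHORTCUT": "dangerous",  # normal -> dangerous in Android 4.2
    LAUNCHER + "READ_SETTINGS": "normal",
    LAUNCHER + "WRITE_SETTINGS": "normal",
}

# "Normal" permissions the post shows are enough to query and rewrite
# home-screen icons, i.e. to redirect a bank icon to a phishing site.
HIGH_RISK_NORMAL = {LAUNCHER + "READ_SETTINGS", LAUNCHER + "WRITE_SETTINGS"}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")  # attribute is in the android: namespace
        if name:
            names.append(name)
    return names


def audit_manifest(manifest_xml):
    """Split requested permissions into what the install dialog shows and what it hides."""
    shown, silent, unknown = [], [], []
    for perm in requested_permissions(manifest_xml):
        level = PROTECTION_LEVELS.get(perm)
        if level == "dangerous":
            shown.append(perm)
        elif level == "normal":
            silent.append(perm)
        else:
            unknown.append(perm)

    findings = []
    risky = sorted(set(silent) & HIGH_RISK_NORMAL)
    if risky:
        short = ", ".join(p.rsplit(".", 1)[1] for p in risky)
        findings.append("silently granted launcher permissions %s let the app read "
                        "and rewrite home-screen icons" % short)
        if not shown:
            # The Figure 2 case: nothing at all is displayed at install time.
            findings.append("no dangerous permission requested: the install dialog "
                            "lists nothing at all")
    return {"shown_to_user": shown, "silently_granted": silent,
            "unknown_level": unknown, "findings": findings}


# Constructed manifests mirroring Figure 1 (INTERNET + launcher settings)
# and Figure 2 (launcher settings only). Package names are placeholders.
MANIFEST_FIG1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.figure1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
    <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
    <application android:label="demo"/>
</manifest>
"""

MANIFEST_FIG2 = MANIFEST_FIG1.replace(
    '    <uses-permission android:name="android.permission.INTERNET"/>\n', ""
).replace("figure1", "figure2")


if __name__ == "__main__":
    for label, manifest in (("Figure 1", MANIFEST_FIG1), ("Figure 2", MANIFEST_FIG2)):
        report = audit_manifest(manifest)
        print(label)
        print("  install dialog shows :", report["shown_to_user"] or "(nothing)")
        print("  granted silently     :", report["silently_granted"])
        for finding in report["findings"]:
            print("  FINDING:", finding)
```

Pointing the same audit at a vendor’s own manifest of the Launcher permissions (reference [3]) is a quick way to confirm whether a device has received the fix that changes their protection level.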

Lastly, this vulnerability is not limited to Android devices running AOSP. We have also examined devices that use non-AOSP Launchers, including a Nexus 7 with CyanogenMod 4.4.2, a Samsung Galaxy S4 with Android 4.3 and an HTC One with Android 4.4.2. On all of them, com.android.launcher.permission.READ_SETTINGS and WRITE_SETTINGS have the protection level “normal”.

Google acknowledged this vulnerability and has released the patch to its OEM partners. Many Android vendors have been slow to adopt security updates. We urge these vendors to patch vulnerabilities more quickly to protect their users.

References:

  1. http://developer.android.com/guide/topics/manifest/permission-element.html
  2. https://android.googlesource.com/platform/frameworks/base/+/master/core/res/AndroidManifest.xml
  3. https://android.googlesource.com/platform/packages/apps/Launcher2/+/master/AndroidManifest.xml

Annual M-Trends Report Looks Beyond the Breach

Since 2010, Mandiant’s annual threat report, “M-Trends,” has provided the industry with in-depth analysis and insight based on hundreds of advanced threat investigations conducted during the previous calendar year for the U.S. government, the defense industrial base and commercial organizations. As a leader in combating advanced threats, FireEye stresses the continuous education that needs to take place in order to be one step ahead of attackers. That is why it is with great excitement that I present the fifth installment of M-Trends.

2013 was an explosive year for the cybersecurity industry, a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents. In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation’s, and the world’s, attention.

This year’s report compiles incident response trends from hundreds of clients in more than 30 industry sectors. Some highlights include:

  • The time it takes to detect a compromise continues to improve
    The median number of days it takes an organization to discover a network breach dropped to 229 days in 2013 from 243 in 2012. This improvement is incremental relative to the drop from 416 days in 2011. However, organizations can unknowingly be breached for years. The longest time an attacker operated undetected in a network before being discovered was six years and three months in 2013.
  • Organizations have yet to improve their ability to detect breaches
    In 2012, 37 percent of organizations detected breaches on their own. This number dropped only minimally, to just 33 percent in 2013.
  • Phishing emails largely look to capitalize on trust in IT departments
    44 percent of the phishing emails observed in attacks investigated by Mandiant sought to impersonate the IT departments of the target’s workplace. The vast majority of these emails were sent on Tuesday, Wednesday and Thursday.
  • Political conflicts increasingly have cyber components that impact private organizations
    In the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber-attacks that impacted the private sector. Specifically, Mandiant investigated incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of organizations with the primary motive of raising awareness for their political cause.
  • Suspected Iran-based threat actors conduct reconnaissance on energy sector and state governments
    Multiple investigations of suspected Iran-based network reconnaissance activity indicate that threat actors are actively engaging in surveillance activities at energy sector companies and state government agencies. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.


DLL Side-Loading: Another Blind-Spot for Anti-Virus

Last month, I presented a talk at the RSA USA Conference on an increasingly popular threat vector called “Dynamic-Link Library Side-Loading” (DLL Side-Loading). As with many vulnerabilities, this exploit has existed for a rather long time and is the result of Microsoft looking to make binary updates easier for Windows developers through the Windows side-by-side (WinSxS) assembly feature.

Now, though, advanced persistent threat (APT) developers are using the innocuous DLL Side-Loading method to sneak malware past anti-virus (AV) scanners, because the infected files run in memory. In doing so, the malicious payload uses a benign application to get built in memory, meaning that the malware does not sit running in the file system where AV scans take place. In the figure below, you can see an example of how this all plays out:


For a real-life example: in 2013, attackers used this technique against an executable originally developed by a Fortune 50 company in a highly targeted attack. In such an attack, the malware places a spoofed, malicious DLL file in a Windows WinSxS directory so that the operating system loads the spoofed DLL instead of the legitimate file. Furthermore, because the file in question was whitelisted by hash in a public database, AV simply ignores it altogether.

In response to the growing use of DLL Side-Loading in APTs, we have developed a full paper that describes the history of DLL Side-Loading and its role in the malware and software engineering arenas, which you can review here: http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf


Real World vs Lab Testing: The FireEye Response to NSS Labs Breach Detection Systems Report

Today, NSS Labs released a report detailing the performance of several vendors’ ability to detect advanced attacks. We declined to participate in this test because we believe the NSS methodology is severely flawed. In fact, the FireEye product they used was not even fully functional, leveraged an old version of our software and didn’t have access to our threat intelligence (unlike our customers). We did participate in the BDS test in 2013 and at that time we also commented on the flaws of the testing methodology. In fact, we insisted that the only way to properly test was to run in a REAL environment. NSS declined to change their testing methodology, so we declined to participate in the most recent test, the results of which have been published today. When NSS tested our product a year ago, they used a sample set that included 348 total samples. FireEye detected 201 of 348 total samples. Of the 147 “missed” samples:

  • 11 were non-malicious.
  • 19 were corrupted (the fact that some vendors still scored higher on these, close to 100%, indicates that their detection engines are based on hashes, which will match regardless of whether the sample is malicious).
  • 117 were duplicates (we never received a response from NSS as to why FireEye didn’t receive credit for detecting these).

Clearly, nobody could take this approach seriously—it was a major mismatch versus what we see in the wild.

Understanding advanced threats still represents a black hole for many in today’s security industry. The test unfortunately perpetuates a general failure by many to fully understand and appreciate the inner workings of advanced threats that continue to plague organizations despite millions invested in legacy security technologies. In this case, the test contained a number of flaws that security professionals should thoroughly understand before taking these results at face value.

Issue #1: Poor sample selection. Specifically:

  • NSS mostly relied on VirusTotal to download payloads (clear-text executable files). The NSS sample set doesn’t include unknowns, complex malware (encoded/encrypted exploit code and payload), or APTs. Almost by definition, APTs use new or updated code to bypass detection; that is standard procedure. However, NSS used a known corpus of malware. Advanced threats are in, out, and cleaned up in minutes. In the past, the malware samples used in the NSS tests were available on VirusTotal (an aside: the oldest sample on VirusTotal is from 2006 and the median sample age is 17.2 months). By contrast, when tests specifically leverage malware samples that are new and unknown, antivirus detection rates fall dramatically. For example, the Imperva study found that antivirus detected only 5% of malware. The other vendors in the NSS report are built for detecting known malware. By relying on VirusTotal, NSS missed out on AK-47s and spent time analyzing pea shooters.
  • Even for payloads, NSS doesn’t perform forensic analysis to understand whether the sample is malicious, goodware or corrupt (can’t execute). NSS gives a positive score as long as a vendor sees the sample on the wire, even if the sample is not actually malicious.


Issue #2: Differing definitions of advanced malware. Vendors and test agencies differ in how they define advanced malware. The NSS test conflated adware, spyware and APTs, and counted adware and spyware as APTs. For instance, some of the NSS tests expected adware to be classified as malware. In this series of tests, adware that changes the home page of the browser, but does not infect the system in any other way, must be flagged as malware by a product in order to receive a positive score. FireEye solutions wait for truly malicious behavior to avoid false alerts. In the aforementioned case, the page load of the new home page would be analyzed to identify whether the change was truly malicious or not.

Issue #3:  Poor test methodology. Specifically, the NSS test:

  • Doesn’t account for the use of zero-day exploits. There were no zero-day exploits in the test sample. This is difficult to do: testing for zero days requires having a zero day on hand or developing one yourself, which is expensive. Finding new malware that utilizes zero-day exploits is where FireEye thrives. In 2013, we found 11 exploitable zero days as well as countless malware campaigns used in cyber espionage, warfare or crime. This year, we have already uncovered two zero days.
  • Did not have access to our security intelligence in the cloud. Unlike our customers, the FireEye appliances were NOT connected to our Dynamic Threat Intelligence cloud to get the latest content updates, virtual machines and detection capabilities.

We respect NSS and the work they do, especially for IPS, and their testing methodology for BDS is also more suited to testing IPS products. However, we believe the issues we identified with their evaluation of advanced threats are indicative of the security industry’s broader lack of knowledge regarding sophisticated attacks. FireEye is designed to supplement legacy signature- and reputation-based technologies to protect against advanced threats, and the NSS tests didn’t properly gauge our capabilities. Our product’s efficacy is proven by how well we protect customers in real-world deployments. Consider that in 2013, FireEye:

  • Found 11 exploitable zero-day vulnerabilities, with two uncovered so far in 2014. (By comparison, among the top 10 cyber security companies ranked by security-related revenue, only two other zero-day vulnerabilities were reported in 2013.)
  • Tracked more than 40 million callbacks.
  • Tracked more than 300 separate APT campaigns.
  • Deployed more than 2 million virtual machines globally.

Any lab test is fundamentally unable to replicate the targeted, advanced attacks launched by sophisticated criminal networks and nation-states. The best way to evaluate FireEye is for organizations to deploy our technology in their own environment; they will then understand why we are the market leader in stopping advanced attacks. We believe it is erroneous for NSS to compare security efficacy, performance, and cost in the same graphic, because doing so assumes that all three buying criteria are equally important. In our experience, security efficacy is much more important than the others. In fact, most users and vendors are moving toward a malware prevention, detection, and response architecture.

In August 2013, IDC issued a report, Worldwide Specialized Threat Analysis and Protection 2013–2017 Forecast and 2012 Vendor Shares.  This report identified and ranked vendors claiming to stop advanced malware attacks.  FireEye was listed as the top vendor based on market share (38%) compared to the nearest competitor with 14% market share.  The market is voting with dollars based on their real-world experience while under real-world attacks from advanced threats.

APT1: The State of the Hack One Year Later

A little over a year ago, Mandiant released a report that brought the term “Advanced Persistent Threat” (APT) into the public conversation and made these types of targeted attacks top of mind for government and commercial organizations around the world. Recently, FireEye COO Kevin Mandia took the stage at RSA USA 2014 to look back and share his perspective on the activities that led to the release of the APT1 report and its aftermath.

While the initial report caused a media frenzy, unquestionably, the most important part of the story is the aftermath. Mandiant released the report to elevate the dialogue and address the frustration of organizations that were throwing money at cybersecurity problems and still facing attacks. Yet, the results were not what we expected.

Watch the video below for Kevin’s full speech and feel free to drop a comment below to continue the discussion.

Android.MisoSMS: It’s Back! Now With XTEA

FireEye Labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft.

Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.

FireEye Mobile Threat Prevention customers are already protected from both variants.


A Little Bird Told Me: Personal Information Sharing in Angry Birds and its Ad Libraries

Many popular mobile apps, including Rovio’s ubiquitous Angry Birds, collect and share players’ personal information much more widely than most people realize.

Some news reports have begun to scratch the surface of the situation. The New York Times reported on Angry Birds and other data-hungry apps last October. And in January, the newspaper teamed up with public-interest news site ProPublica and U.K. newspaper the Guardian for a series of stories detailing how government agencies use the game (and other mobile apps) to collect personal data. Even the long-running CBS show 60 Minutes reported earlier this month that Rovio shares users’ locations.

The Android version of Angry Birds in the Google Play store, updated on March 4, continues to share personal information. In fact, more than a quarter billion users who create Rovio accounts to save their game progress across multiple devices might be unwittingly sharing all kinds of information (age, gender, and more) with multiple parties. And many more users who play the game without a Rovio account are sharing their device information without realizing it.

Once a Rovio account is created and personal information uploaded, the user can do little to stop this personal information sharing. Their data might be in multiple locations: Angry Birds Cloud, Burstly (an ad mediation platform), and third-party ad networks such as Jumptap and Millennial Media. Users can avoid sharing personal data by playing Angry Birds without a Rovio account, but that won’t stop the game from sharing device information.

In this blog post, we examine the personal information Angry Birds collects. We also demonstrate the relationships between the app, the ad mediation platform, and the ad clouds — showing how the information flows among the three. We also spell out the evidence, such as network packet capture (PCap) from FireEye Mobile Threat Prevention (MTP), to support our information flow chart. Finally, we reveal how the multi-stage information sharing works by tracking the code paths from the reverse-engineered source code.


Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370

While many advanced persistent threat (APT) groups have increasingly embraced strategic Web compromise as a malware delivery vector, groups also continue to rely on spear-phishing emails that leverage popular news stories. The recent tragic disappearance of flight MH 370 is no exception. This post will examine multiple instances from different threat groups, all using spear-phishing messages and leveraging the disappearance of Flight 370 as a lure to convince the target to open a malicious attachment.

“Admin@338” Targets an APAC Government and U.S. Think Tank

The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.

The attachment dropped a Poison Ivy variant into the path C:\DOCUME~1\admin\LOCALS~1\Temp\kav.exe (MD5: 9dbe491b7d614251e75fb19e8b1b0d0d), which, in turn, beaconed outbound to www.verizon.proxydns[.]com. This Poison Ivy variant was configured with the connection password “wwwst@Admin.” The APT group we refer to as Admin@338 has previously used Poison Ivy implants with this same password. We document the Admin@338 group’s activities in our Poison Ivy: Assessing Damage and Extracting Intelligence paper. Further, the domain www.verizon.proxydns[.]com previously resolved to the following IP addresses that have also been used by the Admin@338 group:

IP Address       First Seen   Last Seen
103.31.241.110   2013-08-27   2013-08-28
174.139.242.19   2013-08-28   2013-08-31
58.64.153.157    2013-09-03   2014-03-07
59.188.0.197     2014-03-07   2014-03-19


Threat Research


Filter by Category:


Crimeware or APT? Malware’s “Fifty Shades of Grey”

Some cybercriminals build massive botnets to use unsuspecting endpoints for spam, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.

Remote access tools, or RATs, are an integral part of the cybercrime toolbox. For example, a recent FireEye investigation into XtremeRAT revealed that it had been propagated by spam campaigns that typically distribute Zeus variants and other banking-focused malware. This tactic may stem in part from the realization that compromising retailers can net millions of credit card numbers in one fell swoop.

Malware designed to compromise point-of-sale (POS) systems is not a new phenomenon. But we have seen a recent surge in malware that specifically targets these systems (e.g. Chewbacca, Dexter, BlackPOS and JackPOS). Moreover, POS malware is being deployed in an increasingly targeted manner. For example, some attacks against retailers have been characterized as “APT style” attacks —  a designation traditionally reserved for malware-based espionage sponsored on some level by nation-states.

The extent to which such attacks are targeted, and not opportunistic, is unclear. The attackers could be singling out specific retailers in advance. Or they could be targeting an entire industry, simply capitalizing on opportunities that arise.

In this blog post, we examine one case that clearly illustrates the nature of this problem.

Continue reading »

DLL Side-Loading: Another Blind-Spot for Anti-Virus

Last month, I presented a talk at the RSA USA Conference on an increasingly popular threat vector called “Dynamic-Link Library Side-Loading” (DLL Side-Loading). As with many vulnerabilities, this exploit has existed for a rather long time and is the result of Microsoft looking to make binary updates easier for Windows developers through the Windows side-by-side (WinSxS) assembly feature.

Now, though, advanced persistent threat (APT) developers are using the innocuous DLL Side-Loading method to sneak malware past anti-virus (AV) scanners as the infected files run in-memory. In doing-so, the malicious payload is using a benign application to be built in memory, meaning that the malware does not sit running in the file system where AV scans take place. In the figure below, you can see an example of how this all plays out:

DLLpic

For a real-life example: in 2013, attackers exploited the executable originally developed by Fortune 50 company using this technique in a highly targeted attack. In such an attacks, the malware places a spoofed, malicious DLL file in a Windows’ WinSxS directory so that the operating system loaded the spoofed DLL instead of the legitimate file. Furthermore, because the file in-question was white-listed by hash in a public database, AV simply ignores it altogether.

In response to the growing use of DLL Side-Loading in APTs, we have developed a full paper that describes the history of DLL Side-Loading and its role in the malware and software engineering arenas which you can review here: http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf

 

 

Android.MisoSMS : Its Back! Now With XTEA

FireEye Labs recently found a more advanced variant of Android.MisoSMS, the SMS-stealing malware that we uncovered last December — yet another sign of cybercriminals’ growing interest in hijacking mobile devices for surveillance and data theft.

Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.

FireEye Mobile Threat Prevention customers are already protected from both variants.

Continue reading »

A Little Bird Told Me: Personal Information Sharing in Angry Birds and its Ad Libraries

Many popular mobile apps, including Rovio’s ubiquitous Angry Birds, collect and share players’ personal information much more widely than most people realize.

Some news reports have begun to scratch the surface of the situation. The New York Times reported on Angry Birds and other data-hungry apps last October. And in January, the newspaper teamed up with public-interest news site ProPublica and U.K. newspaper the Guardian for a series of stories detailing how government agencies use the game (and other mobile apps) to collect personal data. Even the long-running CBS show 60 Minutes reported earlier this month that Rovio shares users’ locations.

The Android version of Angry Birds in the Google Play store, updated on March 4, continues to share personal information. In fact, more than a quarter billion users who create Rovio accounts to save their game progress across multiple devices might be unwittingly sharing all kinds of information—age, gender, and more — with multiple parties. And many more users who play the game without a Rovio account are sharing their device information without realizing it.

Once a Rovio account is created and personal information uploaded, the user can do little to stop this personal information sharing. Their data might be in multiple locations: Angry Birds Cloud, Burstly (ad mediation platform), and third-party ad networks such as Jumptap and Millennial Media. Users can avoid sharing personal data by playing Angry Birds without Rovio account, but that won’t stop the game from sharing device information.

In this blog post, we examine the personal information Angry Birds collects. We also demonstrate the relationships between the app, the ad mediation platform, and the ad clouds — showing how the information flows among the three. We also spell out the evidence, such as network packet capture (PCap) from FireEye Mobile Threat Prevention (MTP), to support our information flow chart. Finally, we reveal how the multi-stage information sharing works by tracking the code paths from the reverse-engineered source code.

Continue reading »

Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370

While many advanced persistent threat (APT) groups have increasingly embraced strategic Web compromise as a malware delivery vector, groups also continue to rely on spear-phishing emails that leverage popular news stories. The recent tragic disappearance of flight MH 370 is no exception. This post will examine multiple instances from different threat groups, all using spear-phishing messages and leveraging the disappearance of Flight 370 as a lure to convince the target to open a malicious attachment.

“Admin@338” Targets an APAC Government and U.S. Think Tank

The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.

The attachment dropped a Poison Ivy variant into the path C:\DOCUME~1\admin\LOCALS~1\Temp\kav.exe (MD5: 9dbe491b7d614251e75fb19e8b1b0d0d), which, in turn, beaconed outbound to www.verizon.proxydns[.]com. This Poison Ivy variant was configured with the connection password “wwwst@Admin.” The APT group we refer to as Admin@338 has previously used Poison Ivy implants with this same password. We document the Admin@338 group’s activities in our Poison Ivy: Assessing Damage and Extracting Intelligence paper. Further, the domain www.verizon.proxydns[.]com previously resolved to the following IP addresses that have also been used by the Admin@338 group:

IP Address       First Seen   Last Seen
103.31.241.110   2013-08-27   2013-08-28
174.139.242.19   2013-08-28   2013-08-31
58.64.153.157    2013-09-03   2014-03-07
59.188.0.197     2014-03-07   2014-03-19
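As an added example (not code from the original post), a small Python matcher that runs the indicators quoted above over constructed DNS, connection and file-hash log lines, counting an IP as a hit only inside its first/last-seen window since shared hosting makes a stale IP weak evidence on its own. The "<date> <kind> <value>" log format is an assumption, not a FireEye format.

```python
import re
from datetime import date

# Indicators as quoted in the post above; the domain is kept defanged as written.
C2_DOMAIN = "www.verizon.proxydns[.]com"
C2_RESOLUTIONS = {  # ip -> (first seen, last seen), from the post's table
    "103.31.241.110": (date(2013, 8, 27), date(2013, 8, 28)),
    "174.139.242.19": (date(2013, 8, 28), date(2013, 8, 31)),
    "58.64.153.157": (date(2013, 9, 3), date(2014, 3, 7)),
    "59.188.0.197": (date(2014, 3, 7), date(2014, 3, 19)),
}
# MD5s of the attachment and the dropped Poison Ivy binary, from the post.
DROPPER_MD5S = {"9c43a26fe4538a373b7f5921055ddeae", "9dbe491b7d614251e75fb19e8b1b0d0d"}

def refang(indicator):
    """Turn a defanged indicator ('a[.]b') back into the form seen in logs."""
    return indicator.replace("[.]", ".")

def ip_in_window(ip, when):
    """True only if `ip` resolved for the C2 domain on date `when`: shared
    hosting means an IP outside its window is weak evidence on its own."""
    window = C2_RESOLUTIONS.get(ip)
    return window is not None and window[0] <= when <= window[1]

# Constructed log format (hypothetical, not a FireEye format): "<date> <kind> <value>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (dns|conn|md5) (\S+)$")

def scan_logs(lines):
    """Return (date, kind, value) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        day, kind, value = m.groups()
        when, value = date.fromisoformat(day), value.lower()
        if (kind == "dns" and value == refang(C2_DOMAIN)
                or kind == "conn" and ip_in_window(value, when)
                or kind == "md5" and value in DROPPER_MD5S):
            hits.append((day, kind, value))
    return hits

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2014-03-10 dns www.verizon.proxydns.com",          # beacon lookup on phish day
    "2014-03-10 conn 59.188.0.197",                     # IP inside its window: hit
    "2014-03-10 conn 58.64.153.157",                    # stale IP, window ended 03-07
    "2014-03-10 md5 9dbe491b7d614251e75fb19e8b1b0d0d",  # hash of dropped kav.exe
    "2014-03-10 dns www.example.com",                   # benign lookup
]
```

Running scan_logs(SAMPLE_LOGS) flags the domain lookup, the in-window IP and the hash, and ignores the connection to the IP whose resolution window had already closed.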


Security Perspective

Annual M-Trends Report Looks Beyond the Breach

Since 2010, Mandiant’s annual threat report, “M-Trends,” has provided the industry with in-depth analysis and insight based on hundreds of advanced threat investigations conducted during the previous calendar year for the U.S. government, the defense industrial base and commercial organizations. As a leader in combating advanced threats, FireEye stresses the continuous education that needs to take place in order to stay one step ahead of attackers. That is why it is with great excitement that I present the fifth installment of M-Trends.

2013 was an explosive year for the cybersecurity industry, a result of Mandiant’s APT1 report, The New York Times breach, and other organizations coming to the forefront to openly discuss their own incidents. In addition, President Obama discussed concerns about cyber-attacks in his annual State of the Union address. This was a huge step for the industry in terms of bringing advanced attacks to the forefront of the nation’s, and the world’s, attention.

This year’s report compiles incident response trends from hundreds of clients in more than 30 industry sectors. Some highlights include:

  • The time it takes to detect a compromise continues to improve
    The median number of days it takes an organization to discover a network breach dropped to 229 days in 2013 from 243 in 2012. This improvement is incremental relative to the drop from 416 days in 2011. However, organizations can unknowingly be breached for years. The longest time an attacker operated undetected in a network before being discovered was six years and three months in 2013.
  • Organizations have yet to improve their ability to detect breaches
    In 2012, 37 percent of organizations detected breaches on their own. This number dropped only minimally, to just 33 percent in 2013.
  • Phishing emails largely look to capitalize on trust in IT departments
    44 percent of the phishing emails observed in attacks investigated by Mandiant sought to impersonate the IT departments of the target’s workplace. The vast majority of these emails were sent on Tuesday, Wednesday and Thursday.
  • Political conflicts increasingly have cyber components that impact private organizations
    In the past year, Mandiant responded to an increased number of incidents where political conflicts between nations spawned cyber-attacks that impacted the private sector. Specifically, Mandiant investigated incidents where the Syrian Electronic Army (SEA) compromised external-facing websites and social media accounts of organizations with the primary motive of raising awareness for their political cause.
  • Suspected Iran-based threat actors conduct reconnaissance on energy sector and state governments
    Multiple investigations of suspected Iran-based network reconnaissance activity indicate that threat actors are actively engaging in surveillance activities at energy sector companies and state government agencies. While these suspected Iran-based actors appear less capable than other nation-state actors, nothing stands in the way of them testing and improving their capabilities.

Real World vs Lab Testing: The FireEye Response to NSS Labs Breach Detection Systems Report

Today, NSS Labs released a report detailing the performance of several vendors’ ability to detect advanced attacks.  We declined to participate in this test because we believe the NSS methodology is severely flawed. In fact, the FireEye product they used was not even fully functional, leveraged an old version of our software and didn’t have access to our threat intelligence (unlike our customers).  We did participate in the BDS test in 2013 and at that time we also commented on the flaws of the testing methodology.  In fact, we insisted that the only way to properly test was to run in a REAL environment.  NSS declined to change their testing methodology so we declined to participate in the most recent test, results of which have been published today. When NSS tested our product a year ago, they used a sample set that included 348 total samples.  FireEye detected 201 of 348 total samples.  Of the 147 “missed” samples:

  • 11 were non-malicious.
  • 19 were corrupted (the fact that other vendors detected these, with some scoring close to 100%, means that their detection engines are based on hashes, which will match regardless of whether the sample is malicious).
  • 117 were duplicates (as to why FireEye didn’t receive credit for detecting these, we never received a response from NSS).

Clearly, nobody could take this approach seriously—it was a major mismatch versus what we see in the wild.

Understanding advanced threats still represents a black hole for many in today’s security industry. The test unfortunately perpetuates a general failure by many to fully understand and appreciate the inner workings of advanced threats that continue to plague organizations despite millions invested in legacy security technologies. In this case, the test contained a number of flaws that security professionals should thoroughly understand before taking these results at face value. 

Issue #1: Poor sample selection. Specifically:

  • NSS mostly relied on VirusTotal to download payloads (clear text executable files).  The NSS sample set doesn’t include Unknowns, Complex Malware (Encoded/Encrypted Exploit Code & Payload), and APTs.   Almost by definition, APTs use new or updated code to bypass detection, which is standard procedure.  However, NSS used a known corpus of malware.  Advanced threats are in, out, and cleaned-up in minutes.  In the past, the malware samples used in the NSS tests were available on VirusTotal (an aside: the oldest sample on VirusTotal is from 2006 and the median sample age is 17.2 months).  By contrast, when tests specifically leverage malware samples that are new and unknown, antivirus detection rates fall dramatically.  For example, the Imperva study found that antivirus detected only 5% of malware.  The other vendors in the NSS report are built for detecting known malware.  By relying on VirusTotal, NSS missed out on AK-47s and spent time analyzing pea shooters.
  • Even for payloads, NSS doesn’t perform forensic analysis to understand whether the sample is malicious, goodware or corrupt (can’t execute). NSS gives a positive score as long as a vendor sees the sample on the wire, even if the sample is not actually malicious.

Issue #2:  Differing definitions of advanced malware: Vendors and test agencies differ in how they define advanced malware. The NSS test confused Adware, Spyware, & APTs and accounted for Adware and Spyware as APTs.  For instance, some of the NSS tests expected Adware to be classified as malware.  In this series of tests, Adware that changes the home page of the browser, but does not infect the system in any other way, must be flagged as malware by a product in order to receive a positive score. FireEye solutions wait for true malicious behavior to avoid false alerts.  In the aforementioned case, the page load of the new home page would be analyzed to identify if the change was truly malicious or not.

Issue #3:  Poor test methodology. Specifically, the NSS test:

  • Doesn’t account for the use of zero day exploits.  There were no zero day exploits in the test sample. This is difficult to do.  Testing for zero days requires having a zero day on hand or developing one yourself, which is expensive.  Finding new malware that utilizes zero day exploits is where FireEye thrives.  In 2013, we found 11 exploitable zero days as well as countless malware campaigns used in cyber espionage, warfare or crime.  This year, we have already uncovered two zero days.
  • Did not have access to our security intelligence in the cloud.  Unlike our customers, the FireEye appliances were NOT connected to our Dynamic Threat Intelligence cloud to get latest content updates, virtual machines and detection capabilities.

We respect NSS and the work they do, especially for IPS, and their testing methodology for BDS is also more suited to testing IPS products. However, we believe the issues we identified with their evaluation of advanced threats are indicative of the security industry’s broader lack of knowledge regarding sophisticated attacks. FireEye is designed to supplement legacy signature and reputation based technologies to protect against advanced threats, and the NSS tests didn’t properly gauge our capabilities. Our product’s efficacy is proven by how well we protect customers in real-world deployments. Consider that in 2013, FireEye:

  • Found 11 exploitable zero day vulnerabilities, with two uncovered so far in 2014. (By comparison, among the top 10 cyber security companies ranked by security-related revenue, only 2 other zero-day vulnerabilities were reported in 2013.)
  • Tracked more than 40 million callbacks.
  • Tracked more than 300 separate APT campaigns.
  • Deployed more than 2 million virtual machines globally.

Any lab test is fundamentally unable to replicate the targeted, advanced attacks launched by sophisticated criminal networks and nation-states. The best way to evaluate FireEye is for organizations to deploy our technology in their own environment; they will then understand why we are the market leader in stopping advanced attacks. We believe it is erroneous for NSS to compare security efficacy, performance, and cost in the same graphic, because doing so assumes that all three buying criteria are equally important. In our experience, security efficacy is much more important than the others. In fact, most users and vendors are moving toward a malware prevention, detection, and response architecture.

In August 2013, IDC issued a report, Worldwide Specialized Threat Analysis and Protection 2013–2017 Forecast and 2012 Vendor Shares.  This report identified and ranked vendors claiming to stop advanced malware attacks.  FireEye was listed as the top vendor based on market share (38%) compared to the nearest competitor with 14% market share.  The market is voting with dollars based on their real-world experience while under real-world attacks from advanced threats.

APT1: The State of the Hack One Year Later

A little over a year ago, Mandiant released a report that brought the term “Advanced Persistent Threat” (APT) into the public conversation and made these types of targeted attacks top of mind for government and commercial organizations around the world. Recently, FireEye COO Kevin Mandia took the stage at RSA USA 2014 to look back and share his perspective on the activities that led to the release of the APT1 report and its aftermath.

While the initial report caused a media frenzy, unquestionably, the most important part of the story is the aftermath. Mandiant released the report to elevate the dialogue and address the frustration of organizations that were throwing money at cybersecurity problems and still facing attacks. Yet, the results were not what we expected.

Watch the video below for Kevin’s full speech and feel free to drop a comment below to continue the discussion.

Clarifying the Origins of FireEye

Today, Bloomberg Businessweek reported on the methods hackers used to steal millions of credit card numbers from Target. In the report, FireEye was mentioned as having discovered the attack prior to the broad discovery by Target, as well as providing services to the CIA. It is FireEye policy not to publicly identify our customers and, as such, we cannot validate or comment on the report’s claims that Target, the CIA, or any other companies are customers of FireEye.

Additionally, certain follow-on media coverage has reported that the CIA was involved with the founding of FireEye. These claims are not true. To clear up any misconceptions in the market, we wanted to provide more information about how FireEye was founded.