Showing results for tags 'attack'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

  1. Reflected File Download (RFD) is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. Read more: http://dl.packetstormsecurity.net/papers/presentations/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
  2. A Chinese APT group was able to chain together two zero day vulnerabilities, one against Adobe's Flash Player and one against Microsoft's Internet Explorer 9, to compromise a popular news site late last year. The group's aim was to gain access to computers at several U.S. defense and financial firms by setting up a watering hole attack on the site that would go on to drop a malicious .DLL. Researchers with Invincea and iSIGHT Partners worked in tandem to dig up information about the group, which was able to compromise a part of Forbes.com's website that appears to users before they're ported over to articles they've clicked on. That portion of the site, Forbes.com's Thought of the Day, is powered by a Flash widget. According to researchers with Invincea the group was able to use a zero day vulnerability to hijack that widget for a short period, from Nov. 28 to Dec. 1. Over the course of those four days, the group targeted visitors to the site who worked at a handful of unnamed U.S. defense and financial firms. Researchers with iSIGHT discovered that in addition to the Flash flaw, the attackers also exploited an Internet Explorer vulnerability, a zero day that helped attackers bypass Address Space Layout Randomization (ASLR) in IE 9. While the Adobe bug, a buffer overflow (CVE-2014-9163), was patched back on Dec. 9, the ASLR mitigation bypass (CVE-2015-0071) was one of many patched yesterday in Microsoft's monthly Patch Tuesday round of patches, an update that was especially heavy on Internet Explorer fixes. In a technical writeup of the attack yesterday, Invincea explained how Forbes' site was able to redirect to an IP address, load the Flash exploit, and drop a DLL, hrn.dll, to be loaded into the machine's memory.
"Once in memory, the exploit gains administrative privileges and opens a command prompt," Invincea's executive summary reads. "Next the victim system was scanned to report on its current patch levels, network mapping, and complete IP configuration, including any VPN connections." Both firms agreed to set their disclosures for yesterday to coincide with Microsoft's patching of the Internet Explorer bug. While Chinese APT groups have been in the news lately – some reports have already pinned last week's Anthem breach on shadowy hackers from the PRC – several firms are already familiar with the APT group behind this campaign. FireEye first published research on the group back in 2013, referring to the collective as the Sunshop Group. Researchers there caught the group carrying out a campaign that hit a series of victims – a science and technology journal, a website for evangelical students, etc. – by exploiting an IE zero day and several Java bugs in May of that year. Throughout its research, dating back to 2010, iSIGHT has taken to calling the group Codoso Team. This attack, like others it's linked back to them, used similar malware (Derusbi) and called on a command and control (C&C) domain it's been seen using in the past as well. Regardless of what it goes by, the group has been seen targeting U.S. government entities, the military/defense sector, and financial services groups for at least five years running. FireEye found the same group was also responsible for hacking the Nobel Peace Prize Committee website in 2010. That attack also used a watering hole and made use of a browser (Firefox) zero day. While neither iSIGHT nor Invincea could give concrete numbers regarding the number of victims Codoso was able to compromise with this campaign, both were firm in their stance that the attacks were highly targeted in nature and only visitors who worked at the defense and financial firms were infected. Source
  3. Talk about determination. Hackers strung together zero-day vulnerabilities in Flash and Internet Explorer and then compromised Forbes.com so that the attacks would compromise financial services and defense contractor employees visiting the site, researchers said. The November breach of Forbes compromised the Thought of the Day page that is displayed briefly upon visiting the site. The page downloaded attack code exploiting a vulnerability in what then was a fully updated version of Adobe Flash. To bypass Address Space Layout Randomization—a mechanism built into Flash and many other applications to make drive-by attacks harder—the Forbes page downloaded a second attack. The latter attack exploited a then-zero-day vulnerability in IE that allowed the Flash exploit to successfully pierce the exploit mitigation defense. From start to finish, the attack took about seven seconds. "In the world of cyber threats, the chained 0-day exploit is a unicorn—the best known attack with chained 0-days was the Stuxnet attack allegedly perpetrated by US and Israeli intelligence agencies against Iran's nuclear enrichment plant at Natanz as part of an operation known as Olympic Games," a blog post detailing the attack explained. "Given the highly trafficked Forbes.com website, the exploit could have been used to infect massive numbers of visitors." Instead, only visitors from US Defense and financial services firms were hacked. Adobe patched the Flash vulnerability, designated as CVE-2014-9163, in early November. Microsoft fixed CVE-2015-0071 on Tuesday. The Forbes.com compromise is believed to have started in late November and lasted for a few days. The incident, which was uncovered by researchers from security firms Invincea and iSIGHT Partners, underscores the ingenuity and determination of today's hackers. 
Any one of the key ingredients of the hack—the Flash bug, the IE flaw, or the compromise of Forbes.com—wasn't enough to penetrate the defenses of defense contractors or financial services firms. But by stringing them together, the attackers were able to achieve their goals. It also helps explain why even minor software flaws that don't by themselves allow for remote code execution—for instance an escalation of privilege bug or a disclosure flaw—nonetheless pose a significant threat to end users. Source
  4. A wave of man-in-the-middle (MITM) attacks launched by Chinese hackers, capable of stealing emails, contacts and passwords, is targeting Microsoft Outlook users in the country. Greatfire.org, a group that reports on and works to combat Chinese government online censorship and surveillance, reported uncovering the campaign this week. "On January 17, we received reports that Microsoft's email system, Outlook (which was merged with Hotmail in 2013), was subjected to a MITM attack in China," read the Greatfire threat advisory. "This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers." The attack reportedly uses a bogus certificate to push a malicious alert to Outlook users that siphons information from the victim's account if it is opened. "Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a 'continue' button and ignore the warning message," explained the advisory. "If users do click on the 'continue' button, all of their emails, contacts and passwords will be logged by the attackers." The number of affected Outlook users remains unknown, although a Microsoft spokesperson confirmed to V3 that the firm is aware of the attacks. "We are aware of a small number of customers impacted by malicious routing to a server impersonating Outlook.com. If a customer sees a certificate warning, they should contact their service provider for assistance," they said. Greatfire believes that the Chinese government is responsible for the attacks, citing similarities to previous attacks it believed were state sponsored. "Because of the similarity between this attack and previous, recent MITM attacks in China on Google, Yahoo and Apple, we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack," it said.
"If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor." The attack on Apple's iCloud occurred at the end of 2014 and was serious enough for CEO Tim Cook to fly to China. F-Secure security advisor Sean Sullivan told V3 that the Outlook attacks follow a similar pattern to the iCloud campaign and warned business users visiting China to be extra cautious. "This case appears similar to the move against iCloud back in October. Any business person travelling or working in China should use a VPN (or other measures) to access their email - or else pay very careful attention to warning messages," he said. "If you're doing business in China, be very mindful of the situation. I'd even recommend using separate hardware for the trip." Jason Steere, director of technology strategy at FireEye, mirrored Sullivan's sentiment, pointing out that, even if focused on monitoring Chinese citizens alone, the attacks could cause trouble for Western professionals visiting the country. "I suspect this attack is more about gathering intel on Chinese citizens - using international mail systems to communicate information that they could not do with a Chinese web platform due to censorship," he told V3. "However, many other people are collateral damage with information exposed that I'm sure they would prefer not to be picked up. "Anything sent or received, such as usernames, passwords, holidays, journalist sources, new stories, personal information etc, would all have been exposed during the time of the attack. "All of that information can be collected and used for intel, surveillance etc." The attack on Outlook comes less than a month after Chinese authorities began blocking local access to Google services including Gmail. 
Prior to the Google blockade the Beijing government mounted a mass censorship campaign that cut off access to thousands of websites, applications and cloud services in November 2014. Source
  5. A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrates how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence. The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Spiegel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea's networks—which initially leveraged South Korean "implants" on North Korean systems, but eventually consisted of the NSA's own malware—played a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors. Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out "Tailored Access Operations" on a variety of targets, while also building the capability to do permanent damage to adversaries' information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed by the NSA and possibly other members of the "Five Eyes" intelligence community, which was also included in the dump. The code appears to be from the Five Eyes joint program "Warriorpride," a set of tools shared by the NSA, the United Kingdom's GCHQ, the Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Government Communications Security Bureau. It's not clear from the report whether the keylogger sample came from the cache of documents provided by former NSA contractor Edward Snowden or from another source. 
As of now, Appelbaum and Der Spiegel have not yet responded to a request by Ars for clarification. However, Appelbaum has previously published content from the NSA, including the NSA's ANT catalog of espionage tools, that were apparently not from the Snowden cache.
Pwning the pwners
The core of the NSA's ability to detect, deceive, block, and even repurpose others' cyber-attacks, according to the documents, are Turbine and Turmoil, components of the Turbulence family of Internet surveillance and exploitation systems. These systems are also connected to Tutelage, an NSA system used to monitor traffic to and from US military networks, to defend against attacks on Department of Defense systems. When an attack on a DoD network is detected through passive surveillance (either through live alerts from the Turmoil surveillance filters or processing by the Xkeyscore database), the NSA can identify the components involved in the attack and take action to block it, redirect it to a false target to analyze the malware used in the attack, or do other things to disrupt or deceive the attacker. This all happens outside of DOD's networks, on the public Internet, using "Quantum" attacks injected into network traffic at a routing point. But the NSA can also use others' cyberattacks for its own purposes, including hijacking botnets operated by other actors to spread the NSA's own "implant" malware. Collection of intelligence of a target using another actor's hack of that target is referred to within the signals intelligence community as "fourth party collection." By discovering an active exploit by another intelligence organization or other attacker on a target of interest, the NSA can opportunistically ramp up collection on that party as well, or even use it to distribute its own malware to do surveillance.
In a case study covered in one NSA presentation, the NSA's Tailored Access Office hijacked a botnet known by the codename "Boxingrumble" that had primarily targeted the computers of Chinese and Vietnamese dissidents and was being used to target the DOD's unclassified NIPRNET network. The NSA was able to deflect the attack and fool the botnet into treating one of TAO's servers as a trusted command and control (C&C or C2) server. TAO then used that position of trust, gained by executing a DNS spoofing attack injected into the botnet's traffic, to gather intelligence from the bots and distribute the NSA's own implant malware to the targets.
Using QuantumDNS, a DNS injection attack against botnet traffic, the NSA was able to make infected PCs believe its server was part of the command and control network.
The NSA then used its position within the botnet to drop the NSA's own "insert" onto affected computers in the botnet.
Spying on spies spying on spies spying...
Things get even more interesting in the case of the NSA's urgent need to gather more intelligence from North Korea's networks. In a question-and-answer posting to the NSA's intranet, an NSA employee recounted a "fifth party" collection that occurred when the NSA hacked into South Korea's exploit of North Korean computers—and ended up collecting data from North Korea's hack of someone else: That meant that at one point, the NSA was collecting information via a South Korean implant that had in turn been collected by a North Korean implant. It's not clear whether the NSA's TAO used the existing South Korean malware as an avenue to drop its own, as happened with the "Boxingrumble" botnet. The poster also noted another occasion when, during an attempt to hack into another target they were trying to exploit, the NSA discovered, "there was another actor that was also going against them and having great success because of a zero day they wrote."
The NSA captured the zero day exploit in its passive collection and "were able to repurpose it," the NSA employee recounted. "Big win." Source
  6. The Social-Engineer Toolkit is an open-source penetration testing framework designed for Social-Engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time. SET is a product of TrustedSec, LLC - An Information Security consulting firm located in Cleveland, Ohio. Download: https://github.com/trustedsec/social-engineer-toolkit
  7. Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Download: https://github.com/carmaa/inception
  8. Two power plants in the US were affected by malware attacks in 2012, a security authority has said. US authorities did not specify which plants had been hit - and to what extent. In its latest quarterly newsletter, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said "common and sophisticated" attacks had taken place. Malware had infected each plant's system after being inadvertently brought in on a USB stick, it said. The ICS-CERT said it expected a rise in the number of similar attacks. Malware can typically be used by cyber-attackers to gain remote access to systems, or to steal data. In the newsletter, authorities said: "The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive's operation. "The employee routinely used this USB drive for backing up control systems configurations within the control environment." And at a separate facility, more malware was found. "A third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades," the report said. "Unknown to the technician, the USB-drive was infected with crimeware. "The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks."
Physical effects
The authority did not go into explicit details regarding the malware itself, but did stress that the use of removable media had to be reviewed and tightened. "Such practices will mitigate many issues that could lead to extended system downtime," it said. "Defence-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber-events." In recent years, power plants have been the target of increasingly destructive malware and viruses - a bridge between damage in a digital sense, such as data loss or theft, and actual physical infrastructure.
In 2010, the Stuxnet virus was said to have damaged critical parts of Iran's nuclear infrastructure. Security firm Symantec research said it believed Stuxnet had been designed to hit motors controlling centrifuges and thus disrupt the creation of uranium fuel pellets. A UN weapons inspector later said he believed the attack had set back Iran's nuclear programme. No country has claimed responsibility for the attack, but a New York Times report last year, written by the author of a book on the attacks, pointed the finger at the US. Journalist David E Sanger wrote that the US had acted with the co-operation of Israel. Via BBC News - US plants hit by USB stick malware attack