Search the Community

The Angler Exploit Kit continues to evolve at an alarming rate, seamlessly adding not only zero-day exploits as they become available, but also a host of evasion techniques that have elevated it to the ranks of the more formidable hacker toolkits available. Researchers at Cisco’s Talos intelligence team today reported on a technique used in a recent Angler campaign in which attackers are using stolen domain registrant credentials to create massive lists of subdomains that are used in rapid-fire fashion to either redirect victims to attack sites, or serve as hosts for malicious payloads. The technique has been called domain shadowing, and it is considered the next evolution of fast flux; so far it has enabled attackers to have thousands of subdomains at their disposal. In this case, the attackers are taking advantage of the fact that domain owners rarely monitor their domain registration credentials, which are being stolen in phishing attacks.They’re then able to create a seemingly endless supply of subdomains to be used in additional compromises. “It’s one thing that people just don’t do,” said Craig Williams, security outreach manager for Cisco Talos. “No one logs back into their registrant account unless they are going to change something, or renew it.” Researchers Nick Biasani and Joel Esler wrote that Cisco has found hundreds of compromised accounts—most of them GoDaddy accounts—and control up to 10,000 unique domains. “This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses,” Biasini and Esler said. “Additionally, these subdomains are being rotated quickly minimizing the time the exploits are active, further hindering analysis. This is all done with the users already registered domains. No additional domain registration was found.” Cisco said the campaign began in earnest in December, though some early samples date back to September 2011; more than 75 percent of subdomain activity, however, has occurred since December. There are multiple tiers to the attack, with different subdomains being created for different stages. The attacks start with a malicious ad redirecting users to the first tier of subdomains which send the user to a page serving an Adobe Flash or Microsoft Silverlight exploit. The final page is rotated heavily and sometimes, those pages are live only for a few minutes, Cisco said. “The same IP is utilized across multiple subdomains for a single domain and multiple domains from a single domain account,” Biasini and Esler wrote. “There are also multiple accounts with subdomains pointed to the same IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more than 75 unique IPs have been seen utilizing malicious subdomains.” Domain shadowing may soon supercede fast flux, a technique that allow hackers to stay one step ahead of detection and blocking technology. Unlike fast flux, which is the rapid rotation of a large list of IP addresses to which a single domain or DNS entry points, domain shadowing rotates in new subdomains and points those at a single domain or small group of IP addresses. “When you think about it, this is likely the next evolution of fast flux. It allows attackers an easy way to come up with domains they can use in a short amount of time and move on,” Williams said. “It doesn’t cost them anything and it’s tough to detect because it’s difficult to use blocklisting technology to defend against it. It’s not something we’ve observed before.” The attackers have zeroed in almost exclusively on GoDaddy accounts since the registrar is by far the biggest on the Internet; for now, that is the only commonality to the attacks carried out in this Angler campaign, Cisco said. “The accounts are largely random so there is no way to track which domains will be used next. Additionally, the subdomains are very high volume, short lived, and random, with no discernible patterns,” Biasini and Esler wrote. “This makes blocking increasingly difficult. Finally, it has also hindered research. It has become progressively more difficult to get active samples from an exploit kit landing page that is active for less than an hour. This helps increase the attack window for threat actors since researchers have to increase the level of effort to gather and analyze the samples.” Williams, meanwhile, warns that as security technologies catch up to domain shadowing, there is a risk that mitigations could impact legitimate traffic. “If the block list is made incorrectly, it could block both bad and legitimate traffic and harm an innocent victim,” Williams said. “If you know an attacker has credentials, you could make the case to block everything associated with a domain. That could also block the legitimate domain.” Source

Attackers behind the Angler Exploit Kit have added a tweaked version of an exploit for a patched Internet Explorer use-after-free vulnerability. Microsoft patched the vulnerability (MS14-056) in last October’s round of Patch Tuesday updates but that hasn’t stopped attackers from adding the vulnerability to the exploit toolkit. Similar to exploits disclosed in October, the sample Angler is using has been modified to bypass IE’s mitigation technology MEMPROTECT. According to Dan Caselden, a ?staff research scientist at FireEye who blogged on Friday about the vulnerability being included in Angler , this one is a use after free with MSHTML!CTitleElement that MEMPROTECT was not originally supposed to mitigate. Caselden claims the attack angle is interesting on its own because it focuses on IE deployments that use MEMPROTECT – introduced in July 2014 – but added that the vulnerability also cements the idea that attackers remain interested in compromising IE, especially against users running nearly five-month-old versions of it. Still, the use after free is not a generic exploit – some of its techniques weren’t necessary, Caselden adds – and going forward attackers will still have to find their way around the MEMPROTECT technology. “Some of the employed techniques (particularly the modified garbage collection routine) were not necessary,” Caselden wrote, “So in the future, exploit authors will need to find a reliable way around the delayed free, or bugs with another object that falls outside of the CMemoryProtector’s domain.” Chinese researchers with Keen team (a/k/a k33nteam) first talked about how (.PDF) to exploit a use after free vulnerability against MEMPROTECT at the Taiwanese security conference Hitcon X over the summer and went describe how it bypasses memory protection and isolated heap in Windows 8.1 shortly after the bug was patched by Microsoft, in a blog entry last October. Caselden gets much deeper into the exploit and points out the similarities from k33nteam’s proof of concept and the Angler sample on FireEye’s blog. For example, unlike the October exploit, this one can also optionally serve up a Flash zero day (CVE-2015-0313) – one of the three that plagued the Adobe software last month – that was also previously seen being used by Angler. Microsoft introduced MEMPROTECT, or MemoryProtection, in a July 2014 patch for IE and while the heap mitigation technology isn’t failsafe, it was thought to be effective against use after free vulnerabilities. For a short period it seemed as if the move would curb the number of IE exploits spotted in the wild, as attackers wouldn’t have to reuse dated IE use after free exploits. Naturally attackers were able to come up with ways around this. Attackers that have long had it out for Microsoft’s Internet Explorer and continue to take old, since-patched exploits and add them to their exploit kits just to see what sticks. In January attackers added a nasty, previously unknown Flash zero day that targeted IE on Windows 7 and 8 to the kit. An analysis of Angler last month called it the most sophisticated kit on the market, namely because it’s been the fastest to integrate newly released zero days and because its obfuscation is reportedly at the top of its game. Source

Security experts are still trying to assess the effects of the reported attack on SIM card manufacturer that resulted in the theft of millions of encryption keys for mobile phones around the world, but it’s safe to say that the operation has caused reverberations throughout the industry and governments in several countries. The attack, reported by The Intercept, is breathtaking in its scope and audacity. Attackers allegedly associated with the NSA and GCHQ, the British spy agency, were able to compromise a number of machines on the network of Gemalto, a global manufacturer of mobile SIM cards. The attackers have access to servers that hold the encryption keys for untold millions of mobile phones, allowing them to monitor the voice and data communication of those devices. The document on which the report is based was provided by Edward Snowden, and it says in part, “Gemalto–successfully implanted several machines and believe we have their entire network…” If true, that would mean that the attackers had access to far more than just those SIM encryption keys. Gemalto officials said in a statement that they were previously unaware of this operation. “The publication indicates the target was not Gemalto per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” the statement says. Security researchers have said since the beginning of the NSA scandal–and before that, in some cases–that the agency and its allies have an intense interest in monitoring mobile communications. Mobile networks present different challenges than traditional computer networks do for attackers, but they are not insurmountable ones for organizations with the resources of NSA and GCHQ. Gemalto, as one of the larger SIM manufacturers on earth, would be a natural target for signals intelligence agencies, as it provides products to hundreds of wireless providers, including Verizon, AT&T and Sprint. Bruce Schneier, CTO of CO3 Systems and a noted cryptographer, said that this operation may represent the most serious revelation of the Snowden documents. “People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards,” Schneier said on his blog. “I think this is one of the most important Snowden stories we’ve read.” The Gemalto revelation could have long-term effects for the technology industry and its relations with the government in the United States and UK. The relationships already have been strained by past revelations of NSA operations against infrastructure owned by companies such as Google, Yahoo and many others. This latest revelation likely won’t help matters. But White House officials aren’t worried. “We certainly are aware of how important it is for the United States government to work with private industry; that there are a lot of situations in which our interests are pretty cleanly aligned. And there are certainly steps that the U.S. government has taken in the name of national security that some members of private industry haven’t agreed with. But I do think that there is common ground when it comes to — and this is a principle that I’ve cited before — it’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so,” Josh Earnest, White House press secretary, said during a briefing on Friday. Source

The Regin malware platform used to steal secrets from government agencies, banks and GSM network operators caught the attention of security experts who called it one of the most advanced attack platforms that has been studied, surpassing Flame, Duqu, even Stuxnet. Researchers at Kaspersky Lab said Regin could be tuned to attack large organizations or even individuals, pointing out that noted cryptographer Jean Jacques Quisquater was one of its first public victims. Today, details about a pair of Regin modules were released by Kaspersky’s Global Research and Analysis Team, one module used for lateral movement, while the other establishes a backdoor in order to move data off compromised machines. The researchers, Costin Raiu and Igor Soumenkov, concede that the modules, named Hopscotch and Legspin, have likely been put out of commission by those responsible for Regin and replaced by new modules. Attribution, meanwhile, remains another mystery to Regin, though some were quick to pin either the U.S. National Security Agency, or the U.K.’s GCHQ as the perpetrators. Regin was revealed in November by Kaspersky Lab, which said it has been detected on Windows computers belonging to 27 organizations in 14 countries, most of those in Asia and the Middle East. The GSM (Global System for Mobile Communication) characteristic to Regin is a relatively unique feature to APT-style attacks, and particularly concerning given the lax security used in mobile communication protocols. The attackers were able to steal credentials from an internal GSM Base Station Controller belonging to a large telecom operator that gave them access to GSM cells in that particular network, Kaspersky Lab said. Base Station Controllers manage calls as they move along a mobile network, allocating resources and mobile data transfers. With this kind of access, the attackers knew information about calls processed by particular cells, and were able to redirect calls, activate other cells and steal data. “At the present time, the attackers behind Regin are the only ones known to have been capable of doing such operations,” Raiu said at the time. Today’s report provides an in depth analysis of two of four modules belonging to Regin (hashes, compile dates, file type and size are listed on the Securelist blog). “Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” the researchers wrote. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.” Hopscotch, for example, is a standalone tool used by the attackers for lateral movement. It relies on stolen credentials to authenticate itself on remote computers, and contains no exploits, Raiu and Soumenkov said. “The module receives the name of the target machine and an optional remote file name from the standard input (operator),” Raiu and Soumenkov wrote. The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.” The module creates a new service to launch a payload extracted from a remote server using a two-way encrypted channel, one that forwards input from the operator to the payload, the other writes data from payload to the standard output. The executable injects itself into a new process for persistence and the remote operator can interact with the module. “Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation,” Raiu and Soumenkov wrote. Legspin is another standalone module; this one is a command line utility for computer administration, and operates as a backdoor. “It is worth noting that the program has full console support and features colored output when run locally,” Raiu and Soumenkov wrote. “It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.” There are clues within the module that hint it was developed around 2002-2003; it also uses legacy API functions such as NetBIOS, which was deprecated from Windows with the launch of Vista. This module gives the remote attacker an interactive command prompt, and a long list of commands at their disposal, including the ability to retrieve and upload files, connect to a remote share, retrieve server configuration data, create processes, much more. “It’s worth pointing that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions,” the researchers wrote. “This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.” Source