With almost a million new potential malware samples being seen a day, it is becoming increasingly critical to bulk up the speed at which malware can be processed to filter out what needs manual analysis, what needs to be sandboxed and what can be handled by mere static processing.
Recently, I spoke at Analyze 2015 about extracting malware configurations at scale and some of our early experiences in building a system to do exactly that. So far, we’ve been able to process almost 6,000 configurations successfully for the month of May using that system. This can be analyzed further for actionable intelligence but it has also led to some interesting findings.
By running the IP addresses of the command and control servers (C2s) we retrieved for the various RAT families through the MaxMind GeoIP database (90% confidence level), we were able to determine the top ten global cities with the highest number of RAT controllers. Please note that this should be interpreted to mean only that the RAT controller resides in a given city, not that there is specific nation-state involvement.
In June 2015, we published Fidelis Threat Advisory #1017 and a blog post on unrelated hostile cyber criminal activity based on the exploitation of CVE-2014-4114, using a novel technique leading to zero antivirus detections for this well-known vulnerability. What originally drew our attention was the fact that cyber criminals were now leveraging the vulnerability that was initially exploited by advanced persistent threat (APT) actors in October 2014.
Yesterday (June 15, 2015), CitizenLab published a report revealing that hostile actors were using precisely the same technique involving CVE-2014-4114 against Tibetan and pro-democracy Hong Kong groups. While no explicit attribution was made in the report, preliminary analysis suggests that actors working in the interest of a government may be behind this activity. Suspected Chinese government-affiliated cyber espionage actors have historically conducted cyber operations against these groups to monitor their developments.
During our research, we noticed that several files had the same original creation date (2011) and author (“aaa”) in the PowerPoint metadata. We traced these files to the original document: a PowerPoint document written in Chinese about China Cloud Computing Technology, entitled “Big Data as a Means of Ensuring Internet Security for the Military” (approximate translation). While the contents of that document had been removed, it is clear that someone had built and distributed phishing messages using it as the original PowerPoint document. The document is publicly available, but obscure enough for this to be a very interesting finding.
Kaspersky Lab discovered a new version of Duqu, a virus commonly linked to Israel’s intelligence agency, on its own network and at three luxury European hotels that had hosted nuclear negotiations between Iran and other world powers. The spyware was designed with over 100 discrete modules, which allowed the program to compress video feeds, target communications from phones and Wi-Fi networks, and take control of elevator microphones and alarm systems.
Businesses using Oracle Micros point-of-sale systems are being targeted by a new malware program called MalumPoS. The new malware, identified by researchers at TrendMicro, looks for payment card track data (the information encoded on the magnetic strip of payment cards) in the memory of processes associated with Oracle Micros.
Adobe released software updates to fix at least 13 security holes in its Flash Player software on June 10. Microsoft also issued patches for at least 36 flaws in Windows and associated software. The majority of Microsoft’s patches addressed issues in Internet Explorer, along with Office, the Windows OS and Windows Media Player.
A proof-of-concept attack has been published that exploits a flaw in Mail.app, the default iOS e-mail program, which allows attackers to steal iCloud passwords. Since the release of version 8.3 in April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages, which allows the exploit to download a form from a remote server that looks identical to the legitimate iCloud log-in prompt.
Hackers tied to Syria have claimed responsibility for an attack on the Army’s homepage on June 8 that led military officials to take the site down. Army officials said that no classified or personally identifiable information was compromised because Army.mil does not have any classified information.
Nigerian 419 scammers have long been known for their involvement in advanced fee fraud scams where individuals were contacted via letter or e-mail with a business proposal. However, in the past year, these actors have begun to embrace the sophisticated techniques seen in recent high profile and successful criminal and espionage campaigns. Earlier this week we published a more detailed report on recent cyber crime activity leveraging vulnerabilities first exploited by espionage actors. Nigerian groups are suspected of being behind some of this activity.
In May 2015, the computer security firm Panda released a report identifying hostile cyber activity directed against companies involved in the oil industry, which it dubbed “Operation Oil Tanker.” While the attack seemed to bear the hallmark of an advanced persistent threat (APT) actor based on its targeted nature and intended victims, researchers concluded that the perpetrators were Nigerian 419 operators, according to the report.
As a digital forensic investigator, you almost always have a variety of tools at your disposal. The trick becomes knowing which tool is best for the job. Let’s say you walk into the office on Monday morning and find an email from your supervisor: a case just came in and the client wants a detailed forensic examination in just a couple of days. As usual, the first step is to decide which examination tool is the best option. In this case we need one that will help us meet the very tight deadline while not sacrificing the quality of the examination.
This decision is never an easy one for a digital investigator to make, so I decided to help make it a little easier by evaluating some of the most common digital forensics tools available and giving a high-level overview of how each one performed in this particular instance.
For this case I examined EnCase 6.18, EnCase 7.10, FTK 5.6 and X-Ways 18.0. Each of these tools was used to verify the integrity of a forensic image, conduct file signature analysis, conduct file hash analysis and, lastly, run a keyword search, all common digital forensics processes. I recognize there are different types of keyword searching (index and raw searching). In this evaluation I used a raw, non-indexed keyword search with uniform search settings across the tools.
Fidelis Cybersecurity analysis has identified unrelated cyber criminal activity leveraging the vulnerability cited in CVE-2014-4114, which was initially exploited by advanced persistent threat (APT) actors in October 2014. Notably, some of this recent activity demonstrated actors implementing a technique that bypassed antivirus detection by saving a PowerPoint document in which malware executed once the document was opened in Slide Show presentation format. The identification of cyber crime actors, particularly Nigerian 419 scam operators, attempting to exploit CVE-2014-4114 demonstrates how quickly cyber criminals are trying to exploit a vulnerability previously associated with espionage actors, using similar tactics, techniques, and procedures (TTP) to maximize their chances of success, with additional innovation as seen with these samples.
We identified threat actors using weaponized PowerPoint documents that exploited CVE-2014-4114 to create an executable dropper that entrenched different malware in the victim system based on the actor’s choosing.
In order for the exploit to trigger, the malicious document must be opened in Slide Show presentation format (e.g. saved as PPSX or PPS, or by choosing to view the document in presentation mode from PowerPoint). We observed that the adversary is saving the document in PPS format in order to bypass all antivirus detection. See APPENDIX B for more details.
Based on our observations, multiple seemingly unrelated cyber crime campaigns of varying sophistication levels are targeting the CVE-2014-4114 vulnerability. We believe that cyber criminals, particularly Nigerian 419 actors, are now seeking to exploit vulnerabilities first leveraged by espionage actors. If true, this would represent an evolution in 419 actor TTPs from previous operations.
Hackers working for the Chinese government breached the Office of Personnel Management (OPM) in December 2014, compromising the personal information of 4 million current and former U.S. federal government employees. This was the second breach at OPM in less than a year. After the first breach, discovered in March 2014, OPM deployed new tools and capabilities to the network, one of which was used to discover the second breach. The intruders accessed the network using spear-phishing and a zero-day vulnerability. Private researchers have linked the attack to the same group responsible for the breach at Anthem in March 2015.
Heartland Payment Systems, the victim of a January 2009 data breach, announced on June 1 that some electronics, including four computers believed to contain personal information of customers, were stolen from its payroll office. The computers were stolen as part of a burglary and may have compromised the personal information of 2,200 customers, but as of June 1 there was no evidence the information had been accessed or used in a fraudulent manner.
According to Der Spiegel, Russia is the chief suspect in the recent hack of the Bundestag. The German government is not publicly accusing Russia, but sources have claimed that indications point towards a state-sponsored attack. The sophisticated trojan used in the attack was similar to malware used in a 2014 attack on a German data network, and compromised 20,000 accounts on the Bundestag network.
Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode are vulnerable to exploits that remotely overwrite the firmware that boots up the machine. Researcher Pedro Vilaca discovered the exploit, which attacks the BIOS protections immediately after a Mac restarts from sleep mode, when the protection mechanism known as FLOCKDN is deactivated. The exploit is not expected to be used on a large scale, but only in highly targeted attacks.
A state-funded advanced persistent threat group known as OceanLotus has been stealing information from Chinese government agencies and maritime institutions since 2012. This marks the first time Chinese researchers have come forth with a major technical report detailing APT attacks against China. Ninety-two percent of OceanLotus’s targets were based in China, mostly in Beijing.
Note: Much of this information has been taken from an English translation of Qihoo 360’s SkyEye Labs report, and has been interpreted accordingly. The original report in Chinese can be found here.
In May 2015, the Chinese Internet company Qihoo 360’s SkyEye Labs accused an advanced persistent threat (APT) hacker group named “OceanLotus” of stealing Chinese government information. Specifically, the company claimed the activity was in direct employ of a hostile foreign government.
According to the English translation of the report, the activity has been targeting China since April 2012, targeting maritime institutions, shipping enterprises, Chinese government departments, and research institutes, and stealing sensitive information. Two primary tactics have been identified: socially engineered e-mails with attractive lures designed to entice recipients to click on attachments with embedded Trojans, and what is best described as watering hole attacks. More than 100 OceanLotus Trojan program samples of four different types of Trojans had been planted in computers in 29 Chinese provincial regions and 36 countries, according to SkyEye Labs.
The activity started in April 2012 employing the “watering hole” technique, but then stopped for a period of two years. It commenced again in February 2014 in the form of spearphishing. Despite the fact that this activity targeted other countries, 92% of the victims were located in China, with Beijing suffering the lion’s share of attacks.
The Department of Homeland Security recently announced that over the next couple of months its U.S. Computer Emergency Readiness Team (US-CERT) would begin using two emerging technical specifications, STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information), to automate how cyber threat information will be shared with the public and private sectors.
Sharing cyber threat information has been identified as a necessary contributor to help mitigate cyber threats. To continue to bolster these efforts, in February 2015, the President signed an executive order promoting the sharing of cybersecurity information between the government and the private and public sectors. Complementing the executive order, Congress is trying to pass a bill that will indemnify organizations from incurring liability for sharing potentially damaging information. This “one-two” punch may be the catalyst needed for public and private organizations to readily share information with one another because the same actor groups are generally using the same tools, tactics, techniques and procedures to target both sectors.
Cyber threat information sharing has not traditionally enjoyed a tremendous amount of success, particularly in the private sector, although there are isolated cases such as the Financial Services Information Sharing and Analysis Center (ISAC) that have yielded positive results. Two potential reasons for this are cultural and technical.