The Red October RAT (Remote Access Tool), which has been extensively analyzed by Kaspersky, appears to have continued its development. The Finnish Foreign Ministry has disclosed that it was the victim of a network intrusion that went on for over four years. The tool used in the attack was specifically described as “not Red October”, although there were similarities. The research and analysis of the attack are ongoing, but it appears to have first been detected earlier this year. The attack targeted data traffic between the Ministry and the EU, and the Finns have rather nebulously said that they believe “China or Russia” is the originating actor.
A pair of dueling intelligence exploitation revelations have given the ongoing Snowden releases a run for their money. The first is the allegation that Russia provided poisoned gifts to delegates at the G20 summit. The complimentary USB sticks and telephone chargers distributed to attendees came with trojan software installed (in the case of the USB sticks), while the cell phone chargers had the ability to slurp data from phones connected to them and send it onward to quarters unknown. Apparently the malware accessories were first recognized as hacking devices by Herman Van Rompuy’s staff. There have been official statements that the devices were not used by any heads of state, but there are indications they may have been picked up by various members of their staffs. Russia has made an official denial of any involvement with the hacking attack, instead stating that this revelation is merely an attempt to distract the world from the NSA spying scandal. There has also been a report published (first in Russian media) that Russian customs officials had seized a number of electric coffeepots, imported from China, which when plugged in search for unlocked wireless networks and then start distributing malware and sending spam emails.
Undoubtedly this sort of situation is not what futurists predicting an “Internet of Things” anticipated. However, we must come to the conclusion that with ubiquitous computing will come ubiquitous malware and exploitative software. It may not yet be time to lie awake at night worrying if your toaster is hacking into your email and changing the controls on your fridge and your TiVo, but the hour certainly draws near.
The Blackhole Exploit Kit, one of the more popular methods of delivering criminal malware to unsuspecting users, has run into a number of difficulties in the last few days. The leading crimeware kit, which has usually been updated as often as twice a day to stay ahead of antivirus detection rules, has not been updated in over a week. This comes amid rumors of the arrest of “Paunch”, the kit’s creator, in Russia. Russian authorities have confirmed the arrest to Europol and news agencies.
The Blackhole kit is by far the most popular exploit injection architecture in recent use, and typically operates by using infected sites to exploit Java vulnerabilities and foist criminal malware on unsuspecting surfers, though it has also been used to attack users through phishing emails with links to malicious sites. While other services are used to manage the development of the specific malware payloads (Zeus is a standout in this category), the objective of the Blackhole kit and similar programs is serving these payloads up to users via Java and other platform vulnerabilities. The arrest of “Paunch” will no doubt lead to the market migrating to other service providers. It must be remembered that this niche is incredibly lucrative: user licenses for Blackhole cost up to $50 per day, or $500 per month.
Dan Gifford – MCySec Media Manager
Bruce Schneier has recently published a series of articles on the ways that the users of the TOR network and others have been targeted with exploits by the NSA’s Tailored Access Operations group. He has also posted a full explanation on his blog. The attacks run generally as follows:
1. Through pervasive surveillance and traffic sharing agreements with telecommunications companies (under project code names such as Stormbrew, Fairview, Oakstar and Blarney), customer HTTP traffic is collected.
2. Using data analysis tools with names like Turbulence, Turmoil and Tumult, connections leaving the TOR network’s exit nodes and connecting to other servers on the internet are found.
3. These individual connections are then exploited using a man-in-the-middle (MiTM) attack in which servers positioned strategically around the world (a system called QUANTUM) respond to the request and impersonate the server the TOR user is attempting to connect to. This works if the QUANTUM server is closer in physical distance to the TOR exit node than the exit node is to the TOR user’s target server, allowing the forged response to arrive first. Ideally, nothing is noticed by the TOR user, as attacks of this nature can actually pass the user through to their originally intended server.
4. As needed, TOR users can be redirected by QUANTUM onto a different set of servers run by the Tailored Access Operations group, called FOXACID.
5. The FOXACID servers look like normal webpages, but if someone is directed to a specific tag URL, the server executes specific exploits against the target user’s machine. Most of these exploits have targeted the Firefox browser, and often the specific version of Firefox “bundled” with TOR by the TOR foundation. Phishing has also been used to induce users to click on FOXACID tags. Once exploited, a trojan is downloaded to the target user’s machine, which then calls home to a separate subset of FOXACID servers, called FRUGALSHOT. The FRUGALSHOT servers perform more exploits as needed to ensure the integrity of the compromise and allow further monitoring of the target’s activities. The target’s real IP address (bypassing their TOR network connection) is also obtainable.
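The race described in step 3 leaves a trace a defender can look for: the forged reply and the real server’s reply both reach the monitoring point carrying the same TCP sequence number but different content (and usually a different IP TTL, since they travelled different paths). The following Python is an added example written for this post, not code from the original article or from any of the programs it names. It assumes a passive tap that sees server-to-client segments, represents each as a small `Segment` record, and flags conflicting duplicates; the packet records are constructed sample data and the IP addresses are documentation-range placeholders.

```python
"""Flag duplicate TCP segments whose payloads disagree.

A QUANTUM-style injection wins a race: the forged response arrives before
the genuine one. Both share a TCP sequence number but differ in payload, so
a passive monitor can detect the pair. Ordinary retransmissions repeat the
same bytes and are not flagged. All data below is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture time in seconds (constructed)
    src: str         # server side IP as seen on the wire
    dst: str         # client side IP (here: the exit node)
    sport: int
    dport: int
    seq: int         # TCP sequence number
    ttl: int         # IP TTL as observed at the tap
    payload: bytes


def flow_key(s: Segment):
    """Identify the server->client half of a connection."""
    return (s.src, s.sport, s.dst, s.dport)


def find_conflicting_duplicates(segments):
    """Return alerts for segments that share a flow and seq but carry
    different payloads. TTL mismatch and arrival gap are recorded as
    supporting evidence (a different TTL suggests a different origin)."""
    by_key = defaultdict(list)
    for s in sorted(segments, key=lambda s: s.ts):
        by_key[(flow_key(s), s.seq)].append(s)

    alerts = []
    for (flow, seq), segs in by_key.items():
        first = segs[0]
        for later in segs[1:]:
            if later.payload == first.payload:
                continue  # benign retransmission: identical bytes
            alerts.append({
                "flow": flow,
                "seq": seq,
                "first_ttl": first.ttl,
                "second_ttl": later.ttl,
                "ttl_mismatch": first.ttl != later.ttl,
                "delta_ms": round((later.ts - first.ts) * 1000, 3),
            })
    return alerts


# Constructed sample capture: one injected reply racing a real one, plus a
# harmless retransmission later in the same flow. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
SERVER, EXIT_NODE = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    # forged reply: same spoofed source, arrives first, TTL differs
    Segment(0.000, SERVER, EXIT_NODE, 80, 51000, 1001, 49,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    # genuine reply from the real server, 18 ms later
    Segment(0.018, SERVER, EXIT_NODE, 80, 51000, 1001, 57,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(0.020, SERVER, EXIT_NODE, 80, 51000, 1050, 57, b"hello"),
    # retransmission of the previous segment: same seq, same bytes
    Segment(0.300, SERVER, EXIT_NODE, 80, 51000, 1050, 57, b"hello"),
]


def scan_sample():
    """Run the detector over the constructed capture."""
    return find_conflicting_duplicates(SAMPLE)


if __name__ == "__main__":
    for a in scan_sample():
        print(f"possible injection: flow={a['flow']} seq={a['seq']} "
              f"ttl {a['first_ttl']}->{a['second_ttl']} gap={a['delta_ms']} ms")
```

Run against the sample, the detector raises exactly one alert, for sequence number 1001, with a TTL mismatch and an 18 ms gap. Two caveats apply: the tap has to sit where it can see both copies (between the exit node and the origin server, or on the server side), and a segment that overlaps a previous one only partially is not handled by this exact-seq comparison and would need byte-range reassembly.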
The bottom line is that a structured system has been revealed which subverts the anonymity provided by the TOR network by installing malicious programs onto the computers of users. While various Computer Network Effect operations have come into view and been theorized lately, the general thinking was often that these attacks would be targeted at nation states rather than used in a wholesale manner against users whose national affiliation is not known beforehand. Obviously any assumptions along those lines were wrongheaded, and the targeting of general populations of internet users with exploit code and trojans has received the blessing of the US Government.
There remain methods of preventing this kind of attack, however. The best way to avoid it would be to use Tails, which installs TOR and a browser bundle as a LiveCD/LiveUSB that cannot be written to, preventing any trojan software from installing persistently and/or calling home with your actual IP address.
Dan Gifford – MCySec Media Manager
Security researcher Brian Krebs has conducted an investigation of a number of identity theft portals active on the internet, where various ne’er-do-wells were able to purchase the personal information (social security numbers and full background check information) of anyone they pleased, including such luminaries as Beyonce, Kanye West and Jay Z, and even First Lady Michelle Obama, CIA Director John Brennan, and former FBI Director Robert Mueller.
The service which Krebs homed in on, ssndob.ms, was apparently slurping its data from the primary companies on the “legitimate” side of background checks: LexisNexis, Dun & Bradstreet, and Kroll. The ID thieves had penetrated the networks of those companies and added a number of their servers to a botnet. The admins of ssndob then used these computers to pull data from the companies’ databases. They also had control of a number of compromised accounts with conventional access to these databases.
The main impact of the hack is that it proves that so-called “Knowledge-Based Authentication” (KBA), a process where someone’s identity is verified by asking them questions from their history, such as places lived, cars owned, and recent bills paid, is not an effective security measure. Identity thieves have obtained the databases, and will no doubt continue to find access to them, which means that passing a KBA challenge is a trivial task for determined and well-connected attackers. However, many of the alternatives, such as biometric identifiers, come with their own problems. Establishing identity is the hard problem of the information age.
Dan Gifford – MCySec Media Manager