Friday, March 6, 2015

Angler and the new threats

What I am writing is not a "news" anymore, but it is like a "consciousness raising" about the incredible job the guys behind Angler Exploit kit did.

But, let me start from the beginning. For everybody out there do not know what an Exploit Kit is I found out a clear and nice description from McAfee Labs:
An exploit kit is an off-the-shelf software package containing easy-to-use packaged attacks on known and unknown (zero-day) vulnerabilities. These toolkits exploit client-side vulnerabilities, typically targeting the web browser and applications that can be accessed by the web browser. Exploit kits can also track infection metrics and have robust control capabilities
Angler is one of several Exploit Kits available for attackers. Actually Angler Exploit Kit has become the most advanced, much more powerful and the best exploit kit available in the market so far, beating the infamous BlackHole exploit kit, with a host of exploits including zero-days and new techniques added to it. 

What makes Angler so great are the following two characteristics: Domain Shadowing (”DSH“) and Filess Infection "Filess".

One of the newest techniques bheind Angnler Exploit Kit is the so called “Domain Shadowing”. Domain Shadowing, first appeared in 2011, is the process of using "users domain registration logins" to create subdomains used to spread the malware content. Nik Biasini from the Cisco Talos Group did a great job in describing the differences between the classic Fast Flux DNS Techniques and the Domain Shadowing technique implemented in Angler Exploit Kit. The following image (taken from Talos Description) shows the difference between the most common Fast Flux Versus the recent Domain Shadowing.

Fast Flux VS Domain Shadogin (from Talos Description)

While fast flux is continuously changing the DNS record value (well there are plenty variants of it, so please forgive my generalization) in order to confuse analysis, domain shadowing makes use af many real dns stolen account to make them redirect to malicious content. This techniques is "a way more complex" to be realized since the bot maker needs to compromise DNS records and/or DNS credentials.

Filess Infection is another great new feature introduced into the Angler ExploitKit. The obvious difference between Filess injection and File injection is in the way the Exploitkit drops and loads the new payloads. The following image clearly shows the difference between the two techniques. On the left side a file injection in which the Exploit kit saves the malicious .ddl into a temp directory and later on it loads the malicious .dll from the disk (This approach preserves easy persistance but it mostly subjected to AV discovery).

File injection VS Filess injection
On the right side of the image the process directly loads into memory the downloaded stream running it through a new thread. This method makes it harder the persistence and makes it easier the network detection but it makes almost impossible the host detection by AV engines.  The following screenshot shows a piece of code that makes this happen by (I did follow the steps in here):

  1.  Read first page of the file which includes DOS header, PE header, section headers etc. 
  2. Fetch Image Base address from PE header and determine if that address is available else allocate another area. (Case of relocation) 
  3. Map the sections into the allocated area 
  4. Read information from import table and load the DLLs 
  5. Resolve the function addresses and create Import Address Table (IAT). 
  6. Create initial heap and stack using values from PE header.
  7. Create main thread and start the process.
Filess Execution Example. Code goes from left to right (it's the sam file)

Nowadays we are even experiences Powelinks (CVE-2012-0158, which makes storing payloads into registry) and Filess Combo, which makes Angler even more undetectable.

Following a McAfee graph showing the variance of several Exploit kits during 2014. Angler got 14 variances in few months,  Amusing !

Exploit Kits in 2014 (McAfee)


Friday, February 13, 2015

Notorious Hacking Groups.

Knowing your "enemies" is always a good exercise before developing every protection. Different attackers have different techniques and belong to different groups. Each group owns strict beliefs and attacks in a well known way. In this post I want to examine some of the most notorious hacking groups in the history until now (February 2015) in order to show how attackers "attack" and how they live in community.

The following list wont be a complete and / or an exhaustive list of cyber attackers groups, it is mainly based on my memories and public available informations.

I'd like to start with 414s hacking group (1980). For what I know it's not an active hacking group anymore. It broke into dozens of high-profile computer systems, including Los Alamos National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific Bank. It has been one of the first group to be organized over IRC and to act together in order to reach the common goal.

Another hacking group born in 80s was the PHIRM. In 1985 a Phrack magazine article brought the group into the public eye, and they began to take on new members. In 1987 two of the founders, Archangel and Stingray, co-authored a report on Cleveland's Freenet. In 1989 the group published a definitive guide to breaking security on Bank of America home banking systems. 

The Cult Of Dead Cow (cDc) is probably the biggest hacking group of late 80s. Its famous logo still appear in some of the underground tools out there. The group is the maker of the term "Hacktivism" and became famous to fight with the Hong Kong Blondes (a Chineese Hacking Group).
cDc Logo                                 
In the late 1990s, the cDc worked with a group of Chinese dissidents called "The Hong Kong Blondes." The goal of the Hong Kong Blondes was to disrupt computer networks within the People's Republic of China in order to allow PRC citizens to access censored content online. The Hong Kong Blondes were, arguably, one of the first hacktivist groups. The cDc advised the group on strong encryption techniques, among other things.[17][18][19][20] The cDc formally severed ties with the Hong Kong Blondes in December 1998.
Chaos Computer Club (CCC) is a Germany based hacking group. The CCC describes itself as "a galactic community of life forms, independent of age, sex, race or societal orientation, which strives across borders for freedom of information...." In general, the CCC advocates more transparency in government, freedom of information, and the human right to communication.
  
Level Seven was a hacking group during the mid to late 90's. Eventually dispersing in early 2000 when nominal head 'vent' was raided by the FBI on February 25, 2000. They became famous after the attack to NASA and Sharaton Hotels.

Milw0rm is a group of "hacktivists" best known for penetrating the computers of the Bhabha Atomic Research Centre (BARC) in Mumbai. The group conducted hacks for political reasons,[3] including the largest mass hack up to that time, inserting an anti-nuclear weapons agenda and peace message on its hacked websites.

NCPH Network Crack Program Hacker Group is one of the first Chinese hacker group based out of Zigong in Sichuan Province. While the group first gained notoriety after hacking 40% of the hacker association websites in China,[2] their attacks grew in sophistication and notoriety through 2006 and received international media attention in early 2007. iDefense linked the GinWui rootkit, developed by their leader Tan Dailin (Wicked Rose) with attacks on the US Department of Defense in May and June 2006. iDefense linked the group with many of the 35 zero-day attack and proof-of-concept codes used in attacks with over a period of 90 days during the summer of 2006. They are also known for the remote-network-control programs they offer for download.

Lizard Squad is the hacking group known for targeting the PlayStation Network and Xbox Live services. It mainly acts as a black hat group and it has been pubblically revealed on August 2014. It is a very discussed hacking group since many parties say they claim fake attacks.

LulzSec is another group of hackers originating in 2011 and quite famous in the underground community. Organized by Sabu, LulzSec have been accused to compromised user accounts of Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline several times.
Lulz Sec Logo
TeslaTeam is a group of black-hat computer hackers from Serbia established 2011. The group was mainly famous for their defacements techniques (tools). They mainly targeted political groups, Albanian websites and including news organizations and human rights groups. TeslaTeam is currently the only virtual army in Serbia to openly launch cyber attacks.

SEA (Sirian Electronic Army) is a group of computer hackers who support the government of Syrian President Bashar al-Assad. Using spamming, defacement, malware (including the Blackworm tool), phishing, and denial of service attacks, it mainly targets political opposition groups and western websites including news organizations and human rights groups. The Syrian Electronic Army is the first public, virtual army in the Arab world.

Anonymous, is maybe the most discussed and famous (right now) a group of hacktivist originating in 2003. A website nominally associated with the group describes it as "an internet gathering" with "a very loose and decentralized command structure that operates on ideas rather than directives". The group became known for a series of well-publicized publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites.

Anonymous Logo
 Beginning in June 2011, hackers from Anonymous and LulzSec collaborated on a series of cyber attacks known as "Operation AntiSec". On June 23, in retaliation for the passage of the immigration enforcement bill Arizona SB 1070, LulzSec released a cache of documents from the Arizona Department of Public Safety, including the personal information and home addresses of many law enforcement officers.

Wednesday, January 28, 2015

Romantic Cyber Attack Process

From time to time, even if we are now in 2015, I find people that do not truly believe in cyber attacks having confused ideas on how cyber attackers do their job. So, even if what I am writing is wellknown for most of you, I want to briefly describe a romantic process behind current cyber attacks to public and/or private infrastructures (Not SCADA based).

The following image, borrowed from CERT-EU-SWP, shows a tipycal atack flow in 2014/2015. The attacker performs the designed initial attack phase (step 1) by compromising the victim's machine (nowadays the most frequent "phase one" are implemented through: Exploiting, Spear-Phishing or Watering hole, etc..).


From: CERT-EU-SWP Protection from Kerberos Golden Ticket
Once the attacker has succesfuly compromised the victim's machine (which often, but not always, means to have direct access to that machine) he/she needs to escalate local privileges (2) in order to proceed with horizontal propagation (phase 4). Several known techniques are available to escalate local privileges such as: Expoiting local vulnerabilityes, 0Days, Dumping SAM File, Hidden Passwords, Weak Permissions on Processes, DLL Preloading, Writing permission on Win32, Windows Services running as system, Window AT commands, etc... 
Horizontal propagation is one of the most exiting phase for the attacker since he/she can explore, for the first time ever (assuming a complete black box attack),  the victim network trying to tamper with horizontal attack tecniques the entire targeted network.
Note: some attackers prefer to penetrate neighbors machines through a generic exploiting process, other attackers prefer to use network tricks to compromise the attacked network comunication and some other attackers prefer to own network infrastructures (such as: router, smart switch, dns, dhcps, etcs)  before end point machines.
Based on my personal experience the most expedient way to perform horizontal propagation is through the "pass-the-hash" technique (or "pass-the-tickets" in case of Kerberos)  [here, here]. In order to reach the horizontal propagation (phase 4) the attacker needs to harvest hashes or Tickets (deending on targeted infrastructure). Harvesting hashes is a relative simple phase that could be reached by searching for logged in user accounts, looking for services (applications) hosting a password or to wait/force a remote user to log in. Thanks to the pass-the-hash technique attackers could assure persistent access to target network having a continuos and unlimited access to target enviroment. The described process is by far the most used attacking process implemented so far but is not the only one. No contermeasures will be discussed on this "blog post", only the romantic cyber attack proces. :]

Sunday, January 11, 2015

Getting Persistence With No Malware

One of the most challenging task for attackers is to get persistence into the hacked machine. Malware was the perfect way to get this task done: basically a simple Malware, implementing a persistence technique such as:
  • Getting into the "startup folder"
  • Installing a rootkit on user/system executable
  • DLL search hijacking
  • "Run" Registry keys
  • "UserInit" Registry key
  • WinLogon Events
  • Scheduled Tasks
  • Programs with aspected naming convention
  •  ...
was able to guarantee persistence on the victim's machine. But all these persistence techniques leave visible traces on the victims system. Day by day tools ( MicAutoruns, RegRipper, DLLSearchOrder, etc..) and analysts learned how to detect persistence giving to the attacker only few hours of activity.

During the past months attackers discovered a new way to getting persistence without Malware. The "Golden Ticket Attack" which is basically a Forged Kerberos Key Distribution Center which can be used to generate any valid Kerberos Ticket for every known users !
In a nutshell, if you have domain admin/local admin access on an Active Directory forest/domain, you can manipulate Kerberos tickets to get unauthorized access. A golden ticket attack is one in which you create a Kerberos-generating ticket that is good for 10 years or however long you choose.
One of the best (for what I know) attack implementation is provided by mimikats.

mimikats: usage example


The described tool implementing this specific pass-the-hash (pass-the-ticket) attack is public available and could be used from attackers to gain persistence on a target domain. Obtaining the needed requirements to implement this attack is not a trivial task, but it is really possible. A great article released by Microsoft on pass-the-hash mitigations is freely downloadable here. If you are a Security Manager, please invest some of your time to read it.

Monday, January 5, 2015

Indusrtial Control Systems: an Interview

Industrial Control System Security is a great challenge in nowadays production environments but often is one of the last sake of production managers.
"SCADA (supervisory control and data acquisition) is a system operating with coded signals over communication channels so as to provide control of remote equipment (using typically one communication channel per remote station). The control system may be combined with a data acquisition system by adding the use of coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions. It is a type of industrial control system (ICS). Industrial control systems are computer-based systems that monitor and control industrial processes that exist in the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large-scale processes that can include multiple sites, and large distances."


CopadataMagazine on Scada Security

Tuesday, December 23, 2014

PDF Versions Malicious Content Distribution

While attack vectors based on Malicious PDF are a well known topic (SANS, Didier's tools), understanding how those vectors are spread up nowadays is an interesting "research" (at least in my personal opinion). Recently, Yoroi 's toolset gave me the ability to analize almost 2k PDF per hour, so I decided to analyze an entire hour of captures harvested from many different sources (mainly emails, repositories and http streams) and to put my findings in this quick and dirty post just to fix them in my "diary".

Since PDF are one of the most used document format, attackers figured out how to make them malicious.The following image shows a romantic attack vector used to infect a victim through PDF Malware. The infected PDF wraps up an object content which eventually downloads a payload from Internet (for example a .exe or junk of bytes excetuded "directly in memory") and runs it. The payload might perform several tasks such as: reading/writing fylesystem, executing objects, sniffing passwords, listening for contents, substitute content and so on and so forth, making the original PDF malicious.
Romantic Attack Path driven by PDF
A commonly used way to implement the downloader is through JavaScript which is able to run on PDF in order to introduce simple effects, anchors and dynamisms. The following image shows a simple JavaScript downloader hidden into a PDF.

A Romantic PDF Malware Object
My curiosity was about discovering how many malicious PDF over 2k PDF total I was able to find. By using simple scripts I was able to automize the 'first level of analysis' including:
  • Downloading PDF from internal/external sources
  • Automatize Detection (I borrowed some code from pdfid.py by Didier)
  • Calculating simple statistics on analyzed Malware
A NodeJs downloader script grabs the entire files from Yoroi's internal repository as follows (you might use the same code to download from google or whatever you like).

A simple downloader script
Once the PDF has been locally saved, a python script starts its execution to analyze the PDF content. The following image shows a piece of code taken from Didier's tools (pdfid.py) that has been used to build the automatic first stage analyzer in oder to extract content.

Analyze PDF content from pdfid.py by  Didier Stevens
A post processing static analyzer runs to figure out the "stream content maliciousness". After several hours of computational analysis (ok, performances and timing were not an issues in my case since what I did was just for personal curiosity) I came out with the following results:

Total PDF analyzed: 1988
Total Size on Disk: 1.83GB

Figuring out the most affected PDF version was my next step. The following graph shows the distribution of malicious content (JS, Encrypted and Embedded File) found in 1988 PDFs.

Malicious Content Over PDF Version

If we assume the analyzed set of data as "significant set of data" we might assert that PDF1.1 and PDF1.7 are the most safe PDF versions regarding malicious JS, EncryptedContent and Embedded Executalbes. Less than ten (10) malicious contents were found in both versions. Contrary PDF1.6 and PDF1.4 result as the most "affecteed" PDF versions. But malicious contents might hid after EOF and use the PDF as a passive carrier. The following graph shows the distribution of malicious content found after the End Of File.

Malicious Content after EOF

If we assume the analyzed set of data as "significant set of data" we might assert that PDF version 1.1 and PDF version 1.2 are the most safe versions against malicious content after the End Of File. Surprisingly PDF version 1.7 is not "so safe" anymore. Comparing the averall data I came out with the following pie chart in where we might appreciate the fact that PDF version 1.4 is the most affected of malicious contents. We might see PDF version 1.3, PDF version 1.5 and PDF version 1.6 following it.  

Overall Malicious Content By Type

Not much conclusions here: if you are working with these versions most (1.4,1.3,1.5), you'd better watch out since the probability to get a Malware PDF is higher than other PDF versions.

Just remember we are assuming the data I collected as significant data because comming from many different organizations within different businesses.

I do have an open question so far:
  1. Does it make sense for anti-malware engines ponderate the use of computational resources depending of what PDF version is currently processing? For example: if an anti-Malware is running analysis on PDF version 1.6 should it allocate more computational resource (RAM, CPU, IO, etc.) rather then if it is analysing PDF version 1.1 ?
 

Thursday, December 4, 2014

Operation Clever

I knew the presence of "Clever" Malware, actually with no real evidence, (at that time I didn't know "Clever" it was its future name) from a cyber friend of mine who worked with me on Malware evasion techniques. I knew Iranian hackers were getting better and better, but what I did not know was the high cyber security level they reached ! (NOTE: PrivEsc is a clear plagiarism of MS10-015 ! I do agree to Cylance).  Cylance did a great job in putting al the information and all the spread analysis together discovering this incredible targeted cyber attack originated from Iran. Are you wondering when and where did we hear about Iranian hackers ? No problem, let's take a look to a clear timeline from Cylance showing Iranian-centric attacks either as victims (on the left) and attackers (on the right)

From Cylance Report
If you are wondering how Cylance  knows about the attacks' origin ... well, the answer is straight into the code. If you reverse Clever Malware (BTW, you want to download it from  here) you'll see : Persian names, most ips and DNA written into the code belong to Iranians, ASN belonging to Iranian companies, the entire infrastructure is hosted in Netafraz.com an Iranian provider, and so on.

The initial compromise techniques according to Cylance where simple and well known even if having them all together into an unique piece of Malware make this attack "spectacular"! Quoting the report:
  • "Initial compromise techniques include SQL injection, web attacks, and creative deceptionbasedattacks – all of which have been implemented in the past by Chinese and Russian hacking teams.  
  • Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows privilege escalations, and were coupled with automated, worm-like propagation mechanisms. 
  • Customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. "
One of the most difficult questions to be answered is "What the most attacked country" ? Well, it's going to be easy answering to such a question talking about numbers but considering opportunities and economy speaking... almost all the top countries (economy wise) in the world have been targeted.


Targeted Countries, taken from Cylance Report



Interesting the way the attackers want to make sure the victims are not coming from IRAN. The following image show how the shell client controls the IP location. The code handles the XML response from freegeoip.net, and displays the information as different colors based on different attributes. For instance, if the string “ERROR” is in the response, the text is displayed with the color magenta. If the string IRAN is in the response, the text is displayed with the color red. It should be noted that no other country name contains the substring IRAN. 

Piece of Shell Creator from Cylance Report

The entire system has been detected to use at least two different proxies: CCProxy (a China and MiddleEast based company) and Squid (OpenSource, world wide).  Interesting the way the attackers made use of CCProxy sources [... thinking about it ...] From the proxy configurations Cylance folks figured out IPS, Usernames and Passwords of Command -and- Controls belonging. They did find that domains, usernames and password were attributable to Tarh Andishan. Quoting Cylance Report:

"Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The operators of the blog IranRedLine.org, which comments on Iran’s nuclear weapons efforts, has mentioned in multiple posts having been the target of debilitating brute-force authentication attacks from IP addresses registered to the same Tarh Andishan team found in Cleaver. In one of IranRedLine.org’s blog posts8, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research; however, the phone number listed under the registrant contact information has yet to be completely validated."
The Clever Malware owns many ways to be delivered from spread phising to watering leak. Once the Malware is dropped into the victims PC, it grabs local and network credentials (by using standard techniques) and use them to spread itself through PsExec, SMB shares, DLL injections etc, making it wormable. Clever Malware grabs user infos and sends them to external sources through FTP servers, SMTP Servers, SOAP based servers and if needed ssh controllers. Clever Malware uses a common version of TinyZBot (ut to 2013) to communicate back to ComandAndContols.

It is a pretty nice piece of Malware which, in my personal point of view, shows how easy could be  making a world wide targeted attack having good development skills and wise "underground knowledge". "Undergraund Knowledge" is useful to re-use piece of malware, shellcode generators, encryptors, proxies, spreading techniques, infection vectors, multiple stage infections, etc... in order to avoid new developments or new infection processes; development  skills are useful to fit all the re-used software together and to make it working.