Monthly Archives: October 2015

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits



CVE-2015-7645 was fixed in Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, the vulnerability had already been reported to Adobe two weeks earlier (2015-09-29) by Natalie Silvanovich.


It has now made its way into exploit kits.

Angler EK:
2015-10-29
CVE id confirmed by Anton Ivanov (Kaspersky)

Angler EK successfully exploiting Flash 19.0.0.207
2015-10-29
Flash sample in that pass: 4af57fb1c71bb9c1599371d48240ff36
Another sample: bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance: 0d72221d41eff55dcfd0da50cd1c545e


Fiddler capture (not replayable) sent to VT

Out of topic samples loaded by Bedep:
5a60925ea3cc52c264b837e6f2ee915e Necurs
a9d5a9a997954f5421c94ac89d2656cd Vawtrak (that one was not expected in that infection path)

2016-03-12
Edge is now being served a landing, and the Flash file being sent targets this CVE, according to Kaspersky and ESET.

Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge
Fiddler: AnglerEK_Edge_18.0.0.209_2016-03-11.zip

Nuclear Pack:
2015-10-30
Nuclear Pack, which has been playing with its landing URI pattern lately, has integrated it.
CVE-2015-7645 in Nuclear Pack on 2015-10-30
Sample in that pass: f5dd2623ae871d58483bf14ec5d635e4

Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)
Fiddler sent to VT

Magnitude:
2015-11-10
Magnitude trying to exploit CVE-2015-7645
2015-11-10
Spotted sample: 21993dd3b943d935a9296aeff831cbb9 (CVE id confirmed by Timo Hirvonen)
No payload, but the actor behind that thread would like to see you Cryptowalled. An update might come.

Spartan:
2015-11-12
Unsurprisingly, as Spartan is the work of the Nuclear Pack coder.
Note: old versions of Chrome (<= 43.0.257) and Firefox (< 38) seem to be falling as well.

Spartan pushing Pony and Alphacrypt via CVE-2015-7645
2015-11-12

Sample in that pass: 1c074c862d3e25ec9674e6bd62965ad8 (another one: 66f34cd7ef06a78df552d18c729ae53c)
(Out of topic payload: Pony 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6. NB: earlier today the drops were Pony and Alphacrypt.)
Fiddler sent to VT

Neutrino:
Most probably appeared on 2015-10-16
Necurs being dropped by Neutrino via CVE-2015-7645
2015-11-17
Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff
(Out of topic payload: Necurs a83a96e87e80adef1e4598a645f2918c)
Fiddler sent to VT (you might want to read the detailed analysis by Trustwave)

Read More :
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro

Post Publication Reading :
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

“And the winner is… Compliance!”

Disclaimer: My comments below are based upon quotes from both Twitter and The Times of London on the UK’s TalkTalk breach; as a result the subsequent investigation and analysis may find that some of the assertions are in fact incorrect. I will post clarifying statements should this happen to be the case. I am not … Read More

A DoubleClick https open redirect used in some malvertising chain



In the post on the UK-focused Shifu, I illustrated malvertising traffic to Angler.

The traffer group behind this activity is the same one exposed by BelchSpeak from Invincea in many tweets (which explains the addition of code to spot the Invincea sandbox), by FoxIT in June, by Malwarebytes in September, and by TrendMicro two weeks ago.

As it's easier to have a name to share and talk about this stuff, I'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention).

Earlier this year they were using https bit.ly,

[Image: 2015-07-11 - bit.ly as https url shortener]

tiny url,

[Image: 2015-07-11 - tiny url as https url shortener]

or the goo.gl url shortener,

[Image: 2015-06-12 - goo.gl as https url shortener]

and switched to their own https redirector behind Cloudflare around the middle of September (naotsandhap.eu, then, two weeks ago, mediacpm.com and wrontoldretter.eu).

[Image: two passes here, same source (Dailymotion), same country (Australia), same traffer for the same customer (how/why? same payload: Reactorbot, srvdexpress3 .com), different legit part of the chain - 2015-09-29]

https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).
Once the redirector has been discovered, one way to signature it is to flag the SSL certificate being used.
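The two points above, seen from the defender's side, as an added example that is not code from the original post: given a web-proxy log, an open-redirect hop shows up as a request whose query string carries an absolute URL for a different host, and an https redirector bouncing the visitor to an http landing shows up as a break in the Referer chain. The log format, hosts, addresses and timestamps are constructed placeholders, not traffic from the campaign described.

```python
"""Reconstructing a malvertising redirect chain from a web-proxy log.

Added example (not code from the original post). It shows two defensive checks:
  * an open-redirect hop: a request whose query string carries an absolute URL
    for a host other than the one being requested;
  * a Referer gap: browsers drop the Referer when an https page sends them to
    an http URL, so the landing reached through an https redirector arrives
    with no Referer and the chain cannot be walked back any further.
All hosts, addresses and timestamps below are constructed placeholders.
"""
from urllib.parse import parse_qsl, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample proxy log: time, client, method, url, status, referer ('-' = none)
SAMPLE_LOG = """\
2015-10-15T10:00:01Z 10.0.0.5 GET https://publisher.example/article 200 -
2015-10-15T10:00:02Z 10.0.0.5 GET https://ads.example/serve?id=123 200 https://publisher.example/article
2015-10-15T10:00:03Z 10.0.0.5 GET https://ads.example/redir?url=https://redirector.example/go 302 https://ads.example/serve?id=123
2015-10-15T10:00:04Z 10.0.0.5 GET https://redirector.example/go 302 https://ads.example/serve?id=123
2015-10-15T10:00:05Z 10.0.0.5 GET http://landing.example/forum/viewtopic.php 200 -
"""


def parse_log(text):
    """Parse the space-separated constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer = line.split(" ", 5)
        events.append({"ts": ts, "client": client, "method": method, "url": url,
                       "status": int(status),
                       "referer": None if referer == "-" else referer})
    return events


def embedded_foreign_urls(url):
    """Absolute URLs in the query string that point at a host other than the request's own."""
    parts = urlsplit(url)
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        target = urlsplit(value)
        if (target.scheme in ("http", "https") and target.hostname
                and target.hostname != parts.hostname):
            found.append(value)
    return found


def walk_referers(events, url):
    """Follow Referer headers backwards from `url`; the walk stops where the chain is broken."""
    by_url = {ev["url"]: ev for ev in events}
    chain = [url]
    while chain[-1] in by_url and by_url[chain[-1]]["referer"]:
        chain.append(by_url[chain[-1]]["referer"])
    return chain


def analyse(events):
    """Return (kind, from_url, to_url) alerts for open-redirect hops and Referer gaps."""
    alerts = []
    prev = None
    for ev in events:
        for target in embedded_foreign_urls(ev["url"]):
            alerts.append(("open-redirect", ev["url"], target))
        # https redirect immediately followed by a referer-less http request from
        # the same client: the point where the Referer chain was killed.
        if (prev is not None and prev["client"] == ev["client"]
                and prev["status"] in REDIRECT_CODES
                and urlsplit(prev["url"]).scheme == "https"
                and urlsplit(ev["url"]).scheme == "http"
                and ev["referer"] is None):
            alerts.append(("referer-gap", prev["url"], ev["url"]))
        prev = ev
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in analyse(evs):
        print(alert)
    print("chain from landing:", walk_referers(evs, evs[-1]["url"]))
    print("chain from ad redirect:", walk_referers(evs, evs[2]["url"]))
```

Walking the chain back from the landing stops immediately (no Referer), while walking it back from the ad network's redirect URL reaches the publisher page; the gap between the two is exactly what the https hop buys the traffer, and it is the place where a certificate-based signature, as suggested above, gives the analyst a foothold.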

These days they are using a DoubleClick https open redirect.

VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK
GB - 2015-10-15

Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .com

Doubleclick has been informed about the issue.

Post Publication Readings :
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - Proofpoint
Let’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

POLL: Do you use two-factor authentication?

October is National Cyber Security Awareness Month in the US, and European Cyber Security Month in Europe. Basically, institutions in these two regions have decided that it’s time for people to get serious about cybersecurity. And they’re right to do it – according to F-Secure’s Business Security Insider blog, there were 81 cyberattacks every minute in 2014.

So hacking is a serious business for these attackers. And one security measure that experts would like to see used more widely is two-factor authentication.

 

Two-factor (or multi-factor) authentication refers to using more than one piece of information to safeguard access to accounts. Many popular services, such as Facebook and Twitter, offer it to users. However, very few services require it. It’s really more of an option for people interested in having a little bit of extra security for their accounts. A recent survey from Google points out that 89 percent of security experts use two-factor authentication for at least one of their online accounts.

But it’s less popular amongst non-experts. Only 62 percent of non-expert respondents to Google’s survey used two-factor authentication. Other studies indicate that two-factor authentication may be even less popular, with one recent consumer survey finding that 56 percent of respondents were unfamiliar with two-factor authentication.

Although two-factor authentication has been around for ages, it is only now starting to be offered by many online services. Passwords are currently the standard in account security, and adding two-factor authentication puts an extra layer on top of them: anyone who gets hold of your password will only have “half a key” to your account.

So why don’t more people use it? After all, nearly 80 percent of people are open to alternatives to traditional passwords. One reason might be that it’s too difficult or inconvenient. But the widespread use of mobile devices is making this much easier. Email and SMS messages seem to be the easiest and the most popular, with one study finding almost 90 percent of participants using two-factor authentication did so by receiving a code through SMS or email, which they could then enter into a website to confirm their identity.

Another reason could be availability. It’s up to companies and organizations providing online accounts to offer two-factor authentication to customers. This website provides a pretty good list of different online services offering two-factor authentication, so it’s a pretty handy resource. You can also use the site to send tweets to companies not offering two-factor authentication (so don’t hesitate to send a message if you want someone providing you with a service to improve their account security features).

If you crunch the numbers provided by the site, you can get an idea about how common two-factor authentication is for different kinds of services:

  • Cryptocurrencies: 96%
  • Identity Management: 93%
  • Cloud Computing: 77%
  • Gaming: 69%
  • Hosting/VPS: 69%
  • Email: 65%
  • Domains: 65%
  • Developers: 63%
  • Communication: 62%
  • Backup and Sync Services: 60%
  • Investing: 38%
  • Banking and Financial Services: 35%
  • Health: 30%
  • Finance: 28%
  • Education: 25%
  • Entertainment: 7%

So two-factor authentication is definitely more prominent in some industries than others. F-Secure Security Advisor Sean Sullivan says that it’s definitely worth choosing services offering two-factor authentication, especially for important accounts that you use daily, or contain really sensitive information.

“You should figure out what accounts are critical and focus on securing those by using strong, unique passwords and two-factor authentication,” he says. “Lots of companies will offer a monthly or periodic two-factor authentication check, which requires you to enter a code you receive via SMS into a pre-defined phone or computer. It’s really worth having a primary email account with one of these services, as you can centralize information there instead of spreading it around, which makes it easier to stay in control of your accounts.”

Next time you’re thinking about setting up an online account somewhere, you may want to circle back to whether or not they offer two-factor authentication. With the number of devices expected to explode as the Internet of Things becomes more and more popular, it only makes sense to consider whether your information is as secure as you’d like.

[ Image by momentcaptured1 | Flickr ]

The ‘Safe Harbor’ ruling divides the ‘old world’ and ‘new world’

This week’s ruling by the European Court of Justice striking down the 2000 “Safe Harbor” agreement between the European Union and the United States was celebrated as vindication by privacy activists, who saw the decision as a first major international consequence of the Snowden revelations detailing the extraordinary extent of mass surveillance being conducted by the U.S. and its allies.

“The safe harbor agreement allowed U.S. companies to self-certify they abided by EU-strength data protection standards,” Politico’s David Meyer reported. “This gave them a relatively simple mechanism to start legally handling Europeans’ personal data.”

That simple mechanism did not abide by the Commission’s own privacy standards, the Court decided.

“The court, by declaring invalid the safe harbor which currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law,” the EFF’s Danny O’Brien wrote.

A new Safe Harbor agreement is currently being negotiated and the Court’s ruling seems designed to speed that up. But for now many companies — especially smaller companies — and users are in a sort of legal limbo.

And that legal limbo may not be great news for your privacy, according to F-Secure Security Advisor Sean Sullivan, as it creates legal uncertainty that could easily be exploited by government spy agencies and law enforcement.

“Uncertainty is their bread and butter,” he told me.

To Sean, this ruling and the urge to break the old agreement without a new one yet in place represent an “old world” view of the Internet where geography was key.

The U.S. government has suggested that it doesn’t need to respect borders when it comes to companies like Microsoft, Facebook and Google, which are headquartered in the U.S. but do business around the world. Last month, the Department of Justice said it could demand Microsoft turn over Hotmail data of any user, regardless where s/he lives.

“The cloud doesn’t have any borders,” Sean said. “Where stuff is located geographically is kind of quaint.”

You can test this out by using an app like Citizen Ex that tests your “Algorithmic Citizenship.” Sean, an American who lives in Finland, is identified as an American online — as much of the world would be.

What Europe gave up in privacy with Safe Harbor was, to some, made up for in creating a cohesive marketplace that made it easier for businesses to prosper.

Facebook and Google warned that the U.S.’s aggressive surveillance risked “breaking the Internet.” This ruling could be the first crack in that break.

Avoiding a larger crackup requires a “new world” view of the Internet that respects privacy regardless of geography, according to Sean. He’s hopeful that reform comes quickly and democratically in a way that doesn’t require courts to force politicians’ hands.

The U.S. showed some willingness to reform its surveillance state when it passed the USA FREEDOM Act — the first new limitations on intelligence gathering since 9/11. But more needs to be done, says the EFF. The digital rights organization is calling for “reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333.”

Without these reforms, it’s possible that any new agreement that’s reached between the U.S. and Europe might not reach the standards now reaffirmed by the European Court of Justice.

QOTD – Cyber Guardians

Cybersecurity professionals are the new guardians of big changes in the organization. Such professionals must practice business resiliency and adaptability, because they are now so integrated with digital business decisions that leaders cannot tell where business ends and cybersecurity begins. 
The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do — to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organization.
-- Christian Byrnes, Managing Vice President at Gartner

Src: Gartner Says Cybersecurity Professionals Are the New Guardians of Digital Change - Yahoo Finance

Recruiter and SEO response templates

I’m normally sympathetic to technology recruiters, but some are just hopeless. These, I have no sympathy for. And the SEO spammers, no sympathy for any of them. Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.

For the recruiters:

[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed.  As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.

I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers.  That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time.  Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.

The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:

I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm.  We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.

In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course.  If not, please remove this, and every other Security BSides affiliated email from your lists.

Yes, I can be a bit of an ass, but it is occasionally justified.

Jack