Downclimb

2014.10.31


Downclimb: Summit Route's Weekly Infosec News Recap
2014.10.24 – 2014.10.31: https://SummitRoute.com

Top stories

Anti-Russia News

FireEye released a long report on an assumed Russian threat group they are labeling as APT28[1]. The most interesting part of this report wasn't the report itself but rather the market's reaction, which caused FireEye's stock to shoot up 8.7% on the day of the release of the report. Much like Mandiant's APT1 report that was used for political reasons against China, the purpose of this report is to be used politically against Russia. Keep in mind that Mandiant is part of FireEye now, so they have experience with this technique.

The exact same threat was discussed last week by TrendMicro, who refer to it as "Pawn Storm". This threat has also gone by the names Sofacy and Sednit. FireEye simply slapped a new name on it and a greater anti-Russian sentiment. With the new "APT" prefix, this will be easier for politicians to discuss, as they are already comfortable discussing APT1.

We also found out this week that White House computers were hacked by Russians[2]. Previously with the anti-China sentiment of 2013, news that China had hacked White House computers was released a little over a month after the APT1 report[3].

Russian entities are hacking US computers (and have been and so have Chinese entities), and that is wrong, but it is important to distinguish what is new information that you can use to defend your networks, and what is simply rallying public opinion.

From a technical perspective, the only new detail in the APT28 report was that the threat uses email for exfil, which few networks are able to detect. Immunity announced this week that their Innuendo product for pen-testing takes advantage of that and can communicate through Outlook[4].

  1. APT28 report - http://www.fireeye.com/resources/pdfs/apt28.pdf
  2. White House staff hacked by Russians this week - http://www.washingtonpost.com/world/national-security/hackers-breach-some-white-house-computers/2014/10/28/2ddf2fa0-5ef7-11e4-91f7-5d89b5e8c251_story.html
  3. White House staff hacked by Chinese in 2013 - http://www.nytimes.com/2011/06/04/technology/04hack.html?_r=0
  4. Immunity's Innuendo leveraging Outlook - http://seclists.org/dailydave/2014/q4/25
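The report's one new technical detail is exfiltration over email, which most networks never look at. The script below is an added example, not code from the page or from FireEye, of the kind of baseline check a mail gateway log makes possible: it sums the bytes each internal sender pushes to external recipients per day and flags a day whose volume is far above that sender's median on other days. The log format, the `corp.example` internal domain and the sample lines are all constructed assumptions.

```python
"""Flag senders whose outbound external e-mail volume spikes well above their own baseline.
Added example; the log format and all sample lines are constructed, not real traffic."""
from collections import defaultdict
from statistics import median

# Assumption: the organisation's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"corp.example"}

# Constructed mail-gateway log: "<day> <sender> <recipient> <message size in bytes>".
SAMPLE_LOG = """\
2014-10-27 alice@corp.example bob@corp.example 18432
2014-10-27 alice@corp.example partner@vendor.example 22100
2014-10-27 carol@corp.example dave@corp.example 4096
2014-10-28 alice@corp.example partner@vendor.example 19500
2014-10-28 carol@corp.example mail@freemail.example 5000
2014-10-29 alice@corp.example partner@vendor.example 21000
2014-10-29 carol@corp.example mail@freemail.example 3100
2014-10-30 alice@corp.example partner@vendor.example 20400
2014-10-30 carol@corp.example drop@freemail.example 9800000
2014-10-30 carol@corp.example drop@freemail.example 9700000
"""


def parse_log(text):
    """Yield (day, sender, recipient, size_bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, sender, rcpt, size = line.split()
        yield day, sender, rcpt, int(size)


def is_external(addr):
    """True when the recipient's domain is not one of ours."""
    return addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def daily_external_bytes(records):
    """Sum bytes sent to external recipients, keyed by sender then by day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, sender, rcpt, size in records:
        if is_external(rcpt):
            totals[sender][day] += size
    return totals


def find_exfil_candidates(totals, factor=10, min_bytes=1_000_000):
    """Return (sender, day, volume, baseline) where a day's external volume is at least
    min_bytes and more than factor times the sender's median volume on other days.
    A sender with no other days has baseline 0, so any day over min_bytes is flagged."""
    hits = []
    for sender, days in totals.items():
        for day, volume in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if volume >= min_bytes and volume > factor * baseline:
                hits.append((sender, day, volume, baseline))
    return sorted(hits)


if __name__ == "__main__":
    for sender, day, volume, baseline in find_exfil_candidates(
        daily_external_bytes(parse_log(SAMPLE_LOG))
    ):
        print(f"{day} {sender}: {volume} bytes external (baseline {baseline})")
```

The absolute floor keeps a low-volume user's first email to a vendor from being flagged, and the per-sender median keeps a habitually heavy sender from masking a real spike; both thresholds are starting points to tune against your own gateway's history.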

Vulns in strings, wget, and tnftp

lcamtuf points out the dangers of running the "strings" command on a file, due to its use of the libbfd library to detect the executable format[1]. This follows on j00ru's discussion from last week of the vulnerabilities in many of the tools that researchers rely on. Vulns were also found recently in wget[2] and tnftp[3] (which ships with OS X).

  1. strings: http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html
  2. wget: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
  3. tnftp: http://seclists.org/oss-sec/2014/q4/459

Kaspersky hooking engine analysis

An analysis of Kaspersky's PURE 3.0 Total Security product using Volatility, along with some IDA Pro and WinDbg. The analysis identifies inline hooks, IAT and EAT hooks, SSDT hooks, filter drivers, and kernel callbacks. It doesn't go into what these hooks do, but it's a nice overview of how to find them.

How the JP Morgan breach was discovered

JP Morgan found out about its breach because someone discovered a cache of stolen user information that included data from a charity site associated with JP Morgan. The attackers used the same IP address for that breach as they did in the big JP Morgan breach. The take-away here is that even for small attacks, look for clues that might help you find the same attackers going after the more valuable data of your company.

Conference materials and publications

Tools

  • osquery: Facebook released an open-source tool to query information on OS X and Linux hosts using SQL. This is similar to WMI for Windows, but for Linux-based operating systems, and at a level of abstraction that allows you to make the same query across various distributions. Slides here.

Other reads