Downclimb: Summit Route's Weekly Infosec News Recap
2015.02.13 – 2015.02.22: https://SummitRoute.com
"20 years ago today I was captured by the U.S. Government for a little hacking in the 1990's. Now they pay me to do the same! #WINNING" Kevin Mitnick
"Threat Intel is the new AV. With the same success rates." Josh Pitts
"Anyone else see the irony in a firm that failed to protect banks from #Carbanak intrusions then claiming credit for discovering its damage?" Anup Ghosh
"Stay in school and study English, kids. There is money to be made as a spearphish copy editor." Jerry Bell
Kaspersky SAS conference
Kaspersky holds an annual conference (the Security Analyst Summit). This year it was held in Cancun, Mexico, and Kaspersky made three big announcements about malware threats it has discovered that have been in existence for a long time. Anup Ghosh, CEO of Invincea, makes the important point that the security industry now runs two types of marketing campaign:
- Type I campaigns claim the ability to detect threats with post facto knowledge (something that has been easily possible since the 90s). These announcements are released after someone else has detected a threat.
- Type II campaigns describe threats the vendor has discovered but failed to detect or stop until recently.
Kaspersky's first announcement was a newly disclosed, highly advanced actor it calls the Equation Group, whose activity it traces back to 1996.
Carbanak: Bank hackers stole $300M-$1B
Kaspersky broke the story that a group has been hacking banks around the world since 2013 and has stolen at least $300M, possibly $1B. Kaspersky is referring to this group as Carbanak, but it is the same group that Fox-IT and Group-IB discussed in December in their report on a group they referred to as Anunak.
- Initial story: http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=1
- Detailed report: https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
- Group-IB and Fox-IT report on the same group: http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf
Kaspersky's third announcement was described as the discovery of the first Arabic-speaking threat actor, but Snorre Fagerland first discussed this group's malware (Palebot) back in 2011.
- Kaspersky's story: https://threatpost.com/first-arabic-cyberespionage-operation-uncovered/111068
- Snorre's post from 2011: https://web.archive.org/web/20130308090454/http://blogs.norman.com/2011/malware-detection-team/palebot-trojan-harvests-palestinian-online-credentials
Lenovo SuperFish
Lenovo consumer laptops have been discovered to ship with adware called SuperFish. To inject content into HTTPS pages it installs its own root certificate into the Windows trust store and intercepts SSL/TLS connections locally. The same private key was shipped on every machine and has been extracted, so anyone on the network path can forge a certificate for any site and an affected Lenovo computer will accept it: MiTM attacks against these computers can read and modify even SSL traffic. This is bad, and Forbes, the WSJ, and other major publications have reported it as a major loss of trust in the company. However, Lenovo's stock price remains unchanged, suggesting the business community either doesn't care right now or doesn't understand the implications. Microsoft has added detection for SuperFish to Windows Defender, which removes the software and its certificate, so on machines running Defender the issue is largely resolved.
We can expect greater scrutiny in the future of the third-party software added to computers. This has already started, with people hunting for software similar to SuperFish by looking for anything else built on the Komodia library, which is responsible for the root certificate behaviour. A list of that software, along with the private keys for its root certificates, is linked below.
Facebook released information about other vendors they have seen MiTM'ing their traffic, similar to what SuperFish was doing.
Although Lenovo should not have included this software to begin with, their response has been laudable. One impressive action they took was to open-source their removal tool.
- SuperFish issue: http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-history-of-malware-and-surveillance/
- Other software and their private keys: https://gist.github.com/Wack0/17c56b77a90073be81d3
- Other software Facebook believes does MiTM: https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339
- Lenovo's open-source removal tool: https://github.com/lenovo-inc/superfishremoval
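The check a practitioner will want on a possibly affected machine is whether an interception root is sitting in the Windows trust store. The following is an added example, not Lenovo's removal tool or code from any of the reports linked above. It pulls the subject commonName out of a DER-encoded X.509 certificate with a minimal ASN.1 walker and flags roots whose name matches the SuperFish or Komodia CAs. Assumptions: the name list is local policy (only "Superfish, Inc." is taken from the public reporting; extend it from the Komodia list linked above), fake_cert builds an unsigned stand-in certificate so the scan can run offline on constructed data, and on Windows ssl.enum_certificates("ROOT") supplies the real store.

```python
"""Scan DER certificates (e.g. the Windows ROOT store) for interception CAs.

Added example. The parser understands just enough DER to reach the subject
commonName of an X.509 certificate; it does not validate signatures.
"""
import ssl

# Local policy: substrings of subject CNs worth flagging. Only the
# "Superfish, Inc." root is taken from public reporting; the rest is an
# assumption to be extended from the Komodia software list.
SUSPECT_NAMES = ("Superfish", "Komodia")

CN_OID = b"\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def subject_cn(cert_der):
    """Return the subject commonName of a DER X.509 certificate, or None."""
    _, cert, _ = _tlv(cert_der, 0)                 # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    # tbsCertificate: [0] version (optional), serial, sigAlg, issuer,
    # validity, subject, ... so the subject is 4 fields after the serial.
    idx = 1 if fields[0][0] == 0xA0 else 0
    subject = fields[idx + 4][1]
    for _, rdn in _children(subject):              # each RDN is a SET
        for _, atv in _children(rdn):              # AttributeTypeAndValue SEQ
            oid, value = list(_children(atv))[:2]
            if oid[1] == CN_OID:
                return value[1].decode("utf-8", "replace")
    return None


def find_suspect_roots(certs):
    """Return the subject CNs of certificates matching SUSPECT_NAMES."""
    hits = []
    for der in certs:
        cn = subject_cn(der)
        if cn and any(name.lower() in cn.lower() for name in SUSPECT_NAMES):
            hits.append(cn)
    return hits


def scan_windows_root_store():
    """Run the scan over the live LocalMachine ROOT store (Windows only)."""
    if not hasattr(ssl, "enum_certificates"):
        raise OSError("ssl.enum_certificates is only available on Windows")
    ders = [c for c, enc, _ in ssl.enum_certificates("ROOT") if enc == "x509_asn"]
    return find_suspect_roots(ders)


# --- constructed test data: a minimal DER encoder and an unsigned stand-in cert
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))             # Name ::= SEQ OF SET OF ATV


def fake_cert(cn):
    """Constructed, unsigned certificate shell with the given subject CN."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +    # [0] version v3
               _der(0x02, b"\x01") +                # serialNumber
               _der(0x30, b"") +                    # signature algorithm (empty stub)
               _name("Example Issuer CA") +         # issuer
               _der(0x30, b"") +                    # validity (empty stub)
               _name(cn))                           # subject
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    sample = [fake_cert("Example Global Root CA"), fake_cert("Superfish, Inc.")]
    print(find_suspect_roots(sample))   # ['Superfish, Inc.']
```

Two caveats belong with this check. Name matching only catches roots that keep the vendor's CN, so a stronger version compares every root's thumbprint against an allowlist (the Microsoft CTL plus your own enterprise CAs) and reports anything else. And deleting the certificate does not uninstall the Komodia proxy that did the interception, which is why Lenovo's tool removes both.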
Race condition exploits
The bitcoin trading platform exco.in is shutting down after a user exploited a race condition that let them withdraw all funds from the service. As web services scale they run into race conditions, because many concurrent requests read and write the same resources, and a balance check followed by a separate write leaves a window in which several requests can all pass the check. By loading the service (for example with a DDoS) an attacker widens that window and triggers the race more reliably. Auditing for race conditions is much harder than for most other vulnerability classes, and there are fewer tools that can detect them or attempt to trigger them.
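The pattern behind this class of bug, as an added example that is not exco.in's code (the service, the amounts and the delay are assumed): a withdrawal handler that reads the balance, checks it and then writes, against the same handler with the check and write serialized. The sleep stands in for the latency between check and write, which is the window an attacker widens by loading the service before firing concurrent requests, and fire_concurrent is how an auditor would try to evoke a suspected race.

```python
"""Check-then-act race in a withdrawal handler, and the serialized fix.

Added example; the wallet, amounts and delay are constructed.
"""
import threading
import time

WINDOW = 0.05  # seconds between check and write (constructed delay, not measured)


class Wallet:
    """Toy account store; a real service keeps the balance in a database."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount):
        # Vulnerable: read, check and write are three separate steps. Every
        # request that reads the balance before the first write lands passes
        # the check, so N concurrent requests withdraw N times.
        current = self.balance
        if current < amount:
            return False
        time.sleep(WINDOW)
        self.balance = current - amount
        return True

    def withdraw_safe(self, amount):
        # Fixed: check and write happen under one lock, so the second request
        # sees the balance the first one left behind and is refused.
        with self._lock:
            if self.balance < amount:
                return False
            time.sleep(WINDOW)
            self.balance -= amount
            return True


def fire_concurrent(wallet, method, amount, requests):
    """Launch `requests` identical withdrawals at once.

    Returns (number of successful withdrawals, final balance).
    """
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = method(wallet, amount)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), wallet.balance


def demo(safe, balance=100, amount=80, requests=5):
    """Run one scenario; returns (successful withdrawals, balance afterwards)."""
    wallet = Wallet(balance)
    method = Wallet.withdraw_safe if safe else Wallet.withdraw_racy
    return fire_concurrent(wallet, method, amount, requests)


if __name__ == "__main__":
    print("racy:", demo(safe=False))  # several withdrawals of 80 from a balance of 100
    print("safe:", demo(safe=True))   # (1, 20)
```

In a service that keeps balances in a database the in-process lock is not enough, since several workers handle requests; the equivalent fix is one atomic conditional statement such as UPDATE accounts SET balance = balance - 80 WHERE id = ? AND balance >= 80, treating an affected-row count of zero as a refusal, or a row lock / serializable transaction around the check and write.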
Megaupload Programmer Sentenced to a Year in Prison
After 3 years of harassment by the US DOJ, the Estonian programmer Andrus Nomm signed a plea agreement to spend a year in prison in the US for his involvement in helping develop the download site Megaupload. Megaupload was run by Kim Dotcom in New Zealand, who has had his own share of harassment from the authorities there, all stemming from complaints by the US entertainment industry (the MPAA and RIAA).
- State Department still has hackers on its network after 3 months: Despite the intrusion being discovered 3 months ago, the State Department is reportedly still seeing signs of the same hackers on its networks and has been unable to evict them.
- Check Point acquires Hyperwise: Hyperwise is a stealth-mode private company started in 2013 and is headquartered in Tel Aviv, Israel. Due to it being stealth, the only information about the company is the meaningless statement that they have a "CPU-level threat prevention engine". Check Point is also an Israel-based company.
- Synack raises $25M in Series B: Synack connects bug finders with companies. It vets the hackers, crowdsources the work to them, and pays them only when they find bugs, rather than the hourly rates most pen-testing firms charge. Additionally, the probing is continuous, as opposed to most pen-testing engagements, where a firm is hired for only a week or two per year.
Publications and Conference materials
- BSidesTO: BSides in Toronto from November
- Babar analysis: G DATA's analysis of malware suspected to be from a French intelligence agency
- American citizen is suing the Ethiopian government for installing spyware on his laptop
- Virtual machine introspection on modern hardware: Lecture at the CrySyS Lab.
- Glibc Adventures: The Forgotten Chunks: glibc exploitation
- Searching for Zeus: Bit9 blog post showing the trouble the security industry has with legitimate software that exhibits traits one would expect only in malware. This also raises the question of how you decide that software is legitimate at all when it could be misused, or may not actually be wanted by the user.