Downclimb: Summit Route’s Weekly Cyber News Recap
2015.06.07 – 2015.06.14: https://SummitRoute.com

Quotes

“A cyberattack’s effect on reputation (rather than more direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data is at risk.” RAND corporation

 

“Or maybe it was just a case of prey drive, or ego-tripping – the urge of the hunter to hang the head of a big lion on a wall.” Eugene Kaspersky on the motivation of Duqu 2 to attack Kaspersky

 

“If there’s a country that for some reason has an interest in the details of our products, there’s a much easier and obviously much cheaper way of getting them. We license much of our technology – that’s our business, and we’re happy to get new partners!” Eugene Kaspersky, again on Duqu 2

 

“Because you don’t know if your organization is compromised or not, it exists in both states. By looking, you will have infected it. #APT” Kiran Bandla

 

“Why do we always have to assume the worst? Maybe the Chinese just want to send birthday cards to all our federal workers.” Tim Siedell

Top stories

Duqu 2

Kaspersky found a new version of the Duqu malware on their own network. Kaspersky released a report, and CrySyS (original founders of Stuxnet and the first Duqu) published their findings related to the similarities between Duqu and Duqu 2.

Some interesting points:

• It has no persistence mechanism! Runs almost entirely in memory and touches disk only to get some initial executions.
• Uses scheduled tasks to get that execution.
• To bypass white-listing the malware exists as a .msi and is thus started by the Windows application msiexec.
• To avoid detection by next-generation malware detection platforms and analysts a decryption key is passed to the malware when it starts.
• Multiple encryption and compression algorithms have been seen used by this malware along with name changes, this indicates that the attackers built into their framework the ability to constantly change their TTPs and make signatures of all types difficult to create.
• Runs in memory and hops to new processes, and patches them using SSE2 CPU extension instructions (possibly to avoid emulation analysis frameworks?).
• In order to identify processes, instead of looking for them directly, it looks at all of them, hashes them, and identifies the processes of interest based on if the hashes of the name match what it is looking for.
• Uses Kaspersky’s own applications that are installed on the system order to hide and protect the malware.
• It uses an interesting technique to communicate with it’s driver. For userland code to communicate with a driver, it needs to know the name of a file or object controlled by the driver. Since both the user code and kernel code need to know the name of the same thing, this often get’s hard-coded as a value, which means security products can look for this named object. Duqu 2 randomly generates this object name in such a way that it will change every time the system boots, but both the user and driver code can each generate the same value each time.
• Used a 0-day (patched already in the June 9th Patch Tuesday) to escalate to kernel privileges
• Hooks system API functions PsGetCurrentProcessId, PsLookupProcessByProcessId and Kaspersky specific KlGetStringRef. You don’t see a lot of rootkit functionality like this anymore in APT malware because it tends to attract more attention instead of hiding something.
• For some of it’s code injection (process hollowing) into trusted processes, it starts processes in a suspended state and disables DEP to simplify code injection.
• Various modules including:
  • Collecting PuTTY hosts and session data, VNC client passwords, login data from Chrome and Firefox, and many others.
  • MySQL server discovery on the network.
  • Enumerates DHCP servers on a network.
• Like the original Duqu, it logs almost all of it’s own activities to an encrypted log so it can keep track of any bugs or failures of itself.
• Includes various strings and TTPs to misattribute it to other threat actors, which stood out because no other “mistakes” were made by the authors (all PE timestamps were changed, debug paths removed, etc.)
• Targeted and successfully compromised (at least for a while) a security company.
• Both Duqu2 and Equation Group were spying on the same target, indicating perhaps that these are competing groups (although many other assumptions are plausible).

Write-ups:

• Kaspersky write-up: https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
• Crysys write-up: http://blog.crysys.hu/2015/06/duqu-2-0/

Blind Return Oriented Programming

Post (and accompanying PDF) from Zsolt Imre of NCC group on the state-of-the-art BROP applied to Nginx and MySQL, which was originally shown in a paper titled “Hacking Blind”, but replicating the work proved difficult, so this post shows how to overcome those challenges.

• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/blind-return-oriented-programming/

Escaping VMware Workstation through COM1

Detailed write-up on a Guest to Host escape by Kostya Kortchinsky using the printer virtualization layer.

• https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/

Windows 10 to offer application developers new malware defenses

Microsoft provides a Antimalware Scan Interface (AMSI) to better detect maliciousness, especially in powershell scripts and other dynamic languages. This post shows how it works and why it’s needed.

• http://blogs.technet.com/b/mmpc/archive/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses.aspx

Triton under the hood

Explanation of how Triton (released last week) works.

• http://blog.quarkslab.com/triton-under-the-hood.html

Poisonous MD5 – Wolves Among the Sheep

FireEye MAS uses MD5’s to keep track of which files it has scanned before so it won’t rescan the same files. MD5 hash collisions can be created today. This post shows how to “poison” FireEye’s product by first passing in a “sheep” (good file) and then a “wolf” (malicious file) which each have the same MD5 so that the “wolf” will not be scanned, and thus not detected.

• http://blog.silentsignal.eu/2015/06/10/poisonous-md5-wolves-among-the-sheep

Hostile Subdomain Takeover using Heroku/Github/Desk + more

This is an interesting attack that shows how various SaaS offerings can be abused if you forget to update your DNS settings after you stop using a SaaS offering.

• http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using

Iterative Defense

In case you missed it, there have been a lot more blog postings on Summit Route this week beyond just Downclimb. These are:

• The Coventry Conundrum of Threat Intelligence
• Iterative Defense and The Intruder’s Dilemma
• Iterative Defense Architecture

Newspaper News

• Hack of government employee records discovered by product demo: In what is probably one of the greatest marketing events for an infosec company, it has been revealed that the OPM breach was actually detected during a sales demonstration of an infosec product, a product called CyFIR for network forensics from CyTech Services.

Business

• Rapid7 files S-1: Rapid7 is the company behind Nexpose and Metasploit. They will be publicly traded under the symbol RPD.
• Menlo Security emerges from stealth and secures $25M Series B: Menlo Security renders the web in the cloud and then provides users with a view of what was rendered, sort of like how Chrome’s rendering processes work, except imagine the render process is on a separate machine. They raised $25M in order to fund a marketing campaign to get the word out about their product, bringing their total funding to date to $35M.
• White House tells agencies to tighten up cyber defenses ‘immediately’: The White House has directed all federal agencies to fix their known vulnerabilities and improve their security in the next 30 days, in what some believe will be a feeding frenzy for security vendors. Unfortunately, there seems to be no punishment if they fail to improve their security, and no budget to assist them in doing so. Or to put it another way, nothing will improve.

Conference materials and publications

• NorthSec: Videos are up from this conference in Montreal, Canada two weeks ago.
• AppSecEU 2015: Videos are up from this conference in Amsterdam from two weeks ago.
• Circle City Con: Videos are up from this conference in Indianapolis, Indiana this week.
• Exploring Control Flow Guard in Windows 10
• ROPecker: A Generic and Practical Approach For Defending Against ROP Attack: This expands on the work of the 1st place BlueHat (Microsoft security) prize winner from 2012, KBouncer, by leveraging the Last Branch Recording (LBR) feature of Intel processors.
• Security and Your Apps: Apple iOS 9.0 brings with it some important security requirements for apps:
  • By default, apps cannot make HTTP requests and the TLS connections they are allowed to make must comply with best practice: TLSv1.2 with forward secrecy, no known-insecure cryptographic primitives (RC4 encryption, SHA-1 certificate signatures), and key size requirements (2048 bits for RSA, 256 bits for EC.
  • Apps must work with IPv6.
• DevOops & How I Hacked You](https://gist.github.com/carnal0wnage/6f9debf11abcc9a5bf0a): Presentation from Devops Days this week in DC by Ken Johnson and Chris Gates.

Tools

• Intel Kernel-Guard Technology (IKGT): Intel Kernel-Guard Technology (IKGT) is a policy specification and enforcement framework for ensuring runtime integrity of kernel and platform assets from Intel. It can be used to achieve immutability and runtime integrity of critical resources such as kernel code pages, kernel pagetable mappings, kernel interrupt descriptor table (IDT), control registers (CRs), and more. Tutorial on running IKGT with CoreOS is here.
• Claimsman: Claimsman logs all file handle creation on Windows systems. The goal is to be able to see who has accessed a certain file, or within a time frame did anyone access a certain file? This could be useful for identifying what attackers accessed on a system.
• Moving Fast with Software Verification: Paper (and code) from Facebook on using formal verification in a static analysis tool as part of their software development cycle on production code. Interestingly, it can focus on the incremental changes of a developer’s check-in, instead of the whole application.

“Shape analysis, separation logic, compositional analysis… Facebook hit formal verification bingo, and it scales” Dan Guido

• Amazon adds VPC Flow Logs: Amazon Virtual Private Cloud (VPC) is Amazon’s technology to allow you to create a logically isolated virtual network in the AWS cloud. This new offering allows you to see source and destination IP addresses, ports, and some other basic info. Surprisingly important information you could not previously see.

Other reads

• Research report on using JIT to trigger RowHammer: Detailed write-up on a very strong (but not successful) attempt at exploiting RowHammer via JIT.
• ObRegisterCallbacks and countermeasures: Reversing of the Windows kernel callback functions and how to use them directly with DKOM.
• The Elastic Botnet Report: Detailed report on a botnet that infects ElasticSearch instances. Do not expose your ElasticSearch instances to the Internet. They have no security on them.
• We used sock puppets in /r/netsec last year (and are sorry we did): Research was carried out on social media and mailing lists in order to test influencing online channels by creating fake accounts. This includes manipulating /r/netsec on reddit. This is yet another reason to read Downclimb, because I don’t do this, and I filter through the garbage and propaganda for you. :)
• Reverse Engineering Windbg Commands for Profit: Shows how to identify and reverse some undocumented features on Windows by looking at how windbg does some things.
• How Plex is doing HTTPS for all its users: An explanation of an existing wide scale automated TLS certificate deployment.
• The Defender’s Dilemma: Charting a course toward cybersecurity: Massive (162 page) report from the RAND corporation. It’s based on the responses from 18 CISO’s. As it is huge, there are two summaries. One is an unbiased summary, and the other (from Krypt3ia) is a more negative review. My biggest take-away was the quote at the start of this Downclimb post, that CISO’s care more about the affect to the reputation of the company than they do about the impact on the data. What I conclude is sadly that CISO’s would likely be more interesting in a Public Relations offering to help in the event of a compromise than they would in something that helps protect their data better.