Downclimb: Summit Route’s Weekly Cyber News Recap
2015.07.05 – 2015.07.12: https://SummitRoute.com
Quotes
“So far all I’ve learned from @hackingteam leak is that all torrent clients are shit…” shuffle2
“‘Just lie about it’ seems to have been a pretty effective export control licensing strategy for #HackingTeam.” Paul McMillan
“Everybody that’s been breached or has security patches to release? Today is the day to bury infosec news!” the grugq on the day of the Hacking Team hack.
“Adobe has released a fix for the hackingteam 0day https://helpx.adobe.com/security/products/flash-player/apsa15-03.html don’t install the fix. uninstall the flash player, it’s better” hanno
Top stories
Hacking Team hacked
Hacking Team is an Italian company that provides complete offensive capability tooling (exploits, implants, etc.) and has previously been accused of providing such capabilities to repressive governments. This week 400GB of data from the company were posted to the Internet including email dumps and source code. This is a lot of data to comb through so new findings are being announced daily.
Key take-aways:
- In one situation, the callback servers used by Hacking Team’s malware went down. In order to regain access to them, Hacking Team worked with an Italian company to takeover the IP addresses associated with the callback servers, via BGP, so they could reconfigure the malware to use different servers[1].
- Hacking Team had a couple of 0-days, but not as extensive as some have feared of such organizations. One flash exploit was bought for $45K[2], which is less than the $105K this could have earned from the Pwn2Own competition. However, this 0-day did not include a sandbox escape (required for Pwn2Own) and did not include exclusivity, which means he could (and likely did) sell elsewhere. Exclusivity would cost 3x, so you can assume there must have been a few other buyers.
- They had an iOS implant, but it required physical access to a phone to install it because a couple of UI prompts need to be allowed[3]. It used no exploits, only an enterprise code signing cert in order to install the app without the app needing to be in the Apple App Store. This gives some evidence of the difficulty and cost of finding iOS exploits.
- They had legitimate code signing certificates for iOS enterprise apps (from Apple), and Windows software (from Symantec), made out directly to Hacking Team. This shows you shouldn’t depend on the fact that software is code signed to be any claim that it is not malicious. In addition though, Hacking Team did apparently acquire some certs by using stolen passports.
- Hacking Team exploits were quickly repurposed by other actors for their own activities[4]. It’s important to keep in mind that Hacking Team used similar techniques post-exploit, and that the new actors that incorporated Hacking Team exploits, used the same shellcode they had previously used, which means that if you have detections for the different stages that attackers use in their attacks, you can still easily detect them when they swap out different components. This is the key understanding for Iterative Defense.
- BGP usage: http://www.bgpmon.net/how-hacking-team-helped-italian-special-operations-group-with-bgp-routing-hijack/
- Flash exploit sold for $45K: http://arstechnica.com/security/2015/07/how-a-russian-hacker-made-45000-selling-a-zero-day-flash-exploit-to-hacking-team/
- iOS implant analysis: https://blog.lookout.com/blog/2015/07/10/hacking-team/
- HT exploit repurposed. http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/
Additional specific articles:
- 3 Flash 0-days:
- CVE-2015-5119: https://translate.google.com/translate?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://blogs.360.cn/blog/hacking-team-flash-0day/
- CVE-2015-5122: http://blog.trendmicro.com/trendlabs-security-intelligence/another-zero-day-vulnerability-arises-from-hacking-team-data-leak/
- CVE-2015-5123: http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak
- Windows kernel exploit for browser sandbox escape using Adobe Font Driver(atmfd.dll): https://translate.google.it/translate?sl=auto&tl=en&js=y&prev=_t&hl=it&ie=UTF-8&u=http%3A%2F%2Fblogs.360.cn%2F360safe%2F2015%2F07%2F07%2Fhacking-team-part3-atmfd%2F&edit-text=
- SELinux 0-day: https://github.com/informationextraction/core-android-native
- Windows malware: http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/
- Overview of many other aspects including the fuzzer, malware for Android, Windows phone, symbian, and blackberry, AV detection, : http://translate.wooyun.io/2015/07/09/A-Overview-of-Hacking-Team-Leaked-Data.html
OprahSSL
“Majority of Android apps using TLS not effected by new OpenSSL vuln since they don’t validate certificates properly anyway. “ Chris Wysopal
This vuln (CVE-2015-1793) for OpenSSL was largely a non-event. It only affected very recent versions of OpenSSL (post June 11, 2015), which most folks haven’t upgraded to yet, and it only affected clients that use OpenSSL or servers that check client certs.
- https://twitter.com/WeldPond/status/619132836960862208
Morpho/Butterfly/Wild Neutron
Symantec and Kaspersky released reports on this attack group that focuses on spying on businesses. Victims include Twitter, Facebook, Apple and Microsoft. It uses a valid certificate that was stolen from the laptop company Acer. It’s been around since 2011 and has been found to use 0-days. One is an undisclosed Flash 0-day, and the other is an old Java vuln ( CVE-2012-3213), that was unknown at the time this threat first started using it. These exploits are cross-platform and they have malware for OSX and Windows.
- http://www.symantec.com/connect/blogs/morpho-profiting-high-level-corporate-attacks
- https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
The MiTM Mobile Contest: GSM Network Down at PHDays V
If you thought things like getting an SMS for your two-factor auth was secure, take note that the CTF for the Moscow conference PHDays was focused on MiTM’ing mobile networks. The contest did disable the encryption you might normally find in mobile networks, but this contest still shows how easy and affordable most of the steps are, and this post walks through all of it. Due to US law, you likely will never see such a CTF in the US, but take note that what’s illegal here, other countries are doing for fun.
PHDays has a lot of interesting CTF’s, such as taking over a digital substation (there is a video of the wires melting[2]), “Choo Choo PWN” to derail a train (an annual contest since 2013), and “Leave ATM Alone” to hack into an ATM. Of particular interest was a contest to take over a missile launcher[3], given that there was an actual hack this week that took over a real German missile battery in Turkey[4], but very little has been disclosed about what happened).
- GSM contest: http://blog.ptsecurity.com/2015/07/the-mitm-mobile-contest-gsm-network.html
- Substation: https://www.youtube.com/watch?v=w8T-bbO3Qec
- PHDays missile launcher CTF: http://blog.phdays.com/2015/07/hot-cyberwar-hackers-and-missile.html
- Actual German missile battery hacked: http://rt.com/news/272275-german-patriot-missiles-hackers/
Business
- Splunk buys Caspida for $190M: Caspida automatically generates behavior patterns for systems and services on a network and then alerts when the activities of those entities change.
- Google Capital investing $100M in CrowdStrike: Crowdstrike previously raised $56M. Google Capital is a growth equity fund backed by Google, and operates independently. This is similar to Google Ventures, but they deal with larger and later stage investments. This deal has not been publicly announced yet.
- Avast acquires Remotium: Avast is an antivirus company from Prague, Czech Republic that has been around since 1991, and has been popular as a free antivirus solution. Remotium is based in Silicon Valley and provides a solution for mobile users to access enterprise apps via a virtualized workspace that the apps can access. Remotium was founded in 2012, and has received $1M in funding until now. Details were not disclosed.
- Cybersecurity accelerators: In addition to the Washington, DC based cybersecurity accelerator Mach37, there are now Cylon in London, Microsoft Ventures in Tel Aviv, VENUS Cybersecurity in Orleans, France, and Cybersecurity Factory in Boston. Additionally, Sam Altman (head of the well-known general accelerator Y-Combinator) stated this week:
“I would like YC to fund dozens of computer security companies in the next couple of years. Feels like the world is very exposed.” Sam Altman
Newspaper News
- Seven Teams Hack Their Way to the 2016 DARPA Cyber Grand Challenge Final Competition: The DARPA Cyber Grand Challenge required teams to find and fix software in an automated fashion. They had to secure 131 pieces of software in 24 hours with a total of 590 flaws being fixed.
- NYSE, United, and WSJ downed: A couple major sites were down one day, and some folks warned the end was nigh and cyberpocalypse was upon us, but instead it was just a router upgrade, and other non-attack related troubles.
- OPM Director resigns: Katherine Archuleta, who had been rewarded with the position of OPM Director for having led President Obama’s re-election campaign, has resigned as a result of scrutiny over the OPM breach which this week was revealed to include data on 22M people, including fingerprints for 1M.
Conference materials and publications
- PHDays: PHDays conference in Moscow from May.
- RVASec: Videos are up from this conference in Richmond, Virginia from early June.
- Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence: Using historical data from malware submitted to sandboxes they attempt to better monitor the development of malware as it’s samples get submitted to sandboxes. This is basically a clustering problem.
Other reads
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057): These post from nccgroup and breakingmalware discuss development of an exploit for this vuln that affects Windows XP to 10 Tech Preview, 32-bit and 64-bit, and requires modifying only a single bit.
- VMware Multiple Products – Privilege Escalation: This is privilege escalation on the host that runs VMware, not a guest-to-host escape.
- From inter to intra: gaining reliability: Part 2 of Chris Evan’s postings on exploit reliability showing how to make one example reliable.
- CSS: Cascading Style Scripting: Shows techniques for executing scripts within CSS.
- When “int” is the new “short”: Post from Google’s Project Zero team about a type issue in Chrome. The biggest take-away for me was simply the oddness that Chrome’s build process apparently isn’t using basic compiler flags that would warn about such things. One simple way to find vulnerabilities is simply to compile software with a modern compiler using it’s full set of checks. This often results in a flood of false positives, but doing so should be standard practice for modern software. There has been a “Size Overflow plugin” from 2012 from grsecurity that detects this issue and this post describes it thoroughly.
- Unmasking Kernel Exploits: Once you know how malware detonation solutions work, you realize that they will have trouble following what happens if a kernel exploit is used. LastLine discusses a little about what they do for their solution.