Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.

According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.

“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”

“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”

Trend Micro also found similarities to the previous MBR wiper attacks as well. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.

North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.

“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”

“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”

Tags:

• Cyberwarfare
• NEWS & INDUSTRY

Kaspersky Lab recently analyzed the activities of a threat group that has been targeting executive business travelers in the Asia-Pacific region.

The actors behind the cyber espionage campaign dubbed “<a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.securityweek.com%2Fdarkhotel-attackers-target-business-travelers-hotel-networks%22%3EDarkhotel%3C%2Fa%3E" use various techniques to distribute their sophisticated pieces of malware, such as highly customized spear-phishing, malicious Wi-Fi networks, and P2P sharing websites.

The attackers, which appear to speak Korean, have been compromising the networks of luxury hotels for the past four or five years, attempting to trick chief executives, senior vice presidents, sales and marketing directors, and researchers into downloading a backdoor disguised as software updates. Some of the pieces of malware used in these attacks date back to 2007, Kaspersky said.

Thousands of Darkhotel victims have been spotted all over the world, but most of them appear to be located in Japan, Taiwan, China, Russia and Korea. 

Security experts shared their thoughts on this campaign and provided some important recommendations for executives who travel often and don’t want sensitive corporate information to end up in the hands of cyber spies.

And the Feedback Begins…

Carl Wright, General Manager for TrapX Security:

“Organizations must understand that hackers are always looking for the path of least resistance. While enterprises today are generally doing a better job of securing their networks against intrusions from outsiders, they’re falling short when it comes to securing devices outside the corporate network.

As a result of this and an ever-increasing mobile workforce, we’re seeing hackers shifting their attention from attacking organizations head-on through their network and instead concentrate their efforts on individuals outside the corporate firewall. And what a better place to reach them than at the hotels they’re staying at while they’re on the road.

Executives must begin to treat every hotel, plane, bus, cab, cafe etc. as an extension of their corporate office and as such, they need to subject themselves to the same level of security and best practices imposed by their organization’s IT teams. This includes not clicking on suspicious links and making sure their communications to corporate HQ are secured through a proper VPN tunnel.”

Jack Daniel, Strategist at Tenable Network Security:

“Recent stories including the Darkhotel attacks have made it clear that travelers need to assess their information security risks and take reasonable precautions to protect their systems and information. As always, context is critical in deciding what is reasonable in your situation- for some travelers a little extra caution may be all that is needed, for others more aggressive actions such as dedicated (and possibly even disposable) hardware may be required.

A few universal basics can help everyone. Start with strong authentication, including using two-factor authentication everywhere possible and keeping your second factor devices (tokens, phones, cards, etc.) under your control at all times. Use VPNs any time you connect to any network not under your (or your organization¹s) control. Since different networks sometimes interfere with different VPN technologies it is a good idea to have more than one VPN endpoint to connect to, and ideally use more than one VPN technology (IPsec, SSL, etc.) to improve your chances of establishing a secure connection. Other fundamentals include taking no more information than you need for the trip, and limiting the systems and information you access while traveling.

Depending on the type and amount of technology you travel with, it may be best to simply keep all of your digital equipment with you at all times. For more advanced tips, such as the use of Wi-Fi firewalls, consult a trusted security professional.”

Idan Tendler, Fortscale CEO:

“The DarkHotel malware is just more evidence of the troubling vulnerability of networks when it comes to phishing campaigns and credentials theft. It is one of the reasons that networks will need turn their focus internally and adopt a more aggressive approach to security that includes analyzing users.

If a user’s behavior is thoroughly analyzed and profiled, an attacker could steal the user credentials but can’t imitate his historic behavior, which can immediately trigger red flags to the security team for deeper investigation.”

Jared DeMott, security researcher at Bromium:

“Wi-Fi attacks are a real threat, and not just in hotels. At most free Wi-Fi spots there is usually no guidance on secure connection: the user is left to figure it out, and hope it just works. Traveling business people typically are not technical experts either. So, using a device that prefers a VPN is helpful in preventing snooping once connected.  But, if initial connection pages attack with 0-day exploits, the browser is, as usual, a potential weak link without a way to isolate attacks.

I’d advise people to stay off Wi-Fi, in favor of a mobile hotspot. Understandably that can be difficult while in planes, or overseas where mobile devices may not function or be prohibitively expensive.” 

Alex Cox, Senior Manager, RSA-FirstWatch:

“My advice to travelers wishing to stay secure is to opt for the “overly paranoid” approach.

When executives travel they should assume that any open wifi access point has the potential to be malicious, especially in “convenience” areas, where Internet access is provided as a service, probably without a lot of security forethought. They should consider using an Internet access service through a portable wifi device via a cellular network (a MiFi is a popular version). This gives the user a self-contained source of internet access that is for their use only, and this method of connectivity has proven to be one of the more secure as far as eavesdropping and manipulation. That said, it must be configured and used correctly.

If an executive is travelling in a high-risk area, they should consider that any time their device is out of their direct physical control (airport, hotel room, vehicle, etc.) it has the potential to be tampered with. With that in mind, the traveler should keep physical control of the device as much as possible. It’s also a good idea for a high-risk traveler to bring a “clean” laptop and/or smartphone or tablet that doesn’t involve any of their work outside of what is currently needed. While traveling users should have increased suspicion of update notifications, emails with attachments and unknown links, or the request to install “helper” apps in order to access something.

It’s important to adopt an intelligence-focused mindset, to help understand the threat vectors and attackers that may be targeting the traveler.”

John Dickson, Principal at The Denim Group:

“I think the pressure from clients, shareholders or deadlines puts executives in a situation where they rarely think twice about hopping on a hotel Wi-Fi to conduct business. Couple that with the trust in brands – executives would assume Hilton, Hyatt, and others provide information security in addition to physical security and a clean room – and you have a dangerous mix.

Connecting [to Wi-Fi] itself is not completely terrible, but users should VPN-in as soon as they connect to the network for both e-mail and browsing purposes. Also, they should make sure their laptops and mobile devices have the most recent software updates, to make their computing devices less vulnerable to known, often exploited vulnerabilities. The thing to remember is that most security issues occur when two things happens: (1.) A user-initiated action, like clicking on an attachment or link or visiting a site hosting malware; and (2.) a latent vulnerability exists on the computing devices from which the user is browsing.

This was a well thought-out attack, and like most great attacks, is less about the technology and more about exploiting a known trust mechanism, in this case the strength of hotel chains’ brands.”

Oliver Tavakoli, CTO of Vectra Networks:

“There are two lessons that can be learned from the DarkHotel issue. The first is security architectures must be able to protect against attacks that exploit mobile users on guest Wi-Fi networks. The second is in the fast evolving threat landscape, “what the malware is doing” is more important than “what the malware is.

The BYOD Mobile Security Report published by the LinkedIn InfoSec Community revealed that exploits entering organizations via mobile devices is a top security concern in 2014. It is not possible to completely protect users from exploits when they travel and use public-access Wi-Fi networks at coffee shops or hotels. However, it is possible to detect the activities of an attacker who has breached the network perimeter through a traveling employee’s laptop. In a targeted attack, the attacker will use the infected laptop to perform reconnaissance, spread laterally, acquire data, and ultimately exfiltrate it in as stealthy a manner as possible. Real-time breach detection uses machine learning to detect these behaviors among the chatter in the network, even when the exploit or malware “walks” into an organization on a user’s laptop.

 

Just like there were multiple iterations of Conficker and the malware that was used to attack Target was “tweaked,” there could one day be a “DarkHotel 2.” Naming malware may satisfy a human need or assist in knowing whether the right detection signatures are deployed, but it is not relevant in advanced threat defense. Advanced threats, even when they start with simple tactics like spear phishing, are stealthy by nature and will use malware and C&C channels that slip past perimeter and endpoint security that use signatures and reputation lists. Detecting what the malware is doing will always have a higher likelihood – and multiple opportunities – of detecting a targeted attack than knowing what the malware is. Think of it this way, if you can name it, then it is no longer an advanced threat or a targeted attack. Ignoring the malware may only relegate you to being one of its first victims, and that is no fun.”

Ian Amit, ZeroFOX Vice President:

“First things first – nothing is revolutionary about Darkhotel. It uses the same tactics that penetration testers have been using at red team engagements for years. The only surprise is that the attack was found, albeit with a delay of 7 years.

Darkhotel leverages publicly available information and past behaviors to predict where and when an executive is traveling. Having that information at hand is critical for launching a pinpoint attack, and in most cases can be derived from a simple social media search. Once the target is located, the attack comes via the hotel wireless network. As usual, the human factor plays a lead role in enabling such attacks, and unfortunately, most of the information needed can be found on social media.

When traveling, follow the rule “no changes allowed” – no updates, no downloads, no new software or hardware installations. This will prevent almost every malware attack. For the extremely security-conscious traveler, a freshly installed laptop and phone are recommended, both of which should be disposed of at the end of the trip.”

Anup Ghosh, Founder and CEO, Invincea:

“The DarkHotel campaign sheds light on risks business travelers face when leaving the four walls of their enterprise networks. Business travelers need access to the Internet, of course, and the hotel networks is usually the gateway. Even if they are employing VPNs, the access point is the local hotel wireless net prior to being able to login via VPN. At this juncture, we have seen not only rogue Flash updates, but also drive-by exploits hosted on these hotel network pages that silently infect the traveller’s machine.

This isn’t confined to hotel networks, of course, as any public network with a network access login (coffee shops, airports) can be compromised accordingly. Airports would be particularly rich for business travelers and many incorporate advertising that can be subverted via third party ad networks.

Bottomline is business travelers need end point protection that stops targeted attacks and novel malware without requiring the corporate network.”

Tal Klein, VP of Strategy for Adallom:

“Captive portals are basically dressed up Men-in-the-Middle. I don’t particularly understand the hype around DarkHotel given that tools like Hak5’s Pineapple have demonstrated the ease with which people can be compromised by trusting captive portals, especially in hotel settings. My advice: Invest in a mobile carrier Mi-Fi. Most hotel internet connections are unbearably slower and more expensive than a Mi-Fi anyway.”

Ian Pratt, Co-founder & EVP, Products at Bromium:

“Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particular attractive as information about the user’s name and the organization they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

 

A VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign-in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers hands, bringing the infection onto the enterprise network.”

Paul Lipman, CEO of iSheriff:

“Darkhotel illustrates a fundamental hole in the typical approach to corporate cybersecurity. Organizations spend many millions of dollars to protect their networks against outside threats, investing in ever more sophisticated ways to defend their network infrastructure, applications, and data from attack. Despite all of this investment, roaming users are typically protected with nothing more than endpoint anti-virus, a technology that is woefully inadequate to protect against advanced persistent threats such as Darkhotel. Even worse, when an infected user later comes back into the office, any malware infection picked up “on the road” can instantly spider out across the network, multiplying the risk by orders of magnitude.

 

A cloud-based Web security solution provides a persistent layer of protection for roaming users, wherever or however they are connecting to the Internet. These services are constantly updated to cover the latest advanced threats, identifying them in the cloud in real-time, and blocking them before they can ever reach an end user’s device. In the case of Darkhotel, a user connecting through a cloud security layer would be fully protected through a “secure tunnel” from the device to the cloud security provider.”

Chris Messer, vice president of technology at Coretelligent:

“DarkHotel is a moderate threat for unsuspecting and non-technical users, and for users and organizations that have lax security safeguards present on traveling employee or executive devices.

 

This type of attack requires the potential victim to download a compromised update such as Adobe Flash or Google Toolbar from a compromised link or pop-up browser window. The user is then tricked into installing these updates as the attacker uses bogus digital certificates to “sign & validate” the compromised software to lead the user to believe they came from a trusted source. This compromised application then installs additional malicious software (Trojan, keylogger, etc.) on the victim’s machine, and then allows the attacker to track and collect data from their machine at will.

 

The good news is that this type of attack can be prevented if users follow good security practices and have reasonable security software and precautions put in place by IT:

 

• Individuals should avoid hotel wired and wireless Internet services all together, and instead rely on a company-provided mobile hotspot device, or tether via their mobile device. When individuals are required to leverage a hotel’s wired or wireless Internet, they should avoid performing any system administrative tasks or updates.

 

• Users should only transact business over a secure VPN connection and HTTPS secured sites. They should avoid sensitive sites such as banking sites for the duration of the hotel stay, if at all possible.

 

• Users should never click on any advertisements via the hotel Wi-Fi, and after logging into the wireless, make it a point to close and re-open their browsers to avoid re-using a questionable session.

 

• Individuals should ensure that they have a robust antivirus suite installed on their machine that has some sort of web filtering component. 

 Feel free to add your thoughts in the comments below, and until Next Friday…Have a Great Weekend!

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Risk Management
• Malware
• Management & Strategy

The days when the Black Hat USA and Defcon conferences are ongoing are two times when surfing the Internet in Las Vegas can be a gamble all on its own.

According to Imperva, there was a spike in malicious activity emanating from Sin City two weeks ago when the conferences were under way.

“I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and a month prior to that in order to correlate to baseline,” blogged Barry Shteiman, Imperva’s director of security strategy. “In order to do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for Nevada state, and Las Vegas specifically, then we queried the Community Defense data set for all source IPs that were in the US. Finally, we summarized by date and where the city itself is Las Vegas.”

Here’s what the company found. Typically, it detects roughly 20 attacks originating from Las Vegas on a normal day. However, during the conferences that number peaked at 2,612. There was a significant drop off as Black Hat began winding down. On Aug. 6, the conference’s second to last day, there were just 20 detected attacks. The start of Defcon – which is also the final day of Black Hat – erased that decline however and the number of attacks shot back up to 1,916 on Aug. 7.

On the final day of Defcon, Aug. 10, the number of detected attacks fell to 7.

Imperva also noted a jump in attack volume during the NAACP conference in July, which indicates one of a few possibilities: either a large crowd in a conference-scale event causes a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there, Shteiman wrote. As for Black Hat and Defcon, they are not exactly typical conferences, he added.

“They have some of the brightest security/hacking minds in the world attending,” he blogged. “Those guys who read every link before they click, run custom operating systems in cases and are generally very aware to security and therefore are less likely to be drive-by victims of hacking – for that reason, seeing numbers that high is more substantial at a hacker conference than in other conferences.”

Tags:

• NEWS & INDUSTRY
• Cybercrime

The term “Tipping Point” is controversial because it has been so widely misused and loosely applied; two abuses that I often see in the cyber security marketplace. However, there are examples where a tipping point has been found to exist through more rigorously applied studies.

One study showed the point where hospitals begin to fail resulting in the deaths of critically ill patients: “What our research revealed is that there is, in fact, a tipping point which was triggered strongly at midnight occupancy levels of around 92 per cent in our data. When the tipping point was exceeded, patients began dying in significant numbers.”

The risk of a fire turning into a firestorm due to the density of trees in a forest occurs at 59% density: “The risk of catastrophic fire does not increase in a linear relationship with the density of the forest. Instead there is a tipping point at about 59% density.”

My interest with tipping points have to do with critical infrastructure such as the power grid or transportation routes. A lot of papers have been written about cascading failures such as [1] and [2], however what would happen if a small terrorist group with moderate knowledge of industrial control systems wanted to create sustained or repeated outages? Think of the different regional grids in the U.S. as songs on an adversary’s playlist, and he just hit “Shuffle”. What would be the tipping point before social order in the U.S. would collapse?

I don’t know if there’s a good answer to that question, but I think it’s one that needs exploring. Therefore, I’ve organized a panel to address the issue from different angles at Suits and Spooks New York. Joining me will be Joe Weiss, an internationally known ICS expert and Dr. John Mallory of MIT.

If you’d like to hear this discussion and add your perspective, please register to join us at Suits and Spooks New York on June 20-21, 2014. This will be just one of many great panels and speakers. Suits and Spooks New York will mark the first SecurityWeek-branded two day event. Hope to see you there.

Footnotes:

[1] Saleh Soltan, Dorian Mazauric, Gil Zussman: Cascading Failures in Power Grids – Analysis and Algorithms

[2] Paulo Shakarian, Hansheng Lei, Roy Lindelauf: Power Grid Defense Against Malicious Cascading Failure.

Tags:

• Cyberwarfare
• INDUSTRY INSIGHTS

Researchers from FireEye have discovered a nasty zero-day exploit that bypasses the ASLR and DEP protections in Microsoft Windows and is being used in targeted attacks.

The security flaw is a remote code execution vulnerability (CVE-2014-1776) that affects versions of IE6 through IE11, which in total accounted for 26.25% of the browser market in 2013. 

The campaign is currently targeting US-based firms tied to the defense and financial sectors, a FireEye spokesperson told SecurityWeek, and is specifically targeting IE9 through IE11. 

“The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections,” FireEye wrote in a blog post Saturday. 

Microsoft also issued a security advisory on Saturday and said they were working with partners in its Microsoft Active Protections Program (MAPP) to extend broader protections to customers as soon as possible.

If successfully exploited, an attacker could gain the same user rights on the impacted system as the current user, Microsoft said. Accounts configured with fewer rights on the could be less impacted than users who operate with administrative privilages.

FireEye has named the campaign “Operation Clandestine Fox,” but has shared very little details other than saying the group behind the exploit has been the first to have access to a select number of browser-based 0-days in the past.

FireEye warned that the attackers are “extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”

“They have a number of backdoors including one known as Pirpi that we previously discussed here,” the researchers wrote. “CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8 dropped the Pirpi payload discussed in this previous case.” 

“The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray,” FireEye explained. “The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.”

Because the attack leverages Adobe Flash, users who do not have Flash installed or have the Flash plugin for IE disabled, will be protected. Additionally, several versions of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) will break the exploit.

Additional technical details are available from FireEye. Microsoft also has provided some mitigation information. 

Related: ASLR Bypass Techniques Appearing More Frequently in Attacks

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Vulnerabilities
• Data Protection

If nothing else, the breach at Target brought this point home – point-of-sale [POS] systems are firmly on the radar of attackers.

So much so that US-CERT just recently warned retailers to do a better job of protecting their systems.

“In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming,” the organization noted. “In other cases, cyber criminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.”

“As POS systems are connected to computers or devices, they are also often enabled to access the internet and email services,” the advisory continued. “Therefore malicious links or attachments in emails as well as malicious websites can be accessed and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.”

In the case of Target, malware was discovered on the company’s POS systems Dec. 15. At that point, Target disabled the malicious code and began the process of notifying card processors and payment card networks. As many as 40 million debit and credit card accounts may have been impacted. But that was just the most recent example of an attack. For example, in 2012, hackers hit the point-of-sale systems at Barnes & Noble and compromised credit card readers at 63 stores.

“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems,” said Mark Bower of Voltage Security.

These systems are in constant use around heavy shopping periods like Black Friday, when they are often less frequently patched and updated, he added. To take the profit out of the attacks, savvy retailers are utilizing point-to-point encryption to protect data before it even gets to the POS system, he said.

“If the POS is breached, the data will be useless to the attacker,” he said. “Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enabling the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw.”

Organization need to take stock of what devices they have running and what gaps they need to close, said Chris Strand, compliance consultant at Bit9.

“Taking a better approach to automating the vulnerability analysis to get better visibility of the threat landscape and find a solution that allows organizations to see where high priority and critical areas are on those systems,” Strand said.  

US-CERT also recommends organizations restrict POS access to the Internet, disable remote access and update POS software applications.

Then there is the prospect of more secure EMV cards, which security experts say may have made the attack on Target a non-starter for those behind it.

“EMV is a big part of the answer and would likely have prevented the Target breach,” noted Chester Wisniewski, senior security advisor at Sophos. “Merchants have been resistant as it requires newer payment terminals, but Target is one of the few who were already EMV-ready. It is currently scheduled to roll out (for most transactions) in the US in the autumn of 2015. It took us about 18 months to fully embrace it here in Canada; let’s hope the US can one-up us.” 

Related Reading: PCI DSS 3.0 – The Impact on Your Security Operations

Tags:

• NEWS & INDUSTRY
• Cybercrime