Tuesday, June 26, 2012

Pwning Poison Ivy Server: Own And You Shall Be Owned

Via Gal Badishi's Security Bits Blog -

While working on Poison Ivy’s communication, one of my students approached me and asked me if the fact that an infected computer can connect to the C&C server means that the compromised host can break into the server. Well folks, it appears that it’s possible. We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any computer, for that matter) to assume control of PI’s C&C server.


It’s important to note that the exploit data following our header never gets decrypted, so we don’t have to worry about PI ruining our values if we don’t encrypt the data.

In light of this analysis, a Metasploit module without encryption is being prepared.

Boko Haram Linking Up with al Shabaab and Al Qaeda

Via ChannelsTV.com -

Three of Africa’s largest extremist groups are sharing funds and swapping explosives in what could signal a dangerous escalation of security threats on the continent, the commander of the U.S. military’s Africa Command said on Monday.

General Carter Ham said there are indications that Boko Haram, al Shabaab and Al Qaeda in the Islamic Maghreb – groups that he labeled as the continent’s most violent – are sharing money and explosive materials while training fighters together.

“Each of those three organizations is by itself a dangerous and worrisome threat,” Ham said at an African Center for Strategic Studies seminar for senior military and civilian officials from Africa, the United States and Europe.

“What really concerns me is the indications that the three organizations are seeking to coordinate and synchronize their efforts,” Ham said. “That is a real problem for us and for African security in general.”

The United States classified three of the alleged leaders of the Islamist sect Boko Haram, based in remote northeast Nigeria, as “foreign terrorist,” on June 20. But it declined to blacklist the entire organization to avoid elevating the group’s profile internationally. Police in Nigeria said members of the group seized a prison there Sunday and freed 40 inmates.

Islamist militant group al Shabaab is active in war-ravaged Somalia and has been blamed for attacks in Kenya. Last year it claimed responsibility for the death of Somali Interior Minister Abdi Shakur Sheikh Hassan.

Al Qaeda in the Islamic Maghreb (AQIM), an affiliate of al Qaeda based in North Africa, is mainly a criminal organization operating in the Sahel region. It kidnaps Westerners for ransom and aids Africa’s drug trade, according to intelligence officials.

Wednesday, June 20, 2012

Syrian Activists Targeted with BlackShades RAT

Via Threatpost.com

One of the attackers who has been targeting Syrian anti-government activists with malware and surveillance tools has returned and upped the ante with the use of the BlackShades RAT, a remote-access tool that gives him the ability to spy on victims machines through keylogging and screenshots.

The original attacks against Syrian activists, who are working against the government's months-long violent crackdown, were using another RAT known as Xtreme RAT, with similar capabilities. That malware was being spread through a couple of different targeted attacks, including one in which activists were directed to YouTube videos and their account credentials were then stolen when they logged in to leave comments.

That attack continued with the installation of the RAT, giving the attacker surreptitious access to the victims' machines, enabling him to monitor their activities online. Now, researchers say that at least one attacker who is known to be involved in these targeted attacks also is using the BlackShades RAT in a new set of attacks.

The new attack is being run by spreading a malicious link to dissidents. When a victim clicks on the link, it takes him to a site that downloads a file called "new_new .pif." That file then goes through a long infection routine that includes the installation of several files. One of the files that's installed is a keylogger and the malware also creates a number of registry keys that ensure persistence on the machine, according to an analysis of the attack by researchers at the EFF and Citizen Lab.


For those interested in samples, Mila posted copies of all three RATs used to target Syrian anti-government activists.


Friday, June 1, 2012

Obama Order Sped Up Wave of Cyberattacks Against Iran

Via NYTimes -

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.


The impetus for Olympic Games dates from 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. Having falsely accused Saddam Hussein of reconstituting his nuclear program in Iraq, Mr. Bush had little credibility in publicly discussing another nation’s nuclear ambitions. The Iranians seemed to sense his vulnerability, and, frustrated by negotiations, they resumed enriching uranium at an underground site at Natanz, one whose existence had been exposed just three years before.


For years the C.I.A. had introduced faulty parts and designs into Iran’s systems — even tinkering with imported power supplies so that they would blow up — but the sabotage had had relatively little effect. General James E. Cartwright, who had established a small cyberoperation inside the United States Strategic Command, which is responsible for many of America’s nuclear forces, joined intelligence officials in presenting a radical new idea to Mr. Bush and his national security team. It involved a far more sophisticated cyberweapon than the United States had designed before.


Those looking for a deeper look, can grab Flamer/Skywiper samples from Mila Parkour at the Contagio blog.

China Arrests Security Official on Suspicion of Spying for U.S.

Via Reuters -

A Chinese state security official has been arrested on suspicion of spying for the United States, sources said, a case both countries have kept quiet for several months as they strive to prevent a fresh crisis in relations.

The official, an aide to a vice minister in China's security ministry, was arrested and detained early this year on allegations that he had passed information to the United States for several years on China's overseas espionage activities, said three sources, who all have direct knowledge of the matter.

The aide had been recruited by the U.S. Central Intelligence Agency and provided "political, economic and strategic intelligence", one source said, though it was unclear what level of information he had access to, or whether overseas Chinese spies were compromised by the intelligence he handed over.

The case could represent China's worst known breach of state intelligence in two decades and its revelation follows two other major public embarrassments for Chinese security, both involving U.S. diplomatic missions at a tense time for bilateral ties.

The aide, detained sometime between January and March, worked in the office of a vice-minister in China's Ministry of State Security, the source said. The ministry is in charge of the nation's domestic and overseas intelligence operations.

Wednesday, May 30, 2012

Taking a Bite Out of IXESHE

Via TrendMicro Malware Blog -

We released a new research paper describing the activities of another APT campaign, IXESHE (pronounced “i-sushi”).

One of the most notable characteristics of the IXESHE campaign is the attackers’ use of compromised servers in target organizations as command-and-control (C&C) servers. This tactic allowed them to hide their presence by confusing their activities with data belonging to legitimate individuals. In one particular case, we saw C&C servers hosted on the compromised machines of an East Asian country, making targeted attacks against that government easier. In another case, we received an error message from a C&C server, which indicated that the front-end servers were merely acting as proxies for the actual back-end servers.

Our research also showed that attackers utilized dynamic Domain Naming System (DNS) servers and broadly distributed external C&C servers around the world to make detection and takedowns more difficult to do.

The IXESHE campaign has been underway since at least July 2009 when we first saw samples of this particular malware family. Its primary method of entry into user systems is via malicious .PDF files that exploit Adobe Acrobat, Reader, or Flash Player vulnerabilities. These malicious files are sent as attachments to targeted emails sent to potential victims within target organizations.

In the process of our investigation, we were able to determine that its victims could be broadly classified into three categories:

• East Asian governments
• Electronics manufacturers
• A German telecommunications company

For further details, please consult the full paper...

Monday, May 14, 2012

Fundamentals of Chinese Information Warfare

The Potomac Institute Cyber Center hosted a special program on Fundamentals of Chinese Information Warfare and Impacts on the Western World on Friday, May 11, 2012. The guest speakers included William T. Hagestad II, author of the new book 21st Century Chinese Cyberwarfare (IT Governance, 2012).


The commentary is pretty insightful and, near the end, touches on some possible geopolitical solutions that can be used to change China's behavior.

Hat-tip to Bill and his Red Dragon Rising blog.


Here is the Potomac Institute for Policy Studies lecture and panel discussion on "Russian Cyber Capabilities".

Project Grey Goose - Operation Poachers


I'm pleased to announce that the fourth Project Grey Goose investigation, commencing today, will target the very serious problem of domestic and international poaching of endangered species. I founded Project Grey Goose in August, 2008 as an experiment in crowd-sourcing an Open Source Intelligence (OSINT) effort whose goal was to investigate possible Russian government connections in the cyber attacks against Georgian government websites during the Russia Georgia war. Rather than focusing on hackers, this project will focus on criminals who are viciously taking the lives of rare and beautiful animals for body parts and profit; i.e. poachers. The problem is vast and growing, and it's my sincere hope that Project Grey Goose's unique international collaborative approach to OSINT will make an impact.

I'm particularly happy to announce that my co-manager for this project is Nada Bakos, a former CIA intelligence analyst and targeting officer. I can't imagine a more qualified person to help lead this effort than Nada and I'm excited to have her aboard to help this mission succeed.


Check out the link above to Jeffrey's blog, if you want to know how you can help.

Uighur Leader Accuses China of ‘Systematic Assimilation’

Via VOA News -

Exiled representatives of the Uighur, an ethnic group that lives mainly in Western China’s province of Xinjiang, are meeting in Japan for their fourth annual conference. The World Uighur Congress, based in Germany, opposes what it calls the Chinese occupation of their land, and the group's gatherings routinely draw criticism from Beijing.

Rebiya Kadeer, leader of the World Uighur Congress, and also known as "the Mother of the Uighur Nation," has been living in exile in the United States since her release from a Chinese prison in 2005.

She joined more than 100 representatives of the ethnic group from more than 20 countries, including the United States, Germany and Australia, to elect new leadership and discuss strategies to engage China over the issue of self-determination.

Kadeer said the Uighurs are facing a threat to their existence because of the Chinese government’s policy of systematic assimilation. She also accuses Chinese authorities of committing extra-judicial killings, economic exploitation, and destroying Uighur values.


With that in mind, could you guess who might want to target companies or organizations interested in the Uyghur Congress with targeted zero-day malware? I wonder. ;)

APT: A Geopolitical Problem

Sunday, May 13, 2012

South China Sea Spat Goes Cyber

Via The Diplomat -

China continues to raise the heat in its dispute with the Philippines over the sovereignty of Scarborough Shoal/Huangyan Island. On Monday, He Jia, an anchor on China’s state-run CCTV, mistakenly declared that “China has unquestionable sovereignty over the Philippines” rather than just over the disputed island. On Tuesday, Chinese Vice Foreign Minister Fu Ying warned a Philippine diplomat that China was fully prepared to do anything to respond to escalation. Deep-water drilling has begun near islands in the South China Sea and Chinese travel agencies have reportedly suspended tours to the Philippines. Chinese netizens are fully in support of the claims, and have in many instances criticized the Ministry of Foreign Affairs for not taking more assertive action.

As with previous territorial disputes in East Asia these days (see China-Vietnam, China-Japan, and Korea-Japan), the political, diplomatic, and military maneuvering has a cyber component. On April 20, Chinese hackers attacked the website of the University of the Philippines. The next day, Filipino hackers struck back with the defacement of Chinese websites. On the 23rd and 24th, the two sides again traded tit-for-tat attacks (a very useful timeline up until April 30 can be found here). Attacks have continued over the last week; attackers have also pasted the Chinese flag on the website of the Philippines News Agency.

From almost the beginning of the attacks, the Philippines government has called for both sides to stop. On April 22, a Philippines government spokesperson said, “We call on citizens, including ours, to exercise civil temperance.” On April 25, the Philippines’ Department of Science and Technology and Information and Communications Technology Office declared that the attacks were neither sanctioned nor condoned, and on May 10 a spokesman went further in warning that such attacks “will not benefit anyone and could possibly lead to bigger problems in the future for the Philippines and China and escalate the already tense situation at Panatag Shoal (Scarborough Shoal).” This is not a misplaced worry as freelance attacks could make it much more difficult for the two sides to communicate and signal intentions.

Unfortunately, there has been silence from Beijing on the issue. China’s leaders seem to be embracing the conflict, or at least the prospect of conflict, as a welcome distraction from the problems of Chen Guangcheng and Bo Xilai. As Michael Yip and Craig Weber argue, the Chinese government – after years of enrolling students in patriotic education that stresses a history of national humiliation – needs to align itself with and divert away from nationalistic responses to real and perceived slights. Political hacking acts as a diversion – venting resentment away from the regime, focusing web users’ ire on outside actors, and maintaining the government’s nationalistic credentials.

When China’s Minister of Defense General Liang Guanglie was at the Pentagon this week, he talked about how China wanted to work to improve cybersecurity. Beijing could gain a great deal of credibility by doing what the Philippines has done: call on both sides to stop the attacks.

Friday, May 11, 2012

TTPs: Lessons from Today's Amnesty Hack

Via Imperva -

Amnesty International UK's website was hacked courtesy of a backdoor dropped on visitors' systems. Most likely done by a foreign government, many speculate that it's the Chinese. Websense's blog gives a good technical overview of the attack.

But what does it mean for security teams?

In some cases, hackers don’t want to steal the data from the website but rather want to infect the users who are visiting. This can lead to more access to business critical data which, for example, is often stored as files on a fileserver. In the Amnesty case, the real prize isn't Amnesty's data per se, but the corporate and individual data and files of those who visit the site.


This exact technique has been used by advanced adversaries in previous targeted attacks. Intelligence sources have observed this technique being used in attacks against the US defense industry as well.

July 2011 - Attack On Pacific Northwest National Lab Started At Public Web Servers

Thursday, May 10, 2012

Iran's Web Censorship Filters Supreme Leader's Own Statement

Via Ars Technica -

Iranian Supreme Leader Ayatollah Ali Khamenei’s own words have now become a victim of Iran’s massive online censorship infrastructure.

According to Radio Free Europe (RFE), last week Khamenei issued a “fatwa,” or religious edict, confirming that anti-filtering tools and software are illegal in Iran. The decree came in response to a question by Mehr News (Google Translate), a semi-official news agency, which had asked for clarification on the ruling due to the fact that, as journalists, employees sometimes need to access blocked websites and other non-authorized information.

Khamenei, according to a translation by RFE, replied: "In general, the use of antifiltering software is subject to the laws and regulations of the Islamic republic, and it is not permissible to violate the law."

However, his own use of the word “antifiltering” apparently triggered Iran’s own filtering system, making Khamenei’s words inaccessible to most Iranians.

RFE also reported that this filtering episode prompted Tabnak, a conservative news website, to respond: "The filtering of a [religious] order is so ugly for the executive [branch] that it can bring into question the whole philosophy of filtering."

Iran, of course, has a notorious surveillance and filtration system in place—just last month, the Islamic Republic published a "Request for Information" for furthering its so-called "halal Internet."

Tuesday, May 8, 2012

GPS Jamming Affects Ship Navigation off Korean Coast

Via Marine Link -

122 ships, including Coast Guard vessels and a passenger vessel, have reported malfunctions in their navigation systems since the apparent jamming of satellite signals by North Korea last week, reported 'Safety4Sea'.

According to the Coast Guard in Incheon, west of Seoul, a total of 122 ships were affected by the disruption to Global Positioning System (GPS) signals. Among the vessels were eight patrol boats belonging to the Coast Guard, a passenger liner carrying 387 people and a petrol products carrier.

Fishing boats operating near the tense western maritime border with North Korea also reported errors in their navigation systems, although none of them led to accidents, Coast Guard officials said.

The transport ministry said about 250 commercial flights in and out of international airports at Incheon and Gimpo, also west of Seoul, were also affected by the jamming, although they were not put in danger.

South Korea came under similar electronic attacks in March of last year, and in August and December of 2010, all of which were blamed on the North. South Korean Defense Minister Kim Kwan-jin has said anti-jamming programs are being developed to counter the attacks.

The defense ministry has also said the North operates a regiment-sized electronic warfare unit near its capital Pyongyang, and some battalion-sized units closer to the inter-Korean border.

Sunday, May 6, 2012

On The Rebound: Shining Path Factions Vie for Control of Upper Huallaga Valley

Via The Jamestown Foundation -

After the Peruvian army captured Comrade Artemio on February 12 and two potential successors on March 4 and April 3, President Ollanta Humala declared that the Shining Path was “totally defeated”—a prediction that is already proving to be premature. The Shining Path faction in the Upper Huallaga Valley retains a core group of loyal fighters capable of conducting military operations to pressure the government for Artemio’s release, but they are more dangerous for their apparent alliance with Movadef, a rising political movement that the government sees as a “front” for the Shining Path. Meanwhile, the 500-fighter faction of the Shining Path led by Comrade Jose in the VRAE has made clear its desire to expand its international narco-trafficking enterprise into the Upper Huallaga Valley and exploit the power vacuum with Artemio out of the picture. A takeover of the Upper Huallaga Valley would elevate Comrade Jose to the level of one of South America’s premier narco-trafficking bosses. Neither Shining Path faction is near surrender, and questions linger about whether President Humala’s new four-year anti-drug strategy underwritten by millions of dollars of U.S. aid will tame or inflame the country’s narco-trafficking insurgencies.


The Shining Path consists of a 500-fighter faction in the River Apurimac and River Ene Valley (VRAE) led by Comrade Jose and a smaller 150-fighter faction in the Upper Huallaga Valley led until February 12 by Comrade Artemio. The VRAE and Upper Huallaga Valley factions split in 1999 after the capture of then leader Comrade Feliciano (Oscar Ramirez Durand). Comrade Artemio succeeded Feliciano in 1999 and remained loyal to Shining Path founder, Abimael Guzman (Chairman Gonzalo), who was captured in 1992. After Feliciano’s capture, Comrade Jose’s faction disavowed the Shining Path of Guzman, Feliciano and Artemio, who they criticized for alienating the campesinos during the war against the State in 1980s and for offering truces to the government once Guzman was captured.

Both factions officially espouse turning Peru into a Marxist state, but they depend on their capitalist narco-trafficking enterprises for financial survival. It is no coincidence that the two surviving factions of the once 15,000-fighter Shining Path operate in the country’s two main coca producing regions—the VRAE and the Upper Huallaga Valley, which produce 75% of Peru’s coca. With Peru expected to surpass Colombia as the world’s largest coca producer (61,200 hectares) in 2012, both factions stand to benefit.



The capture of Comrade Artemio has weakened his faction, but a core group of his fighters continue to engage in shows of military force to support Movadef’s political goals. There appears to be a low likelihood of a Shining Path merger considering that the two groups operate in distinct areas and harbor contrasting motivations. If Artemio’s faction continues to splinter, however, Jose’s faction may gain control of the major drug trafficking routes in the Upper Huallaga Valley and revive the Shining Path under a model like the FARC—a drug cartel with a nominal Marxist ideology. Both Shining Path factions benefit from the country’s increasing coca production, while they are also capable of attracting recruits from the cocaleros if the drug eradication plan moves forward. The drug war can only be won if the cocaleros are provided with a substitute to growing coca, but historically the state has struggled to meet this need.

After the capture of Abimael Guzman in 1992, then President Fujimori said, “Sendero has been defeated. I defeated it.” Twenty years later, President Humala shows similar optimism, but the events on the ground suggest that both Shining Path factions will adapt to the realities on the ground after Artemio’s picture and implement new strategies in order to survive.


Shining Path (Sendero Luminoso in Spanish) is a Maoist guerrilla insurgent organization in Peru. It prefers to be called the "Communist Party of Peru" or "PCP" for short. The Shining Path's ideology and tactics have been influential on other Maoist insurgent groups, notably the Communist Party of Nepal (Maoist) and other Revolutionary Internationalist Movement-affiliated organizations. Widely condemned for its brutality, including violence deployed against peasants, trade union organizers, popularly elected officials and the general civilian population, the Shining Path is described by the Peruvian government as a terrorist organization. The group is on the U.S. Department of State's list of Foreign Terrorist Organizations, and the European Union and Canada likewise describe it as a terrorist organization and prohibit providing funding or other financial support.

Friday, May 4, 2012

Xtreme RAT Used in Targeted Attack Against Syria Activist

Via F-Secure Labs -

Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include using technology surveillance, trojans and backdoors.

Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.

The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.

Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called "Xtreme RAT".

Xtreme Rat is a full-blown malicious Remote Access Tool.

Sold for 100 euro (Paypal) via a page hosted at Google Sites: hxxps://sites.google.com/site/nxtremerat

We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address This IP block belongs to Syrian Arab Republic — STE (Syrian Telecommunications Establishment).

This would not have been the first case of using trojans for such purposes in Syria, either.

"Right On" by The Roots (feat. Joanna Newsom & STS)

Thursday, May 3, 2012

Microsoft Fingers Chinese Firewall/IPS Vendor In Windows Exploit Leak

Via Dark Reading -

Microsoft today announced that it had rooted out the source of a leak from within its third-party security software firm partnership program that resulted in the weaponization of a bug in Windows -- raising questions about whether the Microsoft Active Protections Program (MAPP) could be vulnerable to other such breaches.

Chinese firewall and IPS vendor Hangzhou DPTech Technologies Co., Ltd., according to Microsoft, was the culprit behind a rapid-fire turnaround of a working exploit for the Windows Remote Desktop (RDP) flaw in mid-March, just after the bug was patched by Microsoft.


Microsoft today was mum on how it ultimately rooted out DPTech as the source of the leak, or on just what Hangzhou DPTech Technologies did. "During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program," said Yunsun Wee, director of Microsoft Trustworthy Computing, in a statement.

HD Moore, chief security officer at Rapid7 and creator of Metasploit, says it couldn't have been simple to trace the leak to a specific company. "[It's] interesting and somewhat surprising that they found it at all," Moore says.

Meanwhile, the announcement by Microsoft appears to raise more questions than it answers. Concerns about a Chinese security vendor leaking Windows vulnerability details before the patch window had closed, and whether this was truly the first breach of the MAPP program, sent a chill through the industry.

"Yes, it is a little concerning that it was a Chinese firm that leaked the Microsoft information. That being said, what did Microsoft really expect was going to happen? The Chinese do not have a very good track record of adhering to NDA and other agreements," says Paul Henry, security and forensic analyst at Lumension. "It is important to recognize that the MAPP program is relatively new, so there will be bumps in the road as Microsoft works out the delicate balance between strategic sharing and safeguarding the distribution of sensitive information regarding its products."


MAPP Update: Taking Action to Decrease Risk of Information Disclosure


Shocker. Kudos to MS for tracking this down to the company. Impressive.

Monday, April 30, 2012

Determined Adversaries and Targeted Attacks

Via Microsoft Security Intelligence Report -

Over the past two decades the internet has become fundamental to the pursuit of day-to-day commercial, personal, and governmental business. However, the ubiquitous nature of the internet as a communications platform has also increased the risk to individuals and organizations from cyberthreats. These threats include website defacement, virus and worm (or malware) outbreaks, and network intrusion attempts. In addition, the global presence of the internet has allowed it to be used as a significant staging ground for espionage activity directed at industrial, political, military, and civil targets.

During the past 5 years, one specific category of threat has become much more widely discussed. Originally referred to as Advanced Persistent Threats (APT) by the U.S. military — referring to alleged nation-state sponsored attempts to infiltrate military networks and exfiltrate sensitive data — the term APT is today widely used in media and IT security circles to describe any attack that seems to specifically target an individual organization, or is thought to be notably technical in nature, regardless of whether the attack was actually either advanced or persistent.

In fact, this type of attack typically involves two separate components — the action(s) and the actor(s) — that may be targeted against governments, military organizations or, increasingly, commercial entities and civil society.

The actions are the attacks themselves, which may be IT-related or not, and are referred to as Targeted Attacks in this paper. These attacks are initiated and conducted by human actors, who are collectively referred to in this paper as Determined Adversaries. These definitions are important because they emphasize the point that the attacks are carried out by human actors who may use any tools or techniques necessary to achieve their goals; these attacks are not merely malicious software or exploits. Using an encompassing term such as APT can mask this reality and create the impression that all such attacks are technically sophisticated and malware-driven, making it harder to plan an effective defensive posture.

For these reasons, this paper uses Targeted Attacks and Determined Adversaries as more specific and meaningful terms to describe this category of attack.


Be sure to check out Microsoft's Security Intelligence Report (SIR) Volume 12.
The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.

Sunday, April 29, 2012

Snow Leopard Users Most Prone to Flashback Infection

Via Computerworld.com -

Of the Macs that have been infected by the Flashback malware, nearly two-thirds are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said Friday.

Doctor Web, which earlier this month was the first to report the largest-ever malware attack against Apple Macs, mined data it's intercepted from compromised computers to come up with its findings.


In a Friday blog post, Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet's massive size.


Not surprisingly, 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple's operating system that comes with Java.

Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.

Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.

Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.

Last month, Leopard powered 13.6% of all Macs.

But while Snow Leopard's and Leopard's infection rates are higher than their usage shares, the opposite's true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.

Doctor Web did not connect those dots in its analysis, but the numbers make clear that versions of Mac OS X that included Java -- Snow Leopard and Leopard -- are much more likely to be infected by Flashback. Conversely, Lion -- by default, sans Java -- is significantly more resistant to the malware.

The Russian company's data also showed that many Mac users don't keep their machines up-to-date, something ZDNet blogger Ed Bott noted on Friday.

Twenty-four percent of the Snow Leopard-infected Macs were at least one update behind, 10.4% were three or more behind, and 8.5% were four or more behind.

Lion users were no better patch practitioners: 28% were one or more updates behind.


To protect Snow Leopard and Lion systems from the Java-exploiting Flashback, users should launch Software Update from the Apple menu and download this month's Java updates. Software Update will also serve the newest version of those operating systems to Macs running outdated editions.

People running Leopard can disable Java in their browser(s) to stymie attacks.

Later this year, Oracle will release Java 7 for OS X. Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.

Saturday, April 28, 2012

Friday, April 27, 2012

Photos: Space Shuttle Discovery

Grabbed these shots today, at about 4:45pm EST. Free entrance and parking at Steven F. Udvar-Hazy Center.


Space Shuttle Discovery (Orbiter Vehicle Designation: OV-103) @ Steven F. Udvar-Hazy Center, an annex of the Smithsonian Institution's National Air and Space Museum.

Wednesday, April 25, 2012

US Experts To Help Decrypt 'FARC' Computers

Via ColombiaReports.com (23 April 2012) -

A team of U.S. computer experts has arrived in Colombia to help national authorities recover information from the computer of deceased FARC leader "Alfonso Cano," reported Colombian newspaper El Espectador Monday.

Investigators with the Prosecutor General's office are working to break encryption codes on seven computers, 38 USB sticks and 24 hard drives recovered after a military bombing killed Cano in November, 2011.

The technology was retrieved from a FARC camp after the attack in Suarez, a town in the southwestern Cauca department.

The heavily-encrypted data uses four languages and multiple passwords, and requires the "meticulous" skills of the U.S. team to salvage and analyze it.

Investigators have already recovered some information from Cano's computer, including a plan to attack five army air bases with remote controlled helicopters.


Some of the 'plans' may be more aspirational, than operational ;)

Tuesday, April 24, 2012

The Mobile Exploit Intelligence Project

Dan Guido, working with Mike Arpaia, brings his well received intelligence-driven security ideas from "The Exploit Intelligence Project" of 2011, into the mobile space.


Nissan Gets Hacked, Intellectual Property Possible Target

Via DailyTech.com (April 24, 2012) -

Nissan Motor Company has announced that its information systems have been hacked. So far, the company doesn't know who the hackers were, or where they struck from and it's unclear what data may have been compromised. Nissan believes that the hackers were looking for intellectual property related to its EV drivetrains.

Nissan maintains that it quickly secured its system and issued a statement alerting customers and employees that its data systems were breached. Nissan says that the infiltration was noticed on April 13 so it has been roughly 10 days since the database was compromised.

The statement read:
We have detected an intrusion into our company's global information systems network.

On April 13, 2012, our information security team confirmed the presence of a computer virus on our network and immediately took aggressive actions to protect the company's systems and data. This included actions to protect information related to customers, employees and other partners worldwide. This incident initially involved the malicious placement of malware within our IS network, which then allowed transfer from a data store, housing employee user account credentials.

As a result of our swift and deliberate actions we believe that our systems are secure and that no customer, employee or program data has been compromised. However, we believe that user IDs and hashed passwords were transmitted. We have no indication that any personal information and emails have been compromised. Regardless, we are continuing to take appropriate precautionary measures.

Due to the ever-evolving sophistication and tenacity of hackers targeting corporations and governments on a daily basis, we continue to vigilantly maintain our protection and detection systems and related countermeasures to keep ahead of emerging threats. Our focus remains on safeguarding the integrity of employee, consumer and corporate information.
Nissan says that it opted to keep the hack secret for the last 10 days until it had a better idea what was going on, according to a spokesman cited by The Detroit Bureau.


Looks like Active Directory might have got popped.

Primary Sources....

Nissan Statement: Nissan is Taking Actions to Protect and Inform Employees and Customers Following an Intrusion into the Company's Global Network Systems

The Detroit Bureau: Nissan Scrambles After Major Cyber-Attack

Monday, April 23, 2012

Both Mac and Windows are Targeted at Once

Via Symantec Security Response Blog -

Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers.

On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS.


When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type malware written in Python. However, if the threat is running on a Windows operating system, it downloads a standard Windows executable file dropper. Both droppers drop a Trojan horse program that opens a back door on the compromised computer.


The Trojan only checks whether it is a Windows operating system or not in this code, but the downloaded Python dropper checks again whether it is a Mac operating system or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not a popular scripting language for writing malware, but it works fine on a Mac operating system because Python has already been installed by default.

Finally, one of two back door Trojans is dropped on to the computer. These two Trojans are downloaded from the same server, but are a little bit different from each other.

The back door Trojan for the Mac operating system written in Python can control the “polling times”, which is related to how many times it gets commands from the server at certain time intervals. The author has done this in order to avoid IDS or IPS detection by reducing network communication. The network connection is also encrypted by RC4 or compressed by Zlib.


Recently, malware that targets Mac computers, such as OSX.Flashback and OSX.Sabpab, is increasing. This recent increase provides evidence that malware authors now consider Mac computers a viable battleground along with the Windows platform. Certainly it is now time for you to arm your Mac computer with a good security product.

Symantec detects the Java Applet malware as Trojan.Maljava, the droppers as Trojan.Dropper, and the back door Trojans as Backdoor.Trojan. We continue to watch out for both Mac and Windows malware in order to protect our customers.

Defense Clandestine Service: Pentagon Reorganizes Intel into New Spy Shop

Via CBS News -

The Pentagon is rebranding and reorganizing its clandestine spy shop, sending more of its case officers to work alongside CIA officers to gather intelligence in places like China, after a decade of focusing intensely on war zones.

Several hundred case officers will make up the new Defense Clandestine Service. Drawn from the Defense Intelligence Agency, the officers will be sent to beef up U.S. intelligence teams in areas that are now receiving more attention. Those include Africa, where al Qaeda is increasingly active, to parts of Asia where the North Korean missile threat and Chinese military expansion are causing increasing U.S. concern.

The new effort was described by a senior defense official who spoke on condition of anonymity because he was not authorized to speak publicly about the classified program.

Defense Department case officers already secretly gather intelligence across the globe on terrorism, weapons of mass destruction and other issues, mostly working out of CIA stations in embassies and operating undercover like their CIA counterparts.

But an internal study by the Director of National Intelligence last year found the agency still focused more on its traditional mission of providing the military with intelligence in war zones, and less on what's called "national" intelligence — gathering and disseminating information on global issues and sharing that intelligence with other national security agencies, the official said.

The study also found that the Pentagon did not always reward clandestine service overseas with promotions, so its most experienced case officers often left for the CIA, or switched to other career paths within the Pentagon.


The case officers in the field — some military and some civilian — will answer directly to the top intelligence representative in their post, usually the CIA's chief of station, in addition to serving their agency back home. The arrangement is likely to curb complaints seen in earlier expansions of the Defense Department's spy mission, which the CIA and other agencies saw as the military stepping on their territory.

The changes were worked out by the top Pentagon intelligence official, Under Secretary of Defense for Intelligence Michael Vickers, and his CIA counterpart who heads the National Clandestine Service, and briefed to Congress before Defense Secretary Leon Panetta signed off on the new program last Friday.


Looks like they are playing better together, post-CIFA days.

Monday, April 16, 2012

Recent Purported CEIEC Document Dump Booby-Trapped

Via ShadowServer -

In recent weeks thousands of documents have been released online by a hacktivist going by the online moniker of "Hardcore Charlie." These documents appear to have potentially been sourced and possibly stolen from various businesses and governments in different countries including the United States, the Philippines, Myanmar, Vietnam, and others. In particular Hardcore Charlie has been attempting to draw attention to some of the documents that apparently relate to U.S. military operations in Afghanistan. The twist in all of this is that the documents are purported to have been stolen by Hardcore Charlie from the Beijing-based military contractor China National Import & Export Corp (CEIEC). If true, that would mean that the documents were stolen at least twice. These are allegations that CEIEC has strongly denied and condemned in a post on their website.

This entire turn of events has raised more questions than it has answered. Are the documents legitimate? Where were they originally stolen from? If these were really stolen twice, who stole them first? We unfortunately do not have the answer to any of these questions. However, one thing we do have is words of caution and some interesting information about a handful of the documents found in this dump. Within the document dump in a folder related to Vietnam are 11 malicious documents (8 unique) that exploit vulnerabilities (CVE-2010-3333 and CVE-2009-3129) in Microsoft Office to install malware. These documents installed four different types of backdoors that reported back to six distinct command and control servers. Two of the backdoors were unfamiliar to us and the other two were the well known Poison Ivy RAT and the Enfal/Lurid. At least one hostname could be tied back to a known set of persistent actors engaged in cyber espionage.


Vietnamese Targeting and Timeline

These nine unique samples from the document dump from Hardcore Charlie appear to lead to multiple different attack campaigns targeting Vietnamese interests. The malicious documents have Vietnamese names and will open legitimate clean versions of the documents in Vietnamese upon successful exploitation. At least one of the trojan samples even saves itself as a file that might blend in on a Vietnamese computer. Another has strings related to the Vietnamese version of Google, while another uses a DNS name that is in Vietnamese as well. We would suspect this may just be the tip of the iceberg.

As for timing -- several indicators seem to point to these documents being approximately a year old. The most obvious and more tamper-proof piece of evidence being a VirusTotal submission from April 2011. You may note the document from this submission was named BC cua chi binh voi BCS.doc. However, this file has the same MD5 hash, 32f5ad4f09135fcdde86ecd4c466a993, which matches the file we saw named Danh sach.doc. This indicates that this activity is not new and these files may have been unknowingly included in this document dump.


These malicious documents within the data dump raise several questions and can lead to plenty of speculation. Were these malicious documents resident on victim systems from previous targeted APT campaigns and exfiltrated alongside the legitimate documents as part of another cyber espionage operation? Could it be that they were intentionally placed into this data dump? Anything is possible and we do not have all the answers. However, we can tell you that a few of the malware samples had previously been submitted to VirusTotal in early 2011. Additionally, metadata of the clean documents dropped by a few of the malware payloads showed that the documents were also created in 2011, indicating that the malicious documents have likely been circulating in the wild for more than a year.

Although many questions remain, the following facts are clear:

  • A small subset of the documents contained in the purported CEIEC dump are malicious.
  • These malicious documents drop a mix of malware families including Poison Ivy, Enfal/Lurid and two unnamed families.
  • Some of the malware samples extracted from the CEIEC dump connect to infrastructure used in previous APT campaigns.

These documents just go to show that malicious files can end up pretty much anywhere. We are stating the obvious but remember to exercise caution when viewing files you downloaded from the Internet. Microsoft patched the two vulnerabilities used in these attacks quite some time ago. They patched CVE-2009-3129 with MS09-067 and CVE-2010-3333 with MS10-087. Malicious documents that exploit vulnerabilities in Microsoft Office, Adobe Acrobat [Reader], or components loaded by these pieces of software are still some of the most common ways in which cyber espionage attacks are conducted. Staying current with the latest versions and security patches for any software you run is highly recommended.
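The ShadowServer write-up above identifies the booby-trapped files by MD5 match against an earlier VirusTotal submission and by the mismatch between a .doc name and what the file actually is. The following is an added example, not ShadowServer's tooling, showing the same two triage checks over a document dump: hash each file against a known-bad indicator set, and compare the container format found in the file's first bytes (OLE2, RTF, PDF, OOXML zip) with the format its extension implies. All file names, contents and the "known-bad" hash set are constructed here for illustration (the known-bad set is derived from a harmless placeholder string, not real malware); a real run would load indicators from an IoC feed and point `triage_directory()` at the extracted dump. An RTF body behind a .doc name is not malicious by itself (Word opens it happily), which is exactly why it deserves a second look.

```python
"""Hash-and-container triage of a document dump (added example; constructed data)."""
import hashlib
import os
import tempfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt compound file header

# Constructed sample contents: harmless placeholders, none of these are real malware.
MALICIOUS_SAMPLE = b"{\\rtf1\\ansi CONSTRUCTED PLACEHOLDER FOR A KNOWN-BAD RTF }"
SAMPLE_FILES = {
    "report_1.doc": MALICIOUS_SAMPLE,                  # RTF body behind a .doc name
    "budget.xls": OLE2_MAGIC + b"\x00" * 64,           # genuine OLE2 container
    "notes.pdf": b"%PDF-1.4\n%constructed clean pdf\n",
    "readme.doc": b"just some plain text",             # no recognizable container at all
}
# Known-bad indicator set, constructed here by hashing the placeholder above.
KNOWN_BAD_MD5 = {hashlib.md5(MALICIOUS_SAMPLE).hexdigest()}

MAGIC = [("ole2", OLE2_MAGIC), ("rtf", b"{\\rtf"), ("pdf", b"%PDF"), ("ooxml", b"PK\x03\x04")]
NATIVE_CONTAINER = {".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
                    ".docx": "ooxml", ".xlsx": "ooxml", ".pdf": "pdf", ".rtf": "rtf"}


def detect_container(head):
    """Classify a file by its leading bytes; 'unknown' if no magic matches."""
    for name, magic in MAGIC:
        if head.startswith(magic):
            return name
    return "unknown"


def triage_file(path):
    """Hash one file and record any finding worth an analyst's attention."""
    with open(path, "rb") as fh:
        data = fh.read()
    md5 = hashlib.md5(data).hexdigest()
    container = detect_container(data[:8])
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if md5 in KNOWN_BAD_MD5:
        findings.append("known-bad hash")
    expected = NATIVE_CONTAINER.get(ext)
    if container == "unknown":
        findings.append("unrecognized container")
    elif expected and container != expected:
        findings.append(f"{container} content behind {ext} extension")
    return {"name": os.path.basename(path), "md5": md5,
            "sha256": hashlib.sha256(data).hexdigest(),
            "container": container, "findings": findings}


def triage_directory(directory):
    """Triage every regular file in a directory, in a stable name order."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results.append(triage_file(path))
    return results


def run_demo():
    """Write the constructed samples to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return triage_directory(tmp)


if __name__ == "__main__":
    for r in run_demo():
        print(r["name"], r["container"], r["md5"], "; ".join(r["findings"]) or "ok")
```

Both SHA-256 and MD5 are recorded because older indicator lists (including the VirusTotal submission ShadowServer cites) are keyed on MD5 while current sharing is SHA-256 based; a hash miss never clears a file, it only means nobody has reported that exact bytes yet, which is why the container check runs regardless of the hash result.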

Saturday, April 14, 2012

SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link

Via Securelist.com (Kaspersky) -

We can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.

The remote C&C website - rt***.onedumb.com is hosted on a VPS located in the U.S, Fremont, CA.

“Onedumb.com” is a free dynamic DNS service. Interestingly, the C&C at IP 199.192.152.* was used in other targeted attacks (known as “Luckycat”) in the past.


The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products.

At the moment, it is not clear how users get infected with this, but the low number and its backdoor functionality indicates that it is most likely used in targeted attacks. Several reports exist which suggest the attack was launched through e-mails containing a URL pointing to two websites hosting the exploit, located in the US and Germany.

The timing of the discovery of this backdoor is interesting because in March, several reports pointed to Pro-Tibetan targeted attacks against Mac OS X users. The malware does not appear to be similar to the one used in these attacks, though it is possible that it was part of the same or other similar campaigns.

One other important detail is that the backdoor has been compiled with debug information - which makes its analysis quite easy. This can be an indicator that it is still under development and it is not the final version.


Kaspersky redacted part of the C2 info, but Symantec did not...

Symantec - OSX.Sabpab
Next, the Trojan connects to the following location and opens a back door on the compromised computer: hxxp://rtx556.onedumb.com

Fighting the OSX/Flashback Hydra

Via ESET Threat Blog -

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission of MRT: remove Flashback.


When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.

When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.

Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size.

Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID.

The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&C address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and is working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter.
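ESET's point above about hardware UUIDs being an unreliable host identifier (one Hack-intosh UUID seen from 20 source IPs) is worth working through on data. The following is an added example, not ESET's sinkhole code: it parses constructed sinkhole log lines of the form `timestamp source-ip uuid`, groups source IPs per reported UUID, flags UUIDs seen from an unusually large number of addresses, and produces both the naive count (distinct UUIDs) and an adjusted estimate that counts each such shared UUID once per source address. The log format, the addresses (RFC 5737 documentation ranges) and the UUIDs are all constructed; the threshold of three addresses per UUID is an assumption chosen for the sample, and the adjusted figure is itself only a bound, since a single host moving between dynamic or NAT addresses also shows up from several IPs.

```python
"""Estimate distinct bots from constructed sinkhole logs, allowing for shared hardware UUIDs.

Added example; the log lines, IPs and UUIDs below are constructed, not captured data.
"""
import ipaddress
import re
from collections import defaultdict

UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Constructed sinkhole log: one line per check-in, 'timestamp source-ip reported-uuid'.
# The third UUID is a stand-in for a UUID shared by many installs of one image.
SINKHOLE_LOG = """\
2012-04-13T10:01:02Z 198.51.100.10 1A2B3C4D-1111-2222-3333-444455556666
2012-04-13T10:01:05Z 198.51.100.10 1A2B3C4D-1111-2222-3333-444455556666
2012-04-13T10:02:11Z 203.0.113.7 9E8D7C6B-AAAA-BBBB-CCCC-DDDDEEEEFFFF
2012-04-13T10:03:40Z 192.0.2.44 FFFFFFFF-0000-1111-2222-333344445555
2012-04-13T10:03:41Z 192.0.2.45 FFFFFFFF-0000-1111-2222-333344445555
2012-04-13T10:03:42Z 192.0.2.46 FFFFFFFF-0000-1111-2222-333344445555
2012-04-13T10:03:43Z 198.51.100.200 ffffffff-0000-1111-2222-333344445555
2012-04-13T11:00:00Z 203.0.113.7 9E8D7C6B-AAAA-BBBB-CCCC-DDDDEEEEFFFF
this line is deliberately malformed and must be skipped
"""


def parse_sinkhole_log(text):
    """Return ([(ip, UUID), ...], skipped_line_count); rejects malformed records."""
    records, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not UUID_RE.match(parts[2]):
            skipped += 1
            continue
        try:
            ip = str(ipaddress.ip_address(parts[1]))   # canonical form, validates v4/v6
        except ValueError:
            skipped += 1
            continue
        records.append((ip, parts[2].upper()))        # UUIDs compare case-insensitively
    return records, skipped


def analyze_sinkhole(text, shared_threshold=3):
    """Count distinct UUIDs and IPs, flag UUIDs seen from >= shared_threshold addresses,
    and give an adjusted host estimate that expands each shared UUID to its IP count."""
    records, skipped = parse_sinkhole_log(text)
    ips_by_uuid = defaultdict(set)
    for ip, uuid in records:
        ips_by_uuid[uuid].add(ip)
    shared = {u: len(ips) for u, ips in ips_by_uuid.items() if len(ips) >= shared_threshold}
    adjusted = sum(len(ips) if u in shared else 1 for u, ips in ips_by_uuid.items())
    return {
        "distinct_uuids": len(ips_by_uuid),            # naive 'unique host' figure
        "distinct_ips": len({ip for ip, _ in records}),
        "shared_uuids": shared,                        # UUID -> number of source IPs
        "adjusted_estimate": adjusted,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    summary = analyze_sinkhole(SINKHOLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample, the naive count says three hosts while four different addresses report the shared UUID within seconds of each other, so the adjusted estimate of six is the more defensible floor; on real sinkhole data the check-in timing per UUID (simultaneous check-ins from different networks cannot be one machine) is the signal that separates a shared image UUID from a laptop changing networks.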


Flashback Malware Removal Tool
This Flashback malware removal tool will remove the most common variants of the Flashback malware. If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed. In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.

This update is recommended for all OS X Lion users without Java installed.

Monday, April 9, 2012

S. Korean Government Says North Preparing for Third Nuclear Test

Via Washington Post -

As North Korea prepares for a long-range rocket launch within the next week, the South Korean government has released fresh evidence that, it says, suggests a nuclear test soon could follow.

Seoul’s Ministry of Unification, in charge of policy toward Pyongyang, on Sunday sent a report to journalists detailing activity at a test site in North Korea’s northeast, the location for previous nuclear tests in 2006 and 2009. The report, citing recent commercial satellite images, said that the North is “on its way to another grave provocation” by gathering dirt at the entrance to a tunnel.

According to the analysis, that dirt would be used to plug the tunnel before conducting an underground test, which would be the North’s third.

“The effort is believed to be in its final stages,” said the report, which was drafted by Seoul’s intelligence agency. “The soil around the tunnel’s entrance appeared to have been brought in from another region and has been growing in amount since March.”

If North Korea conducts a nuclear test soon after launching its rocket, it would match the pattern set by the reclusive country in 2006 and 2009, in which launches brought international condemnation. In both cases, Pyongyang, outraged by the outrage, tested nuclear devices soon after.

But predictions about a third nuclear test have run rampant in the past two years, and progressive media in Seoul suggested that the latest release was an attempt by the ruling conservative party to gain voter support in advance of Wednesday’s parliamentary elections.

The announcement might be a “red herring election move by conservatives,” the liberal Hankyoreh newspaper said in a headline on its Web site.

Intelligence Surge Boosts U.S. Confidence on Iran’s Nuclear Program

Via Washington Post -

More than three years ago, the CIA dispatched a stealth surveillance drone into the skies over Iran.

The bat-winged aircraft penetrated more than 600 miles inside the country, captured images of Iran’s secret nuclear facility at Qom and then flew home. All the while, analysts at the CIA and other agencies watched carefully for any sign that the craft, dubbed the RQ-170 Sentinel, had been detected by Tehran’s air defenses on its maiden voyage.

“There was never even a ripple,” said a former senior U.S. intelligence official involved in the previously undisclosed mission.

CIA stealth drones scoured dozens of sites throughout Iran, making hundreds of passes over suspicious facilities, before a version of the RQ-170 crashed inside Iran’s borders in December. The surveillance has been part of what current and former U.S. officials describe as an intelligence surge that is aimed at Iran’s nuclear program and that has been gaining momentum since the final years of George W. Bush’s administration.

The effort has included ramped-up eavesdropping by the National Security Agency, formation of an Iran task force among satellite-imagery analysts and an expanded network of spies, current and former U.S. officials said.

At a time of renewed debate over whether stopping Iran might require military strikes, the expanded intelligence collection has reinforced the view within the White House that it will have early warning of any move by Iran to assemble a nuclear bomb, officials said.

“There is confidence that we would see activity indicating that a decision had been made,” said a senior U.S. official involved in high-level discussions about Iran policy. “Across the board, our access has been significantly improved.”


There is also the chastening experience of Iraq. A decade ago, analysts at the CIA and other agencies were confident that Iraq had stockpiles of banned weapons, including the components of a nuclear weapons program. A costly U.S. invasion and futile search for those stockpiles proved them wrong.

The sting of that intelligence failure was still fresh when U.S. spy agencies came under pressure to ramp up collection efforts against Iran. By 2006, U.S. intelligence officials and top Bush advisers had become alarmed by deep gaps in U.S. knowledge of Iran’s nuclear efforts and ambitions.

Michael V. Hayden, then the new CIA director, recalled a White House briefing in which Bush became visibly agitated.

At the time, Iran was rapidly expanding its stockpile of enriched uranium at its main Natanz facility while working on what was then a secret site at Qom. American officials feared that Iran might surprise the world with a nuclear weapons test that would leave U.S. leaders with two highly unpalatable options: Attack Iran or accept the emergence of a new nuclear power in the Middle East.

At one point, Bush turned to Hayden and said, “I don’t want any U.S. president to be faced with only two choices when it comes to Iran,” according to Hayden. Efforts to reach Bush for comment were not successful.

The meeting became the impetus for overhauling the CIA’s approach to a country considered one of its hardest targets. The agency’s Iran experts and operatives were moved from its Near East Division to a group focused exclusively on Iran, much as the CIA had formed its Counterterrorism Center 20 years earlier.

“We put the best people on the job and put the most talented people in charge,” Hayden said. “Then we said, ‘Tell us what you need to get the job done.’ ”

Known internally as “Persia House,” the Iran Operations Division was set up in the agency’s Old Headquarters Building. Over time, it swelled from several dozen analysts and officers to several hundred. The division is now headed by a veteran case officer who previously served as CIA station chief in Islamabad, Pakistan.

“It got a robust budget,” said a former senior CIA official who worked in the Near East Division at the time. The Iran division’s emphasis was “getting people overseas in front of people they needed to be in front of — there are a lot of places to meet Iranians outside Iran.”


One of those operations was exposed last year, when an RQ-170, flown from an airstrip in Afghanistan, crashed inside Iran. Officials in Tehran have triumphantly claimed credit for bringing the stealth drone down and have released pictures showing the drone apparently patched up after the crash. U.S. officials say a technical failure caused the crash.


Despite the setback, U.S. officials said that some surveillance flights continue and that the damage to American espionage capacity overall has been limited.

That is partly because the drone flights were only a small part of a broad espionage campaign involving the NSA, which intercepts e-mail and electronic communications, as well as the National Geospatial-Intelligence Agency, which scours satellite imagery and was the first to spot the uranium enrichment plant at Qom.


The expanded espionage effort has confirmed the consensus view expressed by the U.S. intelligence community in a controversial estimate released publicly in 2007. That estimate concluded that while Iran remains resolutely committed to assembling key building blocks for a nuclear weapons program, particularly enriched uranium, the nation’s leaders have opted for now against taking the crucial final step: designing a nuclear warhead.

“It isn’t the absence of evidence, it’s the evidence of an absence,” said one former intelligence official briefed on the findings. “Certain things are not being done.”

Kaspersky Lab Confirms Flashback Botnet Infected More Than 600,000 Mac OS X Computers

Via Kaspersky Lab News -

Kaspersky Lab’s experts recently analyzed Flashfake, a massive botnet that infected more than 600,000 computers worldwide, and concluded that more than 98% of the infected computers were most likely running a version of Mac OS X. To infect victims’ computers, the cyber criminals behind the Flashfake botnet were installing a Flashfake Trojan that gained entry into users’ computers without their knowledge by exploiting vulnerabilities in Java. To analyze the botnet, Kaspersky Lab’s experts reverse-engineered the Flashfake malware and registered several domain names which could be used by criminals as a C&C server for managing the botnet. This method enabled them to intercept and analyze the communications between infected computers and the other C&Cs.

The analysis showed that there were more than 600,000 infected machines, with the largest regions being the United States (300,917 infected computers), followed by Canada (94,625), the United Kingdom (47,109) and Australia (41,600). Using a heuristic “OS fingerprinting” method, Kaspersky Lab’s researchers were able to gauge which operating systems the infected computers were running, and found that 98% were most likely running Mac OS X. It is anticipated that the other 2% of machines running the Flashfake bot are very likely to be Macs as well.


Flashfake is a family of OS X malware that first appeared in September 2011. Previous variants of the malware relied on cyber criminals using social engineering techniques to trick users into downloading the malicious program and installing it in their systems. However, this latest version of Flashfake does not require any user-interaction and is installed via a “drive-by download,” which occurs when victims unwittingly visit infected websites, allowing the Trojan to be downloaded directly onto their computers through the Java vulnerabilities. After infection the Trojan uploads additional payload which hijacks victims’ search results inside their web browsers to conduct a “click-fraud” scam.

Although no other malicious activities have currently been detected by the Trojan, the risk is still significant because the malware functions as a downloader on users’ computers, which means the cyber criminals behind Flashfake can easily issue new, updated malware - capable of stealing confidential information such as passwords or credit card details - and install it onto infected machines.

Although Oracle issued a patch for this vulnerability three months ago, Apple delayed in sending a security update to its customer base until 2 April. Users who have not updated their systems with the latest security should install and update immediately to avoid infection.


Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500,000 infected Mac machines.

Individual Mac OS X users can query Dr. Web's database of infected Macs to determine if their machine was seen in the collected data....

After sinkholing one of the Flashback C2 servers, Kaspersky created flashbackcheck.com, which can be used in a similar fashion to the Dr. Web check above.


Corporations can check the User-Agent data collected at their outbound proxies.

The bots can be identified by a unique variable named “id” in their User-Agent HTTP header; the rest of the User-Agent is statically controlled by the Trojan. See the example below:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"

The 'id' variable would contain the Hardware UUID of the infected OS X system.
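The proxy-log check described above, as an added example (this is not Kaspersky's or the blog's code). It assumes a simple log layout of timestamp, client IP, status and quoted User-Agent, which is a constructed format; real proxies use their own layouts, so the line regex is the part to adapt. The sample lines are constructed, reusing the UUID quoted in the post, and the fourth line is a genuine Firefox 9 User-Agent with no "sv"/"id" tokens to show that ordinary browsers do not match:

```python
import re

# Flashfake bots insert "sv:<n>; id:<Hardware UUID>" into an otherwise static
# Firefox-style User-Agent. Normal browsers never send those tokens, so the
# "id" token (a UUID: 8-4-4-4-12 hex groups) is the detection key.
FLASHFAKE_MARKER_RE = re.compile(
    r"\bsv:\d+; id:(?P<hwuuid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\b"
)

# Assumed log layout: <timestamp> <client_ip> <status> "<user-agent>".
# Squid, Blue Coat and others differ; change this regex to match your proxy.
LOG_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Constructed sample proxy log (not real traffic).
SAMPLE_PROXY_LOG = """\
2012-04-06T10:01:02Z 10.1.2.3 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10"
2012-04-06T10:01:05Z 10.1.2.44 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
2012-04-06T10:01:09Z 10.1.2.44 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"
2012-04-06T10:02:11Z 10.1.3.7 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
2012-04-06T10:03:40Z 10.1.9.9 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:0123ABCD-4567-89EF-0123-456789ABCDEF) Gecko/20100101 Firefox/9.0.1"
"""


def extract_flashfake_id(user_agent):
    """Return the Hardware UUID carried in a Flashfake User-Agent, or None."""
    m = FLASHFAKE_MARKER_RE.search(user_agent)
    return m.group("hwuuid").upper() if m else None


def find_flashfake_hosts(log_text):
    """Map each internal client IP to the set of Hardware UUIDs it reported.

    One IP reporting several UUIDs usually means NAT in front of several Macs;
    the UUID itself is what you match against the machine's System Report.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        hwuuid = extract_flashfake_id(m.group("ua"))
        if hwuuid:
            hits.setdefault(m.group("ip"), set()).add(hwuuid)
    return hits


if __name__ == "__main__":
    for ip, uuids in sorted(find_flashfake_hosts(SAMPLE_PROXY_LOG).items()):
        print(ip, "->", ", ".join(sorted(uuids)))
```

Matching on the "sv:/id:" tokens rather than the whole static string keeps the check robust if a later build changes the surrounding browser version, while the UUID shape requirement keeps false positives down; the hardware UUID you recover is what the desktop team can compare against the affected Mac's System Report to confirm the host.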


F-Secure Labs has released a free removal tool - https://www.f-secure.com/weblog/archives/00002346.html


10 Simple Tips for Boosting The Security Of Your Mac

American Universities Infected by Foreign Spies Detected by FBI

Via Bloomberg (April 8, 2012) -

While overshadowed by espionage against corporations, efforts by foreign countries to penetrate universities have increased in the past five years, Figliuzzi said. The FBI and academia, which have often been at loggerheads, are working together to combat the threat, he said.

Attempts by countries in East Asia, including China, to obtain classified or proprietary information by “academic solicitation,” such as requests to review academic papers or study with professors, jumped eightfold in 2010 from a year earlier, according to a 2011 U.S. Defense Department report. Such approaches from the Middle East doubled, it said.

“Placing academics at U.S. research institutions under the guise of legitimate research offers access to developing U.S. technologies and cutting-edge research” in such areas as information systems, lasers, aeronautics and underwater robots, the report said.


While most international students, researchers and professors come to the U.S. for legitimate reasons, universities are an “ideal place” for foreign intelligence services “to find recruits, propose and nurture ideas, learn and even steal research data, or place trainees,” according to a 2011 FBI report.

In one instance described in the report, the hosts of an international conference invited a U.S. researcher to submit a paper. When she gave her talk at the conference, they requested a copy, hooked a thumb drive to her laptop and downloaded every file. In another, an Asian graduate student arranged for researchers back home to visit an American university lab and take unauthorized photos of equipment so they could reconstruct it, the report said.

A foreign scientist’s military background or purpose isn’t always apparent. Accustomed to hosting visiting scholars, Professor Daniel J. Scheeres didn’t hesitate to grant a request several years ago by Yu Xiaohong to study with him at the University of Michigan. She expressed a “pretty general interest” in Scheeres’s work on topics such as movement of celestial bodies in space, he said in a telephone interview.

She cited an affiliation with the Chinese Academy of Sciences, a civilian organization, Scheeres said. The Beijing address Yu listed in the Michigan online directory is the same as the Academy of Equipment Command & Technology, where instructors train Chinese military cadets and officers. Scheeres said he wasn’t aware of that military connection, nor that Yu co-wrote a 2004 article on improving the precision of anti-satellite weapons.

Once Yu arrived, her questions made him uncomfortable, said Scheeres, who now teaches at the University of Colorado. As a result, he stopped accepting visiting scholars from China.

“It was pretty clear to me that the stuff she was interested in probably had some military satellite-orbit applications,” he said. “Once I saw that, I didn’t really tell her anything new, or anything that couldn’t be published. I didn’t engage that deeply with her.”


Unlike its counterparts in other countries, which rely on their own operatives, China’s intelligence service deploys a freelance network including students, researchers and false-front companies, said David Major, president of the Centre for Counterintelligence and Security Studies in Falls Church, Virginia and a former FBI official.

China has “lots of students who either are forced to or volunteer to collect information,” he said. “I’ve heard it said, ‘If it wanted to steal a beach, Russia would send a forklift. China would send a thousand people who would pick up a grain of sand at a time.’”

China also has more than 3,000 front companies in the U.S. “for the sole purpose of acquiring our technology,” former CIA officer S. Eugene Poteat, president of the Association of Former Intelligence Officers in McLean, Virginia, wrote in the fall/winter 2006-2007 edition of “Intelligencer: Journal of U.S. Intelligence Studies.”


Universities “may not fully grasp exactly who they’re spinning off their inventions to,” Figliuzzi said. “The company could be a front for a foreign power, and often is. We share specific intelligence with university presidents, and we’ve opened some eyes.”

Michigan State’s Simon learned to be wary of front companies by serving on the National Security Higher Education Advisory Board, established by the FBI and CIA in 2005. It “makes you more aware that you need to look below the surface of some of these offers,” she said. “A short-term solution may turn into an institutional embarrassment.”

Saturday, March 31, 2012

Researchers Document Chinese Censorship in Detail

Via Technology Review -

We already knew that the "great firewall" barred many people in China from reaching websites deemed subversive or otherwise inappropriate by the government. Now comes evidence of just how sophisticated and widespread the censorship is even on sites inside the firewall.

Researchers at Carnegie Mellon analyzed how often posts to social networking sites in China will be deleted if they contain certain terms and found that, for example, at least 16 percent of the messages at one popular microblog site, Sina Weibo, were sent to the memory hole. The researchers document their work in great detail at http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3943/3169

Australian DSD: iOS Hardening Configuration Guide


About this Guide

This guide provides instructions and techniques for Australian government agencies to harden the security of iOS 5 devices.

Implementing the techniques and settings found in this document can affect system functionality, and may not be appropriate for every user or environment.

However agencies wishing to differ from the mandatory controls specified in this guide must note that the product will no longer fall under the evaluated configuration. In these cases, agencies should seek approval for non-compliance from their agency head and/or accreditation authority to allow for the formal acceptance of the risks involved.

iOS Evaluation

As per the Evaluated Product List, the Defence Signals Directorate (DSD) has found Apple iOS data protection classes A and B to be suitable for downgrading the handling of PROTECTED information to that of Unclassified. This document provides guidance on policy that either must be enforced or is at the agency’s discretion.

Thursday, March 29, 2012

Case Based in China Puts a Face on Persistent Hacking

Via New York Times -

A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university — putting a face on the persistent espionage by Chinese hackers against foreign companies and groups.

The attacks were connected to an online alias, according to a report to be released on Friday by Trend Micro, a computer security firm with headquarters in Tokyo.

The owner of the alias, according to online records, is Gu Kaiyuan, a former graduate student at Sichuan University, in Chengdu, China, which receives government financing for its research in computer network defense.

Mr. Gu is now apparently an employee at Tencent, China’s leading Internet portal company, also according to online records. According to the report, he may have recruited students to work on the university’s research involving computer attacks and defense.

The researchers did not link the attacks directly to government-employed hackers. But security experts and other researchers say the techniques and the victims point to a state-sponsored campaign.

“The fact they targeted Tibetan activists is a strong indicator of official Chinese government involvement,” said James A. Lewis, a former diplomat and expert in computer security who is a director and senior fellow at the Center for Strategic and International Studies in Washington. “A private Chinese hacker may go after economic data but not a political organization.”

Neither the Chinese embassy in Washington nor the Chinese consulate in New York answered requests for comment.

The Trend Micro report describes systematic attacks on at least 233 personal computers. The victims include Indian military research organizations and shipping companies; aerospace, energy and engineering companies in Japan; and at least 30 computer systems of Tibetan advocacy groups, according to both the report and interviews with experts connected to the research. The espionage has been going on for at least 10 months and is continuing, the report says.

In the report, the researchers detailed how they had traced the attacks to an e-mail address used to register one of the command-and-control servers that directed the attacks. They mapped that address to a QQ number — China’s equivalent of an online instant messaging screen name — and from there to an online alias.

The person who used the alias, “scuhkr” — the researchers said in an interview that it could be shorthand for Sichuan University hacker — wrote articles about hacking, which were posted to online hacking forums and, in one case, recruited students to a computer network and defense research program at Sichuan University’s Institute of Information Security in 2005, the report said.

The New York Times traced that alias to Mr. Gu. According to online records, Mr. Gu studied at Sichuan University from 2003 to 2006, when he wrote numerous articles about hacking under the names of “scuhkr” and Gu Kaiyuan. Those included a master’s thesis about computer attacks and prevention strategies. The Times connected Mr. Gu to Tencent first through an online university forum, which listed where students found jobs, and then through a call to Tencent.

Reached at Tencent and asked about the attacks, Mr. Gu said, “I have nothing to say.”


Does Lucky Cat sound familiar? That is for good reason.

Wednesday, March 28, 2012

The Luckycat Hackers



A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after.


The most useful information about the attackers is in one of the log files retrieved from a C&C server. This log file appears to record connections to an FTP server running on the C&C server. The attackers probably use FTP to easily retrieve stolen data uploaded to the C&C server. 45 unique IP addresses were identified in the log. Of these, all but two are from the same ISP, based in Sichuan province in China. The remaining two are from South Korea.

Despite this, the IP address used for the new connection changes regularly. In figure 7, during a period of approximately an hour and 15 minutes, four different IP addresses were used for six distinct connections. This is unusual because if the attacker is using DHCP, generally an IP address will remain allocated to a particular computer for a longer period of time.

A possible explanation is that the IP addresses used are the point of egress of a VPN-like service. The attackers may be using a service through which they can route their connections. The service periodically rotates connections amongst a pool of IP addresses in order to render the attacker anonymous or implicate China as the source of the attack. There are two potential reasons for the South Korean IP addresses. The first is that the IP addresses are part of the VPN service and were assigned to the attacker as the service rotated through the range of IP addresses available. The second explanation is that the attacker may have forgotten to enable the VPN by mistake and connected directly to the C&C server.
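The IP-churn analysis the report describes (how many distinct addresses appear within a short window, and which provider they belong to) can be reproduced over any connection log. Below is an added example, not Symantec's tooling or the log from figure 7: the FTP log lines are constructed, using documentation address ranges, and the provider table is a constructed stand-in for a whois or GeoIP/ASN lookup. The sample deliberately mirrors the report's observation of six connections from four addresses in about an hour and a quarter:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed FTP connection log (not real data). Layout assumed: <date> <time> <ip> <event>.
SAMPLE_FTP_LOG = """\
2011-09-14 08:02:13 203.0.113.17 LOGIN
2011-09-14 08:19:40 203.0.113.17 LOGIN
2011-09-14 08:31:05 203.0.113.88 LOGIN
2011-09-14 08:44:52 203.0.113.142 LOGIN
2011-09-14 09:05:30 203.0.113.142 LOGIN
2011-09-14 09:16:01 203.0.113.201 LOGIN
2011-09-15 22:10:44 198.51.100.9 LOGIN
2011-09-16 01:33:12 198.51.100.9 LOGIN
"""

# Constructed prefix -> provider table. In real work replace constructed_isp_of()
# with a whois or GeoIP/ASN lookup.
CONSTRUCTED_ISP_TABLE = {
    "203.0.113.": "ISP-A (constructed)",
    "198.51.100.": "ISP-B (constructed)",
}


def parse_ftp_log(text):
    """Return a list of (timestamp, ip) for every LOGIN line in the log."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "LOGIN":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append((ts, parts[2]))
    return events


def max_distinct_ips_in_window(events, window=timedelta(minutes=75)):
    """Sliding window: find the span of at most `window` length that contains the
    largest number of distinct source IPs. High churn in a short span is the
    signature of a rotating VPN/proxy egress rather than a DHCP lease change."""
    events = sorted(events)
    best = {"distinct_ips": 0, "connections": 0, "start": None, "end": None}
    j = 0  # right edge only moves forward because events are sorted
    for i, (t_start, _) in enumerate(events):
        while j < len(events) and events[j][0] - t_start <= window:
            j += 1
        span = events[i:j]
        distinct = len({ip for _, ip in span})
        if distinct > best["distinct_ips"] or (
            distinct == best["distinct_ips"] and len(span) > best["connections"]
        ):
            best = {
                "distinct_ips": distinct,
                "connections": len(span),
                "start": span[0][0],
                "end": span[-1][0],
            }
    return best


def constructed_isp_of(ip):
    """Stand-in for an ASN/whois lookup (constructed table above)."""
    for prefix, label in CONSTRUCTED_ISP_TABLE.items():
        if ip.startswith(prefix):
            return label
    return "unknown"


def attribute_ips(ips, isp_of):
    """Count unique source IPs per provider label; outliers (the two South Korean
    addresses in the report) show up as small counts next to one dominant ISP."""
    return Counter(isp_of(ip) for ip in set(ips))


if __name__ == "__main__":
    evts = parse_ftp_log(SAMPLE_FTP_LOG)
    print(max_distinct_ips_in_window(evts))
    print(attribute_ips([ip for _, ip in evts], constructed_isp_of))
```

The window length is a parameter because the interesting number is relative: a handful of addresses within an hour from one provider points at a rotating pool, while the same addresses spread over days would be consistent with ordinary lease changes. The per-provider count is what surfaces the "forgot to enable the VPN" outliers the report speculates about.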

Adobe Flash Player w/ Automatic Updates!

Adobe has released Flash Player v11.2.202.228, which addresses critical vulnerabilities and introduces automatic updates.

Grab v11.2.202.228 here.

For more information, check out the Adobe Secure Software Engineering Team (ASSET) Blog, "An Update for the Flash Player Updater".

Adobe Reader and Adobe Flash Player have been heavily targeted by cyber criminals and APT actors in the past. It is good to see Adobe taking serious steps to make their products more resistant to exploitation.

Oracle, are you listening? *cough* Java *cough*

Tuesday, March 27, 2012

Trojan.Taidoor Takes Aim at Policy Think Tanks


Executive Summary

Trojan.Taidoor has been consistently used in targeted attacks during the last three years. Since May 2011, there has been a substantial increase in its activity. Taidoor’s current targets are primarily private industry and influential international think tanks with a direct involvement in US and Taiwanese affairs. Facilities in the services sector that these organizations may use have also been targeted. There are a number of additional ancillary targets.

Trojan.Taidoor dates back to March 2008 and in-field telemetry has identified Taidoor being used in targeted attack emails since May 2009. Fourteen distinct versions and three separate families of the Trojan have been identified to date. The threat continues to evolve to suit the attackers’ requirements.

Saturday, March 24, 2012

U.S. Intelligence Report Warns of Global Water Tensions

Via New York Times (March 22, 2012) -

The American intelligence community warned in a report released Thursday that problems with water could destabilize countries in North Africa, the Middle East and South Asia over the next decade.

Increasing demand and competition caused by the world’s rising population and scarcities created by climate change and poor management threaten to disrupt economies and increase regional tensions, the report concludes.

Prepared at the request of the State Department, the report is based on a classified National Intelligence Estimate completed last October that reflected an increasing focus on environmental and other factors that threaten security. An estimate reflects the consensus judgment of all intelligence agencies.

While the report concluded that wars over water are unlikely in the coming decade, it said that countries could use water for political and economic leverage over neighbors and that major facilities like dams and desalination plants could become targets of terrorist attacks. Coupled with poverty and other social factors, problems with water could even contribute to the political failure of weaker nations.


Global Water Security
This report—requested by the Department of State—is designed to answer the question: How will water problems (shortages, poor water quality, or floods) impact US national security interests over the next 30 years? We selected 2040 as the endpoint of our research to consider longer-term impacts from growing populations, climate change, and continued economic development. However, we sometimes cite specific time frames (e.g., 2030, 2025) when reporting is based on these dates. For the Key Judgments, we emphasize impacts that will occur within the next 10 years.


This effort relied on previously published Intelligence Community (IC) products, peer-reviewed research, and consultations with outside experts. The Defense Intelligence Agency (DIA) was the principal drafter with contributions from NGA, CIA, State/INR, and DOE.