Sunday, February 26, 2012

Charcoal is Fueling Al Shabaab

Via CNN's Security Clearance Blog (Feb 23, 2012) -

Secretary of State Hillary Clinton has arrived in London to attend a conference that will focus on how the international community can help stabilize the chaotic situation in Somalia. One issue getting attention – the role of charcoal.

A British sponsored resolution, currently making its way through the United Nations Security Council, aims to expand the current amount of troops in the U.N. peacekeeping mission in Somalia, and to expand their mandate to work beyond the Somali capital of Somalia. It also calls for a ban on charcoal out of Somalia because such exports have been used by al-Shabaab, the al-Qaeda linked terrorist group in Somalia, as a means to finance their operations.

“Much of the charcoal that flows out of south central Somalia is either taxed or owned by al-Shabaab’” a senior State Department official told reporters traveling aboard Clinton’s plane as it flew to London from the United States. “When charcoal flows out to Yemen, to Saudi Arabia, to places in the Gulf, al-Shabaab is able to tax this charcoal and to gain the resources from it.”

In addition to choking off a source for al-Shabaab coffers, the State Department says the charcoal ban would "help protect the very fragile ecological balance," in the southern part of Somalia.


----------------------------------------

Recently, al Shabaab (and its affiliate in Kenya) officially merged with al Qaeda, forming al Qaeda East Africa (AQAE).

Higgs Boson is Running Out of Hiding Places

Via Science News (Feb 23, 2012) -

Even as physicists in Europe close in on their most-wanted quarry — a particle known as the Higgs boson — scientists in Illinois are helping narrow the hunt. New measurements of a different particle, one called the W boson, confirm the Higgs is in the mass range that most physicists had thought.

Theory suggests that the Higgs particle must exist in order to imbue many other particles with mass. Experiments at the Large Hadron Collider, at the CERN laboratory near Geneva, have shown that the Higgs’ own mass must be less than 127 billion electron volts. (Though it sounds like a unit of electricity, the electron volt is particle physicists’ fundamental unit of mass. A proton’s mass is about 1 billion electron volts.)

The new W boson findings confirm that the Higgs must be less than 145 billion electron volts. At the bottom end scientists have long known the Higgs, if it exists, must be at least 114 billion electron volts.

Narrowing the Higgs mass range with different methods helps scientists cross-check and thus have more confidence in their results. The W boson comes into play because it, the Higgs, and a third particle called the top quark are all interrelated. Determine the mass of any two of those, and you can calculate the mass of the third.

The new measurement is the most precise ever of the W boson mass: 80,387 million electron volts, according to scientists with the CDF collaboration at the Fermi National Accelerator Laboratory in Batavia, Ill., who announced the findings February 23 at a lab seminar.

ASLR in Android Ice Cream Sandwich 4.0

Via Duo Security Blog -

For the uninitiated, ASLR randomizes where various areas of memory (eg. stack, heap, libs, etc) are mapped in the address space of a process. Combined with complementary mitigation techniques such as non-executable memory protection (NX, XN, DEP, W^X, whatever you want to call it), ASLR makes the exploitation of traditional memory corruption vulnerabilities probabilistically difficult.

However, ASLR is commonly an all-or-nothing proposition. If ASLR is not applied to all areas of memory in a process, its effectiveness is often nullified. A single executable mapping that is mapped in a static location in the address space is often sufficient to construct a ROP payload. For example, this was indeed the case with OS X prior to 10.7, where the dynamic linker was not randomized, providing a sufficient gadget source for a ROP payload.

So, let’s take a look at this new-fangled ICS 4.0 platform and see if ASLR was properly and fully implemented.

[...]

Unfortunately, the ASLR support in Android 4.0 did not live up to expectations and is largely ineffective for mitigating real-world attacks, due to the lack of randomization of the executable and linker memory regions. It also would be beneficial to randomize the heap/brk by setting kernel.randomize_va_space=2.
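The "all-or-nothing" point above is easy to verify empirically: run the same binary twice, capture /proc/<pid>/maps each time, and see which mappings moved. The following is an added example (not code from the Duo post or from the Android project) that does exactly that diff and then lists the mappings that are both static and executable, i.e. the ones an attacker could mine for ROP gadgets. The two maps snapshots are constructed to resemble a non-PIE ARM process on a device with randomize_va_space=1 (fixed executable, fixed linker, heap following the executable, only libraries and stack randomized); the addresses, paths and inode numbers are illustrative, not captured from a real device.

```python
"""Diff two /proc/<pid>/maps snapshots of the same binary taken across separate
runs and report which mappings are randomized and which are static.
The snapshots below are constructed for illustration, not real device output."""
import re

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed run 1: executable at 0x8000 (non-PIE), heap right after it
# (randomize_va_space=1 leaves brk unrandomized), linker at a fixed address,
# libc and stack randomized.
RUN_1 = """
00008000-0000c000 r-xp 00000000 b3:17 1234   /system/bin/sample
0000c000-0000d000 rw-p 00004000 b3:17 1234   /system/bin/sample
0000d000-00014000 rw-p 00000000 00:00 0      [heap]
40010000-40080000 r-xp 00000000 b3:17 5678   /system/lib/libc.so
40080000-40083000 rw-p 00070000 b3:17 5678   /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 b3:17 9012   /system/bin/linker
b0009000-b000a000 rw-p 00009000 b3:17 9012   /system/bin/linker
be8a0000-be8c1000 rw-p 00000000 00:00 0      [stack]
"""

# Constructed run 2: only libc and the stack have moved.
RUN_2 = """
00008000-0000c000 r-xp 00000000 b3:17 1234   /system/bin/sample
0000c000-0000d000 rw-p 00004000 b3:17 1234   /system/bin/sample
0000d000-00014000 rw-p 00000000 00:00 0      [heap]
4011a000-4018a000 r-xp 00000000 b3:17 5678   /system/lib/libc.so
4018a000-4018d000 rw-p 00070000 b3:17 5678   /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 b3:17 9012   /system/bin/linker
b0009000-b000a000 rw-p 00009000 b3:17 9012   /system/bin/linker
be7f3000-be814000 rw-p 00000000 00:00 0      [stack]
"""


def parse_maps(text):
    """Parse /proc/<pid>/maps text into dicts with start, end, perms and path."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            raise ValueError("unparseable maps line: %r" % line)
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path") or "[anon]",
        })
    return regions


def region_bases(regions):
    """Lowest start address per path, so each object has one base per run."""
    bases = {}
    for r in regions:
        bases[r["path"]] = min(bases.get(r["path"], r["start"]), r["start"])
    return bases


def classify(run_a, run_b):
    """Return {path: 'randomized' | 'static'} for objects present in both runs."""
    a = region_bases(parse_maps(run_a))
    b = region_bases(parse_maps(run_b))
    return {p: ("randomized" if a[p] != b[p] else "static") for p in a if p in b}


def static_executable(run_a, run_b):
    """Objects that never move and carry an executable mapping: a ROP gadget source."""
    verdict = classify(run_a, run_b)
    exec_paths = {r["path"] for r in parse_maps(run_a) if "x" in r["perms"]}
    return sorted(p for p, v in verdict.items() if v == "static" and p in exec_paths)


if __name__ == "__main__":
    for path, v in sorted(classify(RUN_1, RUN_2).items()):
        print("%-24s %s" % (path, v))
    print("static executable mappings:", static_executable(RUN_1, RUN_2))
```

On a real device you would replace the two constants with `cat /proc/<pid>/maps` output from two launches of the same process (two snapshots is the minimum; more runs reduce the chance of a coincidental collision). Any path that lands in `static_executable` is a gadget source regardless of how well everything else is randomized, which is the point the post makes about the ICS executable and linker mappings.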

In addition to ASLR, Android could certainly stand to beef up some of its other exploit mitigation mechanisms. Non-executable memory support was recently added and GCC’s stack protector is now enabled in the default NDK CFLAGS, but other mitigations are still lacking. RELRO is missing, allowing GOT overwrites as demonstrated in Stealth’s GingerBreak exploit.

I’d also love to see code signing support similar to iOS, which prevents the introduction of new executable code in an address space. In addition, code signing would hamper the ability to pull down additional malicious code at runtime, a technique I demonstrated two years ago at SummerCon that the RootSmart malware authors have recently adopted.

Let’s just hope that we don’t have to wait for another major version release of the Android platform to get the same exploit mitigations that have been available on desktop and server platforms for years.

As Dug eloquently summarizes below: “TL;DR: ICS ASLR = FUBAR”

UPDATE: Nick Kralevich from the Android Security Team provided the following updates in the comments below:


  • kernel.randomize_va_space is set to 2 in ICS 4.0.3, randomizing the heap/brk mapping.
  • Support for randomizing the linker mapping will be available in a future Android release.
  • Support for randomizing executable mappings (PIE) will be available in a future Android release.
Sounds promising! We’ll be sure to check back in when those updates are live!

Friday, February 24, 2012

DarkComet RAT Surfaced in the Targeted Attacks in Syrian Conflict

Via TrendMicro Malware Blog -

The Internet has played a significant role in the current conflict in Syria. The opposition has made increasing use of platforms such as Facebook to organize and spread their message. In response, supporters of the regime like the “Syrian Electronic Army” have sought to disrupt these activities by defacing websites and spamming Facebook pages. Recently, this conflict took on a new dimension with reports that suggested targeted malware attacks were being used against supporters of the Syrian opposition movement.

Dark Comet RAT Used as “Syrian Spyware”

The malware used in the attacks reportedly spreads through Skype chats. Once users execute the malware, it connects to a C&C (command and control) server in Syria at {BLOCKED}.{BLOCKED}.0.28, which belongs to an IP range assigned to the Syrian Telecommunications Establishment. While the malware has been described as “complex” and “invisible”, it turns out that it is the widely available Remote Access Trojan (RAT) known as Dark Comet.

In our analysis, which confirms an earlier investigation by Telecomix, we found that the samples connecting to {BLOCKED}.{BLOCKED}.0.28 are instances of the DarkComet RAT versions 3.3 and 5. However, some samples are “downloaders” that connect to this same IP address via HTTP and download an encrypted “Update.bin” file, which is then decrypted and executed. The payload is the actual DarkComet RAT.

DarkComet is a full featured RAT that has the ability to take pictures via webcam, listen in on conversations via a microphone attached to a PC, and gain full control of the infected machine. But the features attracting most people using this RAT are the keylogging and file transfer functionality. This way, an attacker can load any files onto the infected machine or even steal documents.

DarkComet is still being developed and version 5 was released last January 15. It is created by a coder using the handle DarkCoderSc and was first coded in 2008. Since the reports of its use in connection with events in Syria, the author of DarkComet has expressed regret and while he will continue developing the RAT, he plans to make a DarkComet detector/remover available to the Syrian people.

[...]

These developments illustrate that targeted attacks can be conducted with widely available DIY malware tools. These tools possess all the “complex” functionality attackers need to compromise their targets.

Wednesday, February 15, 2012

Al Qaeda's Merger

Via Foreign Policy -

Hundreds of Somalis gathered on the outskirts of Mogadishu on Feb. 13 to celebrate the union of al Qaeda with its Somali cousin, the insurgent-terrorist group al-Shabab. But the mainstream media hasn't quite figured out what to make of the news, first announced last week, that the two groups had officially merged.

They might have done better with a simple headline: "Dozens of Americans Join al Qaeda."

The disturbing truth is that al-Shabab has had more success recruiting Americans than any of al Qaeda's other franchises. The newest official addition to the terrorist network's family includes around 40 Americans, in addition to dozens more involved in support activities on U.S. soil, as well as those with more casual connections to the United States. That support network dwarfs the American presence in "al Qaeda Central," which was largely terminated after the 9/11 attacks.

Al-Shabab's numbers and its extensive support network mean al Qaeda is now better positioned to carry out strikes on the U.S. homeland than at any point in the last 10 years. The majority of al-Shabab's American recruits are ethnic Somalis -- first- and second-generation immigrants with still-fresh ties to their ancestral home -- but the group also enjoys significant support from radicalized Muslim converts from diverse backgrounds, who are attracted by its efforts to carve out a domain ruled by a harsh interpretation of Islamic law.

Tuesday, February 14, 2012

Prediction: Handful of Malicious Networks Will Spawn Most Attacks In 2012

Via Threatpost -

A shadowy web of malicious networks, or "malnets" will be the source of two thirds of online attacks in 2012, according to a report from the security firm Blue Coat.

Despite the continued industry focus on specific families and samples of malicious software, Blue Coat researchers say that identifying the common components of a handful of underlying infection infrastructures, which they are referring to as 'malnets,' is a more promising approach to stopping further infections.

The company's 2011 State of the Threat Landscape report identifies five principal malnets: Shnakule, Glomyn, Cavka, Naargo, and Cinbric.

Blue Coat describes malnets as distributed network infrastructures designed to sweep up victims while they browse trusted Web sites and route them through the malnets: forwarding them along from a legitimate (but compromised) Web site through relay servers and on to exploit and payload servers. Blue Coat believes that nearly two-thirds of all attacks in 2012 will originate from these and other known malnets. The company's researchers hope to exploit these networks by identifying common components within them and then using that information to mitigate threats before they become active.

[...]

Malnets make tools like blacklists and signature based threat detection less effective, Larsen said. However, they do give vendors the opportunity to more thoroughly detect threats at an earlier stage - in some cases even before attacks have been launched.

Blue Coat said it is looking at ways to block attacks by determining variables that are reasonably constant across the malnet such as domain name similarities.

Larsen said that his company's data shows that organized crime groups and malicious hackers are sticking with what works when launching online attacks. Despite an overall decline in e-mail use, attacks via e-mail increased by nearly five per cent from the first half of the year and continue to be a large problem. Attacks launched from search-engine optimized Web sites were the most common entry point for malicious code. Search engine poisoning accounts for some 40 per cent of infections, Blue Coat found. At the same time, social networking is moving up as a malware entry point, now accounting for almost 6.5 per cent of infections, the report said.

Larsen believes that the continued prevalence and success of search engine poisoning as a method of infection is evidence that we are doing a poor job of communicating the dangers of search. Too often, he said, users will trust a link just because it popped up as a top search result. Instead, users need to inspect URLs and make sure they are safe before following links.


-------------------------------------------------

Blue Coat Systems 2012 Web Security Report
Exposing Malnet Strategies and Best Practices for Threat Protection
http://www.bluecoat.com/2012-web-security-report

Saturday, February 11, 2012

U.S. Stepping Up Syrian Intel Gathering

Via CNN's Security Clearance Blog -

The United States has recently stepped up intelligence, surveillance and reconnaissance operations over Syria, CNN has learned.

"This is for situational awareness," a senior U.S. official told CNN. "There are media reports but we also want to verify exactly what is happening."

The official said the United States believes all the media reports coming out of Syria, but for intelligence uses they want to gather even more information to understand precisely what is happening there.

The official would not address whether U.S. intelligence-gathering operations include eavesdropping on or jamming of Syrian government and military communications. Such actions were used in Libya. Under fire from some quarters for not doing more immediately to help stop the bloodshed in Syria, the State Department on Friday said it will release publicly reconnaissance photos of Syrian cities showing broad images of what appeared to be smoke rising from areas where the fighting is most intense.

The first image was posted on the Facebook page of the U.S. Embassy in Damascus. That embassy was closed last week when U.S. Ambassador Robert Ford and his remaining staff were called back to Washington.

The images show "some declassified U.S. national imagery of destruction of Homs, very gruesome pictures showing lines of tanks, showing fire, showing the kind of things that you really only see when you have a major military attacking in a civilian area," explained State Department spokeswoman Victoria Nuland.


----------------------------------------------------------

US State Dept: Satellite Images of Syrian Military Artillery
http://www.stateondemand.com/Latest-Stories/satellite-images-of-syrian-military-artillery/s/63057bec-e32d-4bee-9d9c-ba8531a3a90a

Somalia's al-Shabaab Joins al-Qaeda

Via BBC (10 February) -

Islamist militant group al-Shabab, which controls much of Somalia, has released a joint video with al-Qaeda, announcing the two groups have merged. Al-Shabab leader Ahmed Abdi Godane, known as Mukhtar Abu Zubair, said he "pledged obedience" to al-Qaeda head Ayman al-Zawahiri. The two groups have long worked together and foreigners are known to fight alongside Somali militants.

The announcement comes as al-Shabab is under pressure on several fronts. Africa Union troops supporting the forces of the UN-backed government have taken control of the capital, Mogadishu, while both Kenya and Ethiopia have sent forces into Somalia to push back the Islamists. Al-Shabab, however, still controls many southern and central areas of the country.

However, correspondents say al-Shabab's policy of banning many foreign aid agencies from areas it controls during the region's worst drought in 60 years has lost the group some of its popular support. The United Nations says that although the famine in Somalia is officially over, a third of the population still needs urgent feeding.

BBC Somali editor Yusuf Garaad Omar says the merger of al-Shabab and al-Qaeda has the potential to change the dynamics of the conflict in Somalia. During the 15-minute Arabic-language video posted on jihadist websites, Zawahiri said the move was "good news" for al-Qaeda.

Analysts say the announcement helps boost al-Qaeda after its leader Osama Bin Laden was killed last year.


-------------------------------

This CFR Backgrounder provides a profile of the al-Shabaab Islamist militant organization based in southern Somalia.

Thursday, February 9, 2012

United States Ranks 4th Globally in Cyber Defense

Via Defense News (Jan 31, 2012) -

The U.S. ranked behind Finland, Israel and Sweden in a new report analyzing the ability of countries to defend themselves against cyber attacks. The report pointed to information-sharing limitations as one of the key stumbling blocks for U.S. security, giving the country four out of a possible five stars.

“Government only inhales, it never exhales,” said Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council. He was part of a panel assembled for the release of the report Jan. 30. “It will take all the information, but it will find any excuse to not share.”

The reputational rankings appeared in “Cyber-security: The vexed question of global rules,” a report based on surveys with 250 leaders in 35 countries that rated 23 countries. Produced by the Security & Defense Agenda, a Brussels-based think tank, and the cybersecurity company McAfee, the report used a methodology developed by Robert Lentz, former deputy assistant secretary of defense for cyber, that measures preparedness based upon a country’s technology and available pool of expertise.

While ranked as even with Germany, France and the United Kingdom, among others, the United States was ahead of China and Russia, which only received three stars. The two countries are often cited as the source of the vast majority of cyber attacks, with those emanating from China appearing to be state-sponsored espionage and those from Russia likely financial crime related.

Although information-sharing was cited as the best technique for combating cyber attacks, the details can be difficult to figure out, experts said.

[...]

Attribution remains a tricky problem, experts said, but that doesn’t mean that companies aren’t getting better. Tim McKnight, a chief information security officer at Northrop Grumman, indicated that the company had been able to pinpoint a collection of groups that have been waging attacks.

“We track about 26 different gangs that have been attacking our company for the last seven years,” he said.

Germany Expels Four Syrian Diplomats in Spy Case

Via NY Times -

As tensions mount between Western nations and the authorities in Damascus, Syria, the Foreign Ministry here in Berlin said on Thursday that it had ordered the expulsion of four staff members from the Syrian Embassy after arresting two men accused separately of spying on opponents of President Bashar al-Assad among Syrian exiles in Germany.

The police here arrested the two men on Tuesday saying they were “strongly suspected of investigating Syrian opposition members in Germany for a Syrian intelligence service over a period of years.”

The men were identified, under standard German procedures, only as Mahmoud El A., 47, of Lebanese descent, and Akram O., 34, a Syrian.

State and federal police officers searched the homes of six other suspects “believed to be involved in espionage.”

In a statement on Thursday, Guido Westerwelle, the foreign minister, said four diplomats — three men and a woman who were not identified by name — had been given three days to leave Germany. Mr. Westerwelle did not go into detail about the expulsions, but officials said the embassy personnel were suspected of carrying out activities incompatible with their diplomatic status, a formulation that usually refers to espionage.

The action came after several Western and Arab nations reduced their diplomatic presence in Damascus. The United States closed its embassy there earlier this week.

Syrian officials made no immediate public comment on the expulsions.

After Tuesday’s arrests, Mr. Westerwelle had already summoned the Syrian ambassador to tell him that intimidation of Syrian opposition figures in Germany would not be tolerated, officials said. According to German news reports, the two arrested men were not themselves diplomats, but worked closely with Syrian Embassy officials.

Their activities were said to have included infiltrating demonstrations to photograph Syrians opposed to President Assad and then transmitting the images to Damascus along with other information about the regime’s opponents.

[...]

The practice of spying on overseas opponents is not restricted to Germany or Syria.

In October, a Syrian-American man was arrested in the United States and accused of secretly working with Syrian intelligence to gather information on overseas protesters against the government in Damascus. The Syrian Embassy in Washington has called the charges baseless.

A Time-based Analysis of Rich Text Format Manipulations: A Deeper Analysis of the RTF Exploit CVE-2010-3333

http://www.sophos.com/en-us/why-sophos/our-people/technical-papers.aspx

Malware authors are still looking for new ways to distribute an old RTF vulnerability (CVE-2010-3333). This SophosLabs technical paper 'A time-based analysis of Rich Text Format manipulations' will explore, over a long period of time, the way that the malware authors attempt to evade detection.

Download 'A time-based analysis of Rich Text Format manipulations'

By Paul Baccas, Senior Threat Researcher, SophosLabs UK, 2011

Wednesday, February 8, 2012

Citadel - An Open-Source Malware Project

Via Seculert Blog -

A few weeks ago, Brian Krebs reported on Citadel, a new variant of the Zeus Trojan.
Citadel creators decided to provide this new variant in a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem.

The developers did not stop there. They created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware, report bugs and other errors in the system, comment and discuss related issues with fellow customers. This CRM (Customer Relationship Management) platform has explosive potential, as it harnesses the accumulative knowledge and resources of its cyber community.

Based on the fact that the Zeus source-code went public in 2011, the Citadel community indeed became active, and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution - an open-source malware.

We have previously discussed trends in malware evolution, where the sophistication level is continuously rising, especially on the server side, as malware kits have become the mainstream among cybercriminals.

[...]

Each version added new modules and features, some of which were submitted by the Citadel customers themselves, including:

  • AES Encryption – The customer can decide whether to encrypt the malware configuration file and communication with the C&C server, with RC4 encryption (used by old Zeus versions) or AES encryption.
  • Avoiding Trackers Detection – Zeus tracking websites (e.g. Zeus Tracker, Malware URL, etc.) help in shutting down Zeus botnets by reporting on new Zeus C&C servers. Citadel now requires a specific botnet key in order to download malware updates and configuration files, in a hope to not be detected by those trackers.
  • Security vendors websites blacklist – Machines infected with Citadel cannot access websites of information security vendors. This blocks the option to download new security products, or get updates from currently installed products (e.g. Anti-Virus updates).
  • Trigger-based Video Recording – Record videos (using MKV codec) of the infected machine activity, in case the victim visits a specific website. A customer can decide whether to receive a malware builder with or without this module, mainly because this feature requires a lot of space on the malware C&C server.
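The "security vendors websites blacklist" feature above is worth checking for during incident response, because a host that silently cannot reach its AV vendor will never pull an update that detects the bot. The Seculert post does not say how Citadel implements the block, so the following is an added example (not code from Seculert or from any malware sample) of one generic check: parsing a Windows or Unix hosts file and flagging any security-vendor hostname that has been pinned, especially to a loopback or unspecified sinkhole address. The vendor domain list and the hosts-file content are constructed for illustration; extend the list with the vendors your environment actually uses.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains.
The hosts-file sample and the vendor list below are constructed for
illustration; this is a generic check, not a Citadel-specific signature."""
import ipaddress

# Illustrative watch list; add the vendors relevant to your environment.
VENDOR_DOMAINS = (
    "symantec.com", "mcafee.com", "kaspersky.com",
    "trendmicro.com", "sophos.com", "avg.com",
)

# Constructed sample: normal loopback entries, then sinkholed vendor hosts.
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost
# entries appended by something that was not the administrator
127.0.0.1   www.symantec.com symantec.com liveupdate.symantec.com
0.0.0.0     update.kaspersky.com
10.0.0.5    intranet.example.com
garbage line without an address
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue   # hosts parsers ignore malformed lines; so do we
        for name in names:
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def is_vendor_host(name):
    """True if name is a watched vendor domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def suspicious_entries(text):
    """Vendor hostnames pinned in the hosts file.

    Returns (hostname, address, sinkholed) tuples; sinkholed is True when the
    address is loopback or 0.0.0.0/::, the classic way to make a site unreachable.
    Any vendor hostname in the hosts file is suspect, sinkholed or not.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if not is_vendor_host(name):
            continue
        ip = ipaddress.ip_address(addr)
        hits.append((name, addr, ip.is_loopback or ip.is_unspecified))
    return hits


if __name__ == "__main__":
    for name, addr, sinkholed in suspicious_entries(SAMPLE_HOSTS):
        print("%-28s -> %-12s %s" % (name, addr, "SINKHOLED" if sinkholed else "pinned"))
```

On a live system read `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts` into `suspicious_entries` instead of the constant. A clean hosts file produces an empty list; a hosts file that names any AV vendor at all deserves a look, since legitimate deployments almost never pin those names.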

---------------------------------------------------------

Check out the full details at the Seculert blog...

Monday, February 6, 2012

Adobe Flash Player Sandboxing is Coming to Firefox

Via Adobe Secure Software Engineering Team (ASSET) Blog -

In December of 2010, I wrote a blog post describing the first steps towards sandboxing Flash Player within Google Chrome. In the blog, I stated that the Flash Player team would explore bringing sandboxing technology to other browsers.

[...]

Today, Adobe has launched a public beta of our new Flash Player sandbox (aka “Protected Mode”) for the Firefox browser. The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach. Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities. The sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation. Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7. We would like to thank the Mozilla team for assisting us with some of the more challenging browser integration bugs. For Flash Player, this is the next evolutionary step in protecting our customers.

Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits. For example, since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X. We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.


-----------------------------------------------

Kudos to Adobe for embracing sandboxing as a way to minimize exploit impact, first in Adobe Reader X and now in Adobe Flash Player. Now if they would do the same for Flash Player in IE on Windows 7, we would be getting somewhere.

Unfortunately, the bad guys (both criminal and nation-state) are taking advantage of Oracle's inability to do anything to secure Java JRE usage. So it might be too little, too late to really help enterprises counter advanced threats.

Sunday, February 5, 2012

Cone of Silence Surrounds U.S. Cyberwarfare

Via Stars and Stripes (Oct 18, 2011) -

The burial at sea was just a few hours old when sources around Washington began to spill the tactics and objectives of the May 1 mission that killed Osama bin Laden. Quickly, a substantial picture of the shadowy mission in Pakistan emerged.

But nearly two years after another operation that in terms of ingenuity and audacity might be considered the cyberwar equivalent of the bin Laden mission — the Stuxnet attack that destroyed crucial equipment in Iran’s nuclear program — the silence remains unbroken. Military and civilian leaders have steadfastly refused to confirm or deny U.S. involvement.

Classified, it seems, is the enduring reality of computer warfare.

Even though the Pentagon this year formally declared cyber a new domain of warfare equal in importance to land, sea and air, a murky blanket of secrecy covers not only its operations but its policies and doctrines. It’s a level of obfuscation that far outstrips that which surrounds U.S. conventional and nuclear capabilities.

[...]

No one has yet proven who perpetrated the Stuxnet malware operation that in late 2009 or early 2010 began to cause computers in the Natanz nuclear facility in Iran to go haywire. The worm may have set work back by several years in a program that the United States says is aimed at one day producing nuclear weapons with which to threaten its neighbors.

Though Western researchers and Iranian investigators alike point a finger at the United States, frequently alleging a U.S.-Israeli collaboration, U.S. officials will not comment.

Months before the attack was disclosed, Bumgarner, a retired U.S. Army special operations veteran, former intelligence officer and cyberwarrior, penned an article in an information warfare journal that, clearly, no one in Iran’s nuclear program read or took seriously. The article, titled “Computers as Weapons of War,” suggested that centrifuges used to refine nuclear fuel could be made to destroy themselves with the right kind of offensive cyberweapon. Soon after, that’s what happened. (Among its other effects, Stuxnet is also thought to have put a Russian-built Iranian nuclear power plant at risk of meltdown.)

Bumgarner says he wrote about the centrifuge vulnerability simply to show what can be accomplished. Many other U.S. opponents have similarly vulnerable systems, as does the United States, he said.

The key from the standpoint of the attacker is not to tip one’s hand, Bumgarner said. Obscuring precise capabilities gives you an edge, while revealing too much information weakens you.

“When it comes to cyberweapons, some of the things that you develop need to be held close to the vest,” he said. “If information about a specific cyberweapon leaks out, the adversary can adjust their defenses and your offensive capability will be diminished.”

The key for U.S. officials, and the thing that perhaps keeps their lips sealed in public, is knowing the line between healthy public discussion and tipping off adversaries to their own weaknesses.

“A conventional weapon can be effective for years, perhaps even decades,” he said. “A cyberweapon’s effectiveness might be measured in minutes until someone applies a patch or a new security filter.”

Music: Atlantic Connection ft. Kemst - Touch This



Awesome liquid drum & bass (liquid funk) song by Atlantic Connection.

Saturday, February 4, 2012

Operation Starlight: The Chinese PLA Assault on RSA and the Undermining of the Authentication Control Supply Chain

Via Diocyde's Veiled Shadows Blog -

This post will be one of several that will reveal the origins of the investigation, research, and analysis group effort behind what has been revealed as Operation Starlight.


BACKGROUND

The formation, vision, and strategy behind Starlight was a direct result of the compromise and Intellectual Property data theft of vital technical information from RSA that forms the underpinnings of Authentication Frameworks used in thousands of companies and Government organizations worldwide.

[...]

Over the past year, Government officials active and retired, congressmen, and security researchers have come out explicitly linking and declaring this to be the case. They should know. There are YEARS of evidentiary data linking this activity to exact groups and individuals behind these activities. The old tired adages of how ATTRIBUTION is too hard of a problem, and how it's impossible to track the source of an attack, are a RED HERRING in this industry. Do not believe it for a second. If you're told that, you are being lied to. The abilities of Nation States to conduct Multi-INT intelligence analysis on threats is unparalleled. This intelligence supports the missions of Counter-Intelligence, Law Enforcement, and provides data for Strategy and National Leadership Decision Making.

Future postings here will reveal many of the lessons learned through this experience.

It is my hope that it inspires the community of security experts, investigators, forensic professionals, incident responders, and malware analysts to recognize clearly that there is a dire need to come together as one to share their threat data, become educated on the specific technical threats and the groups behind them, and operate as a single unified entity in confronting the single most damaging threat to our future, described as “the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.”


----------------------------

Big shout out to @diocyde. Keep up the good work.

Analysis Of Sykipot Smartcard Proxy Variant

Via EipLoader Blog -

Executive Summary

This analysis report confirms AlienVault’s claim that users of ActivIdentity ActivClient software are affected. See link: http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs

This malware not only attempts to capture keystrokes and clipboard data, it also serves as a backdoor to fully remote control the victim’s system and to access protected resources that require smartcard authentication.

Having said that, it is also important to note that the malware requires the smartcard to be in the reader when access is required. In other words, the victim is used as a smartcard proxy, where the stolen login PIN is used to access the smartcard.

Judging by this malware’s behavior, it is highly likely espionage malware, particularly interested in email messages and reports crafted while Outlook, Firefox and/or Internet Explorer is running, captured through key logging. Additionally, this malware takes extra precautionary measures to maintain stealth on the victim’s system, in the hope of remaining undetected for a long period.

Wednesday, February 1, 2012

Ongoing Targeted Attack Campaign Going After Defense, Aerospace Industries

Via Threatpost.com -

Researchers have identified a strain of malware that's being used in a string of targeted attacks against defense contractors, government agencies and other organizations by leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form and the emails containing the malicious attachments are specifically targeted at executives and officials in various industries using fake conference invitations.

The attack campaign, as many do, appears to be changing frequently, as the attackers use different binaries and change up their patterns for connecting to remote command-and-control servers. The research, done by Seculert and Zscaler, shows that the attackers are patient, taking the time to dig up some information about their potential targets, and are carefully choosing organizations that have high-value intellectual property and assets.

The malware used in these attacks has been dubbed MSUpdater Trojan, as it attempts to conceal its presence on the machine by disguising its outbound communications as Windows Update requests. The researchers first saw the infection on Dec. 25, 2011, and then, working backward from the malware's infection routine, connection pattern and other characteristics, were able to find much older incidents that seem to have been the work of the same attackers.

[...]

The research by Seculert and Zscaler shows that the attacks are targeting companies and organizations in the defense industry as well as the aerospace sector. The first attacks likely occurred as far back as early 2009, they said, and while some of the binaries used in the incidents are detected by security software under various names, they haven't been correlated as part of one ongoing campaign before.
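The one detection hook the article gives is that the trojan dresses its beacons up as Windows Update traffic. Masquerading as an update client only fools a log reviewer who looks at the User-Agent and not at the destination, so the check below is an added example (not code from Seculert, Zscaler or Threatpost, and not derived from an MSUpdater sample) that walks proxy log lines and flags requests that carry a Windows Update client User-Agent but go to a host outside a small allowlist of Microsoft update domains, with bare-IP destinations called out separately. The log format, the sample lines and the exact User-Agent substring are constructed assumptions; the allowlist is deliberately partial and should be replaced with the update hosts your WSUS or proxy logs actually show.

```python
"""Flag 'Windows Update' requests that do not go to Windows Update.
Log format, sample lines, the User-Agent substring and the (partial) allowlist
are constructed for illustration; adapt all of them to your proxy."""
import ipaddress
import re

# Constructed proxy log format:  <ts> <src_ip> <dst_host> <method> <path> "<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<path>\S+)\s+"(?P<ua>[^"]*)"$'
)

# Partial allowlist of legitimate Windows Update hosts (assumption: extend from your own logs).
UPDATE_HOSTS = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
)

# Substring a genuine update client sends; treat as an assumption to tune per OS version.
UPDATE_AGENT_MARKER = "windows-update-agent"

# Constructed sample log: one genuine update fetch, two masquerades, one unrelated browse.
SAMPLE_LOG = """
2011-12-25T10:01:02Z 10.1.2.3 download.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab "Windows-Update-Agent"
2011-12-25T10:03:15Z 10.1.2.3 203.0.113.45 GET /update/check.php?id=7a1c "Windows-Update-Agent"
2011-12-25T10:05:40Z 10.1.2.7 www.example.org GET /index.html "Mozilla/5.0"
2011-12-25T10:07:09Z 10.1.2.3 updates.example-cdn.net POST /wu/v6/ "Windows-Update-Agent"
"""


def is_update_host(host):
    """True if host is an allowlisted update domain or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in UPDATE_HOSTS)


def looks_like_ip(host):
    """Genuine update clients resolve names; a bare IP destination is a strong tell."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_masquerades(log_text):
    """Return (src, host, path, reason) for update-agent requests to non-update hosts."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # unparseable line; a real pipeline would count these
        if UPDATE_AGENT_MARKER not in m.group("ua").lower():
            continue
        host = m.group("host")
        if is_update_host(host):
            continue
        reason = ("update-agent UA to bare IP" if looks_like_ip(host)
                  else "update-agent UA to non-Microsoft host")
        hits.append((m.group("src"), host, m.group("path"), reason))
    return hits


if __name__ == "__main__":
    for src, host, path, reason in find_masquerades(SAMPLE_LOG):
        print("%s -> %s%s  [%s]" % (src, host, path, reason))
```

The interesting output is not the individual hit but the grouping: in the sample, both masquerades come from the same source address, which is the beaconing pattern the researchers used to tie older incidents back to this campaign. Expect false positives from third-party patch tools that borrow the update client's User-Agent; those should be added to the allowlist after you have confirmed what they are.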


--------------------------------------------------------

MSUpdater Trojan and the Conference Invite Lure
http://blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html

MSUpdater Trojan Whitepaper
http://www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf