Monday, September 2, 2013

Wo(Man) in The Browser -MiTB

While conducting a penetration test of a web application for a financial services client recently, I came across a vulnerability that I wanted to briefly discuss. The vulnerability is related to the now infamous "banking Trojans" and their ability to modify HTML pages on the fly. This is a relatively sophisticated tactic used by banking Trojans such as Zeus and SpyEye to manipulate a user's web browser interactions with their banking web application. It is used specifically as a phishing tactic to get users to enter extra sensitive data (for example, while they are logging into their online banking application).

There can be various client-side attack vectors used to initially infect the user's system or mobile device with the banking Trojan, ranging from a lure in a spear-phishing or watering-hole campaign to drive-by delivery mechanisms. After the user's system is infected, the Trojan monitors the HTTP stream via Wininet.dll (or some other library) and modifies the content on the fly. The content modification capability of Trojans like Zeus (in the tested instance) stems from a configuration file called "Webinjects.txt". When the victim fills in the additional information, it is sent to the Trojan's command and control host.

Mitigating this vulnerability can be a challenge. Several remediation strategies have been put forward, ranging from client hardening techniques and secure card readers (e.g. Smartwipe) to out-of-band verification and detection via web tripwire hooks used by various WAFs, which can detect and identify these "in-flight" page manipulations in real time.

- MH "Madame Hack"

Wednesday, May 8, 2013

Asymmetric Warfare - Who's Got BeEF?


Normally, when responding to web-borne application attacks against their websites, most organizations take the approach of responding to the malicious attack traffic itself, for example responding to cross-site scripting (XSS) or cross-site request forgery (CSRF) with a combination of output encoding/escaping and some form of input validation for untrusted user input. They may also add protection measures such as a Content Security Policy (CSP) or active content signatures (ACS) to further protect users of their applications from malicious scripts, iframes (clickjacking), etc. These are of course very good steps to take and can indeed be very effective if implemented properly. But in this post I'd like to briefly discuss a slightly different approach to dealing with the attackers targeting your websites, and how this approach can significantly assist in identifying attackers and in incident response actions. Leveraging a tool set called BeEF (Browser Exploitation Framework) in conjunction with a Web Application Firewall (WAF) such as ModSecurity, you can use BeEF to hook the browsers of malicious clients (not automated tools) that are attacking your websites, and so provide much better information for incident response investigations. It allows you to take the fight back to the attackers of your websites.

What exactly is BeEF? As mentioned above, BeEF stands for Browser Exploitation Framework. It is a penetration testing tool set (http://beefproject.com/) designed to test the exploitability of your web browser environment, and trust me when I say it does a great job of that!


I won't discuss BeEF's full attack capabilities here (you can check it out for yourself), but it is a very powerful tool to say the least. Instead of taking advantage of XSS vulnerabilities in your application as a pen-testing attack vector, you can leverage a WAF like ModSecurity to identify malicious clients of your application and then modify the HTTP response sent back to those malicious requests so that it carries the BeEF JavaScript hook code, hooking them directly. This allows you to keep close tabs on the attackers of your website and monitor their every move. This is a much more effective tactic than trying to respond to incidents when all you have is an IP address (which I'm sure is not the real IP address, since the attacker is tunneling their traffic through proxies or other intermediary systems). BeEF contains some powerful data harvesting capabilities and can harvest critical details from the attacker's web browser, such as the attacker's "true geographic location"; some of the location enumeration modules (under the host folder) can be used to get the physical location, including GPS coordinates and street address details. You can even open a dialog prompt to communicate with the hooked browser and ask why your site is being pwned. Pretty cool...

MH - "Madame Hack"

Tuesday, September 4, 2012

Secrets and the Hidden Agenda...

Great article from CNET. It states that for the second time in two weeks, a virus outbreak has been reported at an energy company in the Middle East. Qatari liquefied natural gas producer RasGas said its corporate network and website were down after being hit by a virus on Monday. Earlier this week the Saudi Aramco oil company confirmed that its network was hit by a virus two weeks ago, shutting down 30,000 workstations. These are just the latest recent attacks targeting organizations in the region involving malware designed to steal secrets, wipe data, shut down corporate systems, and sabotage critical infrastructure. Some believe they are related. Here is a breakdown of some of the malware affecting that region, in rough chronological order:

Stuxnet
Discovered in June 2010, Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems. It's thought to have been designed to shut down centrifuges at Iran's Natanz uranium enrichment plant, where stoppages and other problems reportedly occurred around that time. A New York Times report cited sources who said that Stuxnet was part of a U.S.-Israeli operation dubbed "Operation Olympic Games," that was begun while President George W. Bush was in office as an attempt to sabotage Iran's nuclear program. The sophisticated worm spreads via USB drives and through four previously unknown holes, known as zero-day vulnerabilities, in Windows. It used two stolen digital certificates, was aimed at Siemens supervisory control and data acquisition (SCADA) systems that were configured to control industrial processes, and infected programmable logic controllers.

Duqu
The Duqu worm emerged in September 2011, and researchers say it shares a lot of code with Stuxnet but is designed for a different purpose: stealing data for surveillance or other intelligence efforts. It hit computers in Iran but did not appear to be directed at industrial or critical infrastructures specifically. Duqu exploits zero-day Windows kernel vulnerabilities, uses stolen digital certificates, installs a backdoor, and captures keystrokes and information that could be used to attack industrial control systems. "We believe it could be a cyberespionage operation to gauge the status of Iran's nuclear program," Roel Schouwenberg, senior researcher at Kaspersky Lab, told CNET.

Gauss
Earlier this month, Kaspersky went public with details on a new espionage or surveillance toolkit called "Gauss." The malware was launched around September 2011 and was discovered in June. The malware was found on computers mostly in Lebanon, Israel, and Palestine, followed by the U.S. and the United Arab Emirates. Gauss is capable of stealing browser passwords, online banking accounts, cookies, and system configurations. Kaspersky says it comes from the same nation-state "factories" that produced Stuxnet, Duqu, and Flame.

Mahdi
The data-stealing Mahdi Trojan, discovered in February 2012 and publicly disclosed in July, is believed to have been used for espionage since December 2011. Mahdi records keystrokes, screenshots, and audio and steals text and image files. It has infected computers primarily in Iran, Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia, including systems used by critical infrastructure companies, government embassies, and financial services firms. Its name comes from references in the code to the word for the Islamic Messiah. It also includes strings in Farsi and dates in the Persian calendar format. It's unknown who's responsible for the malware, which uses social engineering to get people to open malicious Word or PowerPoint attachments.

Flame
Flame was discovered in May 2012 during Kaspersky Lab's investigation into a virus that had hit Iranian Oil Ministry computers in April. Kaspersky believes the malware, which is designed for intelligence gathering, had been in the wild since February 2010, but CrySyS Lab in Budapest says it could have been around as far back as December 2007. Most of the infections were in Iran, but other countries hit were Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. Flame uses a fraudulent digital certificate, spreads via USB stick, local network, or a shared printer spool vulnerability, and leaves a backdoor on computers. It can sniff network traffic and record audio, screenshots, Skype conversations, and keystrokes, as well as download information from other devices via Bluetooth. It appears to be designed for general espionage and not targeted at any particular industry. Most of the infections were reported to be in Iran and appeared to involve stealing PDF, text, and AutoCAD files. Flame shares characteristics with Stuxnet and Duqu. It also was developed as part of the Olympic Games project along with Stuxnet, according to a report in The Washington Post.

Wiper
There were reports in April about a malware attack shutting down computer systems at companies in Iran, including the Oil Ministry, and mentions of a virus called "Wiper," Kaspersky said in a blog post yesterday. The malware wipes data from hard drives, placing high priority on those with a .pnf extension, which are the type of files Stuxnet and Duqu used, and has other behavioral similarities, according to Schouwenberg. It also deletes all traces of itself. As a result, researchers have not been able to get a sample, but they've reviewed mirror images left on hard drives. The discovery of Wiper led to the discovery of Flame, which led researchers to Gauss, according to Schouwenberg. "One major question is, did the people who released Wiper know about the Flame operation? And if so, did they factor in the possibility of Flame being discovered because of Wiper?" Schouwenberg said. "It seems kind of illogical to blow a multiyear cyberespionage operation just to wipe the machine."

Shamoon
Discovered earlier this month, the Shamoon virus attacks Windows computers and is designed for espionage. Shamoon was initially confused with Wiper in some reports but is now believed to be a Wiper copycat targeting oil companies. A logical error in the code of Shamoon points to the work of amateurs rather than a nation-state operation, Schouwenberg said. There is speculation that Shamoon hit Saudi Aramco. The malware reportedly was programmed to overwrite files with an image of a burning U.S. flag, as well as to steal data.

Monday, January 30, 2012

Super-Powered Malware...

Back in the old days (it seems strange saying that, considering it's not really that old) there was a clear-cut distinction between what a Trojan was, what a virus was, what a worm was, etc. Well, it seems those days are gone and a new breed of malware has emerged recently: a new strain of super-powered malware dubbed "Frankenmalware" or "malware sandwiches" has become part of the malicious code landscape. According to a recent article from Bitdefender, cyber-criminals have started mixing malware ingredients across these traditional threat categories to maximize attack impact on potential victims: Trojans with worm capabilities, viruses with Trojan features, and so on. Here is an excerpt from the article:

"the file infector that accidentally parasites another e-threat. A virus infects executable files; and a worm is an executable file. If the virus reaches a PC already compromised by a worm, the virus will infect the exe files on that PC - including the worm. When the worm spreads, it will carry the virus with it. The combined features from both pieces of malware will inflict a lot more damage than the creators of either piece of malware may have originally intended. While most file infectors have built-in propagation mechanisms, just like Trojans and worms (spreading routines for RDP, USB, P2P, chat applications, or social networks), some cannot replicate or spread between computers. And it seems a great idea to “outsource” the transportation mechanism to a different piece of malware (i.e. by piggybacking on a worm, etc.)."

The article further states that "most likely these Frankenmalware, or “malware sandwiches,” take place spontaneously". The virus infects another piece of malware by mistake and ends up using that malware's capabilities to spread.

Sunday, December 11, 2011

A View from the Bunker.....

The few survivors from the front line have reported in. We stand on the edge, staring into the abyss, a tangled mess of bodies behind us. We are the poor souls who have chased the demon, descended into the pit and climbed up the other side. What we have seen is not pretty at all. The collective corporate filesystem is a parking lot for castaway software barely able to run on a modern OS, squeezing the last bit of life out of burned-out Win32 DLLs (Dynamic Link Libraries) and rogue .exes. There are piles of unwashed garbage downloaded by employees who were passing by, never deleted, never cleaned. The strangest mutated crap has been swept tightly into temporary directory corners that have since calcified and become permanent artifacts.
 
These software programs are a biohazard. Some are just plain broken, wheezing out juice from a hooked Windows message chain just long enough to cough up and die, only to be resurrected by the swift kick of a boot-time registry key the next time the machine reboots. Some have pretty little labels of well-known companies - clearly so you won't look twice at them and notice how they are exfiltrating personal browsing statistics and other data to some cloud server - really like malware, but allowed by the EULA that you didn't read.

Everything looks bad. So, it’s no wonder that attackers can just drop something new in and nobody notices. As long as it doesn’t infect five million residential banking customers then nobody is going to give a crap..

That is the unfortunate reality of hacking these days, and it has nothing to do with advanced persistent threats (APTs). It has to do with the enterprise and the complete LACK of visibility and control you have over the endpoint (i.e. where all the action is)... When security is limited to the network perimeter only, you are not in control. Period......

Oh, and what a "breath of fresh air" the mobile device is. A new pile of mobile software, mostly social media, that is directly connected to thousands of strangers who are not your employees, communicating in real time with processes running within your defenses. In effect, you now have thousands of potential multi-homed routers to 3G-space (4G if you're lucky..) from your network that don't belong to you.

OK, so let's review some basic security facts:
  • Today, malware is a tool for persistent adversaries
  • Adversaries are financially and/or politically motivated
  • Intrusions involve a real person (or group) that targets your organization directly
  • Attackers are motivated to steal something from your network

Let's review the primary threat actors and groups we face today:

Criminal Enterprises – these are the guys who make more money than drug cartels and the reason a malware economy has emerged over the last few years. This is what mere mortals mean when they talk about malware, and the reason people get malware and hackers mixed up all the time.

Rogues – these are the hacking groups you can enumerate on any given day. Hundreds, if not thousands, worldwide. These guys are all capable but normally aren't fueled by cash. They deface, DDoS, and partake in 'mostly harmless' hackery. But a small subset have always been deeply malicious. Others pick up a cause and act like cyber terrorists. And still others really are cyber terrorists.

Rogues meet cash - these hired mercenaries are the ones who write malware, sell 0-day, and get caught up in the vortex of organized crime. These guys are very, very dangerous.

All the membranes have been breached - the threat is blended. We live in a time where a state interest can simply buy access to adversary networks from criminals who are selling their botnets. Where state sponsored attacks can be vectored through private hacking groups. Where private hacking groups can fund their operations from cybercrime, while targeting corporations and governments with methodology indistinguishable from APT. There is no tidy bucket to place the threat, all the wires are now crossed. The only thing that is consistent here is that hacking is hacking, and it always looks and smells the same when you see it. 


Thursday, December 1, 2011

The Smell of Blood in the Water.....

It's been a while since my last post, so I wanted to give a very brief summary of the current state of affairs (this is by no means exhaustive…). Let's just say that 2011 will go down in history as the year that our perceived security was stripped away.

EMC’s RSA division was breached and soon afterward so were some of its customers.

The world's largest anti-virus companies have been taken to task for selling snake oil (also known as anti-virus software). Local police departments all over were unable to protect their own officers' personal and confidential information.

The FBI's InfraGard program was repeatedly hacked. DARPA and NSA have both recently agreed that, after many years of trying, they have failed to come up with a security model that works in light of recent infiltrations...

We are entering 2012 more vulnerable than ever before because our security relied upon the "perception" that those charged with our security, both public and private, could do the job. Well, reality has stripped that misconception away, which gives rise to opportunity.

Conversely, over 28 nations and counting are developing offensive cyber capabilities, and the really malicious actors of the world, like drug cartels and extremist groups (both domestic and foreign), are rapidly learning what's possible vis-à-vis attacks through cyberspace. In other words, those with the means to act are growing quickly.

Finally, the anger and frustration of the expanding "Occupy movement" combined with the onset of hate-fueled politics that accompanies a Presidential election year - especially against this President - will engender widespread motivation for people to take action. With means, motive, and opportunity solidly represented,  I expect 2012 will produce more cyber attacks against U.S. targets which will result in serious harm if not loss of life. Once there's blood in the water, you can expect more will quickly follow.

The very worst part of this prediction is that it's inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government faces challenges in doing what's necessary to protect our nation's critical infrastructure because it's 90% privately owned, and our laws and system of government have enabled this massive malfeasance so that everyone responsible can claim absence of malice.

In the words of Upton Sinclair and the movie based upon his book Oil! - "there will be blood". It's just a matter of time.

Thursday, January 27, 2011

Darkness Unleashed......

Darkness DDoS Botnet Tool
A free version of a fast-growing DDoS botnet tool has been unleashed in the underground. The Darkness botnet is known for doing more damage with less, boasting that it can take down an average-sized site with just 30 bots. This botnet has been very active over the past few months. In just the past three weeks, for example, Darkness has attacked an average of 1.5 victim sites per day, and about three per day in the fourth quarter of last year. An older version of the bot code, version 6m, had become available for free in various underground forums as of late December. Darkness requires fewer infected systems, which makes it more efficient.

Some consider Darkness a big competitor to the already-established Black Energy botnet. But unlike Black Energy, which has been known to deliver a one-two punch of both DDoSing and stealing information from its victims, Darkness -- aka "Optima" and "Votwup" -- thus far appears to be all about its specialty: overwhelming websites with benign HTTP requests. It pumps out lots of packets... And Darkness is not using any new vulnerability or technology. It's more just a good implementation of a known methodology for doing DDoS.

The bot code circulating also includes other features. There is a feature aimed at disrupting online voting and polling. A higher-end version of Darkness sells for $350 and includes three different command and control servers, providing a must-have for any botnet operator today: some built-in redundancy and resiliency, just in case a researcher or law enforcement manages to take down one of its C&C servers.