Kaspersky Securelist

Updated: 17 min 19 sec ago

5G security and privacy for smart cities

48 min 18 sec ago

The 5G telecommunications revolution is imminent. It is the next generation of cellular network, making use of the existing 4G LTE in addition to opening up the millimeter wave band. 5G will be able to welcome more network-connected devices and increase speeds considerably for users. It will serve as the foundation for advanced services, including:

  • 8k streaming, real-time mobile gaming into augmented/virtual reality experiences;
  • Complex remote operations such as remote unmanned vehicles, delivery and surveillance drones, surgical robots;
  • Critical infrastructure operations: enhanced management and monitoring systems for traffic, energy and water facilities;
  • Emergency and healthcare interventions: services for saving lives greatly benefit from 5G installations; drones can quickly reach and live broadcast an incident location, could be used for delivering first aid and equipment or even to transport a victim to the closest medical center.

5G risks and challenges

Managing security is a continuous and dynamic process. With the dramatic increase in the number of connected devices comes a natural expansion of the attack surface and threat intensity. As 5G technologies become widely deployed, the weaknesses and inherent security flaws of 5G will be identified and hopefully quickly patched.

The key anticipated risks can be described as follows:

  • Protocol weaknesses and large-scale vulnerability exploitation
  • Severe DDoS attacks
  • BYOD threats
  • Data security and privacy
  • State-funded terrorism, anti-fossil fuel activism, espionage or corporate sabotage
  • Critical infrastructure/public safety

Public privacy, safety and critical infrastructure

Connected services and infrastructure are a double-edged sword: they help provide better visibility, efficiency and performance, but they are making non-critical infrastructure critical and therefore exposing more of the population to unaffordable risks. The general public is being ‘lulled’ into welcoming the convenience and continuous visibility provided by 5G, though in the event of a disruption, public order could be at stake.

The conventional boundaries of critical infrastructure, such as water supply, the energy grid, military facilities and financial institutions, will expand much further into other unprecedented areas in a 5G-connected world. All these will require new standards of safety.

On the privacy side, matters become more complex. The advent of 5G with its short range will definitely mean more cell communication towers and building antennas being deployed in dense urban centers. With the right toolset, someone could collect and track the precise location of users. Another issue is that 5G service providers will have extensive access to large amounts of data being sent by user devices that could show exactly what is happening inside a user’s home and at the very least describe via metadata their living environment, in-house sensors and parameters.

Taking into account all of the above, it is our view that government and industry leaders need to combine their efforts to promote secure and safe 5G technology projects to enhance the services and quality of life for citizens of smart cities.

To learn more about 5G technologies, risks, challenges and security solutions, please read the full report.

Black Friday Alert 2019: Net Shopping Bag of Threats

1 hour 45 min ago

Every year, Kaspersky releases an annual Black Friday alert to highlight how fraudsters may capitalize on increased levels of online shopping at this time of year when many brands are offering their customers appealing discounts. In the rush to get a big discount or, even more panic-inducing, a limited time offer, many shoppers lose all sense of vigilance. Caution goes out the window and consumers start tapping on links and email vouchers without their usual care and attention.

Spam and Phishing

Unfortunately, online shopping at this time of year needs more security awareness, not less. It is the peak season for phishers and spammers. Along with many genuine offers, there also lurk phishing scams ready to reel in an unwitting bargain hunter’s bank details. By clicking on a too-good-to-be-true discount link online without checking that it’s genuine, you could find yourself at a fake marketplace that may look indistinguishable from the real website. On these sites, entering your bank details could result in money leaving your account, but no package arriving at your door.

Since Kaspersky began analyzing financial phishing activity in 2013, there has been a steady rise in threats – peaking at 54% in 2017. However, last year this trend slowed down and reversed: the figure dropped to 44.70%. Financial phishing attacks are still expected to be a big risk around the upcoming Black Friday event, and there will be close analysis to see if the figure rises once more.

Share of financial phishing attacks from all phishing decreased for the first time in four years in 2018

Social Engineering in the Retail Sector

How do phishing scams work?

In order to make these scams a success, fraudsters need to lure their potential victims to fake webpages and obtain their bank details. To do this, attackers register website domains, often containing the magic phrase ‘Black Friday’ and keep their registration data hidden.

Their sites are usually well designed and appear to be genuine and of a high quality. Unlike many old typo-filled spam emails, phishing web pages are relatively easy to make look authentic – scammers can simply copy the source code from the real store’s website and make theirs appear to be a near perfect match.

Domain addresses are usually hidden until the event itself, so they are not blocked in advance by antivirus software vendors. The scam website is then activated immediately before the phishing mail goes out, just as shown in these screenshots.

Occasionally, these attacks appear to be sent by large banks or payment systems, allegedly partners of the Black Friday sales campaign, while in fact these are carefully crafted copies of legitimate pages and mailshots made by criminals. Emails or warnings may threaten to block the user’s account or promise some financial benefits by clicking on the email. These phishing emails make it seem like all you have to do is follow the link and log in to your account.

However, if you do log in to these sites with your credentials, all your bank account or payment card data — such as card numbers or usernames and passwords — will be leaked to the scammers.

Once they have this data, scammers could be able to withdraw money from your account, sell your bank card details on the dark web, or spend your money in various ways. This is often carried out by teams in other countries.

These scams come in a variety of forms. In one example, scammers offer goods at crazy discounts, encouraging the victim to share their bank card details, thereby risking losing all of their account funds and of course, not receiving their order. In another scheme, the victim might be tricked into transferring money to the attacker’s account, after which the fraudster breaks off all contact and the funds are lost.

There is also another widespread and very successful phishing scheme which asks users to complete a survey and fill in a large registration form, along with bank card details to take part in the promotion. After completing the form, you’re asked to send a link to the website to 10 friends via a messenger app.

Of course, victims of this scam won’t ever receive any prizes but instead end up bombarded with various links and emails for more useless surveys. Any additional clicks on these surveys usually mean that scammers receive even more money. Because the survey is shared through messenger apps, more users, who often trust links that come from their friends, might also fall for the trick. And so the cycle continues.

Where are phishing scams occurring?

According to our statistics, more than half of phishing attacks carried out in the digital retail space are in the payment sector – online stores, payment systems and banks. Frequently, criminals use brands of Amazon, eBay and Alibaba to trick users. Amazon was used as a disguise in more than a million attacks in the first three quarters of 2019 alone, as the graph below shows.

Online retailers most hit by phishing attacks during Q1-Q3 2019

Notably, the share of phishing incidents in the online retail space increased significantly during the peak sales period compared with the rest of the year. For instance, attacks that were using the eBay brand reached nearly 25,000 during the week of November 4th, 2018, two weeks before Black Friday, after experiencing minimal disruption in the preceding days. The Amazon brand was also a key target for scammers, facing more than 20,000 phishing attacks during the week of November 19th, 2018, which was the week of Black Friday last year.

Spikes in phishing attacks on online marketplaces from August – December 2018

These 2018 findings allow us to predict that in 2019 the situation may repeat.

Banking trojans

Similarly to phishing scams, Banking Trojans also target e-commerce brands so that they can track down user credentials – like banking login details, passwords, bank card numbers or phone numbers.

But with Trojans, the malware can intercept data fields on targeted websites. This means they can modify online page content and steal the credentials entered, while the victim keeps thinking that they are entering their login and password into legitimate fields on the website. Because of this, cybercriminals can monitor a hacked user’s online behavior, such as which sites they visit while on the infected device.

Once the user browses to one of the targeted e-commerce websites, the Trojan activates its form-grabbing functionality and saves all the data a user inputs on the website. On an e-commerce website, this means a credit or debit card number, expiration date and CVV, as well as your site login credentials.

If the site or user’s bank doesn’t feature two-factor authentication, then the criminals behind the Trojan will have access to all this data and can use it to empty the user’s bank account or use their card details for purchases.

In the first three quarters of 2019, Kaspersky discovered 15 families of financial malware targeted at users of popular brands. In addition to the already known banking families such as Zeus, Betabot, Cridex and Gozi, this year, we have also seen two mobile banking Trojans joining our list: Anubis and Gustuff.

Last year’s report saw a 10% increase in the detection rate of financial malware between 2017 and 2018[1], but over the course of the full year that growth was a far more significant 24%. More than 15 million attacks by banking Trojans have been registered in the first three quarters of 2019. This means we have already seen a nine percent increase on what was found during 2018.

Overall number of attacks by Banking Trojans, 2015 – 2019

Mobile Trojans are also able to steal user credentials. The common scenario for user account theft on mobile devices is an overlay attack, which places windows from the hacker’s program on top of the app or window the user is browsing. Often the overlaid window or data input form is identical to the real one and the user enters their data believing that they are dealing with the original program.

Targeted e-commerce categories

In 2019, we found those 15 malware families were targeting a total of 91 consumer e-commerce sites and mobile apps across the world.

Of those, consumer goods websites such as fashion and clothing, or toys and jewelry, were the most commonly targeted, with 28 websites falling into this category. Also popular with phishing scams are entertainment websites with 20 examples found and travel bookings with 15 in that category.

Surprisingly, sites which sell big ticket items, such as consumer electronics (two websites found) and telecoms (12 websites), which are popular purchases on Black Friday, are at the bottom of the list.

Proportion of e-commerce categories targeted by malware in Q1-Q3 2019

| Category | Number of targeted brands |
|---|---|
| Consumer apparel (fashion, shoes, gifts, toys, jewelry, department store) | 28 |
| Entertainment (cinema, games etc.) | 20 |
| Travel (flights, taxi, hotels, etc.) | 15 |
| Online retail platform (eBay, Alibaba group etc.) | 14 |
| Telecoms | 12 |
| Consumer electronics | 2 |

Proportion of e-commerce categories targeted by malware in 2019, by number of targeted brands

Advice and recommendations

As shown in this overview, Black Friday offers a golden opportunity for fraudsters and scammers to steal consumers’ cash. Sometimes a deal can seem too-good-to-be-true, but retailers still offer great discounts at this time of year, so it’s important to examine every deal closely. Shopping around for a bargain can still be enjoyable, it just needs extra vigilance to make sure you can tell the difference between the must-have offers and fake promotions. With incidents of phishing and banking Trojans on the rise, it’s important to stay safe from cyberthreats during the peak Black Friday shopping season.

To stay safe and keep your hard-earned money secure while shopping online, Kaspersky recommends taking the following security measures:

If you are a consumer:

  • Avoid shopping from websites that appear suspicious or flawed, no matter how great their Black Friday deals are
  • Don’t click on unfamiliar links you receive in emails or social media messages, even from people you know, unless you were expecting the message
  • Double check the email address of the sender. If it is not from the official brand’s website domain, do not click on the link
  • Hover over the linked text in the email or message and see which URL it will actually open
  • Invest in a robust cybersecurity solution to protect all the devices you use to shop online
  • Think about how much money you wish to spend in an online payment transaction account at any one time
  • Reduce the amount of funds you have in your bank and online accounts. The greater the balance, the more can be lost to fraudsters
  • Restrict the number of attempted transactions on your bank card
  • Turn on and always use two-factor authentication (Verified by Visa, MasterCard Secure Code, etc.)
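
The sender and link checks from the list above can also be automated at a mail gateway or in a triage script. The following is an added example, not part of the original report: the brand domain `shop.example`, the sample message and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brand's real domains are known in advance (constructed value).
OFFICIAL_DOMAINS = {"shop.example"}

# Constructed sample message, not a real phishing email.
SAMPLE_SENDER = "Shop Deals <offers@shop-blackfriday.example>"
SAMPLE_BODY = """
<p>Black Friday: 90% off today only!</p>
<a href="http://shop.example.blackfriday-deals.example/login">https://www.shop.example/black-friday</a>
<a href="https://www.shop.example/orders">Your orders</a>
<a href="https://surveys.example/win">Take our survey</a>
"""


def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain or one of its subdomains.

    A substring test would wrongly accept 'shop.example.evil.example',
    so the comparison is anchored at the right-hand end of the host name.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host name shown in the link text, if the text looks like a URL."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def check_email(sender, html_body, official=OFFICIAL_DOMAINS):
    """Return a list of (finding, host) tuples for one message."""
    findings = []
    sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if not is_official(sender_domain, official):
        findings.append(("sender-domain", sender_domain))

    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if is_official(host, official):
            continue
        shown = displayed_host(text)
        if shown and is_official(shown, official):
            # The text shows the brand's URL, but the link opens another host:
            # this is what hovering over the link would reveal.
            findings.append(("text-href-mismatch", host))
        else:
            findings.append(("unofficial-link", host))
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(finding)
```
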

If you are an online brand or retailer:

  • Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals
  • Use a tailored IT and cybersecurity solution to protect your business and customers
  • Pay attention to the personal information used by customers who buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers

All research used in this report is based on user data obtained with consent and processed using the Kaspersky Security Network (KSN). All referenced banking Trojan malware were detected and blocked by Kaspersky security solutions.

The cybercrime ecosystem: attacking blogs

21 November, 2019 - 11:00

Executive summary

The Cybercrime Ecosystem is a series of articles explaining how cybercriminals operate, what drives them, what techniques they use and how we, regular Internet users, are part of that ecosystem. The articles will also cover technical details and up-to-date research on the threat landscape to provide a more realistic understanding of why this is a problem and how we can prevent it.

This article describes current problems with cybercriminals infecting websites with malicious code. It is very common to see cybercriminals exploit vulnerabilities in blogging software such as WordPress and Joomla! for injecting their malicious code. This is very effective, as many blogs are whitelisted, are not detected as suspicious websites by anti-virus software and get a lot of traffic. In my research, I decided to investigate this further and see what the current threat landscape looks like by researching the most visited blogs in Sweden.

In my research, I noticed that the majority of the blogs were running outdated versions of not just the WordPress core, but plugins, too. Their vulnerabilities would allow both authenticated and unauthenticated users to execute system commands, inject malicious code, such as JavaScript, and perform SQL injections to get access to the database. Please note that none of the vulnerabilities have been verified; they are simply based on the publicly available version number identified in the research.

Introduction

Attacking websites and infecting them with malicious code is probably one of the most common types of attacks by cybercriminals. It will allow criminals to perform multiple attacks against visitors to the website. They can basically control all the visitors and redirect their browsers to any website they want, while the visitor may not be aware it is happening. The link to the infected website can be sent by email, in a personal message on a social media platform or any other common way.

By redirecting the visitors to a website under the criminals’ control, they can, for example, exploit vulnerabilities in the browser or other client software such as Java, Flash, Acrobat Reader, VLC, Microsoft Office and tons of others.

They can also redirect the user to scam/spam sites, for example, by tricking users into downloading a fake software update or scaring them to make them pay a ransom. Lately, we have also seen that criminals can utilize the browser itself for cryptocurrency mining, etc. or use it as a zombie in a larger botnet for denial-of-service attacks.

Cybercriminals can hack into blogs by using many different methods, such as exploiting software vulnerabilities or getting access to admin panels, getting remote access (SSH, telnet) with known or leaked passwords, or in some cases, even buying legitimate ads, poisoning these with malicious code, and displaying them on the targeted website. This technique is called malvertising.

I decided to look at the biggest CMS system (WordPress) and the top 50 biggest and most visited blogs in Sweden to see if they were vulnerable against any common and known vulnerabilities. Not all of the top 50 websites were running WordPress; some of them were running custom software or another CMS system. Another obstacle was that it was not possible to ascertain the exploitability of the identified vulnerabilities. I could only base my research on the version of the software/plugin they were running, whereas not all plugins disclose their version numbers, so this report is based only on the version numbers that I have been able to identify.

Tools and techniques used

Determining the version number of a specific plugin or piece of software is straightforward enough: you simply need to look at the source code of the website and follow the links on the website. WordPress provides a few common methods of determining the version number: one of these is to see if the system has RSS (feeds) enabled. By accessing the feed, you also get the version number: it will have a tag.

In addition to this, you can also start enumerating the plugins directory and see if there are any “readme” or installation notes. Most of the plugins have their version number written down in the readme/changelog/installation files or even print the version on the page.

Once the version number has been identified, there are plenty of public resources you can use to check if that specific plugin is vulnerable to any known attacks. I used mainly two sources, which were www.exploit-db.com and www.wpvulndb.com.
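
A site owner can run the same checks against their own installation to see what it discloses and whether it is behind. The following is an added example, not the author's or WPScan's code: it reads the WordPress version from the feed's `generator` element and a plugin version from the `Stable tag:` line of its readme. The feed, readmes, plugin names and baseline versions are constructed; the core baseline 5.2.3 is the newest release mentioned in this article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real site).
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example blog</title>
    <link>https://blog.example/</link>
    <generator>https://wordpress.org/?v=4.9.8</generator>
  </channel>
</rss>
"""

SAMPLE_READMES = {
    "example-gallery": "=== Example Gallery ===\nStable tag: 1.2.3\n\n== Changelog ==\n",
    # This readme carries no version line, so the version stays unknown.
    "example-forms": "=== Example Forms ===\nRequires at least: 4.0\n",
}

# Assumption: the operator maintains the versions they consider current.
BASELINE = {"core": "5.2.3", "example-gallery": "1.2.3", "example-forms": "2.1"}


def parse_version(text):
    """'4.9.8' -> (4, 9, 8, 0); padding makes '5.2' compare equal to '5.2.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def core_version_from_feed(feed_xml):
    """WordPress version disclosed by the feed, or None if it is not there."""
    if "<!DOCTYPE" in feed_xml.upper():
        # A feed has no need for a DTD; refuse it to avoid entity expansion.
        raise ValueError("feed contains a DOCTYPE declaration")
    root = ET.fromstring(feed_xml)
    for generator in root.iter("generator"):
        m = re.search(r"[?&]v=(\d+(?:\.\d+)*)", generator.text or "")
        if m:
            return m.group(1)
    return None


def plugin_version_from_readme(readme_text):
    """Numeric 'Stable tag:' value from a plugin readme, or None."""
    m = re.search(r"^Stable tag:\s*(\d+(?:\.\d+)*)\s*$", readme_text, re.I | re.M)
    return m.group(1) if m else None


def audit(feed_xml, readmes, baseline):
    """Return (component, disclosed version, status) for core and each plugin."""
    observed = {"core": core_version_from_feed(feed_xml)}
    for name in sorted(readmes):
        observed[name] = plugin_version_from_readme(readmes[name])

    findings = []
    for component, version in observed.items():
        if version is None:
            # Same limitation as in the research: no version, no verdict.
            status = "undisclosed"
        elif component not in baseline:
            status = "no-baseline"
        elif parse_version(version) < parse_version(baseline[component]):
            status = "outdated"
        else:
            status = "current"
        findings.append((component, version, status))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FEED, SAMPLE_READMES, BASELINE):
        print(finding)
```

An "outdated" result means only that the disclosed version is older than the baseline; as the article notes, it does not verify that any vulnerability is exploitable.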

A screenshot from wpvulndb.com

A screenshot from exploit-db.com

To automate this process, I teamed up with the WPScan team who have a tool/API allowing users to scan WordPress sites and automatically query the wpvulndb.com database via a nice API to check if the identified plugins and versions are prone to any known vulnerabilities. I thank WPScan for their support in this project! It would have taken me much longer to do this manually.

Statistics

The results were very interesting: I noticed that the most visited blogs in Sweden were running outdated software. Thirty-seven percent of the top 40 blogs in Sweden were running an outdated version of WordPress, with the oldest version being from 2012, vulnerable to a lot of exploits—even full remote code execution allowing the attacker to compromise not just the WordPress installation, but the server it is running on, too. When checking the server hosting this extremely old WordPress installation, I found that 13 other websites were running on the same server. Most of the outdated WordPress installations were from 2018.

| Release date | Version | Vulnerabilities |
|---|---|---|
| 2012-06-27 | 3.4.1 | 41 |
| 2013-06-21 | 3.5.2 | 19 |
| 2016-06-21 | 4.3.5 | 19 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2018-08-02 | 4.9.8 | 11 |
| 2019-03-13 | 5.1.1 | 1 |
| 2019-06-18 | 5.2.2 | 8 |
| 2019-09-05 | 5.2.3 | 6 |
| 2019-09-05 | 5.2.3 | 6 |

Source: cvedetails.com and wpvulndb.com

Another interesting fact is that 55% of the researched sites were running the latest version of WordPress, and out of those systems, 50% had a plugin with a history of being vulnerable, but due to the fact that the version number could not be determined, we do not know if they are still vulnerable. Only four out of these 22 systems had vulnerabilities which were verified via the version number.

Spreading the malware

As mentioned before, this is a very common way for cybercriminals to spread malware, but how does it work in real life? After the WordPress site is compromised, the most common technique is to redirect the user to a so-called exploit kit. This is a system which will enumerate the browser, and if a list of requirements is met, deliver the malicious payload to the victim. For example, some of the requirements may be to exploit a certain browser only, if the exploit kit only has exploits for Firefox. In that case, nothing will happen if you visit the website in Chrome or Internet Explorer.

More advanced exploit kits also enumerate certain users from certain countries, possibly even excluding certain IP addresses from known security companies, law enforcement agencies and other people. The exploit kit also keeps track of successfully infected victims, so the cybercriminals can easily perform their operations or sell access to the infected computers.

Exploit kits do not just deliver malware—they can deliver any payload, e.g. by simply redirecting a user to another website or displaying ads. You yourself may have been redirected to a survey or some kind of “amazing” offer. This could have been done using the same techniques as mentioned above.

Examples of recent and large attacks:

Database leaks

One of the biggest motivators for cybercriminals is financial gain, and although that does not apply to everyone—some attackers have political motivation, others just do it for the adrenaline—making money is still a strong incentive. The cybercriminal ecosystem is huge, and cybercriminals benefit from everything they compromise. Simple things, such as email databases, access to compromised systems or infected computers, email and password combinations, and a lot more are all sold on the black market.

Almost exactly one year ago, I wrote about how much stolen data was being sold on the black market.

Blogs are a goldmine for collecting user data, as they get a lot of visitors who, in many cases, maintain an account on the website to be able to comment on posts. Another reason is that it is very easy to perform social engineering attacks against the visitor, display a fake login page and trick the user into logging in to access “hidden” content.

However, cybercriminals can also exploit SQL injection vulnerabilities both in the WordPress core and many plugins that have these. The vulnerability will allow an attacker to query the underlying database, retrieve data from it, and in some cases, even modify and read/write files in the file system.

Fortinet has written a very good article on some of the SQL injection vulnerabilities they found a few months ago.

Are we doomed?

I personally think that this is not a problem we can blame on the technology, because if you look at, say, WordPress, the system is very good at informing you as an administrator that there are updates available. As you can see from the screenshot below, the available updates are shown in two places: Plugins and Dashboard, where WordPress core updates will show up as well.

One reason why the plugins or software are not updated might be that the current theme is not designed to work with the latest version of the plugin and might not function properly if the plugins are updated. Another reason might be that the people administrating the WordPress installation are marketing/PR agencies or web designers, who are only responsible for the layout, not security.

I think that anyone running a website should take a little more responsibility, not just for their brand, but for the systems they use, too. Regardless of whether you are an influencer, personal blogger or e-commerce website, it should be in your best interest to ensure that you are not making the life of cybercriminals easy. If you are only a customer using these blogging platforms, please ask your provider what their policy is for making sure that the blog is secure.

As a regular Internet user, you need to make sure that you are securing your device and keeping your digital identity safe. A very good tip is to use protection against malicious code, which will identify and prevent these attacks even if the blog or website is infected.

You also need to ensure that you are not reusing your passwords on every site. One example of how you can create strong and unique passwords for every site, without using any additional software, can be found here.

Even if you do all of these, it is also very important that you make sure your device and any software installed on it is up to date with the latest security patches. Running the latest and secure versions makes a great difference.

I am also very glad that you took the time to read this article. It means that we are actually starting to make a difference, and the effort that we, security nerds, do reaches people such as yourself. Thank you and please share this knowledge with people who you believe might benefit from it. We cannot solve everything with technology, and we need to use our common sense and share knowledge among ourselves. We need your help with doing just that!

Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020

20 November, 2019 - 11:00

Nothing is more difficult than making predictions. Rather than trying to gaze into a crystal ball, we will be making educated guesses based on what has happened during the last 12 months, to see where we can see trends that might be exploited in the near future.

This is what we think might happen in the coming months, based on the knowledge of experts in this field and our observation of APT attacks – since APT threat actors have historically been the center of innovation.

The next level of false flag attacks

The use of false flags has become an important element in the playbook of several APT groups. In the past, this has generally involved trying to deflect attention away from those responsible for the attack – for instance, the usage of Russian words in Lazarus group malware, or Romanian words by WildNeutron. In one notable case – the Olympic Destroyer attack – the Hades APT group sought to go further than just clouding the waters of attribution by forging elements of the attack to make it seem like the work of a different threat actor. We believe that this will develop further, with threat actors seeking not only to avoid attribution but to actively lay the blame on someone else.

For instance, this could include the usage of established backdoors by other unrelated APT actors, the theft and re-use of code (the recently published case of Turla reusing code from an unknown Iranian group, outlined by the UK NCSC and NSA comes to mind) or deliberately leaking source code so that other groups adopt it and muddy the waters further.

On top of all that, we should consider how actors continually use commodity malware, scripts, publicly available security tools or administrator software during their attacks and for lateral movement, making attribution increasingly difficult. Mixing a couple of false flags into this equation, where security researchers are hungry for any small clue, might be enough to divert authorship to someone else.

From ransomware to targeted ransomware

In the last two years we’ve seen a decline in numbers of all-purpose widespread ransomware attacks as cybercriminals have become more targeted in their use of this type of malware – focusing on organizations that are likely to make substantial payments in order to recover their data. We are calling this technique ‘targeted ransomware’. Throughout the year, we recorded several cases where attackers used targeted ransomware, and we think that a likely future development will be more aggressive attempts to extort money. A potential twist might be that, instead of making files unrecoverable, threat actors will threaten to publish data that they have stolen from the victim company.

In addition to targeted ransomware, it is inevitable that the cybercriminals will also attempt to diversify their attacks to include other types of devices besides PCs or servers. For instance, ransomware in consumer products, such as smart TVs, smart watches, smart cars/houses/cities. As more devices become connected to the internet, cybercriminals will also be looking for ways to monetize their access to these devices. Ransomware is, unfortunately, the most effective tool for extracting a financial profit from the victims.

New online banking and payments attack vectors

A new potential attack vector for cybercriminals could open up with the new banking regulations that have recently come into full effect across the EU. The PSD2 (Payments Services Directive) lays down regulatory requirements for companies that provide payment services, including the use of personal data by new fintech companies that are not part of the established banking community. Security of online, including mobile, payments is a key aspect of the legislation. Nevertheless, as banks will be required to open their infrastructure and data to third parties who wish to provide services to bank customers, it is likely that attackers will seek to abuse these new mechanisms with new fraudulent schemes.

More infrastructure attacks and attacks against non-PC targets

Determined threat actors have, for some time, been extending their toolsets beyond Windows, and even beyond PC systems: VPNFilter and Slingshot, for example, targeted networking hardware. The benefit to an attacker, of course, is that once they have compromised such devices, it gives them flexibility. They could opt for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In our threat predictions for 2019, we considered the possibility of ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker. In June, it was revealed that hackers had infiltrated the networks of at least 10 cellular telcos around the world, and had remained hidden for years. In some cases, it seems they had been able to deploy their own VPN services on telco infrastructure. The convergence of real and cyber worlds brought about by the profusion of IoT devices offers growing opportunities for attackers; and it’s evident that threat actors are aware of the potential. This year it was reported that unknown attackers stole 500MB of data from NASA’s Jet Propulsion Laboratory using a Raspberry Pi. In December last year, the UK’s Gatwick airport was brought to a standstill for fear of a possible collision after at least one drone was sighted above one of the runways. While it’s unclear whether this was the result of a hobbyist drone owner or a determined DDoS attacker, the fact remains that part of the country’s critical infrastructure was brought to a standstill because of the use of a drone. The number of such attacks will undoubtedly grow.

In recent years, we have seen a number of high-profile attacks on critical infrastructure facilities and these have typically been aligned to wider geo-political objectives. While most infections in industrial facilities continue to be from ‘mainstream’ malware, this fact itself highlights just how vulnerable these facilities can be. While targeted attacks on critical infrastructure facilities are unlikely ever to become a mainstream criminal activity, we do expect to see the number grow in the future. Geo-political conflicts are now played out in a world where the physical and cyber are increasingly converging; and, as we have observed before, such attacks offer governments a form of retaliation that lies between diplomacy and war.

Increased attacks in regions that lie along the trade routes between Asia and Europe

Clausewitz’s dictum, “War is merely the continuation of politics by other means”, can be extended to include cyberconflict, with cyberattacks reflecting wider real-world tensions and conflicts. We have seen numerous examples. Consider, for example, accusations of Russian interference in US elections and fears about a possible reboot of this in the run-up to the 2020 elections. We’ve seen it in the ‘naming-and-shaming’ of alleged Chinese hackers in US indictments. The widespread use of mobile implants to surveil ‘persons of interest’ is another example.

There are several ways this could play out. They include a growth in political espionage as governments seek to secure their interests at home and abroad. This could mean monitoring the activities of ‘undesirable’ individuals or movements within the country, as well as those of potential opponents abroad. It is likely to extend also to technological espionage in situations of potential or real economic crisis and resulting instability. This could result in new attacks in regions that lie along trade routes between Asia and Europe, including Turkey, East and South Europe and East Africa.

It’s quite possible that we will see changes to legislation and policy, as governments look to define more clearly what is and what isn’t allowed. On the one hand, this could be used as a way to establish plausible deniability and thereby avoid sanctions if the finger of suspicion is pointed at one state by another. On the other hand, it could enable more aggressive use of technology, as several justice departments seem keen to open the door to different kinds of ‘lawful interception’ to collect evidence on computers. One likely response from criminal groups will be greater use of encryption and the Darknet to conceal their operations.

Increasing sophistication of attack methods

It is hard to know exactly how advanced the top-class attackers really are and what kind of resources they have in their pockets. Of course, every year we learn a bit more: for instance, a few years ago we observed an apparently endless supply of zero-days for resourceful attackers who were ready to pay for them. This year we observed several examples, but probably the most interesting is the one involving at least 14 exploits for iOS during the last two years, as exposed by Google in August.

The new isolation methods implemented for Microsoft Word and other software traditionally targeted in spear-phishing campaigns might have a significant impact on malware delivery methods, forcing less sophisticated actors to change the way they spread malware.

We believe it is likely that additional interception capabilities, similar to the Quantum insert attacks described a few years ago, are already being used; and hopefully we will be able to discover some of them.

It also seems likely that attackers will exfiltrate data with non-conventional methods, such as using signaling data or Wi-Fi/4G, especially when using physical implants (something we also believe is probably being overlooked). In a similar vein, we believe more attackers will use DoH (DNS over HTTPS) in the future to conceal their activities and make discovery more difficult. Finally, it is possible that during the coming months we will start discovering more UEFI malware and infections as our ability to see such systems is slowly improving.

Use of supply chains will continue to be one of the most difficult delivery methods to address. It is likely that attackers will continue to expand this method through manipulated software containers, for example, and abuse of packages and libraries.

A change of focus towards mobile attacks

During the last 10 years, an important transition has taken place: the main storage for our digital lives has moved from the PC to mobiles. Some threat actors were quick to notice this and begin focusing on developing attack tools for mobiles. While we have constantly been predicting a huge increase in the number of attacks against mobiles, the observations from the field haven’t always reflected this inferred evolution. However, the lack of observations of a phenomenon doesn’t necessarily imply that it’s not happening.

We have already discussed how an attacker abused at least 14 zero-day vulnerabilities in iOS to target certain minorities in Asia. We also saw recently how Facebook sued the Israeli company NSO for allegedly misusing its servers (to deploy malware to intercept user data). We also saw how Android zero-click, full persistence exploits are now more expensive (according to Zerodium’s price list) than those for the iPhone.

All of this is telling us how much money attackers are investing in developing these technologies. It is clear to all of them how nearly everyone has a phone in his/her pocket and how valuable the information on those devices is. Every year we see new movements in this direction. We also see how complicated it might be for security researchers to obtain more technical details about attacks on such platforms, given the lack of visibility or accessibility.

There are no good reasons to think this will stop any time soon. However, due to the increased attention given to this subject by the security community, we believe the number of attacks being identified and analyzed in detail will also increase.

The abuse of personal information: from deep fakes to DNA leaks

We have previously discussed how data leaks help attackers to craft more convincing social engineering attacks. Not every adversary has a complete profile of potential victims to abuse, which makes the increasing amount of leaked data very valuable. This is also true for ‘less targeted’ attacks like the ransomware cases we have already discussed.

In a world where logged data continues to grow, we can see the danger in what could be considered especially sensitive leaks, for instance when it comes to biometric data. Also, widely discussed deepfakes are providing the technology to make such attacks a possibility, especially when combining this with less obvious attack vectors such as video and audio. We should not forget how this can be automated, and how AI can help with the profiling and creation of such scams.

Yes, all this sounds futuristic, but it is very similar to some of the techniques discussed for driving election advertisements through social media. This technology is already in use and it is just a matter of time before some attackers take advantage of it.

The future holds so many possibilities that there are likely to be things that are not included in our predictions. The extent and complexity of the environments in which attacks play out offer so many possibilities. In addition, no single threat research team has complete visibility of the operations of APT threat actors. We will continue to try and anticipate the activities of APT groups and understand the methods they employ, while providing insights into their campaigns and the impact they have.


 Kaspersky Security Bulletin 2019. Advanced threat predictions for 2020 (PDF, English)

DDoS attacks in Q3 2019

11 November, 2019 - 11:00

News overview

This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out by spoofing the return IP address through the WS-Discovery multicast protocol. According to other security researchers, cybercriminals started using this method only recently, but have already achieved an attack capacity of up to 350 Gbps. The WSD protocol has limited scope and is not generally intended for connecting machines to the Internet; rather devices use it to automatically discover each other on LANs. However, it is fairly common for WSD to be used not entirely for its intended purpose in a variety of equipment — from IP cameras to network printers (about 630,000 such devices are currently hooked up to the Internet). Given the recent rise in the number of WSD-based attacks, owners of such devices are advised to block on the server UDP port 3702, which is used by this protocol, and to take a number of additional steps to protect their routers.
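A defender's check for the WS-Discovery traffic described above, as an added example (not from the report or from Akamai): it scans flow records for devices that answer from UDP port 3702 to addresses outside the LAN, and for hosts receiving such replies from many external senders. The flow tuple layout, the internal range 10.20.0.0/16, the threshold and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702  # UDP port used by WS-Discovery, as stated in the text above
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: our LAN range

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # IP camera answering WSD probes that arrived from the Internet
    ("udp", "10.20.5.9", 3702, "203.0.113.50", 40111, 1400),
    ("udp", "10.20.5.9", 3702, "203.0.113.50", 40111, 1400),
    # Printer answering a LAN neighbour: the intended use of the protocol
    ("udp", "10.20.5.30", 3702, "10.20.1.4", 51000, 900),
    # Web server receiving WSD replies it never asked for, from many senders
    ("udp", "198.51.100.1", 3702, "10.20.0.80", 80, 1300),
    ("udp", "198.51.100.2", 3702, "10.20.0.80", 80, 1300),
    ("udp", "198.51.100.3", 3702, "10.20.0.80", 80, 1300),
    ("udp", "198.51.100.4", 3702, "10.20.0.80", 80, 1300),
    # A single stray packet stays below the threshold
    ("udp", "198.51.100.9", 3702, "10.20.0.81", 80, 1300),
    # Unrelated TCP traffic is ignored
    ("tcp", "198.51.100.9", 3702, "10.20.0.80", 443, 5000),
]


def is_internal(ip):
    """True if the address belongs to one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_responders(flows):
    """Internal devices sending from UDP 3702 to addresses outside the LAN.

    Returns {device_ip: total_bytes_sent}. Any hit means the device is
    reachable on 3702 from outside and the port should be blocked.
    """
    sent = defaultdict(int)
    for proto, src, sport, dst, _dport, size in flows:
        if proto != "udp" or sport != WSD_PORT:
            continue
        if is_internal(src) and not is_internal(dst):
            sent[src] += size
    return dict(sent)


def reflection_victims(flows, min_sources=3):
    """Internal hosts receiving UDP from source port 3702 from many external senders.

    Returns {host_ip: (distinct_senders, total_bytes)} for hosts that reach
    min_sources distinct external senders.
    """
    senders = defaultdict(set)
    volume = defaultdict(int)
    for proto, src, sport, dst, _dport, size in flows:
        if proto != "udp" or sport != WSD_PORT:
            continue
        if is_internal(dst) and not is_internal(src):
            senders[dst].add(src)
            volume[dst] += size
    return {
        host: (len(srcs), volume[host])
        for host, srcs in senders.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    print("exposed responders:", exposed_responders(FLOWS))
    print("reflection victims:", reflection_victims(FLOWS))
```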

Another new tool in the hands of DDoSers was detected by our colleagues at Trend Micro in the shape of a new payload distributed through a backdoor in the data search and analytics tool Elasticsearch. The malware is dangerous because it employs a multi-stage approach to infection, successfully avoids detection, and can be used to create botnets for launching large-scale DDoS attacks. Trend Micro recommends that all Elasticsearch users upgrade to the latest version, since the backdoor has already been patched.

That said, cybercriminals are far more likely to turn to proven techniques than to try out new ones. For instance, when last year the FBI took down a number of inexpensive DDoS-for-hire sites, new ones immediately sprang up in their place, and today the threat is more acute than ever. According to some reports, the number of attacks carried out with their assistance increased by 400% against the previous quarter.

It is highly likely that the attack on World of Warcraft Classic, launched in early September in several waves, was organized through such a service. Before each episode, a certain Twitter user warned of the impending attack. Blizzard later announced the arrest of the mastermind, although whether it was the owner of the corresponding Twitter account remains unclear. But if so, it is hard to escape the conclusion that, far from being a member of a spin-off hacker group, it was a client of a DDoS-for-hire service.

Using another tried-and-tested method (a botnet similar to Mirai — or one of its clones), a 13-day application-level attack was unleashed in July against a streaming service with a capacity of up to 292,000 requests per second. The attack involved about 400,000 devices, mainly home routers.

But whereas the motives behind these two attacks can only be guessed at, two other attacks that took place this summer and fall were almost certainly politically driven. Thus, August 31 saw the targeting of LIHKG Forum, one of the main websites used by protesters in Hong Kong to coordinate their actions. According to the site owners, it was hit by 1.5 billion requests in 16 hours, taking it temporarily offline and causing the mobile app to malfunction.

Soon after that, an attack was conducted on Wikipedia. It began on the evening of September 6 and made the world’s largest online encyclopedia temporarily unavailable to users in various countries of Europe, Africa, and the Middle East. Wikipedia gets hit quite often, but this attack was exceptional in terms of capacity (exact figures are not available, but unofficial sources say more than 1 Tbps) and duration (three days).

The attack organizers remain at large, but several other investigations over the past quarter did reach their logical conclusion. For instance, in early July a US federal court sentenced a certain Austin Thompson of Utah to 27 months in prison and a fine of $95,000 for an attack on Daybreak Game Company (formerly Sony Online Entertainment). And on September 6 another cybercriminal, Kenneth Currin Schuchman of Washington State, admitted his involvement in setting up the Satori IoT botnet.

On the topic of law enforcement efforts, mention must be made of one other piece of news that highlights the importance of prevention in the fight against DDoS attacks. For several quarters now, the section on global botnet activity in our report has featured countries that just a couple of years ago were unlikely contenders to make the ratings. Moreover, the shares of other countries previously beloved of cybercriminals have been falling. This trend was also noted by TechNode, backed up by data from Nexusguard and the World Bank. Our colleagues pinpoint two factors to explain the situation. First, countries once collectively referred to as the Third World have seen rising living standards. More and more residents there are acquiring smartphones and broadband routers — that is, devices that most botnets are made from. Second, in regions where cybercriminals have been plying their trade for a long time, cybersecurity awareness is on the up, and more effective measures are being taken to protect devices, including at the provider level, which means that attackers are having to search for pastures new. This is what is changing the face of our lists of regions by number of cyberattacks.

Quarter trends

Q3 typically sees a lull in DDoS activity over the summer months, followed by a September spike associated with the start of the academic year. This year was no exception.

According to data from Kaspersky DDoS Protection, the number of smart attacks (that is, ones more technically sophisticated and requiring more ingenuity) declined significantly in Q3 against the previous quarter. However, compared with the same period last year, this indicator more than doubled. The prediction made in previous reports is clearly coming true: the DDoS market is stabilizing for smart attacks too. With this in mind, it will be extremely interesting to see the Q4 results.

This stabilization of the market, where growth has been observed throughout the year, is also evidenced by the fact that the average duration of smart attacks is practically unchanged since Q2, yet almost double against Q3 2018. At the same time, the average duration of all attacks fell slightly due to the overall increase in the number of short-lived DDoS sessions.

The giant leap in the maximum duration of attacks on the graph comes from one very long smart attack that we observed this quarter. That this is just a curious anomaly is clearly visible from the medium-length columns.

Changes in the number and statistical distribution of DDoS attacks in Q3 2019 compared to Q2 2019 and Q3 2018

The change in the share of smart DDoS attacks in the general stream of cyber offensives is worth a separate mention.

Changes in the share of smart DDoS attacks in Q3 2019 compared to Q2 2019 and Q3 2018

The ratio of smart attacks to the total number of offensives almost halved against the previous quarter but increased by 7 p.p. compared to Q3 2018; the decline in the share of smart attacks against the end of H1 is due to the quirks of September’s statistics.

Like last year, the arrival of September went hand in hand with a significant rise in the number of DDoS attacks. Moreover, this month accounted for 53% of all Q3 attacks, and it was only because of September that any growth in general was observed.

What’s more, 60% of DDoS activity in the early fall was directed at education-related resources: electronic grade books, university websites, and the like. Against the backdrop of such attacks, most of which are short and poorly organized, the share of smart attacks in Q3 sank by 22 p.p.

We observed a similar picture last year; it is explained by students returning to school and university. Most of these attacks are acts of cyber hooliganism carried out by amateurs, most likely with no expectation of financial gain.

Note that the total number of attacks in September 2019 versus September 2018 increased by 35 p.p., while the total number of attacks in Q3 2019 compared to Q3 2018 climbed by 32 p.p. That is, these figures are roughly the same, while the difference in the growth indicators for the number of smart attacks is far greater: whereas the total number of smart attacks increased by 58 p.p., the number of smart attacks in September rose by only 27 p.p., and the month’s share of smart attacks even declined by 3 p.p. This confirms once again the extent to which September skews the overall statistical picture.

Changes in the number and statistical distribution of DDoS attacks in September 2019 compared to September 2018

Changes in the share of smart DDoS attacks in September 2019 compared to September 2018

As such, in Q3 2019, for the first time in the past year, not only did we not observe a clear rise in the number of smart attacks, we saw their total number fall. It is quite possible that last quarter’s positive forecast — that the DDoS market would become saturated and stop growing — came true.

However, based on the experience of past years, in Q4 we expect to see growth in all key indicators (total number of attacks and smart attacks; duration of attacks), since the end of the year is a holiday season, which means more commercial and thus criminal activity. Yet if the conclusions about market stabilization are correct, this growth will not be that considerable.

That the indicators will drop or even remain at the Q3 level seems unlikely to us — in any case, the prerequisites for such a turn of events are not yet visible.

The barrage of attacks on the education sector will subside by winter, but it will be left completely in peace only in summer when school’s out.

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system — part of the Kaspersky DDoS Protection solution — intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
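The counting rules in this section, worked through on a small data set as an added example (this is not Kaspersky's code): activity periods are merged into attacks per botnet and target, then unique targets, the longest attack and the weekday shares are derived. The record layout, botnet labels and sample periods are constructed; assigning an attack to the weekday on which it started is an assumption, and at a gap of exactly 24 hours the code follows the "24 hours or more is two attacks" wording.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# A gap of 24 hours or more between activity periods starts a new attack.
SPLIT_GAP = timedelta(hours=24)
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


class Period(NamedTuple):
    botnet: str       # hypothetical botnet label
    target_ip: str    # address the bots were commanded to hit
    start: datetime
    end: datetime


def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed activity periods (documentation-range IPs, invented labels).
PERIODS = [
    Period("botnet-A", "192.0.2.10", ts("2019-07-08 00:00"), ts("2019-07-08 02:00")),
    # 18 h after the previous period ended: still the same attack
    Period("botnet-A", "192.0.2.10", ts("2019-07-08 20:00"), ts("2019-07-08 23:00")),
    # 25 h after the previous period ended: counted as a new attack
    Period("botnet-A", "192.0.2.10", ts("2019-07-10 00:00"), ts("2019-07-10 01:00")),
    # Same target, different botnet: always a separate attack
    Period("botnet-B", "192.0.2.10", ts("2019-07-08 01:00"), ts("2019-07-08 03:00")),
    Period("botnet-A", "198.51.100.7", ts("2019-07-14 10:00"), ts("2019-07-14 11:00")),
]


def merge_into_attacks(periods):
    """Merge activity periods into attacks, one series per (botnet, target)."""
    grouped = defaultdict(list)
    for p in periods:
        grouped[(p.botnet, p.target_ip)].append(p)

    attacks = []
    for (botnet, target), items in grouped.items():
        items.sort(key=lambda p: p.start)
        start, end = items[0].start, items[0].end
        for p in items[1:]:
            if p.start - end >= SPLIT_GAP:
                # Quiet for 24 h or more: close the attack, open a new one.
                attacks.append(Period(botnet, target, start, end))
                start, end = p.start, p.end
            else:
                end = max(end, p.end)
        attacks.append(Period(botnet, target, start, end))
    return sorted(attacks, key=lambda a: (a.start, a.botnet, a.target_ip))


def unique_targets(attacks):
    """Unique targets are counted by unique IP address."""
    return len({a.target_ip for a in attacks})


def longest_hours(attacks):
    """Duration of the longest attack, in hours."""
    return max((a.end - a.start).total_seconds() / 3600 for a in attacks)


def weekday_shares(attacks):
    """Percentage of attacks per weekday, keyed by the day the attack began."""
    counts = Counter(WEEKDAYS[a.start.weekday()] for a in attacks)
    return {day: round(100 * n / len(attacks), 2) for day, n in counts.items()}


if __name__ == "__main__":
    result = merge_into_attacks(PERIODS)
    for a in result:
        print(a.botnet, a.target_ip, a.start, "->", a.end)
    print(unique_targets(result), longest_hours(result), weekday_shares(result))
```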

Quarter summary
  • China remains top by number of attacks, with a practically unchanged share compared to Q2 (62.97% against 63.80%).
  • The unexpected guest in the Top 10 ranking by territorial distribution of attacks was South Africa, which took fourth place (2.40%), having never previously appeared in our leaderboard.
  • The Top 10 in terms of territorial distribution by number of targets is similar to the Top 10 by number of attacks: the Top 3 were again China (57.20%), the US (22.16%), and Hong Kong (4.29%).
  • In the past quarter, peak DDoS botnet activity was observed in July; the most dangerous day was Monday (17.53% of attacks), and the quietest was Sunday (10.69%).
  • The longest attack lasted more than 11 days (279 hours), which is almost half the length of the longest attack in Q2.
  • The most common type of attack is still SYN flooding (79.7%), with UDP flooding in second place (9.4%). The least popular is ICMP flooding (0.5%).
  • The shares of Windows and Linux botnets are almost unchanged against Q2; Linux botnets still account for the vast majority (97.75%) of activity.
  • The leader by number of botnet C&C servers is once more the US (47.55%), followed by the Netherlands in second (22.06%) and China in third (6.37%).

Attack geography

As in previous quarters, the leader by number of attacks is still China, whose share fell by 0.83 p.p. to 62.97%. Likewise, the US remains in second place: its share slightly decreased to 17.37% (against last quarter’s 17.57%). Hong Kong firmly established itself in the bronze position. In contrast to China and the US, its share grew, albeit only by 0.83 p.p. to 5.44%.

The trend seen in past quarters continued, with an interloper rising from the lower ranks into the Top 10. This time it was South Africa (2.4%), soaring up from 19th position last quarter. It seized fourth place from the Netherlands (0.69%), which dropped down to ninth. What’s more, the Top 10 welcomed back South Korea after a long absence — but not in the Top 3 as before, rather in eighth place with just 0.71%.

Also worth noting is Romania, which gained 0.93 p.p. and rejoined the Top 10 in sixth position with 1.12%. Romania, South Africa, and South Korea collectively squeezed out Taiwan, Australia, and Vietnam.

Distribution of DDoS attacks by country, Q2 and Q3 2019

The geographical distribution of unique targets this quarter has a lot in common with the distribution of number of attacks — which is fairly typical for statistics of this kind. The Top 3 here also belongs to China (57.20%), the US (22.16%), and Hong Kong (4.29%), with shares close to those in the rating by number of attacks. But there are variances in both Top 10s below. These are partly due to the small share of each individual country (except for the Top 3), which means that even minor fluctuations cause major reshuffles.

For instance, South Africa (1.83%) entered the Top 10 by number of unique targets, though not in fourth place, but fifth, giving way to the UK (2.71%). In the list of leaders by number of attacks, the situation is the opposite: the UK is fifth behind South Africa. Romania also made it back into the rating with a share of 0.71%, while South Korea was pushed overboard. This quarter’s rating also had no place for Taiwan and Ireland.

France remained in last place, its share falling by 0.23 p.p. against the previous quarter to 0.67%.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019

Dynamics of the number of DDoS attacks

Q3 was relatively calm, with clear peaks and troughs being observed only in July. The most eventful day of this month was the 22nd, with 457 attacks. We also registered a high number of attacks (369) on July 8. The calmest day was August 11 (65 attacks).

Dynamics of the number of DDoS attacks in Q3 2019

The Q3 distribution of the number of attacks by day of the week was similar to Q2. The safest day in DDoS terms was Sunday (10.69% of attacks), although its share was slightly up from last quarter. As previously, the statistical majority of DDoS attacks occurred on Mondays (17.53%). The only significant difference from last quarter is that the second quietest day (after Sunday) from July to September was not Friday, but Thursday (13.16%).

Distribution of DDoS attacks by day of the week, Q2 and Q3 2019

Duration and types of DDoS attacks

The longest attack this past quarter (traditionally against a Chinese ISP) lasted 11.6 days (279 hours), which is 1.8 times shorter than in Q2 (509 hours). In fairness, however, it should be noted that the longest attack of Q2 is the all-time record holder since our observations began.

Meanwhile, no global changes were seen in the summary statistics: the share of attacks lasting 140+ hours dropped by 0.01 p.p. to 0.12%. Conversely, the share of 20–139-hour attacks increased slightly, while the share of 5–9-hour attacks fell by 1.5 p.p.; the total share of the shortest attacks (lasting no more than four hours) rose just under 2 p.p. to 84.42%.

Distribution of DDoS attacks by duration (hours), Q2 and Q3 2019

The leading attack type remains SYN flooding. Its share changed inappreciably, down from 84% to 79.7%. Second place again went to UDP attacks (9.4%), while HTTP- and TCP-based attacks swapped places: whereas before HTTP flooding ranked third by frequency, it now lies in fourth place with a share of 1.7%, while the share of TCP flooding climbed to 8.7%, more than doubling against the previous quarter (3.1%). As before, ICMP flooding was in last place in Q3.

Distribution of DDoS attacks by type, Q3 2019

The share of Linux botnets continues to grow: Q3’s figure was 97.75%, while the share of Windows botnets, respectively, sank by 1.75 p.p. to 2.25%. This is not due to the growth in activity of Linux botnets, but to the decline in activity of Windows-oriented zombie networks.

Ratio of Windows/Linux botnet attacks, Q2 and Q3 2019

Botnet distribution geography

As in Q2, the US tops the leaderboard by number of C&C servers located in the country, its share increasing from 44.14% to 47.55%. In second place is the Netherlands: its share also rose — from 12.16% to 22.06%. Such solid growth could not fail to have a major impact on most of the other top-tenners. China, for instance, whose share increased by only 1.42 p.p. to 6.37%, rose from fifth to third place, pushing the UK into fourth (4.90%).

Russia also climbed up the rating into fifth position with a share of 3.92%, while Greece and South Korea slipped out. The newcomer in the Top 10, in bottom place on 1.47%, was Romania, which this quarter also appeared in the leaderboards by number of DDoS attacks and their targets.

Distribution of botnet C&C servers by country, Q3 2019

Conclusion

Statistically, Q3 2019 differs little from Q2. In terms of geographical distribution of attacks and targets, we saw a continuation of the now familiar trend of unexpected guests appearing, only to drop out the next quarter.

As for the chronological distribution of attacks, Q3 was again similar to Q2: turbulence was observed at the beginning of the quarter, with a lull in the middle and small peaks and troughs at the end. The characteristic distribution of attacks by day of the week also remained practically unchanged. The duration of the longest attack fell compared to the previous quarter, but the difference in the percentage shares of long and short attacks is barely noticeable.

All this could indicate either that the DDoS-attack market has temporarily stabilized, or that we face a statistical anomaly. The picture will become clearer upon the analysis of subsequent observations.

Titanium: the Platinum group strikes again

8 November, 2019 - 11:00

Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).

Victimology

During our research we found that the main targets of this campaign were located in South and Southeast Asia.

Introduction

The Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor as the final step. Almost every level of the system mimics known software, such as security software, software for making DVD videos, sound drivers’ software etc.

In every case the default distribution is:

  1. an exploit capable of executing code as a SYSTEM user
  2. a shellcode to download the next downloader
  3. a downloader to download an SFX archive that contains a Windows task installation script
  4. a password-protected SFX archive with a Trojan-backdoor installer
  5. an installer script (ps1)
  6. a COM object DLL (a loader)
  7. the Trojan-backdoor itself

Infection vector

We believe the Titanium APT uses local intranet websites with malicious code to start spreading.

1 – Shellcode

Another known way of spreading is the use of a shellcode that needs to be injected into a process. In this case it was winlogon.exe. Unfortunately, we don’t know how the shellcode was injected. See the shellcode description below.

2 – Wrapper DLLs

Attackers make active use of various kinds of ‘wrappers’. Each wrapper is usually a COM DLL, with the corresponding exported functions. The main purpose of these libraries is to decrypt and load an encrypted file (previously dropped somewhere) into the system memory (a payload) and then redirect calls to the wrapper itself to the payload’s exported functions.

Another type of wrapper DLL is designed to obtain a command line from its exported function argument passed by a caller and create a new process.

3 – Windows task installer (SFX archive)

This is a password-encrypted SFX archive that can be downloaded via BITS Downloader. The password is hardcoded into the downloader, which uses it to decrypt the SFX archive via the -p command line argument.

The main feature of this archive is that it contains the cURL executable code, compiled into a DLL. Its purpose is to install the Windows task to establish persistence in the infected system.

4 – Trojan-Backdoor installer (SFX archive)

The backdoor itself uses an SFX archive which must be launched from the command line using a password to unpack it. All path examples in this description are for the DVD making software. However, these notes can also be applied to any other known software paths.

5 – BITS Downloader

This component is used to download encrypted files from the C&C server then decrypt and launch them.

Shellcode description

The shellcode itself contains position-independent code and doesn’t require previously loaded libraries (except Kernel32.dll). Its sole purpose is to connect to the hardcoded C&C address, download an encrypted payload (the password-protected SFX archive), then decrypt and launch it using the hardcoded unpacking password. The usual command line is:

"rundll32 "$temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"

BITS Downloader description

The BITS Downloader is a DLL file which has only one exported function: GetVersionInfoA. The main purpose of this library is to download files in encrypted form from the C&C and launch them.

Execution sequence

The first thing the downloader does is to check whether it was started using the SYSTEM user. If it was, it launches command line arguments (that were passed to the binary loaded by the downloader DLL) using WMI.

If it wasn’t started using the SYSTEM user, the downloader passes command line arguments into the argument parser.

Argument parser

Keys and their parameters:

  • -c URL: Specifies a URL address where system information will be sent
  • -t STRING: An additional string that will be appended to a request string to the C&C
  • -u URL: Confirmation URL where the downloader will send various confirmations or request data. Possible to build in two additional confirmation URLs
  • -br GUID: Stop a payload downloading. The GUID parameter must provide a download task GUID

If one of these parameters exists, the downloader will collect information about installed antivirus products and send it to the C&C.

After that, it sends the download request to the confirmation URL. In response, the C&C sends a file that will be downloaded in the %USERPROFILE% directory.

To decrypt the downloaded file, the downloader uses an MD5 hash of the strings’ encryption key.

Confirmation URL request and file downloading

Default (hardcoded) URL: http://70.39.115.196/payment/confirm.gif

The request is a string such as:

  • http://70.39.115.196/payment/confirm.gif?f=1 (x86)
  • http://70.39.115.196/payment/confirm.gif?f=2 (x64)

Payload decryption and launch

This is the structure of the encrypted file:

typedef struct {
    byte  hash[16];         // md5 hash of the following data
    dword data_size;
    byte  data[data_size];
} enc_data;

The downloader checks the hash field against the MD5 hash it calculates over the data field, and if the hash is correct, performs the following actions:

  • Appends an extension (DLL or EXE, depending on data type)
  • Stores the downloaded file in the %TMP% folder using the name %(SystemTimeAsFileTime.dwLowDateTime).%TMP
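For triage of a captured download, the container layout described above can be checked offline. The following parser is an added example, not code from the original report; it assumes data_size is a little-endian 32-bit value and that the MD5 covers the data bytes exactly as stored, it does not attempt decryption, and the sample blob is constructed.

```python
import hashlib
import struct
from dataclasses import dataclass

# hash[16] followed by data_size; treating the dword as little-endian
# is an assumption (the report does not state the byte order).
HEADER = struct.Struct("<16sI")


class EncDataError(ValueError):
    """Raised when a blob cannot be an enc_data container."""


@dataclass(frozen=True)
class EncData:
    stored_md5: bytes   # hash[16] as found in the file
    data: bytes         # data[data_size], left exactly as stored
    trailing: int       # bytes present after the declared data

    @property
    def hash_ok(self) -> bool:
        return hashlib.md5(self.data).digest() == self.stored_md5


def parse_enc_data(blob: bytes) -> EncData:
    """Split a blob into the three enc_data fields, rejecting bad sizes."""
    if len(blob) < HEADER.size:
        raise EncDataError("shorter than the 20-byte header")
    stored_md5, data_size = HEADER.unpack_from(blob)
    available = len(blob) - HEADER.size
    if data_size == 0:
        raise EncDataError("data_size is zero")
    if data_size > available:
        raise EncDataError(
            f"data_size {data_size} exceeds the {available} bytes present")
    data = blob[HEADER.size:HEADER.size + data_size]
    return EncData(stored_md5, data, available - data_size)


def triage(blob: bytes) -> str:
    """One-line verdict suitable for a carving or sandbox pipeline."""
    try:
        rec = parse_enc_data(blob)
    except EncDataError as exc:
        return f"not enc_data: {exc}"
    if not rec.hash_ok:
        return "layout fits but MD5 mismatch"
    note = f", {rec.trailing} trailing bytes" if rec.trailing else ""
    return f"valid enc_data, {len(rec.data)} data bytes{note}"


def build_sample(data: bytes) -> bytes:
    """Constructed input that follows the documented layout."""
    return hashlib.md5(data).digest() + struct.pack("<I", len(data)) + data


if __name__ == "__main__":
    good = build_sample(b"\x8f" * 64)          # constructed, not real traffic
    print(triage(good))
    print(triage(good[:-1] + b"\x00"))         # one corrupted byte
    print(triage(good[:40]))                   # truncated capture
```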

Then the downloader specifies a command line to launch the downloaded file. If the file is a DLL, the final command line will be:

"%systemroot%\system32\rundll32.exe %(SystemTimeAsFileTime.dwLowDateTime)%.TMP,-peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"

If the file is an EXE file:

%(SystemTimeAsFileTime.dwLowDateTime)%.TMP -peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw

After that, the downloader deletes itself using the following command line:

/c for /L %i in (1,1,100) do ( for /L %k in (1,1,100) do (del /f /q module_path > NUL & if not exist module_path exit /b 0))

File launching

To launch the downloaded file, the downloader uses the WMI classes Win32_ProcessStartup, Win32_Process and their methods and fields.

File downloading using BITS

To download a file, the downloader uses the BITS service and its COM interface, called IBackgroundCopyManager.

It creates a task with the name Microsoft Download, then specifies remote and local file paths and timeouts.
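The host artefacts described in this section (the rundll32 command lines, the self-deletion loop, the confirmation URL and the BITS job name) can be turned into log-hunting rules. The following is an added example, not code from the original report; the key=value log format and host names are constructed, and the regular expressions are one possible generalisation of the strings shown above.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

RULES = {
    # rundll32 loading a *.tmp file and being handed an export or argument
    "rundll32_loads_tmp": re.compile(
        r'rundll32(?:\.exe)?"?\s+"?[^",]*?\.tmp"?\s*,\s*\S+', re.I),
    # "-p<password>" immediately followed by "-t <long alphanumeric id>"
    "password_then_long_t_arg": re.compile(
        r'-p\S+\s+-t\s+[0-9a-z]{30,}\b', re.I),
    # nested 100 x 100 retry loop that deletes a module until it is gone
    "self_delete_loop": re.compile(
        r'for\s+/L\s+%+\w\s+in\s+\(1,1,100\).*del\s+/f\s+/q.*'
        r'if\s+not\s+exist.*exit\s+/b', re.I),
    # BITS job created with the display name given in the report
    "bits_job_named_microsoft_download": re.compile(
        r'\bname="Microsoft Download"', re.I),
    # confirmation request with the architecture selector f=1 / f=2
    "confirm_gif_request": re.compile(
        r'/payment/confirm\.gif\?f=[12]\b', re.I),
}

# Constructed log lines in a made-up "host=<name> <event>" format.
SAMPLE_LOG = r'''
host=WS01 proc cmdline=rundll32 "C:\Users\a\AppData\Local\Temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw
host=WS01 bits job_created name="Microsoft Download"
host=WS01 http GET http://70.39.115.196/payment/confirm.gif?f=2
host=WS01 proc cmdline=C:\Windows\system32\rundll32.exe 2891374650.TMP,-peuwewh383eg -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw
host=WS01 proc cmdline=cmd.exe /c for /L %i in (1,1,100) do ( for /L %k in (1,1,100) do (del /f /q C:\Users\a\x.dll > NUL & if not exist C:\Users\a\x.dll exit /b 0))
host=WS02 proc cmdline=rundll32.exe shell32.dll,Control_RunDLL desk.cpl
host=WS02 bits job_created name="Chrome Component Updater"
host=WS03 proc cmdline=rundll32.exe "C:\Temp\setup.tmp",Install
host=WS03 proc cmdline=cmd.exe /c del /f /q C:\Temp\old.log
'''

_LINE = re.compile(r'^host=(\S+)\s+(.*)$')


class Hit(NamedTuple):
    host: str
    rule: str
    line_no: int


def scan(lines: Iterable[str]) -> List[Hit]:
    """Apply every rule to every parsable log line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = _LINE.match(line.strip())
        if not m:
            continue
        host, event = m.groups()
        for name, rx in RULES.items():
            if rx.search(event):
                hits.append(Hit(host, name, line_no))
    return hits


def correlate(hits: Iterable[Hit], min_rules: int = 2) -> Dict[str, List[str]]:
    """Keep hosts where several distinct rules fired.

    A single rule (for example rundll32 loading a .tmp file) is weak on
    its own; the staged chain described in the report leaves several
    of these traces on the same machine.
    """
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit.host].add(hit.rule)
    return {host: sorted(rules)
            for host, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for host, rules in correlate(scan(SAMPLE_LOG.splitlines())).items():
        print(host, rules)
```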

Windows task installation (SFX archive with cURL)

It contains:

  • p.bat: Launches cURL and obfuscated ps1 scripts
  • c.dll: cURL executable compiled as a DLL (7.50.3)
  • f1.ps1: Will be executed after the first request to the C&C; decrypts x.dat
  • f2.ps1: Will be executed after the second request to the C&C; decrypts b.dat
  • e.ps1: Contains code that calculates a string for the Authorization field of the HTTP header
  • h.ps1: Gets information about the system proxy settings
  • e.dll: A DLL file with a single exported function; calls CreateProcessA

It downloads:

  • Source file x.dat, downloaded and decrypted file u.xml: AES-encrypted file (see f1.ps1 for decryption algorithm)
  • Source file b.dat, downloaded and decrypted file i.bat: AES-encrypted file (the same decryption algorithm)

The result:

  • i.bat: Performs Windows task installation

When a caller (previous step) executes this archive, it must specify two arguments:

  • -pKEY: Argument with a key to unpack the SFX archive
  • -t ACCEPTANCE_ID_STRING: Argument with a long string – AcceptanceID (used in requests to the C&C)

p.bat

It launches the h.ps1 script to get information about system-wide proxy settings. After that it launches the e.ps1 script to calculate the SystemID that will be used in requests to the C&C.

To send a request, it uses c.dll (which is cURL and has an exported function called DllGetClassObject).

Request 1

Command line arguments:

Where:

  • %pp%: System-wide proxy
  • %output%: SystemID
  • %p3%: AcceptanceID

This request downloads the x.dat file, and the f1.ps1 script decrypts it into u.xml. After that it launches the next request.

Request 2

Command line arguments:

It downloads the b.dat file, and the f2.ps1 script decrypts it into i.bat (using the same decryption algorithm).

Task installation

After that, it launches the following command line to install the persistence task:

The i.bat file uses the previously decrypted u.xml file as the task description.

Trojan-backdoor installer

The archive unpacks its files into the following folder (in the case of DVD making software):

The archive itself contains:

  • BabyBoyStyleBackground.wmv: Configuration data
  • DvDupdate.dll: Trojan-backdoor loader
  • nav_downarrow.png: Trojan-backdoor
  • psinstrc.ps1: Loader installation script

In the case of the audio drivers software mimic, it differs only in its installation method compared to DVD making software: the ps1 script uses two known CLSIDs to replace their COM DLL paths with malicious ones.

psinstrc.ps1

This is the installer script that registers DvDupdate.dll as the ‘DVDMaker Help’ service, and sets its entry point as the DllGetClassObject name. It requires admin privileges to be executed correctly.

The script contains configurable parameters, so it’s easy to change any of the required parameters for different systems.

There are two ways the loader can be installed:

  • System service, with the DllGetClassObject exported function as the ServiceMain function
  • COM object, by replacing an existing CLSID registry path with its own

DvDupdate.dll

This is a service DLL, but with all the same exports you would expect from a COM object. Basically, it’s a payload loader.

The whole code is obfuscated with different Windows API calls and loops. It wasn’t designed to confuse a reverse engineer or to make reverse engineering harder, but to bypass some simple AV emulation engines.

The first exported function for every COM object is DllGetClassObject.

DllGetClassObject

The loader creates a thread that decrypts the payload, restores its PE and MZ headers, and then loads it into memory and launches it. The payload is encrypted with AES 256 CBC. The decryption key is hardcoded along with other encrypted strings. The stored payload doesn’t contain the ‘MZ’ and ‘PE’ tags, which allows it to bypass simple AV engines. After initializing the payload, the loader calls its function with ordinal 1.

nav_downarrow.png

The payload, with backdoor functionality, is a DLL file. The malware functionality is in the first exported entry only.

nav_downarrow.png – Ordinal 1 (Trojan-backdoor main function)

The first thing that it does is decrypt the other encrypted binary (containing configuration data) from the SFX content:

The configuration itself is divided into blocks, and every block has its own index. The payload uses these indices to get a specific item. The configuration contains:

  • the C&C address
  • traffic encryption key
  • the UserAgent string
  • other less important parameters

Execution thread

The execution thread is responsible for receiving commands from the C&C server and sending responses. It contains an execution loop that starts by reading configuration item #00 to get the C&C address.

Initializing C&C communication

To initialize the connection to the C&C, the payload sends a base64-encoded request that contains a unique SystemID, computer name, and hard disk serial number. After that, the malware starts receiving commands.

Receiving commands

To receive commands from the C&C, the payload sends an empty request to the C&C. It uses the UserAgent string from the configuration and a special cookie generation algorithm to prepare a request. The malware can also get proxy settings from Internet Explorer.

In response to this request, the C&C answers with a PNG file that contains steganographically hidden data. This data is encrypted with the same key as the C&C requests. The decrypted data contains backdoor commands and arguments for them.

Examples of PNG files:

C&C command processor (command descriptions)

The backdoor can accept many different commands, with the following among the most interesting:

  • Read any file from a file system and send it to the C&C
  • Drop or delete a file in the file system
  • Drop a file and run it
  • Run a command line and send execution results to the C&C
  • Update configuration parameters (except the AES encryption key)
  • Interactive mode – allows the attacker to receive input from console programs and send their output to the C&C

Conclusions

The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.

Regarding campaign activity, we have not detected any current activity related to the Titanium APT.

DarkUniverse – the mysterious APT framework #27

5 November, 2019 - 11:00

In April 2017, ShadowBrokers published their well-known ‘Lost in Translation’ leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system.

In 2018, we found an APT described as the 27th function of this script, which we call ‘DarkUniverse’. This APT was active for at least eight years, from 2009 until 2017. We assess with medium confidence that DarkUniverse is a part of the ItaDuke set of activities due to unique code overlaps. ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server URLs.

Technical details

Infection vector

Spear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their attention and prompt them to open an attached malicious Microsoft Office document.

Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable. Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones, so the current report details only the latest available version of the malware used until 2017.

The executable file embedded in the documents extracts two malicious files from itself, updater.mod and glue30.dll, and saves them in the working directory of the malware – %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Reorder.

After that, it copies the legitimate rundll32.exe executable into the same directory and uses it to run the updater.mod library.

The updater.mod module

This module is implemented as a dynamic-link library with only one exported function, called callme@16. This module is responsible for such tasks as providing communication with the C2 server, providing the malware integrity and persistence mechanism and managing other malware modules.

The persistence mechanism is provided by a link file, which is placed by updater.mod into the startup folder, ensuring malware execution after a reboot. If the link file becomes corrupted, the updater.mod module restores it.

Communication with C2

In this campaign the C2 servers were mostly based on cloud storage at mydrive.ch. For every victim, the operators created a new account there and uploaded additional malware modules and a configuration file with commands to execute it. Once executed, the updater.mod module connected to the C2 and performed the following actions:

  • downloaded the command file to the working directory;
  • uploaded files collected and prepared by additional malicious modules (if any) to the C2. These files were located in a directory called ‘queue’ or ‘ntfsrecover’ in the working directory. Files in this directory could have one of two extensions: .d or .upd depending on whether they had already been uploaded to the server or not.
  • downloaded additional malware modules:
    • dfrgntfs5.sqt – a module for executing commands from the C2;
    • msvcrt58.sqt – a module for stealing mail credentials and emails;
    • zl4vq.sqt – legitimate zlib library used by dfrgntfs5;
    • %victim_ID%.upe – optional plug-in for dfrgntfs5. Unfortunately, we were unable to obtain this file.

All malware modules are encrypted with a custom algorithm:

The credentials for the C2 account are stored in the configuration that is placed in the registry, but the updater.mod module also stores a copy as an encrypted string in the executable file. Also, the configuration specifies how often updater.mod polls the C2, supporting both an active mode and a partly active mode.

Malware configuration in the registry

The malware configuration is stored in the registry in the SOFTWARE\AppDataLow\GUI\LegacyP entry. Different values are detailed in the following table:

  • C1: C2 domain.
  • C2: C2 domain path.
  • C3: C2 credential username.
  • C4: C2 credential password.
  • install: 1 if malware is installed.
  • TL1: DESACTIVAR | HABILITAR – specifies whether msvcrt58 and glue libraries are active.
  • TL2, TL3: If TL1 is not NULL, it specifies time bounds when TL1 option is applied.
  • “kl”: If 1, updater.mod should download msvcrt58.sqt from C2 again.
  • “re”: If 1, updater.mod should download dfrgntfs5.sqt from C2 again.
  • “de”: If not 0, framework should uninstall itself.
  • “cafe”: REDBULL | SLOWCOW specifies how often updater.mod polls C2.
  • “path”: Path to the folder from which files are being sent to C2.
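The registry layout above lends itself to a hunting check over exported hives. The following is an added example, not code from the original report; it assumes LegacyP is a key holding the listed values, matches it under any hive, accepts either string or dword value types, and runs on a constructed .reg export with placeholder values.

```python
import re
from typing import Dict, List, Union

Value = Union[str, int]

KEY_SUFFIX = r"software\appdatalow\gui\legacyp"
KNOWN_VALUES = {"C1", "C2", "C3", "C4", "install", "TL1", "TL2", "TL3",
                "kl", "re", "de", "cafe", "path"}
CREDENTIAL_VALUES = {"C3", "C4"}   # reported by name only, never echoed

# Constructed export; every value below is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\AppDataLow\GUI\LegacyP]
"C1"="storage.example.invalid"
"C2"="/remote/"
"C3"="user-placeholder"
"C4"="password-placeholder"
"install"="1"
"TL1"="HABILITAR"
"cafe"="SLOWCOW"
"de"=dword:00000000
"path"="C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Reorder\\queue"

[HKEY_CURRENT_USER\SOFTWARE\AppDataLow\GUI]
"Unrelated"="x"
'''

_SECTION = re.compile(r'^\[(.+)\]$')
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text: str) -> str:
    # .reg string data escapes backslash and quote with a backslash
    return re.sub(r'\\(.)', r'\1', text)


def _decode(raw: str) -> Value:
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw                      # other types are kept verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse the key sections and named values of a .reg export."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        section = _SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = _VALUE.match(line)
        if value and current is not None:
            current[_unescape(value.group(1))] = _decode(value.group(2))
    return keys


def assess(keys: Dict[str, Dict[str, Value]]) -> List[dict]:
    """Report every LegacyP key that carries documented value names."""
    findings = []
    for key, values in keys.items():
        names = set(values)
        if not key.lower().endswith(KEY_SUFFIX) or not (KNOWN_VALUES & names):
            continue
        cafe = values.get("cafe")
        if cafe in (1, "1", "REDBULL"):
            polling = "active"
        elif cafe in (0, "0", "SLOWCOW"):
            polling = "slow"
        else:
            polling = "unknown"
        findings.append({
            "key": key,
            "present": sorted(KNOWN_VALUES & names),
            "confidence": "high" if {"C1", "C2", "C3", "C4"} <= names else "medium",
            "c2_location": f'{values.get("C1", "")}{values.get("C2", "")}',
            "polling": polling,
            "uninstall_pending": values.get("de") not in (None, 0, "0", ""),
            "upload_path": values.get("path"),
            "redacted": sorted(CREDENTIAL_VALUES & names),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(parse_reg(SAMPLE_REG)):
        print(finding)
```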

 

Modules glue30.dll and msvcrt58.sqt

The glue30.dll malware module provides keylogging functionality. The updater.mod module uses the Win API function SetWindowsHookExW to install hooks for the keyboard and to inject glue30.dll into processes that get keyboard input. After that, glue30.dll loads and begins intercepting input in the context of each hooked process.

The msvcrt58.sqt module intercepts unencrypted POP3 traffic to collect email conversations and victims’ credentials. This module looks for traffic from the following processes:

  • outlook.exe;
  • winmail.exe;
  • msimn.exe;
  • nlnotes.exe;
  • eudora.exe;
  • thunderbird.exe;
  • thunde~1.exe;
  • msmsgs.exe;
  • msnmsgr.exe.

The malware parses intercepted POP3 traffic and sends the result to the main module (updater.mod) for uploading to the C2. This is done by hooking the following network-related Win API functions:

  • ws2_32.connect;
  • ws2_32.send;
  • ws2_32.recv;
  • ws2_32.WSARecv;
  • ws2_32.closesocket.

 

The dfrgntfs5.sqt module

This is the most functional component of the DarkUniverse framework. It processes an impressive list of commands from the C2, which are listed in the following table.

  • VER: Sends malware version to server.
  • DESINSTALAR: Uninstalls itself.
  • PANTALLA: Takes screenshot of the full screen and saves it to the \queue folder.
  • CAN_TCP, CAN_HTTP, CAN_HTTPS: Injects a shellcode into IE that establishes a direct connection with the C2, downloads additional code, sends info about the download results to the C2 and executes the downloaded code.
  • MET_TCP, MET_HTTPS: Also injects a shellcode into IE. The only difference with the previous command set is that in this case the shellcode doesn’t send any additional info to the C2 – it only establishes the connection, downloads additional code and executes it.
  • CAN_HTTP_LSASS: Injects the same shellcode as in the case of CAN_HTTP into the LSASS.exe process.
  • SCAN/STOPSCAN: Starts/stops network scan. Collects lots of different info about the local network.
  • CREDSCAN: Brute-forces IP range with specified username and password.
  • ACTUALIZAR: Updates dfrgntfs5.sqt.
  • ACTUALIZARK: Updates msvcrt58.sqt.
  • SYSINFO: Collects full system info.
  • REDBULL: Sets cafe flag to 1 – active.
  • SLOWCOW: Sets cafe flag to 0 – slow mode.
  • X: Runs specified process and logs its output, then prepares this output log for uploading to the C2.
  • T: Obtains list of files from a specific directory.
  • TAUTH: Obtains list of files of remote server if specified credentials are valid.
  • G: Sends a file to the C2.
  • GAUTH: Downloads a particular file from a shared resource if specified credentials are valid.
  • SPLIT: Splits file into 400 KB parts and uploads them to the C2.
  • FLUSH: Sends file with the data collected by all components that day and deletes it.
  • C1 – C4: Sets the C2 in its configuration in the registry (C1-C4).
  • TL1 – TL3: Sets the active state in its configuration in the registry (T1-T3).
  • ONSTART: Sets process to be started every malware startup.
  • CLEARONSTART: Undoes previous ONSTART command.
  • ARP: Runs unavailable ARP module (uncparse.dll – unavailable). This module stores data in a file internally named arpSniff.pcap.
  • AUTO: Automatically looks for updates of predefined files.
  • MANUAL: Files in the specified directory are searched using the * .upd pattern, all found files are deleted.
  • REGDUMP: Collects information from the registry.
  • PWDDUMP: Collects and decrypts credentials from Outlook Express, Outlook, Internet Explorer, Windows Mail and Windows Live Mail, Windows Live Messenger, and also Internet Cache.
  • LOGHASH: Injects process into lsass.exe and starts collecting password hashes in the file checksums.bk.
  • SENDLOGHASH: Sends collected lsass.exe process password hashes to the C2.
  • PROXYINFO: Checks if credentials for proxy are valid.
  • DHCP: Sets DHCP settings for local machine.
  • DNS: Sets DNS settings for local machine.
  • FAKESSL: Provides basic MITM functionality.

 

Victimology

We recorded around 20 victims geolocated in Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates. The victims included both civilian and military organizations. We believe the number of victims during the main period of activity between 2009 and 2017 was much greater.

Conclusions

DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch. Due to unique code overlaps, we assume with medium confidence that DarkUniverse’s creators were connected with the ItaDuke set of activities. The attackers were resourceful and kept updating their malware during the full lifecycle of their operations, so the observed samples from 2017 are totally different from the initial samples from 2009. The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations.

Appendix I – Indicators of Compromise

MD5 Hashes

A full set of IOCs, including YARA rules, is available to customers of the Kaspersky Intelligence Reporting service. For more information, contact intelreports@kaspersky.com

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

1 November, 2019 - 17:00

Executive summary

Kaspersky Exploit Prevention is a component of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google’s Chrome browser. We promptly reported this to the Google Chrome security team. After reviewing the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux and we recommend that all Chrome users update to this latest version as soon as possible! You can read more in Google’s bulletin.

Kaspersky endpoint products detect the exploit with the help of the exploit prevention component. The verdict for this attack is Exploit.Win32.Generic.

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.

More details about CVE-2019-13720 and recent DarkHotel false flag attacks are available to customers of Kaspersky Intelligence Reporting. For more information, contact: intelreports@kaspersky.com.

Technical details

The attack leverages a waterhole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted in the main page, which in turn loads a profiling script from a remote site.

Redirect to the exploit landing page

The main index page hosted a small JavaScript tag that loaded a remote script from hxxp://code.jquery.cdn.behindcorona[.]com/.

The script then loads another script named .charlie.XXXXXXXX.js. This JavaScript checks if the victim’s system can be infected by performing a comparison with the browser’s user agent, which should run on a 64-bit version of Windows and not be a WOW64 process; it also tries to get the browser’s name and version. The exploit targets a bug in the Google Chrome browser, and the script checks if the version is greater than or equal to 65 (current Chrome version is 78):

Chrome version checks in the profiling script (.charlie.XXXXXXXX.js)

If the browser version checks out, the script starts performing a number of AJAX requests to the attacker’s controlled server (behindcorona[.]com) where a path name points to the argument that is passed to the script (xxxxxxx.php). The first request is necessary to obtain some important information for further use. This information includes several hex-encoded strings that tell the script how many chunks of the actual exploit code should be downloaded from the server, as well as a URL to the image file that embeds a key for the final payload and RC4 key to decrypt these chunks of the exploit’s code.

Exploitation chain – AJAX requests to xxxxxxx.php

After downloading all the chunks, the RC4 script decrypts and concatenates all the parts together, which gives the attacker a new JavaScript code containing the full browser exploit. To decrypt the parts, the previously retrieved RC4 key is used.

One more version check

The browser exploit script is obfuscated; after de-obfuscation we observed a few peculiar things:

  1. Another check is made against the user agent’s string – this time it checks that the browser version is 76 or 77. It could mean that the exploit authors have only worked on these versions (a previous exploitation stage checked for version number 65 or newer) or that other exploits have been used in the past for older Chrome versions.

    Obfuscated exploit code

  2. There are a few functions that operate on the browser’s built-in BigInt class, which is useful for doing 64-bit arithmetic inside JavaScript code, for example, to work with native pointers in a 64-bit environment. Usually, exploit developers implement their own functions for doing this by working with 32-bit numbers. However, in this case, BigInt is used, which should be faster because it’s implemented natively in the browser’s code. The exploit developers don’t use all 64 bits here, but instead operate on a smaller range of numbers. This is why they implement a few functions to work with higher/lower parts of the number.

    Snippet of code to work with 64-bit numbers

  3. There are many functions and variables that are not used in the actual code. This usually means that they were used for debugging code and were then left behind when the code was moved to production.
  4. The majority of the code uses several classes related to a certain vulnerable component of the browser. As this bug has still not been fixed, we are not including details about the specific vulnerable component here.
  5. There are a few big arrays with numbers that represent a shellcode block and an embedded PE image.
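For exposure triage from proxy or web-gateway logs, the two version checks and the fixed release named in this article can be applied to recorded user agents. This is an added example, not code from the attack or from the original article; mapping "64-bit Windows and not WOW64" to the Win64/x64 and WOW64 user-agent tokens is an assumption, and the sample rows and host names are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

FIXED_VERSION = (78, 0, 3904, 87)   # release named in the article
_CHROME = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")

_WIN64 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
_WOW64 = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "

# Constructed (host, user agent) rows.
SAMPLE_ROWS = [
    ("pc-01", _WIN64 + "Chrome/77.0.3865.120 Safari/537.36"),
    ("pc-02", _WIN64 + "Chrome/78.0.3904.70 Safari/537.36"),
    ("pc-03", _WIN64 + "Chrome/78.0.3904.87 Safari/537.36"),
    ("pc-04", _WOW64 + "Chrome/76.0.3809.132 Safari/537.36"),
    ("pc-05", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"),
]


def classify(user_agent: str) -> str:
    """Place one user agent relative to the checks described in the text."""
    match = _CHROME.search(user_agent)
    if not match:
        return "not-chrome"
    version = tuple(int(part) for part in match.groups())
    if version >= FIXED_VERSION:
        return "patched"
    # Assumption: the 64-bit / non-WOW64 test corresponds to these tokens.
    win64 = ("Windows NT" in user_agent
             and ("Win64" in user_agent or "x64" in user_agent)
             and "WOW64" not in user_agent)
    if win64 and version[0] in (76, 77):
        return "matches-both-checks"        # profiling script and exploit script
    if win64 and version[0] >= 65:
        return "matches-first-check-only"   # profiled, exploit script declines
    return "unpatched-other"                # vulnerable build, outside the profile


def prioritise(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by classification so patching can be ordered."""
    buckets: Dict[str, List[str]] = {}
    for host, user_agent in rows:
        buckets.setdefault(classify(user_agent), []).append(host)
    return {label: sorted(hosts) for label, hosts in buckets.items()}


if __name__ == "__main__":
    for label, hosts in prioritise(SAMPLE_ROWS).items():
        print(f"{label}: {', '.join(hosts)}")
```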

The analysis we have provided here is deliberately brief due to vulnerability disclosure principles. The exploit used a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free (UaF) condition that is very dangerous because it can lead to code execution scenarios, which is exactly what happens in our case.

The exploit first tries to trigger UaF to perform an information leak about important 64-bit addresses (as a pointer). This results in a few things: 1) if an address is leaked successfully, it means the exploit is working correctly; 2) a leaked address is used to know where the heap/stack is located and that defeats the address space layout randomization (ASLR) technique; 3) a few other useful pointers for further exploitation could be located by searching near this address.

After that it tries to create a bunch of large objects using a recursive function. This is done to make some deterministic heap layout, which is important for a successful exploitation. At the same time, it attempts to utilize a heap spraying technique that aims to reuse the same pointer that was freed earlier in the UaF part. This trick could be used to cause confusion and give the attacker the ability to operate on two different objects (from a JavaScript code perspective), though in reality they are located in the same memory region.

The exploit attempts to perform numerous operations to allocate/free memory along with other techniques that eventually give the attackers an arbitrary read/write primitive. This is used to craft a special object that can be used with WebAssembly and FileReader together to perform code execution for the embedded shellcode payload.

First stage shellcode

Payload description

The final payload is downloaded as an encrypted binary (worst.jpg) that is decrypted by the shellcode.

Encrypted payload – worst.jpg

After decryption, the malware module is dropped as updata.exe to disk and executed. For persistence the malware installs tasks in Windows Task Scheduler.

The payload ‘installer’ is a RAR SFX archive, with the following information:

File size: 293,403
MD5: 8f3cd9299b2f241daf1f5057ba0b9054
SHA256: 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd

The archive contains two files:

File name: iohelper.exe
MD5: 27e941683d09a7405a9e806cc7d156c9
SHA256: 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48

File name: msdisp64.exe
MD5: f614909fbd57ece81d00b01958338ec2
SHA256: cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb

Both files were compiled at the same time, which if we are to believe the timestamp, was “Tue Oct 8 01:49:31 2019”.
The main module (msdisp64.exe) tries to download the next stage from a hardcoded C2 server set. The next stages are located on the C2 server in folders with the victim computer names, so the threat actors have information about which machines were infected and place the next stage modules in specific folders on the C2 server.

More details about this attack are available to customers of Kaspersky Intelligence Reporting. For more information, contact: intelreports@kaspersky.com.

IoCs

The cake is a lie! Uncovering the secret world of malware-like cheats in video games

1 November, 2019 - 11:00

In 2018, the video game industry became one of the most lucrative in the world, generating $43.4 billion in revenue within the United States alone. When we consider that video game licenses are only a fraction of the total market, it becomes clear just how important the industry is compared to the movie and music industries, for example. Moreover, conservative estimates put global revenue for the gaming industry at over $130 billion for the past year, placing it ahead of Hollywood and the blockbusters premiering worldwide.

An entire ecosystem has sprung up around the gaming industry, electronic sports, or eSports, being one of the main attractions for audiences eager to watch teams or individuals play against each other in tournaments broadcast on cable television. With nearly 400 million viewers each year, and more being added via streaming platforms such as Twitch or Mixer, eSports and the mainstream media have found a balance between both worlds, recognizing that there’s huge business potential in these competitions.

With crowdfunded prizes that have reached $30 million, eSports brings together teams from all over the world to compete in different multiplayer games.

Stereotypes and urban myths would have you believe video games are only played by a certain type of individual, but recent research presented by ESA (Entertainment Software Association) indicates that in the US the average gamer is 34 years old, and women make up 45% of the gaming demographic. Currently, one of the main factors when deciding which video game to purchase is the online gameplay capability, a feature that provides players with a competitive arena to test their abilities against equally ranked opponents and enables developers and publishers to charge a subscription fee.

While difficult to understand for some, the popularity of video games is no accident. Designers specifically craft rewards systems that keep the players hooked long enough until they can receive their next ‘hit.’ Online worlds provide the novelty that humans seek, all within a controlled environment that anyone can join on demand. While the psychology involved in creating an addictive video game is outside the scope of this research, it’s important to understand why these virtual worlds present such a fragile equilibrium that can easily be broken when players seek to gain an unfair advantage over their opponents.

Usually sold in a subscription model, private cheats can cost anything from 10 to several hundred dollars, exceeding a game’s original retail price several fold.

Although cheats in video games have been around since the early days of the industry, it wasn’t until cheat codes appeared that they attracted the attention of enthusiasts wanting to make their gaming sessions easier or harder, depending on the cheat used. A popular cheat named the Konami Code, developed by Kazuhisa Hashimoto while porting the game Gradius to the NES (Nintendo Entertainment System) in 1986, is considered one of the first of its kind. This code enabled the developer to lower the game’s difficulty by giving the player additional resources, making testing of the game much easier. A lot has happened since those days, and we can now encounter cheats that demonstrate malware-like behavior, using anti-detection techniques and evasion features that rival those used in rootkits and implants found in advanced persistent threats.

This paper will address the following questions, inspired by the Five Ws investigative methodology:

  • What is video game cheating? How does it affect the video game industry and other players?
  • Why do individuals cheat? Is there a virtual economy around trading cheats? If so, how big is it?
  • Who is developing cheats and who is using them? What types of cheats currently exist?
  • When and where are cheats used? Can these programs be profiled or detected? What techniques can be used?
  • How do cheats work? How do they avoid detection by developers and publishers? Is there really an arms race between two sides in the video game world?

Read the full report (PDF) to discover the answers.

Steam-powered scammers

28 October, 2019 - 11:00

Digital game distribution services have not only simplified the sale of games themselves, but also provided developers with additional monetization levers. For example, in-game items, such as skins, equipment, and other character-enhancing elements, as well as those that help one show off, can be sold for real money. Users themselves can also sell items to each other, with the rarest fetching several thousand dollars. And where there’s money, there’s fraud. Scammers try to get hold of login details to “strip” the victim’s characters and sell off their hard-earned items for a juicy sum.

One of the most popular platforms among users (and hence cybercriminals) is Steam, and we’ve been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated.


Steam phishing attacks, January 2019 – September 2019

It all starts with an online store

Like many others, the scam we uncovered is phishing-based. Attackers lure users to websites that mimic or copy online stores — in this case, the ones linked to Steam — that sell in-game items. The fake resources are high-quality and it is really hard, sometimes even impossible, to distinguish them from the real thing. Such phishing sites:

  • Are very well implemented, no matter if copied or made from scratch
  • Have a security certificate and support HTTPS
  • Issue a warning about the use of cookies
  • Provide some links to the original website (that go nowhere when clicked)

The longer a user spends on the site, the more likely they are to spot something odd. Therefore the scammers do not want users to stay long, and phishing sites get down to business very quickly: on clicking any link, the user immediately sees a window asking for their Steam login and password. By itself, this might not raise a red flag. The practice of logging into a service through another account (Facebook, Google, etc.) is quite common, and Steam accounts can likewise be used to log into third-party resources. All the more so since the supposed trading platform requires access to the user’s account to obtain data on what items they have.

The fake login/password window is very similar to the real one: the address bar contains the correct URL of the Steam portal, the page has an adaptive layout, and if the user opens the link in another browser with a different interface language, the content and title of the fake page change in accordance with the new “locale.”

However, right-clicking on the title of this window (or control elements) displays the standard context menu for web pages, and selecting “view code” exposes the window as a fake, implemented using HTML and CSS:

In one example, the username and password are transferred using the POST method through an API on another domain that also belongs to scammers.

The fake login form is given extra credence by the fact that the entered data is verified using the original services. On entering the wrong login and password, the user is shown an error message:

When a valid login and password pair is entered, the system requests a two-factor authorization code that is sent by email or generated in the Steam Guard app. Obviously, the entered code is also forwarded to the scammers, who gain full control over the account as a result:

Other varieties

Besides creating “complex” login windows using HTML and CSS, cybercriminals also employ the good old trick of a fake form in a separate window, but with an empty address value. Although the window display method is different, the operating principle is the same as above. The form verifies the entered data, and if the login and password match, it prompts the victim to enter a two-factor authorization code.

How to stay protected

The main tips for guarding against this and similar scams are essentially no different to those for identifying “ordinary” phishing sites. Look carefully at the address bar and its contents. In our example, it contained the correct URL, but less sophisticated variants are more common — for example, the website address might not match the store name, or display the words “about:blank”.

Pay close attention to login forms on “external” resources. Right-click on the title bar of the window containing the form, or try to drag it outside the main browser window to make sure it’s not fake. Besides, if you suspect that the login window is not real, open the Steam main page in a new browser window and log into your account from there. Then go back to the suspicious login form and refresh the page. If it’s real, a message will appear saying that you’re already logged in.

If everything seems normal, but something still arouses suspicion, check the domain using WHOIS. Genuine companies do not register domains for short periods and do not hide their contact details. Lastly, activate two-factor authentication through Steam Guard, follow Steam’s own recommendations, and use a security solution with anti-phishing technology.
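Two of the tells described above, an address bar that is merely drawn in HTML while showing the Steam URL, and credentials sent by POST to another domain, can also be checked mechanically on a saved copy of a suspicious page. The following is an added example, not code from the original article; the trusted host list, the sample markup and the example domains are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_LOGIN_HOSTS = {"steamcommunity.com", "store.steampowered.com"}  # assumed
URL_TEXT = re.compile(r"https?://([a-z0-9.-]+)", re.I)

class LoginFormAudit(HTMLParser):
    """Records password forms and any URLs the page renders as visible text."""
    def __init__(self):
        super().__init__()
        self.form_action = None    # action of the <form> currently open
        self.password_forms = []   # action of every form holding a password input
        self.shown_hosts = set()   # hosts that appear in visible text
        self._hidden = False       # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._hidden = tag in ("script", "style")  # their text is never rendered
        if tag == "form":
            self.form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_forms.append(self.form_action or "")

    def handle_endtag(self, tag):
        self._hidden = False
        if tag == "form":
            self.form_action = None

    def handle_data(self, data):
        if not self._hidden:
            self.shown_hosts.update(h.lower() for h in URL_TEXT.findall(data))

def audit(html, page_url):
    """Findings for a saved page; a relative form action counts as the page's host."""
    page_host = urlparse(page_url).hostname
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    targets = {urlparse(a).hostname or page_host for a in parser.password_forms}
    findings = [f"form posts to other host: {t}" for t in sorted(targets - {page_host})]
    if parser.password_forms:
        spoofed = parser.shown_hosts & TRUSTED_LOGIN_HOSTS - {page_host}
        findings += [f"drawn address bar shows {h}, page is on {page_host}" for h in sorted(spoofed)]
    return findings

# Constructed sample: a login "window" built from HTML, as the article describes.
SAMPLE = ('<div class="bar">https://steamcommunity.com/openid/login</div>'
          '<form action="https://api.example.net/auth"><input type="password"></form>')
```

An empty result only means that neither of these two tells was found; it does not vouch for the page.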