New Java and Flash Research Shows a Dangerous Update Gap

Today we’re continuing our Java security research series by analyzing other plug-ins, browser extensions and rich internet applications that are commonly exploited.

 

Our previous research indicated that the current state of Java affairs isn’t pretty. At that time, ninety-three percent of enterprises were vulnerable to known Java exploits, and nearly 50 percent of enterprise traffic used a Java version that was more than two years out of date. Through Websense ThreatSeeker Intelligence Cloud analysis we now discover:

 

  • Only 19 percent of enterprise Windows-based computers ran the latest version of Java (7u25) between August 1-29, 2013.
  • More than 40 percent of enterprise Java requests are from browsers still using outdated Java 6. As a result, more than 80 percent of Java requests are susceptible to two popular new Java exploits: CVE-2013-2473 and CVE-2013-2463.
  • 83.86 percent of enterprise browsers have Java enabled.
  • Nearly 40 percent of users are not running the most up-to-date versions of Flash.
  • In fact, nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old.

 

Our in-depth analysis ran for one month, across multiple verticals and industries. We surveyed millions of real-world web requests for Java usage through our global Websense ThreatSeeker Intelligence Cloud.
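The survey above classifies Java requests by the version the client announces. As an added example (not code from the original post), the following script does the same classification over a few constructed proxy log lines, using the "Java/1.x.y_z" token the JRE places in its User-Agent header and treating 7u25 as the current release, as the post does:

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not from the original post):
# timestamp, client IP, URL, quoted user-agent.
SAMPLE_LOG = """\
2013-08-12T09:14:02 10.0.0.11 http://intranet.example/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"
2013-08-12T09:15:40 10.0.0.12 http://intranet.example/app.jar "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_45"
2013-08-12T09:16:11 10.0.0.13 http://intranet.example/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21"
2013-08-12T09:17:55 10.0.0.14 http://intranet.example/app.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_24"
2013-08-12T09:18:03 10.0.0.15 http://www.example/ "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
"""

LATEST = (7, 25)  # Java 7u25: the current release during the survey window in the post
JAVA_UA = re.compile(r"\bJava/1\.(\d+)\.\d+_(\d+)")


def parse_java_version(user_agent):
    """Return (major, update) from a Java/1.<major>.0_<update> token, or None for non-Java clients."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(version):
    """Bucket a client version the way the post's statistics do."""
    major, update = version
    if (major, update) >= LATEST:
        return "current"
    if major < 7:
        # Java 6 is the population exposed to CVE-2013-2463 with no public patch.
        return "java6-or-older"
    return "outdated-java7"


def summarize(log_text):
    """Count Java requests per bucket and collect the clients behind each bucket."""
    counts = Counter()
    hosts = {}
    for line in log_text.splitlines():
        client = line.split()[1]
        user_agent = line.rsplit('"', 2)[1]  # the quoted trailing field
        version = parse_java_version(user_agent)
        if version is None:
            continue  # not a Java client; ignore for this inventory
        bucket = classify(version)
        counts[bucket] += 1
        hosts.setdefault(bucket, []).append((client, "1.%d.0_%d" % version))
    return counts, hosts


def outdated_share(counts):
    """Fraction of Java requests that did not come from the current release."""
    total = sum(counts.values())
    return 0.0 if total == 0 else (total - counts["current"]) / total


if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_LOG)
    print(dict(counts), "outdated share: %.0f%%" % (100 * outdated_share(counts)))
    for bucket, clients in hosts.items():
        print(bucket, clients)
```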

 

New Java Exploits and the Neutrino Exploit Kit

New Java exploits CVE-2013-2473 and CVE-2013-2463 are already making a big impact by targeting computers running outdated versions of Java. It’s clear the cybercriminals know there is a Java update problem for many organizations.

 

For example, Websense ThreatSeeker Intelligence Cloud noticed an uptick in new hosts running the Neutrino exploit kit in the first and second weeks of August 2013. This could be attributed to Neutrino’s addition of Java-based code execution exploits including CVE-2013-2463, which is based on AWT/2D vulnerabilities and affects all Java 6 users (tip of the hat to F-Secure). Typically associated with ransomware payloads, Neutrino is best known for its easy-to-use control panel and features that evade AV and IPS systems.

 

Forty percent of Java 6 users are vulnerable to these new exploits and there are no software patches in sight. Effective exploit kit delivery mechanisms, such as Neutrino, and unpatched vulnerabilities targeting Java 6 create a significant challenge for organizations that have not updated to Java 7.

 

On the positive side, our updated numbers show that enterprise IT is pushing out more Java updates. Earlier this year, 70 percent of Java requests came from Java 6 users. That figure has decreased to 40 percent.

 

Check out this previous blog post on how Java plays a part within the Seven Stages of Advanced Attacks, and our advice on Java remediation steps in this post.

 

Don’t Forget About Flash

Remember, just a few years ago, Flash was a primary attack vector. As our research above indicates, nearly 40 percent of users are not running the most up-to-date versions of Flash. In the last three months, five security patches have been released for Flash, and that number leaps to 26 over the course of the last year.

 

This is exactly why real-time security models are absolutely essential. Even the best patch management and traditional security tools simply cannot keep up with the ongoing barrage of zero-day attacks and exploit kits being created.

 

We’ll keep you posted as we conduct ongoing and future research on these critical systems and programs. Stay tuned for the latest research and information on how to mitigate these threats in future posts.

 

The Tibetan Alliance of Chicago hit by cyber waterholing attack

Websense Security Labs™ ThreatSeeker® Intelligence Cloud has detected that the website of the Tibetan Alliance of Chicago has been compromised to serve malicious code.

 

In the last two days, the BBC website reported news about a waterholing attack against the Central Tibetan Administration website. Over the last two years, attacks like these have targeted pro-Tibet websites and other human rights organizations around the world. A waterholing attack is one that targets users of specific websites with the aim of installing malware on their systems (usually a backdoor) to collect documents, email contacts, social contacts, and passwords. The frequency of these attacks prompted Websense Security Labs to check our collective threat intelligence for any other websites that are considered pro-Tibet, to see if they are affected by this kind of attack.

 

In this blog we’re going to analyze the Tibetan Alliance of Chicago website and illustrate how waterholing attacks are conducted.

 

One of the trends in targeted attacks in the last few years is that the installed malware binaries connect to dynamic DNS hosts. One of the most interesting aspects of this specific attack is that a successful exploit downloads a binary that connects to a small dynamic DNS service offered by none other than a German-based security appliances and services company, which reaffirms the notion that perpetrators pick and choose the parts of their attack infrastructure.

 

 

Although the website does not have a high Alexa rank, we thought it was worth consideration, because our analysis concluded that it wasn’t a scattered attack, but a targeted injection to infect the users of that website. The website had been injected with two malicious iframes pointing to the two links analyzed below.

We started to investigate the content of these two links above. The first (hxxp://78.129.252.195/images/Adobe/index.html) contains another iFrame that leads to a Firefox plugin named “Adobe Flash Player.xpi,” although at the time of the analysis, the plugin wasn’t available:

 

 

When we used Threatseeker to search for other instances of “Adobe Flash Player xpi,” we detected other malicious websites, so we deduced that the aim of this iFrame was to try to install a malicious plugin using social engineering techniques. The second link (hxxp://78.129.252.195/index.html) caught our attention, because it seems to be malicious code exploiting the vulnerability CVE-2012-4969 as shown below:

 


The code highlighted above shows another iframe that leads to hxxp://78.129.252.195/yRrztX.html with the following content: 

 

 

From this, we could see the code used to trigger the Internet Explorer vulnerability addressed as CVE-2012-4969 and spotted in other targeted attacks by a security researcher here in September 2012. The code within the page “index.html” uses the “heap spray” technique to run shellcode if the exploitation attempt succeeds. The following is the snippet of code that assigns the shellcode:

 

 

Once the shellcode is executed, it downloads and runs a malicious file on the compromised system. The shellcode appears to be using the Windows default user-agent ‘wininet’ to retrieve the malicious file, which in itself can be considered suspicious, because we don’t normally see many legitimate HTTP requests that use this agent. We do see this user-agent being used by legitimate software, but it’s not predominant.

 

The following Fiddler session shows the binary file being downloaded:

 

 

Analyzing the dynamic behavior of the malicious executable, you can detect a first call to the command-and-control point at mail.firewall-gateway.com, located in the United Kingdom:

 

 

 

We conducted a quick investigation of the domain “firewall-gateway.com,” and it appears to be maintained by the German service provider Securepoint, which specializes in provisioning secure VPN endpoints and other kinds of network services. This is what we saw in the WHOIS record:

 

 

In one of Securepoint’s support forums, the announcement of the availability of a dynamic DNS service is still shown. The service appears to be available at this address. We believe it’s an attempt to remain covert, because it is not by chance that the perpetrators chose a command-and-control point reachable through a dynamic DNS service associated with a security company.

 

 

The detection rate of the binary file seems very low, as reported by VirusTotal. From a brief static analysis of the malicious binary file, you can see a list of strings used to check for the presence of antivirus software on the impacted system:

 

 

 

The binary file has a low AV detection rate, as reported by this VirusTotal report.

 

In this blog we gave a brief example of what seems to be a waterholing attack aimed at a specific crowd, in this case pro-Tibet users. We believe that the complexity of such attacks lies in direct relation to the security measures employed by the potential targets; in this case the attack isn’t that complex, but it is probably just enough to fulfill its ultimate purpose.

 

Websense customers are protected from injected websites and the different stages of this threat with our Advanced Classification Engine – ACE.

 

Custom Attachment Names and Passwords for Trojans

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, recently noticed an increased use of custom-generated attachment file names, and some use of password-protected ZIP files. Emails with banking/financial themes are being sent with executables packed in ZIP files, with file names matching the intended recipient. When the attachment runs on a victim’s computer, a Trojan from the Zbot P2P family is downloaded via a Pony loader. Zbot is typically used to steal banking credentials as well as for the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain. We saw such a campaign on July 15, 2013, featuring subjects like “IMPORTANT Docs – WellsFargo” and “IMPORTANT Documents – WellsFargo”. Websense Cloud Email Security has detected and blocked over 80,000 instances of this campaign. We have proactively blocked similar cases since June 10. Just as we were getting ready to publish, we noticed that Websense CES had proactively blocked another campaign, this time using fake emails pretending to be from Trusteer, trying to convince the victim to install an update for Trusteer Rapport software. Again, the attachment names are custom generated to match the recipient’s user name (or the first recipient in the case of multiples). So far we have blocked more than 36,000 variants of this latest campaign.

 

Let’s take a look at the campaign from July 15 first:

 

 

What’s unique to these campaigns compared with others we have blocked in the past is the custom-generated attachment name. The cyber criminals seem to be trying to come up with incremental improvements to enhance their effectiveness.

By automating file name creation and linking it to the intended recipient’s email username, they are presumably trying to socially engineer the potential victims into feeling a little more at ease about opening the attachment. They might also be hoping to get around rudimentary blocking based on attachment file name. In the examples we’ve seen, the packed executable was the same across the same campaign burst. The potential victim first sees the ZIP file with their own unique name, so a search for the attachment file name in a search engine might not show anything suspicious.

A typical misleading icon (another common trait of malware used in email attacks) would cause the file attachment to look like this if the folder option “Hide extensions for known file types” is selected:

 

Savvy users will display all file extensions, which will clue them in to the suspicious nature of the attachment:

 

If we analyze the behavior of the attachment using Websense ThreatScope™, we can see the Pony loader module communicates to:

hxxp:// dharmaking.net/ponyb/gate.php on 64.94.100.116

which is an empty POST transaction in this case, since there was no information to exfiltrate.

For the sake of curiosity, we can check out the admin login panel of the Pony loader on that page:

The Pony loader sends GET requests to download further executables from other locations:

hxxp:// liltommy.com/ep9C.exe 184.173.201.131

hxxp:// www.wineoutleteventspace.com/7UNFVh.exe 208.113.243.4

hxxp:// www.oh-onlinehelp.com/Pefyi.exe (suspended, not resolved)

hxxp:// video.wmd-brokerchannel.de/qAz575t.exe 213.148.99.220

It also includes communication to legitimate sites to mask its malicious activity.

 

You can see the full ThreatScope report here.

Anti-Virus detection at the time of the attack is pretty dismal, only 4 out of 45.

 

Dropped executables are recognized as malicious by ThreatScope. See reports here and here.

And again, AV detection is minimal – 1 out of 47.

But as is the case most of the time, AV vendors eventually update their signatures, and 19 out of 47 now detect the dropped binary as a Zbot Trojan variant.

For comparison’s sake, we decided to run another ThreatScope report, to see how our own analytics fared after they had a chance to update.

Here’s what we found:

As expected, some of the hosts serving the dropped files are not responding anymore. But one actually delivered a new binary:

hxxp:// www.wineoutleteventspace.com/7UNFVh.exe

The ThreatScope report indicates that it is malicious, as seen here. In addition, Websense ACE™, our Advanced Classification Engine, had generic detection against it.

AV detection? 2 out of 47

We should also note that ACE updated the categorization of the Uncategorized hosts seen in the initial report:

hxxp:// dharmaking.net/ponyb/gate.php is now under Bot Networks.

hxxp:// dharmaking.net/ is now under Malicious Web Sites.

hxxp:// www.wineoutleteventspace.com is now under Malicious Web Sites.

See the updated report here.

 

In an older campaign example (June 14, 2013), we can see another feature that has been used frequently in the last few months.

Not only does the ZIP attachment file name match the recipient’s user name, it is also password protected, with the password supplied in the email body. This is an obvious attempt to get around automated analysis and further increase the window of exposure before security vendors update their detection for the malware variant.
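The two campaign traits described above, an archive named after the recipient's username that carries an executable, and a password-protected archive, are both checkable at a mail gateway before any sandboxing. As an added example (not code from the original post), the following Python checks for them by walking the ZIP local file headers directly, so a malformed or encrypted archive still yields the entry names and the encryption flag. The archives are constructed in the script for the demo; recipient addresses and file names are placeholders.

```python
import struct
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001             # general-purpose bit 0: entry is password protected
EXEC_EXT = (".exe", ".scr", ".com", ".pif")
LOCAL_HEADER = "<HHHHHIIIHH"        # version, flags, method, time, date, crc, csize, usize, nlen, xlen


def build_stored_zip(entries, encrypted=False):
    """Construct a minimal ZIP blob (local headers only, stored method) for the demo.
    A real encrypted archive also prepends a 12-byte encryption header to each entry's data;
    here only the flag bit is set, which is what the scanner keys on."""
    blob = b""
    for name, data in entries:
        name_bytes = name.encode("utf-8")
        flags = FLAG_ENCRYPTED if encrypted else 0
        header = struct.pack(LOCAL_HEADER, 20, flags, 0, 0, 0,
                             zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data),
                             len(name_bytes), 0)
        blob += ZIP_LOCAL_SIG + header + name_bytes + data
    return blob


def scan_zip_entries(blob):
    """Walk the local file headers and return [(entry_name, is_encrypted), ...]."""
    pos, entries = 0, []
    while blob[pos:pos + 4] == ZIP_LOCAL_SIG:
        fields = struct.unpack(LOCAL_HEADER, blob[pos + 4:pos + 30])
        flags, csize, nlen, xlen = fields[1], fields[6], fields[8], fields[9]
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos += 30 + nlen + xlen + csize   # skip header, name, extra field and stored data
    return entries


def assess_attachment(recipient, attachment_name, blob):
    """Return the campaign traits from the post that this attachment exhibits."""
    reasons = []
    local_part = recipient.split("@")[0].lower()
    stem = attachment_name.rsplit(".", 1)[0].lower()
    if stem == local_part:
        reasons.append("archive name equals recipient username")
    entries = scan_zip_entries(blob)
    if any(name.lower().endswith(EXEC_EXT) for name, _ in entries):
        reasons.append("executable inside archive")
    if any(encrypted for _, encrypted in entries):
        reasons.append("password-protected entries")
    return reasons


if __name__ == "__main__":
    # Constructed samples: an executable named after the recipient, the same but password protected,
    # and a benign report. "MZ" stands in for a real PE file.
    lure = build_stored_zip([("john.smith.exe", b"MZ" + b"\x00" * 14)])
    locked = build_stored_zip([("john.smith.exe", b"MZ" + b"\x00" * 14)], encrypted=True)
    clean = build_stored_zip([("report.pdf", b"%PDF-1.4 constructed")])
    print(assess_attachment("John.Smith@example.com", "John.Smith.zip", lure))
    print(assess_attachment("john.smith@example.com", "john.smith.zip", locked))
    print(assess_attachment("john.smith@example.com", "report.zip", clean))
```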

 

 

The attachment (again hiding extensions for known file types) is displayed as:

Similar behavior can be seen in the ThreatScope report.

And again, AV is not quite up to speed.

See the ThreatScope report for the dropped executables; VirusTotal detection at the time of the attack was a little better, at 18 out of 47.

 

The latest campaign, featuring fake Trusteer emails, has subject lines like:

Important Security Update : Customer 9382121

Here’s a sample:

 

 

As in the other samples, the attachments are named with a custom generated file name that matches the username of the first recipient. We can assume that since Trusteer is a software company, the cyber criminals are trying to lure potential victims into being less suspicious of the executable packed inside the attachment.

 

 

 

 

The behavior is similar to the samples above; see the ThreatScope report here, and compare with VirusTotal at 5/47.

Dropped file: ThreatScope report here, VirusTotal at 3/46.

 

It is interesting how simple some of the lures are, but the attackers might be getting enough monetary gain from using them and employing the small, incremental changes described above.

Simple social engineering techniques, known exploits, and known malware families are still being widely used in attacks large and small, because apparently they work.

Beyond user education, employing a multi-layered security product that combines multiple analytics could help prevent such attacks.

Websense has provided protection against this campaign in multiple stages. As an email attack carrying attachments, this campaign uses some of the stages outlined in our whitepaper describing the 7 stages of Advanced Threats.

Lures – Websense Cloud Email Security provides proactive protection against emails carrying executables or other suspicious attachments, based on multiple analytics.

Dropper File – Websense ThreatScope recognizes the malicious behavior of the dropper file.

Call Home – Websense ACE, our Advanced Classification Engine, blocks the Pony loader page via real-time analytics.

Dropped Files – ThreatScope recognizes the malicious behavior of the dropped executable files. In addition, ACE protects against the URL hosts.

Data Theft – Websense DLP (data loss prevention) tools can detect and stop the exfiltration of sensitive information, like the banking credentials and PII that Zbot targets.

 

 

 

Fox News-themed Malicious Email Campaign [UPDATED]

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, discovered an interesting malicious email campaign using spoofed email addresses from Fox News domains in an attempt to ultimately lure victims to websites hosting the Blackhole Exploit Kit. Should the exploit and compromise be successful, a malicious payload related to the Cridex family appears to be delivered which, as detailed in an earlier Websense Security Labs blog, is typically used to steal banking credentials as well as for the exfiltration of personally identifiable information (PII) and other confidential data for criminal gain. These emails, discovered early on the morning of June 27th, featured “breaking news” subjects and mimicked legitimate news content related to the US Military moving into Syria in order to entice the victim to ‘click’ on the malicious links. The campaign appears to have targeted a variety of industries and countries; as of 1600 PST on June 27th, the Websense ThreatSeeker® Intelligence Cloud had detected and blocked over 60,000 samples.

Email Screenshot:

 

Intercepted emails generated interest as they are highly convincing as breaking news alerts and target highly popular and polarizing topics such as immigration reform, the war on terror, and sending troops to Syria. Example email subjects include:

  • U.S. Military Action in Syria – is it WW3 start?
  • US deploys 19,000 troops in Syria
  • Obama Sending US Forces to Syria

Malicious Email Analysis

The emails above contain links that follow a series of redirections leading to a BlackHole exploit kit, which delivers a malicious PDF. Once opened, the malicious PDF executes embedded and obfuscated JavaScript code which delivers an exploit (CVE-2010-0188). In the event the exploit is successful, the shellcode downloads a malicious component from: hxxp://sartorilaw.net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti
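The payload URL quoted above has a recognisable shape: a PHP script called with several nonsense parameter names whose values are short colon-joined tokens. As an added example (not code from the original post), the following heuristic flags URLs of that shape in a proxy log so they can be triaged; it is tuned to the sample above and the thresholds are assumptions, so treat hits as leads, not verdicts. The benign comparison URLs are constructed.

```python
import re
from urllib.parse import urlparse, parse_qsl

# The payload URL quoted in the post (hxxp rewritten to http for parsing) plus constructed benign URLs.
SAMPLE_URLS = [
    "http://sartorilaw.net/news/source_fishs.php?kxdtlz=1l:1g:1i:1o:1j"
    "&mbtdi=1k:33:1f:32:2w:30:1h:1o:1h:1g&swlpwu=1i&doko=vaif&wgnrppva=xoti",
    "http://news.example.com/article.php?id=4821&section=world",
    "http://shop.example.com/item.php?sku=ab12&color=red:blue",
]

# Values such as "1l:1g:1i:1o:1j": two or more base36 tokens of at most three characters, colon joined.
COLON_TOKENS = re.compile(r"^[0-9a-z]{1,3}(:[0-9a-z]{1,3})+$")
# Parameter names that are plain lowercase letters with no meaning, e.g. "kxdtlz".
RANDOM_NAME = re.compile(r"^[a-z]{4,10}$")
# Ordinary names that also match RANDOM_NAME and must not count (assumed list, extend per environment).
COMMON_NAMES = {"page", "section", "lang", "query", "search", "color", "sort", "order", "user", "name"}


def url_features(url):
    """Extract the features the heuristic scores from one URL."""
    parts = urlparse(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "php_script": parts.path.lower().endswith(".php"),
        "param_count": len(params),
        "colon_encoded_values": sum(1 for _, v in params if COLON_TOKENS.match(v)),
        "random_names": sum(1 for k, _ in params
                            if RANDOM_NAME.match(k) and k not in COMMON_NAMES),
    }


def looks_like_exploit_kit_url(url):
    """True when the URL shares the structure of the payload URL in the post."""
    f = url_features(url)
    return f["php_script"] and f["colon_encoded_values"] >= 1 and f["random_names"] >= 3


def triage(urls):
    """Return only the URLs worth a closer look, with their feature summary."""
    return [(u, url_features(u)) for u in urls if looks_like_exploit_kit_url(u)]


if __name__ == "__main__":
    for url, features in triage(SAMPLE_URLS):
        print(url, features)
```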

 

Redirection Chain:

 
       

The malicious component downloaded by the shellcode is characterized as a Trojan that is capable of downloading malicious files onto a compromised computer and spreading itself via mapped and removable drives.

Malicious component:
https://www.virustotal.com/en/file/2b6a58cbf235fedfbcdb1f15645f5d3f9156ebeb916074539b83c1e7934b1ef9/analysis/

About the PDF file:
https://www.virustotal.com/en/file/f2130f5c0e388454db7c8b25d16b59cb19ba193fe6cd1a5a7b7168d94e6d243b/analysis/

Malicious PDF Analysis

First Stage – Obfuscated JavaScript embedded in PDF:

 

Second Stage:

 

The third and final stage reveals the shellcode and URL:

 
Should the malicious PDF successfully exploit the victim’s machine, it creates a Windows Registry entry in order to maintain persistence by running automatically as the system starts:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Once executed, a number of HTTP connections on port 8080 are opened in order to download additional malicious payloads:

Associated Domains

The domain (hxxp://sartorilaw.net) that hosts the malware downloaded by the PDF exploit above was first registered on June 25th, 2013. Since then, it has resolved to three different IP addresses (119.147.137.31, 203.80.17.155, 174.140.166.239) and has hosted multiple pieces of malware, which resulted in it being characterized as a malicious website by the Websense ThreatSeeker® Intelligence Cloud almost immediately.

Malicious domain (hxxp://sartorilaw.net)
Contact email: soldwias@usa.com
Registrant: Cabrieto, Debbie

A WHOIS lookup on the contact email and registrant indicates that a second domain was registered on the same day (hxxp://enterxcasino.net). This domain does not resolve yet, but is likely to be used for malicious purposes in the future.

Impact and Protection

The overall efficacy of this campaign is difficult to judge, but the combination of a relatively high level of sophistication in the attacker’s social engineering and the use of relatively recent exploits and malware results in an increased risk to targeted systems. Websense provided protection from this campaign at multiple stages. Correlating this attack to the 7 stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

  • Stage 2 (Lure) – The Fox News themed email campaign
  • Stage 3 (Redirect) – The websites that take the user to the delivery of the exploit code
  • Stage 4 (Exploit Kit) – Real-time detection of the BlackHole exploit kit that was used in this attack
  • Stage 6 (Call Home) – The malicious PDF launches code that reaches out to a server known to host malware and that is blocked via Websense. Further, analytics have been added that detect and block the C2 protocol used by the PDF
  • Stage 7 (Data Theft) – Websense DLP (data loss prevention) tools are capable of detecting and stopping the exfiltration of sensitive information with advanced feature sets such as Drip DLP, OCR analysis and covert channel detection

 

[Update]

 

Tuesday, July 2, 2013:

Websense Labs, via our ThreatSeeker Intelligence Cloud, has identified a modification to this campaign. Using Pinterest as its platform, the update informs the recipient that their Pinterest account is in need of updating and suggests they follow a link to do so; clicking on this link results in action identical to the Fox News campaign mentioned in the initial blog.

As always, Websense keeps its users safe through the 7 stages of Advanced Threats, via our Advanced Classification Engine.