20-20 Hindsight at the Big Top

RSA USA 2013 wrapped up last week and it had all the usual hallmarks of a modern security conference: storm troopers, casinos, free giveaways every few minutes, hawkers with headsets (much like the county fair), models in superhero costumes, attendees vying to collect the most free goodies, and of course the indispensable straight-jacketed unicycle-riding pitchmen.  The buzzwords this year included “Big Data”, “Mobile Security” and “Security Analytics”, not that there was any clear consensus about what those terms exactly meant or whether the solutions being peddled bore any resemblance to them.  For those with experience attending past conferences, it was just par for the course.

 

Outside of the circus tent, the high-profile hacks of major companies and web properties figured prominently in most presentations.  This wasn’t the usual FUD, either – even our conservative fellow researchers and technical presenters proclaimed that the bad guys had gained the upper hand, especially for the most sophisticated malware attacks from state-sponsored actors and financially-motivated cartels.  The technology put forth this year by the security industry in response was a little surprising, however.  Doubling down on the premise that “if the bad guys really want to get in, they will”, the emerging technology trend implied that it’s better to react quickly after you’re compromised rather than be under silent attack for months or even years like so many of the 2012-2013 examples have indicated.   There were over 11 different vendors that had created a behavioral sandbox (much like our ThreatScope) to examine the behavior of malware already in the environment.  There were at least 7 vendors that had created workflow tools to allow practitioners to record and investigate security events after the breach.  A few security vendors were touting their new-and-improved capabilities at repair and remediation.  One even declared that we now live in a “post-protection world.”  They all made for some fairly impressive demonstrations with all of those nifty post-breach attack details.

 

What was in short supply this year was an answer for why we were all there (in theory): “How do we stop the attacks?”  Where was the innovation around protection?   Protecting data from skilled attackers with newly crafted attacks designed to bypass existing security controls is indeed a hard enough task.  Now try adding in coverage for all the holes in emerging endpoints, mobility, and social web domains, and doing so inline, with low false positives and high performance.  Now try to figure out how to independently prove that all of this stuff works.  It’s a mammoth undertaking, and the unanimous consensus was that existing measures are not getting the job done.  Why not focus on THAT problem?

 

There were exceptions to this trend.  In addition to our own Chris Astacio’s standing-room-only talk on mass mobile attacks and Blackhole botnet dissection, Tomer Teller had some concrete insights into “Detecting the 1%” and Ed Skoutis presented CyberCity as a real-world model of how to pentest and ultimately protect infrastructure from physical attack.  There were other examples as well, but far too few.  

 

We’ve got to buck this trend and get back to basics – focus on stopping the attacks before they do harm or steal information.  True, we may never get it perfect, but we can certainly do a lot better.  It’s all well and good to put lots of 20-20 hindsight and forensics around an attack, but we would all prefer the deafening silence of a prevented attack over a decidedly louder postmortem of a successful data breach in all its glorious new detail.  

 

Honeyclient Evasion Techniques, Bible.org Case

Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website.  

 

At first glance, this seemed to be a run-of-the-mill “compromise, redirect, exploit” chain; however, closer analysis revealed the use of an interesting Honeyclient evasion technique. Honeyclients allow the profiling of websites in a heuristic and automated way; more often, testing a website with a Honeyclient takes longer than signature-based solutions but the results are much more accurate, especially when new zero-day code or a new emerging threat needs to be flagged up and requires scrutiny. Usually, Honeyclients run on top of virtual machine sandboxes: evasion techniques allow malicious code to become more aware of its running environment and to check if it’s in a virtual environment or likely to be an ‘analysis’ environment before actually running malicious code. 

 

 

 

This snippet of code is the entirety of the Honeyclient evasion attempt – as the method name suggests, the function ‘jsstatic’ will only be called once the eventhandler registers the movement of the user’s mouse over the document (page) – obviously, a primitive Honeyclient will have no mouse movement emulation, therefore the offending function that leads to exploit code will never be called and alerted on by the Honeyclient.

 

Let’s take a closer look at the jsstatic function (click to enlarge):

 

 

The first part of this function definition is simply a sentry variable, to stop the function being executed indefinitely with each new onmousemove event – the global variable astatf is defined as 0 in an earlier part of the script. The next part simply creates the iFrame, which is then executed as if it had just been injected into the page, as per a normal compromise.

 

This technique is quite primitive and showcases the infancy of this type of Honeyclient evasion technique. The plethora of event handling methods available means this technique is not going to go away anytime soon, and is likely only going to get more complex and inventive. 

 

In summary: the use of such techniques ultimately aids malicious code in remaining undetected for longer periods of time and thus increases its chances of bypassing security products undetected. The technique described in this blog is simple and allows redirection to exploits only if a mouse movement is detected, an action that is often associated with an actual person interacting with a website and often not used by primitive Honeyclients. Why are the attackers using this technique instead of the normal drive-by type technique we usually see? probably because they wanted to make the attack more stealthy, as attacks like this wouldn’t be picked up by automated behavioral analysis systems. That’s why multiple layers of defense are needed for web-based attacks.

 

This discovery ties in to Websense Security Labs predictions that Cybercriminals will become more ‘virtually aware’ and find modern bypass methods to avoid security detection – see our Websense 2013  Security Predictions.

 

Author: Darrel Rendell 

NBC.com Compromised

Earlier today the main website of NBC and some of their show websites (such as www.jaylenosgarage.com) were compromised and served malicious content to users. The malicious content was inserted as a one-line iframe tag on one of the JavaScripts that gets loaded every time a user visits the page:

 

 

 

This one line of code forces the web browser of every visiting user to download content from the walterjeffers site, which, in turn, redirects the user to two other sites that eventually use an exploit kit to automatically install a malicious file onto the computer. During the few hours the attack was active, we saw several different URLs being used by the attackers. See the screenshot below for the sequence of events as recorded by our replay system that we have in Websense Security Labs.

 

 

 

 

Two vulnerabilities were used to compromise the user’s computer. In the above example, we can see a PDF file, but the exploit will also try Java vulnerabilities. If either is successful, a malicious binary from the Citadel family is installed on the machine. This family of malware is a so-called banking Trojan, which is designed to help the cyber criminals steal money from online banking accounts. While the file has very bad coverage from antivirus solutions according to VirusTotal, our Websense ThreatScope technology was able to see it as suspicious and provide a lot of additional details about the behavior of the file. See here for the full report.

 

Websense customers were proactively protected against the exploit code attack by our real-time analytics specifically designed to prevent exploit kits.

 

 

 

NBC has since confirmed that their site has been cleaned up, and it’s again safe to visit.

APT1: a prevention perspective

There’s been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed “APT1”.  Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks — a decidedly difficult enterprise.  While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.  

 

 

Here are a few data points we’ve already put together from our own analysis of the ThreatSeeker Network:

  • We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
  • China has a disproportionately large share of web-based attack traffic in the United States.  
    • For example, in February 0.49 percent of all web requests from US manufacturing companies land on servers in China.  11.21 percent of all malicious web requests from US manufacturing companies land on servers in China.  If you’re looking at traffic patterns, that’s more than a 20X traffic disparity toward malware.
    • US news & media companies are also disproportionately driven to malware located in China:   legitimate requests to China make up 7.47 percent of overall traffic, whereas China’s portion of all malicious traffic goes up to 21.21 percent.

  • As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world at 0.76 percent.  That may change.

 

A more interesting question than authorship for us is: “How can you proactively stop targeted attacks like APT1?”  Signatures are obviously not the answer.  Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:

 

  • Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously) 
  • File sandboxing (find two examples of APT1’s telltale behavior in ThreatScope reports here and here)
  • URL sandboxing in e-mails to prevent spear phishing
  • Data loss prevention technology to fingerprint and identify legitimate data as it exits
  • Dynamic DNS request interception
  • Web reputation /  destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.

 

 

One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.

 

 

APT1: A Prevention Perspective

There’s been increased interest in targeted attacks and advanced persistent threats in the news lately, from the intrusions on large media outlets and hacks on social networking sites to a recent detailed report of the tactics behind the infiltration of a sophisticated attack family dubbed “APT1”.  Much of the controversy swirling around these reports stems from the attempt to identify the perpetrators behind the attacks — a decidedly difficult enterprise.  While the balance of evidence presented for APT1 does appear to point toward authorship in China (after exhaustive analysis), sophisticated attacks are faceless at the moment of attempted compromise.  

 

 

Here are a few data points we’ve already put together from our own analysis of the ThreatSeeker Network:

  • We have observed more than 2,000 unique cases of APT1 attacks since 2011 against all major industry segments.
  • China has a disproportionately large share of web-based attack traffic in the United States.  
    • For example, in February 0.49 percent of all web requests from US manufacturing companies land on servers in China.  11.21 percent of all malicious web requests from US manufacturing companies land on servers in China.  If you’re looking at traffic patterns, that’s more than a 20X traffic disparity toward malware.
    • US news & media companies are also disproportionately driven to malware located in China:   legitimate requests to China make up 7.47 percent of overall traffic, whereas China’s portion of all malicious traffic goes up to 21.21 percent.

  • As the APT1 report suggests, China currently has much less web-based attack traffic originating from the rest of the world at 0.76 percent.  That may change.

 

A more interesting question than authorship for us is: “How can you proactively stop targeted attacks like APT1?”  Signatures are obviously not the answer.  Here are some of the ways that we block APT1 along the kill chain without the need for signature updates:

 

  • Full content scanning within SSL, including preventing rogue certificates and criminal encryption (as we blogged about previously) 
  • File sandboxing (find two examples of APT1’s telltale behavior in ThreatScope reports here and here)
  • URL sandboxing in e-mails to prevent spear phishing
  • Data loss prevention technology to fingerprint and identify legitimate data as it exits
  • Dynamic DNS request interception
  • Web reputation /  destination awareness. Many domains, hosts, IP addresses, and even ASNs used by APT1 have been classified for years. Block known compromised hosts for the hops and the outbound C&C traffic.

 

 

One trend that you can confidently predict: the attackers will continue to adapt and get smarter, and the techniques to thwart them will need to do the same.

 

 

Battered Twitter, Phish but no Chips!

Hot on the heels of Friday’s announcement by Twitter that they ‘detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data’ and subsequent confirmation that ‘attackers may have had access to limited user information’ for  ‘approximately 250,000 users’,  Websense® Security Labs™ are tracking a phishing campaign propagated via Twitter’s direct message functionality.

 

Whilst no correlation between the two events can be drawn at this time, Twitter users should be on guard for signs of their own account being abused or compromised, as well for abnormal signs or unusual behavior (or perhaps in many cases, more unusual than normal) from those that they follow. Specifically, users should be cautious, as always, when following any links received from direct messages or Tweets particularly if the page you’ve been directed to is asking for your credentials or personal information.

 

Given the recent compromise, Websense Security Labs suggest that you regularly check your online accounts for signs of compromise and, as if anyone needs an excuse to do so, regularly update your suitably complex (and most definitely not your pet/team/town or dictionary word) password as well as reviewing the permissions granted to third-party applications that have access to your accounts (Twitter: How to Connect and Revoke Third-Party Applications). Should you have been unlucky enough to fall victim to this recent compromise, you’ll have hopefully received a notification from Twitter that suggests these actions along with some general tips for account security:

 

 

Thankfully there are also suggestions, given this recent article on The Guardian’s Web site, that Twitter may be looking to implement two-factor authentication in the future as they are currently advertising a Product Security Software Engineer role in which the successful candidate would have the opportunity to work  with “user-facing security features, such as multifactor authentication”. The implementation of two-factor authentication would be a welcome addition to Twitter’s service which, based on figures released in 2012, has an estimated 500 million users, of which 200 million are estimated to be ‘active’.

 

The recent compromise is reported to impact 250,000 users, a mere 0.0005% of total users or 0.00125% of active users, and therefore may seem a somewhat small drop in the Twitter ocean. It is not unsurprising, therefore, that attackers are continuing to target Twitter users by dumping a barrel load of phish into this metaphorical ocean.

 

This recent phishing campaign, given the samples analyzed by Websense Security Labs so far in this incident, is using lures likely to elicit a click when received from a friend or associate, such as Did you see this pic of you? lol followed by a shortened URL.

 

Interestingly for us, and hopefully you, the use of Bitly’s URL shortening service allows us to append the URL with a plus ‘+’ and then view statistics for the shortened URL:

 

 

Whilst the click rate for the above example is low, we’ve seen numerous unique Bitly shortened URLs related to just one account, and would expect the perpetrators behind this campaign to rapidly cycle these in order to avoid detection and to increase the chances of catching more victims.

 

From all of the Bitly URLs analyzed, the statistics indicate that the victims are not confined to any one geographical area and that users are following the links. With regard to the small percentage of non-Twitter referrers, these could be Tweets or Direct Messages accessed via other applications or  indicative that the campaign is not limited to Twitter itself.

 

Once followed, the shortened URLs lead to what appears to be an intermediate and changing subdomain on hecro(.)ru which in turn redirects to active phishing sites hosted on a variety of typosquat-style domains:

 

 

The phishing URL in the above example, Tivtter(.)com (ACEInsight Report) appears at a glance to be legitimate and therefore is likely to dupe some unsuspecting victims into believing that they need to ‘re-login’ to their expired Twitter session. The URL in this example also appears to cycle through an alphabetic sequence of folders containing the phishing page, perhaps in order to gather some statistics or to split the campaign in some way, as we’ve seen active examples from /a/verify/ upwards (/n/verify/ at the time of writing). Once the letter has cycled onto the next, any attempt to access the phishing page will be met with a standard  ‘404 – Page not found’ error.

 

Should you fill in your account credentials, they’ll be snaffled by those behind this nefarious scheme and you’ll be presented with a fake ‘404’ page not found error before being whisked back to the official Twitter Web site as if nothing happened:

 

 

As well as the URL above, we’re also seeing other variations on the same Twitter typo theme including iftwtter(.)com (ACEInsight Report) and iwltter(.)com (ACEInsight Report).

 

Reassuringly, Bitly are flagging many of the shortened URLs as ‘potentially problematic’ although it is likely that for every one flagged another is sure to emerge.

 

Whilst Websense customers are protected from phishing and other threats by ACE, our Advanced Classification Engine, please do ensure that you check your personal accounts as well as sharing some basic security tips with your friends and family!