Reason To Choose This Incident


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

In this report I discuss three incidents that happened during the given time period. All three incidents, 'Operation Red October', the 'Bit9 attack using malware' and the 'MiniDuke malware attack', are cases of cyber espionage, also called cyber spying, which is one of the most dangerous cyber-crimes in today's technological world. Each of these incidents is significant in its own way and has drawn considerable attention from researchers and security experts. Cyber espionage is a serious crime that involves the theft of sensitive data, and it is now quite common in the corporate world. Most of the time these campaigns are state sponsored and are tasked with learning the secrets of enemies or competitors. Cyber spying is a serious threat to everyone in the cyber world, and strong cyber law is needed to address it.

Operation Red October

Introduction:

On January 14, 2013, Kaspersky surprised the world with a research report on a cyber espionage campaign that had repeatedly attacked the networks of diplomatic services to steal sensitive political, governmental and research information from organizations in many countries. Kaspersky's research and analysis team began investigating these attacks the previous October. During the investigation a large-scale cyber espionage operation was discovered and dubbed 'Red October', a name inspired by the novel "The Hunt for Red October". It is also known as ROCRA.

Reason to choose this incident:

In my opinion this incident gained so much attention because it is the largest cyber espionage operation discovered so far this year. The campaign began in 2007 and is still active; another notable point is that it evaded detection by the most sophisticated anti-malware products for more than five years. Its victims are not limited to computers but also include mobile devices and enterprise network equipment around the world, so it has become a major breakthrough in what the industry knows about espionage activity.

Details about the incident:

The Operation Red October campaign targeted many machines in different categories, including governments, embassies, research institutions, trade and commerce organizations, oil and gas companies, nuclear and energy plants, and military and aerospace organizations. The motivation behind the attack was to steal sensitive information. According to Kaspersky's team it has been running since 2007 and has not been shut down yet. Over this long period it has already stolen hundreds of terabytes of data related to geopolitical intelligence.

ROCRA is also notable for the wide range of devices it targeted. "Apart from traditional computers and networks, it steals information from mobile phones (smartphones: Nokia, iPhone and Windows Mobile), retrieves data from removable disks, hijacks e-mail databases from local Outlook storage or remote POP/IMAP servers and siphons files from local network FTP servers". More than 1000 modules have been uncovered, belonging to 30 distinct module categories. Each performs different functionality that has never appeared in any other malware.

The control structure used is very complex, an extended version of what was seen in Aurora and Night Dragon. "It uses a number of servers in different countries, mainly Russia and Germany, and more than 60 domains. During the period from 2 Nov 2012 to 10 Jan 2013 it registered more than 55,000 connections to six sinkholed domains out of the 60, from 250 different victim IPs in 39 countries. Switzerland, Greece and Kazakhstan were the top countries among them, but none of these has any relationship to the origin". The attackers used the true proxy functionality of the malicious nodes, along with multi-level proxies in the C&C (command and control, or C2) architecture, to hide the "mothership" control server. This has been very effective, because the malware remained undetected on over 300 computers and networks for more than five years.

The attackers used three different known Microsoft vulnerabilities to gain access to victim systems: "CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word) and CVE-2012-0158 (MS Word)". Kaspersky's researchers used two different approaches to identify the targets: first, detection statistics from the Kaspersky Security Network (KSN); second, a sinkhole server set up to monitor infected machines connecting to the C2.

How the Attack Happened:

Following the classical schema of attacks, ROCRA has two distinct phases in its structure.

Initial infection: this is the spear-phishing stage. In this phase the malware is delivered to the victim system as an e-mail attachment that exploits the known vulnerabilities; in addition, the attackers also infiltrated networks using a Java exploit (Rhino, CVE-2011-3544).

Once the victim opens the attached file or malicious URL, the main component starts and initiates a remote connection to the C&C server with a handshake packet containing the victim's unique ID. The infected machine sends this handshake every fifteen minutes. Later, a number of spy modules are added to the system through the C&C server. Based on the behaviour of the infected systems, these modules fall into two categories, offline and online. At this stage the attackers used a very efficient system to infect the network: typically they collect information about the network by identifying the key information streams for some time, and then compromise the other computers in the network by deploying the next modules. These spying modules are used to steal sensitive information. The data is compressed and stored on the victim system; the attacker then sends it to the Command & Control server using a flash module.
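The fifteen-minute handshake described above is exactly the kind of regularity a defender can hunt for in proxy or firewall logs. The following is an added example, not Kaspersky's tooling or anything from the original report: it groups requests by client and destination and flags pairs whose spacing is nearly constant and close to the expected period. The log format, the client address and the host names are constructed for the example.

```python
"""Detect periodic C2 beaconing in proxy logs (added example, constructed data).

A client that contacts the same destination at a near-constant interval is the
signature of a scheduled handshake.  Generic added example code; the log lines
and host names are constructed, not taken from any real incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host>".
SAMPLE_LOG = """\
2013-01-05T09:00:02 10.1.4.22 updates.example-c2.test
2013-01-05T09:00:41 10.1.4.22 news.example.test
2013-01-05T09:15:03 10.1.4.22 updates.example-c2.test
2013-01-05T09:22:17 10.1.4.22 news.example.test
2013-01-05T09:30:01 10.1.4.22 updates.example-c2.test
2013-01-05T09:45:04 10.1.4.22 updates.example-c2.test
2013-01-05T09:51:44 10.1.4.22 news.example.test
2013-01-05T10:00:02 10.1.4.22 updates.example-c2.test
2013-01-05T10:03:09 10.1.4.22 news.example.test
2013-01-05T10:15:00 10.1.4.22 updates.example-c2.test
"""


def parse_log(text):
    """Group request timestamps by (client, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series


def beacon_candidates(series, expected_secs=900, tolerance=0.1, min_hits=4):
    """Return (client, dest, median_gap_seconds) for pairs whose request spacing
    is nearly constant and within `tolerance` of the expected beacon period."""
    hits = []
    for (client, dest), stamps in series.items():
        stamps = sorted(stamps)
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med == 0:
            continue
        # jitter: spread of the gaps relative to their median; real beacons are tight
        jitter = pstdev(gaps) / med
        if abs(med - expected_secs) / expected_secs <= tolerance and jitter <= tolerance:
            hits.append((client, dest, med))
    return hits


if __name__ == "__main__":
    for client, dest, period in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {dest}: beacon every {period:.0f}s")
```

The browsing traffic to news.example.test has irregular gaps and is ignored; only the destination contacted every ~900 seconds is reported. In practice the expected period would be swept over a range rather than fixed at 900 seconds, and sinkhole data such as Kaspersky's would be used to confirm which flagged destinations are really C2.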

The malware's modules contain a special feature called a 'fool-proof backdoor'. It registers an extension for Adobe and Microsoft Word files on the victim machine, which helps the attacker regain access to the system even after the malware has been detected and quarantined by anti-virus. "The document may be sent to the victim via e-mail; it will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document." More than 1000 modules have been uncovered, belonging to 30 different module categories.

The objective of this espionage campaign is to collect geopolitical intelligence. The stolen credentials were compiled into a list and used as additional information by the attackers when they needed to gain access, including to cryptographic systems such as Acid Cryptofiler, an encryption program used by the French military and NATO.

The researchers found some very interesting facts about its origin. There is no conclusive evidence about the people or organisation behind this attack. It has no relationship to previously detected attacks, and it is not a state-sponsored enterprise like Flame (the espionage malware reportedly developed by the US and Israel to spy on Iran). In fact the exploits used in this attack were similar to previous attacks made by Chinese hackers, but the operation appears Russian in nature because the code contains Russian slang, and the registration data of the C&C servers and various artifacts left in the malicious code support the same conclusion. There is a subtle difference in ROCRA's module code: the attackers replaced the executable code with their own.

Conclusion:

The research report published by Kaspersky is a significant finding of the year so far. Investigation continues into how to mitigate this kind of attack and into who is really behind it. As far as the available information shows, the people who run these attacks are very professional, skilled and organised. The discovery of Red October opens a new era of cyber espionage campaigns, with its own customisation and a high degree of superiority over the earlier malware Duqu, Flame and Aurora. As an immediate consequence, a few hours after Kaspersky broke the news of the so-called 'Red October' campaign, the attackers shut down their infrastructure by killing all of its domains, hosts and Command and Control servers.

In addition to Kaspersky's analysis, the CEO of Taia Global, while analysing the incident to find its origin, observed some matching IP blocks between the RBN list and the Kaspersky report. He posted the following matches on his blog, claiming that the Russian government is behind this campaign.

Malicious servers:

178.63.208.49 matches to 178.63.

188.40.19.247 matches to 188.40.

78.46.173.15 matches to 78.46.

88.198.30.44 matches to 88.198.

Mini-mothership:

91.226.31.40 matches to 91.226.

If Kaspersky can uncover the RBN espionage ring, ROCRA will become one of the significant findings of the decade, because the RBN (Russian Business Network) has a working relationship with the Russian government and is involved in selling information to whoever needs it.

References:

http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html

http://www.2-viruses.com/kaspersky-lab-has-uncovered-rbn-controlled-espionage-ring

http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation

http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_Operation_Red_October_an_Advanced_Cyber_Espionage_Campaign_Targeting_Diplomatic_and_Government_Institutions_Worldwide

http://jeffreycarr.blogspot.it/2013/01/rbn-connection-to-kasperskys-red.html

http://arstechnica.com/security/2013/01/red-october-computer-espionage-network-may-have-stolen-terabytes-of-data/

http://slashdot.org/topic/cloud/the-hunt-for-red-october/

http://www.wired.com/threatlevel/2013/01/red-october-spy-campaign/all/

Bit9 Attack Using Malware

Introduction:

Bit9, one of the giant security firms, which provides network security services to the US government and more than 1000 global customers including Fortune 500 companies, was breached by hackers. They stole the company's digital signing certificates and used them to make malware pass as legitimate files.

Reason to choose this incident:

I have chosen this incident because it is a very peculiar incident in the given time period: here the attackers targeted the security company rather than its product, and it is a very big firm. Bit9 provides security services to many Fortune companies around the world, so the breach gained much attention in the security industry. Researchers are still trying to identify the origin of the incident, because the company's response to it raised more doubts. The case is still under investigation to find the culprits. Recently the company published its investigation report on its site, and it has been very open with the world about the incident. These things drew me to choose this incident.

Details about the Incident:

Bit9 was a top security company providing security services to many government organisations and Fortune 500 companies. It follows a different approach to help its clients identify and fight malware, called whitelisting. In general, antivirus products identify suspected and known-bad files to be quarantined. Bit9, on the other hand, blocks everything potentially unknown except the software that customers use daily and that is verified by its digital signature. Recently a few Bit9 customers were compromised; they found malware inside their Bit9-protected networks. Bit9 said it was "malware that was digitally signed by Bit9's own encryption keys". This is a very serious attack because the attackers targeted the firm, not its products. The firm is investigating the incident to find the origin of the breach. This incident occurred on Feb 8; after some blog posts about it, Bit9 shared some information on its site. It kept the list of customers affected by the malicious digital signatures secret, but mentioned that the signing was done by a third-party intruder, not a customer. Some researchers believe this is similar to the RSA Security attack of 2011 (where the attackers targeted the proprietary algorithm that protected thousands of companies' networks).

How the attack happened:

The company claimed that this incident happened because of an operational breakdown. It stated on its website: "We failed to install our product on one of our virtual machines; this allowed an attacker to compromise the system and gain access to use our digital signature". First the attacker found the system without the Bit9 security product and launched the attack from there. They stole the digital signing certificates that the firm uses to sign files after carefully examining them to distinguish good from bad. The whitelisting software allows only files carrying this digital signature and blocks files without it. It knows nothing about the content of the file and blindly trusts the digital signature. The attackers used those digital signatures to make malware look like legitimate files and delivered it to the customers.
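The weakness described above is that a valid signature was treated as the whole decision. As an added illustration, not Bit9's product or anything from the original page, the verifier below shows the checks an allow-list needs once a signing key is known to be stolen: a known-bad hash list, a revocation list, and a compromise window on the signing date so that files signed before the key was stolen can still be trusted. Real code-signing certificates are modelled with HMAC-SHA256 as a stand-in; the keys, certificate IDs, dates and file contents are all constructed for the example.

```python
"""Allow-list decision for a signed file (added example, not Bit9's product).

A valid signature alone is not enough once a signer has been compromised.  The
verifier checks, in order: known-bad hash, known signer, signature validity,
and whether the signing date falls inside the signer's compromise window.
HMAC-SHA256 stands in for a real certificate signature; the keys, dates and
certificate IDs below are constructed for the example.
"""
import hashlib
import hmac
from datetime import date

# Per-certificate signing keys (stand-in for each certificate's private key).
SIGNING_KEYS = {"cert-A": b"constructed-key-A", "cert-B": b"constructed-key-B"}

# Compromised certificates: from when the key was in the attacker's hands, and
# when it was revoked.  Anything signed on or after compromised_from is distrusted.
REVOKED = {"cert-A": {"compromised_from": date(2012, 7, 1),
                      "revoked_on": date(2013, 2, 8)}}

# Hashes the vendor published for files known to carry a malicious signature.
KNOWN_BAD_SHA256 = set()


def file_sha256(data):
    return hashlib.sha256(data).hexdigest()


def sign(cert_id, data, signed_on):
    """Return a (cert_id, signed_on, mac) signature over the file hash and date.
    The date is assumed to come from a trusted timestamp, not from the file."""
    msg = f"{file_sha256(data)}|{signed_on.isoformat()}".encode()
    mac = hmac.new(SIGNING_KEYS[cert_id], msg, hashlib.sha256).hexdigest()
    return (cert_id, signed_on, mac)


def allow_list_decision(data, signature):
    """Return (allowed, reason) for a file and its signature tuple."""
    cert_id, signed_on, mac = signature
    digest = file_sha256(data)
    if digest in KNOWN_BAD_SHA256:
        return False, "hash on known-bad list"
    key = SIGNING_KEYS.get(cert_id)
    if key is None:
        return False, "unknown signer"
    expected = hmac.new(key, f"{digest}|{signed_on.isoformat()}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    rev = REVOKED.get(cert_id)
    if rev and signed_on >= rev["compromised_from"]:
        return False, "signed while certificate was compromised"
    return True, "valid signature from trusted, unrevoked signer"


if __name__ == "__main__":
    payload = b"constructed file body"
    for sig in (sign("cert-A", payload, date(2012, 3, 1)),
                sign("cert-A", payload, date(2012, 7, 13)),
                sign("cert-B", payload, date(2013, 1, 1))):
        print(sig[0], sig[1], allow_list_decision(payload, sig))
```

The order of the checks matters: the hash list is consulted first so that a file already known to be malicious is blocked even if its signature chain is otherwise clean, and the compromise window is applied only after the signature itself verifies, so that a forged or corrupted signature is reported as such rather than as a revocation problem.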

At first Bit9 was reluctant to reveal information about the incident, but after publishing a few blog posts it shared the cryptographic hash values of the files carrying the malicious signatures. After analysing these files very carefully, 'KrebsOnSecurity' found matches for these malicious files. They used 'VirusTotal.com' to search; it accepts suspicious files for scanning and checks them with dozens of antivirus tools. They found that the attack had its roots in earlier days, because they found a match for a file "media.exe signed with the Bit9 certificate on July 13, 2012". Another match is "a Microsoft driver file for an 'SQL Database server' which was compiled and signed with Bit9's certificate on July 25, 2012". Bit9 admits the same. According to a recent report published on its blog, the attackers initially dropped a malicious backdoor application, HiKit (netddeserve.exe, a remote access Trojan, McRAT, containing an embedded rootkit component), through an SQL injection flaw in an Internet-facing web server present at that time. "There are two versions of this backdoor found on the compromised system: one is used to communicate with a remote host using the IP address (218.210.49.203) and another to communicate with the URL (downloadmp3server.servemp3.com, which resolved to the IP address 66.153.86.14)".

Bit9's research team identified 32 different files signed using that digital certificate. Consequently, to reach the three compromised customers, the hackers compromised websites (similar to the watering-hole attack that hit Facebook, Apple and Microsoft): the attackers used a Java vulnerability to insert malicious files into these sites through a malicious Java applet, and these files had already been signed with the stolen digital signatures. First they gained access to the virtual machine by compromising two user accounts. This virtual machine held the digital signing certificates and was not protected by Bit9. Then the attackers downloaded many files, including variants of HiKit and HomeUnix. They utilised the Java zero-day vulnerability (CVE-2013-1493) to deliver signed files to the customers. Researchers from Symantec and FireEye detected a remote access Trojan and named it Trojan.Naid. According to their report, this Trojan.Naid is also in the list of malicious files from the Bit9 attack. In the first stage of the attack, the target visits a web page containing the exploit (CVE-2013-1493), which hosts a malicious JAR file. If the attack is successful, a file svchost.jpg is downloaded; it is actually an MZ executable. The dropped appmgmt.dll file is then loaded with the help of that executable.

Prevention of the Attack:

As an immediate response to this breach, Bit9 revoked all the affected certificates and deployed its own product to all of its virtual machines, eliminating the operational issue. In addition, they released a patch to detect and stop execution of malware that uses the illegitimate signatures. As a preventive measure on the client side, I strongly suggest removing Java from your browsers, because attackers always find loopholes in Java and compromise machines easily. If it is not possible to remove Java, you should maintain two browsers: a primary one (without Java) and a secondary one (with Java).

The motive behind the attack was to perform cyber espionage against Bit9's customers, not against the Bit9 product itself. If that were not true, the attackers would have compromised everything in the Bit9 virtual machine, but instead they used it as a tool to attack the customers. They followed very advanced techniques for this breach, such as the Java zero-day vulnerability to exploit the system and HiKit to hide their files on the system. Another reason the files remained undetected is that the infected virtual machine had been offline from July to December and was only brought back in January. After analysing the attack carefully, Bit9 found that there was no flaw in its product. The question on everyone's mind is who discovered the flaws first, Bit9 or a customer.

Conclusion:

This incident has had many impacts on the security world. It shows how internal policies play a major role in any organisation, and also reveals that present technology by itself is not enough to fight cyber criminals. Security is a multi-layer function that includes user authentication, access control, network monitoring and filtering; attackers target any layer to find a hole to exploit the system. There are many things to learn from this incident. It is a wake-up call to everyone in the industry, because from the attacker's point of view everyone is a potential victim, whether a government organization or a reputed security firm. This incident is perfect evidence of cyber espionage carried out by motivated and organized cyber criminals as a long-term goal. In my opinion, one way to mitigate this kind of incident is to share intelligence, to inform the victims and potential targets about the attack, and to allow open scrutiny.

References:

http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

http://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/

https://blog.bit9.com/2013/02/25/bit9-security-incident-update/

http://www.theregister.co.uk/2013/02/11/bit9_hack/

https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/

http://www.scmagazine.com/hackers-hijack-bit9-to-target-its-customers-with-malware/article/279777/

http://www.securityweek.com/malware-attack-linked-bit9-hack-researchers-say

MiniDuke Malware

Introduction:

Cyber criminals targeted high-level government officials in over 20 European countries, including Romania and Ireland, and many research organizations, to steal geopolitical intelligence using malware called MiniDuke. This is a complex online assault of a kind rarely seen since the turn of the millennium. A research team from Kaspersky, working together with the Laboratory of Cryptography and System Security, published a new research report on this cyber espionage.

Reason for choosing the incident:

In my view the 'MiniDuke' malware attack received a huge response from the security industry because it uses "old school" techniques to launch its attack; it is reminiscent of attacks from two decades ago. Interestingly, examination of the incident reveals nothing about its origin. It was done by old malware writers who actively exploited networks with complex viruses in the past and who have now returned, combining old-fashioned skills with newly advanced techniques to target high-level government officials and research institutes around the world. Moreover, it exploited a vulnerability for which Adobe had to issue an emergency fix. Another interesting thing is the ambiguity about its origin: some researchers argue it is from China, others blame European hackers, but it is still undetermined.

The Incident in details:

Kaspersky's research lab published a report on the cyber-spy malware 'MiniDuke', which targets the governments of more than 20 countries, including Ireland, Belgium, Portugal, the Czech Republic, Ukraine and Romania. It also compromised a research institute in Hungary and an unnamed healthcare provider in the US; the motive behind the espionage is to steal geopolitical information from these targets. The servers controlling the malware were located in Turkey and Panama. According to the Kaspersky team this is an unusual attack that reflects the programming style of the late 1990s and early 2000s. It uses old-school hacking techniques, meaning low-level code written in assembler with a small file size (20 KB). The hackers use PDF files to launch their attack by exploiting a vulnerability in Adobe Reader. The PDF files appear genuine but infect the computer once the download starts. Here they used an old steganography scheme to embed the code in the PDF file. The attackers use e-mail attachments to spread this malware to target machines.

The most recent attacks using this malware happened on February 20; it is still active and uses effective social engineering techniques to compromise targets by sending them the PDF. "The new PDF attacks drop fake documents that are shown to the victim if the exploit is successfully executed. The documents refer to a human rights seminar (ASEM) and Ukraine's foreign policy and NATO membership plans"; the exploit works against most versions of Adobe Reader, such as 9, 10 and 11, bypassing its sandbox technology.

How Mini-Duke Affects and Works:

This is the typical attack scenario of the MiniDuke malware, based on the Kaspersky report.

The attackers attach a malicious PDF file to an e-mail, exploiting the Adobe PDF bug (CVE-2013-6040); they rigged the malware into the PDF and sent it to the target machine.

After the user opens it, a 20 KB file is downloaded to disk. It contains assembler code that performs an encryption function on data, creating a unique identifier, a fingerprint of the system, using some mathematical calculations. It also has a special mechanism to fool antivirus products and security professionals into believing it is benign, because the designers know how malware analysts work. It is programmed to avoid analysis by certain tools and VM environments; if it finds any of these indicators it stays idle and never runs its decryption function.

After performing this initial check on the victim machine, the malware uses pre-made Twitter accounts, created by the MiniDuke command and control (C2) operators, to read tweets. Every tweet carries a specific tag with an encrypted URL for the backdoors. These URLs provide access to the C2, which sends commands that open up the backdoors through GIF files.

MiniDuke has a special feature: it creates dynamic backups of the encrypted URL. If Twitter is not available at the time, it uses Google search to find the encrypted string pointing to the next C2.

Once it finds the C2, it receives encrypted backdoors, not in a user-readable format, inside GIF files. After the download completes, it performs espionage activities such as copying, moving and deleting files, killing processes and installing new malware on the victim system.

Finally it receives instructions from the attacker by connecting to two servers located in Panama and Turkey.

This is a very complex attack to figure out. To challenge the world, the attacker left a small piece of code (dw 666) before the decryption routine. This helped Kaspersky to find 53 unique infected systems in 23 different countries.

The MiniDuke file is only 20 KB and comes in the form of a .dll. It has both encryption and decryption schemes in it. The main functioning of this malware depends on the backdoor. The backdoor has seven call addresses: the first block checks for user activity, calling GetAsyncKeyState twice to check for mouse events. The second block checks the %temp% directory for files with the extensions "*.exe" and "*.dll". The third block gathers the information required to decrypt the backdoor's main body, such as the CPU information, drive and computer name, which gives a custom encryption for each unique victim. The fourth block provides self-protection against malware analysis. The fifth and sixth blocks are used to calculate the SHA1 information that is used for the next C2 interaction.

Once the infected system restarts, the malware is activated; it gains control at boot by writing a LNK file to the startup folder that invokes rundll32. This malware file works only on the victim system: if you copy the file to another system it does not work, because parts of the malicious .DLL are encrypted with the system configuration information, which is different for every system, so it will not function properly.
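The reason a copied sample fails on another machine is worth seeing concretely, because it determines what an incident responder has to collect from the infected host. The toy below is an added illustration, not MiniDuke's code: it derives a key from the three host attributes the page names (CPU, drive and computer name) with SHA-1, encrypts a stand-in payload under a keystream built from that key, and shows that the same blob decrypts only when the same attributes are supplied. The cipher, the fingerprint fields and both host profiles are constructed for the example.

```python
"""Host-keyed payload encryption, as an added illustration (not MiniDuke code).

The payload is sealed under a key derived from host attributes, so an analyst
who only has the file, and not the victim's CPU string, drive and computer
name, cannot recover its contents.  SHA-1 fingerprint and SHA-1 keystream are
a constructed toy; the host profiles and payload are constructed too.
"""
import hashlib


def fingerprint(cpu, drive, computer_name):
    """Key material derived from the three host attributes the page names."""
    return hashlib.sha1(f"{cpu}|{drive}|{computer_name}".encode()).digest()


def keystream_xor(key, data):
    """Counter-style keystream SHA-1(key || counter); XOR is its own inverse."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha1(key + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(payload, host):
    """Encrypt payload for one host; a 4-byte checksum is prepended so the
    receiver can distinguish a wrong fingerprint from a successful decrypt."""
    tag = hashlib.sha1(payload).digest()[:4]
    return keystream_xor(fingerprint(*host), tag + payload)


def unseal(blob, host):
    """Return the payload if the host fingerprint matches, otherwise None."""
    plain = keystream_xor(fingerprint(*host), blob)
    tag, payload = plain[:4], plain[4:]
    if hashlib.sha1(payload).digest()[:4] != tag:
        return None
    return payload


# Constructed host profiles: the infected machine and an analysis sandbox.
VICTIM = ("Intel64 Family 6 Model 42", "C:", "EMBASSY-PC07")
ANALYST = ("Intel64 Family 6 Model 42", "C:", "SANDBOX-01")
PAYLOAD = b"constructed stand-in for the backdoor body"


if __name__ == "__main__":
    blob = seal(PAYLOAD, VICTIM)
    print("on victim :", unseal(blob, VICTIM))
    print("in sandbox:", unseal(blob, ANALYST))
```

The practical consequence for response is that a memory image or the recorded host attributes must accompany the file when it is sent for analysis; changing even the computer name, as the sandbox profile above does, is enough for decryption to fail.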

After the examination, the researchers could not find anything about its origin. The CEO of Bitdefender said: "The discovery of this malware raises question about the origin of 2012 malware and malware as whole". There is a lot of confusion around its origin. Some argue that this is typical work of Chinese hackers; others blame European hackers. Interestingly, Romania admits this is also a state-sponsored network like Flame. Still, no one knows who is behind this espionage.

By comparing the newer version of MiniDuke with the older MiniDuke in Bitdefender's lab, they identified that much of the code is the same and that all the samples come from a similar group. The only difference between the 2011 and 2012 malware is the clock source: the 2012 MiniDuke fetches the time from a time server in China, while the 2011 version fetches it from the US Department of the Navy. According to Bitdefender's anti-malware research team, "the malware identified on June 20 2011 is the oldest found so far". The researchers released a malware removal tool that combines and neutralises all versions of the malware.

How to minimize the impact:

It is nearly impossible to fight this kind of attack with just antivirus and malware removal tools, because, as we know, security is an arms race and you always want to be a step ahead. As far as we know there is only one tool available to remove the MiniDuke malware, and no one knows how effective it is.

In my opinion, if we follow some security policies we can prevent this attack; some of them are:

Use a firewall to block all incoming connections from Internet services and allow only the outgoing connections that are explicitly needed.

Don't open unknown e-mail attachments; open an attachment only if it comes from a known sender or if it is expected.

Give end users the least privilege needed to do their jobs, and no more.

Use a complex password policy; with a very complex password, even if your system is compromised it is still very hard for the attacker to obtain that password.

Turn off AutoPlay for USB devices. Turn off Bluetooth if it is not required. Stop file sharing if it is not needed.

Keep your antivirus up to date; this may prevent the attack or at least minimise its impact.

If your system is already infected with this malware, first isolate it from the network and run a virus scan; if the malware is found, quarantine it or use the malware removal tool.

Run a forensic scan to find the vulnerabilities and the damage caused by the malware. Fix the holes; this will prevent further damage.
