Labs Research: Using Anomalies in Crash Reports to Detect Unknown Threats
Posted by AlexWatson on 19 February 2014 10:30 AM
Websense Research Report Details New Targeted Campaigns and Unreported POS Systems Attack
Today, we released a research white paper detailing the use of Windows Error Reporting (WER) to detect advanced targeted campaigns in the wild, including: a campaign against a government agency; a major cellular network provider; and a previously unreported campaign targeting point-of-sale (POS) systems at retailers with a new variety of malware. The white paper, entitled “Using Anomalies in Crash Reports to Detect Unknown Threats,” can be downloaded here: www.websense.com/crashAPTreport
Alexander Watson, Director of Security Research, Websense, will present advanced findings related to this research at the 2014 RSA Conference in San Francisco. Join us for our session, "Use Anomalies to Detect Advanced Attacks Before Bad Guys Use It Against You" on Tuesday, February 25, 2014, at 4 p.m. PT.
In a previous blog post, we discussed how Microsoft Windows Error Reporting (WER), a.k.a. Dr. Watson, sends detailed telemetry to Microsoft each time an application crashes or fails to update, or a hardware change occurs on the network. By correlating the data, we demonstrated how an attacker who was capable of intercepting this data could create a precise blueprint of the target’s hardware and software network. Attackers can use this intelligence to create tailored attacks with a high probability of success.
But those reports also got us thinking about ways we could use that wealth of data to enable security. Our first step in that direction involved releasing source code on GitHub that allows organizations to use Dr. Watson telemetry reports to identify incidents that could lead to data loss.
One of the biggest challenges in security today is the persistence of targeted attacks. How many highly publicized attacks were detected quickly? The fact is that most stay on a system for a long time before detection. We wanted to take our research a step further to see if we could create a new method of identifying previously unknown threats – attacks that have made it past organizations’ defenses – in a manner never before accomplished.
We hope this research encourages the industry to continue looking beyond analytic and signature-based defenses that are based on expert knowledge of known attacks, and begin integrating advanced anomaly and threat intelligence capabilities. This integration brings the ability to reveal new and targeted threats that pose an incredibly high risk to organizations.
Read more »
MSIE 0-day Exploit CVE-2014-0322 - Possibly Targeting French Aerospace Association
Posted by AlexWatson on 14 February 2014 07:54 AM
CVE-2014-0322 Attack Analysis
Contributors: Alex Watson, Victor Chin - Websense Security Labs
Websense Security Labs ThreatSeeker telemetry has confirmed the existence of the Microsoft Internet Explorer 10 0-day exploit CVE-2014-0322 beginning as early as January 20 2014, predating the previously believed first use by nearly three weeks.
The CVE-2014-0322 exploit has been seen hosted and delivered from the following URL, which was first seen by Websense on January 20, 2014:
hxxp://gifas.assso.net is presumably a fake site meant to look like hxxp://gifas.asso.fr, which is a French aerospace association:
GIFAS, the French aerospace industries association, has more than 300 members, from major prime contractors and system suppliers to small specialist companies. Activities extend from civil and military aircraft and helicopters to engines, missiles and armament, satellites and launch vehicles, plus aerospace, defence and security major systems, equipment, subassemblies and associated software.
The use of the very similar domain name may indicate that the French aerospace association is the target, but this domain does not appear to be a campaign with active lures, yet.
Domain History for assso.net
An anonymous DNS registration service was originally used to register the domain "assso.net" which was updated to direct users to the malicious site on January 20, 2014.
Name Servers: NS05.DOMAINCONTROL.COM|NS06.DOMAINCONTROL.COM
Registrar Name: GODADDY.COM, LLC
As of January 28, 2014 gifts.assso.net resolved to 18.104.22.168. This IP address is geolocated to Santa Clara, Calif. We noticed the SHA1 for Tope.swf being uploaded to VirusTotal on January 20 (the same day as the fake gifas.assso.net site was set up), with no detection at the time by AV vendors. Presumably this was done by the attackers to check AV coverage for their malware before starting their attacks, further indicating that January 20 was the initial rollout of this campaign of attacks using this 0-day.
Similarity with other observations of CVE-2014-0322
As is in the HTTP stream shown below, visitors going to hxxp://gifts.assso.net are linked to include.html, which sets up the ROP exploit and "Tope.swf" Shockwave Flash file (SHA1: 910de05e0113c167ba3878f73c64d55e5a2aff9a) which is utilized after the CVE-2014-0322 use after free vulnerability to access memory through ActionScript in the SWF file.
Checking for Microsoft's Exploit Mitigation Toolkit
var steeple ="<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'res://C:\\windows\\AppPatch\\EMET.DLL'>";
Malicious Content in Tope.swf Shockwave Flash File
Below is code located in the Tope.SWF that leads to a second stage dropper called "Erido.jpg". Code snippet below :
The code above shows the Shockwave Flash ActionScript downloading content but not actually storing it to a file. The follow-on code below shows a buffer being written and read as "little endian" to denote the order for the byte array to be executed. The _local(x) variables look to be calculations in memory which makes us believe this is an "in memory" only attack, presumably to make antivirus detection more difficult.
Analysis of the Malicious ActionScript (AS3) Code
Below is the use after free type vulnerability that is triggered when the Vector class is allocated / freed
In the code above, the string:
appears to be the culprit responsible for causing the vulnerability to return to malicious memory space allocated.
Links to DeputyDog and EphemeralHydra Campaigns
The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks that have been covered by FireEye. More detailed analysis coming soon.
If you are concerned about your exposure to this vulnerability due to the use of Microsoft Internet Explorer 10 we would recommend that you consider upgrading to Internet Explorer 11. You can find out more information at Microsoft's IE page here.
This attack is known to check for the presence of Microsoft's Enhanced Mitigation Experience Toolkit (EMET). If it is found then the exploit attempt terminates. You can find out more about how to deploy EMET in Microsoft's overview here and the EMET knowledge base article.
Read more »