Tuesday, July 24, 2012

Saturday, July 21, 2012

Website of South Korean news agency hosting malware

Google safe browsing is showing that the website of Yonhap news, South Korea's largest news organization, is hosting malware. See images below.


Monday, July 9, 2012

MacControl cyber espionage RAT linked to Chinese source code

The recently discovered Mac Control cyber espionage tool used within an espionage campaign against Tibetan related NGOs and described by AlienVault probably draws on code available on the Chinese web. Searching for strings within the tool reveals the following function names(the below image linked from the Microsoft analysis).



A Google search of the Internet for the strings "ParseCMD" "NM_CMD_S" results in only 5 hits. 
These five results are all Chinese programming forums. The number 1 hit is for a posting to the programming forum www.pudn.com/. The hit is for strings within the source code package shykVC.rar(size 1072 K) uploaded 2009-03-02 by 许凤(Xu Feng) and downloaded 425 times.

blog post by dmackey

Monday, July 2, 2012

SSL encryption being used in malware command and control

Evolution in malware command and control presents a significant challenge to network based intrusion detection. According to an October 2011 report by TrendMicro some targeted attacks are making use of SSL encrypted command and control communications. These techniques are a response to defensive measures taken against standard command and control mechanisms which use specially created domains and DNS. Damballa's work provides an example of such defense. Here are some excepts from the TrendMicro report.

"There are malware samples that use webmail accounts as elements of command and control. When malware connects to well known services such as Gmail or Yahoo! Mail the session is protected by SSL encryption and therefore network monitoring software will be unable to determine if the subsequent traffic is malicious or not. The attackers use such webmail accounts to send commands to compromised hosts, update compromised hosts with additional malware tools or components, and ex-filtrate data from compromised hosts. In addition to webmail services, could-based storage services are being used to host additional malware components. The use of such services provides the attackers with command and control infrastructure that cannot be easily detected as malicious."

"Some threat actors use compromised legitimate sites as command and control servers. This allows the attackers some element of deception because even if the network communication is detected as anomalous, upon further inspection the website will be determined to be legitimate. One threat actor simply embeds commands within HTML comment tags in web pages on compromised, legitimate web sites. The malware simply visits these pages and extracts and decodes the commands. The use of custom base64 alphabets and XOR makes decoding the command and the network traffic increasingly difficult. In addition, attackers are making use of stolen or forged SSL certificates in an attempt to make their network traffic appear to be legitimate."

These techniques make detection of command and control communications very difficult and will defeat many network based IDS. This situation reveals problems at the core of computer security. A small change by the attacker results in a significant expense by defenders to produce new defensive measures. Lets look at the most troubling of these techniques.

SSL encrypted session with Gmail, command and control via Gmail

An example, syschk.ocx (md5:16ba21c1eac48eb20c04ac91ef9c2bd1) is available at the links below.

http://www.nartv.org/2010/10/22/command-and-control-in-the-cloud/

http://contagiodump.blogspot.com/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html

http://pastebin.com/8f51r7Q0

How is an enterprise to detect this? One detection option is to use an SSL interception proxy and then run signatures over the decrypted traffic. But this is terribly cumbersome, running an SSL interception proxy can be a nightmare for a large enterprise. And this suffers from the problems standard IDS has which is that the system only detects known threats. The other is to use anomaly detection to detect anomalous SSL flows, some research on this has been done, see this report. But anomaly detection suffers from high false positives, and I have my doubts about whether this would work with a large enterprise. In addition an attacker could modify their malware so that C&C communications better mimic standard SSL communications.

As the Australian Defense Signals Directorate showed network based IDS is not the best way to prevent targeted attacks. The best approach involves an effective OS and third party software patching program coupled with application whitelisting and a heavy reduction in administrative accounts.


Tuesday, June 26, 2012

Security Service(MI5) Director General speaks on cyber security

The Director General of the British Security Service(MI5), Jonathon Evans, spoke at Mansion House on security threats facing the UK including cyber security issues.  Some interesting points fromm the speech include the following.

"Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime."

"What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations. And the threat to businesses relates not only to major industrial companies but also to their foreign subsidiaries, and to suppliers of professional services who may not be so well protected."

"One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations. "

The full speech is available here.

Friday, June 22, 2012

South Korea facing North Korean cyber attack campagin

South Korea is facing an increasing onslaught of cyber attacks from North Korea. Below is a list of the most recent significant incidents. This is a useful tactic for North Korea as it is difficult for South Korea to respond.North Korea has little Internet infrastructure to attack via computer network operations(CNO) and it would take an extreme North Korean attack involving loss of life to prompt South Korea responding militarily. South Korea, one of the most networked countries on Earth, has to just play defense and take the hits.

June 2012, South Korean Newspaper JoongAng Ilbo
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. Link. Previous blog entry.

April 2011, South Korean National Agricultural Co-operative Federation(NACF, Nonghyup Bank)
In April 2011 cyber actors linked to North Korea destroyed 100s of the Nonghyup Bank's internal computer servers disrupting banking services for millions of customers for over a week. Link.

March 2011, DDoS against South Korean websites
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites, the computers used by the botnet which launched the attack were rendered unusable after the attack by overwriting the hard drive's Master Boot Record(MBR). Link.
The attacks in March were also linked to a covert North Korean operation to import computer games containing malware into South Korea. Link.

July 2009 DDoS against South Korean and US websites
In July 2009 several waves of DDoS attacks targeted South Korean and US websites. Link.

Further reading

"Increasing concerns regarding cyber warfare capabilities of North Korea", Security Affairs Blog
"North Korea's cyber warfare strength grows", Bloomberg News
"North Korea's IP address space"North Korean Tech blog

SCADA systems: 15 new HTML reply signatures and examples

There is an incredible variety of things now connected to the Internet from industrial control systems and digital video security systems to printers and VoIP telephone systems. Many of these systems provide a web service via HTTP on port 80. A good deal of information about these devices can be found by looking at the meta-data within a reply from a simple HTTP Get message. The Shodan system scans the Internet to acquire this information and its database now holds the records for millions of IP addresses around the world.

In the tables below I have put together a list of signatures(i.e search strings) that appear in the HTTP meta-data for 15 Supervisory Control and Data Acquisition(SCADA) systems. An additional list of 29 signatures is available in this paper by Cambridge University Master's student E P Leverett, the paper also has a great introduction to SCADA systems.
In the following analysis I follow the same engagement rules as E P Leverett which are from the joint US DHS & UK CPNI good practice guide.
  1. I will not interact with any system except to view a publicly accessible HTTP interface.
  2. I will not attempt to login to any system.
What sort of SCADA systems are out there? Here are  a couple of examples.

Wastewater overflow management pumping station, Boncourt, Switzerland

The SCADA system on this pump is a Schneider Electric FactoryCast system. According to the user manual.

"FactoryCast is a software package that allows you to customize a Web site on the Embedded Web Server module. The site can be accessed via a browser to view and modify data from a Quantum or Premium programmable logic controller (PLC)."

System home page

Found on Google maps

This small pumping station is used to manage wastewater overflow in the Basse-Allaine region of Switzerland. Wastewater from the town of Boncourt flows through a pipe down to the treatment plant in Grandvilliars,France. But what happens if there is heavy rain? Along the pipe's path are overflow stations which consist of a large underground basin, a pump and a overflow pipe leading to the Allaine river. When it rains the overflow first runs into the basin and the pump returns it to the pipe reducing the flow down the pipe and lessening the chance of overflow to the river. Of course if the rains are heavy enough then the basin will fill and wastewater will overflow into the river.

The installers of the Schneider system, Swiss firm Stebatec, have customized the embedded web site.

1.9MW solar power plant, Mysliv, Czech Republic

This system is running Schneider Electric FactoryCast.
News items give further details on this plant.

"On October 7, Solar Park Mysliv, located in the south-western part of Bohemia, 20 kilometers east of the city of Klatovy, started producing solar electricity. This is the first solar power plant Gehrlicher Solar AG has built in the Czech Republic. The plant has a peak performance of 1.99 MWp and comprises an area of 3.8 hectares. It will be producing 1.79 million kilowatt hours of green electricity and covering the electricity requirements of 510 three-person households. 8.844 Yingli modules and two SMA inverters were used in the construction."
Biomass boiler systems

Unknown HVAC system in Germany

This small HVAC system, running a Saia-Burgess PCD allows anyone level 0 access(the least privileged) which allows viewing of measurements.


Solar power plant, Coppola S.p.A, Scafati, Italy

Coppola is company located in Scafati, it's solar power system was installed by group magaldi.The system allows anyone to view solar plant measurements. It is running a SpiderControl system.


The security of some of these systems can be very weak. I have seen cases of the system login password being shown directly within the HTML source code of the publicly accessible device home page(anyone can view this source code using a browser's view HTML source button).


SCADA systems
System Signature Shodan count Comments
Siemens building automation energy management Siemens Switzerland Ltd 449 http://www.buildingtechnologies.siemens.com
Beck IPC embedded controller IPC@CHIP 4038 For example used by Solar plant energy monitor solar-log.net,beck-ipc.com
SMA Solar remote solar plant monitoring/maintenance Sunny webbox 6675 SMA Solar Sunny webbox
Kieback&Peter Bus Module Controller BMR/0.09 85 kieback&Peter BMC. Controller for controlling,monitoring & operating HVAC systems.
Saia-Burgess Process Control Device(PCD) Saia PCD 839 saia-pcd.com,control devices for remote monitoring and machine control
Schneider Electric energy management/monitoring Schneider-WEB 197 Schneider FactoryCast system
Sciopta system software sciopta Webserver 2 System Software for Safety-Critical Embedded Applications, sciopta.com
Phoenix contact system running SpiderControl Phoenix-Contact 155 phoenixcontact.com,spidercontrol.net
Moxa industrial systems MoxaHttp 4734 moxa.com
Trihedral SCADA software "Server: VTS" 102 Trihedral VTS
Electro Industries/GaugeTech EIG Embedded Web Server 118 electroind.com
clearSCADA integrated SCADA host platform clearSCADA 13 www.clearscada.com
Delta enteliTOUCH DELTA enteliTOUCH 22 Delta entelitouch system
TAC Xentra control systems TAC/Xentra 53 Old systems,TAC now owned by Schneider Electric
Loxone home automation system Loxone 165 Home automation web control system


Links to further reading

SCADA security news and consulting, http://scadahacker.com/
SCADA security analysis, www.reversemode.com
SCADA security consulting firm, www.digitalbond.com
SCADA security consulting firm, www.tofinosecurity.com
US government ICS-CERT, www.us-cert.gov/control_systems/ics-cert
SCADA security consulting firm, www.scadahacker.com
SCADA security consulting firm, www.redtigersecurity.com

Some interesting articles on problems with Moxa systems in the Netherlands.

www.tofinosecurity.com/blog/cyber-security-nightmare-netherlands

The following are in Dutch.

webwereld.nl/nieuws/109526/zeeuwse-gemalen-te-hacken-via-scada-lek---update.html
webwereld.nl/nieuws/109565/scada-bedrijf-xylem-ontkent-kwetsbaarheden.html

Wednesday, June 13, 2012

JoongAng Ilbo cyber attack

In June 2012 the South Korean newspaper JoongAng Ilbo(중앙일보) was hit by a major cyber attack (해킹, 차원 다른 악의적 수법으로) which attempted to destroy the papers article database, editing and distribution system. News reports indicate that this attack was likely carried out by North Korean state actors and follows a threat made by North Korea earlier this year against several South Korean news outlets. In addition the attack left the following image on the paper's website joongang.co.kr
The text in yellow is a message from the hackers written using SQL and is as follows .
select count (*) from tbTarget // 1000000
select domain, d-day, method from tbTarget WHERE seqnumber = 2048 //www.joongang.co.kr, 2012-06-09, APT
select domain, d-day, method from tbTarget where seqnumber = 2049 //???.??????.???,2012 -??-19,???? < br /> select domain, d-day, method from tbTarget where seqnumber = 2050 //???.?????.???,2012 -??-29,??
select count (*) from tbHacker // 10000
select name, birthday, sex from tbHacker where age < 5 //IsOne, 2011-06-09, woman
There is a purported SQL query followed by the supposed result. This is threatening further attacks on the 19th and 29th day of an unknown month in 2012. The hacking group is calling itself "IsOne".

Tuesday, June 12, 2012

Only seven cyber attacks. The term is widely over used.


Many analysts misuse the term cyber attack, making it seem that operations better classed as espionage or vandalism are more dramatic than they really are. According to the Department of Defense, Computer Network Attack(CNA) consists of actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves(see Joint Pub 3-13). I would be even more strict that the DoD and suggest that denial of service operations have to be extremely significant for them to be classed as an attack. A bank or government website being unusable for a few days is hardly in the same class of operation as destroying information throughout an organization to cripple its operations.

I would argue that there has been only 7 publicly known cyber attacks in history and 3 of them are probably by North Korea. It is not surprising that all the attacks relate to significant real world conflicts.

June 2012, South Korean Newspaper JoongAng Ilbo
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. Link.

April 2012, Iranian Oil Ministry
Unknown cyber actors launched an attack against the Oil Ministry to destroy key ministry information. Link.

March 2012, Al Qaeda forums knocked offline
Unknown cyber actors disabled several major Al Qaeda online forums, the forums remained offline for many weeks. Link.

February 2012, BBC news
In early 2012 cyber actors linked to Iran launched an attack against the BBC's Persian language service, the attack seemed to be coordinated with Iranian satellite jamming efforts. Link.

April 2011, South Korean National Agricultural Co-operative Federation(NACF, Nonghyup Bank)
In April 2011 cyber actors linked to North Korea destroyed 100s of the Nonghyup Bank's internal computer servers disrupting banking services for millions of customers for over a week. Link.

March 2011, DDoS against South Korean websites
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites, the computers used by the botnet which launched the attack were rendered unusable after the attack by overwriting the hard drive's Master Boot Record(MBR). Link.

2008-2010 Natanz, the Iranian centrifuge plant
According to the New York Times the US launched a cyber attack against Natanz to destroy centrifuges. Link.

Thursday, June 7, 2012

Tuesday, May 22, 2012

Adobe Systems, a national security threat?

Slopping coding and software development practices by Adobe Systems has made things easier for China based cyber espionage actors. The number one vector for these intrusions has been carefully crafted e-mails containing malicious attachments or links. And the most commonly targeted vulnerable applications have been Adobe Systems products. Let's look at this a little closer. Below is a table listing the number of high severity vulnerabilities within the National Vulnerability Database for several different products. Adobe product vulnerabilities dominate those of Microsoft Windows. But there are obviously serious issues across the entire software industry which may be a subject for another post.



Year Adobe Adobe Reader Adobe Flash Microsoft Powerpoint Microsoft Windows XP SP3
2012 44 9 0 14 12
2011 166 49 19 57 90
2010 184 63 25 59 62
2009 77 42 33 18 73
2008 34 12 17 11 23
2007 13 3 2 3 3

Looking in further detail, here are the vulnerabilities which have actually been exploited in the wild during the period January, 2011 to today, Adobe Systems vulnerabilities dominate those of Microsoft 7 to 2. This information can be found from searching the National Vulnerability Database for the string "exploited in the wild" and cross correlating with the analysis of virus researchers.

Adobe:CVE-2012-0779,CVE-2011-4369,CVE-2011-2462,CVE-2011-2110,CVE-2011-0627,CVE-2011-0611,CVE-2011-0609

Microsoft:CVE-2012-0158,CVE-2011-3402

Should software firms be held liable for the losses their bugs impose on customer's? Why are people
still using Adobe products? This points to wider issues of market failure within the software and information security industry which has now caused issues of national security concern to governments world wide.

Monday, May 21, 2012

US government publications/statements link China to decade long campaign of cyber espionage operations

The last 6 months has seen a series of extraordinary revelations by US government officials who have revealed that China based actors are responsible for an extensive industrial cyber espionage campaign and, further, link this activity to the Chinese government itself. This started in October 2011 when the Office of the National Counterintelligence Executive issued the 2011 report on Foreign Economic Collection and Industrial Espionage which is available here. The report has many interesting details and is well worth reading but from the executive summary we have the key paragraph.

"Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.”

This is the first time the US government has officially named Chinese actors as carrying out extensive cyber espionage, but it is worded carefully to not say the Chinese government or name any entities within China. Then in January 2012 Mike McConnell,Michael Chertoff, and William Lynn writing in the Wall Street Journal stated something stronger, naming the Chinese government as responsible.

"Only three months ago, it would have been a violation of national security rules for us to share what we are about to say, even though, as the former Director of National Intelligence (DNI), Secretary of Homeland Security, and Deputy Secretary of Defense, we have long known this to be true: The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.”

"Evidence of China’s economically devastating thefts of proprietary technologies and other intellectual property of U.S. companies is growing exponentially, and only in October 2011 were the details declassified in a report to Congress by the Office of the National Counterintelligence Executive. By contrast, as a matter of official national policy, the United States does not engage in or allow economic espionage.”

The full article is available here.

Then from a Senate Armed Service Committee hearing on Cyber Command from March 2012(transcript and video is available here) we have the following.

From Chairman Levin's opening remarks.

Chairman LEVIN."...General Alexander has stated that the relentless industrial espionage being waged against U.S. industry and Government chiefly by China constitute ‘‘the largest transfer of wealth in history.’’ The committee needs to understand the dimensions of this technology theft and its impact on our national security and prosperity..."

From an exchange between Chairman Levin and General Alexander(commander Cyber Command and Director NSA).

Chairman LEVIN."...The industrial espionage campaign I noted in my opening statement, and you made reference to it in your statement, particularly China’s aggressive and relentless industrial espionage campaign through cyberspace. I wonder. Can you us some examples in open session of the technologies that have been stolen through penetration of major DOD contractors and perhaps the Department itself."
General ALEXANDER. "...We are seeing a great deal of DOD-related equipment stolen by the Chinese. I cannot go into the specifics here, but we do see that from defense industrial base companies throughout. There are some very public ones, though, that give you a good idea of what is going on. The most recent one, I think, was the RSA exploits. RSA creates the two-factor authentication for things like PayPal. So when you get on and order something and pay for it over the network, the authentication is done by encryption systems that RSA creates. The exploiters took many of those certifications and underlying software which makes it almost impossible to ensure that what you are certifying or what someone else is certifying is in fact correct.
Now, RSA acted quickly and is replacing all those certificates and has done that in priority order for the Defense Department and others.
But when you think about it, the ability to do it against a company like RSA is such a high-order capability, RSA being one of the best, that if they can do it against RSA, that makes most of the other companies vulnerable."

(The Chinese state actor then used the stolen RSA information to attempt to breach Lockheen Martin and other Defense contractors, see for example this article in the New York Times.)
From an exchange between Senator McCain and General Alexander.

Senator MCCAIN. "I want to thank the witnesses. I would ask General Alexander. Do you agree that Secretary Panetta and the FBI have said that cyberattacks may soon be the number one threats to the United States?"
General ALEXANDER. "Absolutely, Senator."
Senator MCCAIN. "And would you agree that the major threats to our national security come from outside the United States specifically, obviously from unclassified information, from China"
General ALEXANDER. "Absolutely."

In late April 2012 Rep. Mike Rogers (R-Mich,chairman) and Rep. Dutch Ruppersberger (D-Md,ranking member) of the House Permanent Select Committee on Intelligence wrote an op-ed for Politico which opens with a very strongly worded article.
"The Chinese government has been quietly pursuing a strategy to help project that nation into superpower status. China steals as much intellectual property as it can from U.S. companies and uses it to artificially and unfairly compete in the global marketplace. Beijing uses this information to further its military modernization and, most important, to help fuel economic growth."
and continues
"Every morning in China, thousands of highly trained computer spies now wake up with one mission: Steal U.S. intellectual property that the Chinese can use to further their economic growth. American companies are hemorrhaging research and development on products ranging from fighter engines, to pesticides, to cutting-edge information technology."
The full op-ed is available here.
Then on the 18, May 2012 the Department of Defense released its 2012 report on "Military and Security Developments involving the People's Republic of China" which mentions concerns regarding China and cyber espionage. At the news conference launching this report there was the following exchange between a reporter and Dave Helvey, the acting deputy assistant secretary of defense for East Asia. The official is much more cautious than the members of congress and only talks about China based actors.

Q:David, Bob Burns from AP."On the topic of cyber espionage, which you mentioned very prominently in the report, do you see signs of them accelerating this capability, in particular as it could be applied against U.S. targets?"

MR. HELVEY:"Well, we continue to highlight in this report some of the concerns that we have about China's investment in cyber capabilities.We note that China's investing in not only capabilities to better defend their networks but also they're looking at ways to use cyber for offensive operations.We also highlight a number of areas where we see China engaging in cyber activity focused on computer network exploitation.That continues to be a concern of ours, and we've raised it and we've talked to the Chinese about it, most recently during the Strategic Security Dialogue in Beijing.As well, Secretary Panetta raised that with General Liang in their visit. So this is something that we continue to pay very careful attention to, and we've raised these concerns with the Chinese."
The full transcript is available here.

Turning now to non-government sources we have the following from the March 26,2012 testimony of Richard Bejtlich, CSO,Mandiant before the U.S.-China Economic and Security Review Commission.

"For the most part, our team and I use the strict definition of APT as created by the Air Force in 2006, namely as an unclassified reference to intrusions sets ultimately traced back to actors in China. Our intelligence team currently tracks approximately twenty distinct APT groups. These groups include all of the parties identified by reports publicly released by other security companies, as well as actors that we believe are unknown to many of those other companies. “
"Most of the APT groups we track target the US defense industrial base (DIB). Some of these groups also target US government agencies, think tanks and political organizations, and other commercial or private targets.”

So there are at least 20 distinct groups of cyber espionage actors tied to China. Is further attribution possible? Yes of course, despite what is commonly said regarding the difficultly of attribution. A Reuters report based on authoritative information clearly attributes at least some Chinese cyber espionage activity to the People's Liberation Army's Third Department Technical Reconnaissance Bureaus. The report also links this activity with the intrusions detailed within the 2009 Information Warfare Monitor report “Tracking GhostNet: Investigating a Cyber Espionage Network”, the subsequent IWR report “Shadows in the Cloud: Investigating Cyber Espionage 2.0” details similar activity. These reports make for fascinating reading and are available here. A couple of actors involved in these activities have even been named, in particular, Lost33 and Yinan Peng. An excellent report on the PLA Third Department is available from the Project 2049 Institute, “The Chinese People's Liberation Army Signals Intelligence and Cyber Reconnaissance Infrastructure”. Further information on the PLA and Cyber Espionage is available from a report prepared for the U.S.-China Economic and Security Review Commission, “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage”.

Early reporting on Titan Rain suggest Chinese based cyber operations have been underway for many years.
http://www.time.com/time/magazine/article/0,9171,1098961-1,00.html

Here is some links to useful summaries of significant cyber events over the last few years.
Of course others do it too, see reports below on Buckshot Yankee.
  • William Lynn (writing when he was United States Deputy Secretary of Defense) in Foreign Affairs magazine on "Defending a New Domain".
  • Extensive Washington Post article with many interesting details, here
  • Here is a LA Times article which suggests the intrusion came from Russia.