By Joseph Menn | SAN FRANCISCO
The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.
A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
NSA spokeswoman Vanee Vines declined to comment.
Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.
The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of U.S. technology products abroad.
The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.
Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.
"There can be serious negative effects on other U.S. interests," Swire said.
TECHNOLOGICAL BREAKTHROUGH
According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.
Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.
"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.
Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.
Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.
Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.
GETTING THE SOURCE CODE
Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.
Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.
It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.
Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."
According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.
"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."
Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.
The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.
Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.
(Reporting by Joseph Menn; Editing by Tiffany Wu)
Thursday, November 3, 2016
Monday, October 24, 2016
Russian researchers expose breakthrough U.S. spying program
http://www.reuters.com/article/us-usa-cyberspying-idUSKBN0LK1QV20150217
By Joseph Menn | SAN FRANCISCO
The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.
A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
NSA spokeswoman Vanee Vines said the agency was aware of the Kaspersky report but would not comment on it publicly.
Kaspersky on Monday published the technical details of its research, a move that could help infected institutions detect the spying programs, some of which trace back as far as 2001. (bit.ly/17bPUUe)
The disclosure could hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have upset some U.S. allies and slowed the sales of U.S. technology products abroad.
The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.
Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.
"There can be serious negative effects on other U.S. interests," Swire said.
TECHNOLOGICAL BREAKTHROUGH
According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.
Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.
"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.
Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.
Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.
Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.
GETTING THE SOURCE CODE
Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.
Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.
It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.
Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."
According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.
"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."
The NSA declined to comment on any allegations in the Kaspersky report. Vines said the agency complies with the law and White House directives to protect the United States and its allies "from a wide array of serious threats."
Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.
The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.
Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.
(Reporting by Joseph Menn; Editing by Tiffany Wu)
Saturday, July 2, 2016
How I Cracked a Keylogger and Ended Up in Someone's Inbox
https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/
July 1, 2016
Posted By Rodel Mendrez
It all started with a spam campaign. Figure 1 shows a campaign we picked up recently from our spam traps with a suspicious document file attachment. Notice how poor the English is; this should serve as a warning sign to the email recipients.
The attachment uses the ".doc" file extension but is actually in the RTF (Rich Text Format) file format. The file contains a specially crafted RTF stack overflow exploit, identified as CVE-2010-3333, which exploits the Microsoft Word RTF parser's handling of the "pFragments" shape property. This vulnerability was patched more than half a decade ago.
As you can see in Figure 2, the exploit and the shellcode were obfuscated to evade antivirus detection. After extracting, cleaning up and decoding the exploit, I figured out that the shellcode would download and execute a file from the domain volafile[.]io.
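As an added illustration (not code from the SpiderLabs post), here is a small Python triage script written from the defender's side: it parses an email, sniffs each attachment's real container format from its leading bytes, flags the ".doc"-extension-but-RTF-content mismatch described above, and marks the presence of the pFragments token as a CVE-2010-3333 heuristic for analyst review. The sample message and attachment are constructed inline and contain only the markers, not an exploit.

```python
"""Attachment triage for the RTF-disguised-as-.doc lure described in the post."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes that identify the real container format, regardless of the
# extension the sender chose for the attachment.
MAGIC = {
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                          # .docx and other OOXML containers
}

# Heuristic taken from the post: CVE-2010-3333 abuses the pFragments shape property.
# Its presence alone is not proof of an exploit, so it is reported for review.
SUSPICIOUS_RTF_TOKENS = (b"pfragments",)


def sniff_format(data: bytes) -> str:
    """Return the container format implied by the first bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format and scan RTF content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    findings = []
    if ext in ("doc", "dot") and fmt == "rtf":
        findings.append("extension/magic mismatch: .doc extension but RTF content")
    if fmt == "rtf":
        lowered = data.lower()  # RTF control words are case-insensitive in practice
        for token in SUSPICIOUS_RTF_TOKENS:
            if token in lowered:
                findings.append(
                    f"suspicious RTF token {token.decode()!r} (CVE-2010-3333 heuristic)"
                )
    return {"filename": filename, "extension": ext, "format": fmt, "findings": findings}


def triage_message(raw: bytes) -> list:
    """Walk every attachment of a raw RFC 5322 message and triage each one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        results.append(triage_attachment(name, payload))
    return results


def build_sample_message() -> bytes:
    """Constructed sample (not a real lure): a file named invoice.doc whose bytes
    are a minimal RTF that merely mentions the pFragments property."""
    rtf = b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;000000}}}}"
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Please see attach document"
    msg.set_content("Kindly find attach document for your perusal.")
    msg.add_attachment(rtf, maintype="application", subtype="msword",
                       filename="invoice.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in triage_message(build_sample_message()):
        print(result["filename"], result["format"], result["findings"])
```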
THE PAYLOAD
The downloaded file is a Microsoft .NET Win32 executable. A quick hex dump preview of the file gave a very interesting clue that I was dealing with a HawkEye keylogger build.
And with a little bit of Google-Fu, the string pointed me to a website that develops this keylogger. On the website, they've listed all of its "awesome features".
In my quick dynamic analysis, the keylogger drops a copy of itself to the Application Data (%appdata%) folder under the filename WindowsUpdate.exe. It sets an autorun registry entry so that it persists on the Windows system across reboots.
It also drops the following files in the infected system:
- %Temp%\Sysinfo.txt – the dropped malware executable path
- %Appdata%\pid.txt – the malware process ID
- %Appdata%\pidloc.txt – the malware process executable location
After a short while, SMTP network activity was observed in which the system information of the infected machine was sent to the attacker's email address.
The information may include:
- CPU Name (computer name)
- Local Date and Time
- Installed Language
- OS Installed
- Platform
- OS Version
- Memory installed
- .Net Framework Installed
- System Privileges
- Default Browser
- Installed Firewall
- Internal IP Address
- External IP Address
- Recovered Email settings and passwords
- Recovered Browser and FTP passwords
I took a closer look at the decompiled source code and compared it to the list of "Awesome Features". I can confirm that the claim is 100% legit. I found the following features in its code:
- Keylogging.
- A clipboard stealer/logger.
- A browser, FTP, and mail client password stealer. It also attempts to steal password manager credentials and Windows keys.
- A worm-like USB infection routine that allows the keylogger to spread to other Windows machines.
- It may also target users of the online gaming platform Steam. It deletes the configuration data and login data files so that the user is forced to log in again, which gives the keylogger an opportunity to steal the user's Steam credentials.
The stolen information, including the desktop screenshot, is sent either to the attacker's email address or to an FTP server, depending on how the keylogger was configured.
The attacker may also configure the keylogger to upload the stolen information through an HTTP tunnel to a PHP host, but that code seems to be voided.
The most interesting part I found in the decompiled code, however, is a C# constructor named Form1(). This is where the keylogger configuration is stored. To protect the attacker's email and FTP credentials, this data was encrypted using the Rijndael algorithm and Base64-encoded.
As you may know, such encrypted data is not always secure, especially if the decryption routine is right there in the decompiled source code!
The image below is the "Decrypt" method, which accepts two string parameters: the encryptedBytes and the secretKey. The secret key happens to be the hardcoded string HawkSpySoftwares.
As mentioned, the keylogger uses the Rijndael algorithm and the secret key is salted with the Unicode string "099u787978786", also hardcoded.
Out of curiosity, I copied the decryption part of the code, modified it accordingly and compiled it in MS Visual Studio, and of course the decryption was successful. (sorry, I need to blur the credentials :))
Naturally, I checked out these email inboxes.
They appear to be email accounts on compromised systems. So I checked the email settings, and surprise surprise! The emails sent to this inbox are automatically rerouted to the attacker's Gmail account. You can see in the screenshot below the consistency between the downloaded keylogger's filename and the attacker's Gmail username (Seemaexport….).
CONCLUSION
Perhaps the attacker knows that the HawkEye keylogger can be easily cracked, and to protect their own email credentials, they hijacked a compromised email account as the initial receiver, which then forwards the emails to the attacker's own email address.
We have reported the compromised email accounts to their rightful owners, so that they can change their passwords and remove the attacker's email address from their reroute settings.
Since this was written, we have received similar spam messages with RTF attachments, this time containing the CVE-2012-0158 exploit. The payload is the same keylogger, but they used a different compromised email account as the first receiver of the stolen data.
The two vulnerabilities used in these attacks are old, but still widely used in email attacks. As usual, it is advisable to keep your systems updated with the latest patches to protect against these old exploits used by cybercriminals. Trustwave Secure Email Gateway's AMAX (Advanced Malware and Exploit Detection) was able to detect these attached RTF exploits at the email gateway.
Saturday, June 18, 2016
How Hired Hackers Got “Complete Control” Of Palantir
Palantir hired a cybersecurity firm last year to test its digital defenses. A confidential report shows how the pro hackers were able to dominate the tech company’s network.
William Alden, BuzzFeed News Reporter. Posted on Jun. 17, 2016, at 11:01 p.m.
https://www.buzzfeed.com/williamalden/how-hired-hackers-got-complete-control-of-palantir
Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants. But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.
Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients. But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”
This conclusion was presented in a confidential report, reviewed by BuzzFeed News, that detailed the results of a hacking exercise run by Veris over three weeks in September and October last year. The report, submitted on October 19, has been closely guarded inside Palantir and is described publicly here for the first time. “Palantir Use Only” is plastered across each page.
It is not known whether Palantir’s systems have ever been breached by real-world intruders. But the results of the hacking exercise — known as a “red team” test — show how a company widely thought to have superlative ability to safeguard data has struggled with its own data security.
The red team intruders, finding that Palantir lacked crucial internal defenses, ultimately “had complete control of PAL’s domain,” the Veris report says, using an acronym for Palantir. The report recommended that Palantir “immediately” take specific steps to improve its data security.
“The findings from the October 2015 report are old and have long since been resolved,” Lisa Gordon, a Palantir spokesperson, said in an emailed statement. “Our systems and our customers’ information were never at risk. As part of our best practices, we conduct regular reviews and tests of our systems, like every other technology company does.”
Virtually every company is vulnerable to hacks, to varying degrees. In recent years, red teams generally have had a high success rate in getting deep inside of companies’ networks, and they virtually always find at least some security flaws, according to an industry source. That Palantir did a red team exercise shows that it wanted to identify and repair any such flaws. The Veris report notes multiple strengths in Palantir’s defenses, including an “excellent” response by its security staff.
“Regular red team testing is the industry standard of excellence in maintaining a proactive security posture,” David McGuire, the director of Veris’ adaptive threat division, which handles red team services, said in an emailed statement. “Since the red team exercise conducted in 2015, Palantir has consistently carried out similar exercises with Veris Group and other vendors on a regular basis.”
Veris, a cybersecurity services and consulting firm based near Washington, DC, works with customers including Microsoft, AT&T, and the Department of Justice, according to its website. For Palantir, Veris staff acted as hackers to find out whether Palantir’s cybersecurity team could detect and stop them.
The exercise was not meant to test whether Veris could breach Palantir’s external wall. Instead, the red team was deliberately let in, to simulate what would happen if a Palantir employee succumbed to a very common and highly effective break-in technique called “spear phishing” (in which staff are targeted with innocuous-seeming emails containing harmful links or files that give attackers access to a computer). But from that point on, the Veris team went into hacker mode, using a range of tricks to spread through Palantir’s cyber fortress, the report shows.
That fortress turned out to have major vulnerabilities, and the Veris intruders soon sat themselves on the throne. In what the report calls a “complete compromise,” the intruders uncovered encryption keys and administrative credentials that allowed them to travel widely inside the network, accessing source code, office surveillance footage, and the internal wiki, which held sensitive data about customers and projects, according to the report.
Beyond these secrets, the red team intruders accessed Palantir’s network equipment, which would have let them control the company’s internet connection if they so chose. They even found what appeared to be “access to customer infrastructure,” according to the report, or hardware powering customers’ information technology. The report says that any hacker who got this far would “possibly” be able to hack Palantir’s customers as well.
Repeatedly, the red team intruders followed a straightforward process: Find credentials for a high-level account, and then use those credentials to ferret out additional credentials that conferred even more access. They were able to “position themselves in the network for long-term persistence,” the report says.
In a sign of their deep access, the intruders created a software tunnel to smuggle data out to their own servers, without being detected for most of the exercise, according to the report. Their presence was finally discovered, the report says, after they broke into the laptops of information security employees — but even then, the intruders were able to monitor the employees’ countermoves in real time, shifting tactics to evade them.
Palantir wasn’t totally defenseless, the report shows. Its network was segmented in a way that initially prevented the Veris intruders from moving very far, forcing them to take a riskier approach that increased their chances of being detected — though they managed to slip through without setting off any alarms. The company also made use of two-factor authentication, which at first “severely hampered” the intruders’ plans but ultimately just forced them, again, to use a more conspicuous strategy to gain access, according to the report.
When Palantir’s information security employees finally discovered the intruders, they “provided a rapid network response in which they identified and mitigated” the “majority” of the red team’s actions within days, the report says. Compared with other large companies, this defensive response was unusually robust, the industry source said, based on a reading of the report.
Started in part with CIA money, the 12-year-old Palantir has developed an aura of secrecy and potency that helps it recruit bright engineers and attract corporate clients. Its chairman is Peter Thiel, the widely admired venture capitalist and former PayPal CEO (who recently admitted to secretly funding a lawsuit brought by the wrestler Hulk Hogan against Gawker Media). Part software shop and part consulting firm, Palantir places its “forward deployed engineers” on-site at client offices and uses custom-tailored software to crunch vast amounts of data.
Its customers include financial institutions, such as the giant hedge fund Bridgewater Associates, and government groups such as the military’s Special Operations Command. Palantir is the third most valuable American technology startup, behind only Uber and Airbnb.
At the same time, Palantir has recently lost blue-chip clients, has struggled to stem staff departures, and has recorded 2015 revenue that was less than a quarter of its customer bookings, according to a BuzzFeed News report in early May. The report, based on a trove of internal documents and insider interviews, revealed that 102 employees had left Palantir this year through mid-April, or 5.8% of all staff.
When it comes to cybersecurity, experts advise companies to fortify their internal defenses — to ensure an initial breach doesn’t become a total takeover. Hackers are so good at getting through the external wall, often using spear phishing, that cyber experts routinely just assume such attackers will get in, according to Anup Ghosh, CEO of cyber threat firm Invincea.
“Almost every breach you read about happens through spear phishing, and the weak link is the human behind the keyboard. Spear phishing always, always works. You can’t un-train human behavior,” Ghosh told BuzzFeed News. “How do we make it so that these attacks can’t compromise the whole computer?”
As of last fall, Palantir had an inadequate answer to that question, the Veris report shows.
When the red team intruders from Veris got inside, they found that standard user accounts had local administrative access — rendering Palantir more vulnerable. This setup “effectively granted administrative access to the red team” and “removed a major hurdle in the attack methodology,” the report says. In general, tech companies tend to give more control to employees than more traditional companies do. For Palantir, allowing low-level users to have high-level access was a “high” risk, Veris concluded.
“Administrative privileges should be granted explicitly and only when necessary,” Veris says in the report, urging Palantir to “remove standard domain users from the local administrators group or implement controls to delegate administrative permissions as necessary.”
The red team soon found that a local administrative account — with an easily identifiable name — was enabled on numerous computers in the network, with identical password hashes on each computer, the report says. A password hash is a way of obscuring a password in a hard-to-crack format.
But the red team didn’t need to crack the hashes. Since they were already inside, they could use a technique called “pass-the-hash” to feed hashes, rather than the underlying passwords, into password verification systems, allowing them to hop from computer to computer, the report shows.
(Pass-the-hash attacks are a widely known way of exploiting a vulnerability in Windows systems, and Microsoft has released security updates to mitigate the problem. “But ultimately, all we’re doing is we’re in an arms race with the hackers,” Jonathan Cogley, founder of security software company Thycotic, said in a presentation on pass-the-hash last year.)
Veris classified the riskiness of the pass-the-hash vulnerability as “high,” recommending that Palantir disable the local administrative account where possible and use unique passwords for each computer.
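The two findings in the paragraphs above, standard domain users sitting in the local Administrators group and a shared local administrative account enabled across many machines, are the kind a defender can audit host by host. The following PowerShell is an added example, not anything from the Veris report or from Palantir; it uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and must run in an elevated session. The allow-list group name is a placeholder. A single host cannot tell whether a local account's password hash is identical on other hosts, since that is a cross-host property, so the script reports every enabled local account that holds administrative rights and leaves the per-host unique password to the operator (Microsoft's LAPS randomizes exactly that password); it is read-only unless -Remediate is supplied, and it never disables the account it is running as.

```powershell
# Added example: audit one Windows host for the two local-admin findings the
# article describes. Read-only unless -Remediate is supplied.
function Invoke-LocalAdminAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Domain principals permitted to keep local admin rights.
        # PLACEHOLDER: replace with your own workstation-admin group.
        [string[]]$AllowedPrincipals = @('CONTOSO\Workstation Admins'),
        [switch]$Remediate
    )

    $findings = @()
    $members  = Get-LocalGroupMember -Group 'Administrators'

    foreach ($m in $members) {
        if ($m.PrincipalSource -eq 'ActiveDirectory' -and $AllowedPrincipals -notcontains $m.Name) {
            # Finding 1: a domain user or group (e.g. "Domain Users") is a local admin.
            $findings += [pscustomobject]@{
                Finding = 'DomainPrincipalIsLocalAdmin'
                Risk    = 'High'
                Object  = $m.Name
                Detail  = "$($m.ObjectClass) from AD in local Administrators; remove or delegate explicitly"
            }
            if ($Remediate -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from Administrators')) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m
            }
        }
        elseif ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            # Finding 2: an enabled local account with admin rights. If its password is
            # the same on many hosts, its hash is what pass-the-hash moves with.
            $user = Get-LocalUser -SID $m.SID
            if ($user.Enabled) {
                $isBuiltin = $m.SID.Value -like '*-500'   # RID 500 = built-in Administrator
                $kind = if ($isBuiltin) { 'BuiltinAdminEnabled' } else { 'LocalAdminAccountEnabled' }
                $findings += [pscustomobject]@{
                    Finding = $kind
                    Risk    = 'High'
                    Object  = $user.Name
                    Detail  = "Enabled local admin; password last set $($user.PasswordLastSet). Disable, or give it a unique per-host password."
                }
                # Never disable the account running this audit, or the operator is locked out.
                $isCurrentUser = $user.Name -eq $env:USERNAME
                if ($Remediate -and -not $isCurrentUser -and
                    $PSCmdlet.ShouldProcess($user.Name, 'Disable local account')) {
                    Disable-LocalUser -SID $m.SID
                }
            }
        }
    }
    return $findings
}

# Dry run on this host; add -Remediate -Confirm to act on each finding interactively.
Invoke-LocalAdminAudit | Format-Table Finding, Risk, Object, Detail -AutoSize
```

Run it across a fleet with Invoke-Command and collect the objects centrally; a local account that shows up enabled on most hosts is the one whose password must be made unique per machine before it is worth anything to a defender that its hash is never reused.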
The red team had difficulty, however, moving outside its network segment, analogous to a walled room inside a building. So the team infiltrated a terminal server — a central server where multiple people, including some with privileged access, log on and perform important tasks. From this new vantage point, the intruders scanned the surrounding network and found credentials for a domain administrator account, which conferred a high level of access, the report shows.
Terminal servers make an obvious target for hackers, since they often contain high-level credentials. They tend to be well protected, however, making a hack risky. In Palantir’s case, the red team found that logon activities at the terminal server were “not heavily monitored,” according to the report.
After scooping up credentials for a system engineer, the intruders broke into systems related to the proxy server, an important data hub. They then set up an encrypted tunnel running outside the network to their own servers, for pilfering data. This step, again, would be risky for a hacker. But the tunnel “went undetected for most of the engagement,” allowing the red team to “access and data-mine internal Palantir web applications, as well as access servers of interest,” the report says.
“The lack of egress controls can allow an attacker to establish unrestricted communications with a remote server, outside of Palantir’s network,” the Veris report says. “An attacker can also leverage this vulnerability to successfully exfiltrate sensitive data from Palantir’s systems.”
Before long, the red team had found the central wiki, where they “observed sensitive data pertaining to customers, budgets, deployments, and locations,” according to the report. Palantir uses quirky codenames to refer to its customers — as of last month, “Nancy Drew” was Nasdaq, and “Stones” was BP, for example — and the red team was in some cases “able to map codenames to customers,” the report says. In a separate application, the intruders found “source code for a number of sensitive projects.”
The red team’s next target was a secure database — essentially a safe — that stored the credentials to access critically important systems. A master key, itself stored in a secure file, would open the safe.
That the red team even found this safe at all is a concern, the report suggests. Several “essential information systems,” including the safe, were “relatively easy to locate and access on the domain,” according to the report.
After analyzing the master key file, the intruders were able to decrypt it, opening the safe, the report shows.
Using information they found there, the intruders accessed switches and other devices that underpinned communication on the network. Anyone with access to a company’s network equipment can control the flow of network traffic — with the ability to filter traffic or even reroute it — though there is no indication the red team attempted to do this.
In addition, “access to customer infrastructure appeared to be stored” in the safe, according to the report. In enterprise computing, “infrastructure” is a broad term that includes the servers, routers, and other pieces of equipment that a company relies on for its business.
A hacker, moreover, could exploit weaknesses in the safe’s security “to access credentials and valuable information that will ultimately lead to compromise of most, if not all, of Palantir’s network devices, systems, and possibly customer infrastructure as well,” the report says. Veris urged Palantir to add another layer of security to the file containing the master key.
McGuire of Veris said in a phone interview with BuzzFeed News that, in general, a red team would never do anything “destructive” during an exercise, nor would it ever “test organizations that are not signed up for the assessment.” He said: “The demonstration of access is as far as we go.”
Even Palantir’s defense efforts were visible to the red team. The intruders found an “InfoSec Onboarding” page on the wiki that detailed Palantir’s security infrastructure. They monitored security devices and “ensured that their actions were not being logged.”
This was when, according to the report, the red team intruders had “complete control” of the Palantir domain. Their final task was to break into the Mac laptops of information security employees — the fortress guards. This they did, using a system that typically sent out software updates, and soon were able to get passwords and screenshots, review saved files, and “observe all user activity,” the report says.
They were finally caught while attempting to upload a screenshot to one of their own servers, according to the report. A piece of security software called Little Snitch — which regulates data sent out from a computer to the internet — was installed on one of the information security employees’ laptops, and it flagged the suspicious upload attempt, the report says. Little Snitch, while popular in the cybersecurity world, was not standard software for these employees, according to one person familiar with the matter.
Soon, Palantir security employees identified the red team’s attack tools and set up firewalls to block communications to the red team servers. These defenders “successfully demonstrated the ability to trace malicious activity across the domain and take the appropriate steps to neutralize an insider threat,” the report says.
But the red team still had an edge.
“The assessment team was able to observe all investigative actions as progress was tracked and noted,” the Veris report says. This allowed the intruders to “maintain their presence in the network, even after discovery,” by changing key elements of their attack tools.
According to the Veris report, “the red team successfully evaded defenders up until the last day of the engagement.”
Sheera Frenkel contributed to this report.