Molerats, Here for Spring!

Between 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial institution and multiple European government organizations.

When we last published details relevant to Molerats activity in August of 2013, we covered a large campaign of Poison Ivy (PIVY) attacks directed against several targets in the Middle East and the United States. We felt it was significant to highlight the previous PIVY campaigns to:

  1. Demonstrate that any large-scale, targeted attacks utilizing this off-the-shelf Remote Access Tool (RAT) shouldn’t be automatically linked to Chinese threat actors.
  2. Share several documented tactics, techniques, and procedures (TTP), and indicators of compromise (IOC) for identifying Molerats activity.

However, this was just one facet of a much broader series of related attacks dating back to at least October 2011 and still ongoing. Previous research has linked these campaigns to Molerats, but with so much public attention focused on APT threat actors based in China, it is easy to lose track of targeted attacks carried out by threat actor groups based elsewhere. For example, we recently published the “Operation Saffron Rose” whitepaper, detailing a rapidly evolving Iran-based threat actor group known as the “Ajax Security Team.”

New Attacks, Same Old Tactics

Through the reuse of command and control (CnC) infrastructure and a similar set of TTPs, we have continued to track Molerats activity against a growing list of targets, which includes:

  • Palestinian and Israeli surveillance targets
  • Government departments in Israel, Turkey, Slovenia, Macedonia, New Zealand, Latvia, the U.S., and the UK
  • The Office of the Quartet Representative
  • The British Broadcasting Corporation (BBC)
  • A major U.S. financial institution
  • Multiple European government organizations

Previous Molerats campaigns used several garden-variety, freely available backdoors such as CyberGate and Bifrost, but most recently we have observed them making use of the PIVY and Xtreme RATs. Previous campaigns made use of at least one of three observed forged Microsoft certificates, allowing security researchers to accurately tie together separate attacks even when those attacks used different backdoors. There also appears to be a habitual use of lures or decoy documents, in either English or Arabic, with content focusing on active conflicts in the Middle East. The lures come packaged with malicious files that drop the Molerats flavor of the week, which in these most recent campaigns was always an Xtreme RAT binary.

Groundhog Day

On 27 May we observed at least one victim downloading a malicious .ZIP file after clicking on a shortened Google URL, http://goo[.]gl[/]AMD3yX, which was likely delivered inside a targeted spearphishing email; we were unable to confirm the email itself for this particular victim.


1) “حصري بالصور لحظة الإعتداء على المشير عبد الفتاح السيسي.scr” 
(MD5: a6a839438d35f503dfebc6c5eec4330e)

  • Malicious download URL was sent to a well-known European government organization.
  • The shortened URL expands to “http://lovegame[.]us/Photos[.]zip,” which the victim clicked and downloaded.
  • The extracted binary, “حصري بالصور لحظة الإعتداء على المشير عبد الفتاح السيسي.scr,” opens up a decoy Word document and installs/executes the Xtreme RAT binary into a temp directory, “Documents and Settings\admin\Local Settings\Temp\Chrome.exe.”
  • The decoy document, “rotab.doc,” contains three images (a political cartoon and two edited photos), all negatively depicting former military chief Abdel Fattah el-Sisi.
  • Xtreme RAT binary dropped: “Chrome.exe” (MD5: a90225a88ee974453b93ee7f0d93b104), which is unsigned.
  • As of 29 May, the URL has been clicked 225 times by a variety of platforms and browser types, so the campaign was likely not limited to just one victim.
  • Two of the download referrers are webmail providers (“EIM.ae” and “Sltnet.lk”), further indicating the malicious URL was likely disseminated via spearphishing emails.

On 29 April we observed two unique malicious attachments being sent to two different victims via spearphishing emails:

2) MD5: 8ca915ab1d69a7007237eb83ae37eae5

  • Malicious file sent to both the financial institution and Ministry of Foreign Affairs targets.
  • Drops an Arabic language decoy document titled “Sisi.doc”, which appears to contain several copy/pasted excerpts from (now retired) Egyptian Major General Hossam Sweilem discussing military strategy and the Muslim Brotherhood.
  • The title of the document appears to have several Chinese characters, yet the entire body of the document is written in Arabic. As noted in our August 2013 blog post, this could possibly be a poor attempt to frame China-based threat actors for these attacks.
  • Xtreme RAT binary dropped: “sky.exe” (MD5: 2d843b8452b5e48acbbe869e51337993), which is unsigned.


3) “Too soon to embrace Sisi _ Egypt is an unpredictable place.scr” (MD5: 7f9c06cd950239841378f74bbacbef60)

  • Malicious file only sent to a European government organization.
  • Drops an English language decoy document also titled “Sisi.doc”, however this one appears to be an exact copy of a 23 April Financial Times’ news article about the uncertainties surrounding former military chief Abdel Fattah el-Sisi running for president in the upcoming Egyptian elections.
  • Drops the same Xtreme RAT binary: “sky.exe” (MD5: 2d843b8452b5e48acbbe869e51337993), which is unsigned.

Another attribute regularly exhibited by Molerats malware samples is that they are often delivered inside self-extracting RAR archives, packed with EXECryptor V2.2, alongside several other legitimate-looking archived files.

Related Samples

Both of the malicious files above have a compile date/time of 2014-04-17 09:43:29 UTC, and based on this we were able to identify five additional samples related to the 29 April attacks (one of which contained only a lure and no malicious binary). These samples were a little more interesting because they carried either forged or self-signed Authenticode certificates.

All of the additionally identified samples were sent to one of the same European government organizations mentioned previously.

4) MD5: 2b0f8a8d8249402be0d83aedd9073662

  • Drops an Arabic language Word Document titled “list.doc”.
  • The title of the document appears to have several Chinese characters, yet the entire body of the document is written in Arabic.
  • Xtreme RAT binary dropped: “Download.exe” (MD5: cff48ff88c81795ee8cebdc3306605d0). This malware is signed with a self-signed certificate issued by “FireZilla” (see below). Certificate serial number: {75 dd 9b 14 c6 6e 20 0b 2e 22 95 3a 62 7b 39 19}.


Forged FireZilla certificate

5) MD5: 4f170683ae19b5eabcc54a578f2b530b

  • Drops an Arabic language Word Document titled “points.doc,” which appears to be an online clipping from a news article about ongoing Palestinian reconciliation meetings between Fatah and Hamas in the Gaza strip.
  • The title of the document appears to have several Chinese characters, yet the entire body of the document is written in Arabic.
  • Xtreme RAT binary dropped: “VBB.exe” (MD5: 6f9585c8748cd0e7103eab4eda233666). Though the malware appeared to be signed with a certificate named “Kaspersky Lab”, the Authenticode signature does not verify: the hash of the file as it exists on disk does not match the hash embedded in the signature (see below). Certificate serial number: {a7 ed a5 a2 15 c0 d1 91 32 9a 1c a4 b0 53 eb 18}.


(Forged Kaspersky Lab certificate)

6) MD5: 793b7340b7c713e79518776f5710e9dd and a75281ee9c7c365a776ce8d2b11d28da

  • Both drop an Arabic language Word document titled “qatar.doc,” which appears to be an online clipping of a news article concerning members of the Gulf Cooperation Council (GCC) and the ongoing dispute between Saudi Arabia, the United Arab Emirates (UAE), and Bahrain on one side and Qatar on the other, over Qatar’s support for the Muslim Brotherhood.
  • The title of the document appears to have several Chinese characters, yet the entire body of the document is written in Arabic.
  • Xtreme RAT binary dropped by the first sample: “AVG.exe” (MD5: a51da465920589253bf32c6115072909), which is unsigned.

7) Pivoting off one of the fake Authenticode certificates, we identified at least one additional related binary, “vmware.exe” (MD5: 6be46a719b962792fd8f453914a87d3e), also Xtreme RAT, which does not appear to have been sent to any of our customers. This binary is also packed with EXECryptor V2.2, like the samples above, and its CnC domain has resolved to IPs that overlap with previously identified Molerats malware.
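The “Kaspersky Lab” sample above fails the first thing Authenticode verification does: recompute the image hash (everything in the file except the CheckSum field, the security directory entry and the certificate table itself) and compare it with the digest the signer embedded in SpcIndirectDataContent. The Python below is an added example, not FireEye tooling, and runs on a constructed PE32 stub rather than on the samples in this post. It recovers the signed digest by scanning the PKCS#7 blob for the DER DigestInfo prefix, a triage shortcut that avoids a full ASN.1 parser, and it assumes sections sit contiguously in file order (the spec hashes them sorted by PointerToRawData); `attach_stub_signature` is a test fixture that stands in for a real SignedData.

```python
import hashlib
import struct

# DER prefix of DigestInfo {AlgorithmIdentifier, OCTET STRING} as it appears
# inside SpcIndirectDataContent, followed by the digest the signer signed.
DIGESTINFO_PREFIXES = (
    ("sha256", bytes.fromhex("3031300d060960864801650304020105000420"), 32),
    ("sha1", bytes.fromhex("3021300906052b0e03021a05000414"), 20),
)


def pe_layout(data):
    """Return (checksum_off, secdir_off, cert_off, cert_size) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = 96 if magic == 0x10B else 112 # data directories: PE32 vs PE32+
    checksum_off = opt + 64
    secdir_off = opt + dd_base + 4 * 8      # IMAGE_DIRECTORY_ENTRY_SECURITY == 4
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_size


def authenticode_hash(data, algo):
    """Hash the image the way the signer did: skip CheckSum, the security
    directory entry and the certificate table (triage simplification: sections
    are assumed contiguous and in file order)."""
    checksum_off, secdir_off, cert_off, cert_size = pe_layout(data)
    end = cert_off if cert_size else len(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:end])
    if cert_size:
        h.update(data[cert_off + cert_size:])   # overlay after the cert table, if any
    return h.digest()


def claimed_digest(data):
    """(algo, digest) the signature claims, found by scanning the PKCS#7 blob
    for the first DigestInfo; None when the image carries no signature."""
    _, _, cert_off, cert_size = pe_layout(data)
    blob = data[cert_off:cert_off + cert_size]
    for algo, prefix, n in DIGESTINFO_PREFIXES:
        i = blob.find(prefix)
        if i >= 0:
            return algo, blob[i + len(prefix):i + len(prefix) + n]
    return None


def signature_matches(data):
    """True only when the hash recomputed now equals the signed one. This says
    nothing about trust: a self-signed cert with a valid hash still passes."""
    found = claimed_digest(data)
    if found is None:
        return False
    algo, digest = found
    return authenticode_hash(data, algo) == digest


# ---- constructed fixtures (not real malware): bare PE32 header plus a body ----
def build_unsigned_pe(body=b"\x90" * 64):
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body   # header is 312 bytes


def attach_stub_signature(data, algo="sha256"):
    """Append a WIN_CERTIFICATE whose payload stands in for SignedData and
    carries only the DigestInfo a real signer would embed."""
    digest = authenticode_hash(data, algo)
    prefix = next(p for a, p, _ in DIGESTINFO_PREFIXES if a == algo)
    payload = prefix + digest
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    out = bytearray(data)
    _, secdir_off, _, _ = pe_layout(data)
    struct.pack_into("<II", out, secdir_off, len(data), len(cert))
    return bytes(out) + cert


def tamper(data):
    """Flip one byte of the code body while leaving the signature blob intact,
    which is the state the 'Kaspersky Lab' sample above is in."""
    out = bytearray(data)
    out[320] ^= 0xFF
    return bytes(out)
```

A matching digest only proves the bytes were not altered after signing; the self-signed “FireZilla” certificate on sample 4 would pass this check and still fail chain validation, so `signtool verify /pa` or `osslsigncode verify` remains the tool for the trust decision. The hash mismatch on sample 5, by contrast, is visible before any certificate is examined.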

Indicators of Compromise

[IOC table (image not reproduced): callback domains and TCP ports for the samples above]

Although the samples above are all Xtreme RAT, all but two of them call back over different TCP ports. The port 443 callback listed for the last sample is also not actual SSL: the sample transmits in clear text over that port, a common tactic for slipping past firewall and proxy rules that permit traffic on the usual web ports without inspecting it. These tactics, among the others mentioned above, suggest that Molerats are not only aware of security researchers’ efforts to track them but are also trying to avoid obvious, repeating patterns that would make infected endpoints easier to find.
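The clear-text callback on 443 described above is easy to catch if the detection looks at the first client bytes of each flow instead of at the port: a genuine TLS session opens with a handshake record (0x16, version 0x03 0x0x) carrying a ClientHello (handshake type 0x01). The Python below is an added example, not FireEye detection logic. It runs over a few constructed flow records (source, destination, port, first client payload as hex) and flags 443 flows whose opening bytes are neither a TLS nor an SSLv2-compatible ClientHello. Nothing is assumed about the actual Xtreme RAT wire format; the clear-text payloads are placeholders.

```python
SAMPLE_FLOWS = """\
# ts,src,dst,dport,first_client_bytes_hex  (constructed records, not a real capture)
1401321600,10.0.0.15,203.0.113.10,443,160301009e0100009a0303
1401321605,10.0.0.15,203.0.113.20,443,802e010301
1401321610,10.0.0.22,203.0.113.30,443,474554202f20485454502f312e310d0a
1401321615,10.0.0.22,203.0.113.40,443,68656c6c6f7c
1401321620,10.0.0.31,203.0.113.40,8080,68656c6c6f7c
1401321625,10.0.0.31,203.0.113.50,443,1603
"""


def looks_like_client_hello(p):
    """First bytes a client sends when it really is starting TLS."""
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01:
        return True      # TLS record header, handshake type ClientHello
    if len(p) >= 3 and p[0] & 0x80 and p[2] == 0x01:
        return True      # SSLv2-compatible ClientHello (length with high bit set, msg type 1)
    return False


def classify(dport, p):
    """Verdict for one flow from its destination port and first client bytes."""
    if dport != 443:
        return "not-443"
    if looks_like_client_hello(p):
        return "tls"
    if len(p) < 6:
        return "undetermined"      # too little data to say; do not alert on it
    return "cleartext-on-443"


def parse_flows(text):
    """Parse the CSV-style records above into (ts, src, dst, dport, payload)."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, hexbytes = line.split(",")
        rows.append((int(ts), src, dst, int(dport), bytes.fromhex(hexbytes)))
    return rows


def suspect_flows(text):
    """(src, dst) pairs that used 443 without starting a TLS handshake."""
    return [(src, dst) for _ts, src, dst, dport, p in parse_flows(text)
            if classify(dport, p) == "cleartext-on-443"]


if __name__ == "__main__":
    for pair in suspect_flows(SAMPLE_FLOWS):
        print("clear text on 443:", *pair)
```

The same idea is what Zeek’s `service` field and Suricata’s `app-layer-protocol` keyword give you in production; the value of writing it out is seeing that the check needs only the first record, so it is cheap enough to apply to every 443 flow, and that a short first packet must be treated as undetermined rather than as a hit. Expect a few legitimate non-TLS services on 443 in any large network, so the alert is a pivot, not a verdict.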

Conclusion

Although a large number of attacks against our customers appear to originate from China, we are tracking lesser-known actors also targeting the same firms. Molerats campaigns seem to be limited to only using freely available malware; however, their growing list of targets and increasingly evolving techniques in subsequent campaigns are certainly noteworthy.

MD5 Samples

  • a6a839438d35f503dfebc6c5eec4330e
  • 7f9c06cd950239841378f74bbacbef60
  • 8ca915ab1d69a7007237eb83ae37eae5
  • 2b0f8a8d8249402be0d83aedd9073662
  • 4f170683ae19b5eabcc54a578f2b530b
  • 793b7340b7c713e79518776f5710e9dd
  • a75281ee9c7c365a776ce8d2b11d28da
  • 6be46a719b962792fd8f453914a87d3e

Older Molerats samples from Dec 2013 (not listed above)

  • 34c5e6b2a988076035e47d1f74319e86
  • 13e351c327579fee7c2b975b17ef377c
  • c0488b48d6aabe828a76ae427bd36cf1
  • 14d83f01ecf644dc29302b95542c9d35

References & Credits

A special thanks to Ned Moran and Matt Briggs of FireEye Labs for supporting this research.

Strategic Analysis: As Russia-Ukraine Conflict Continues, Malware Activity Rises

Cyber conflicts are a reflection of traditional, “real life” human conflicts. And the more serious the conflict in the “real world,” the more conspicuous its cyber shadow is likely to be. So let’s look at a serious, current international conflict – the one between Russia and Ukraine – to see if we can find its reflection in cyberspace.

One of the most reliable ways to discover computer network operations is to look for malware “callbacks” – the communications initiated from compromised computers to an attacker’s first-stage command-and-control (C2) server. At FireEye, we detect and analyze millions of such callbacks every year.

Table 1, below, shows the top 20 countries to receive first-stage malware callbacks over the last 16 months, according to the latest FireEye data.


Table 1 – Callback Infrastructure: the Last 16 Months

As we track the evolution of callbacks during this period, we see a likely correlation between the overall number of callbacks both to Russia and to Ukraine, and the intensification of the crisis between the two nations. The two key indicators we see are:

  • In 2013, Russia was, on average, #7 on this list; in 2014, its average rank is #5.
  • In 2013, Ukraine was, on average, #12 on this list; in 2014, its average rank is #9.

The biggest single monthly jump occurred in March 2014, when Russia moved from #7 to #3. In that same month, the following events also took place in Russia and Ukraine:

  • Russia’s parliament authorized the use of military force in Ukraine;
  • Vladimir Putin signed a bill incorporating the Crimean peninsula into the Russian Federation;
  • The U.S. and EU imposed travel bans and asset freezes on some senior Russian officials;
  • Russian military forces massed along the Ukrainian border; and
  • Russian energy giant Gazprom threatened to cut off Ukraine’s supply of gas.

The graphs below provide a closer look at the crucial month of March 2014, specifically comparing it to malware callback data from February.

Figure 1 shows a significant rise in malware callbacks to Russia from three of the top four source countries in February: Canada, South Korea, and the U.S. (Great Britain had a slight decline).


Figure 1 – Callbacks to Russia in Feb/Mar 2014: Top Four Countries

Figure 2 depicts the same, general rise in callbacks to Russia from many other countries around the world.


Figure 2 – Callbacks to Russia in Feb/Mar 2014: Rest of World

Figure 3 shows that the sharp rise in callbacks to Russia in March 2014 was seen in every FireEye industry vertical.


Figure 3 – Callbacks to Russia in Feb/Mar 2014: Industry Verticals

Tables 2 and 3, below, compare the rise in callbacks to Russia and Ukraine against the rise in callbacks to other countries for February and March 2014. It is important to note that nearly half of the world’s countries experienced a decrease in callbacks during this same time frame.

Table 2 shows the countries that received the highest increase, from February to March 2014, in the number of source countries sending callbacks to them. Ukraine and Russia both placed in the top ten countries worldwide, with Ukraine jumping from 29 source countries to 39, and Russia moving from 45 to 53.


Table 2 – Callbacks in 2014: Number of Source Countries

Table 3 shows the increase in the number of malware signatures associated with the callbacks to each country for February and March 2014. Ukraine does not appear in the top ten (it tied for #15), but Russia was #4 on this list (again, nearly half of the world’s countries showed no increase or a decrease).


Table 3 – Callbacks in 2014: Number of Malware Signatures

It is not my intention here to suggest that Russia and/or Ukraine are the sole threat actors within this data set. I also do not want to speculate too much on the precise motives of the attackers behind all of these callbacks. Within such a large volume of malware activity, there are likely to be lone hackers, “patriotic hackers,” cyber criminals, Russian and Ukrainian government operations, and cyber operations initiated by other nations.

What I want to convey in this blog is that generic, high-level traffic analysis – for which it is not always necessary to know the exact content or the original source of individual communications – might be used to draw a link between large-scale malware activity and important geopolitical events. In other words, the rise in callbacks to Russia and Ukraine (or to any other country or region of the world) during high levels of geopolitical tension suggests strongly that computer network operations are being used as one way to gain competitive advantage in the conflict.

In the near future, we will apply this methodology to other global occurrences to further identify patterns that could provide valuable advanced threat protection insights.

The PLA and the 8:00am-5:00pm Work Day: FireEye Confirms DOJ’s Findings on APT1 Intrusion Activity

Yesterday, the U.S. Department of Justice (DOJ) announced the indictment of five members of the Second Bureau of the People’s Liberation Army (PLA) General Staff Department’s Third Department, also known as PLA Unit 61398. This is the same unit that Mandiant publicly unmasked last year in the APT1 report. At the time it was originally released, China denounced the report, saying that it lacked sufficient evidence. Following the DOJ’s indictment, however, China’s usual response changed from “you lack sufficient evidence” to “you have fabricated the evidence”, calling on the U.S. to “correct the error immediately.” This is a significant evolution in China’s messaging; if the evidence is real, it overwhelmingly demonstrates China’s unilateral attempts to leapfrog years of industrial development — by using cyber intrusions to access and steal intellectual property.

The evidence provided in the indictment includes Exhibit F (pages 54-56), which shows three charts based on Dynamic DNS data. These charts indicate that the named defendants (Unit 61398 members) were re-pointing their domain names at a Dynamic DNS provider during Chinese business hours from 2008 to 2013. The China work day, particularly for government offices, is very predictable, as noted on this travel site:

“Government offices, institutions and schools begin at 8:00 or 8:30, and end at 17:00 or 17:30 with two-hour noon break, from Monday to Friday. They usually close on Saturday, Sunday and public holidays.”

What Exhibit F shows is a spike of activity on Monday through Friday around 8am in Shanghai (China Standard Time), a roughly 2-hour lull at lunchtime, and then another spike of activity from about 2pm to 6pm. The charts also show that there were very few changes in Dynamic DNS resolution on weekends.

At Mandiant (now a FireEye company), we can corroborate the DOJ’s data by releasing additional evidence that we did not include in the APT1 report. In the APT1 report, we specified the following:

  • Over a two-year period (January 2011 to January 2013) we confirmed 1,905 instances of APT1 actors logging into their hop infrastructure from 832 different IP addresses with Remote Desktop.

  • Of the 832 IP addresses, 817 (98.2%) were Chinese and belong predominantly to four large net blocks in Shanghai which we will refer to as APT1’s home networks.

  • In order to make a user’s experience as seamless as possible, the Remote Desktop protocol requires client applications to forward several important details to the server, including their client hostname and the client keyboard layout. In 1,849 of the 1,905 (97%) APT1 Remote Desktop sessions we observed in the past two years, the keyboard layout setting was “Chinese (Simplified) — US Keyboard.”

One thing we did not originally provide was an analysis of the time of day and day of week that these 1,905 Remote Desktop (RDP) connections occurred. However, when we look at these connections in bar chart format, obvious patterns appear:

Figure 1: APT1 Remote Desktop login times distributed by hour of day (China Standard Time)


Figure 2: APT1 Remote Desktop login times distributed by day of week (China Standard Time)

Essentially, APT1 conducted almost all of the 1,905 RDP connections from 2011 to 2013:

  • on weekdays (Monday through Friday), and
  • between 8am and noon, 2pm and 6pm, or 7pm and 10pm CST.

On some occasions, APT1 personnel appear to have worked on weekends, but these are minor exceptions to the norm. Consider the following evidence together for the 1,905 RDP connections:

  • 98.2% of IP addresses used to log in to hop points (which help mask the real point of origin to victim organizations) were from Shanghai networks
  • 97% of the connections were from computers using the Simplified Chinese language setting
  • 97.5% of the connections occurred on weekdays, China Standard Time
  • 98.8% of the connections occurred between 7am and midnight China Standard Time
    • 75% occurred between 8am to noon or between 2pm to 6pm
    • 15% occurred between 7pm and 10pm

The simplest conclusion based on these facts is that APT1 is operating in China, and most likely in Shanghai. Although one could attempt to explain every piece of evidence away, at some point the evidence starts to become overwhelming when it is all pointing in one direction. Our timestamp data, derived from active RDP logins over a two year period, matches the DOJ’s timestamp data, derived from a different source — active Dynamic DNS re-pointing over a five year period. These data sets show that APT1 is either operating in China during normal Chinese business hours or that APT1 is intentionally going to painstaking lengths to look like they are.
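The timing argument above is easy to reproduce over your own authentication logs, and the step that turns a clock pattern into a location hypothesis is scoring candidate time zones by how well office hours fit. The Python below is an added example, not Mandiant code, and it runs on a constructed set of login timestamps (two weeks of an operator keeping Shanghai office hours, with one Saturday-morning session per week) rather than on the 1,905 APT1 sessions. It converts UTC timestamps into a candidate zone, computes the weekday, office-hours (8am to noon and 2pm to 6pm), evening and 7am-to-midnight fractions reported in the post, and picks the candidate with the best office-hours fit. Fixed UTC offsets are used for the candidates so the block runs without tzdata (Moscow was UTC+4 year-round in 2014; US Eastern is UTC-4 under DST); use `zoneinfo` for real analysis so DST is handled.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed offsets keep the example independent of system tzdata.
CST = timezone(timedelta(hours=8), "China Standard Time")
CANDIDATE_ZONES = {
    "China Standard Time (UTC+8)": CST,
    "Moscow (UTC+4, 2014)": timezone(timedelta(hours=4)),
    "US Eastern (UTC-4, DST)": timezone(timedelta(hours=-4)),
}


def activity_profile(logins_utc, tz):
    """Bucket UTC login times in the given zone and compute the fractions the
    post reports: weekdays, office hours, evening block, 7am..midnight."""
    n = len(logins_utc)
    by_hour = Counter()
    weekday = office = evening = awake = 0
    for t in logins_utc:
        local = t.astimezone(tz)
        by_hour[local.hour] += 1
        weekday += int(local.weekday() < 5)                              # Mon..Fri
        office += int(8 <= local.hour < 12 or 14 <= local.hour < 18)    # 8-12, 14-18
        evening += int(19 <= local.hour < 22)                            # 19-22
        awake += int(local.hour >= 7)                                    # 7am..midnight

    def pct(k):
        return round(100.0 * k / n, 1)

    return {"n": n, "weekday_pct": pct(weekday), "office_pct": pct(office),
            "evening_pct": pct(evening), "awake_pct": pct(awake),
            "busiest_hour": by_hour.most_common(1)[0][0]}


def best_fit_timezone(logins_utc, candidates):
    """Score each candidate zone by office-hours fit; return the best and all scores."""
    scores = {name: activity_profile(logins_utc, tz)["office_pct"]
              for name, tz in candidates.items()}
    return max(scores, key=scores.get), scores


def constructed_logins():
    """Constructed fixture, not APT1 data: two weeks of an operator working
    8-12, 14-18 and one evening session on weekdays, plus a Saturday 10am login."""
    start = datetime(2014, 5, 5, tzinfo=CST)          # a Monday
    out = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() < 5:
            hours = (8, 9, 10, 11, 14, 15, 16, 17, 20)
        elif d.weekday() == 5:
            hours = (10,)
        else:
            hours = ()
        for h in hours:
            out.append(d.replace(hour=h, minute=30).astimezone(timezone.utc))
    return out


if __name__ == "__main__":
    logins = constructed_logins()
    print(activity_profile(logins, CST))
    print(best_fit_timezone(logins, CANDIDATE_ZONES))
```

Two practical caveats the numbers in the post already anticipate: the fit degrades gracefully rather than failing when operators work a second evening block, so score on the office-hours fraction and treat the evening share as supporting evidence; and an operator could in principle shift their day to fake another zone, which is why the post pairs the clock data with the keyboard-layout and source-network evidence rather than relying on timing alone.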

The data used to produce the charts above are archived in raw format and we are confident that any computer networking expert would certify them as genuine and non-fabricated in a court of law. But, that isn’t really the issue. The real issue is: will this activity continue and for how long? Regardless, FireEye remains focused on how these threats evolve over time, in order to reduce the time from “detect” to “fix”, as these and other actors continue targeting potential victims.

Operation Saffron Rose

There is evolution and development underway within Iranian-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities. The capabilities of threat actors operating from Iran have traditionally been considered limited and have focused on politically motivated website defacement and DDoS attacks.

Our team has published a report that documents the activities of an Iran-based group, known as the Ajax Security Team, which has been targeting both US defense companies as well as those in Iran who are using popular anti-censorship tools to bypass Internet censorship controls in the country.

This group, which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However, by 2014, this group had transitioned to malware-based espionage, using a methodology consistent with other advanced persistent threats in this region.

It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. We have observed this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. They use malware tools that do not appear to be publicly available. Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used exploit code in web site defacement operations.

The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.

Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations have been somewhat successful. We assess that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.

To view a full version of the report on “Operation Saffron Rose,” please visit: https://www.fireeyesolution.com/resources/pdfs/fireeye-operation-saffron-rose.pdf.

“Operation Clandestine Fox” Now Attacking Windows XP Using Recently Discovered IE Vulnerability

On April 26th, FireEye Research Labs notified the public of a new IE zero-day exploit being used in “Operation Clandestine Fox.” The initial attack targeted users of IE versions 9, 10, and 11 on Windows 7 and 8. Despite attackers only targeting those versions of Microsoft IE and Windows OS, the vulnerability actually impacts all versions of IE from 6 through 11.

Today, FireEye Labs can reveal a newly uncovered version of the attack that specifically targets end-of-life Windows XP machines running IE 8. This means that live attacks exploiting CVE-2014-1776 are now occurring against users of IE 8 through 11 on Windows XP, 7 and 8.

We have also observed multiple new threat actors using the exploit in attacks and expanding the industries they target. In addition to previously observed attacks against the defense and financial sectors, organizations in the government and energy sectors are now also facing attack.

Mitigation

In our tests, disabling VGX.dll (the VML renderer) blocks this attack on all configurations of IE and Windows. However, we strongly suggest that Windows XP users upgrade to a later Windows operating system to take advantage of newer mitigation technologies from Microsoft, such as EMET 5.0 and IE with Enhanced Protected Mode (EPM). Deploying preventative measures now will help mitigate the impact of these exploits until Microsoft patches the underlying vulnerability, and will offer additional protection from future zero-day exploits.

Details

The main differences between this new attack targeting Windows XP compared to the original Windows 7/8.1 versions of this attack are the mitigation bypasses. The Windows 7/8.1 version develops its write primitive into read/write access to much of the process space by corrupting Flash vector objects. This is to bypass ASLR by searching for ROP gadgets and building a ROP chain dynamically in memory.

Without ASLR, ROP gadgets can be constructed beforehand with static addresses. Consequently, Flash assistance in the Windows XP version is much simpler. It builds a ROP chain with static addresses to gadgets in MSVCRT, tweaks addresses for a plethora of language packs, and jumps directly to a pivot without developing a write primitive. From there, the ROP chain calls VirtualAlloc to allocate executable memory, copies the shellcode to the allocated chunk, and executes the shellcode.

This new tactic of specifically targeting those running Windows XP means the risk factors of this vulnerability are now even higher. We have been working with Microsoft and they have released an Out of Band patch. FireEye highly recommends users of Microsoft Internet Explorer apply the patch as soon as possible for security reasons.

NGOs: Fighting Human Rights Violations and, Now, Cyber Threat Groups

With so many non-government organizations (NGOs) in operation today around the world, we asked ourselves a question here at FireEye Labs. Who would think about targeting NGOs? Steal from a nonprofit? It would seem unthinkable to most people. But, as we can see from a few recent examples below, this is a clear reality.

As more NGOs reach out to us, it is clear that the situation for them is not a pretty one. Based on the breaches we have observed in this space, it appears there are more than 15 distinct advanced threat groups active in NGO networks. The sheer volume and variety of threat groups active in NGO environments struck us as unusually high for a single industry and indicates the incredibly difficult threat landscape NGOs face.

Hamstrung by limited budgets to establish strong network defenses and few personnel that understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property. Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim to maliciously motivated threat actors.

Cyber Operations at NGOs: An Intelligence Collection Pursuit?

NGOs — particularly those based in the U.S. — have long been perceived as instruments of U.S. government policy. Regimes with a less-than-favorable view of the U.S. frequently consider NGOs’ work as a rallying point for domestic unrest and political opposition. Three nations that fit this description — China, Russia and Iran — are all rumored or known to have existing and growing cyber operations to support their governments’ political agendas. Data acquired from NGOs via network compromises has the potential to grant these nation-states valuable, predictive insights on key policy topics and NGO programming, as well as intelligence on personnel and their contacts.

Over the last few years, we have observed China-based advanced persistent threat (APT) groups frequently target U.S.-based NGOs. Unsurprisingly, they were organizations with programs that touched on Chinese human rights, democratic reforms, and social issues. In these instances, data theft was not just limited to documents about NGO programming, but also included documents on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ operations, issues, and personnel. Not only were the threat actors better positioned to understand the NGOs’ values and plans, but, more importantly, they could potentially identify in-country contacts for the NGOs. These domestic contacts could face repercussions for their collaboration with the NGO.


Figure 1: A sample breakout of the types of documents stolen from an NGO

Sought-After Financial Data Goldmine

Because NGOs are often dependent on donations from large donors and dedicated supporters, they maintain or process financial data of potentially great value to cybercriminals who seek to steal PII. This financial information could be used to perpetrate identity theft and other types of criminal exploitation, including the theft of credit card numbers, bank account information, and other PII of wealthy individuals. There are any number of cases of non-profits who were either breached via network compromise or even experienced the physical theft of devices that gave perpetrators access to databases filled with valuable information such as names, addresses and social security numbers. In one instance, a simple website misconfiguration exposed one nonprofit’s database of donors and their personal information.

The acknowledged wealth of many NGO donors likely contributes to the motivations financial threat groups would have in targeting NGOs. FireEye tracks a number of criminal threat groups who conduct network intrusions to obtain data similar to the kind NGOs manage in large quantities. These threat actors may seek financial gain from cyber operations through direct theft of funds or the resale of data they have stolen. Because NGOs maintain valuable financial data, and perhaps other data they perceive to be valuable, criminal threat actors may target these networks with the intent to profit.

Perception of Weak Defenses

When criminals are looking for an easy target, NGOs’ networks may be perceived to be easy pickings. Just as the common thief would rather steal items of value from a house without an alarm than one with, the same is true with advanced threat actors and cybercriminals. NGOs possess information of value that a variety of threat actors desire, and their networks can sometimes be far easier targets than government institutions or large commercial organizations, due to their typically limited resources when it comes to network security and defense.

Although NGOs face a unique landscape when it comes to advanced threats, in terms of both the sheer number of threat groups targeting them and the widely varying possible impacts of a breach, their operations and needs share many similarities with those of our small- and medium-sized business (SMB) customers. To that end, FireEye Labs recommends reviewing our latest SMB-focused white paper for more insight into what the broader threat landscape looks like for NGO-like organizations. A copy of the paper can be found here: https://www.fireeyesolution.com/smb_five_reasons_wp.html.

If an Android Has a Heart, Does It Bleed?

The OpenSSL Heartbleed vulnerability “allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” [1]. Heartbleed surprised the public by allowing attackers to steal sensitive information from vulnerable websites by sending crafted SSL heartbeat messages. However, due to the fact that servers can send heartbeats to clients as well, malicious servers can, in turn, attack vulnerable clients and steal sensitive information. For the Android platform, we find that roughly 150M downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed.

Currently there are about 17 antivirus apps on Google Play branded as “Heartbleed detectors”. Six of them scan the OpenSSL library belonging to the Android platform for vulnerabilities. Unfortunately, this method isn’t sufficient for detecting the Heartbleed vulnerability on Android. Except for a limited set of Android versions (mainly 4.1.0-4.1.1), the Android platform itself is not vulnerable, as most versions either ship OpenSSL libraries that are not vulnerable or simply have the OpenSSL heartbeat functionality disabled.

However, Android apps frequently use native libraries, which either directly or indirectly leverage vulnerable OpenSSL libraries. Therefore, even though the Android platform itself is not vulnerable, attackers can still attack those vulnerable apps. They can hijack the network traffic, redirect the app to a malicious server and then send crafted heartbeat messages to the app to steal sensitive memory contents.

We studied apps with vulnerable OpenSSL libraries and confirmed this attack. Most of the vulnerable apps are games, and some are office-based applications. Although there is not much valuable information in the game apps, attackers can steal OAuth tokens (access tokens and refresh tokens) to hijack the game accounts; as such, the information might be useful for hijacking those linked social network accounts with incorrect configurations. Office apps vulnerable to Heartbleed are much more dangerous due to further potential data leakage.

During our investigation of the office apps that contain a vulnerable version of OpenSSL, we were surprised that they were not vulnerable to the Heartbleed attack. How could that be? A deeper look shows that these apps either make a mistake in the native code linkage, or just contain dead code. Therefore, when they try to invoke SSL functions, they directly use the non-vulnerable OpenSSL library contained within the Android OS, instead of using the vulnerable library provided by the app. The linkage mistake is common for Android applications built with native code. As such, the side-effect of this mistake helps reduce the apps’ overall risk profile.

Within the 17 Heartbleed detector apps on Google Play, only 6 detectors check installed apps on the device for the Heartbleed vulnerability. Within the 6, 2 report all apps installed as “Safe”, including those we confirmed as vulnerable. One detector doesn’t show any app scan results and another one doesn’t scan the OpenSSL version correctly. Only 2 of them did a decent check on the Heartbleed vulnerability of apps. Although they conservatively labeled some non-vulnerable apps as vulnerable, we agree it is a viable report which highlights both the vulnerabilities and the linkage mistakes. We’ve also seen several fake Heartbleed detectors among the 17 apps, which neither perform real detection nor display detection results to users and only serve as adware.
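The detectors described above that do a decent job work by inspecting the OpenSSL build bundled inside each app's native libraries. The following is an added example (not code from the original post or from any of the detector apps) of that check, written for offline analysis of an APK: it walks the lib/<abi>/*.so entries, reads the OpenSSL version banner, and applies the exact affected-version range for CVE-2014-0160. The sample APK it scans is constructed in memory with fake libraries; the `scan_apk`, `is_heartbleed_version` and `build_sample_apk` names are this example's own.

```python
import io
import re
import zipfile
from typing import Optional

# Every OpenSSL build embeds a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?")

def is_heartbleed_version(version: str, patch: str, beta: Optional[str]) -> bool:
    """CVE-2014-0160 affects 1.0.1 through 1.0.1f and 1.0.2-beta1 only."""
    if version == "1.0.1":
        return patch <= "f"       # "" (plain 1.0.1) and a..f are affected; g and later carry the fix
    if version == "1.0.2":
        return beta == "1"        # 1.0.2-beta1 is affected; beta2 shipped the fix
    return False                  # 0.9.8 and 1.0.0 never contained the heartbeat extension bug

def scan_apk(apk_bytes: bytes) -> dict:
    """Map each bundled native library that embeds OpenSSL to (version label, affected?).

    Caveat, as the post notes: a version banner cannot tell whether the build disabled
    heartbeats (OPENSSL_NO_HEARTBEATS) or whether the app actually resolves its SSL
    symbols from this library rather than the system copy (the linkage mistake), so
    an "affected" result is a lead for verification, not proof of exploitability.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue          # native code lives under lib/<abi>/ inside the APK
            match = VERSION_RE.search(apk.read(name))
            if match is None:
                continue          # library does not embed OpenSSL at all
            version, patch = match.group(1).decode(), match.group(2).decode()
            beta = match.group(3).decode() if match.group(3) else None
            label = version + patch + (f"-beta{beta}" if beta else "")
            findings[name] = (label, is_heartbleed_version(version, patch, beta))
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: fake ELF blobs carrying OpenSSL banners."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/armeabi-v7a/libgame.so", b"\x7fELF..OpenSSL 1.0.1e 11 Feb 2013..")
        apk.writestr("lib/armeabi-v7a/libnet.so", b"\x7fELF..OpenSSL 1.0.1g 7 Apr 2014..")
        apk.writestr("lib/x86/libold.so", b"\x7fELF..OpenSSL 1.0.0k 5 Feb 2013..")
        apk.writestr("classes.dex", b"dex\n035\x00")   # not a native library, ignored
    return buf.getvalue()

if __name__ == "__main__":
    for lib, (label, affected) in scan_apk(build_sample_apk()).items():
        print(f"{lib}: OpenSSL {label} -> {'AFFECTED' if affected else 'not affected'}")
```

On a real device the same check would be run against each installed package's APK; the detectors that reported every app as "Safe" presumably never reached this step.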

On April 10th, we scanned more than 54K Google Play apps (each with over 100K downloads) and found that there were at least 220 million downloads affected by the Heartbleed vulnerability. We have notified some of the app developers and library vendors about the OpenSSL Heartbleed vulnerability found in their products. Fortunately, it seems most app developers and library vendors take Heartbleed seriously, as we have started to see apps updated with proper fixes. The total number of vulnerable app downloads had decreased to 150 million by April 17th.

[1] Vulnerability Summary for CVE-2014-0160

Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370

While many advanced persistent threat (APT) groups have increasingly embraced strategic Web compromise as a malware delivery vector, groups also continue to rely on spear-phishing emails that leverage popular news stories. The recent tragic disappearance of flight MH 370 is no exception. This post will examine multiple instances from different threat groups, all using spear-phishing messages and leveraging the disappearance of Flight 370 as a lure to convince the target to open a malicious attachment.

“Admin@338” Targets an APAC Government and U.S. Think Tank

The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.

The attachment dropped a Poison Ivy variant into the path C:\DOCUME~1\admin\LOCALS~1\Temp\kav.exe (MD5: 9dbe491b7d614251e75fb19e8b1b0d0d), which, in turn, beaconed outbound to www.verizon.proxydns[.]com. This Poison Ivy variant was configured with the connection password “wwwst@Admin.” The APT group we refer to as Admin@338 has previously used Poison Ivy implants with this same password. We document the Admin@338 group’s activities in our Poison Ivy: Assessing Damage and Extracting Intelligence paper. Further, the domain www.verizon.proxydns[.]com previously resolved to the following IP addresses that have also been used by the Admin@338 group:

IP Address        First Seen    Last Seen
103.31.241.110    2013-08-27    2013-08-28
174.139.242.19    2013-08-28    2013-08-31
58.64.153.157     2013-09-03    2014-03-07
59.188.0.197      2014-03-07    2014-03-19


A Detailed Examination of the Siesta Campaign

Executive Summary

FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1.

The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.

Overview

On March 6, 2014 TrendMicro reported on the Siesta Campaign. Though not explicitly stated in that report, the tactics, techniques and procedures (TTPs) it describes share a number of characteristics with historical activity we’ve attributed to APT1 (also known as the “Comment Crew”).

Cybercriminals Continue to Target Retail Sector

A series of spectacular cyber attacks have breached big-name retail stores in recent months, including Target, Neiman Marcus, and Michaels. These incidents are only the latest in what has become an alarming trend.

In 2013, for example, the U.S. Department of Justice (DoJ) profiled a financial hacking scheme in which four Russians and one Ukrainian penetrated the computer networks of retail organizations. This series of attacks yielded more than 160 million credit card numbers and cost corporations and consumers hundreds of millions of dollars. The cybercriminals stored the stolen credit card data on computers scattered around the globe and sold it via hacker forums, charging $10 for American cards and $50 for European cards.

The FireEye Dynamic Threat Intelligence™ team can confirm that the retail sector faces an increased risk from actors using point-of-sale (POS) malware to steal customer credit card data. Ongoing attacks against our retail clients align closely with the DoJ revelations and recent headlines. FireEye is actively tracking one financial threat group that we believe is associated with Russian and Ukrainian attackers.
