Wednesday 19 June 2013

Google Docs hijacked by Trojan.APT.Seinup malware

A cyber attack that uses Google Docs to avoid detection in order to steal information has been spotted in the wild.
Security firm FireEye reported uncovering the campaign, warning that the crooks are using advanced malware to mount a targeted spear phishing campaign designed to steal corporate and personal data from a variety of victims.
FireEye researcher Chong Rong Hwa wrote: "The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN [Association of Southeast Asian Nations].
Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy.
"This malware was found to have used a number of advanced techniques, which makes it interesting. The malware leverages Google Docs to perform redirection to evade callback detection."
Chong highlighted the use of Google Docs as particularly troublesome as it offers the malware increased protection against traditional security tools, but confirmed that there are ways to address the problem. "By connecting the malicious server via Google Docs, the malicious communication is protected by the legitimate SSL provided by Google Docs," he wrote.
"One possible way to examine the SSL traffic is to make use of a hardware SSL decrypter within an organisation. Alternatively, you may want to examine the usage pattern of the users. Suppose a particular user accesses Google Docs multiple times a day, the organisation's incident response team may want to dig deeper to find out if the traffic is triggered by a human or by malware."
Beyond its use of Google Docs, the phishing document exploits CVE-2012-0158 (the MSCOMCTL.OCX ActiveX control buffer overflow in Microsoft Office, patched by Microsoft in April 2012) and drops a loader named exp1ore.exe, with a digit 1 standing in for the letter l. The dropper registers the malware as a Windows Service, so the backdoor survives reboots and keeps its foothold on the network.
The malware is troublesome as it grants the criminals a variety of powers over the infected machine. "This malware is named Trojan.APT.Seinup because one of its export functions is named ‘seinup'. This malware was analysed to be a backdoor that allows the attacker to remote control the infected system," wrote Chong.
The FireEye researcher cited the campaign as proof that criminals are developing new, more sophisticated ways to target businesses, and called on companies to update their current defence strategies to deal with the evolved threat.
"Malware is increasingly becoming more contextually advanced. It attempts to appear as much as possible like legitimate software or documents. In this example, we would conclude the following.
A potentially stolen document was used as a decoy document to increase its credibility. It is also a sign that the compromised organisations could be used as a soft target to compromise their business partners and allies," he wrote.
"It is important to put a stop to the malware infection at the very beginning, which is the exploitation phase. Once a network is compromised, it is increasingly harder to detect such threats.
Anti-incident response and forensic techniques are increasingly used to evade detection. It would require a keen eye on details and a wealth of experience to identify all these advanced techniques."
FireEye is one of many companies to urge firms to drop their outdated perimeter-based defences. Most recently Finnish security firm F-Secure released its contextually aware DeepGuard 5 analysis tool to help businesses spot attacks on their systems.

Iran develops first national computer operating system

The University of Tehran has developed the first national computer operating system in Iran, ISNA news agency reported.
The operating system has been installed on computers at the university and it is possible to install the operating system at other universities.
In November 2012, Mehr news agency quoted a member of the board of directors in Iran's Telecommunication Infrastructure Company Mohammad Taher Shams as saying that Iran will launch an improved secure internet to prevent cyber-attacks.
Iran's IP network, IPMPLS, will provide various services in IP, MPLS and VPLS and a secure internet. "The network's most important aim is to prevent domestic and international cyber-attacks," he said.
Earlier, Iran announced that it has taken all necessary steps to create the Halal Internet network.
The Iranian net consortium has already been established for this purpose, Iranian IRNA state news agency quoted the country's Deputy Vice President for Economic Affairs Ali Agamohammadi as saying.
The Iranian net consortium will work in the area of the fibre-optic network and Internet speed will increase once launched. "The consortium initially will render services through a fibre-optic network to 10 million users," he said.
Iran announced it had detected and thwarted a cyber-attack by the Stuxnet worm, which was supposedly created to infect Iranian industrial and nuclear computer systems in 2010.
The Stuxnet worm, first publicly identified in June 2010, is malware designed to infect computers running Siemens Supervisory Control and Data Acquisition (SCADA) software, a class of control system favored by industries that manage water supplies, oil rigs and power plants.

Microsoft EMET 4.0 detects eavesdropping attacks

Microsoft has released a new version of its Enhanced Mitigation Experience Toolkit (EMET 4.0). EMET is a free mitigation tool designed to help IT professionals and developers prevent vulnerabilities in software from being successfully exploited.
The tool works by protecting applications via the latest security mitigation technologies built into Windows, even in cases where the developer of the application didn’t opt to do this themselves.
By doing so, it enables a wide variety of software to be made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied. The mitigations raise the cost of exploitation rather than remove the underlying bug, so they complement patching rather than replace it.
EMET 4.0 incorporates a number of new enhancements, including protection against man-in-the-middle attacks that abuse the Public Key Infrastructure (PKI): a Certificate Trust feature lets an administrator pin a website's SSL certificate to a specific root certificate authority, so that a certificate for that site issued by any other CA, as happens when a CA is compromised or coerced, is flagged. It also hardens the Return-Oriented Programming (ROP) mitigations, addresses known compatibility issues, and is designed to work with Microsoft's latest technologies such as Internet Explorer 10 and Windows 8.

WordPress E-Commerce Plugins Vulnerabilities

WordPress plugins that are used to add e-commerce functionality to business websites are riddled with vulnerabilities, according to a new study released today.
Israeli application security firm Checkmarx said its WordPress plugin analysis found that seven of the 10 most popular e-commerce plugins contain vulnerabilities. The flaws were SQL injection and cross-site scripting, the two classes of web application bug most frequently targeted by attackers.
"Every developer can upload their plugin to the WordPress.org market and any user can download that plugin with no security assurance process in place," said Maty Siman, founder and CTO of Checkmarx. "In certain cases, you can exploit a vulnerability to get full access control to the hosting server, and in many cases you can get access to other WordPress sites hosted on the same server."
Attackers have been targeting WordPress users due to the platform's popularity; an estimated 60 million websites are built with the content management system. Automated tools can scan and exploit common Web application vulnerabilities, enabling attackers to set up drive-by attacks or use the back-end systems to set up command-and-control servers for botnets.
"With 18 percent of the total Internet based on WordPress, a single vulnerability can impact millions of websites all at once," Siman said.
WordPress, Joomla and Drupal are among the most popular platforms. Attackers can also steal data from web servers or redirect website visitors to other attack websites, Siman told CRN. Siman said the website vulnerabilities serve as an easy way for attackers to spread malware and expand their botnets, taking control of larger armies of infected PCs.
Checkmarx performed multiple scans on the top 50 most downloaded plugins as part of its study. Some website owners don't have the resources or skill level to apply updates, although newer versions of WordPress can be set to automatically update plugins, Siman said. In addition to installing security updates issued by each platform, Siman said users need to apply patches to plugins and uninstall components that are not used.
The firm found that e-commerce plugins, such as those that add shopping cart functionality to a site, were typically riddled with coding errors. Plugins that helped setup and manage a store also contained errors.
"We assumed that these plugins would be more secure but that wasn't the case," Siman said. "Developers want to get the most users as possible and many forgo security to get their functionality to market faster."
Other top error-prone plugins included components that help website owners manage site statistics, review comments in site forums or blog entries, or save contact form data. Sites also had errors associated with feed aggregators, broken links, site development tools and connections to popular social networks, including Facebook, according to Checkmarx's study.
Siman recommends that WordPress site owners stick to Wordpress.org when downloading plugins. Site owners can also use scanning tools to check plugins for flaws and make an informed decision on whether using them is worth the risks they pose. Stick to the latest version of plugins, he said, and remove any unused plugins that are hosted on the site.
An attacker can still gain access to vulnerable plugins even if they are disabled, Siman said. To remove the threat completely, plugins must be uninstalled.
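To make the three points above concrete (SQL injection and cross-site scripting in plugin code, and deactivated plugin files that still execute), here is an added example that is neither Checkmarx's scanner nor any real plugin's code: a small line-based static check in the spirit of the study, run over two constructed PHP snippets, one written the error-prone way and one hardened. The table name and the snippets are constructed for this example; the WordPress functions they call (absint, $wpdb->prepare, esc_html, sanitize_text_field) are real.

```python
"""Line-based static check for common WordPress plugin flaws (added example).

Three rules, matching the article's three problems:
  sqli          request data reaches a $wpdb query without $wpdb->prepare()
  xss           request data is echoed without esc_html()/esc_attr()
  direct-access the file has no ABSPATH guard, so the web server will run it
                on a direct request even when the plugin is deactivated
The PHP snippets below are constructed for this example.
"""
import re

VULNERABLE_PLUGIN = r"""<?php
/* Plugin Name: Demo Cart (constructed, vulnerable) */
global $wpdb;
$id = $_GET['item_id'];
$rows = $wpdb->get_results("SELECT name, price FROM {$wpdb->prefix}cart WHERE id = " . $id);
echo '<p>Results for ' . $_GET['q'] . '</p>';
"""

HARDENED_PLUGIN = r"""<?php
/* Plugin Name: Demo Cart (constructed, hardened) */
if ( ! defined( 'ABSPATH' ) ) { exit; }  // refuse direct HTTP requests to this file
global $wpdb;
$id = absint( $_GET['item_id'] );
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT name, price FROM {$wpdb->prefix}cart WHERE id = %d", $id ) );
echo '<p>Results for ' . esc_html( sanitize_text_field( $_GET['q'] ) ) . '</p>';
"""

SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
SANITIZERS = ("absint", "intval", "sanitize_text_field", "sanitize_key", "sanitize_email")
SQL_SINK = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\(")
PREPARE = re.compile(r"\$wpdb->prepare\s*\(")
OUTPUT_SINK = re.compile(r"^\s*(?:echo|print)\b")
ABSPATH_GUARD = re.compile(r"defined\(\s*['\"]ABSPATH['\"]\s*\)")
ASSIGNMENT = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")


def scan_plugin(source):
    """Return a list of (line_number, rule, message) findings.

    Taint tracking is deliberately simple: a variable assigned straight from a
    superglobal is tainted until reassigned; wrapping the superglobal in a
    known sanitizer on assignment clears it. Flow through functions, arrays or
    string formatting is not followed, so this under-reports compared with a
    real source-code analyser.
    """
    findings = []
    tainted = set()

    def untrusted(text):
        if SUPERGLOBAL.search(text):
            return True
        return any(re.search(re.escape(v) + r"\b", text) for v in tainted)

    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if m:
            var, rhs = m.groups()
            if SUPERGLOBAL.search(rhs) and not rhs.lstrip().startswith(SANITIZERS):
                tainted.add(var)
            else:
                tainted.discard(var)
        if SQL_SINK.search(line) and not PREPARE.search(line) and untrusted(line):
            findings.append((lineno, "sqli",
                             "request data reaches a $wpdb query without $wpdb->prepare()"))
        if OUTPUT_SINK.match(line) and untrusted(line) and "esc_" not in line:
            findings.append((lineno, "xss",
                             "request data echoed without esc_html()/esc_attr()"))

    if not ABSPATH_GUARD.search(source):
        findings.append((0, "direct-access",
                         "no ABSPATH guard: file runs when fetched directly, "
                         "even if the plugin is deactivated"))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PLUGIN), ("hardened", HARDENED_PLUGIN)):
        print(f"{name}: {scan_plugin(src) or 'no findings'}")
```

The direct-access rule is why deactivating a plugin is not enough: WordPress's plugin loader skips a deactivated plugin, but the web server still serves its PHP files, so any file that does work at top level and lacks the ABSPATH guard can be reached by URL. Removing the files, as the article advises, is the only sure fix.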
The firm highlighted six popular plugins for correcting coding errors that Checkmarx found in January, among them BuddyPress, a plugin that creates a social network; bbPress, forum software; E-Commerce, a shopping cart plugin; WP Super Cache, a site optimisation plugin; and WooCommerce, an e-commerce store.
Wordpress.org volunteers did not respond to CRN's request for comment Tuesday. The platform maintains a security FAQ for website owners. Users who may have fallen victim to an attack are directed to an exploit scanner plugin that examines database tables and plugins for irregularities or unusual file names.

Wire Transfer Company’s Tech Support Scam

The FBI's Internet Crime Complaint Center (IC3) has recently received complaints from businesses regarding telephone calls from individuals claiming to be with a wire transfer company's tech support.
One complainant reported that the wire transfer company's name was displayed on their caller ID; caller ID is trivially spoofed and should never be treated as proof of who is calling. The callers instructed the victims to go to a particular website and run an application that allows the caller to remotely access the victim's computer.
Once remote access was established, the victims were instructed to open their wire transfer program and log-in to their accounts, so the callers could update the system. The victims were then told to turn off their monitors, to avoid interference with the update.
The victims later discovered the subjects made wire transfers to NetSpend accounts. One victim noticed something downloading onto his computer once the caller gained remote access. This made the victim suspicious, so he turned off his computer.
Later, he discovered the caller had loaded $950 on a prepaid credit card from the victim’s account. Another victim reported money transfers were made to various states and individuals, but the caller reassured the victim that no transfers were actually being processed. No other details were provided.