    Last month, the hacker collective Anonymous announced their intention to launch cyber attacks against the petroleum industry (under the code name #OpPetrol), an operation that is expected to last until June 20.

    Their stated reason for the attack is primarily that petroleum is sold in US dollars rather than in the currency of the country it originates from. However, some chatter indicates there was also a desire to launch new attacks because both #OpIsrael and #OpUSA were regarded as ineffective.

    Users should note that June 20 is only the day on which most attacks are expected to occur and/or be made public. As with last month’s #OpUSA, they have begun mobilizing prior to that date. Since the announcement of this operation, targets have been hit, credentials have been stolen, and the list of targets is already growing.

    It is also not uncommon for these activities to be used as a distraction to mask other attacks. Based on the collateral damage recorded from previous operations and on data leaks outside the publicized attack dates, their targeting and timing aren’t always precise either.

    An announced operation like this is a good opportunity for all existing and potential targets to exercise the steps necessary to protect themselves. Everyone is a target eventually; there will always be vulnerabilities to be exploited for cause or profit.

    If your organization, or the country you defend, is a potential target in this operation, you should consider taking the following steps and possibly more. If you’re in any way connected to the targeted industries or located in one of the potential target countries, we advise that you consider going through these steps anyway. Even if you are not affected or linked to the expected targets, you may use these steps as proactive measures against attacks like #OpPetrol.

    Before June 20:

    • Ensure all IT systems (OSs, applications, websites, etc.) are updated.
    • Ensure IT security systems are current, have as wide a view as they can, and can inspect deeply. Can they detect and prevent the individual phases of an attack plan, and can they be integrated into a kill-chain analysis? Can they observe indicators over the network, on disk, and in memory?
    • Ensure relevant third party vendors are aware and accessible.
    • Probe any anomalous network and system behavior and examine it. Reconnaissance phases of the attack are already in play. Opportunities for exploit are being logged and credentials are already being stolen. Solutions such as Trend Micro Deep Discovery can help you examine dubious network activities.
    • Remind your users to be particularly careful and watch out for phishing and spear-phishing emails.
    • Plan or review your incident response procedures with all necessary parties (not only IT groups). Explore how the planned response differs among DDoS, defacement, and disclosure.
    • Have IT Security, Attorneys, and External Communications departments prepare or review public statements in the event your organization is affected. Ask how your statements and response might differ if it weren’t a hacktivist group but a criminal, nation state, insider, or terrorist.
    • Monitor the many Anonymous sources for any changes in targeting, tools, or motives, and for lists of accomplishments or data dumps.

    On June 20:

    • Note that attackers may attack across different time zones, so it can last longer than the 24 hours in your time zone.
    • Continue to monitor Anonymous’ sources for any changes in targeting, tools, or motives, and for lists of accomplishments or data dumps.
    • Exercise a high level of awareness of your IT and IT Security systems and their logs; continue to apply questioning curiosity to anything interesting.
    • If you think your organization is affected, assume that you are affected by DDoS, defacement, and disclosure – and not just one of them.

    After June 20:

    • Continue to monitor Anonymous’ sources for any lists of accomplishments or data dumps.
    • If you’ve made it into Anonymous’ news, you’ll be remediating and designing against future occurrences.
    • If you didn’t make it into Anonymous’ news, review for any sign of breach, compromise, or excessive probing.
    • Remain vigilant, especially if you’re in the target list. The attacks may not be over.
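    The checklist above asks defenders to probe anomalous behavior and to treat DDoS, defacement, and disclosure as a bundle rather than as separate events. The following Python script is an added example, not part of the original post, of the kind of simple first-pass triage an analyst can run over web server access logs: it flags source addresses that walk through many distinct non-existent paths (reconnaissance/probing) and addresses whose per-minute request volume exceeds a threshold (flood-style volume). The log lines, the addresses (from the RFC 5737 documentation ranges) and the thresholds are constructed for the example; the `_line` helper only builds the sample data.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def _line(ip, sec, path, status):
    """Build one constructed access-log line (sample data only, not real traffic)."""
    return (f'{ip} - - [18/Jun/2013:10:01:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one normal visitor, one host probing for admin/backup paths,
# and one host sending 90 requests inside a single minute.
SAMPLE_LOG = (
    [_line("203.0.113.7", 2, "/index.html", 200)]
    + [_line("198.51.100.9", 3 + i, p, 404) for i, p in enumerate(
        ["/admin/", "/phpmyadmin/", "/wp-login.php", "/.git/config",
         "/backup.zip", "/cgi-bin/test"])]
    + [_line("192.0.2.44", i % 60, "/", 200) for i in range(90)]
)


def parse(lines):
    """Yield parsed records, silently skipping lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_probing(records, min_distinct_404=5):
    """Source IPs that requested at least min_distinct_404 different missing paths."""
    missing = defaultdict(set)
    for r in records:
        if r["status"] == "404":
            missing[r["ip"]].add(r["path"])
    return {ip: sorted(paths) for ip, paths in missing.items()
            if len(paths) >= min_distinct_404}


def find_flood(records, max_per_minute=60):
    """(ip, minute) pairs whose request count exceeds max_per_minute."""
    counts = defaultdict(int)
    for r in records:
        minute = r["ts"][:17]          # "18/Jun/2013:10:01" from "18/Jun/2013:10:01:02 +0000"
        counts[(r["ip"], minute)] += 1
    return {key: n for key, n in counts.items() if n > max_per_minute}


def analyze(lines):
    """Run both checks over the log and return the findings for an analyst to review."""
    records = list(parse(lines))
    return {"probing": find_probing(records), "flood": find_flood(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The thresholds are deliberately low so the constructed sample trips them; in production they must be tuned against a baseline of the site’s normal traffic, and a hit is a starting point for investigation, not a verdict.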

    Similar to how DDoS, defacement, and disclosure tactics can distract and mask each other, so can threat actors. A hacktivist group’s activity can mask or distract criminal, nation state, insider, or even terrorist activity.

    Announced operations like these, with their relatively open disclosure of tactics, tools, and procedures, are golden opportunities for evaluating and improving countermeasures in real-world scenarios. Taking advantage of these opportunities helps train people, process, and technology to recognize the signals of a targeted attack regardless of whether it is publicly disclosed or covert.

    For more information on how targeted attacks work and how organizations can better protect themselves from such threats, you may refer to some of our previous entries here.


    Earlier in February we blogged about RARSTONE, a Remote Access Tool (RAT) that we found shares some characteristics with PlugX, an older and better-known RAT. In April, the same malware family used the Boston Marathon bombing as part of its social engineering bait.

    Since then, we’ve been looking out for further attacks using RARSTONE. We’ve seen it used in targeted attacks across Asia, hitting several industries including telecommunications, oil and gas, government, and media. These targets are located in various countries including India, Malaysia, Singapore, and Vietnam. To better identify this campaign, we are calling it Naikon, based on the user-agent string commonly found in related attacks (NOKIAN95/WEB).

    These attacks were carried out via spear-phishing emails sent to the target organizations, using messages related to diplomatic discussions in the Asia-Pacific region.

    The spear-phishing email contains a malicious document as an attachment, which exploits CVE-2012-0158, an older vulnerability in the Windows common controls. This vulnerability was also used in other targeted attacks, most recently the “Safe” campaign that compromised several government agencies, media outlets and other institutions.

    When the target opens the attachment, a decoy document is dropped onto the system so that the victim believes the decoy is the file they opened. In reality, opening the attachment also drops BKDR_RARSTONE. The malware downloads its backdoor component from a C&C server and loads it directly into memory. This behavior makes RARSTONE difficult to detect using ordinary, file-based scanning technologies.

    Figure: RARSTONE infection chain

    What makes RARSTONE unique compared to PlugX and other RATs is its ability to read installer properties from the Uninstall registry keys. This tells it which applications are installed on the system and how to uninstall them, in case those applications inhibit RARSTONE’s functions. It also uses SSL to encrypt its communication with its C&C server, which not only protects that connection but also makes it blend in with normal traffic.

    The attackers behind Naikon clearly tried to make the work of security researchers more difficult. The domains used by this campaign were either dynamic DNS domains or were registered through registrars offering privacy protection.

    Targeted attacks like this are typically part of broader campaigns meant to stay under the radar and steal information from target entities. Traditional technologies like blacklisting and perimeter controls are not enough to detect or block the components of these campaigns. Instead, enterprises need to increase their visibility and control over their networks in order to identify dubious network traffic.
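    One concrete piece of the “visibility” the paragraph above calls for is matching known indicators against proxy logs. The script below is an added example (not code from the original post or from Trend Micro) that searches proxy log lines for the NOKIAN95/WEB user-agent string the post associates with Naikon and pivots the hits by internal client and destination host, which is what an analyst needs next. The log format (time, client, method, host, path, status, quoted user-agent), the client addresses and the destination hostnames are constructed assumptions for the example; it assumes the proxy records the user-agent of the request.

```python
import re
from collections import Counter, defaultdict

# Indicator taken from the post: user-agent string seen in Naikon-related attacks.
NAIKON_USER_AGENT = "NOKIAN95/WEB"

# Constructed proxy log lines in a hypothetical space-separated format
# (time client method host path status "user-agent"). Hosts are placeholders.
SAMPLE_PROXY_LOG = """\
2013-06-13T09:14:02Z 10.1.5.23 GET intranet.example.internal /news 200 "Mozilla/5.0 (Windows NT 6.1)"
2013-06-13T09:14:09Z 10.1.5.23 GET updates.example.internal /patch.cab 200 "Microsoft BITS/7.5"
2013-06-13T09:15:41Z 10.1.7.88 GET cdn-placeholder.example /a.gif 200 "NOKIAN95/WEB"
2013-06-13T09:16:05Z 10.1.7.88 GET cdn-placeholder.example /b.gif 200 "NOKIAN95/WEB"
2013-06-13T09:16:30Z 10.1.9.14 GET www.example.com / 200 "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_proxy_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_user_agent_hits(text, indicator=NAIKON_USER_AGENT):
    """Return every request whose user-agent contains the indicator (case-insensitive)."""
    needle = indicator.lower()
    return [rec for rec in parse_proxy_log(text) if needle in rec["ua"].lower()]


def pivot_hits(hits):
    """Group hits by internal client, counting destination hosts, for follow-up triage."""
    by_client = defaultdict(Counter)
    for rec in hits:
        by_client[rec["client"]][rec["host"]] += 1
    return {client: dict(hosts) for client, hosts in by_client.items()}


if __name__ == "__main__":
    hits = find_user_agent_hits(SAMPLE_PROXY_LOG)
    for client, hosts in pivot_hits(hits).items():
        print(f"{client}: {hosts}")
```

A user-agent string is a weak indicator on its own (it is trivially changed by the attacker), so a hit should be treated as a lead that is corroborated with the other signals the post describes, such as the in-memory backdoor load and SSL connections to dynamic DNS or privacy-protected domains.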

    Tools like Trend Micro Deep Discovery can help IT admins accomplish this, in the broader context of a custom defense necessary to detect intrusions in the network. Deep Security also protects users from exploits using CVE-2012-0158 via DPI rule 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158).

    With additional insights by Senior threat researcher Jessa dela Torre


    The past few weeks have seen some very high-profile sites adopt two-factor authentication in one form or another. First was Twitter, followed soon by Evernote and LinkedIn.

    For users of these sites, these represent a welcome improvement to their security. In the event that their password is (somehow) compromised, an attacker faces another barrier before they can gain access.

    There is still room for improvement. All three services use text message verification, i.e., they send an access code to the user’s phone when somebody tries to log in. Unfortunately, mobile malware can also intercept text messages, so it is possible for a clever attacker to capture these codes.

    An alternative which some sites use is an authenticator app, which generates the verification code on the device itself. Some sites require their own app; other sites are compliant with RFC 6238, so that a single app can authenticate multiple services.

    There are also some usability challenges. Not all apps or operating systems allow the user to enter authentication codes (actually, relatively few do). In these cases, you need to create an application- or device-specific password, if the service supports it. (Theoretically, a bad implementation of these could pose a risk as well.) In addition, there is the very real problem of people losing their phones. In the United States alone, 1.6 million people lost their smartphones in 2012. A large service rolling out two-factor authentication has to consider some way for users to authenticate if they’ve lost their device.

    This highlights the importance of the stolen device problem we talked about recently. Not only are mobile devices valuable in and of themselves and full of the user’s personal data, they can also act as the keys to the rest of the user’s accounts.

    Of course, these three services are not the only ones to introduce two-factor authentication. Many other high-profile companies like Blizzard, Facebook, Google, and Microsoft all support some form of two-factor authentication. Users should check which of their services support it and strongly consider activating it.


    Microsoft has released five security bulletins for June 2013, a relatively light month compared to previous ones. Despite this, users must update their systems immediately to avoid web threats that leverage software vulnerabilities.

    This roster of security fixes includes updates for vulnerabilities found in Windows and Internet Explorer, which were rated Critical. This means that IT administrators and users should prioritize these and apply the fixes immediately to avoid the greatest risk. By exploiting these vulnerabilities, an attacker can execute malware on vulnerable systems, which can lead to information theft and security compromise, among other consequences.

    The other security bulletins for this month are rated Important and resolve vulnerabilities in Windows and MS Office. If these fixes are not applied promptly, users’ systems can be exposed to threats such as unwanted data disclosure, malware execution, and denial-of-service (DoS) attacks.

    For its part, Adobe has released a fix for vulnerabilities found in certain Adobe Flash Player versions. Users are advised to apply this too, as successful exploitation may lead to a vulnerable system being infected with malware.

    Some users may take these few bulletins lightly and delay updating their systems with these fixes. However, now is not the right time to be lax security-wise (there’s actually no ‘right’ time to be lax when it comes to security). Anonymous has recently announced their #OpPetrol cyber attack campaign, which is reportedly targeting oil companies in a dozen countries (including the United States, United Kingdom, and Canada, among others). Such attacks usually exploit vulnerabilities to penetrate their targets’ networks, usually to gather more information which they can use to further harm their victims.

    Every vulnerability, however small, can be used against you, so it is important to guard your systems from attacks. Users are advised to apply these bulletins as soon as possible. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

    Update as of June 13, 12:16 PDT

    Microsoft has noted an ongoing attack against specific targets that exploits CVE-2013-1331, which is one of the vulnerabilities resolved for this month. Trend Micro Deep Security already protects users from this threat via DPI rule 1005546 – Microsoft Office Buffer Overflow Vulnerability (CVE-2013-1331).


    In our monitoring of the GAMARUE malware family, we found a variant that used the online code repository SourceForge to host malicious files. This finding is the latest development we’ve seen since the increase in infection counts observed last month.

    SourceForge is a leading code repository for many open-source projects, giving developers a free site on which to host and manage their projects online. It is currently home to more than 324,000 projects and serves more than 4 million downloads a day. Its popularity among programmers and users makes it an ideal venue for making this malware available to users.

    GAMARUE malware poses a serious risk to users; attackers are able to gain complete control of a system and use it to launch attacks on other systems, as well as to steal information. The most common ways it reaches user systems are infected removable drives and visits to sites compromised with the Blackhole Exploit Kit.

    This attack is made up of four files. The first is a shortcut, which appears to be a shortcut to an external drive (this is detected as LNK_GAMARUE.RMA). Instead of a drive, however, it points to a .COM file (detected as TROJ_GAMARUE.LMG).

    The .COM file runs another executable file, which has been disguised as a desktop.ini file. This third file (detected as TROJ_GAMARUE.RMA) decrypts the main GAMARUE file, which has been disguised as a thumbs.db file. The main GAMARUE file (detected as WORM_GAMARUE.LJG) is decrypted and saved in a folder under the Windows directory.

    Figure 1. GAMARUE Infection Chain

    Once the main executable is decrypted, it downloads updates to itself, as well as further malicious files, from a SourceForge project. In effect, SourceForge is made to unwittingly host malicious files.
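    The four-file chain described above relies on files that look like Windows housekeeping artifacts (a drive-style shortcut, desktop.ini, thumbs.db) but are not. The following Python script is an added example, not from the original post, of a lightweight check an incident responder can run against the root of a mounted removable drive: it flags a desktop.ini that begins with a PE (“MZ”) header instead of INI text, a thumbs.db that is not an OLE compound document (a genuine Thumbs.db is one), and .COM or .LNK files sitting at the drive root. The sample drive layout is built in a temporary directory from constructed, harmless bytes; it assumes nothing about the real samples beyond the file names and roles the post gives.

```python
import tempfile
from pathlib import Path

# A genuine Thumbs.db is an OLE2 compound document and starts with this signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Windows executables (PE files) start with the "MZ" DOS header.
PE_MAGIC = b"MZ"


def _head(path: Path, n: int = 8) -> bytes:
    """Read the first n bytes of a file for magic-number checks."""
    with open(path, "rb") as fh:
        return fh.read(n)


def scan_drive_root(root) -> list:
    """Return (file name, reason) pairs for files at the drive root matching the chain."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        head = _head(entry)
        if name == "desktop.ini" and head.startswith(PE_MAGIC):
            findings.append((entry.name, "PE executable disguised as desktop.ini"))
        elif name == "thumbs.db" and not head.startswith(OLE_MAGIC):
            findings.append((entry.name, "thumbs.db is not an OLE compound file (possible encrypted payload)"))
        elif name.endswith(".com"):
            findings.append((entry.name, ".COM executable at drive root"))
        elif name.endswith(".lnk"):
            findings.append((entry.name, "shortcut at drive root (verify its target)"))
    return findings


def build_constructed_sample() -> str:
    """Create a temp directory mimicking the described layout with harmless constructed bytes."""
    d = tempfile.mkdtemp(prefix="gamarue_layout_demo_")
    # Shortcut file: only the 4-byte LNK header size field, no real target (constructed).
    Path(d, "Removable Disk.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 60)
    Path(d, "x.com").write_bytes(b"\xcc" * 16)                 # stands in for the .COM loader
    Path(d, "desktop.ini").write_bytes(b"MZ" + b"\x00" * 62)   # PE header where INI text belongs
    # Deterministic non-OLE bytes standing in for the encrypted main file.
    Path(d, "thumbs.db").write_bytes(bytes((i * 37) % 256 for i in range(64)))
    Path(d, "notes.txt").write_bytes(b"benign text file")     # should not be flagged
    return d


def build_benign_sample() -> str:
    """Temp directory with legitimate-looking housekeeping files (no findings expected)."""
    d = tempfile.mkdtemp(prefix="benign_layout_demo_")
    Path(d, "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n")
    Path(d, "Thumbs.db").write_bytes(OLE_MAGIC + b"\x00" * 56)
    Path(d, "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
    return d


if __name__ == "__main__":
    for name, reason in scan_drive_root(build_constructed_sample()):
        print(f"{name}: {reason}")
```

The check is intentionally name-and-magic based so it runs without any signature database; on a real drive, a hit should be followed by submitting the flagged files for analysis rather than opening them, and the drive’s autorun and shortcut handling should be considered compromised until the files are removed.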

    SourceForge User Serves More Gamarue Variants

    The malicious files in the above example were hosted under the tradingfiles project. The same user created two more projects that were also used to host malicious GAMARUE files: ldjfdkladf and stanteam. New files were uploaded in these projects from June 1 onwards.

    As we noted in our 2013 predictions, legitimate cloud providers are likely to come under attack this year. A site like SourceForge is a perfect target for abuse by cybercriminals.

    Trend Micro protects users from this by detecting and deleting these GAMARUE variants. We’ve contacted SourceForge so these files can be removed from their servers as soon as possible.

    With analysis from Threat Response Engineer Lenart Bermejo

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice