Monthly Cyber Summary – March 2016

Our Monthly Cyber Summary reports a selection of the top trending stories in cyber security from the last calendar month. Keep up to date with some of the most prominent and strongly emerging malware, hacker groups, hacker ops, attack types, vulnerabilities and cyber stories with Silobreaker. 

Malware

KeRanger Ransomware
First reported by Palo Alto Networks on March 4th, KeRanger shot into the limelight on March 7th when news broke of the first fully functional ransomware for the Mac. Distributed via compromised downloads of the Transmission torrent client (version 2.90), KeRanger was signed with a legitimate Apple developer certificate, which allowed it to bypass Apple’s Gatekeeper protection.

KeRanger is distributed via downloads of Transmission. Image source: Palo Alto Networks.

After encrypting certain file types, KeRanger demands that infected users pay a fee of one Bitcoin (about $400) to retrieve their files.

Silobreaker Time Series showing a huge spike in KeRanger mentions.

Once KeRanger was picked up, Apple immediately took steps to curb its spread by revoking the certificate, so the infected version of the Transmission installer would no longer run. Meanwhile, Transmission urged people to upgrade to an updated version of its software. Nevertheless, the old mantra that Apple’s products are infallible has taken yet another dent.

KeRanger’s technical details can be found here.

AceDeceiver Malware 
A major new family of iOS malware was identified in March. Known as AceDeceiver, like KeRanger it was uncovered by researchers at Palo Alto Networks. The malware is notable for its method of attack, which, unusually, does not abuse enterprise certificates to gain access to users’ devices.

Silobreaker Time Series showing trending malware with AceDeceiver exploding in the middle of March.

AceDeceiver exploits Apple’s FairPlay DRM protection via a Man in the Middle attack. Apple customers can purchase apps via iTunes for later installation on their devices, with the proviso that they must activate these apps using an authorisation code. Authorisation codes theoretically prevent pirated apps from being successfully installed on iOS devices, but malware authors have discovered that they can buy apps themselves, intercept these codes, and then use them to distribute malicious apps (in this case AceDeceiver) that users never paid for.

Once apps infected with AceDeceiver are on a user’s phone, they have the capacity to siphon off Apple IDs and passwords. Apple’s App Store is renowned for being more secure than its Android counterpart, but this infiltration is evidence that even Apple cannot prevent the spread of mobile-based malware. Security researcher Will Strafach believes that the incredible growth in the popularity of Apple products means that their security team cannot vet new apps quickly or thoroughly enough: “It seems that Apple’s review process has not caught up to the huge amount of apps being submitted, I don’t know if their staff have proper tools at hand to conduct security checks.”

At present AceDeceiver is only operating in mainland China, but it has the capacity to spread quickly and is therefore a threat well worth monitoring.

Petya Ransomware
Petya seems like the logical next step for ransomware authors. Screen-lockers are passé, while barely a week seems to go by without another crypto-locker taking a set of files hostage. Petya, on the other hand, is a snob. Rather than targeting a hardcoded set of file extensions, it will encrypt the system’s Master File Table (MFT) under the guise of running a disk repair.

Petya ransomware tops Silobreaker’s Heat widget for mentions.

The MFT is basically a table of contents for your hard drive. It lists the location, attributes and permissions of every stored file, so encrypting it makes your system practically unusable. It’s also a lot faster than encrypting individual files; by default, the MFT is allocated 12.5% of the drive’s space, and usually this is more than enough. So what about the ransom note? To add insult to injury, Petya’s ransom note also incorporates a lock-screen, complete with a flashing skull and instructions for downloading TOR.

If you see this, you’re in trouble.

You can avoid Petya by not downloading any Dropbox files that you receive by email, especially if you’re working in HR for a German company, as this appears to be the ransomware’s target audience. If you are infected, however, all is not yet lost. In the first stage of compromise, Petya XORs the Master Boot Record (MBR) to prevent a standard reboot and points the system at its own malicious loader. It then forces a blue screen to get the user to reboot, which brings up the second-stage (fake) check disk dialogue. It is actually possible to back up files before the restart takes place, in which case the MBR can be repaired and a clean version of Windows installed. Unfortunately, if the second stage does go through, there is currently no way to recover encrypted data without paying for a key.
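The first-stage behaviour described above (sector 0 rewritten and XOR-encoded) lends itself to a simple integrity check from the defender’s side. The following is an added example, not code from this summary or from the original Petya analysis: it builds a constructed, healthy 512-byte MBR image, simulates the sector being XOR-encoded with a single-byte key (the key, the boot-code bytes and the sample partition layout are assumptions for the demonstration, not Petya’s actual encoding), and shows how validating the 0x55AA boot signature and the four partition entries flags the rewritten sector. Comparing the sector’s hash against a baseline taken from a known-good machine catches any other change to it.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr() -> bytes:
    """Constructed, healthy MBR: stub boot code, one bootable NTFS partition, signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def xor_sector(sector: bytes, key: int) -> bytes:
    """Simulate sector 0 being XOR-encoded with a single-byte key (hypothetical key)."""
    return bytes(b ^ key for b in sector)


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def check_mbr(sector: bytes) -> dict:
    """Return structural findings plus a hash for comparison with a known-good baseline."""
    digest = hashlib.sha256(sector).hexdigest()
    if len(sector) != SECTOR_SIZE:
        return {"ok": False, "findings": ["wrong sector length"], "sha256": digest}
    findings = []
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(sector)
    for i, e in enumerate(entries):
        # Only 0x00 (inactive) and 0x80 (bootable) are valid status bytes.
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{e['status']:02x}")
        # An unused slot should be all zeros; geometry without a type is garbage.
        if e["type"] == 0 and (e["lba"] or e["sectors"]):
            findings.append(f"partition {i}: empty type but non-zero geometry")
    if not any(e["type"] != 0 for e in entries):
        findings.append("no partition entries")
    return {"ok": not findings, "findings": findings, "sha256": digest}


def matches_baseline(sector: bytes, known_good_sha256: str) -> bool:
    """True when the sector is byte-identical to the recorded known-good image."""
    return hashlib.sha256(sector).hexdigest() == known_good_sha256


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = hashlib.sha256(healthy).hexdigest()
    tampered = xor_sector(healthy, 0x37)  # constructed key, for illustration only
    for label, img in (("healthy", healthy), ("xor-encoded", tampered)):
        result = check_mbr(img)
        print(label, "ok" if result["ok"] else "SUSPICIOUS", result["findings"],
              "baseline match:", matches_baseline(img, baseline))
```

On a real machine the 512 bytes would be read from the physical disk (for example with `dd` on a rescue system) rather than built in memory; the structural checks are generic to any MBR, while the baseline hash has to be recorded per machine while it is known to be clean.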

Petya ransomware user instructions.

Hacker Groups

Syrian Electronic Army (SEA)
The well-known hacker group, which claims to support Syrian President Bashar al-Assad, has been active since 2009. It came to the fore last month after the US Department of Justice charged three of its alleged members.

A close-up snapshot of the Silobreaker Network view for SEA showing how it relates to a selection of organisations, companies and people.

The trio were charged with multiple counts involving conspiracy to commit computer crimes. Amongst these crimes are various attacks on US Government, private sector and media organisations, as well as social media account hijacks. Using spear phishing techniques, the SEA sent their targets emails designed to look like they came from a trusted source; each contained a link that led victims to hand over their credentials.

The adversaries have been named as 27-year-old Firas Dardar AKA ‘The Shadow’, 36-year-old Peter Romar AKA ‘Pierre Romar’, and 22-year-old Ahmad Umar Agha AKA ‘The Pro’.

In one memorable hack back in 2013, the SEA took over the Associated Press’s Twitter account, sending out a message that falsely claimed that there had been an explosion at the White House and that President Obama was injured. The hoax briefly caused a $136 billion dip in the stock market.

Operation Transparent Tribe
A major Advanced Persistent Threat (APT) was uncovered by researchers at Proofpoint in the last month. Operation Transparent Tribe targets Indian military and diplomatic personnel who operate in embassies across the world.

Initially attacks against Indian embassies in Saudi Arabia and Kazakhstan were thought to be isolated incidents, but Proofpoint unearthed a hugely complex operation utilising a number of attack vectors and malware strains.

A snapshot of the Silobreaker Network view for Op Transparent Tribe showing how it relates to a selection of attack types, companies, organisations and products.

Transparent Tribe employs a multifarious malware family known as MSIL/Crimson, and distributes it via a number of attack techniques, including sophisticated phishing attacks, watering hole campaigns and mass spam email distribution. The Crimson Trojan used throughout the operation has a number of data exfiltration capabilities, including the ability to control computer webcams and execute various keylogger functions.

The breadth and complexity of Operation Transparent Tribe has led to widespread speculation that it is a state-sponsored campaign. A researcher at Proofpoint declared that “this is a multi-year and multi-vector campaign clearly tied to state-sponsored espionage. In the world of crimeware, you rarely see this type of complexity.”

Pakistan has been widely touted as the nation behind Operation Transparent Tribe, as its relationship with India is notoriously hostile, and some of the attack vectors were traced back to IP addresses originating in the country.

More recently, Palo Alto has announced that a group of actors called ‘ProjectM’, whom it has identified as being based in Pakistan, is potentially behind Operation Transparent Tribe, only strengthening the claim that the Pakistani state is sponsoring cyber attacks against its regional rival.

An in-depth technical analysis of Operation Transparent Tribe is available here.

Attack types & Vulnerabilities

Advances in Malvertising
In Silobreaker’s 30-day cyber summary for February, we covered the malvertising campaigns that had affected major news sites such as TMZ and Rotten Tomatoes. These campaigns were fairly low in sophistication, and posed a danger mainly because they had infected sites with high traffic volume.

A snapshot of Silobreaker Hot Spots showing global locations relevant to malvertising.

In the past month however, malvertising campaigns have appeared that utilise much more sophisticated attack vectors, designed to increase their efficiency and reduce their visibility to anti-virus programs.

A number of major sites, including Gumtree.com and livejournal.com, have been infiltrated by malvertising attacks that follow the same, highly sophisticated approach.

The more advanced campaigns use two techniques in order to increase their ability to entrap users.

The first is Domain Shadowing, a method of harvesting domain registrar credentials from legitimate companies via phishing attacks. Businesses that offer a product or service are targeted, and an ad banner is designed using images and content from the site being abused. The criminal authors then use the stolen username and password to register a subdomain under the legitimate domain and host the ad banner there. This allows the authors of the attacks to approach reputable websites with highly authentic advertising material that appears to come from a genuine company. Malvertising campaigns thus become active on some of the internet’s most trusted sites, and are therefore less likely to have their origins examined.

Domain Shadowing is then coupled with fingerprinting in order to make the campaign as effective as possible. Fingerprinting is a technique that allows the author to profile a victim’s computer using code injected into the malicious advert banner. This code assesses whether or not the machine is worth infiltrating: it seeks out targets with outdated anti-virus programs and vulnerable software, so the rate of infection is increased. It also avoids non-viable targets, such as computers with strong anti-virus protection or honeypots set up by malware researchers, ensuring that the campaigns go undetected for longer.
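From the legitimate domain owner’s side, Domain Shadowing is a zone-integrity problem: records appear under the company’s domain that nobody in the organisation created. The following added example (not code from this summary or from Malwarebytes) parses a constructed BIND-style zone export, with placeholder hostnames and documentation-range addresses, and flags A records that are absent from a baseline and additionally point outside the organisation’s own address ranges or carry an unusually short TTL. The indicators, the threshold and the requirement for two indicators are assumptions chosen for illustration; a real monitor would read the live zone from the registrar or DNS provider.

```python
import ipaddress

# Constructed zone export standing in for a registrar/DNS API dump.
# The last two records mimic shadowed subdomains: new names, short TTLs,
# addresses outside the organisation's own range.
CURRENT_ZONE = """\
example.com.            3600 IN A     203.0.113.10
www.example.com.        3600 IN A     203.0.113.10
mail.example.com.       3600 IN A     203.0.113.25
ads-cdn7.example.com.    300 IN A     198.51.100.77
promo-x9k2.example.com.  300 IN A     198.51.100.78
"""

# Records the organisation knows it created (hypothetical baseline).
BASELINE = {"example.com.", "www.example.com.", "mail.example.com."}
# Address space the organisation actually operates from (hypothetical).
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
SHORT_TTL = 600  # seconds; assumed threshold for "suspiciously short"


def parse_zone(text: str) -> list:
    """Parse 'name ttl IN type rdata' lines; anything else is skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = parts[:5]
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def find_shadowed(records: list, baseline: set, own_ranges: list, short_ttl: int = SHORT_TTL) -> list:
    """Return (name, reasons) for address records that look like shadowed subdomains."""
    suspicious = []
    for r in records:
        if r["type"] not in ("A", "AAAA"):
            continue
        reasons = []
        if r["name"] not in baseline:
            reasons.append("not in baseline")
        try:
            addr = ipaddress.ip_address(r["rdata"])
            if not any(addr in net for net in own_ranges):
                reasons.append("address outside organisation ranges")
        except ValueError:
            reasons.append("unparseable address")
        if r["ttl"] <= short_ttl:
            reasons.append("short TTL")
        # A new name on its own may be a colleague's change; require a second
        # indicator before raising it, to keep the alert volume manageable.
        if "not in baseline" in reasons and len(reasons) > 1:
            suspicious.append((r["name"], reasons))
    return suspicious


if __name__ == "__main__":
    for name, reasons in find_shadowed(parse_zone(CURRENT_ZONE), BASELINE, OWN_RANGES):
        print(f"SUSPICIOUS {name}: {', '.join(reasons)}")
```

The check is only as good as the baseline, so it belongs in a scheduled job that also re-baselines after every approved change; the credential theft that makes Domain Shadowing possible is better prevented by multi-factor authentication on the registrar account than detected after the fact.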

Screenshots showing malvertising in action on Gumtree | Image source: Malwarebytes.com

Malvertising campaigns have clearly increased in sophistication. A user no longer needs to click on an infected ad to be affected; merely loading the ad banner is now enough to trigger silent redirection code that loads exploit kits and Trojans.

Badlock
It was March 22nd when rumours of a new vulnerability known as ‘Badlock’ began to spread around the security industry. Engineers from Microsoft and the Samba Team immediately got to work in an effort to fix the critical vulnerability, announcing that patches would be available on April 12th.

The future patch date still leaves well over a week for any adversaries and curious researchers to discover the vulnerability. Whoever finds it could either be in for a PR coup or a weapon to exploit for criminal purposes. The race is very much on.

Whilst no technical details of Badlock are actually known, the bug does have its own name, logo and website. This branding effort has caused a debate, with one side arguing the positive impact of making an otherwise generic CVE number more memorable and the other sensing that a branded vulnerability could be leveraged for commercial gain. This incentivises those who can reap such commercial benefit to brand everything they discover and talk up its severity.

The Badlock vulnerability was discovered and named by Johannes Loxen who took to Twitter to express the benefits that branding the vulnerability is bringing to his company, SerNet.

Story of the month

Insiders, corruption & the Bangladesh Bank Heist: What happened to Tanvir Hassan Zoha?
The recent theft of $81 million from Bangladesh Bank’s Federal Reserve account was one of the largest (and most interesting) cyber-heists in history, and it was certainly covered that way. From the moment a spelling error was reported to have cost the thieves $900 million (in actuality ‘only’ $20 million), it was clear that this was going to be a media rollercoaster. But behind the resignations, recriminations and dubious accounting practices of Philippine banks is another, rather peculiar story.

Tanvir Hassan Zoha is an IT security expert and a director/chairman of the Insight Bangladesh Foundation. He was described in interviews as ‘the focal person of the ICT Ministry’s Cyber Security Programme’ right up until March 14th, when the government’s ICT division denied any link with him whatsoever. This was curious, because he had worked with the police cybercrime unit to track Islamist terrorist groups like Jamaat-e-Islami only a month before. He had also (reportedly) aided police with a murder investigation involving off-shoots of these same groups on the 26th of February.

An annotated Time Series showing how the curious series of events unfolded over the month of March.

Zoha appears to have had a working relationship with Bangladesh Bank. He was involved in an investigation into ATM skimmers and card fraud throughout February, offering ‘expert commentary’ to the press. After the heist was reported, Zoha was one of the first to comment. Suggesting that there had to be a local link for the theft to have worked, he noted that SWIFT codes and bank IDs would have been needed for the transfers. Zoha gave a second, similar interview on the 13th of March, noting a bank official may have been involved in the heist. By the next day, Zoha was no longer part of the ICT Division. Three days later he disappeared.

According to the friend he had gone to meet, they had been stopped and separated while travelling in a rickshaw. Zoha had been taken away in a jeep by unknown men, while the friend had been dropped off far from their original location. It had taken him hours to get home and call Zoha’s family to let them know what had happened.

Law enforcement didn’t appear to be interested. Zoha’s family accused the police of repeatedly stone-walling based on jurisdictional issues, and were forced to travel to several different stations to report his disappearance. Finally, on the eve of filing a report, the family received a call stating that Zoha would be returned. They were unwilling to say more in case it brought him harm, although a government source speaking on condition of anonymity said that he “wasn’t a big fish [and] would turn up after a few days.”

On the 23rd of March, Zoha did indeed turn up. According to the law enforcement officers who dropped him off at his home, Zoha was found wandering near a train station in the early hours of the morning in a ‘disoriented mental state’. He was not questioned by police and his family have issued no statement as of yet.

Investigations into the Bangladesh Bank heist have so far focused on recovering the money from the Philippine banks and casinos that intended to launder it. It was suggested several times that insiders were involved in the theft, but the resignation of Atiur Rahman, two governors and a secretary appears to have ended speculation for the moment. Yet several questions still remain: was Tanvir Hassan Zoha lying? Did he know too much – or not quite enough to disappear permanently?

Leak of the month

Verizon
It’s been an embarrassing month for Verizon, as hackers made off with contact details for some of the company’s biggest customers. On the 24th of March KrebsonSecurity discovered that the contact information for 1.5 million Verizon Enterprise Solutions customers was being sold on an underground forum for $100,000.

Silobreaker Word Cloud showing word associations with the Verizon leak.

Enterprise Solutions is a B2B component of Verizon that sells networking, hosting and managed security services to numerous Fortune 500 companies. It appears that a (now repaired) vulnerability on the vendor’s website allowed hackers to access the database and dump its contents. Though no proprietary information was lost, the leak is likely to have serious consequences; contact details for executives in major companies across the world will certainly provide attackers with a rich list of potential phishing targets.

The irony of this breach is unlikely to be lost on Verizon, whose cybersecurity chops are well documented, not least when it comes to investigating data-breach issues.

The Silobreaker Team
