Dridex – Password Bypass, Extracting Macros, and Rot13

When attackers decide to password protect something, it can be very frustrating as an analyst, because we are often left with few options to find out what they are protecting. If this happens, we can always try to straight up brute force the password, but unless the attackers use something like 1q2w3e4r, we’re up a creek without an oar. If it’s an MD5 hash of a password, we have many more options to crack it. In the case of xls files, we have the option to essentially “wipe out” the password and give it our own password. In a recent wave of Dridex phishing emails, this is what we saw. Here’s the phishing email sent to one PhishMe employee:
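Before going further, here is the “wipe out the password” trick the introduction alludes to, written out as an added example; this is not code from the original post. In a binary .xls or .doc the VBA project password is not a document open-password at all: it is an obfuscated value stored as a `DPB="…"` entry in the PROJECT stream of the VBA storage (`_VBA_PROJECT_CUR/PROJECT` in Excel, `Macros/PROJECT` in Word). Renaming the key to `DPx` makes Office treat the password as invalid and open the project without one, and replacing the value with a `DPB` of the same length copied from a document whose password we set ourselves makes the project accept our password. The sample stream and both hex values below are constructed placeholders, and `patch_vba_project_password` assumes the third-party `olefile` package for the one step that touches a real file.

```python
import re
from typing import Optional

# PROJECT stream entry holding the obfuscated VBA project password
# (MS-OVBA "ProjectPassword"); Office writes it as  DPB="<hex>".
DPB_LINE = re.compile(rb'^(?P<key>DPB)="(?P<hex>[0-9A-Fa-f]+)"', re.MULTILINE)

# Constructed sample of a PROJECT stream. Hex values are placeholders,
# not real Office output; the surrounding keys are the ones Office emits.
SAMPLE_PROJECT_STREAM = (
    b'ID="{11111111-2222-3333-4444-555555555555}"\r\n'
    b'Document=ThisWorkbook/&H00000000\r\n'
    b'Module=Module1\r\n'
    b'Name="VBAProject"\r\n'
    b'HelpContextID="0"\r\n'
    b'VersionCompatible32="393222000"\r\n'
    b'CMG="A1A1A1A1A1A1A1A1A1A1A1A1A1A1"\r\n'
    b'DPB="B2B2B2B2B2B2B2B2B2B2B2B2B2B2"\r\n'
    b'GC="C3C3C3C3C3C3C3C3C3C3C3C3C3C3"\r\n'
    b'\r\n'
    b'[Host Extender Info]\r\n'
    b'&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000\r\n'
)

# Hypothetical DPB copied from a document whose project password we set
# ourselves. It must be exactly as long as the value it replaces.
KNOWN_DPB = b"D4D4D4D4D4D4D4D4D4D4D4D4D4D4"


def _find_dpb(project_stream: bytes) -> "re.Match[bytes]":
    m = DPB_LINE.search(project_stream)
    if m is None:
        raise ValueError("no DPB entry: VBA project is not password-protected")
    return m


def get_dpb(project_stream: bytes) -> bytes:
    """Return the hex DPB value, or raise if the project has no password."""
    return _find_dpb(project_stream).group("hex")


def neutralise_dpb(project_stream: bytes) -> bytes:
    """Rename DPB to DPx so Office drops the password and lets us set a new one.

    Only the key name changes, so the stream keeps its exact size and can be
    written back into the OLE container in place.
    """
    m = _find_dpb(project_stream)
    return project_stream[: m.start("key")] + b"DPx" + project_stream[m.end("key"):]


def swap_dpb(project_stream: bytes, known_dpb: bytes) -> bytes:
    """Replace the DPB value with one from a document whose password we know."""
    m = _find_dpb(project_stream)
    if len(known_dpb) != len(m.group("hex")):
        raise ValueError(
            f"replacement DPB must be {len(m.group('hex'))} hex chars "
            "to keep the stream size unchanged"
        )
    return project_stream[: m.start("hex")] + known_dpb + project_stream[m.end("hex"):]


def patch_vba_project_password(path: str, known_dpb: Optional[bytes] = None) -> bytes:
    """Rewrite the PROJECT stream inside a real .xls/.doc in place.

    Needs the third-party olefile package (pip install olefile); work on a
    copy of the sample. Returns the old DPB value for the analyst's notes.
    """
    import olefile  # imported here so the byte-level helpers above run without it

    ole = olefile.OleFileIO(path, write_mode=True)
    try:
        project = next(p for p in ole.listdir(streams=True) if p[-1] == "PROJECT")
        stream = ole.openstream(project).read()
        old_dpb = get_dpb(stream)
        patched = swap_dpb(stream, known_dpb) if known_dpb else neutralise_dpb(stream)
        ole.write_stream(project, patched)  # same size, so in-place write is allowed
    finally:
        ole.close()
    return old_dpb
```

Two things worth knowing when using this: the project password only guards the VBE view, so a tool like olevba dumps the macro source from the compressed module streams without touching the password at all; and if a particular Office build still complains after the DPB swap, replacing the neighbouring CMG and GC values from the same donor document the same way covers it.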

Dyre Trojan Expands to Career Website Targets

The MAAWG conference in San Francisco provides an opportunity for the leading hosting companies, Internet Service Providers, and Internet and email security companies to collaborate, develop best practices, and share information. We took the opportunity to speak to attendees about Dyre malware, and how the Trojan is now a serious concern. In recent days, we have seen an aggressive expansion in the targets that Dyre is configured to steal credentials from. Dyre malware is currently being spread via spam email and the Upatre downloader.

We have already reached out to many of the newly impacted brands, several of which had a presence at MAAWG.  The relationships at MAAWG are so critical for maintaining effective response capabilities in the security industry.  Shaking hands and breaking bread with those in charge of security in very large organizations is critical to how the community actually gets things done!

PhishMe Intelligence subscribers will already have received our report on the Dyre Trojan; even before the report was issued, their SIEMs and scripts will have been able to retrieve the campaign information and Indicators of Compromise (IOCs) to help protect their network and identify potentially compromised hosts.

PhishMe Analysis of the Upatre / Dyre Campaign

Today’s Dyre campaign was quite different from many of the previous Dyre campaigns, which used a spam “lure” of a range of British brand names, with financial services companies extensively spoofed.  This campaign was quite high volume, with well over a thousand emails identified early in the morning.

The actual messages attempt to convince the user that their credit card has been charged several thousand dollars by the New York City Department of Finance.  The spam messages all have the “Subject: Thank you for your payment” and the sender appears to be nycserv@finance.nyc.gov.

The attachment, which claims to have more details about the parking fines that have been paid, is in .zip form.

The PDF file is the Upatre executable, the TXT file is the Upatre-encoded version of the binary, while the “cube icon” file is the Dyre Trojan.

Career Sites Now Targeted

The Dyre Trojan uses a special configuration file to prioritize the credentials that it desires to steal.  PhishMe Intelligence subscribers will be familiar with several previous Dyre reports on how these configuration files work.  The current version is the first time that we have seen “Career Sites” targeted by Dyre.  The criminals have posed as employers on the following sites:

SimplyHired, Indeed.com, Monster.com, GlassDoor, CareerBuilder.

The URL substrings that will trigger Dyre’s special actions are listed below:
ads.simplyhired.com/simplypost/sign-in/*
ads.simplyhired.com/v/favicon.ico[?]*

secure.indeed.com/account/login*
employers.indeed.com/jobs?ts=*
employers.indeed.com/candidates?ts=*
*.indeed.com/v/favicon.ico[?]*

hiring.monster.com/Login.aspx*
hiring.monster.com/Challenge.aspx*
hiring.monster.com/jpw/Services/Secure/JCMIIWebServices/Jobs.asmx/GetJobs*
hiring.monster.com/v/favicon.ico[?]*

www.glassdoor.com/partners/login_input.htm*
www.glassdoor.com/v/favicon.ico[?]*

www.careerbuilder.com/share/verifyidentity.aspx*
www.careerbuilder.com/share/setchallengequestions.aspx*
www.careerbuilder.com/share/login.aspx*
www.careerbuilder.com/share/favicon.ico[?]*
www.careerbuilder.com/AJAX/GetProductsByUserGroup.aspx*
www.careerbuilder.com/jobposter/mycb/loadaccountwidgetdata.aspx*
www.careerbuilder.com/jobposter/ajax/myjobs/loadmyjobs.aspx*

Non-Career Sites Also Added Today

We’re not sure why the following were also added.  Perhaps the NewEgg entries indicate a desire to do a little shopping, or perhaps something more sinister is occurring.

secure.newegg.com/NewMyAccount/AccountLogin.aspx*
secure.newegg.com/Shopping/ShoppingLogin.aspx*
secure.newegg.com/*/CheckoutStep1.aspx*
secure.newegg.com/*/CheckoutStep2.aspx*
sellerportal.newegg.com/Pages/Account/LandingPage.aspx*
*.newegg.com/v/favicon.ico[?]*

The criminals also are targeting the administrators of mailing lists hosted by MailChimp, which could allow them to deliver malicious emails on behalf of a “trusted” source, helping the criminals to bypass spam filtering controls.

  • mailchimp.com
  • *.admin.mailchimp.com/campaigns*
  • *.admin.mailchimp.com/lists*
  • *.admin.mailchimp.com/account/domains*
  • *.admin.mailchimp.com/reports*
  • mailchimp.com/v/favicon.ico[?]*

GoDaddy accounts would allow creation of domains and also modification of existing domains for malicious purposes.

*.godaddy.com*
*.godaddy.com/v/favicon.ico[?]*

Lastly, Accurint refers to the LexisNexis Accurint database.  This is a very rich collection of Public Records with more than 37 billion entries that can be used for verifying identities.

  • accurint.com/app/bps/main
  • accurint.com/1/favicon.ico[?]*
  • accurint.com
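To see which pages in an organisation’s own proxy logs would have tripped these hooks, here is an added example that turns the trigger strings above into matchers; it is not code from the original post, nor from the Dyre configuration itself. The wildcard semantics are my assumption, since the page does not state them: `*` matches any run of characters, `?` any single character, and `[?]` a literal question mark (the usual fnmatch convention, which is what the favicon entries look like), with the scheme stripped and the pattern searched anywhere in the remaining URL, case-insensitively, in keeping with the page’s “URL substrings” wording. The trigger subset and the proxy log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Subset of the trigger strings listed above. Assumed semantics (fnmatch-style):
# '*' = any run of characters, '?' = any single character, '[?]' = a literal
# question mark; searched anywhere in the scheme-less URL, case-insensitively.
DYRE_TRIGGERS = [
    "ads.simplyhired.com/simplypost/sign-in/*",
    "secure.indeed.com/account/login*",
    "employers.indeed.com/jobs?ts=*",
    "*.indeed.com/v/favicon.ico[?]*",
    "hiring.monster.com/Login.aspx*",
    "www.glassdoor.com/partners/login_input.htm*",
    "www.careerbuilder.com/share/login.aspx*",
    "secure.newegg.com/*/CheckoutStep1.aspx*",
    "*.admin.mailchimp.com/campaigns*",
    "*.godaddy.com*",
    "accurint.com/app/bps/main",
]

# Constructed proxy log, one "<timestamp> <user> <url>" record per line; not real traffic.
SAMPLE_PROXY_LOG = """\
2015-02-18T09:12:03Z alice https://secure.indeed.com/account/login?hl=en
2015-02-18T09:12:04Z alice https://secure.indeed.com/static/app.js
2015-02-18T09:15:41Z bob https://www.indeed.com/jobs?q=security+analyst
2015-02-18T09:20:17Z carol https://sso.godaddy.com/?realm=idp&app=dcc
2015-02-18T09:22:55Z dave http://www.newegg.com/Product/Product.aspx?Item=N82E1
2015-02-18T09:30:02Z erin https://us5.admin.mailchimp.com/campaigns/
"""

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def trigger_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one trigger string into a compiled regular expression."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end <= i + 1:                  # no class body: treat '[' literally
                out.append(re.escape(ch))
            else:                             # bracket class, e.g. [?] -> literal '?'
                body = pattern[i + 1:end].replace("\\", "\\\\")
                out.append("[" + body + "]")
                i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


_COMPILED = [(t, trigger_to_regex(t)) for t in DYRE_TRIGGERS]


def matching_triggers(url: str, triggers: Optional[List[str]] = None) -> List[str]:
    """Return every trigger that would fire on this URL (empty list if none)."""
    bare = _SCHEME.sub("", url)
    pairs = _COMPILED if triggers is None else [(t, trigger_to_regex(t)) for t in triggers]
    return [t for t, rx in pairs if rx.search(bare)]


def scan_proxy_log(log_text: str,
                   triggers: Optional[List[str]] = None) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, url, trigger) for each log line a trigger would hook."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                          # skip malformed records
        ts, user, url = parts
        for trig in matching_triggers(url, triggers):
            hits.append((ts, user, url, trig))
    return hits


if __name__ == "__main__":
    for ts, user, url, trig in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {user} {url}  <- {trig}")
```

A hit does not mean the user is infected, only that an infected host would have had its session to that page intercepted; the value is in cross-referencing hits against hosts that also show the Upatre download or Dyre command-and-control traffic from the IOC report.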

Forbes.com, Adobe Flash Player, and Your Email

What do the three topics in today’s title have in common?  Quite a bit if you are in the malware business!  Near the top of the Tech news today is the story that Forbes.com, the 61st most popular website in the United States, has been distributing malware through its “Thought Of The Day” advertisements application.

When first visiting Forbes, regardless of which article link you have clicked on from your websearch, newsreader, Facebook/Twitter link, or email recommendation, you don’t go directly to the article.  Instead you are taken to a “Thought Of The Day” page, where Forbes is able to sell some of their most valuable advertisements.

Those advertising spaces are valuable: they are displayed to every visitor to the website, which is a lot of traffic and exposure for the advertisers. However, not all of those advertisers are genuine companies looking to promote their products or brands. Cybercriminals have also taken advantage of these ad blocks and have been using them for their own form of advert, otherwise known as malvertising. These malicious advertisements link to phishing websites or to sites hosting exploit kits that silently download malware.

The Patching Myth

The story was first shared with the media by Andrea Peterson on her technology policy blog at the Washington Post. She interviewed iSight Partners’ Steve Ward, who said that from at least November 28th to December 1st two specific vulnerabilities were used in this attack.  The first was a vulnerability in Adobe Flash Player known in the industry as CVE-2014-9163.  Many Windows users faithfully patch their Microsoft software, including Windows and Internet Explorer, but fail to patch other applications that interact with their web browser.   In this case, though, patching would not have helped: Adobe’s fix, APSB14-27, was not released until December 9th, while the website was delivering the attack until December 1st.  That means EVERYONE running Flash Player was vulnerable for the whole of the attack window.  This condition, in which hackers are actively exploiting a vulnerability for which there is no patch, is called a 0-day.

Many websites require Adobe Flash in order to deliver animated advertisements or to enable certain functionality.  Apple took a great deal of heat for refusing to allow Flash in iOS, the operating system used on iPhones and iPads.  Incidents like this one regularly vindicate its claim that the decision was a security measure.

The second exploit used in this attack was a vulnerability in Internet Explorer versions 9 and higher, known by its Common Vulnerabilities and Exposures id CVE-2015-0071.  A patch for this vulnerability was released by Microsoft – MS15-009 – on February 10, 2015. It was another 0-day vulnerability that was being actively exploited in the wild.

Exploit Kits

An Exploit Kit is a way of delivering not just two exploits but, in some cases, dozens.  In the Forbes situation, a very advanced actor used two previously unpublished vulnerabilities to attack computers.  If a visitor to the Forbes.com site was using Internet Explorer on a current version of Windows, the Internet Explorer vulnerability was exploited; if they had Adobe Flash Player installed and were using an older version of Windows, Flash was the path of attack.

Exploit kits do that on steroids.  Three of the most popular exploit kits today are the Angler Exploit Kit, the Rig Exploit Kit, and the Sweet Orange Exploit Kit.  The criminals who run these malware delivery systems let other criminals subscribe to them, and whenever a new vulnerability is made public, additional exploits are uploaded to the kit so that it can take advantage of it. For example, late last year Rig was updated to include CVE-2014-0515 (another Flash exploit, patched by Adobe in April 2014) and CVE-2014-0569 (another Flash exploit, patched by Adobe in October 2014).  Sweet Orange added both of those, plus CVE-2014-6332, a Microsoft Windows exploit patched in Critical Security Patch MS14-064.

The way the Exploit Kits work is they search for vulnerabilities on web visitors’ computers that can be exploited. When a vulnerability is discovered, it is used to push the payload of the criminals’ choice.  So ANY malware that a criminal wants to deliver can be silently downloaded as the payload of an Exploit Kit.  But first, they have to get a visitor to go to the site that is hosting the Exploit Kit.

After purchasing access to an Exploit Kit, criminals place their “license” to the Exploit Kit on a distribution page. They must then determine how they will drive traffic to that website.  Some criminals do that by introducing malicious advertisements into ad networks (malvertising), causing their ads to show up on high-ranking websites such as Yahoo, the New York Times, Amazon.com, and YouTube.  They can also place their malware on any website where they manage to acquire the userid and password of the webmaster. Sometimes that password gathering happens via a targeted phishing attack, such as those used to take over the Twitter accounts of CNN and Time Magazine.  Other times the passwords are harvested through regular password-stealing software, such as the Dyre Trojan or GameOver Zeus.

Of course, millions of websites have their own vulnerabilities that allow massive exploitation, such as the WordPress exploits in December 2014 where more than 100,000 websites began distributing malware called SoakSoak, leading Google to temporarily block access to more than 10,000 WordPress sites in their search results!  (According to Tripwire’s State of Security report, 23% of all websites run WordPress!)

A new explosion in Exploit Kit variants is likely after today’s revelation that the RIG Exploit Kit source code has been leaked online.

Exploit Kits and Spam

If a criminal doesn’t have the means to break in to sophisticated advertising networks and doesn’t have ready access to webmaster passwords, the old reliable delivery mechanism is spam email. It’s not as sophisticated, but spam is still one of the most successful malware-delivery methods!  Cisco’s 2015 Annual Security Report shared the surprising news that spam volumes rose by 250% in 2014. Perimeter security and web filtering are often effective at preventing users from visiting websites hosting Exploit Kits: the former is difficult for criminals to bypass, and the latter, where it is deployed, blocks the destination outright, although not all organizations have web filters in place. The leading theory behind the rise in spam is that cybercriminals have realized the vector is still highly effective. Emailing end users directly sidesteps perimeter security and attacks the weakest link in the security chain.

Other sources have reached a contrary conclusion that is no less worrying.  For example, PhishMe Intelligence shows there was a 56% DROP in spam volume in 2014; however, the percentage of emails deemed malicious increased to an average of 10%, with spikes as high as 40%!  (See InfoSecurity magazine: Spam Volumes Drop but Unsolicited Emails Get More Malicious.)

All too often, malware authors use multiple delivery mechanisms to infect end users. One of the most famous examples of recent “dual-delivery” malware is the CryptoWall malware that proved to be so popular in 2014. As Phil Muncaster shared in Infosecurity magazine last month, links to CryptoWall 3.0 are commonly found both in spam and drive-by forms of Exploit Kits. It doesn’t matter which delivery method is used, the underlying architecture of the payload malware is identical.

The Ad-Blocking Controversy

Several popular security products either specifically block online advertising, or block the ads as a side-effect of not allowing code to execute from unapproved pages.  For example, see the Forbes “Home USA” news index page from today, as viewed in Chrome, and as viewed in Firefox with “NoScript” running.

In the top image, visiting the Forbes webpage results in top and bottom ads and an Adobe Flash Player-based video ad on the left of the page.  Visiting with FireFox with NoScript running prevents all of those ads from being displayed. That means malvertising is blocked, but so are legitimate adverts.

Where is the controversy?  The ethical question is that I am allowed to read Forbes magazine for free as a result of the contracts that Forbes has to display their ads to their customers.  When I choose not to view ads for free content, am I not breaking the implied economy of the online world?  As the saying goes “If you are not paying for something, you are not the customer, you are the product!”  Online web pages sell our advertising market eyeballs to their vendors, but in viewing these ads are we exposing ourselves to risk?

Some online sources have revealed there were 5.3 trillion online advertisements displayed last year.  “Only” a few million of those were malicious. On the same list we see that 50% of the clicks on mobile ads are accidental. Interestingly, Solve Media claims you are more likely to survive a plane crash than click a banner ad.

I’ll end this post with an amusing news story about the Flash malware at Forbes.  NBC News had a video story about the article.  I couldn’t see it, because my Firefox won’t play the Flash Player unless I specifically allow it. However, they published the story about the malware attack on Forbes users, and included a Flash advertising block underneath.

Anthem and Post-breach phishing awareness

The Anthem data breach on February 5, 2015 raised the high-water mark on healthcare data breaches. The Anthem breach smashed all previous records, exposing close to 80 million members’ records. It was the largest healthcare data breach ever discovered by a considerable distance. Only a very small number of healthcare data breaches have been reported that have exceeded 2 million records.

In the United States, data breaches impacting the protected health information of patients and health plan members must be reported to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). OCR maintains a searchable database of all healthcare data breaches that have impacted 500 or more individuals. Many of those data breaches were relatively minor (a misdirected batch of emails, for example), and few required actions and mitigations as extensive as those prompted by the latest Anthem ‘mega’ breach.

Anthem’s CEO has now established the website “AnthemFacts.com” containing a Frequently Asked Questions document about the data breach, but the media offers plenty of alternative sources of Facts and FAQs.

Previous Largest Healthcare Data Breaches

The previous largest ever healthcare data breach occurred in 2011. The records of 4.9 million active and retired military personnel were reported stolen after back-up tapes of their health records disappeared from a data contractor’s car in San Antonio, Texas.  SAIC, the contractor involved, had no reason to believe the tapes were the target of the theft, or that the thief even knew what he or she was stealing. (See Records of 4.9 mln stolen from car in Texas data breach.)

The second largest healthcare data breach occurred in 2014. Tennessee-based Community Health Systems experienced an “external criminal cyber-attack” in April and June of 2014 that resulted in the theft of the protected health information of its patients.  CHS’s Media Notice said it had worked closely with Federal law enforcement and believed they were the victim of an “Advanced Persistent Threat” group originating from China.  The HHS database indicates 4.5 million patient records were exposed in that breach.

The third largest healthcare data breach ever reported to OCR by a HIPAA-covered entity affected Advocate Medical Group.  4 million patient records were stolen from the company on July 15, 2013.  The unencrypted patient health records were stored on four laptop computers. It was unclear whether the laptops were stolen for their value or for the data that may have been stored on them.

The lawsuits filed on behalf of the potential victims were dismissed. In order “to claim injury, whether actual or threatened, the plaintiffs must establish it is ‘distinct and palpable’ and ‘fairly traceable’ to the defendant’s actions and that the requested relief would substantially redress the loss.”  (See Illinois court dismisses claims of potential loss from Advocate data breach ). The plaintiffs were unable to provide sufficient evidence to prove that was the case.

Other than the Xerox data breach, which cost the company the State of Texas Medicaid contract in 2014, no other healthcare data breach listed on the OCR breach portal has resulted in the theft or exposure of more than two million records.

Healthcare Data Breach Lawsuits

As Forbes magazine recently explained, the number of records stolen in the Anthem cyberattack exceeds the sum of all the healthcare data breaches reported in the previous five years!   Anthem, which fell from its 52-week high stock price of $143.65 to $134.79 today following the announcement of the cyberattack, has already had four class action lawsuits filed against it. (See Cohen and Malad Anthem Lawsuit, Morris v. Anthem, Juliano v. Anthem (Alabama-based), and D’Angelo et. al. v. Anthem )

What all of these lawsuits claim is that the theft of current and former Anthem customers’ electronic protected health information puts plaintiffs and class members at an increased risk of suffering identity theft and fraud.  Specifically, the following data elements were taken:

  • Full names
  • Birthdates
  • Email addresses
  • Employment details
  • Social Security numbers
  • Incomes
  • Home addresses

Anthem only has 34 million current customers and almost 80 million records were exposed. The breach therefore likely affects former customers and other family members included on the health plans.

The lawsuits make much of the fact that the U.S. Department of Health and Human Services’ Office for Civil Rights has previously fined Anthem for using “inadequate safeguards” to protect customer records. The California Attorney General has also taken action against Anthem, and specifically pointed at the fact that the company was storing customers’ Social Security numbers in an unencrypted format. (A 2013 report by the California OAG about 131 separate data breach incidents outlines that 1.4 million Californians would have been protected had their data been encrypted.)  Critics of Anthem have pointed out that the company was previously warned about the potential for breaches of ePHI in an FBI Private Industry Notification dated 8 April 2014 titled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain.”

Anthem is also accused of “failing to provide timely and accurate notice of the Anthem data breach” in violation of state data breach statutes in California, Colorado, Connecticut, Georgia, Kentucky, Virginia, and Wisconsin.

Be Alert for Phishing and Related Scams

While the theft of credit card data may seem harmful, credit monitoring is usually offered and credit card companies quickly re-issue cards that have been stolen in a cyberattack. Most victims of credit card fraud are also reimbursed for any fraudulent charges on their cards. Unfortunately, Social Security numbers are almost never re-issued, and there is unlikely to be any reimbursement or refund if identities are stolen and financial losses are suffered.  Customers who have their SSN and personal data stolen are especially vulnerable to scams and face an elevated risk of identity theft and fraud for a lifetime. Anthem is unlikely to be offering a lifetime of identity theft protection and credit monitoring services to breach victims.

Anthem services customers in the following states: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin.

Any company also servicing customers in those states should warn their Customer Service personnel to be on the alert for social engineering scams, possibly by telephone. Once the stolen Anthem data has been sold on, there will likely be many scammers who attempt to gain access to accounts, or try to reset passwords, on Anthem members’ other accounts that use their email addresses as their username.

Several reports have already been received of phishing emails claiming to advise potential victims of how to take advantage of data monitoring offers from Anthem. Security journalist Brian Krebs has already published reports on some of the phishing scams (Phishers Pounce on Anthem Breach).  Krebs refers to Steve Ragan’s Salted Hash article, in which he shared an internal memo explaining that the data breach was not discovered until an employee noticed that their account had been used without their authorization to perform queries in a database.  Eventually it was determined those queries had been ongoing since December 10, 2014, although they were not discovered until January 27, 2015 and not verified until January 29, 2015.

Several news sources have made much of the fact that Anthem’s customers include defense contractors such as Northrop Grumman Corporation and The Boeing Company in Missouri.  Several sources reported to Bloomberg that this attack fits the nature of attacks from the People’s Liberation Army’s Unit 61398, a Shanghai-based hacking group whose members were indicted by Federal prosecutors last year.  If this proves to be true, the cyberattack may have been conducted for espionage, and the data stolen would then be unlikely to be sold on to scammers. It could, however, be used in spear phishing attacks to obtain even more sensitive information from the victims.