Forbes.com, Adobe Flash Player, and Your Email

What do the three topics in today’s title have in common?  Quite a bit if you are in the malware business!  Near the top of the Tech news today is the story that Forbes.com, the 61st most popular website in the United States, has been distributing malware through it’s “Thought Of The Day” advertisements application.

When first visiting Forbes, regardless of which article link you have clicked on from your websearch, newsreader, Facebook/Twitter link, or email recommendation, you don’t go directly to the article.  Instead you are taken to a “Thought Of The Day” page, where Forbes is able to sell some of their most valuable advertisements.

Those advertising spaces are valuable. They are displayed to all visitors to the website. That’s a lot of traffic and exposure for the advertisers. However, not all of those advertisers are genuine companies looking to promote their products or brands. Cybercriminals have also taken advantage of these ad blocks and have been using them for their own forms of adverts – Otherwise known as malvertising. These malvertising advertisements link to phishing websites or sites containing exploit kits that silently download malware.

The Patching Myth

The story, which was first shared with the media by Andrea Peterson via her technology policy blog at the Washington Post. She interviewed iSight Partners’ Steve Ward and was told that from at least November 28th to December 1st, two specific vulnerabilities were used in this attack.  The first was a vulnerability in Adobe Flash Player known in the industry as CVE-2014-9163.  Many Windows users faithfully patch their Microsoft software, including Windows and Internet Explorer, but fail to patch other applications that interact with their web browser.   In this case, unless the user had patched their version of Adobe Flash Player AFTER December 9th, the day that Adobe released their patch, APSB14-27, they would have been vulnerable to attack. The website was delivering their attack until December 1st.  That means EVERYONE WAS VULNERABLE!  This condition, called a 0-day, is when hackers are actively exploiting a vulnerability for which there is no patch.

Many websites require the use of Adobe Flash in order to deliver animated advertisements, or to enable certain functionality of their websites.  Apple Computers took a great deal of heat by refusing to allow Flash to be used in the iOS operating system used on iPhones and iPads.  Their claim that this was a security feature is regularly proven.

The second exploit used in this attack was a vulnerability in Internet Explorer versions 9 and higher, known by its Common Vulnerabilities and Exposures id CVE-2015-0071.  A patch for this vulnerability was released by Microsoft – MS15-009 – on February 10, 2015. It was another 0-day vulnerability that was being actively exploited in the wild.

Exploit Kits

An Exploit Kit is a way of delivering not just two exploits, but in some cases dozens.  In the Forbes situation, a very advanced actor used two previously unpublished vulnerabilities to attack computers.  If a visitor to the Forbes.com site was using Internet Explorer on a current version of Windows, the IE9 vulnerability was exploited. If they had Adobe Flash Player installed and were using an older version of Windows, that was the path of attack.

Exploit kits do that on steroids.  Three of the most popular exploit kits today are the Angler Exploit Kit, the Rig Exploit Kit, and the Sweet Orange Exploit Kit.  Criminals who run these malware delivery systems allow other criminals to subscribe to them so that whenever a new vulnerability is made public, these kits can take advantage of that vulnerability. Additional exploits are uploaded to the kit. For example, late last year, Rig was updated to include CVE-2014-0515 (another Flash Exploit, patched by Adobe in April 2014) and CVE-2014-0569 (another Flash Exploit, patched by Adobe in October 2014).  Sweet Orange did both of those, and also CVE-2014-6332, a Microsoft Windows exploit patched in Critical Security Patch MS14-064.

The way the Exploit Kits work is they search for vulnerabilities on web visitors’ computers that can be exploited. When a vulnerability is discovered, it is used to push the payload of the criminals’ choice.  So ANY malware that a criminal wants to deliver can be silently downloaded as the payload of an Exploit Kit.  But first, they have to get a visitor to go to the site that is hosting the Exploit Kit.

After purchasing access to an Exploit Kit, criminals place their “license” to the Exploit Kit on a distribution page. They must then determine how they will drive traffic to that website.  Some criminals do that by introducing malicious advertisements into ad networks (malvertising), causing their ads to show up on high-ranking websites such as Yahoo, the New York Times, Amazon.com, and YouTube.  They can also place their malware on any website where they manage to acquire the userid and password of the webmaster. Sometimes that password gathering happens via a targeted phishing attack, such as those used to take over the Twitter accounts of CNN and Time Magazine.  Other times the passwords are harvested through regular password-stealing software, such as the Dyre Trojan or GameOver Zeus.

Of course, millions of websites have their own vulnerabilities that allow massive exploitation, such as the WordPress exploits in December 2014 where more than 100,000 websites began distributing malware called SoakSoak, leading Google to temporarily block access to more than 10,000 WordPress sites in their search results!  (According to Tripwire’s State of Security report, 23% of all websites run WordPress!)

A new explosion in Exploit Kit variants is likely after today’s revelation that the RIG Exploit Kit source code has been leaked online.

Exploit Kits and Spam

If a criminal doesn’t have the means to break in to sophisticated advertising networks, and doesn’t have ready access to webmaster passwords, the old reliable delivery mechanism is spam email. It’s not as sophisticated, but spam is still one of the most successful malware-delivery methods!  Cisco’s 2015 Annual Security Report shared the surprising news that spam volumes had risen by 250% in 2014. Perimeter security and web filtering are often effective at preventing users from visiting websites hosting Exploit Kits. In the case of the former, it can be difficult for criminals to bypass those security controls. In the case of the latter, not all organizations have web filters in place. The leading theory behind the rise in spamming is the realization by cybercriminals that the attack vector is still highly effective. Targeting end users allows cybercriminals to bypass perimeter security by attacking the weakest link in the security chain: End users.

Other sources have reached a contrary but equally harmful conclusion.  For example, PhishMe Intelligence shows there was a 56% DROP in spam volume in 2014; however, the percentage of emails that were deemed malicious increased to an average of 10%, with spikes as high as 40%!  (See InfoSecurity magazine – Spam Volumes Drop but Unsolicited Emails Get More Malicious).

All too often, malware authors use multiple delivery mechanisms to infect end users. One of the most famous examples of recent “dual-delivery” malware is the CryptoWall malware that proved to be so popular in 2014. As Phil Muncaster shared in Infosecurity magazine last month, links to CryptoWall 3.0 are commonly found both in spam and drive-by forms of Exploit Kits. It doesn’t matter which delivery method is used, the underlying architecture of the payload malware is identical.

The Ad-Blocking Controversy

Several popular security products either specifically block online advertising, or block the ads as a side-effect of not allowing code to execute from unapproved pages.  For example, see the Forbes “Home USA” news index page from today, as viewed in Chrome, and as viewed in Firefox with “NoScript” running.

In the top image, visiting the Forbes webpage results in top and bottom ads and an Adobe Flash Player-based video ad on the left of the page.  Visiting with FireFox with NoScript running prevents all of those ads from being displayed. That means malvertising is blocked, but so are legitimate adverts.

Where is the controversy?  The ethical question is that I am allowed to read Forbes magazine for free as a result of the contracts that Forbes has to display their ads to their customers.  When I choose not to view ads for free content, am I not breaking the implied economy of the online world?  As the saying goes “If you are not paying for something, you are not the customer, you are the product!”  Online web pages sell our advertising market eyeballs to their vendors, but in viewing these ads are we exposing ourselves to risk?

Some online sources have revealed there were 5.3 trillion online advertisements displayed last year.  “Only” a few million of those were malicious. On the same list we see that 50% of the clicks on mobile ads are accidental. Interestingly, Solve Media claims you are more likely to survive a plane crash than click a banner ad.

I’ll end this post with an amusing news story about the Flash malware at Forbes.  NBC News had a video story about the article.  I couldn’t see it, because my Firefox won’t play the Flash Player unless I specifically allow it. However, they published the story about the malware attack on Forbes users, and included a Flash advertising block underneath.

Anthem and Post-breach phishing awareness

The Anthem data breach on February 5, 2015 raised the high-water mark on healthcare data breaches. The Anthem breach smashed all previous records, exposing close to 80 million members’ records. It was the largest healthcare data breach ever discovered by a considerable distance. Only a very small number of healthcare data breaches have been reported that have exceeded 2 million records.

In the United States, data breaches impacting the protected health information of patients and health plan members are required to be reported to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR). OCR maintains a searchable data base of all healthcare data breaches that have impacted 500 or more individuals. Many of those data breaches were relatively minor; a misdirected batch of emails for example. Not all of those healthcare data breaches required such extensive actions and mitigations as the latest Anthem ‘mega’ breach.

Anthem’s CEO has now established the website “AnthemFacts.com” containing a Frequently Asked Questions document about the data breach, but the media offers plenty of alternative sources of Facts and FAQs.

Previous Largest Healthcare Data Breaches

The previous largest ever healthcare data breach occurred in 2011. The records of 4.6 million active and retired military personnel were reported stolen after back-up tapes of their health records disappeared from a data contractor’s car in San Antonio, Texas.  SAIC, the contractor involved, had no reason to believe the tapes were the target of the theft, or whether the thief even knew what he or she was stealing. (see Records of 4.9 mln stolen from car in Texas data breach ).

The second largest healthcare data breach occurred in 2014. Tennessee-based Community Health Systems experienced an “external criminal cyber-attack” in April and June of 2014 that resulted in the theft of the protected health information of its patients.  CHS’s Media Notice said it had worked closely with Federal law enforcement and believed they were the victim of an “Advanced Persistent Threat” group originating from China.  The HHS database indicates 4.5 million patient records were exposed in that breach.

The third largest healthcare data breach ever reported to OCR by a HIPAA-covered entity affected Advocate Medical Group.  4 million patient records were stolen from the company on July 15, 2013.  The unencrypted patient health records were stored on four laptop computers. It was unclear whether the laptops were stolen for their value or for the data that may have been stored on them.

The lawsuits filed on behalf of the potential victims were dismissed. In order “to claim injury, whether actual or threatened, the plaintiffs must establish it is ‘distinct and palpable’ and ‘fairly traceable’ to the defendant’s actions and that the requested relief would substantially redress the loss.”  (See Illinois court dismisses claims of potential loss from Advocate data breach ). The plaintiffs were unable to provide sufficient evidence to prove that was the case.

Other than the Xerox data breach, which cost the company the State of Texas Medicare contract in 2014, no other healthcare data breach listed on the OCR breach portal has resulted in the theft or exposure of more than two million records.

Healthcare Data Breach Lawsuits

As Forbes magazine recently explained, the number of records stolen in the Anthem cyberattack exceeds the sum of all the healthcare data breaches reported in the previous five years!   Anthem, which fell from its 52-week high stock price of $143.65 to $134.79 today following the announcement of the cyberattack, has already had four class action lawsuits filed against it. (See Cohen and Malad Anthem Lawsuit, Morris v. Anthem, Juliano v. Anthem (Alabama-based), and D’Angelo et. al. v. Anthem )

What all of these lawsuits claim, is the theft of current and former Anthem customers’ electronic protected health information puts plaintiffs and class members at an increased risk of suffering identity theft and fraud.  Specifically, the following data elements:

  • Full names
  • Birthdates
  • Email addresses
  • Employment details
  • Social Security numbers
  • Incomes
  • Home addresses

Anthem only has 34 million current customers and almost 80 million records were exposed. The breach therefore likely affects former customers and other family members included on the health plans.

The lawsuits make much of the fact that the U.S. Department of Health and Human Services’ Office for Civil Rights has previously fined Anthem for using “inadequate safeguards” to protect customer records. The California Attorney General has also taken action against Anthem, and specifically pointed at the fact that the company was storing customers’ Social Security numbers in an unencrypted format. (A 2013 report by the California OAG about 131 separate data breach incidents outlines that 1.4 million Californians would have been protected had their data been encrypted.)  Critics of Anthem have pointed out that the company was previously warned about the potential for breaches of ePHI in an FBI Private Industry Notification dated 8 April 2014 titled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain.”

Anthem is also accused of “failing to provide timely and accurate notice of the Anthem data breach” in violation of state data breach statutes in California, Colorado, Connecticut, Georgia, Kentucky, Virginia, and Wisconsin.

Be Alert for Phishing and Related Scams

While the theft of credit card data may seem harmful, credit monitoring is usually offered and credit card companies quickly re-issue cards that have been stolen in a cyberattack. Most victims of credit card fraud are also reimbursed for any fraudulent charges on their cards. Unfortunately, Social Security numbers are never re-issued. There is also unlikely to be any reimbursement or refunds if identities are stolen and financial losses are suffered.  Customers who have their SSN and personal data stolen are especially vulnerable to scams and face an elevated risk of identity theft and fraud for a lifetime. Anthem will certainly not be offering a lifetime of identity theft protection and credit monitoring services to breach victims.

Anthem services customers in the following states:

California Colorado Connecticut
Georgia Indiana Kentucky
Maine Missouri Nevada
New Hampshire New York Ohio
Virginia Wisconsin

Any company also servicing customers in those states should warn their Customer Service personnel to be on the alert for social engineering scams, possibly by telephone. Once the stolen Anthem data has been sold on, there will likely be many scammers who attempt to gain access to accounts or try to reset password on Anthem members’ other accounts that use their email addresses as their username.

Several reports have already been received of phishing emails claiming to be advising potential victims of how to take advantage of data monitoring offers from Anthem. Security journalist Brian Krebs has already published reports on some of the phishing scams. ( Phishers Pounce on Anthem Breach ).  Krebs refers to Steve Ragan’s Salted Hash article in which he shared an internal memo explaining the data breach was not discovered until an employee noted that their account had been being used without their authorization to perform queries in a database.  Eventually it was determined those queries had been on-going since December 10, 2014, although they were not discovered until January 27, 2015 and not verified until January 29, 2015.

Several news sources have made much of the fact that Anthem’s customers include defense contractors such as Northrop Grumman Corporation and The Boeing Company in Missouri.  Several sources reported to Bloomberg that this attack fits the nature of attacks from the People’s Liberation Army’s Unit 61398; a Shanghai-based hacking group whose members were indicted by Federal prosecutors last year.  If this is proven to be true, the cyberattack may have been conducted for espionage reasons. Data stolen in the attack would therefore be unlikely to be sold on to scammers. However, if that is the case, the data could be used in spear phishing attacks to obtain even more sensitive information on the victims.

Botnets, APTs, and Malicious Emails: The Commonest Methods of Attack

A question that we regularly receive at PhishMe is “How do the higher skilled cyber criminals get into major networks?” – The answer is botnets, APTs and malicious emails in most cases.

The way Advanced Persistent Threat-style actors are described by the media often leaves the average reader believing that these intrusions are performed by Mission: Impossible’s Ethan Hunt!  But the truth is that even the APT-level hackers often gain their initial foothold into your network through the most common and trustworthy means of infection — a malicious email.

But surely these are highly crafted, customized and targeted spear-phishing emails, right?  Sometimes.  But more often than not, the initial foothold into the network comes from common malware that is broadly distributed through spam.

Selling Logs

Most of the major botnets in circulation today are known for a primary activity, such as the Financial Crimes aspects of Zeus, Cridex, and Dyre. Whether it is those Financial Crimes botnets, or ClickFraud botnets such as Bamitol, ZeroAccess, or MeVade or spamming botnets such as Cutwail and Kelihos, the criminals often include additional functionality to “remote control” the infected computers to allow them to drop ADDITIONAL malware on the same systems.

Security journalist (and now New York Times Best Seller) Brian Krebs has been making this point for quite some time.  In his article The Scrap Value of a Hacked PC he points out that one use of a compromised PC is to use that PC to access Corporate E-mail accounts.  Later in 2012, he also explored the variety of additional uses of a hacked PC in his article Exploring the Market for Stolen Passwords.  More recently his article One-Stop Bot Chop-Shops pointed out some of the many additional ways that criminals monetize their bots, including selling the raw botnet logs – “huge text files that document notable daily activities of the botted systems.”

Fox-IT / Group-IB and Anunak

Netherlands-based Fox-IT and Moscow-based Group-IB have just released a report called “Anunak: APT Against Financial Institutions” (PDF) which they describe as a new group of cyber criminals who have stolen tens of millions of dollars, credit cards, and intellectual property.  In the report, the team documents one of the main methods the criminals were able to penetrate more than fifty financial institutions, as well as oil and gas companies, and government agencies:

“To find such malicious programs the criminal group keeps in touch with several owners of large botnets that massively distributes their malware.  The attackers buy from these botnet owners the information about IP addresses of computers where the botnet owners have installed malware and then check whether the IP address belongs to the financial and government institutions.  If the malware is in the subnet of interest, the attackers pay the large botnet owner for installation of their target malware.  Such partner relations were established with [several botnet owners] including Zeus.” (p. 5 of the Anunak report)

The report goes on to actually provide Python source code used by the Anunak actors to scan large collections of log data for networks that may be of high value.

Once the malware actors identify a desirable bot, they pay the large botnet owner to install software that provides remote control to the Anunak group instead, and then proceed with their attack.  At this point, the criminal can fully control the machine that has been identified in a desirable target network, and will often read the victim’s emails in order to find people within the target organization who would be appropriate targets to try to gain higher levels of access to desirable systems.  Because they now have access to previous communications, it becomes easier for them to provide a compelling social engineering email based on prior communications, and being sent FROM WITHIN THE TARGET NETWORK by a known associate of the email recipient!  These are the highly-customized spear-phishing emails that give APT actors their reputation — but in this case, the FIRST STEP in the criminals’ version of the Cyber Kill Chain is to take advantage of a large botnet that has by coincidence, rather than by design, been installed on a machine of interest to the Anunak criminals.

One of the botnets known to be used by these criminals is Andromeda.  In the example detailed on page 10 of the Anunak report, combined with indicators from the appendix of the report, we find that malware named “001.photo.exe” that used as its Command & Control domains the addresses ddnservice10.ru and ddnservice11.ru on IP address 144.76.215.219 are definitely associated with these actors.

PhishMe Intelligence

PhishMe Intelligence subscribers can find samples of this threat by using the “URL search” and entering the partial string “ddnservice” which will show 18 major spam campaigns tied to those two domains via their Malware Watch List entries.  Those domains were active from September 26, 2014 until November 6, 2014, at which time the criminals shifted their usage to dns22dns22.ru.

While the most common email subject used by this campaign was “my new photo ;)” email subjects related to “Order Details” and “New offer Job” and others were also commonly seen.  The malware distribution network, commonly known as SmokeLoader, is used in many instances to install the Andromeda botnet, as in the Anunak example.

The current C&C address for this group, first seen on December 19, 2014, is “fudsufsd3.com” which is associated with IP addresses:

178.132.206.57 – hosted at JSC KazakhTelecom (ASN 9198)
46.151.52.73 – hosted at VDS INSIDE, Ltd. (ASN 61214)
62.76.184.68 – hosted at the famously malicious “IT House, Ltd” on ASN 57010.

According to Passive DNS, ddnservice10.ru was seen on near-neighbor IP addresses to two of these — 62.76.189.169 (ASN 57010) used on and after October 31, 2014 and 178.89.191.146 and 178.89.191.167 (ASN 9198) used on and after September 27, 2014 and October 23, 2014 respectively.

Two Attacks… Two Dyres… All Infrastructure

Over the last few days, we have seen two waves of Dyre. The attackers have changed things up a bit and made it harder to analyze. By using memory forensics techniques, we took a peek into their command and control (C2) infrastructure. The #1 rule of memory forensics…everything has to eventually be decoded, and we’re going to use this to our advantage. Here’s a quick look at the waves of emails we received. (Figures 1 and 2)

Figure 1 phishing fax

Figure 1 — First wave of Dyre

.NET Keylogger: Watching Attackers Watch You

Throughout life, there are several things that make me smile. Warm pumpkin pie, a well-placed nyan nyan cat, and most of all – running malware online – never fail to lift my mood. So imagine my surprise to see, after running a malware sample, that the attackers were watching me. Here’s a screenshot of a phishing email we received, which contained a keylogger written in .NET.

Figure-1-Phishing-Screenshot

Figure 1 — Screenshot of phishing email

National Cybersecurity Awareness Month 2014

With National Cyber Security Awareness month (NCSAM) upon us, the national spotlight is on best practices to stay safe and protect your data online. Thanks to the support of the National Cyber Security Alliance, Department of Homeland Security, and the White House , the month of October will feature a number of initiatives designed to increase the knowledge base about cyber security issues with the general population and promote DHS’ “Stop. Think. Connect.” program to empower individuals to be safer online. PhishMe is proud to participate by being a 2014 NCSAM champion, and have made a number of resources available to individuals looking to learn more about how to protect themselves from phishing, and to organizations trying to change their users’ behavior with more effective employee security training programs.

Bash Vulnerability CVE-2014-6271 – Worm-able and Possibly Worse Than Heartbleed

Post Updated 9/30/2014

Several months ago, the Internet was put to a halt when the Heartbleed vulnerability was disclosed. Webservers, devices, and essentially anything running SSL were affected; as a result, attackers were able to collect passwords, free of charge.

With Heartbleed, the exploit made a splash and many attackers started to use the vulnerability. One of the more high-profile attacks of Heartbleed was the CHS attack, where the attackers siphoned 4.5 million patient records by attacking a Juniper device, then hopping onto their VPN.

So how can something be bigger than Heartbleed? I’m glad you asked.