Supply Chain Attack Hits Organizations In South Korea

Supply-chain attacks are very difficult to detect and prevent because malware comes from an outside source considered trustworthy. Contaminating the waterhole, though, is sometimes easier to achieve than going directly after the target, who may have strong defenses in place.

(Via BleepingComputer)

I would change this to say, “Supply-chain attacks are very difficult to detect and prevent because malware comes from an outside source assumed trustworthy, if considered at all.” This is true for most companies.

I appreciate a subtle approach regardless of a malicious actor’s malevolence:

The malicious actor made sure that the compromised version of the software did not spread to entities that were not of interest. For this, they set up the update server to send out the infected files only if their target was located within a specific range of IP addresses.

To avoid detection, the malicious update was signed with a valid certificate stolen from the remote solutions provider. It is unclear when this occurred, but researchers say that on April 8 they found a piece of malware that hid under the same stolen certificate.

With signed malware and access to the update server, all the threat actor had to do was to wait for a client to request a software update.

If the call came from the targeted IP range, the attacker sent the update server the malicious file packaged as “update.zip.” When the update executed, so did the 9002 RAT inside it.

Considering that the update process is likely encrypted by default, catching this early in the kill chain is unlikely.

See Wired’s writeup on NotPetya.
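The two details above, a payload signed with the vendor’s own stolen certificate and a server that only hands it to clients in a chosen IP range, mean a signature check alone buys nothing. Below is an added example, not code from the BleepingComputer article or from the affected vendor, showing two client-side checks that still work in that situation: pinning the archive to a hash manifest the client obtained out of band (a hypothetical channel the update server cannot alter), and comparing what the update URL returns to several vantage points, where IP-range gating shows up as a digest that differs only for the targeted range. The second check generalizes beyond the article, which describes only the single victim’s view. All archives, file contents and vantage labels are constructed in memory; no real malware is reproduced.

```python
"""
Added example: defensive checks against a signed-but-foreign update.
Assumptions (not from the article): the client already holds a hash
manifest published separately by the vendor, and the defender can fetch
the same update URL from several vantage points.
"""
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_update_zip(files: dict) -> bytes:
    """Pack {name: bytes} into an in-memory zip (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
    return buf.getvalue()


def verify_against_manifest(zip_bytes: bytes, manifest: dict) -> list:
    """
    Return a list of problems; an empty list means the archive matches the
    pinned manifest exactly. Extra members are rejected, so a dropper added
    beside the genuine files fails even though the archive is "signed".
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names - set(manifest)):
            problems.append(f"unexpected member: {name}")
        for name in sorted(set(manifest) - names):
            problems.append(f"missing member: {name}")
        for name in sorted(names & set(manifest)):
            if sha256_hex(zf.read(name)) != manifest[name]:
                problems.append(f"hash mismatch: {name}")
    return problems


def differential_check(responses: dict) -> list:
    """
    responses maps a vantage label to the bytes that vantage received for
    the same update URL. Returns the vantages whose artifact differs from
    the majority. Assumes most vantages sit outside the targeted IP range;
    a server gating payloads by client address yields a non-empty list.
    """
    digests = {label: sha256_hex(body) for label, body in responses.items()}
    counts = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    majority = max(counts, key=counts.get)
    return sorted(label for label, d in digests.items() if d != majority)


# --- constructed sample data (stand-in bytes, not real software) -------
GENUINE_FILES = {
    "client.exe": b"legitimate remote-support client build (stand-in bytes)",
    "config.ini": b"[server]\nhost=updates.example.invalid\n",
}
MANIFEST = {name: sha256_hex(data) for name, data in GENUINE_FILES.items()}
GENUINE_ZIP = build_update_zip(GENUINE_FILES)
# Same archive plus an injected member; an inert placeholder stands in for
# the payload so the check has something to catch.
TAMPERED_ZIP = build_update_zip(
    {**GENUINE_FILES, "update.exe": b"placeholder for the injected payload"}
)


def demo() -> dict:
    """Run both checks over the constructed fixtures and return the results."""
    responses = {
        "target-range": TAMPERED_ZIP,  # hypothetical vantage inside the gated range
        "vantage-eu": GENUINE_ZIP,
        "vantage-us": GENUINE_ZIP,
    }
    return {
        "genuine_problems": verify_against_manifest(GENUINE_ZIP, MANIFEST),
        "tampered_problems": verify_against_manifest(TAMPERED_ZIP, MANIFEST),
        "odd_vantages": differential_check(responses),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest check catches the case the article describes (a correctly signed archive with an extra member) without trusting the signer at all, which matters once the vendor’s certificate is in the attacker’s hands; the differential fetch is how a defender would notice the IP-range gating from outside the victim’s network. Neither replaces encrypted transport or code signing; they are the extra checks that keep working when those are subverted.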

Now You See Me – H-worm by Houdini | FireEye Blog

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run-of-the-mill attacks through spammed email attachments and malicious links.

via Now You See Me – H-worm by Houdini | FireEye Blog.

22 Hours: Average Time It Takes Malware Distributors To Exploit News

Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact, the Research Team of Eleven, leading German e-mail security provider, now sees instances of criminals inventing “breaking news” that appears to relate to high-profile current events.

The Eleven Research Team continually analyzes malicious campaigns that exploit breaking news using the CNN name and other prominent news outlets to lure email recipients to malicious sites. The average time between an actual news event and its exploitation hovered around 22 hours during the last three months.

On Friday, September 6, malware distributors invented fake news designed to take advantage of public interest in the possibility of a U.S. airstrike against Syria. The emails used the subject line, “The United States Began Bombing,” and were crafted to appear as a legitimate CNN news alert. It is an example of the cybercriminal community harnessing the interest and anxiousness about current events to increase the success of their malicious campaigns.

via 22 Hours: Average Time It Takes Malware Distributors To Exploit News.

Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets | FireEye Blog

FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled ‘Operation DeputyDog’, began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9.

via Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets | FireEye Blog.

FireEye did a part II as well:
Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893)

In our previous blog post my colleagues Ned and Nart provided a detailed analysis on the Advanced Persistent Threat (APT) Campaign Operation DeputyDog. The campaign leveraged a zero-day vulnerability of Microsoft Internet Explorer (CVE-2013-3893). Microsoft provided an advisory and ‘Fix it’ blog post.

I am happy to announce that Xiaobo Chen, a well-known security researcher, has recently joined FireEye Labs. We worked together on the analysis of this zero-day vulnerability. In this blog, we will provide a deep dive on the exploitation part of the campaign.

Despite the targeted nature of these attacks, the exploit identifies numerous language packs (en, zh, fr, de, ja, pt, ko, ru) and software versions, which it uses to specify the correct ROP chain. Commented-out code suggests that the exploit initially targeted IE8 XP users, and IE8 and IE9 Windows 7 users who also had MS Office 2007 installed. In our tests, we observed that the exploit ran successfully on systems running both MS Office 2007 and 2010.

BLYPT: A New Backdoor Family Installed via Java Exploit | Security Intelligence Blog | Trend Micro

Recently, we have observed a new backdoor family which we’ve called BLYPT. This family is called BLYPT because of its use of binary large objects (blob) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey.

Currently, this threat is primarily hitting users in the United States; however, it seems that consumers (as opposed to businesses) are the most affected.

via BLYPT: A New Backdoor Family Installed via Java Exploit | Security Intelligence Blog | Trend Micro.

Darkleech Says Hello | FireEye Blog

At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found here.

via Darkleech Says Hello | FireEye Blog.

Malware on oil rig computers raises security fears – Houston Chronicle

This article from the Houston Chronicle highlights the need for layered security, including proper VLAN design to segregate networks and contain malware:

Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.

The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.

The way the article reads, it seems these platforms have large, flat LANs where employees’ personal equipment is on the same network as the production equipment. I’m a fan of placing SCADA systems in their own VLAN with non-routable IP addressing, isolated from the Internet and the rest of your local network. Place a physical firewall device between the SCADA LAN and the regular LAN, but lock that firewall down. Selectively open ports for maintenance and close them again when done. Monitor the heck out of the thing.

InfoSec professionals, how would you handle this type of situation?

via Malware on oil rig computers raises security fears – Houston Chronicle.