
Mozilla Firefox web browser under fire: the anatomy of a 0day cyber attack

Earlier, we wrote that the Mozilla Foundation published security advisory MFSA2015-78, which reported attacks on users with a 0day exploit for the Firefox web browser. The vulnerability was in the browser's built-in PDF viewer plugin, PDF.js. It allows attackers to bypass the same-origin policy security mechanism and execute remotely supplied JavaScript on the user's system; the script gives the attackers access to the user's local files and lets them upload those files to a remote server.



The Mozilla Foundation recommended that users upgrade to the latest version of the web browser, in which this vulnerability has already been fixed. Our analyst Anton Cherepanov (@cherepanov74) prepared an analysis of two versions of the malicious script and of the associated cyber attacks on Windows, Linux and OS X users.

Our ESET LiveGrid cloud telemetry shows that the server hosting the malicious script had the IP address 185.86.77.48 and had been active since July 27, 2015. This is corroborated by a report from one of the users of the compromised forum.


Specialists of the Department for Combating Cybercrime of the Ministry of Internal Affairs of Ukraine responded promptly to our notification and confirmed that the exfiltration server to which the stolen information was sent was located in Ukraine and had been online since July 27, 2015.

The server went offline on August 8, 2015.

The first version of the script

The malicious script itself is not obfuscated and simple enough for analysis. However, the script code shows that the attackers had sufficient knowledge of the internal features of Firefox.

The script creates an iframe with an empty PDF blob. When the browser opens that PDF with its PDF.js viewer, new code is injected into the generated iframe. When that code runs, a wrappedJSObject is created together with a new property, sandboxContext. A special JavaScript function is then written to the sandboxContext property and called later by subsequent code. These steps allow the script to bypass the same-origin policy mentioned above.


Fig. The code that creates the sandboxContext property.

The exploit is very reliable and stable. However, it may trigger a warning that could attract the attention of advanced users.


Fig. The warning window.

After successful exploitation of the vulnerability, control passes to the section of code responsible for exfiltrating user data. The script supports Linux and Windows. On Windows, it searches for configuration files belonging to popular FTP clients (FileZilla, SmartFTP and others), an SVN client, messaging clients (Psi+ and Pidgin) and an Amazon S3 client.


Fig. List of files on the Windows platform that interest the attackers.

These configuration files may contain saved usernames and passwords.

On Linux, the script sends the following files to the remote server.


The script also parses the /etc/passwd file to obtain the home directory (homedir) paths of the users on the system.


Fig. List of files on the Linux platform that interest the attackers.

The script searches for the following types of data and sends them to the attackers.


The purpose of the first version of the malicious script is evidently to collect data used by site administrators and webmasters. Such information allows the attackers to compromise an even greater number of sites.

Second version of the script

The next day, after the corresponding Firefox update was released, the attackers decided to refine their script and registered two new domains.

The new domains were maxcdnn[.]com (93.115.38.136) and acintcdn[.]net (185.86.77.48); the second IP address is the same one already used by the first version of the script. The attackers chose these domain names because they resemble those of content delivery networks (CDNs).

On Windows, the enhanced version of the script collects not only application configuration files but also text files whose names contain various combinations of words hard-coded by the attackers in the script.


Fig. List of files on the Windows platform collected by the second version of the script.

In the Linux version, the attackers also added new files to search for and extended the script to work on Apple OS X.


Fig. List of files on the Apple OS X platform collected by the second version of the script.

Some Russian-language commentators mistakenly took the malicious script for Duqu because some variables in the code have the value "dq".

Because the vulnerability is easy to exploit and a working copy of the exploit script is available to cybercriminals, some of them have already begun using it for their own purposes (copycats). We observed that various criminal groups adopted this exploit quite quickly: it was seen hosted on adult websites and served from google-user-cache[.]com (108.61.205.41). This script performs the same operations as the original version described above but collects a different set of files.


Fig. List of files that interest the attackers using the modified version of the script.

Conclusion

The attack on Firefox users with the zero-day exploit described in this post is an example of the exploitation of a serious software vulnerability. The exploit code shows that the attackers had a deep understanding of Firefox internals. The case is also interesting because most comparable exploits are used by attackers to install malware, whereas here the exploit script itself carries out the theft of confidential data from the user.

In addition, the exploit began to be used by other attackers immediately after it was detected in the wild. This situation is fairly typical of the cybercrime world.

ESET anti-virus products detect the various versions of this script as JS/Exploit.CVE-2015-4495. We also recommend that Firefox users update their web browser to the latest version. Note also that the PDF viewer built into Firefox can be disabled by setting the pdfjs.disabled preference to true.
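As an added example (not code from the ESET post or from Mozilla), a small Python audit script that reads a Firefox profile's prefs.js and user.js and reports whether the pdfjs.disabled mitigation mentioned above is in effect; the Linux profile root and the profile-directory name pattern are assumptions.

```python
# Added example: audit Firefox profiles for the pdfjs.disabled mitigation.
# A profile stores its current preference state in prefs.js; user.js, if present,
# is applied at startup and overrides prefs.js. Both use the same user_pref() syntax.
import glob
import os
import re

# Matches lines such as: user_pref("pdfjs.disabled", true);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {preference name: raw value string} for the given prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def pdfjs_disabled(prefs_js_text, user_js_text=""):
    """True if the built-in PDF viewer is disabled once the profile loads.
    user.js wins over prefs.js; an absent preference means the default (viewer enabled)."""
    effective = parse_prefs(prefs_js_text)
    effective.update(parse_prefs(user_js_text))
    return effective.get("pdfjs.disabled", "false") == "true"


def read_if_exists(path):
    return open(path, encoding="utf-8", errors="replace").read() if os.path.exists(path) else ""


def audit_profiles(root=os.path.expanduser("~/.mozilla/firefox")):
    """Map each profile directory under root (assumed Linux default location and
    '*.default*' naming) to whether pdfjs.disabled is effectively true."""
    return {d: pdfjs_disabled(read_if_exists(os.path.join(d, "prefs.js")),
                              read_if_exists(os.path.join(d, "user.js")))
            for d in glob.glob(os.path.join(root, "*.default*"))}


if __name__ == "__main__":
    # Constructed sample: prefs.js leaves the viewer enabled, user.js disables it.
    sample_prefs = 'user_pref("browser.startup.homepage", "about:blank");\nuser_pref("pdfjs.disabled", false);\n'
    sample_user = '// hardening\nuser_pref("pdfjs.disabled", true);\n'
    print("sample profile, pdfjs disabled:", pdfjs_disabled(sample_prefs, sample_user))
    for profile, disabled in audit_profiles().items():
        print(f"{profile}: pdfjs.disabled={'true' if disabled else 'false (viewer enabled)'}")
```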

Indicators of Compromise (IoC)

Partial list of compromised servers


Addresses of the servers that participated in the cyber attack

maxcdnn[.]com (93.115.38.136)
acintcdn[.]net (185.86.77.48)
google-user-cache[.]com (108.61.205.41)

SHA-1 hashes of the malicious scripts


Source: https://habr.com/ru/post/264619/
