Security Week 37: Bug-bugzilla, Karbanak from back, C & C on fishing

In the new episode of the series, based on the news in the field of information security:

- Hacking Bugzilla once again reminds that passwords must be not only complex, but also unique.
- The Carbanak campaign, responsible for stealing hundreds of millions of dollars from financial institutions, has been seen in Europe and the USA.
- Research "Lab" on how to transfer the command server spyware campaign from the "very difficult to find" to the level of "look for the wind in the field"

As well as unclosed telnet in Seagate WiFi disks, patches, fishing and music viruses from the past. I remind the rules: each week the editors of the news site Threatpost selects the three most significant news, to which I add an extended and merciless comment. All episodes of the series can be found here .

Summarize the survey from the previous release: Most often the router is updated every couple of years or even less (31% chose this option). 28% never updated the router. 210 people took part in the survey. Thanks to all!
')
Hacking bug tracker Bugzilla
News FAQ on the attack.

In the issue for the 34th week, I raised the topic of responsible disclosure of information about vulnerabilities, using examples to show when it is possible and when it is not desirable to disclose information about bugs found. The story of hacking a Mozilla bug tracker shows when to disclose information about vulnerabilities is not worth it. Well, of course: not yet repaired. In August , a patch was released for the Firefox browser, covering a vulnerability in the embedded PDF viewer. It was discovered thanks to the user who became the victim of the exploit and reported the incident: the source of the attack was a “prepared” advertising banner, and the result was stolen personal data.

I suspect that already in the process of releasing the patch, it became clear to the developers that the bug is not new. The Bugzilla system already had information about it, albeit in a closed part of the public. There were suspicions of unauthorized access, which were confirmed last week. At the same time, there was no “hacking” as such: they simply identified the privileged user, found the password from the hacked base of another resource, which coincided with the password for Bugzilla.



As a result, attackers have had access to “secret bugs” since September 2014, and possibly since September 13th, that is, a couple of years. During this time, according to data from a very detailed FAQ, released in the wake of the investigation, hackers had access to information about 185 bugs, including 53 serious vulnerabilities. 43 vulnerabilities from this list have already been closed by the time of unauthorized access. Of the remaining ten, two vulnerabilities “leaked” less than a week before the patch, five theoretically could be exploited in a period from a week to a month before closing. The remaining three vulnerabilities could be used 131, 157 and 335 days before the patch was released. This is the worst news about this hacking, although the Mozilla developers "do not have evidence that these vulnerabilities were exploited" in practice. From more than fifty bugs in practice involved only one.

In general, the moral of this story is clear, and then of course I want to climb on the armored car and declare instructively: “Comrades! Ladies and Gentlemen! Friends! Use unique passwords for each resource! ”. But not everything is so simple: such a scheme of work makes it almost necessary to use a password manager. And even if you have it, then you need to thoughtfully and patiently change the passwords on all the resources that you actively use. And ideally - in general at all. Meanwhile, according to our data, only 7% of users work with password managers all the time. It is interesting to compare with the audience Habra, therefore, at the end of the post another poll.

New versions of Carbanak are attacking the US and Europe
News February study "Laboratories". New CSIS study .

I will quote the February announcement of our research on the “great robbery”:

“The attackers could transfer funds to their own accounts, manipulate the balance so that numerous security systems did not notice this. Without complete control over the domestic banking systems, it was impossible to turn such an operation. Therefore, after the penetration, various methods were used to gather information about how the bank infrastructure is arranged, including video recording. ”



Thanks to the cooperation with law enforcement agencies, the damage from Carbanak, a complex, multi-stage attack on financial institutions, was estimated at a billion dollars, with more than a hundred casualties — large companies. But it was in February, and at the end of August, researchers at the Danish company CSIS discovered a new modification of Carbanak. The differences between the new and old versions are small, in particular for connecting to the management server instead of the domain name, a permanent IP address is used. But the plugins used to steal data are similar to those mentioned in the February study "Laboratories".

According to CSIS, the goal of the new version of Carbanak has become large companies in Europe and the United States.

Turla APT: hiding C & C via satellite internet
News Previous news. Research

Turla’s cyber espionage campaign has been investigated for quite a long time by several information security expert companies, including Kaspersky Lab. Last year we published a detailed study on how to penetrate victims' computers, gather information, and send data to management servers. At each stage of this relatively complex campaign, many tools are used — spear-phishing with infected documents that exploit zero-day vulnerabilities, infected websites, various data collection modules used depending on the task and importance of information, a complex network of proxies and Command & Control servers. The result (according to data of August last year): several hundred victims in 45 countries of the world, mainly in Europe and in the Middle East.

This week, the expert of the "Laboratory" Stefan Tanase published the results of a more detailed study of the final stage of the attack - when data is transmitted to the management server. To collect information, Turla, like other APT-class attacks, uses a variety of methods, for example, a bulletproof hosting. But when the end point of information following becomes a specific server on a particular hosting, the probability of its confiscation by law enforcement agencies (and simply disconnection by the provider) noticeably differs from zero, how many proxy chains do not line up.

Here the satellite Internet comes to the rescue. Pros: the server can be placed anywhere in the satellite coverage area (and it is also easy to move to another location). Disadvantages: renting a two-way channel with a minimum decent width is very expensive, and, again, easily tracked on a paper trail. So, the method of data delivery, discovered by our expert, does not require renting a channel at all.

There is such a thing as " satellite fishing ": when slightly modified software on a satellite terminal does not discard data packets that are not intended for a specific subscriber, but collects them. As a result, the "fisherman" gets not intended files and web pages, and indeed any data. This works under one condition: if the data stream is not encrypted. In the attack, Turla uses approximately the same method, with one clarification: when listening to the traffic, it is necessary to determine the victim's IP - the legal and unsuspecting owner of the satellite Internet terminal, and force the infected machines to send data to this IP.

At the same time, special ports are used for communication, which are closed on conventional systems, and data packets arriving at these ports are simply discarded by the victim's network equipment. But those who listen to traffic can intercept this data without revealing their location.

I remember that the old radio telephones did not encrypt voice communications at all, with the expectation that you simply couldn’t buy devices for reception at these frequencies. At first, it was so, but rather quickly, all-wave radios began to be sold at every corner and cost a penny. The analogy is rather strained, because you will still have to spend a couple of thousand dollars on a set for receiving and processing data using the Turla method. But the bottom line is that in satellite Internet systems there is a “innate” vulnerability that is used by attackers. What to do with this is not very clear.

And the result is that the approximate location of the Turla command server coincides with the coverage area of ​​the satellite operator:



Further traces are lost.

What else happened:
They found another extortioner Trojan for Android, which communicates with the command server via the XMPP protocol. Chats and other IMs use PC malware to coordinate their work for a long time, so the news confirms once again: mobile threats evolve similarly to desktop ones, only faster.

Regular patches of critical vulnerabilities in Google Chrome (update to version 45).

In the "wireless" hard drives Seagate found a sweet couple of unclosed access via telnet and hard-coded password from the root. The news is important, but we have already discussed this topic in detail last time in relation to routers. Conclusion: to all that distributes WiFi, you need to protect especially carefully. And now even the WiFi cameras are distributed.

Antiquities:
"Manowar-273"

Resident harmless virus, standardly infects COM- and EXE-files when they are launched for execution (COMMAND.COM file is infected by the "Lehigh" algorithm). Contains the text “Dark Lord, I summon thee! MANOWAR.

"Iron-Maiden"

Non-resident very dangerous virus, standardly infects COM files of the current directory. Since August 1990, depending on the current time, it can erase two random sectors on the disks. Contains the text "IRON MAIDEN".

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Pages 70.75.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.