
Security Week 13: Doctor Who fans found in the CIA, APT29 runs backdoor traffic through Google, time to patch SAP GUI

The main news of the week: genuine old-school nerds who are fans of "Doctor Who" work at the CIA. After all, someone thought of naming a tool for infecting password-protected MacBooks the "sonic screwdriver" (Sonic Screwdriver). Thank you, Uncle Assange, for this invaluable information!

Let's take it in order. A new batch of documents stolen from the CIA has appeared on WikiLeaks. The latest tranche is grandly titled Dark Matter, but the documents in it are far from fresh, dated 2008-2012. Nevertheless, they give an idea of the methods and capabilities of the American intelligence service.

It turns out that nine years ago the knights of cloak and dagger encroached on the sacred: our iPhones and MacBooks. Even then they had at their disposal an excellent set of tools for spying on users of Apple hardware.

The most recent document in Dark Matter is the manual for the already mentioned Sonic Screwdriver. This is an implant in the firmware of the Apple Thunderbolt-to-Ethernet adapter, and its purpose is to force the MacBook to boot from a USB flash drive, ignoring the boot password. The procedure is very simple: plug the adapter into the Thunderbolt port, the flash drive into USB, and turn on the MacBook. That's all. True, the brave Jason Bourne must first prepare on that flash drive a gentleman's kit for infecting the computer with whatever spyware, descriptions of which WikiLeaks has also kindly provided.

So, the DarkSeaSkies set consists of three components:
● DarkMatter is an EFI driver written into the MacBook firmware that installs the spyware components. If it cannot find its preconfigured command server on the Internet, it decides the operation has been blown and wipes all traces of activity from the computer, including itself;

● SeaPea is a Mac OS X kernel-space implant that hides processes and files from the user and launches other tools;

● NightSkies is a Mac OS X user-space spy implant. It can execute commands from the CIA server, send requested files from the MacBook to the server and vice versa, and also run files it has received.

The tactics for using DarkSeaSkies are very much in the CIA's spirit. These are not the NSA eggheads; here you have to work in contact with the target. To infect the victim's MacBook, the agent must have physical access to it, and the WikiLeaks papers recommend simply handing the target an already infected MacBook as a bribe or a gift, for a wedding, for example.

So, colleagues, if the CIA gives you a MacBook for your wedding, save at least a few secret documents on it so as not to upset the guys. They tried. Secret documents, by the way, can be downloaded from WikiLeaks.

As for iPhones, the agency prepared a version of the same NightSkies for them, providing a full set of features for controlling the device. The implant activates when certain applications are used (browser, email client, maps and others).

NightSkies is written directly into the iPhone's system software by flashing it through iTunes. The procedure is described in enough detail to leave Apple with a few questions about the security of iOS. True, the documents are old and this NightSkies version targets the antique iPhone 3G, but the agency has surely managed to cook up software for newer devices too. In a word, we await further deliveries from Assange.

APT29 ran backdoor traffic through Google

In 2015, researchers at Berkeley described domain fronting, a technique designed to hide the true endpoint of traffic. As it turned out, the APT29 group (aka Cozy Bear) adopted this technique long ago and has been using it successfully.

The idea of domain fronting is to send traffic destined for the command-and-control server through some legitimate service. In this case the APT29 guys brazenly drove their traffic through Google, and over the years of their subversive activity no one noticed.

Here is how it worked: on the victim's machine the Trojan installed a Tor service, cynically disguised as a Google application, and set up a backdoor listening on ports 139, 445 and 3389. The backdoor traffic was wrapped in Tor, then encoded by the meek plug-in into HTTP addressed to the meek reflection server, after which the whole matryoshka was stuffed into TLS addressed to the Google server. The key piece of this scheme is the meek server, hosted in the same cloud as Google.

When the Google server sees that the HTTP request is addressed to a server hosted in its cloud, it forwards the request there. The meek server decodes the traffic and passes it into the Tor network, through which it safely reaches the backdoor's command server.

From the point of view of the attacked computer's administrator, a Google service is talking to a Google server, so nothing suspicious is happening... Google has since broken this elegant scheme by evicting the meek server from its cloud, but the technique works with other CDNs, so don't relax.
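What the administrator can actually look for is the signature of the scheme described above: the TLS connection is opened to the front (the name in the SNI), while the real destination travels inside, in the HTTP Host header. The following detector is an added example, not code from the original column; it assumes a hypothetical log format from a TLS-inspecting proxy that records both the SNI and the Host header, and the hostnames in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample records in an assumed proxy log format: the TLS SNI the
# client asked for, and the HTTP Host header found inside the decrypted stream.
SAMPLE_LOG = """\
2017-03-28T10:01:02Z src=10.0.0.12 sni=www.google.com host=www.google.com
2017-03-28T10:01:07Z src=10.0.0.12 sni=www.google.com host=reflector-placeholder.appspot.com
2017-03-28T10:01:09Z src=10.0.0.15 sni=mail.google.com host=mail.google.com
2017-03-28T10:01:15Z src=10.0.0.12 sni=www.google.com host=reflector-placeholder.appspot.com
"""

LINE_RE = re.compile(r"src=(\S+) sni=(\S+) host=(\S+)")


def parse(log):
    """Yield (src, sni, host) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).lower()


def registrable(name):
    """Crude eTLD+1 (last two labels); enough for the constructed sample,
    use a public-suffix library for real data."""
    return ".".join(name.split(".")[-2:])


def fronting_candidates(log):
    """Flows where the Host header names a different site than the SNI.
    Legitimate clients normally keep the two consistent, so a mismatch is
    the domain-fronting signature: the front is all that is visible outside TLS."""
    return [(src, sni, host) for src, sni, host in parse(log)
            if registrable(sni) != registrable(host)]


def suspicious_sources(log):
    """Count mismatched flows per source so repeated beacons stand out."""
    return Counter(src for src, _, _ in fronting_candidates(log))


if __name__ == "__main__":
    for src, sni, host in fronting_candidates(SAMPLE_LOG):
        print(f"SNI/Host mismatch from {src}: sni={sni} host={host}")
    print(suspicious_sources(SAMPLE_LOG))
```

Without TLS inspection the Host header is invisible, and the only remaining clue is volume and timing of connections to the front, which is exactly why the scheme went unnoticed for so long.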

A hole in the SAP client

Another vulnerability has been found in SAP. This time not in the server but in the client, which is much worse, and here is why.

Security researchers love finding vulnerabilities in SAP products; about 3800 are known at the moment. The company patches holes promptly, and administrators (one wants to believe) tirelessly roll out updates. But patching the server is one thing (there may be one or two of them on the network); SAP GUI, on the other hand, is often installed on every machine in the company, and in large organizations that can be many thousands. That is where the problems start.

In this case exploiting the vulnerability requires compromising the SAP server first, which somewhat reduces the risk. But if a cyber gang did manage to hack it, every SAP GUI machine would be an open door: push malicious ABAP code everywhere, plant Trojans, sow chaos. How do you like the prospect, say, of a ransomware encryptor launching on two thousand machines at once? Start rolling out patches.

Antiquities

"HH & HH-4091"

A non-dangerous resident encrypted virus. It infects .COM files in the standard way when they are run. On infection it renames the file to *.A*, writes itself into it, and then renames it back. On Mondays it writes 0 to port A0h and B0h to port 41h (?). It searches the screen for the string "Esik" and, if found, after a while switches to a graphics video mode and displays a bouncing ball. Hooks int 1Ch, 21h. Contains the text: "# (- 28 = CIPV] HARD HIT & HEAVY HATE the HUMANS !!! [HH & HH the H.]".

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 69.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on your luck.

Source: https://habr.com/ru/post/325380/
