Monday 28 October 2013

American authorities charge UK man with hacking Army, Missile Defense Agency and NASA websites

A 28-year-old man from Stradishall, England has been charged in the United States with hacking into US government and military computers, stealing sensitive data and causing millions of dollars in damages.

The New Jersey US Attorney’s Office announced on Monday that Lauri Love of the United Kingdom was indicted with breaching thousands of computer systems, including those belonging to the Army, the Pentagon’s Missile Defense Agency and NASA. A separate complaint filed in the Eastern District of Virginia also accuses Love of participating in an operation earlier this year spearheaded by the hacktivist movement Anonymous.


An arrest warrant for Love was signed last week and he was detained on Friday by investigators with the UK’s Cyber Crime Unit of the National Crime Agency (NCA) in connection with an ongoing probe conducted by that agency, US Attorney for the District of New Jersey Paul Fishman said Monday.

Fishman’s investigative team say Love and unnamed co-conspirators hacked into those computers during the last year, installing hidden “shells” or “backdoors” within the networks allowing them to return at later times and pilfer private data.
The indictment accuses Love of stealing personally identifiable information for thousands of military servicemen and government employees. In July 2013 chat logs monitored by federal investigators, Love allegedly told his co-conspirators he had obtained “basically every piece of information you'd need to do full identity theft on any employee or contractor” for the government agency that he had last hacked. Conversations earlier that year with co-conspirators reveal that Love announced in the IRC channel, “we might be able to get at real confidential shit” after compromising US networks.

“Collectively, the hacks described herein substantially impaired the functioning of dozens of computer servers and resulted in millions of dollars of damages to the Government Victims,” US prosecutors claim. In New Jersey, Love was charged with one count of accessing a US department or agency computer without authorization and one count of conspiring to do the same.

A separate criminal complaint filed in US District Court for the Eastern District of Virginia is full of testimony from a Federal Bureau of Investigation officer who says Love also accessed, without authorization, protected computers belonging to the United States Department of Health and Human Services, the US Sentencing Commission, the Regional Computer Forensics Laboratory, and the US Department of Energy.


Prosecutors say Love masterminded the hacks over Internet Relay Chat, or IRC, where he discussed with co-conspirators vulnerabilities discovered in American networks and ways to exploit servers using SQL injection.
According to the complaint filed in Virginia, Love and his conspirators targeted the website of the US Sentencing Commission beginning in late 2012, and in January of this year they altered the website to display a video that criticized the guidelines with respect to Internet-related crimes.
“As a result of the intrusion and defacement, the USSC website was unavailable to the public for roughly three weeks,” prosecutors say, causing more than $5,000 in damage and again damaging a US government computer.
The defacement occurred in early 2013, shortly after the death of computer prodigy Aaron Swartz, who had committed suicide days earlier while awaiting trial in his own high-profile hacking case. The international hacktivist group Anonymous authored a statement on the hacked Sentencing Commission website in honor of the activist and coder, as part of “Operation Last Resort,” a larger movement that cited the treatment of Swartz as well as the “erosion of due process, the dilution of constitutional rights [and] the usurpation of the rightful authority of courts by the ‘discretion’ of prosecutors,” as the catalyst for an attack.
“This website was chosen due to the symbolic nature of its purpose — the federal sentencing guidelines which enable prosecutors to cheat citizens of their constitutionally-guaranteed right to a fair trial, by a jury of their peers — the federal sentencing guidelines which are in clear violation of the 8th amendment protection against cruel and unusual punishments. This website was also chosen due to the nature of its visitors. It is far from the only government asset we control, and we have exercised such control for quite some time,” in part reads the messaged posted on the Sentencing Commission’s website earlier this year.
The court documents unsealed this week allege that Love participated in the government intrusions using a handful of Internet aliases, including “nsh,” “route,” “peace” and “shift.” During one of those hacks, prosecutors say the attack originated out of a domain purchased with a PayPal account registered to “lauri.love@gmail.com.”
After Love’s arrest was announced on Monday, the unsealed evidence began to partially reconstruct the last few years of the mysterious alleged cybercriminal. A cursory Google search for the email address uncovered by authorities ties Love to a “Reclaim the Streets” demonstration scheduled for the British Election Day in May 2011.
“It may be the most important election in our lifetimes; it certainly looks to be the closest. Many are disillusioned, many are apathetic, many believe it's a contest between clowns for the lesser of a few feebles. Whatever you believe, we can all agree that the election could do with being a hell of a lot more FUN,” the flyer for the event reads. “RECLAIM THE SEATS aims to turn the election into a festival, and bring the people together instead of dividing them.”
A Google search also revealed chat logs from 2005 and 2008 hosted publicly online in which an IRC participant named “nsh” divulged his email address as being the same one cited five years later by US prosecutors. RT has also discovered a Twitter account registered to @LauriLove that advertised the same email address in public tweets.

The Twitter account believed to belong to Love ceased making posts two years ago, but dispatches from throughout 2011 suggest Love was involved in the Occupy Glasgow movement at Glasgow University in Scotland.
“We have retaken the university,” Love told the Herald Scotland in a March 2011 article about the growing school protests.
RT has also located video on YouTube of a speech presented at a University of Glasgow protest in May 2011 by a Lauri Love.

Evasive Tactics: Terminator RAT

FireEye Labs has been tracking a variety of advanced persistent threat (APT) actors that have been slightly changing their tools, techniques, and procedures (TTPs) in order to evade network defenses. Earlier, we documented changes to Aumlib, the malware used in the attack against the New York Times, and Taidoor, a malware family that is being used in ongoing cyber-espionage campaigns particularly against entities in Taiwan.
In this post we will explore changes made to Terminator RAT (Remote Access Tool) by examining a recent attack against entities in Taiwan. We recently analyzed a sample that we suspect was sent via spear-phishing emails to targets in Taiwan. As shown in Figure 1, the adversary sends a malicious Word document, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), that exploits CVE-2012-0158, which subsequently drops a malware installer named “DW20.exe”. This particular malware is interesting because of the following:

It evades sandboxes by terminating and removing itself (DW20.exe) after installing. Malicious behavior only appears after a reboot.

It defeats sandboxes that analyze a single object by splitting roles between collaborating malware components. The RAT (svchost_.exe) works with its relay (sss.exe) to communicate with the command and control server.

It hinders forensic investigation by changing the startup folder location.

It deters file-based scanning that applies a maximum file size filter by padding svchost_.exe to 40MB.

The ultimate payload of the attack is Terminator RAT, which is also known as FakeM RAT. This RAT does not appear to be exclusively used by a single APT actor, but is most likely being used in a variety (of possibly otherwise unrelated) campaigns. In the past, this RAT has been used against Tibetan and Uyghur activists, and we are seeing an increasing number of attacks targeting Taiwan as well.

However, these attacks use some evasive tactics that demonstrate the evolution of Terminator RAT. First, the attackers have included a component that relays traffic between the malware and a proxy server. Second, they have modified the 32-byte magic header that in previous versions attempted to disguise the traffic as either MSN Messenger, Yahoo! Messenger, or HTML code.

These modifications appear to be an attempt to evade network defenses, perhaps in response to defenders’ increasing knowledge of the indicators of compromise associated with this malware. We will discuss the individual components of this attack in more detail.


1. DW20.exe (MD5: 7B18E1F0CE0CB7EEA990859EF6DB810C)
DW20.exe was found to be the installation executable. It first creates its working folders at “%UserProfile%\Microsoft” and “%AppData%\2019”. The former is used to store the configurations and executable files (svchost_.exe and sss.exe), and the latter is used to store the shortcut link files. The “2019” folder is then configured as the new startup folder location by changing the registry value “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup” to its path (see Figure 2).




The executable file “sss.exe” was found to be the decrypted form of the resource named 140 with type “ACCELORATOR” (likely a misspelling of Accelerator; see Figure 3). This resource was decrypted using a customized XTEA algorithm and appended with an encrypted configuration for the domains and ports.


After installation, DW20.exe deletes and terminates itself. The malware components only run after a reboot. This is an effective way to evade automated sandbox analysis, as malicious activity is only revealed after a reboot.

2. sss.exe (MD5: 93F51B957DA86BDE1B82934E73B10D9D)
sss.exe is an interesting malware component. If a researcher analyzed it in isolation, it would not be considered a malicious program. This component acts as a network relay between the malware and the proxy server by listening on port 8000. To achieve this, it first tries to identify the proxy servers configured on the system using “WinHttpGetIEProxyConfigForCurrentUser”; the discovered proxy servers and related ports are stored in the same directory in a file named “PROXY” (see Figure 4).


When a new incoming TCP connection arrives on port 8000, it attempts to open a socket connection from the local host to the proxy server. Through that connection it checks connectivity with the CnC server. If the response is 200, it then creates a “relay link” between the malware and the CnC server (see Figure 5). The “relay link” is built from two threads, where one thread transfers data from socket 1 to socket 2 (see Figure 6) and the other does the reverse.


As depicted in Figure 7, the user agent is hard coded. This is a possible means to identify potentially malicious traffic, as Internet Explorer 6 is significantly outdated and “MSIE 6.0.1.3” is not a valid version token.
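As an added example (not FireEye's code), a small Python checker that applies the observation above to proxy log lines: it flags User-Agent strings whose MSIE version token is malformed (more than major.minor) or obsolete (IE 6 and earlier). The log format and every sample line are constructed; the post only gives the “MSIE 6.0.1.3” token, not the sample's full User-Agent string.

```python
import re

# A well-formed token looks like "MSIE 6.0;" or "MSIE 8.0)" (major.minor only).
MSIE_TOKEN = re.compile(r'MSIE\s+([0-9.]+)\s*[;)]')
# Constructed proxy log format: ts client dst "METHOD URL" status "User-Agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) "([^"]*)"$')

def msie_anomaly(user_agent):
    """Return a reason if the MSIE version token is malformed or obsolete, else None."""
    m = MSIE_TOKEN.search(user_agent)
    if not m:
        return None
    version = m.group(1)
    parts = version.split('.')
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return 'malformed MSIE version token "%s"' % version
    if int(parts[0]) <= 6:
        return 'obsolete MSIE major version %s' % parts[0]
    return None

def scan_proxy_log(lines):
    """Return [(line_number, client, dst, reason)] for requests with a suspicious MSIE token."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.rstrip('\n'))
        if not m:
            continue  # unparseable line: skip rather than guess
        _, client, dst, _, _, ua = m.groups()
        reason = msie_anomaly(ua)
        if reason:
            hits.append((n, client, dst, reason))
    return hits

# Constructed sample lines; line 2 carries the invalid "6.0.1.3" token noted in the post.
SAMPLE_LOG = [
    '2013-10-28T09:00:01Z 10.1.2.3 intranet.example "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"',
    '2013-10-28T09:00:07Z 10.1.2.9 liumingzhen.zapto.org "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0.1.3; Windows NT 5.1)"',
    '2013-10-28T09:00:09Z 10.1.2.4 cdn.example "GET /a.js HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0"',
    '2013-10-28T09:00:12Z 10.1.2.5 legacy.example "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == '__main__':
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```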


The configuration for the malicious domains and ports is located in the last 188 bytes of the executable file (see Figure 8). The first 16 bytes are the key (boxed in red) used to decrypt the remaining content with the modified XTEA algorithm (see Figure 9). The two malicious domains found were “liumingzhen.zapto.org” and “liumingzhen.myftp.org”.
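An added Python example (not FireEye's tooling) of the trailer-extraction approach described above: take the last 188 bytes of the file image, use the first 16 as the key and decrypt the rest. It assumes standard XTEA with little-endian words, a trailing partial block copied through unchanged, and a NUL-separated host:port layout; the real sample uses a modified XTEA whose changes the post does not detail, and the key and ports are constructed, so this is a template to adapt, not a decoder for the actual binary.

```python
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF
CONFIG_SIZE = 188   # trailer length reported for the sss.exe sample
KEY_SIZE = 16       # the first 16 bytes of the trailer are the key

def _xtea_decrypt_block(v0, v1, k, rounds=32):
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1

def _xtea_encrypt_block(v0, v1, k, rounds=32):
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1

def _xtea_ecb(data, key, block_fn):
    # Little-endian words (assumed); a trailing partial block is copied through unchanged.
    k = struct.unpack('<4I', key)
    out = bytearray()
    for off in range(0, len(data) - len(data) % 8, 8):
        v0, v1 = struct.unpack_from('<2I', data, off)
        out += struct.pack('<2I', *block_fn(v0, v1, k))
    out += data[len(out):]
    return bytes(out)

def extract_config(exe_bytes, size=CONFIG_SIZE):
    """Return [(host, port), ...] from the encrypted trailer of a file image."""
    trailer = exe_bytes[-size:]
    key, body = trailer[:KEY_SIZE], trailer[KEY_SIZE:]
    plain = _xtea_ecb(body, key, _xtea_decrypt_block)
    # Assumed layout: NUL-separated "host:port" strings, NUL padded to fill the trailer.
    entries = [e.decode('ascii', 'replace') for e in plain.split(b'\x00') if e]
    return [(h, int(p)) for h, p in (e.rsplit(':', 1) for e in entries)]

def build_sample():
    """Constructed stand-in for an sss.exe image: filler bytes plus an encrypted trailer."""
    key = bytes(range(KEY_SIZE))                      # constructed key, not the sample's
    cfg = b'liumingzhen.zapto.org:443\x00liumingzhen.myftp.org:80\x00'  # ports constructed
    cfg = cfg.ljust(CONFIG_SIZE - KEY_SIZE, b'\x00')
    return b'MZ' + b'\x90' * 512 + key + _xtea_ecb(cfg, key, _xtea_encrypt_block)

if __name__ == '__main__':
    print(extract_config(build_sample()))
```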


3. Network Traffic
The Terminator sample we analyzed, “103.doc” (md5: a130b2e578d82409021b3c9ceda657b7), was not configured with a fake HTML, Yahoo Messenger, or Windows Messenger traffic header as past variants were. However, the content is encrypted in exactly the same way as in previous versions of Terminator RAT.


The decrypted content reveals that the malware is sending back the user name, the computer name and a campaign mark of “zjz1020”.


This particular sample is configured to use one of two command and control servers:
liumingzhen.zapto.org / 123.51.208.69
liumingzhen.myftp.org / 123.51.208.69
We have located another malicious document, with a Taiwan-related decoy document, that drops this same version of Terminator RAT.


The sample we analyzed (md5: 50d5e73ff8a0693ed2ee2d320af3b304) exploits CVE-2012-0158 and has the following command and control server:
catlovers.25u.com / 123.51.208.142
The command and control servers for both samples resolved to IP addresses in the same class C network.

4. Campaign Connections
In June 2013, we investigated an attack against entities in Taiwan that used spear-phishing emails to deliver a malicious attachment.
The malicious attachment “標案資料.doc” (md5: bfc96694731f3cf39bcad6e0716c5746) exploited a vulnerability in Microsoft Office (CVE-2012-0158); however, the payload in this case was a different malware family known as WinData. The malware connected to the same command and control server, liumingzhen.zapto.org, but the callback is quite different:
XYZ /WinData.DLL?HELO-STX-1*1[IP Address]*[Computer Name]*0605[MAC:[Mac Address]]$
In a separate case where liumingzhen.zapto.org was used as the command and control server, the payload was neither WinData nor Terminator RAT, but another type of malware known as Protux. The sample we analyzed in August 2012 for this case was “幹!.doc” (md5: 01da7213940a74c292d09ebe17f1bd01). This particular threat actor has access to a variety of malware families and has been using them to target entities in Taiwan for more than a year.

Conclusion
Terminator RAT is an example of how malware is becoming increasingly sophisticated and harder to detect. There is a need for continual research to understand the various techniques, tactics, and procedures used by adversaries. Detection of exploitation and identification of anomalous callbacks are becoming critical in preventing the malware from installing on the system or phoning back to the command and control servers.

Saturday 19 October 2013