Recent Watering Hole Attacks Attributed to APT Group “th3bug” Using Poison Ivy

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are now more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise the sites’ visitors. The compromised sites are often popular websites frequented by people who work in the specific industries, or hold the political sympathies, that the actors want to gain access to.

The attacks discussed in this blog are related to an APT campaign commonly referred to as “th3bug”, named for the password the actors often use with their Poison Ivy malware. Of note, only the older of the samples we cover in this blog used that password. We don’t know why the actors changed it, but it could possibly be a reaction to information widely published on the Internet about their activities, which uses that password as a key component to tie the activity together. FireEye in particular published a paper describing several APT campaigns whose activity they correlate using Poison Ivy passwords.

Privacy: Why Apple Pay will be Better than Google Wallet

On September 9, Apple announced that the latest iPhone models would come with a new technology called Apple Pay which allows people to purchase items with their phones, both in stores and online. Many smug Android users looked at the announcement and thought “Sounds like Google Wallet. Welcome to 2011 Apple.” As an individual who is well entrenched in the Google ecosystem (I have a Nexus 5 in my pocket and a Moto 360 on my wrist), I initially had the same reaction. But, after looking at the two systems more closely, I think Apple Pay will be the better platform for users, and the reason for that is privacy.


AppBuyer: New iOS Malware Steals Apple ID and Password to Buy Apps

Palo Alto Networks recently found and analyzed a new iOS malware affecting jailbroken iOS devices in the wild. The malware connects to a C&C server, downloads and executes malicious executable files, hooks network APIs to steal the user’s Apple ID and password and upload them to the attacker’s server, and simulates Apple’s proprietary protocols to buy apps from the official App Store using the victim’s identity. We named this new family AppBuyer.

Background

AppBuyer was first mentioned by four members of the WeiPhone Technical Group on May 18, 2014. They remotely assisted a user in finding out why apps were periodically being installed onto his jailbroken iPhone, and finally located two strange files on that device. They found that these files would download, execute and delete other executable files from the Internet. Lastly, they tried to identify the attacker by analyzing the C&C server’s domain name used in the samples. They also provided these samples for download.

Palo Alto Networks Identifies 15 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researchers discovered 15 new critical Internet Explorer (IE) vulnerabilities covering IE versions 6, 7, 8, 9, 10 and 11.

Each of these discoveries allows full remote code execution using memory corruption vulnerabilities in IE. They have been documented in Microsoft Security Bulletin MS14-052 as part of the September 2014 Security Bulletin. Palo Alto Networks researcher Bo Qu is credited with these 15 vulnerabilities.

Stolen Email Accounts of World’s Top Universities Selling on China’s Largest C2C Platform

Recently, we found email accounts from top universities across the world being sold on Taobao, the largest consumer-to-consumer (C2C) e-commerce platform in China. Advertised uses for these accounts included registering for special accounts under software developer programs, receiving student discounts or coupons from retailers, and obtaining access to academic databases.  This post describes the scope, associated risks, and implications of this activity.

Our investigation began with a Chinese language search for "edu mailbox" in Taobao, which returned 99 results related to stolen university email accounts. The most expensive account was listed at ¥2400 RMB ($390.80 USD), while the cheapest was only ¥0.98 RMB ($0.16 USD).


Figure 1: Results for Chinese language "edu mailbox" search on Taobao.

These accounts, which include an education (EDU) top-level domain email address with a valid password, represent 42 of the world’s top universities, across 10 countries:

Bad Certificate Management in Google Play Store

Following a recent study of apps in the Google Play Store, let’s discuss several security risks caused by the bad certificate management practiced in many Android apps, from social to mobile banking.

All Android apps must be digitally signed with a certificate from the developer. As described in Google’s official documentation, the app developer is required to create a keystore holding a set of private keys, and then use a private key to generate a signed version of the app. This key has to be valid for at least 25 years. These certificates do not have to be issued by a certificate authority and can instead be self-signed. Because this is simpler and allows the author to retain the private key, the majority of Google Play apps use self-signed certificates. This means it is the developer’s responsibility to keep the private key safe, whether that developer is a 13-year-old or a multinational company. As a result, the security protecting private keys varies widely, so the risks of bad certificate management cannot be ignored and must be identified and, where necessary, mitigated.

Listen: How Evolved 419 Scammers Are Targeting the Enterprise

Unit 42, the Palo Alto Networks threat intelligence team, will be appearing on a live webcast and Q&A with Dark Reading tomorrow, Thursday, August 28 at 2:00 p.m. EDT.


NetWire and MITRE ChopShop

On August 4, Unit 42, the Palo Alto Networks threat intelligence team, released a tool to decrypt the traffic from a Remote Administration Tool (RAT) named NetWire (part of the NetWiredRC malware family).  For details of the encryption protocol used please see our earlier post here.

The previously released protocol decoder and parser was originally built as a stand-alone module. As part of Unit 42’s mission to contribute to the security community, we have developed, and are releasing today, a version of the NetWire decryption tool that works within ChopShop, a great open source tool from MITRE that provides a framework for protocol analysis.  To use the tool, simply grab the public_tools repo from the Unit 42 GitHub repository. Be sure to point your ChopShop command to that directory using the -M flag.

We hope that this integration of the decryptor tool with ChopShop will provide value to incident responders and security researchers.

Pivot on Google Code C2 Reveals Additional Malware

Last week, we reported on attacks observed against East Asia that used Google Code for command and control (C2). As follow-on to that work, we pivoted on the C2 indicators of compromise (IoCs) within our WildFire platform, looking for additional malicious activity.

One sample in particular caught our attention, downloaded on June 18 from 211.233.89.182 via FTP. While all of the other near-proximity samples downloaded from this Korean IP were flagged as malware by VirusTotal, this one was not at that time. Deeper inspection revealed what this malware was and how it evaded detection by antivirus programs.

The FTP download in question was for a resource innocuously named “p”.

Examining the CHS Breach and Heartbleed Exploitation

Yesterday, TrustedSec, a security consultancy based in Ohio, wrote that the recent breach at Community Health Systems (CHS) was the result of exploitation of the Heartbleed OpenSSL vulnerability (CVE-2014-0160). CHS’s 8-K filing on Monday did not reveal how the attackers got into their network, only that the records of approximately 4.5 million patients were stolen in attacks between April and June of 2014. TrustedSec reports on how attackers were apparently able to glean user credentials from a certain device via the Heartbleed vulnerability and use them to log in via a VPN.


Insecure Internal Storage in Android

Today, Palo Alto Networks researcher Claud Xiao is delivering a presentation titled “Insecure Internal Storage in Android” at the Hacks in Taiwan Conference (HITCON).

Claud is discussing techniques for accessing private data in Android’s internal storage system using the Android Debug Bridge (ADB) backup/restore functionality. While over 85% of active Android devices are vulnerable to this attack, Android includes multiple levels of protection to prevent unauthorized data access. In today’s presentation, Claud will demonstrate how an attacker could bypass all of those protections to gain access to usernames, passwords and a treasure trove of other data.

To understand this attack, it’s critical to understand how applications use Android internal storage and why unauthorized access to this data is so problematic.


Palo Alto Networks Discovers 3 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researchers discovered 3 new critical Internet Explorer (IE) vulnerabilities covering IE versions 8, 9, 10 and 11.

Each of these discoveries allows full remote code execution using a memory corruption vulnerability in IE. They have been documented in Microsoft Security Bulletin MS14-051 as part of the August 2014 Security Bulletin. Palo Alto Networks researcher Bo Qu is credited with all 3 vulnerabilities.

Palo Alto Networks customers are protected from these vulnerabilities through our regular Vulnerability Protection updates, and we recommend Internet Explorer users upgrade to the latest patch from Microsoft.


Attacks on East Asia using Google Code for Command and Control

Recently, FireEye published a blog titled “Operation Poisoned Hurricane” which detailed the use of PlugX malware variants signed with legitimate certificates that used Google Code project pages for command and control (C2). We were able to uncover multiple additional samples exploiting the same technique as well as an additional Google Code account with multiple projects containing encoded commands.

The attacks against Palo Alto Networks customers, which took place between early June to early July, also targeted users in East Asia; in this case an international law firm’s regional office and a major university. All of the attacks were detected by our WildFire platform.

Of note, three of the Google Code projects associated with the newly uncovered account were added during the past few days, indicating it is still in active use.


Hunting the Mutex

Summary

Mutex analysis is an often overlooked but useful tool for malware author fingerprinting, family classification, and even discovery. Far from the hypothesized "huge amount of variability" in mutex names, a notion likely owed to their seemingly random appearance, practical mutex usage is embarrassingly consistent. In fact, over 15% of all collected worms share a single mutex [2gvwnqjz].

This blog was sourced from the data generated by the WildFire Analytics cloud, which processes thousands of samples a day and provides insights into various characteristics and behaviors of malware worldwide. But before we get into the details, here is a quick overview of mutexes and why they exist in the first place.

Mutex Overview

Check Out Scenes from Palo Alto Networks at Black Hat 2014

From a well-attended session on our advanced endpoint protection, to the buzz at the booth for Unit 42, our threat intelligence team, and a full slate of demonstrations and visualizations, there was plenty to take in at a very busy Black Hat USA.

Here's a look back at Palo Alto Networks at Black Hat: