Targeted Attacks Using Confusion (CVE-2012-0779)

Adobe today issued a security bulletin for a vulnerability in Flash Player, which is currently being used in limited targeted attacks. The targeted attacks leveraging the Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability have been in the wild for over a week. The vector of infection, as in most targeted attacks we see, is custom-crafted emails with malicious attachments.

For the exploit to successfully work, the malicious attachments need to be opened on a computer with a vulnerable version of Adobe Flash Player. The malicious documents contain an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it. Symantec detects this payload as Trojan.Pasam.
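One defender-side triage check that follows from the chain above, added here as an example and not part of the original advisory: it scans a document's raw bytes for a reference to a remotely hosted .swf file, including the UTF-16LE form in which Word stores text. The OLE signature check, the URL regex and the sample bytes are assumptions made here; the heuristic will not catch references that are obfuscated or compressed.

```python
import re
from typing import Dict, List

# Heuristic triage for the delivery chain described above: a document that
# carries an embedded reference to a remotely hosted Flash (.swf) file.
# Added example; the regex, the UTF-16LE trick and the sample bytes are
# assumptions made here, not indicators from the advisory.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container header

# http(s) URL whose path ends in .swf; lazy so a query string is not swallowed.
_SWF_URL = re.compile(rb"https?://[^\s\"'<>\x00]{1,200}?\.swf\b", re.IGNORECASE)

# Constructed sample: OLE header, a UTF-16LE URL (how Word stores text) and
# an ASCII URL with a query string, separated by line breaks.
SAMPLE_DOC = (
    OLE_MAGIC + b"\x00" * 16
    + "http://example.invalid/benefits.swf".encode("utf-16-le") + b"\r\n\x00\x00"
    + b"junk http://files.example.invalid/update.swf?v=1 more"
)


def is_ole_document(data: bytes) -> bool:
    """True if the bytes start with the OLE compound-file signature."""
    return data.startswith(OLE_MAGIC)


def _strip_utf16le(data: bytes) -> bytes:
    # Drop the NUL that UTF-16LE places after each ASCII code unit so that
    # b"h\x00t\x00t\x00p\x00" becomes b"http" and the regex can match it.
    return data.replace(b"\x00", b"")


def find_remote_swf_refs(data: bytes) -> List[str]:
    """Return every remote .swf URL found in the raw bytes or their UTF-16LE form."""
    hits = set()
    for blob in (data, _strip_utf16le(data)):
        for m in _SWF_URL.finditer(blob):
            hits.add(m.group(0).decode("ascii", "replace").lower())
    return sorted(hits)


def triage(data: bytes) -> Dict[str, object]:
    """Flag an OLE document that points at a remote Flash file for analyst review."""
    refs = find_remote_swf_refs(data)
    return {"ole": is_ole_document(data), "remote_swf_refs": refs,
            "suspicious": is_ole_document(data) and bool(refs)}


if __name__ == "__main__":
    print(triage(SAMPLE_DOC))
```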

So far we have identified multiple targets across manufacturers of products used by the defense industry, but this is likely to change in the coming days.

Some of the subject lines observed in this campaign:

  • [EMAIL USERNAME], The disclosure of [REDACTED] secret weapon deals with the Middle East
  • [EMAIL USERNAME], I heard about the consolidation of [REDACTED], is that true?
  • [COMPANY NAME] is in the unpromising situation after acquisition by [COMPANY]
  • Invitation Letter to [REDACTED] 2012
  • some questions about [REDACTED]
  • China-Russia Joint Military Exercises
  • FOR more information

A sampling of file names for the documents used in this campaign:

  • Consolidation Schedule.doc
  • [COMPANY NAME REDACTED].doc
  • [REDACTED] Invitation Letter to [REDACTED] 2012
  • questions about your course.doc
  • military exercise details.doc

When the user opens the malicious document, the vulnerability is exploited in the background while a decoy document is displayed to the end user. The malware authors created several such decoy documents. Some used scraps of information from public press releases and some were written with the pretext of inviting the recipient to conferences. Others contained random data.

The malicious files we have observed so far are contacting servers hosted in China, Korea, and the United States to acquire the necessary data to complete the exploitation. This attack is targeting Adobe Flash Player on Internet Explorer for Windows only.

We have seen many of these files circulating in the wild, therefore we advise users to keep their security solutions up to date, and update to the latest version of Flash Player as quickly as possible.

Everyone Has Been Hacked. Now What?

Oak Ridge National Laboratory was hit by a targeted hacker attack in 2011 that forced the lab to take all its computers offline. Photo: Oak Ridge National Laboratory

The attackers chose their moment well.

On Apr. 7, 2011, five days before Microsoft patched a critical zero-day vulnerability in Internet Explorer that had been publicly disclosed three months earlier on a security mailing list, unknown attackers launched a spear-phishing attack against workers at the Oak Ridge National Laboratory in Tennessee.

The lab, which is funded by the U.S. Department of Energy, conducts classified and unclassified energy and national security work for the federal government.

The e-mail, purporting to come from the lab’s human resources department, went to about 530 workers, or 11 percent of the lab’s workforce.

The cleverly crafted missive included a link to a malicious webpage, where workers could get information about employee benefits. But instead of getting facts about a health plan or retirement fund, workers who visited the site using Internet Explorer got bit with malicious code that downloaded silently to their machines.

Although the lab detected the spear-phishing attack soon after it began, administrators weren’t quick enough to stop 57 workers from clicking on the malicious link. Luckily, only two employee machines were infected with the code. But that was enough for the intruders to get onto the lab’s network and begin siphoning data. Four days after the e-mails arrived, administrators spotted suspicious traffic leaving a server.

Only a few megabytes of stolen data got out, but other servers soon lit up with malicious activity. So administrators took the drastic step of severing all the lab’s computers from the internet while they investigated.

Oak Ridge had become the newest member of a club to which no one wants to belong – a nonexclusive society that includes Fortune 500 companies protecting invaluable intellectual property, law firms managing sensitive litigation and top security firms that everyone expected should have been shielded from such incursions. Even His Holiness the Dalai Lama has been the victim of an attack.

***

Last year, antivirus firm McAfee identified some 70 targets of an espionage hack dubbed Operation Shady RAT that hit defense contractors, government agencies and others in multiple countries. The intruders had source code, national secrets and legal contracts in their sights.

Source code and other intellectual property were also the target of hackers who breached Google and 33 other firms in 2010. In a separate attack, online spies siphoned secrets for the Pentagon’s $300 billion Joint Strike Fighter project.

Then, last year, the myth of computer security was struck a fatal blow when intruders breached RSA Security, one of the world’s leading security companies that also hosts the annual RSA security conference, an august and massive confab for security vendors. The hackers stole data related to the company’s SecurID two-factor authentication systems, RSA’s flagship product that is used by millions of corporate and government workers to securely log into their computers.

Fortunately, the theft proved to be less effective for breaking into other systems than the intruders probably hoped, but the intrusion underscored the fact that even the keepers of the keys cannot keep attackers out.

Sanctions, Legal Fees Piling Up for Man Claiming Facebook Ownership

The man who claims a 50 percent stake in Facebook was ordered Thursday to pay the social-networking site’s attorneys an additional $16,851, bringing to nearly $97,000 in sanctions and fees a federal judge has levied against Paul Ceglia in a bizarre lawsuit over the company’s origins.

The order from U.S. Magistrate Leslie Foschio comes in a lawsuit Ceglia brought against Mark Zuckerberg, Facebook’s chief. Ceglia claims a 2003 contract between him and Zuckerberg, allegedly crafted while Zuckerberg was a Harvard University student, promised him half of the company. It’s a contract that Zuckerberg and Facebook’s forensic experts have maintained is forged.

The $97,000 likely means little to Facebook monetarily as it is preparing for a $100 billion IPO that could net Zuckerberg $1 billion. But Facebook has shown no sign that it is willing to pay Ceglia to go away — as it did with the Winklevoss twins who accused Zuckerberg of stealing their idea after they hired him to help code their own social network.

The sanctions and fees (.pdf) against Ceglia began piling up in January, when a judge ordered the Buffalo wood-pellet salesman to pay $5,000 for stonewalling an order to provide his passwords to e-mail accounts so Facebook’s forensics experts could examine them. Facebook’s investigators say those accounts included an original engineering contract between the two that didn’t involve Facebook.

Along with the original $5,000 sanction, a judge tacked on an additional $75,776, at Facebook’s request, to pay for Facebook’s legal bills while trying to enforce the original order that Ceglia produce his e-mail and passwords.

Adding salt to a wound, Magistrate Foschio on Thursday added another $16,851 to the tab (.pdf), for Facebook’s expenses “incurred preparing and defending the initial fee application.”

Ceglia has two weeks to pay the money, or to provide his tax returns and financial statements proving he can’t afford it.

FBI Wants Backdoors in Facebook, Skype and Instant Messaging

The FBI has been lobbying top internet companies like Yahoo and Google to support a proposal that would force them to provide backdoors for government surveillance, according to CNET.

The Bureau has been quietly meeting with representatives of these companies, as well as Microsoft (which owns Hotmail and Skype), Facebook and others to argue for a legislative proposal, drafted by the FBI, that would require social-networking sites and VoIP, instant messaging and e-mail providers to alter their code to make their products wiretap-friendly.

The FBI has previously complained to Congress about the so-called “Going Dark” problem – the difficulty of doing effective wiretap surveillance as more communications have moved from traditional telephone services to internet service companies.

Under the Communications Assistance for Law Enforcement Act, or CALEA, passed in 1994, telecommunications providers are required to make their systems wiretap-friendly. The Federal Communications Commission extended CALEA in 2004 to apply to broadband providers like ISPs and colleges, but web companies are not covered by the law.

CNET reports that in addition to this push from the FBI, the Federal Communications Commission may be looking at reinterpreting CALEA to demand that video and non-telephone-replacement VoIP products such as Skype and Xbox Live be modified to include backdoors that allow FBI surveillance.

The news comes on the heels of another FBI plan that began kicking around in 2010 that would require backdoors in encrypted communication systems. That proposal, which would revisit the encryption wars of the 1990s, has failed to gather administration backing.