Unpatched Mac bug gives attackers “super user” status by going back in time

Researchers have made it easier to exploit a five-month-old security flaw that allows penetration testers and less-ethical hackers to gain nearly unfettered "root" access to Macs over which they already have limited control.

The authentication bypass vulnerability was reported in March and resides in a Unix component known as sudo. While the program is designed to require a password before granting "super user" privileges such as access to other users' files, the bug makes it possible to obtain that sensitive access by resetting the computer clock to January 1, 1970. That date is known in computing circles as the Unix epoch, and it represents the beginning of time as measured by the operating system and most of the applications that run on it. By invoking the sudo command and then resetting the date, computers can be tricked into turning over root privileges without a password.

Developers of Metasploit, an open-source software framework that streamlines the exploitation of vulnerabilities in a wide array of operating systems and applications, recently added a module that makes it easier to exploit the sudo vulnerability on Macs. The addition capitalizes on the fact that all versions of OS X from 10.7 through the current 10.8.4 remain vulnerable. While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes, thanks to the systemsetup binary.

Hacker pleads guilty to charges he sold “magic passwords” to sensitive networks

A Pennsylvania man has pleaded guilty to charges stemming from a scheme to hack into sensitive computer networks operated by the University of Massachusetts-Amherst and other sensitive organizations and then sell "magic passwords" providing backdoor access to others.

Andrew James Miller, 23, of Devon, Pennsylvania, pleaded guilty to one count of conspiracy and two counts of computer intrusion, a press release issued Tuesday by the Justice Department said. Court records show a plea agreement in the case was entered on July 15. He faces a maximum penalty of 20 years in prison at sentencing, which is scheduled for November 19.

According to an indictment filed in Massachusetts federal court in June 2012, Miller and other members of a hacking group called the Underground Intelligence Agency hacked into networks and installed backdoors that provided almost unfettered "root" access to anyone who possessed the "magic passwords." He then sold access to the magic passwords and advice on how intruders could avoid being detected. In some cases he also sold lists containing hundreds of usernames and passwords that provided root access. In addition to the University of Massachusetts, affected organizations included Massachusetts-based RNK Telecommunications and Crispin Porter and Bogusky, an advertising and digital agency in Colorado.

Francophoned – A Sophisticated Social Engineering Attack

In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.

The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in Ukraine. Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files. 

These tactics, an email followed up by a phone call in perfect French, are highly unusual and are a sign of aggressive social engineering. In May 2013, Symantec Security Response published details on the first attacks of this type targeting organizations in Europe. Further investigation has revealed additional details of the attack strategy; the attacks are financially motivated and continue to this day.


Aggressive tactics

Many organizations and their banks employ defenses to prevent unauthorized money transfers. However, the attackers exercised additional aggressive social engineering tactics to defeat each of the defensive practices. For example, in one instance:

  • The attacker initially compromised systems within an organization using their RAT.
  • Once the systems were infected with the RAT, the attacker retrieved identifying information, including disaster recovery plans, of the organization’s bank and telecom providers, its points of contact with both providers and its bank and telecom account data.
  • Using this data, the attacker was able to impersonate a company representative and called the organization’s telecom provider. They proved their authenticity to the telecom provider, claimed that a physical disaster had occurred and said that they needed all of the organization’s phone numbers to be redirected to attacker-controlled phones.
  • Immediately following the phone number redirection, the attacker faxed a request to the organization’s bank, requesting multiple large-sum wire transfers to numerous offshore accounts.
  • As this was an unusual transaction, the bank representative called the organization’s number on record to validate the transaction. This call was redirected to the attacker who approved the transaction.
  • The funds were successfully transferred to multiple offshore accounts, which were subsequently laundered further through other accounts and monetary instruments.

In another case, the attacker needed to use a proprietary in-house system to transfer funds that employed a two-factor hardware dongle. In this operation:

  • The attacker, who was impersonating IT staff, called the victim and informed them that some system maintenance was required on the fund transfer system. 
  • They convinced the victim that, due to customer privacy reasons, the monitor needed to be turned off while they performed the task.
  • While the monitor was off, the attacker used the in-house system to transfer large sums of money to offshore accounts using the victim’s existing and active access to the system.

In yet another instance, the attackers didn’t utilize any malware at all. In this operation:

  • The attacker impersonated a bank employee and sent an email to an actual bank employee, in impeccable French, mentioning that the bank’s computer systems were being upgraded.
  • The following day the attackers called the email recipient, claiming to be working for the same bank, and requested a ‘test’ wire transfer.
  • The ‘test’ wire transfer led to money being sent to an offshore account.


Victims

Based on investigations into the attack, there were several different French-based organizations that were affected. The attacker’s goal was to wire funds from the accounting or equivalent department within the company to an offshore account.

Figure 1. Industries targeted by Operation Francophoned

In most cases, the first victim was an administrative assistant or accountant within the organization. In cases where the initial victim did not have rights to wire funds, the attacker used the victim’s credentials to identify an employee within the accounting department that had this authority. The attacker then conducted further social engineering activities to compromise that individual’s computer.


Attacking on the move

By examining emails and C&C traffic, we were able to determine that the attacker is located in, or routing their attacks through, Israel. The originating IP addresses in Israel, however, are unusual, as they are within a netblock for mobile customers of an Israeli telecom company. Furthermore, by performing traffic analysis, we were able to determine that the attacks are indeed originating from a mobile network and, crucially, that the attacker is using mobile Wi-Fi hotspots.

Figure 2. Operation Francophone C&C traffic

Mobile Wi-Fi hotspots act like GSM cellular radios (equivalent to a GSM phone) that can provide Internet access to a computer system through the mobile phone network. This potentially provides anonymity for the attacker if the GSM SIM card for the mobile Wi-Fi hotspot is purchased in cash at a bazaar or private sale. Many 3G providers around the world allow the purchasing of a prepaid data plan without verifying the identity of the buyer. As a result, telecom records will not lead to an individual. 

Even more surprising, the traffic analysis indicates that the attacker was on the move when they were conducting the attacks. These operational security techniques make the attacker extremely difficult to trace. The use of such a technique for cybercrime illustrates the increasingly sophisticated techniques that attackers employ. Finding a moving mobile Wi-Fi hotspot requires active on-the-ground on-call personnel with special equipment and the telecom provider’s assistance to triangulate its location.

Francophoned is a good example of how cybercriminal operations are becoming increasingly sophisticated, a trend that is likely to continue in the future.

Symantec would like to thank the Computer Emergency Response Team of Ukraine (CERT-UA) for their assistance with this research.