About these ads


Posts Tagged ‘Flame’

June 2012 Cyber Attacks Timeline (Part II)

July 5, 2012 1 comment

Part I (1-15 June) at this link

From an information security perspective, the second half of June has been characterized by the hacking collective UGNAZI (and its members) and also by an individual hacker: .c0mrade AKA @OfficialComrade.

Both entities have left behind them a long trail of Cyber Attacks against different targets (in several cases the real extent of the attack is uncertain) and with different techniques, although it is likely that the UGNAZI collective will be forced to change the plans after the arrest of the group’s leader, JoshTheGod, nearly at the end of the month (27thof June), effectively they have considerably reduced the rate of their cyber attacks in the second part of the analyzed period.

On the other hand, hospitals, banks, several major airlines are only few examples of the preys fallen under the attacks carried on by .c0mrade. Plese notce that from  Cyber Crime perspective,  is also interesting to notice the High Roller Operation, a giant fraud against the banking industry, unmasked by McAfee.

Needless to say, the Cyber War front is always hot, most of all in Middle East, were several DDoS attacks targeted some Israeli institutions and, most of all, an alleged unspecified massive Cyber Attack targeted tje Islamic Republic of Iran.

The hacktitic landscape is completely different: maybe hacktivists have chosen to go on vacation since June 2012 has apparently shown a decreasing trend, in sharp contrast with an year ago, when the information security community lived one of its most troubled periods.

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timeline.

Read more…

About these ads
Categories: Cyber Attacks Timeline, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Middle East Cyber War Reloaded

I have just received an email from the israeli hacker dubbed you-ri-k@n providing me with some details about a peculiar Cyber Attack against an Iranian news web site. Looks like you-ri-k@n has a kind of predilection for Iran: you will probably remember him for his last cyber attack (nearly a couple of months ago) targeting the Iranian Meteorological Organization.

This time the victim is the Islamic Republic Of Iran Broadcasting World Service, whose main page currently shows a fake news reporting the death of Mahmoud Ahmadinejad, the sixth and current President of the Islamic Republic of Iran, in a plane crash.

Click To Enlarge

Clicking on the “News” button redirects the user to an image where (few) additional details about the fake incident are provided:

Few days ago, with the flame still burning, Iranian officials claimed to be under the fire of a massive cyber attack. Of course this isolated episode may not be compared with Stuxnet or The Flame, nevertheless it shows that, even if in a microscopic scale, the cyber tension between the two countries is still high.

The Flame Burning Inside Stuxnet

June 12, 2012 1 comment

While the U.S. and Israel keep on mutually claiming the Stuxnet’s paternity, Kaspersky Lab has unveiled further details about Flame that allow to connect it with the infamous malware targeting Iranian Nuclear Plants.

Are the two 21st century Cyber Weapons really correlated? Due to some architectural differences, the first data seemed to exclude any similarities between the two platforms: the so-called Tilded platform which Stuxnet and Duqu are based on, and the brand new platform from which Flame has been developed. In any case never trust appearances, as a small detail dating back to 2012 has unveiled a landscape that seems completely different from what was previously believed, which suggests the hypothesis that the Stuxnet malware had a kind of “proto flame” inside.

The Cyber Spy Story begins in October 2010 when the automated systems by Kaspersky Lab detected a False (Stuxnet) Positive. This sample apparently looked like a new variant (Worm.Win32.Stuxnet.s) but a deeper analysis showed (then) no apparent correlation with Stuxnet so it was subsequently dubbed Tocy.a.

Only two years later, in 2012, after the discovery of Flame, the russian security firm started to compare the brand new malware with previously detected samples to find any similarities. And guess what? The nearly forgotten Tocy.a was nearly identical to Flame. A further check to logs, allowed to discover that the Tocy.a, apparently an early module of  Flame, was actually similar to “resource 207” from Stuxnet, and this similarity was the reason why the automatic system had previously classified it as Stuxnet.

Resource 207 is a 520,192 bytes Stuxnet encrypted DLL file that contains another PE file inside (351,768 bytes). It was found in the 2009 version of Stuxnet, despite it was dropped in the 2010 evolution, with its code merged into other modules. The PE file is actually a Flame Plugin, while the purpose of Resource 207 on the 2009 variant of Stuxnet was just to allow the malware propagation to removable USB drives via autorun.inf, as well as to exploit a then-unknown vulnerability (MS09-025) to escalate privileges in the system during the infection from USB drive.

Given the evidences collected, researchers suggests that, although Flame has been discovered a couple of years after Stuxnet, it was already in existence when Stuxnet was created (Jan-Jun 2009), having already a modular structure. The “Resource 207″ module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (vulnerability MS10-046), while the Flame module in Stuxnet exploited a vulnerability which was unknown then, allowing an escalation of privileges, presumably exploiting MS09-025.

Part of the Flame code was used in Stuxnet despite, after 2009, the evolution of the Flame platform continued independently from Stuxnet.

Probably, this is the second important discovery about Flame after the MD5 Collision Attack, which enabled to malware to hide the download of its own modules behind Windows Updates.

Regarding the MD5 Collision Attack, I suggest you to have a look at this very interesting presentation. You will be amazed in discovering that the first successful demonstration of this attack took, in 2008 (the alleged year in which Flame was created), about 2 days on a cluster of 200 PS3s (corresponding to about $20k on Amazon EC2). Together with the complexity of the attack, this aspect is enough to suggest a state-sponsored origin for the malware (i.e. the need of huge resources and know-how). But there’s more: to make the MD5 Collision Attack successful in Flame, the Attackers, had to overcome a huge obstacle corresponding to prediction the Serial Number of the Certificate (which is based on a sequential certificate number and the current time). Nothing strange apparently, except for the fact that they had a 1-millisecond window to get the certificate issued. What does this mean in simple words? A large number of attempts required to get the certificate issued at the right moment, an effort 10-100x more costly that the original MD5 Collision Attack Demonstration.

Now I understand why the Iran Cyber Warfare Budget is estimated to be “only” USD 100 Million

The 2010 Olympic Games

Two months again and the World will assist to the 2012 London Olympic Games. Unfortunately the same is not true for Information Security Professional for which the Olympic Games have started approximately two years ago in Iran, more exactly during the summer of 2010 when the infamous malware Stuxnet (the first 21st Century Cyber Weapon) became public, unleashing its viral power to the entire World.

Apparently Olympic Games have nothing to deal with Stuxnet… Only apparently since “Olympic Games” is just supposed to be the code-name of the cyber operation,  begun under the Bush administration and accelerated by Mr. Obama, aimed to build the first Cyberweapon targeting the Iranian Nuclear Facilities. This is in few words the genesis of Stuxnet, at least according to a controversial article published by The New York Times, which anticipates a book on the same argument by David E. Sanger (Confront and Conceal, Obama’s Secret Wars and Surprising Use of American Power), and which is generating a comprehensible turmoil.

Of course many words have been spent on the argument and probably (too) many will be spent as Stuxnet has not proven to be an isolated case. Moreover (is this a coincidence?) these revelations of the NYT came out in the aftermath of the discovery of the Flame Malware which is further fueling the tension in Middle East and, if officially confirmed, could set a potentially dangerous precedent for other countries looking to develop or expand their own clandestine cyber operations.

I think I cannot give any useful contribution to the debate, if not a humble suggestion to read this interesting interview to F-Secure CRO Mykko Hypponen who explains the reason antivirus companies like his failed to catch Flame and Stuxnet… If really the alleged NYT revelations will encourage other countries to enhance their cyber arsenal, there is much to be worried about, even because the 21st century cyber weapons have shown, so far, a clear attitude to escape from the control of their creators.

Israel Blamed for Fueling the Flame Cyber Weapon in Middle East

The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) has been developed by a government with significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, easily predictable, Israel is listed as the main culprit, even if in good company if it is true, as argued by some bloggers, that the malware was created by a strict cooperation coproduction between  CIA and Mossad.

Israeli vice Premier Moshe Ya’alon has contributed to fuel the Flame: speaking in an interview with Army Radio, Ya’alon has hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not appear a simple coincidence the fact that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations who may not be just considered in good neighborhood relations with Israel.

Consequantly it is not that surprise the fact that the same interview has been readily reported by the Iranian News Agency Fars (which has interpreted it as a sign of liability and has hence blamed Israel for waging cyber war in Iran) as well as it is not that surprise the tone of several comments to an article posted on the Haaretz newspaper’s Web site (“Nice One Israel, Proud of You!!!!”).

Of course it is too soon to jump to conclusion,in any case, whether Israel (and U.S.) is behind Flame or not, I could not help but wonder how it is possible that a malware has been able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?

If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

A Flame on the Cyberwarfare Horizon

May 28, 2012 6 comments

Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare for maintaining peace, a new cyber threat appears, which is destined to leave an indelible mark on the cyber weapons’ landscape.

Today is one of those days that the Infosec Community will remember for a long time. It looks like the mystery of the malware targeting the Iranian Oil business a month ago has come to a solution, and it is not that kind of conclusion we would have hoped and expected.

Nearly in contemporary Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have unleashed details of what has been defined (arguably) the most complex malware ever found.

The malware, which has been dubbed Flame (Kaspersky), or sKyWIper (CrySyS Lab), or also Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:

  • The Cyber Weapon Malware is a sophisticated attack toolkit, It is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky its development has taken a couple of years and it will probably take year to fully understand the 20MB of code of Flame.
  • According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
  • Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
  • Flame owns many capabilities, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
  • The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet and maybe it is the reason why it wasn’t discovered for so long);
  • Flame includes a piece of code (about 3000 lines) written in LUA, a not so common occurrence for malware;
  • Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
  • Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that trigger the infection when this directory is opened);
  • Flame may also replicate via local networks using the following:
    1. The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI;
    2. Remote jobs tasks.
    3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
  • So far no 0-day vulnerabilities have been found, despite the fact that some fully-patched Windows 7 installations have been compromised, might indicate the presence of high-risk 0-days.

With no doubt a beautiful piece of malware written with the precise intent of Cyber-Espionage. Besides the resounding features of the malware, I found particularly interesting the same infection mechanism used by Stuxnet, that make me think of (another) possible double agent implanting the first infection.

This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:

The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.


Get every new post delivered to your Inbox.

Join 2,705 other followers