September 16, 2014 / Vadim Kotov

Pirates of the Internetz: The curse of the waterhole


Last week the Bromium Labs team was contacted by a Fortune 1000 customer that detected an interesting attack via one of their installed LAVA sensors. We get such events frequently from our customers; however, this attack was a bit different. It was a classic waterhole attack targeting potential visitors to the website of a technology startup in the Oil and Gas sector. Interestingly, the attack occurred days after the company announced a sizable funding grant. It’s likely that the attackers were expecting more traffic to the website and hoped to increase their chances of a successful infection. The names of the companies involved are redacted; both have confirmed that the infection has been remediated and that no sensitive information was leaked.

Attacks on the ONG sector are not new and attacks targeting companies in this sector might be premeditated. Bromium Labs is working with the target and we’ll update the blog if there’s any significant development.

The event we received was dated 09/04/2014. The alert produced the following malware graph, which confirms the infection at a glance:

LAVA Graph

After analyzing the captured forensic evidence, we found some interesting traits.


August 11, 2014 / Rafal Wojtczuk

Black Hat USA 2014 talk about hypervisor security

This week I presented at Black Hat USA. The talk is titled “Poacher turned gatekeeper: lessons learned from eight years of breaking hypervisors”. The main points were:

  • Describe the attack surface of Type 1 and Type 2 hypervisors
  • Show that despite not being 100% bulletproof, hypervisors are still the best usable way to isolate potentially malicious code
  • Describe a few generic methods to harden a hypervisor
  • Discuss four new VirtualBox vulnerabilities
  • Discuss DMA attacks against DeepSafe

The whitepaper is here, enjoy.

July 31, 2014 / Tom Sutcliffe

Remote code execution on Android devices

Tom Sutcliffe and Thomas Coudray

You walk into a coffee shop and take a seat. While waiting for your coffee, you take out your smartphone and start playing a game you downloaded the other day. Later, you go to work and check your email in the elevator. Without you knowing, an attacker has just gained a foothold in your corporate network and is steadily infecting all your colleagues’ smartphones too.

Wait, what?

We don’t talk about Android much here on the Bromium Labs Blog, but now and again we like to tinker. Recently my colleague Thomas Coudray and I have been looking at an Android remote code execution vulnerability to see how much of a problem it is in real-world usage.

While privilege-escalation techniques are common on Android (and form the basis for the common practice of ‘rooting’ a device), remote code execution is a rarer and much more dangerous type of vulnerability. It allows an attacker to run code of their choosing on a user’s device without their knowledge or permission. This bug was particularly interesting because it appeared to still be exploitable even on a fully-patched latest-model Android device, a full 18 months after it was fixed. We wanted to see if this was true and if so, how much effort was required to exploit it. We found that the scenario described above is an all-too-real possibility.


July 22, 2014 / Br Labs

H1 2014 Endpoint Exploitation Trends

The Bromium Labs team got together and came up with a summary of notable exploitation trends that we observed in the first 6 months of 2014. There were some interesting takeaways:

- Internet Explorer hit a historic high in the number of security patches issued in over a decade, and that feat was accomplished in the first 6 months of 2014!

- As the time between releases of the latest Internet Explorer shrinks, the time between security patches has shrunk too. Expect more to come.

- In 2013, Oracle Java was labeled the notorious king for malware authors and zero day attacks, and exploit kits had a field day with it. Notably, there were no reported zero day exploits targeting Java in H1 2014.

- Adobe Flash continued to be exploited by zero days and also provided attackers with new avenues to exploit the browser (Internet Explorer).

- Attackers developed novel ways to attack browsers, leveraging ‘Action Script Spray’ to bypass ASLR. This was used by several zero day exploits in the wild.


It’s evident that attackers continue to shift focus between ubiquitous internet-facing applications, but there’s a common theme throughout – attacking the end users. Will Java attacks continue to decline this year? Will attackers continue to focus on exploiting Internet Explorer? We’ll soon find out.


The full report is available to download here.



June 10, 2014 / Br Labs

Chrome dances with wolves

  “Lasker does not play chess, he plays dominoes.” – David Janowski, 1910

Alice sees her “browser” as the computer, not the network or operating system. This trend will only get stronger as BYOD takes hold. We’re in a brave new world, where traditional security models based on clear boundaries break down. Modern browsers’ cornerstone security approach, same-origin policy, entails significant complexity and controls only a limited subset of cross-domain interactions. Highly granular isolation within this context ends up breaking existing web-apps. In an odd way, one can see flashbacks and parallels to the old MS-DOS era.

Google Chrome is tipped for primacy as the definitive web browser. Google was among the first to deploy separate protection domains that made it more difficult, and perhaps more exciting, for Eve. The Chromium architecture assigns the browser kernel to interact with the underlying OS on behalf of the user, while its rendering engine deals with “the web” from inside a high-quality sandbox. Thus, historically high-risk components such as the HTML parser, the JavaScript virtual machine, and the Document Object Model (DOM) became more difficult to leverage. Overall, Google’s browser is a strong candidate for secure browsing.

However, the state of the art in exploitation is now more dominoes than chess. Eve can bypass the sandbox via techniques ranging from kernel exploits to plugins to get to Alice. We now take a look at what happens with just a few tricks from an evergreen bag.

Let’s install the latest:


Alice then confidently proceeds to browse to her favorite videos. Unfortunately, Eve has compromised the site and planted an exploit with a custom payload. Conventional layers of defense including AV, sandboxes and firewalls fail to stop the attack:


If Alice was protected by vSentry, the attack would have been captured within a micro-VM. Her SOC team would then be able to trace Eve’s tracks via LAVA:


Perhaps, Chrome should dance with Bromium.

June 4, 2014 / Jared DeMott

Application Security Training

Training is an important part of the secure development lifecycle. It’s something EVERY security conscious organization should be engaged in. But good training that is relevant to your developers and testers, as well as to security engineers and researchers, is hard to find. That’s why I developed a full two day course called “Application Security: for Hackers and Developers”. In the course I cover the 4 pillars of application security: Code auditing, Fuzzing, Reverse Engineering, and Exploit Development. 5 years ago, when I realized there was no course that taught all 4 subjects in a balanced and deeply technical manner, I resolved to create one.

Over the last 4 years, I have offered the course to hundreds of students, who afterwards were equipped and energized to face their security threats and research goals. To give people a small taste of this course, I’ve partnered with BlackHat to offer a free 35min webinar on application security. The link to join the web training is here: The event happens on June 19th, 2014.

I hope you’ll join us for the webcast, and perhaps I’ll see you in Las Vegas for the next offering of the full, hands-on course:

The training is Aug 2-3 or Aug 4-5, 2014. Sign up, and keep securing your code!

May 27, 2014 / Vadim Kotov

CryptoDefense: The Ransomware Games have begun

If you see a text and/or HTML document on your Desktop called HOW_TO_DECRYPT with the following contents:

The CryptoDefense message

then you were unfortunate enough to be a victim of another crypto-ransomware. Recently, several of our field engineers encountered this piece of ransomware encrypting files on victim machines. This new ransomware is being distributed via Java drive-by-downloads, and it’s likely that more victims could be targeted with this new attack vector. We were able to capture the sample inside a micro-VM implemented in our product, so we have all the files and traffic involved in the attack. This allows us to skip the Java exploit and 1st layer dropper for now and focus on the actual malware dropped. If we find something noteworthy in other parts of the attack we’ll post a follow up article.
