aka wow on ZATAZ.com
Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack And More
Since the release of MSA-2794220 by Microsoft, regarding the CVE-2012-4792 vulnerability, a Fix-it solution has been provided KB2794220. I urgently advise you to apply this Fix-it solution, or to use another browser, until the release of the final patch surely planned for the 8 January Microsoft Patch Tuesday.
I have some interesting and funny additional information’s regarding the CFR watering hole attack, and I would like to share them with you. But previously I recommend you to read the following analysis done by security companies or independent security researchers:
- “CFR WATERING HOLE ATTACK DETAILS“ from FireEye has been completed with additional information’s.
- “Internet Explorer Zero-Day Used in Watering Hole Attack: Q&A” from Symantec is also a pleasure to read.
- “CVE-2012-4792 – Analysis of today.swf” from StopMalvertising provide also interesting information’s.
Let’s start with the analysis of only two samples, “news_14242aa.html” and “Helps.html“. These two samples are quiet interesting, and a complete blog post is enough for them. I will analyze the other samples in dedicated further blog posts.
news_14242aa.html (545cb268267609910e1312399406cdbc)
This sample was extracted from Google cache with a cache date of 7 Dec 2012 14:12:28 GMT. This sample clearly demonstrate that the compromise of CFR.org wasn’t the 20, or 21 December as mentioned by security companies or medias, but really sooner. The proof is still indexed and in cache of Google.
Helps.html (a25c13d4edb207e6ce153469c1104223)
I received this sample, around the 29 December. This file is the equivalent of the first sample but with some modifications, you can see the differences in the following online diff. Additional languages have been added (jp – ru – ko), all the stuffs regarding Microsoft Office documents have been removed (boy or girl), some additional “blank” locations have been added and the body text has been hide.
Now, if you do research on VirusTotal with this MD5, you can find a relate sample, but with another filename “config.html” who was submitted the 2012-12-31 18:29:47 UTC. Looks like interesting, but has to be confirmed.
If you execute a request on urlQuery in order to search all “config.html” file for the last past month, you will discover a submission, dating from 2012-12-29 22:58:29, for URL “http://www.capstoneturbine.com/_include/config.html” on server 74.62.198.72. If you take a look at the urlQuery report you can see some “deployJavaPlugin” strings.
The Capstone Turbine Corporation company description, make me believe that this company profile could be a choice of quality for targeted attack:
Capstone Turbine Corporation ® is the world’s leading producer of low-emission microturbine systems, and was first to market with commercially viable microturbine energy products. Capstone Turbine has shipped thousands of Capstone MicroTurbine systems to customers worldwide.
By doing a Google dork research “site:capstoneturbine.com “_include”” you can see something strangely similar to CFR.org “news_14242aa.html“ file.
This page is also cached in google cache, and guess what ? Ho, Ho Ho, CVE-2012-4792 is in the house since the 18 December 16:10:40 GMT. So CFR.org was and is not the only target of this attack !
Now we will try to define the date of compromise of Capstone Turbine Corporation through research on Google by another google dork ““capstoneturbine.com” “_include”“. And we can find some interesting informations 
On support.clean-mx.de we can discover that the same “/_include/config.html” URL was indexed since 2012-09-19 04:31:01. But what is awesome is the evidence attached to this submission hoho it is CVE-2012-4969 I discovered in September 
“Grumgog.swf” is in the house.
My conclusions are:
- CFR.org was comprised since minimum beginning December.
- CVE-2012-4792 was present on CFR.org since minimum beginning December.
- CVE-2012-4792 was also used to target visitors of another company named Capstone Turbine Corporation.
- CVE-2012-4792 was present on Capstone Turbine Corporation since minimum 18 December.
- Capstone Turbine Corporation was also used to spread CVE-2012-4969 and this since mid-September.
- Potentially Capstone Turbine Corporation is compromised since minimum beginning September
- Potentially the guys behind CVE-2012-4969 and CVE-2012-4792 are the same.
But, there is always a but in a story, take a look at the first submission for Capstone Turbine Corporation in August, “http://www.capstoneturbine.com/_flash/videos_native/exploit.html “. Imagine
Update 1 – 2013-01-02 1:30 am:
Jindrich Kubec director of Threat Intelligence at avast! confirm presence of CVE-2012-4969 in September on Capstone Turbine Corporation.
@eromangI wrote to Capstone Turbine on 19th Sep about the Flash exploit stuff they were hosting. They never replied. And also not fixed
— Jindrich Kubec (@Jindroush) Janvier 2, 2013
I recommend you to read these related posts
[...] Eric Romang said that Capstone Turbine Corp., which builds power generation equipment for utilities, has been [...]
[...] last month on the CFR.org and Capstoneturbine.com, according to a variety of researchers (including Eric Romang and those from the FireEye Malware Research Lab). Such “watering hole” attacks get [...]
[...] Microsoft has acknowledged in an advisory that the vulnerability has been used in a limited number of targeted attacks. At least one other organization, Chatsworth, Calif.-based microturbine systems supplier Capstone Turbine Corp., had its website compromised to take advantage of the bug, security researcher Eric Romang has in a blog post. [...]
[...] http://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-h… [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang found that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang found that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang found that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang found that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang found that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] last month on the CFR.org and Capstoneturbine.com, according to a variety of researchers (including Eric Romang and those from the FireEye Malware Research Lab). Such “watering hole” attacks get [...]
[...] last month on the CFR.org and Capstoneturbine.com, according to a variety of researchers (including Eric Romang and those from the FireEye Malware Research Lab). Such “watering hole” attacks get [...]
[...] außerdem konnte dort der Angriff bis zum 7. Dezember zurück verfolgt werden. Auch laut Eric Romang war die CFR-Website mindestens schon am 7. Dezember kompromittiert (sein Beweis: Googles Cache). [...]
[...] in the attacks, which targeted the websites of U.S.-based Council on Foreign Policy, as well as Capstone Turbine Corp. But a new Metasploit module using the bug makes attacks more likely against multiple targets, [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang detailed that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] Researcher Eric Romang wrote about another website that was found to be hosting the latest Internet Explorer zero-day,” [...]
[...] hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang detailed that microturbine systems producer Capstone Turbine was also a victim since at least December 18. [...]
[...] Romang, a Luxembourg-based security researcher, reported that he traced the same software used in the CFR watering hole attack to capstoneturbine.com. He [...]
[...] Explorer 6, 7, and 8 are vulnerable to remote code execution hacks. According to researcher Eric Romang, CFR watering hole attack (CVE-2012-4969 and CVE-2012-4792) has also target Capstone Turbine [...]
[...] was hosting malicious content as early as December 21. This week, security researcher Eric Romang, detailed that microturbine systems producer Capstone Turbine was also a victim since at least December [...]
[...] Romang, a Luxembourg-based security researcher, reported that he traced the same software used in the CFR watering hole attack to capstoneturbine.com. He [...]
[...] was hosting malicious content as early as December 21. This week, security researcher Eric Romang, detailed that microturbine systems producer Capstone Turbine was also a victim since at least December [...]
[...] was hosting malicious content as early as December 21. This week, security researcher Eric Romang, detailed that microturbine systems producer Capstone Turbine was also a victim since at least December [...]
[...] A slightly different variant of the attack code used on the CFR website was served from capstoneturbine.com, the website of Capstone Turbine, since at least Dec. 18, Romang said Wednesday in a blog post. [...]
[...] A slightly different variant of the attack code used on the CFR website was served from capstoneturbine.com, the website of Capstone Turbine, since at least Dec. 18, Romang said Wednesday in a blog post. [...]
[...] culprits in a attacks, that targeted a websites of U.S.-based Council on Foreign Policy, as good as Capstone Turbine Corp. But a new Metasploit module regulating a bug creates attacks some-more expected opposite mixed [...]
[...] Microsoft on Saturday acknowledged in an advisory that the vulnerability has been used in a limited number of targeted attacks. At least one other organization, Chatsworth, Calif.-based microturbine systems supplier Capstone Turbine Corp., had its website compromised to take advantage of the bug, security researcher Eric Romang said Wednesday in a blog post. [...]
[...] Eric Romang said that Capstone Turbine Corp., which builds power generation equipment for utilities, has been [...]
[...] first to isolate the script used to launch the drive by download attack used on the CFR web site. Writing on Wednesday, he said the compromise at Capstone predates the attack against the Council of Foreign Relations [...]
I’d like to resolve this, please contact me.
@eromang I wrote to Capstone Turbine on 19th Sep about the Flash exploit stuff they were hosting. They never replied. And also not fixed
@Jindroush @eromang Can you please contact me on this topic? We’d like to clean up whatever may be left over on Capstone’s site.