McAfee » Jim Walter (Blog Central, https://blogs.mcafee.com), feed retrieved Thu, 19 Feb 2015 22:21:34 +0000

McAfee Customers Protected from Regin Malware Since 2011
https://blogs.mcafee.com/mcafee-labs/mcafee-customers-protected-regin-malware-since-2011
Mon, 01 Dec 2014 11:00:24 +0000

"Protecting customers takes precedence over seeking headlines" was the title of a recent blog by our very own Christiaan Beek on the priorities of the team. Yet, within 72 hours, we were awoken with news of a recently discovered espionage campaign using a toolkit under the name of Regin.

McAfee is aware of the recent research papers on Regin. Regin is a remote access Trojan (RAT) able to take control of input devices, capture credentials, monitor network traffic, and gather information on active computer processes. McAfee products have detected and protected against the Regin malware samples mentioned in the report since 2011.

Indeed, based on the extensive work the team has conducted since we became aware of the threat a few years ago, we can confirm that, in addition to the filenames provided, the toolkit also uses the following:

  • Ser8UART.sys
  • abiosdsk.sys
  • floppy.sys
  • pcidump.sys
  • pciport.sys
  • qic117.sys

One particularly interesting element is the set of associated timestamps, which can be used to determine how long the threat has existed. As has been reported elsewhere[i], it was likely in existence as far back as 2006, but closer inspection suggests a considerably earlier date.

In terms of the malware itself, the driver file contains encrypted data, as highlighted below:

[Image 1: encrypted data in the driver file]

Decryption is achieved simply through XOR with a key:

[Image 2: XOR decryption with the key]

The important realization here is that this threat is not ‘new’ to us (or to most of the security industry, for that matter). We consider customer security and NDA/confidentiality agreements to be of the utmost importance. Our role as a trusted partner far outweighs any need or desire to ‘grab’ headlines.

We have ~40+ samples related to this threat. Like the rest of the industry, we lack the original stage 1 dropper, which limits our ability to fully dissect and analyze the malware in its proper running context, but we will continue to regularly update the understanding we formed in 2011. The same applies to all other threats that we continue to identify.

Basic IMPHash relationship diagram below:

[Image 3: basic IMPHash relationship diagram]
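The diagram referenced above links samples that share an import hash (IMPHash). As an added illustration, not code from the McAfee post and not real Regin data, the following Python computes the import hash the way the widely used convention (as implemented by pefile's get_imphash) does: module names are lowercased and stripped of .dll/.ocx/.sys, ordinal imports become "ordN", each entry becomes "module.function", the entries are comma-joined in import-table order, and the result is MD5-hashed. It then groups a constructed set of hypothetical samples by that hash, which is exactly the relationship such a diagram draws. The sample labels and import tables are constructed for this example.

```python
import hashlib
from collections import defaultdict

# Extensions that the common import-hash convention strips from a module name
# (this mirrors pefile's get_imphash; ".exe" is deliberately not stripped,
# so "ntoskrnl.exe" stays as-is).
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports):
    """Return the normalised string that is hashed to produce the import hash.

    `imports` is a list of (module_name, function) pairs in import-table order;
    `function` is a name (str) or an ordinal (int). Module names are lowercased
    and stripped of .dll/.ocx/.sys, functions are lowercased (ordinals become
    "ordN"), each pair becomes "module.function" and pairs are comma-joined.
    """
    parts = []
    for module, func in imports:
        module = module.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if module.endswith(ext):
                module = module[: -len(ext)]
                break
        func = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{module}.{func}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string: the IMPHash of a sample."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group sample labels by import hash; each group is one cluster of
    connected nodes in an IMPHash relationship diagram."""
    groups = defaultdict(list)
    for label, imports in samples.items():
        groups[imphash(imports)].append(label)
    return {h: sorted(labels) for h, labels in groups.items()}


# Constructed import tables for hypothetical driver samples (not real Regin data).
SAMPLES = {
    "sample_a.sys": [("ntoskrnl.exe", "ZwOpenKey"),
                     ("ntoskrnl.exe", "ExAllocatePool"),
                     ("HAL.dll", "KeGetCurrentIrql")],
    # Same imports as sample_a, only the casing differs: same IMPHash.
    "sample_b.sys": [("NTOSKRNL.EXE", "zwopenkey"),
                     ("ntoskrnl.exe", "exallocatepool"),
                     ("hal.dll", "kegetcurrentirql")],
    # Same imports in a different order: IMPHash is order-sensitive, so it differs.
    "sample_c.sys": [("ntoskrnl.exe", "ExAllocatePool"),
                     ("ntoskrnl.exe", "ZwOpenKey"),
                     ("hal.dll", "KeGetCurrentIrql")],
    # A user-mode component importing one function by ordinal.
    "sample_d.dll": [("kernel32.dll", "CreateFileW"), ("WS2_32.dll", 23)],
}


if __name__ == "__main__":
    for h, labels in cluster_by_imphash(SAMPLES).items():
        print(h, "->", ", ".join(labels))
```

Because the hash depends on the order of the import table, two builds with identical imports in a different order land in different clusters; that is why an IMPHash diagram is a fast first pass for relating samples from one toolchain, not a substitute for code-level comparison.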

As additional details emerge, we will continue to communicate across our standard channels.

[i] http://www.computerworld.com/article/2851513/traces-of-regin-malware-may-date-back-to-2006.html

Operation Dragonfly Imperils Industrial Protocol
https://blogs.mcafee.com/mcafee-labs/operation-dragonfly-imperils-industrial-protocol
Wed, 02 Jul 2014 19:52:54 +0000

Recent headlines (here and here) may have struck fear into those living near major energy installations due to references to the Stuxnet malware. In 2009, this particular strain of malware caused significant damage to the Natanz nuclear facility, reportedly destroying a fifth of Iran’s nuclear centrifuges. Recent reports about Operation Dragonfly, however, appear to be focused on espionage (at least for now), and the scope of the attack appears to be considerably broader than that of Stuxnet.

The various elements associated with Operation Dragonfly invite comparison with Operation Shady RAT, in which at least the first phase targeted specific individuals via email. Beyond the specifics of the operation, however, Operation Dragonfly raises very significant concerns regarding the safety of the systems that comprise our critical infrastructure, and in particular regarding the ever-growing supply chain.

This threat was covered in detail in the recently published book “Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure,” coauthored by Raj Samani and Eric Knapp, and edited by Joel Langill. The espionage from Dragonfly could lead to another attack. In the book the authors write: “the SCADA and automation systems within the grid also provide a blueprint to the inner workings of the grid operations. This is valuable intellectual property that could be used for malicious purposes ranging from the influence of energy trading to the development of a targeted, weaponized attack against the grid infrastructure or against the grid operator.”

One of the primary tools leveraged in Operation Dragonfly is Havex. The Havex remote access tool (RAT) can be traced back to (at least) mid-2012 and is not necessarily exclusive to this attack, campaign, or actor. Havex is closely related to the SYSMain RAT, and may even be a derivative; we have also observed the two used together. The Trojan is distributed via spear phishing, watering-hole attacks, and inclusion in exploit kits (such as LightsOut). This family takes advantage of OLE for Process Control (OPC) servers.

The method by which the Havex RAT targeted industrial control system owners was clever. In addition to spear phishing, the control system vendors’ websites were used as watering holes, ensuring that the delivery of the RAT was highly focused. The next stage, the enumeration of OPC servers, is also clever and very concerning. The malware focuses enumeration on OPC Classic, which lacks the security features of newer OPC variants, and this indicates that the attacker is knowledgeable about industrial security, a niche that, to some, benefited from “security through obscurity.” The biggest concern, therefore, is that once again we’re seeing malware targeting an industrial protocol.

In “Applied Cyber Security” the authors wrote, “Industrial protocols in and of themselves represent a challenge to cyber security. … Because most of these protocols provide command and control functionality to the system, an interruption could result in the failure of substation automation, dynamic load management, fault isolation, and even protection systems.”

By specifically targeting OPC Classic, the attacker is likely to discover more vulnerable legacy systems. OPC is extremely common and can interface with a variety of key systems within almost every industrial environment, from almost every sector. From a network design perspective, OPC uses a wide range of ports; unless OPC is tunneled, firewalls allowing OPC are as open as Swiss cheese. Although there’s still a lot to learn about Havex, this event should inspire asset owners to harden OPC servers and to assess their networks with this type of attack in mind. Inspection and enforcement of OPC using application-layer firewalls is a good start. Without an industry-wide effort to stem the inherent vulnerabilities in OPC, Havex could prove itself to be another devastating “industrial” RAT, alongside DistTrack (a.k.a. Shamoon), Duqu, Stuxnet, and Gauss, capable of remote command of control systems. That is something that no one wants to see happen.

For more information, please refer to “Applied Cyber Security and the Smart Grid.”

Product Coverage and Mitigation for ICSA-14-178-01 (Havex/ICS-Focused Malware)
https://blogs.mcafee.com/mcafee-labs/product-coverage-mitigation-icsa-14-178-01-havex-ics-focused-malware
Wed, 02 Jul 2014 02:31:40 +0000

McAfee product coverage and mitigations for malware or indicators associated with the recent attacks (a.k.a. Dragonfly, Energetic Bear, Havex/SYSMain) on industrial control systems (ICSs) are listed below.

The Havex remote access tool is common across these associated attacks and campaigns, including Dragonfly. We have seen Havex in ICS-specific targeted campaigns. It can detect and affect ICS- and SCADA-specific services, such as OPCServer (OLE for Process Control).

McAfee Product Coverage and Mitigation

  • McAfee VirusScan (AV): Known associated malware samples are covered by the current DAT set (7486). Updated coverage will be included in the July 2 DAT set.
  • McAfee Web Gateway (AV): Same as VirusScan coverage.
  • McAfee Application Control: Provides coverage via whitelisting. Nonconforming executables will not run.
  • McAfee Next Generation Firewall: Partial coverage (for malware artifacts) is available via built-in McAfee AV inspection of mail, web, and file transfers.

Please check back often for updated technical details and product coverage.
Product Coverage and Mitigation for CVE-2014-1776 (Microsoft Internet Explorer)
https://blogs.mcafee.com/mcafee-labs/product-coverage-mitigation-cve-2014-1776-microsoft-internet-explorer
Mon, 28 Apr 2014 20:26:31 +0000

On April 26, Microsoft released Security Advisory 2963983 for Microsoft Internet Explorer. In-the-wild exploitation of this vulnerability has been observed across limited, targeted attacks. The flaw is specific to a use-after-free vulnerability in VGX.DLL (memory corruption). Successful exploitation can give an attacker the ability to run arbitrary code (via remote code execution). The flaw affects the following:

  • Microsoft Internet Explorer 6
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 9
  • Microsoft Internet Explorer 10
  • Microsoft Internet Explorer 11

Current McAfee Product Coverage and Mitigation

  • McAfee Vulnerability Manager: The FSL/MVM package of April 28 includes a vulnerability check to assess if your systems are at risk.
  • McAfee VirusScan (AV): The 7423 DATs (release date April 29, 2014) provide coverage for perimeter/gateway products and the command-line scanner-based technologies. Full detection capabilities, across all products, will be released in the 7428 DAT update (release date May 4, 2014).
  • McAfee Web Gateway (AV): The 7423 DATs (release date April 29, 2014) provide coverage.
  • McAfee Network Security Platform (NIPS): The UDS Release of April 28 contains detection.
    • Attack ID: 0x4512e700
    • Name: “UDS-HTTP: Microsoft Internet Explorer CMarkup Object Use-After-Free vulnerability”
  • McAfee Host Intrusion Prevention (HIPS): Generic buffer overflow protection is expected to cover code execution exploits.
  • McAfee Next Generation Firewall (NGFW): Update package 579-5211 (released April 29, 2014) provides detection.
  • McAfee Application Control: McAfee Application Control provides coverage via the MP-CASP feature. Whitelisting will also prevent post-exploitation behavior (e.g., execution of dropped executables or loading of dropped DLLs).

Resources

Product Coverage and Mitigation for CVE-2014-1761 (Microsoft Word)
https://blogs.mcafee.com/mcafee-labs/product-coverage-mitigation-cve-2014-1761-microsoft-word
Tue, 25 Mar 2014 17:53:37 +0000

On March 24, Microsoft released Security Advisory 2953095 for Microsoft Word. In-the-wild exploitation of this vulnerability has been observed across limited, targeted attacks. The flaw is a memory-corruption vulnerability that can be invoked when parsing specially crafted RTF files or data. Successful exploitation can give an attacker the ability to run arbitrary code (via remote code execution). The flaw affects the following:

  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office for Mac 2011
  • Microsoft Office Web Apps 2010 Service Pack 1
  • Microsoft Office Web Apps 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013
  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 1 (32-bit editions)
  • Microsoft Word 2010 Service Pack 1 (64-bit editions)
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 (32-bit editions)
  • Microsoft Word 2013 (64-bit editions)
  • Microsoft Word 2013 RT
  • Microsoft Word Viewer
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
  • Word Automation Services on Microsoft SharePoint Server 2013

Current McAfee product coverage and mitigation

  • McAfee Vulnerability Manager: The FSL/MVM package of March 24 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Host Intrusion Prevention (HIPS): Generic buffer overflow protection is expected to cover code execution exploits.
  • McAfee Network Intrusion Prevention / Network Security Platform (NIPS): The NSP release of March 27 will include coverage for this threat.
  • Stonesoft (NGFW): Coverage is provided in Update Package 572-5211 (released March 27, 2014).
  • McAfee VirusScan (AV): Coverage is provided as Exploit-CVE2014-1761.
  • McAfee Web Gateway (AV): Coverage is provided as Exploit-CVE2014-1761.

Cryptocurrency mining

Microsoft’s blog post highlights IP address 185.12.44.51 as a command and control host. This same host has multiple Bitcoin transactions associated with it as a relay, which can be queried and observed via Blockchain.info. As of this writing, the cumulative balance across the associated Bitcoin wallets is BTC 193.5043147 (about US$111,600).

[Images: Blockchain.info transaction views for the Bitcoin activity associated with 185.12.44.51]

Resources
