Over half of all organizations assume that their IT networks have been penetrated, or will be in the future. The number of IT professionals admitting that they really don’t have complete control over sensitive systems and data is increasing each year.
The First Line of Defense Has Already Fallen
Perimeter detection is the first line of defense against any attack, physical or digital: think of an alarm going off when the security of your home is breached, or an ATM blocking your bank card after too many incorrect PIN entries. The issue currently facing many IT experts, security analysts and information security professionals is that there has historically been an over-reliance on perimeter detection as the ONLY line of defense. Not only are cyber-attacks completely bypassing perimeter detection (a recent survey reported that up to 30% of all security breaches never triggered the virtual alarms), but preventative discovery is close to non-existent in many organizations.
What is even more alarming is what happens after a security breach.
The speed with which an organization reacts after a breach is vital, not only in securing sensitive information but in examining and investigating exactly what happened, finding the compromised endpoints and determining the full data risk impact as fast as possible. The problem is that most organizations are reactive instead of proactively aggressive in their search for potential threats at all times. In the same survey, it was noted that up to 25% of IT security professionals were notified of data breaches and cyber-attacks by a third party. By then it could be too late.
Figuring out what happened after the fact is essential, yes, but creating a secure environment that STOPS attacks is even more vital. To do that, security professionals need to be vigilant, proactive and relentless in their hunt for cyber threats before they become cyber casualties of war.
As indicated in FortiGuard Advisory FGA-2010-53, an attack exploiting a critical zero-day vulnerability in Adobe Flash Player was found very recently roaming in the wild. Although the attack vector in the wild is a PDF file, it is a Flash Player vulnerability indeed (Adobe Reader embeds a Flash Player).
After analyzing the PDF sample, we do confirm that the core ActionScript in the embedded Flash file, which triggers the exploit, is almost exactly the same as that of an example on flashandmath.com, as Bugix Security guessed.
Almost? Indeed: the only difference lies in a single byte (at 0x494A, for those who’d like to make a signature based on that ;)), changed from 0x16 in the example to 0x07 in the exploit code:
What does this correspond to? Simply to an ActionScript class id sitting in the “MultiName” part of the file (according to Adobe’s ActionScript Virtual Machine 2 Overview):
So, the original fl.controls::RadioButtonGroup class in the example becomes a fl.controls::Button class in the sample. Thus, at runtime, all references that are supposed to point to fl.controls::RadioButtonGroup actually refer to fl.controls::Button… which, somewhere below, triggers the vulnerability:
Based on this, it is not extremely challenging to guess how the attacker discovered this zero-day vulnerability: simply by running a “dummy” fuzzer on basic Flash files, as many bug hunters are doing. We had already noticed the same thing likely happened for CVE-2010-1297 and CVE-2010-2884.
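As an added example (not code from Fortinet's post, nor from the sample it analyzes), the following parser walks the constant pool of a raw AVM2 ABC blob and resolves each QName multiname to package::Name, which makes a one-byte change in a name index show up as a different class reference, exactly the kind of difference described above. It assumes the caller hands it the ABC bytes alone (the body of a DoABC tag after its flags and name); SAMPLE is a constructed pool whose offsets are hypothetical and unrelated to 0x494A.

```python
def read_u30(buf, pos):
    val, shift = 0, 0                     # AVM2 varint: 7 bits per byte, high bit = more
    while True:
        val |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80 or shift >= 35:
            return val, pos

def read_pool(buf, pos, read_item):       # u30 count, then count-1 items; slot 0 is implicit
    count, pos = read_u30(buf, pos)
    items = [None]
    for _ in range(max(count - 1, 0)):
        item, pos = read_item(buf, pos)
        items.append(item)
    return items, pos

def read_string(buf, pos):                # u30 size, then UTF-8 bytes
    size, pos = read_u30(buf, pos)
    return buf[pos:pos + size].decode("utf-8"), pos + size

def read_ns_set(buf, pos):                # u30 count, then that many u30 namespace indices
    n, pos = read_u30(buf, pos)
    for _ in range(n):
        _, pos = read_u30(buf, pos)
    return n, pos

def read_qname(buf, pos):                 # only QName/QNameA (kind 0x07/0x0D) are decoded here
    if buf[pos] not in (0x07, 0x0D):
        raise ValueError("multiname kind 0x%02x not handled" % buf[pos])
    ns, pos = read_u30(buf, pos + 1)
    name, pos = read_u30(buf, pos)
    return (ns, name), pos

def resolve_qnames(abc):                  # walk the cpool in spec order, return 'package::Name'
    pos = 4                                                        # skip minor/major version
    for skip in (read_u30, read_u30, lambda b, p: (None, p + 8)):  # int, uint, double pools
        _, pos = read_pool(abc, pos, skip)
    strings, pos = read_pool(abc, pos, read_string)
    namespaces, pos = read_pool(abc, pos, lambda b, p: read_u30(b, p + 1))  # u8 kind, u30 name
    _, pos = read_pool(abc, pos, read_ns_set)
    qnames, _ = read_pool(abc, pos, read_qname)
    return [f"{strings[namespaces[ns]]}::{strings[name]}" for ns, name in qnames[1:]]

# Constructed minimal ABC (not the real sample): version, empty int/uint/double pools,
# three strings, one PackageNamespace "fl.controls", no ns_sets, and a single QName.
SAMPLE = (b"\x10\x00\x2e\x00" b"\x00\x00\x00"
          b"\x04\x0bfl.controls\x06Button\x10RadioButtonGroup"
          b"\x02\x16\x01" b"\x00"
          b"\x02\x07\x01\x03")            # QName: namespace index 1, name index 3
NAME_INDEX_OFFSET = len(SAMPLE) - 1       # the one byte that selects the class
def with_name_index(abc, offset, index):  # flip that byte and resolve again
    return resolve_qnames(abc[:offset] + bytes([index]) + abc[offset + 1:])
```

With the constructed pool, resolve_qnames(SAMPLE) yields fl.controls::RadioButtonGroup, and rewriting the single name-index byte to 2 yields fl.controls::Button, which is the kind of difference a byte-level signature on the MultiName entry would catch.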
Security experts have recently discovered a previously unknown Mac-based spy malware that preys on outdated coding practices to launch real-world attacks on computers in the biomedical research industry.
The unsophisticated and out-of-date code has remained undetected for years on macOS systems. The malware has been labelled Fruitfly and it was first discovered as ‘OSX.Backdoor.Quimitchin’. An IT administrator working for information security firm Malwarebytes was alerted to the malware due to unusual outgoing activity sourced from a Mac computer.
The First Malware of 2017
Researchers are labelling Fruitfly the first Mac malware of 2017. Fruitfly is said to contain code dating back to OS X and it has been conducting surveillance on targeted networks for over two years. Fruitfly uses a hidden Perl script which communicates with command and control servers. Disturbingly for targeted biomed companies, Fruitfly can capture webcam images and screenshots and report system uptime, while moving and clicking the mouse cursor.
Fruitfly’s reach can extend to connected devices on the same network as the infected Mac, as it attempts to connect to these as well. Fruitfly uses a secondary script along with a Java class to conceal its icon from displaying in the macOS Dock. It is still unknown how the malware was distributed and how it infected the Macs.
Code Dating from 1998
Researchers have found that the malware’s code pre-dates Apple’s OS X and that it relies on “libjpeg” code, a library for JPEG-formatted image files that was last updated almost 20 years ago, in 1998.
How Has it Gone Undetected for so Long?
In a blog post written by Malwarebytes’ Thomas Reed, he speculated that Fruitfly has been used selectively in very tightly targeted attacks which have limited its exposure. International espionage is a buzz topic right now and the nature of this form of attack is a hallmark of past Russian and Chinese attacks aimed at US and European scientific research.
There is a reason that the military conducts repeated simulated training exercises: to ensure that the armed forces will be able to respond to military attacks immediately and effectively. Little wonder, then, that governments around the world have been doing the same when it comes to a nation’s cyber security. Interestingly, while the threat of a physical invasion of any western country decreases each year, the threat of cyber-attacks increases dramatically. A cyber-attack has the potential to decimate many countries’ vital systems, including transport and infrastructure (power, water, banking and healthcare), and ‘cyber war games’ help governments plan against attacks, increase security and lower the chance of complete decimation.
The Cyber Storm – 2006 War Games Begin
One of the earliest tactical training exercises and simulated ‘war games’ was called ‘Cyber Storm’ which took place over the course of a week in February 2006. It was the first ever cyber security exercise to take place and enabled the Department of Homeland Security to prepare for future attacks by highlighting vulnerabilities and weaknesses not only in electronic systems, but in their response to an attack.
Cyber Storm – Attacks on All Fronts
One of the principal objectives was to ascertain the preparedness and response times of different systems and departments to an attack on all fronts. The simulation sought to disrupt key targets, and thwart the government’s ability to respond. Unfortunately it was successful.
The controlled and simulated attack was leveraged against key targets around the world, including Washington DC’s metro transport system, hazardous materials in Philadelphia and Chicago, and London’s Underground. Other scenarios included people on ‘no-fly’ lists appearing at several airports across the US, utility disruption in Los Angeles, and planes flying too close to strategic targets.
The outcome of the exercise highlighted the inability of systems and departments to connect attacks fast enough, and their tendency to focus on specific incidents rather than on the entirety of the attack. Overall it was found that, if under cyber-attack, the US may not be able to adequately defend itself fast enough.
‘GhostNet’ is Unveiled
A cyber spy operation that operates internationally and is known as GhostNet was recently uncovered by the Munk Center for International Studies, a security research concern based at the University of Toronto in Canada at the request of Canada’s Information Warfare Monitor (IWM). GhostNet operates from within China and is targeting computers and networks owned by governments around the world.
Spying for Over a Decade
Since 2007 GhostNet has actively targeted diplomats, politicians and media companies. The cyber spy operation installs spyware to invade and monitor their computers. The IWM has established that the cyber espionage is being conducted from various locations in China but stated that there is no conclusive proof of involvement by the Chinese government. Although intelligence analysts have claimed that many governments including the US, Russia and China use computer systems to covertly gather information, authorities in Beijing have denied being involved with GhostNet. It is the first time that researchers have managed to expose an intrusion of this magnitude.
Who is Affected?
According to BBC News, GhostNet has a global reach in over 100 different countries and has already infiltrated more than 1,000 computers. There has been no evidence thus far that any office of the United States government has been infiltrated, but diplomatic offices in the US, like the Indian embassy in Washington, are targeted. It was also discovered that victims in the United Kingdom include the Indian High Commission, the International Chamber of Shipping and the Associated Press news agency. The first known victim was the Tibetan spiritual leader, the Dalai Lama, whose office originated the investigation.
Despite the discoveries made, the invasion is not over. The New York Times reported that GhostNet continues to invade and monitor at least a dozen computers every week.