100% Uptime | TechSNAP 100

We’ve warned against it for nearly 100 episodes; this week we’ll share the fallout from NBC.com getting hacked, and how Bit9’s whitelist technology was used against them and their customers.

Plus the bad news for Java users, a batch of your questions, and some big surprises.

Thanks to:

Use our code hostdeal4 to score economy hosting for $1 a month, for one year.

35% off your ENTIRE order just use our code go35off4 until the end of the month!

Visit techsnap.ting.com to save $25 off your device or service credits.

Show Notes:

    NBC website compromised, malicious code injected

    • The official website of US broadcasting and media giant NBC was found to contain a malicious iframe pointing visitors to the RedKit Exploit Kit
    • The exploit kit used one of the vulnerabilities patched in Java 7u11 (released January 13th, although the issue was not fully fixed until Java 7u13 on February 1st), as well as a .PDF exploit, to drop the Citadel banking Trojan, a Zeus variant only ever sold to the Russian underground in order to prevent infiltration by authorities and security companies
    • This attack could have been much worse if it had used one of the newer vulnerabilities that were not patched until 7u15 (February 19th) or 7u17 (March 4th)
    • Many users are likely still running somewhat outdated versions of Java due to the rapid release cadence and the inefficacy of the Java updater, and the addition of the .PDF exploit widened the pool of vulnerable visitors
    • The attackers likely had ongoing access for a time, as the URL targeted by the iframe changed rapidly to avoid blocking of the delivery sites
    • One of the domains used in the iframe was an internationalized domain name, which translates from Russian to my-new-sploit.com
    • The version of the Citadel trojan used in the exploit was only recognized by 3 of the 46 virus scanners on virustotal.com on the date of the attack
    • The infection was also detected on other NBC sites such as latenightwithjimmyfallon.com and jeylenosgarage.com, so it was likely an exploit against the CMS
    • These trusted sites are especially valuable as attack vectors for malware authors, because of their huge traffic volumes and the fact that users expect large trusted sites to be free of malware or other risk
    • Facebook’s malware scanner detected that something was wrong (iframes of .jar and .pdf files are usually only seen in attacks) and blocked users from posting links to NBC.com (we have previously discussed the Facebook malware scan that runs as part of the spider that fetches link preview images)
    • The malware was first detected by researchers at 16:43 CET on the 21st; it is unclear how long the injection had been on the site before it was discovered
    • The malware was removed from the site by 21:28 CET
    • Researchers Post
    • Additional Coverage
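A check in the spirit of the Facebook scanner mentioned above, written as an added example (not code from the show or from Facebook): it flags iframes that frame .jar or .pdf files, point at a third-party or punycode (internationalized) domain, or are hidden. The sample markup and the xn--test-label.invalid host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Content types that are almost never legitimately framed on a news site
SUSPECT_EXTS = (".jar", ".pdf")

class IframeCollector(HTMLParser):
    # Collect the attribute dict of every <iframe> in a page
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """Injected frames are normally invisible: zero-sized or styled away."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "hidden" in attrs or "display:none" in style or "visibility:hidden" in style:
        return True
    try:  # a missing dimension is not evidence of hiding, so default to a visible size
        return int(attrs.get("width") or 100) <= 1 or int(attrs.get("height") or 100) <= 1
    except (TypeError, ValueError):
        return False

def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that match exploit-kit injection patterns."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        url = urlsplit(src)
        host = url.netloc.lower()
        reasons = []
        if url.path.lower().endswith(SUSPECT_EXTS):
            reasons.append("frames a ." + url.path.rsplit(".", 1)[-1] + " file")
        if host and host != page_host.lower():
            reasons.append("third-party host " + host)
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalized (punycode) domain")
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample markup (not NBC's real page): one normal video embed, one injected frame
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/player/clip.html" width="640" height="360"></iframe>
<iframe src="http://xn--test-label.invalid/landing.jar" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""
```

Running `suspicious_iframes(SAMPLE_HTML, "www.example.com")` reports only the second frame, with all four reasons.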

    Bit9’s cloud security app compromised, 32 pieces of malware whitelisted

    • Bit9 is a security company whose main product is application control software, which monitors all of the applications and processes running on a server or end-user device and reports any unusual activity (applications not on the cloud-maintained whitelist)
    • Customers of Bit9 include the US government, banks, oil and energy companies, defence contractors and 30 companies from the Fortune 100 list
    • Attackers managed to compromise one or more virtual machines at the company and gained access to a code signing certificate, subsequently using it to sign 32 pieces of malware, effectively whitelisting them
    • It turns out, due to an “operational oversight”, a “handful” of computers at Bit9 did not run Bit9’s own software, so the intrusion was not detected or prevented
    • As such, Bit9 claims that the compromise was not due to a problem with their software
    • Bit9’s investigation suggests that only three of their customers were affected by the illegitimately signed malware
    • Bit9 revoked the certificate that was used to sign the malware (and probably all previously whitelisted binaries; Bit9 claims it was no longer actively using the stolen certificate, but that it was still valid), obtained a new certificate and re-signed the whitelisted apps, and patched their software to blacklist anything signed with the revoked certificate
    • It is interesting to note that one of the most often touted features of the Bit9 system is that it stops new and unknown malware, because it only allows approved applications to run, the opposite of traditional anti-virus applications, which rely on a blacklist of known malware. In this case, the compromise may have caused Bit9 to allow known malware, which would have been stopped by traditional anti-virus, to run on the target systems
    • Bit9 is not saying which of its customers were targeted, but based on other information and the list of industries Bit9 said were not targeted, it appears to have been a defence contractor
    • Official Update Announcement
    • Bit9 says the attackers originally compromised their systems in July of 2012 via an SQL injection flaw in software that was running on an internet-accessible web server
    • From the web server, the attackers were able to compromise two legitimate user accounts, and eventually use those to access a virtual machine that contained the private keys for the code-signing certificate
    • The virtual machine that was compromised was shut down a few days later, with the compromise still undetected
    • In January that virtual machine was started again, and the compromise was eventually detected
    • Bit9 says evidence suggests that they were not the ultimate target of the attack, but rather just a stepping stone to eventually compromise one of their customers
    • Bit9’s audit showed that the source code for their software was not accessed or modified
    • The attackers later executed a watering hole attack (similar to the mobile developer forum attack that compromised Twitter, Facebook, Apple and Microsoft) against the 3 targeted Bit9 customers
    • The attack used a Java vulnerability to execute the HiKit and Unixhome backdoors, two of the binaries that had been signed with the stolen Bit9 certificate. Rather than being blocked by Bit9 as intended, they were whitelisted because they carried Bit9’s signature, and were allowed to run in the highly secured networks of the defense contractors
    • Krebs on Security Coverage – Part 1 Part 2
    • Security Ledger coverage
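The whitelisting failure and the fix described in the notes above, as an added example (not Bit9’s code, and not how its product is actually implemented): a signer-based whitelist trusts anything signed with a trusted certificate, so a stolen key whitelists malware; revoking the certificate and blacklisting its serial, then re-signing approved apps with a fresh certificate, closes the hole. Certificates, keys and binaries are constructed stand-ins, and HMAC replaces the real asymmetric signature so the example stays stdlib-only.

```python
import hashlib
import hmac

class SigningCert:
    """Stand-in for a code-signing cert; HMAC replaces the real asymmetric signature."""
    def __init__(self, serial, key):
        self.serial, self.key = serial, key
    def sign(self, binary):
        return hmac.new(self.key, binary, "sha256").digest()
    def verify(self, binary, signature):
        return hmac.compare_digest(self.sign(binary), signature)

class AppControl:
    """Whitelist model: run a binary only if its hash is approved or a trusted publisher signed it."""
    def __init__(self):
        self.trusted = {}          # serial -> SigningCert currently trusted
        self.revoked = set()       # serials whose signatures are now blacklisted
        self.approved_hashes = set()
    def trust(self, cert):
        self.trusted[cert.serial] = cert
    def revoke(self, serial):
        self.trusted.pop(serial, None)
        self.revoked.add(serial)   # remembered, so old signatures never pass again
    def approve(self, binary):
        self.approved_hashes.add(hashlib.sha256(binary).hexdigest())
    def decide(self, binary, serial=None, signature=None):
        """Return (allowed, reason)."""
        if hashlib.sha256(binary).hexdigest() in self.approved_hashes:
            return True, "hash approved"
        if serial in self.revoked:
            return False, "signed with revoked certificate"
        cert = self.trusted.get(serial)
        if cert and signature and cert.verify(binary, signature):
            return True, "signed by trusted publisher " + serial
        return False, "unknown binary"

def bit9_scenario():
    """Replay the incident: a stolen cert whitelists malware; revocation plus blacklisting fixes it."""
    ac = AppControl()
    stolen = SigningCert("bit9-old", b"constructed-stolen-key")
    ac.trust(stolen)
    malware = b"constructed bytes standing in for the HiKit backdoor"
    sig = stolen.sign(malware)             # attackers sign malware with the stolen key
    before = ac.decide(malware, "bit9-old", sig)
    ac.revoke("bit9-old")                  # Bit9's fix: revoke and blacklist the old cert ...
    fresh = SigningCert("bit9-new", b"constructed-fresh-key")
    ac.trust(fresh)                        # ... issue a new one and re-sign the approved apps
    app = b"constructed bytes of a legitimately approved application"
    after_malware = ac.decide(malware, "bit9-old", sig)
    after_app = ac.decide(app, "bit9-new", fresh.sign(app))
    return before[0], after_malware[0], after_app[0]
```

`bit9_scenario()` returns `(True, False, True)`: the signed malware runs before the revocation, is blocked afterwards, and the re-signed application still runs.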

    Oracle issues another emergency Java patch after McRAT exploits new 0-day in the wild

    • The fix covers CVE-2013-1493 and CVE-2013-0809
    • The latter vulnerability is in the colour management system of Java 2D and allows an attacker to use a specially crafted image file to execute a memory corruption attack. The attack targets the JVM’s internal data structures and overwrites the areas of memory that control whether the security manager is enabled or not
    • The exploit has been seen in the wild, successfully exploited to drop the McRAT trojan
    • The security company that discovered the exploit reported that the McRAT trojan was communicating with the same Command and Control server that was used in an earlier attack against security company Bit9
    • FireEye blog post
    • Additional Coverage
    • The issue was originally reported on February 1st; Oracle claimed that was too late to be included in the February 19th patch. Oracle planned to sit on the fix until the next scheduled update in April, but once it was being exploited in the wild they were forced to release this update
    • Java Security bulletin
    • Security Explorations has reported 7 more Java vulnerabilities since February 25th
    • Oracle has rejected issue #54, claiming it is not a vulnerability, but the Polish firm and US-CERT disagree; Security Explorations has sent additional details and a proof of concept to help Oracle understand the vulnerability
    • Oracle has issued tracking numbers for issues #56–60 but clarifies that the issues are not ‘confirmed’ yet
    • This seems to signal an increasing resistance from Oracle to acknowledge and fix the bugs that researchers report until it is too late and they are being actively exploited
