SuperFishy Mistake | TechSNAP 202

SuperFishy Mistake | TechSNAP 202

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, we’ll break down how this is possible, the danger that still exists & more.

Plus the story of a billion dollar cyber heist anyone could pull off, the Equation group, your questions, our answers & much much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

APT Attack robs banks

  • A staggering APT attack has been conducted against over 100 banks in 30 countries, and has reportedly managed to steal as much as 1 billion USD.
  • “In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.”
  • While investigating, Kaspersky Labs found no malware on the ATM, just a strange VPN connection
  • Later, they were called into the bank’s headquarters, after the bank’s security officer got an alert about a connection from their domain controller to China
  • Kaspersky Video
  • “In order to infiltrate the bank’s intranet, the attackers used spear phishing emails, luring users to open them, infecting machines with malware. A backdoor was installed onto the victim’s PC based on the Carberp malicious code, which, in turn gave the name to the campaign — Carbanak.”
  • “After obtaining control over the compromised machine, cybecriminals used it as an entry point; they probed the bank’s intranet and infected other PCs to find out which of them could be used to access critical financial systems.”
  • “That done, the criminals studied the financial tools used by the banks, using keyloggers and stealth screenshot capabilities.”
  • “Then, to wrap up the scheme, the hackers withdrew funds, defining the most convenient methods on a case-by-case basis, whether using a SWIFT transfer or creating faux bank accounts with cash withdrawn by ‘mules’ or via a remote command to an ATM.”
  • On average, it took from two to four months to drain each victim bank, starting from the Day 1 of infection to cash withdrawal.
  • The oldest code that could be found related to these attacks was from August 2013
  • Additional Coverage – NY Times
  • Additional Coverage – ThreatPost
  • Additional Coverage – SecureList
  • Report PDF
  • This attack is related to the malware installed directly on ATMs that we have reported on before

Lenovo spyware installs own Root CA

  • It has been discovered that Lenovo has been shipping devices preinstalled with an advertising application called SuperFish
  • This “Visual Discovery” advertising system injects picture ads for items related to search terms into your google search results, and other websites
  • While this is bad enough, and upsets many people, the bigger problem is how they do it
  • In order to snoop upon the search terms you are using, SuperFish must intercept your encrypted communications with Google and others
  • In order to do this, the SuperFish software installs its own SSL Root Certificate Authority into the trusted certificate store
  • This makes your machine trust every certificate signed by SuperFish
  • The proxy that SuperFish installs, intercepts all of your web traffic, when it sees you trying to make a secure connection, which it would not be able to snoop on, what it does is create (on the fly), a new certificate for the site you are trying to visit (,, whatever), and signs it with its private key
  • Now your browser trusts the authenticity of this fake certificate, so it does not issue a warning, and you are completely unaware that SuperFish is intercepting all of your communications
  • There are a number of security problems with this, including, does SuperFish sign a ‘valid’ certificate even for invalid certificates, like self signed certificates, meaning that an attack could trick you into going to a website, and seeing it as authentic when it is not, because SuperFish has signed a fresh certificate for it
  • Worse, because of the way SuperFish works, rather than relying on the SuperFish backend infrastructure to generate these bogus certificates, instead SuperFish ships the private key for their fake Root CA with their software
  • Researchers at Errata Security were able to crack the password used to encrypt the private key in only 3 hours
  • The password was: komodia
  • He found it fairly easily, first using procdump to defeat the self-encryption used by SuperFish (procdump wrote out the binary as it was in memory after it had decrypted it self)
  • Next, he ran the standard unix tool ‘strings’ on the resulting file, and found the encrypted SSL private key
  • After failed attempts to brute force it, or run a dictionary attack against it, he went back to his ‘strings’ file
  • After filtering it down to only include short all lowercase words, he used it as a dictionary, and found the password
  • Now, anyone can download the SuperFish software, extract the certificate and private key, and start signing bogus certificates for any website they wish, and every Lenovo or other machine that has the SuperFish software installed, will happily accept it as genuine
  • SuperFish CEO Adi Pinhas tells Ars that “Superfish has not been active on Lenovo laptops since December. We standby this Lenovo statement
  • While Lenovo and SuperFish disabled the server side component of SuperFish, which will prevent it from showing the ads, it seems that even uninstalling the SuperFish software, does not remove the trusted root certificate, leaving the users vulnerable to Man-In-the-Middle attacks
  • It is unclear what the certificate pinning feature in Google’s Chrome browser did not prevent this from working
  • Given that this same technique is popular in corporate security software, and there are also open source application proxies that can do it (OpenBSD’s relayd for one), it may be that Google had to relax their requirements to be compatible with corporate networks
  • Lenovo Forums
  • Additional Coverage – ThreatPost
  • Additional Coverage – TheNextWeb
  • Additional Coverage – TechSpot
  • Additional Coverage – ZDNet

The Equation Group — Part of the NSA?

  • Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations.
  • Known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods +
  • Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
  • An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.
  • The trump card for the Equation Group attackers is their ability to inject an infected machine’s hard drive firmware. This module, known only by a cryptic name – “nls_933w.dll”, essentially allows the attackers to reprogram the HDD or SSD firmware with a custom payload of their own creation.
  • One of the Equation Group’s malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
  • Additional Coverage – Ars Technica
  • Additional Coverage – ZDNet
  • Additional Coverage – Digital Munitition



Question? Comments? Contact us here!