Invincea Threat Research Report
February 10, 2015
A Chinese advanced persistent threat (APT) group compromised Forbes.com to set up a watering hole style web-based drive-by attack against US Defense and Financial Services firms in late November 2014. The brazen attack used chained 0-days against Adobe Flash and Microsoft Internet Explorer 9+ to attempt to gain access to the internal networks of these companies. This report is the first to detail the attack against strategic US interests and to attribute it to China.
iSIGHT Partners has attributed the attack to a Chinese actor group they call Codoso, which FireEye also calls the Sunshop Group. The group has been previously linked to campaigns against US Government, military, Defense Industrial, think tanks covering foreign affairs, financial services, energy firms, and political dissidents. This disclosure is timed with the release of Microsoft’s patch for CVE-2015-0071 on February 10, 2015 to ensure a patch for both 0-days is now available and recommended to apply (the Adobe Patch was available December 9th).
Requests for Technical Indicators / For More Information
High level details of this campaign can be found in the rest of the blog below.
Further information will be provided in two live joint briefings by Invincea and iSIGHT Partners to interested parties on Wednesday, February 11th at 10:00 a.m. ET and 2:00 p.m. ET – you may register for either of those briefings by clicking on the appropriate link above.
To request the full technical report, please follow this link below to iSIGHT Partners and complete the necessary information. Note that you will need to provide professional credentials including work email and telephone and that iSIGHT may contact you to verify those credentials prior to releasing the report.
Targeted Attack Using Forbes.com
In late November 2014, a United States Defense Industrial Base company encountered an intrusion attempt while visiting the Forbes.com website – the 61st most popular website in the United States and the 168th most popular in the world according to Alexa. That attack was detected and thwarted by Invincea’s Advanced Threat Protection endpoint product, FreeSpace, even as the attack evaded several layers of network defenses at the company and in spite of the attack employing 0-day exploits.
Invincea’s footprint now stretches to more than 1.8 million machines around the globe, protecting unsuspecting users from spear-phishing attacks, watering hole and web-based drive-by attacks without the need for signatures or advance knowledge of the threat. Invincea creates a virtual container on users’ devices in which highly targeted applications such as web browsers, Adobe Reader, and Microsoft Office run. This container walls malware off from the host and users’ data, while detecting all types of malware (including unknown malware) and zero-day exploits using advanced behavior-based techniques. When an attack is detected, it is immediately stopped in its tracks and high-level forensic data is captured.
Separately and concurrently, iSIGHT Partners was tracking Codoso activity related to Chinese cyber espionage and discovered through various sources the Forbes.com website was being used to target US Defense and large Financial Services firms. Further investigation found three additional obscure websites being used by Codoso to target dissident groups.
The attack was executed against specific targets by compromising the Forbes.com Thought of the Day (ToTD) Adobe Flash widget (see picture below) that appears initially whenever anyone visits any Forbes.com page or article. Our analysis concluded that this widget was compromised and using a Flash 0-day exploit to gain control of unsuspecting users’ machines within targeted firms. Invincea successfully blocked the attack before it could progress further and compromise proprietary data.
The Flash 0-day was patched December 9th, 2014 by Adobe and is designated CVE-2014-9163 in the National Vulnerability Database. Further analysis by iSIGHT Partners revealed that the exploit employed an additional 0-day mitigation-bypass vulnerability in Internet Explorer (CVE-2015-0071), when needed, in order to bypass the Address Space Layout Randomization (ASLR) protections available in IE version 9+. iSIGHT Partners tested a fully patched version of IE 10 and Adobe Flash as of the time of the campaign and noted that the attack succeeded. Attacks against IE8 and earlier on Windows XP will succeed without requiring use of the IE 0-day.
iSIGHT Partners confirmed with Microsoft the vulnerability was indeed an active 0-day mitigation bypass vulnerability in IE9+. Invincea and iSIGHT Partners agreed at Microsoft’s request not to disclose details of the vulnerability until a patch was available February 10th, 2015.
Significance of Attack
In the world of cyber threats, the chained 0-day exploit is a unicorn – the best known attack with chained 0-days was the Stuxnet attack allegedly perpetrated by US and Israeli intelligence agencies against Iran’s nuclear enrichment plant at Natanz as part of an operation known as Olympic Games.
Given the highly trafficked Forbes.com website, the exploit could have been used to infect massive numbers of visitors. In fact it was not used for that purpose. Across Invincea’s large footprint of over 20,000 firms, Invincea and iSIGHT can confirm only certain US Defense and financial services firms were targeted with this exploit from Forbes.com during this time period.
iSIGHT has attributed the attack to the Codoso Team (aka Sunshop Group), which has been known to target:
- US Government
- Defense Industrial Base
- Think tanks covering foreign affairs
- Financial services
- Energy firms
- Political dissident groups
While we can confirm targeting against US Defense and Financial Services firms at this time, there is potential for broader targeting from this group (and potentially other threat actors).
Attribution to Codoso Team (aka Sunshop Group)
iSIGHT Partners is attributing the attack to Chinese cyber espionage operators referred to by the moniker Codoso Team based on technical indicators in connected malware as well as the use of the same undisclosed exploit in incidents consistent with Chinese cyber espionage targeting.
Please see the accompanying iSIGHT blog here for more details on technical indicators leading to attribution.
Anatomy of Watering Hole Attack
Below is a pictorial representation of the watering hole attack for illustrative purposes.
In the campaign from late November 2014, Invincea captured the specific attack logs from Invincea FreeSpace users at targeted firms. Below is a screenshot from the Invincea Management Server of the initial chain of events, from when a user visits Forbes.com to when the exploit has successfully executed a command shell.
As seen above, the first visit to Forbes redirected to an IP address. This web site hosts the Flash exploit. We can examine the web site at the IP address shown below.
Searching UrlQuery for information on this IP address shows no determination that anything malicious was served, apart from a single IDS sensor that detected something. Why only a single instance? Perhaps due to aggressive beaconing to the host, or lack of bandwidth?
Note that this is a Linode.com host. Linode is known for its free Linux hosting and is often used by hackers and groups to run free IRC servers and other exploit campaigns. In this instance, Linode is hosting a Flash exploit on this specific landing page that triggered an IDS event at least once.
When the eye-blaster Thought of the Day widget opens, it delivers the Flash exploit, dropping hrn.dll on the local system (see below). The DLL is reflectively loaded into memory. Once in memory, the exploit gains administrative privileges and opens a command prompt. Next, the victim system was scanned to report on its current patch levels, network mapping, and complete IP configuration, including any open VPN connections. With Invincea running on the user’s machine, this was all contained and the exploit did not compromise the host.
It should be noted that this entire chain of events lasted only 7 seconds. But let’s review what we do know, beginning with the reflective loading of the hrn.dll file into memory. First, several iterations of files were written to the AppData\Local directory, beginning with xjjzzb (and then xjjzzb_1, xjjzzb_2, etc.), then later iuhyam, and finally uxyjpt. In each instance, it ran systeminfo.exe from the local system, which completely enumerates system information such as processor speed, number of cores, BIOS information, your login server, memory, what types of USB drives are present, disk size, and much more. You can run this command yourself from the command prompt to see how much information is dumped about the system.
Next, the Trojan runs ipconfig /all to get all of the default gateways, including any connected VPNs. It then runs tasklist /v, which verbosely prints all of the running processes, showing any security products that are enabled.
And then the process beacons out to a different Linode.com host at iad12s04-in-f22.1h100.net. This seems to be a command and control server for this specific botnet. UrlQuery has lots of information about this host, and even revealed the path to the control panel which will show the currently enrolled number of bots, followed by other unlabeled columns, which likely represent the number of various exploits or vulnerabilities used to enroll the victims into the botnet.
Screenshot of the Botnet stats: h[xx]p://iad12s04-in-f22.1h100.net/irwravxrc/getuau.html
Next, the process repeats itself over and over again, perhaps attempting different exploits.
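The seven-second chain just described (a browser-rooted shell running systeminfo, ipconfig /all and tasklist /v in quick succession) is a usable endpoint detection on its own. The example below is added here and is not Invincea's or iSIGHT's code: it walks constructed Sysmon-style process-creation tuples, ties each enumeration command back to a browser ancestor, and alerts when two or more distinct tools run under one browser within a short window. The tuple layout, the browser list and the window size are assumptions.

```python
"""Flag a browser-rooted recon burst like the one above. Input: constructed
Sysmon-style tuples (timestamp_s, pid, parent_pid, image_path, command_line)."""
# Recon commands the report lists; value = required switch (None = any).
RECON = {"systeminfo.exe": None, "ipconfig.exe": "/all", "tasklist.exe": "/v"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}  # assumed browser set
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()
def is_recon(image, cmdline):
    """True when the process is one of the enumeration commands in RECON."""
    switch = RECON.get(basename(image), False)
    if switch is False:
        return False
    return switch is None or switch in cmdline.lower().split()
def browser_ancestor(pid, parents, images):
    """Walk up the parent chain; return the first ancestor that is a browser."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if basename(images.get(pid, "")) in BROWSERS:
            return pid
def find_recon_bursts(events, window=30, min_tools=2):
    """Map browser pid -> sorted recon tools when >= min_tools distinct tools
    ran under that browser within `window` seconds of each other."""
    parents = {pid: ppid for _, pid, ppid, _, _ in events}
    images = {pid: img for _, pid, _, img, _ in events}
    hits = {}  # browser pid -> [(timestamp, tool)]
    for ts, pid, _, img, cmd in events:
        root = browser_ancestor(pid, parents, images) if is_recon(img, cmd) else None
        if root is not None:
            hits.setdefault(root, []).append((ts, basename(img)))
    alerts = {}
    for root, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            tools = {tool for ts, tool in seq[i:] if ts - t0 <= window}
            if len(tools) >= min_tools:
                alerts[root] = sorted(tools)
                break
    return alerts
SAMPLE_EVENTS = [  # constructed, modelled on the 7-second chain in the report
    (0, 100, 50, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    (4, 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (5, 201, 200, r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    (6, 202, 200, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    (7, 203, 200, r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    (60, 300, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # admin's own shell
    (61, 301, 300, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
]
```

On the sample, only the browser-rooted chain (pid 100) alerts; the administrator's own ipconfig /all under a shell launched from explorer does not.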
VirusTotal has also seen several similar beacons from this site:
Many websites have vulnerable plugins, themes, and custom apps for publishing platforms, whether based on ColdFusion, WordPress, or common bulletin board systems. Botnets routinely probe web servers to search for known vulnerable plugins and can often exploit those vulnerabilities automatically, leaving malicious JavaScript, PHP files or Flash exploits behind. Therefore, web users are often at the mercy of the patch cycle and attentiveness of website administrators to keep these vulnerable plugins up to date and to search for dropped files left behind by exploits. In other words, while there has been much attention on malvertising, website plug-ins pose a significant threat to users as well. Ad blockers are not effective against these website plug-ins.
Invincea users, and therefore, the enterprises to which they belong, are immune to attacks launched by vulnerable websites. And if there is a highly trafficked website that is dropping exploits such as Forbes.com, there is the potential for multiple infections within a single enterprise, providing potential remote access to an adversary.
Adversarial Intelligence, Attribution and Indicators
While Invincea successfully detected and blocked the intrusion at its defense company customers, iSIGHT Partners was integral in tracking indicators from the attack back to campaigns from the Chinese actor.
The integration of Invincea FreeSpace reporting from the blocked and captured attack with iSIGHT’s threat intelligence platform provided context to the thwarted attacks, giving a full picture to organizations as to who is targeting them, with what kind of attack, and in many cases, why. The collaboration between Invincea and iSIGHT and responsible disclosure with Microsoft demonstrates the power of intelligence integration with advanced threat protection tools in protecting organizations everywhere.
iSIGHT and Invincea are providing indicators of compromise to all concerned parties through a vetting process to assist organizations in analyzing their potential exposure.
Please see iSIGHT Partners’ blog on this topic here.
- To support organizations in determining their potential exposure to this campaign, iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.
- To request the full technical report, please follow this link and complete the necessary information. Note that you will need to provide professional credentials including work email and telephone and that iSIGHT may contact you to verify those credentials prior to releasing the report.