Another LinkedIn Sockpuppet

According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna.

https://hk.linkedin.com/pub/anna-sentina/100/757/193

Sr Researcher at “Head Hunter”.

I’m not so sure about that.

According to IMDb, Anna Sentina is really Anna Akana.

http://www.imdb.com/name/nm4331196/

Anna’s IMDb profile.

Maybe LinkedIn should start charging to “verify” recruiter accounts?

At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount of cost would do two things. First, it would add value to actual recruiters. And second, it would help clean out the fakes as LinkedIn’s security team could then scrutinize the accounts of so-called recruiters who decide not to verify. Alternatively, accounts claiming to be recruiters that aren’t verified could be labeled as “unverified”.

But that’s probably not going to happen anytime soon. So for now, try to be selective with your LinkedIn connections.

@5ean5ullivan

Related: LinkedIn Sockpuppets Are Targeting Security Researchers



Can the “Speakularity” Be Secured?

In December 2010, journalist Matt Thompson predicted a future in which “automatic speech transcription will become fast, free, and decent.” He called this future the “Speakularity” – playing on the concept of the technological singularity.

In Thompson’s words:

“So much of the raw material of journalism consists of verbal exchanges — phone conversations, press conferences, meetings. One of journalism’s most significant production challenges, even for those who don’t work at a radio company, is translating these verbal exchanges into text to weave scripts and stories out of them.”

“After the Speakularity, much more of this raw material would become available. It would render audio recordings accessible to the blind and aid in translation of audio recordings into different languages. Obscure city meetings could be recorded and auto-transcribed; interviews could be published nearly instantly as Q&As; journalists covering events could focus their attention on analyzing rather than capturing the proceedings.”

“Imagine if that capability were opened up to citizens — if every on-air utterance of every pundit, politician, or policy wonk were searchable on Google.”

But that capability wouldn’t be open to just good citizens…

https://commons.wikimedia.org/wiki/File:Loose_lips_might_sink_ships.jpg

Writing in the September 3rd issue of Nautilus, James Somers takes a deep dive into the idea and asks: will recording every spoken word help or hurt us?

He imagines a near future in which all business meetings are transcribed as part of “The Record”.

“We are going to start recording and automatically transcribing most of what we say. Instead of evaporating into memory, words spoken aloud will calcify as text, into a Record that will be referenced, searched, and mined. It will happen by our standard combination of willing and allowing. It will happen because it can. It will happen sooner than we think.”

“It will make incredible things possible. Think of all the reasons that you search through your email. Suddenly your own speech will be available in just the same way.”

Sounds wonderful? Not so fast.

“[Consider] what it might be like to live in a society where everything is recorded. There is an episode of the British sci-fi series Black Mirror set in a world where Google Glass–style voice and video recording is ubiquitous. It is a kind of hell.”

A kind of hell. Indeed. It’s already difficult enough for people to forgive and forget. Imagine the difficulty doing so if your spoken words are immortalized.

But let’s not overreact just yet.

“Between these visions of heaven and hell lies the likely truth: When something like the Record comes along, it won’t reshape the basic ways we live and love. It won’t turn our brains to mush, or make us supermen. We will continue to be our usual old boring selves, on occasion deceitful, on occasion ingenuous. Yes, we will have new abilities—but what we want will change more slowly than what we can do.”

Yes, let’s hope.

CBC’s Spark interviews Somers here:

Something like the Speakularity is getting closer, I think. Auto-transcribing business conferencing services seem very much like something the lifeloggers among us will want to use if and when they become available. And when there are people who want to use them, somebody will build them.

So that causes me to consider this important question… can the Speakularity be secured?

It’s not difficult to imagine people discussing corporate strategy and other sensitive proprietary information indiscriminately within earshot of a microphone. After all, they already do. (Phones.) Fortunately, it’s not trivial to hack everybody’s phone and it generally requires expensive tools.

But imagine if searchable audio of personal, corporate, and government speech were just sitting somewhere in the cloud, there for the taking. Today’s data breaches could look like small potatoes by comparison.

@5ean5ullivan



Freedome Tracking Protection Comparison

Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN’s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites.

Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category.

Page Load Speed Comparison

As you can see, there’s quite a measurable effect on several sites; Huffington Post and USA Today loaded in half the time (2.1x faster). Conclusion: blocking trackers saves time.

And here’s a graph of size comparisons.

Page Load Size Comparison

With Tracking Protection enabled, CNNMoney only loaded 1.4MB compared to 3MB. AccuWeather loaded 10.4MB compared to 17.3MB. Conclusion: blocking trackers saves bandwidth.

Happy surfing Freedome lovers!

@5ean5ullivan

¹ The testing was done from our Helsinki-based lab via Freedome’s Netherlands-based exit node.



Apple iOS 9 Security Features

Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements.

Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well publicized example.

iOS 9 improved security

Source: Apple

Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium.

A small change that I’ve noticed while testing iOS 9’s public beta is related to Windows¹.

This is the prompt you’ll see when connecting an iOS 9 device to a computer with iTunes installed (which includes anything running OS X).

And this is the prompt you’ll see when connecting an iOS 9 device to a (Windows) computer with no iTunes drivers installed.

Allow this device to access photos and videos?

It’s a subtle but interesting difference. Allow implies limited access, whereas trust implies something greater. There have been cross-platform malware attempts aimed at iOS in the past. With this allow prompt, a careful observer could determine when such cross-platform malware is present. If you connect your iOS 9 device to a Windows computer that you know doesn’t have iTunes installed and are asked to trust… don’t.

Another small but very welcome change that I wrote about in July is a new Safari feature.

Scam sites attempting to lock Safari into an endless loop of JavaScript alert dialogs will find their efforts foiled by Safari’s new option to “Block Alerts”.

Block alerts from?

All in all iOS 9 looks good. I hope to see some more security info during Apple’s event today, and I’m looking forward to iOS 9’s public release scheduled for September 16th.

@5ean5ullivan

¹ Testing with Kali Linux yielded a “trust” prompt.



Sofacy Recycles Carberp and Metasploit Code

1. Introduction

The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group exploited vulnerabilities in Microsoft Office (CVE-2015-2424) and Java (CVE-2015-2590).

If the exploit is successful, it installs a Sofacy downloader component that differs from what we have seen before. This downloader is based on the notorious Carberp source code, which leaked into the public domain in the summer of 2013.

1.1 Bootstrapped Firefox Add-on

Aside from zero-day exploits, we have also encountered the Carberp-based downloader deployed via other means, such as a bootstrapped Firefox add-on, during spring this year. But what is a bootstrapped add-on? According to Mozilla, it is a type of add-on that can be installed and used without restarting the browser.

The installation of this Sofacy add-on mostly relies on social engineering. When the user visits the malicious or compromised website, they are prompted to install the add-on.

HTML5 Rendering Enhancements 1.0.

Figure 1: Sofacy HTML5 Rendering Enhancements add-on

The main code is stored in the bootstrap.js file within the add-on package. Once the add-on is activated, the JavaScript will download the Sofacy Carberp-based downloader from the following URL:

hxxp://dailyforeignnews.com/2015/04/Qih/north-korea-declares-no-sail-zone-missile-launch-seen-as-possible-reports/579382/hazard.edn

The payload will be saved locally as vmware_manager.exe.

This bootstrapped add-on technique isn’t entirely new: it has been documented since 2007 and has been used mostly by potentially unwanted applications. However, this is the first time we have seen Sofacy use it. Most of the code in Sofacy’s bootstrap.js file was copied directly from Metasploit, including the GUID {d0df471a-9896-4e6d-83e2-13a04ed6df33} and the add-on name “HTML5 Rendering Enhancements”. The payload download section, on the other hand, was copied from one of Mozilla’s code snippets.

2. Technical information about the dropper and DLL

The exploit document or add-on carries a simple PE executable, which installs an embedded DLL on the system. The executable is around 100KB in size and not packed with any file compressor, but the DLL is compressed using the standard Windows APIs and decompressed with RtlDecompressBuffer before being dropped to disk. One notable feature common to all the samples we’ve seen is a temporary file named jhuhugit.temp. This filename is about the only clear-text string in the EXE; most of the other strings are obfuscated with an XOR algorithm using a fixed 11-byte key. Another interesting string appearing in some of the samples is the encryption key “bRS8yYQ0APq9xfzC”. This happens to be one of the fixed “main passwords” found in the Carberp source tree on GitHub.

The DLL is executed with the system executable rundll32.exe, by running an export named “init”. The DLL itself doesn’t have much functionality. It simply sits in a loop, querying one of its fixed C2 servers every 30 minutes. We haven’t yet been able to retrieve any live payloads from the servers, but based on the code, the DLL would execute the payloads exactly the way it was itself executed in the first place. The C2 server addresses and other configuration data are obfuscated using the same 11-byte XOR key algorithm. Nothing really fancy so far, but the same Carberp password, also used by all the DLLs we’ve seen, got us curious enough to find out what the connection is.

By carefully reverse engineering the DLL, it became apparent that this family is based on the Carberp source code. The code is not exactly the same as what can be found on GitHub, but close enough to make such claims, as we’ll see later. Features of this Sofacy downloader that are based on the Carberp sources include the API resolving algorithm and the code injection mechanism. The algorithm used for generating random URLs is also loosely based on Carberp.

3. Comparison to Carberp source code

3.1. API resolving algorithm

In the public Carberp source code, APIs are resolved at run time using code constructs like this:

#define pLoadLibraryA   pushargEx< DLL_KERNEL32, 0xC8AC8026, 2 >

In this example, the function pLoadLibraryA is defined in terms of another function, pushargEx, which receives the following arguments:

  • Module identifier, DLL_KERNEL32 in this example
  • Function name hash, C8AC8026 here, which is calculated at run time
  • Function cache index, 2 in this example

The function pushargEx has multiple definitions, one for each possible number of function arguments. Here is an example of the definition for 5 arguments:

// Template parameters carry the module id (h), the API name hash and the cache slot,
// matching the pushargEx< DLL_KERNEL32, 0xC8AC8026, 2 > usage above.
template<int h, DWORD hash, DWORD CacheIndex, typename A, typename B, typename C, typename D, typename E>
inline LPVOID pushargEx(A a1, B a2, C a3, D a4, E a5)
{
    typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E);
    // Resolve the API address from the name hash (cached by CacheIndex), then call it.
    newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
    return func(a1, a2, a3, a4, a5);
}

pushargEx ends up calling GetProcAddressEx2, which locates the API function’s address based on the name hash; the function at that address is then called. The purpose of this construct is to be able to use standard Win32 API functions normally in the code, just by prefixing the name with a ‘p’. The resulting compiled code is not very easy to read, which slows down the reverse engineering process. It also has the additional benefit of making the code truly position independent, which is good for code injection.

Carberp’s source tree includes a list of API hashes and the corresponding cache indexes in a handy list like this.

Figure 2: Carberp API list

Now back to the Sofacy binary code. It is apparent from the decompiled snippet that it uses the same hashing algorithm and index numbering.

Figure 3: Sofacy GetModuleHandleA

GetModuleHandleA is just one of the many functions resolved dynamically by Sofacy. But they all match the Carberp source code exactly: the hashes and arguments match, as does the indexing (see index number #43 in Figure 2).

Looking further into the API resolver, we can observe striking similarities in the functions named GetProcAddressEx and GetProcAddressEx2. Here’s a screenshot of GetProcAddressEx2 from the Carberp sources and the decompiled code from the Sofacy binary, side by side.

Figure 4: GetProcAddressEx2 from Carberp and Sofacy

And here’s a similar comparison of GetProcAddressEx from the Carberp sources and decompiled code from a Sofacy binary.

Figure 5: GetProcAddressEx from Carberp and Sofacy

In the decompiled code snippets, all the function names and variables have been named according to the Carberp sources on purpose, for the sake of demonstration.

3.2. Code injection

Sofacy uses code injection for all networking code, injecting its own functions into browser processes. The processes are located using the Carberp process-name hashing algorithm. The purpose of this setup is most likely to get around personal firewalls and other behavior detection systems.

The injection starts with a function named InjectIntoProcess, which opens a process, injects code with InjectCode4 and runs it with CreateRemoteThread. Below is a snippet from Carberp.

Figure 6: InjectCode4 from the Carberp source

InjectIntoProcess and InjectCode4 from the Sofacy binary combine this functionality.

Figure 7: InjectIntoProcess from Sofacy

Figure 8: InjectCode4 from Sofacy

3.3. Mysterious Main Password

In the Carberp sources, there is a password called MainPassword, RC2_Password or DebugPassword. One of its possible values is “bRS8yYQ0APq9xfzC”, which is also used by Sofacy. In Carberp, this password is used for example to encrypt HTTP traffic. In Sofacy, however, it is used in quite a different manner: Sofacy has a modified API resolution algorithm that uses the same password. In Carberp, the resolver has a clear-text list of DLL names, which the index parameter of GetProcAddressEx2 refers to. In Sofacy, this list is obfuscated with a simple XOR-based algorithm using the Carberp “main password”.
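The fixed 11-byte XOR key on the strings and configuration (section 2) and the main-password XOR on the DLL-name list (section 3.3) are the same construction, so here is one added analyst-side helper for both (it is not code from the post, from Carberp or from Sofacy): it recovers such a repeating key from a single string whose decoded value is already known, checks that the key really has the claimed period, and then decodes the rest of a string table. The 11-byte key, the hosts and the table layout are constructed for the demo; only the Carberp password is taken from the post.

```python
from itertools import cycle

# Constructed 11-byte key for the demo; the real key used by the samples is not given in the post.
DEMO_KEY = bytes([0x3A, 0x91, 0x5C, 0xE7, 0x08, 0xB3, 0x6F, 0xD2, 0x19, 0x84, 0xC5])

# The Carberp "main password" quoted in the post, used by Sofacy as the XOR key for its DLL-name list.
CARBERP_MAIN_PASSWORD = b"bRS8yYQ0APq9xfzC"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against the key repeated as often as needed (symmetric: encodes and decodes)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = 11) -> bytes:
    """Derive a repeating key from one string whose decoded value is already known
    (for instance a C2 address seen decoded in a debugger). The known part must cover
    the whole key, and the derived key stream must repeat with period key_len;
    if it does not, the assumed key length is wrong."""
    if len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    if len(ciphertext) < len(known_plaintext):
        raise ValueError("ciphertext shorter than known plaintext")
    stream = xor_repeating(ciphertext[: len(known_plaintext)], known_plaintext)
    key = stream[:key_len]
    for i, b in enumerate(stream):
        if b != key[i % key_len]:
            raise ValueError(f"key stream is not periodic with length {key_len} (offset {i})")
    return key


def is_mostly_printable(data: bytes, threshold: float = 0.95) -> bool:
    """Cheap sanity check that a decoded entry looks like text rather than noise."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F)
    return printable / len(data) >= threshold


def decode_strings(encoded, key: bytes):
    """Decode independently obfuscated entries; entries that do not decode to text yield None."""
    out = []
    for blob in encoded:
        plain = xor_repeating(blob, key)
        out.append(plain.decode("ascii", "replace") if is_mostly_printable(plain) else None)
    return out


# Constructed sample of what the obfuscated configuration and DLL list might look like in memory.
# The hosts are placeholders, not real C2 addresses from the samples.
CONSTRUCTED_CONFIG = [xor_repeating(s, DEMO_KEY) for s in (
    b"http://c2-placeholder-one.example/check.php",
    b"http://c2-placeholder-two.example/check.php",
    b"vmware_manager.exe",
)]
CONSTRUCTED_DLL_LIST = [xor_repeating(s, CARBERP_MAIN_PASSWORD) for s in (
    b"kernel32.dll", b"ntdll.dll", b"ws2_32.dll",
)]


def analyse(config=CONSTRUCTED_CONFIG,
            known=b"http://c2-placeholder-one.example/check.php"):
    """Analyst workflow: one C2 string observed decoded at run time gives the key,
    which then decodes the rest of the configuration statically."""
    key = recover_key(config[0], known)
    return key, decode_strings(config, key)


if __name__ == "__main__":
    key, strings = analyse()
    print("recovered key:", key.hex())
    for s in strings:
        print(" ", s)
    print("DLL list:", decode_strings(CONSTRUCTED_DLL_LIST, CARBERP_MAIN_PASSWORD))
```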

4. Conclusions

Based on the analysis presented in this blog post, it should now be evident that the new Sofacy downloader is based on the Carberp source code. However, there are also some very clear differences, for example the API resolver and its use of the Carberp main password. What can we conclude about this connection? We think it means the Sofacy gang has a private source tree of the Carberp code. The use of the password for protecting DLL names in the resolver suggests that this source is more recent than what is publicly available on GitHub. Does it mean the Sofacy gang just cloned the source tree and continued development, or is it being developed further by somebody else behind the scenes? That, we don’t know yet. But the Sofacy connection, in addition to recent incidents involving Anunak/Carbanak (also based on Carberp), indicates that Carberp is still alive and kicking.

5. Hashes

Bootstrap.js:

e7d13aed50bedb5e67d92753f6e0eda8a3c9b4f0



Buy Your Freedome With Cash Money

Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem.

You can buy Freedome with cash money.

Cash can buy your Freedome.

Bitcoin not required.

Let’s say you’re in Germany. Just visit one of cyberport.de’s or notebooksbilliger.de’s physical locations and pick up a box.

Freedome for sale.

Freedome (code) inside a box.

The box is available at finer retailers in several regions, Tweet at @FreedomeVPN for more info.

Regards,
@mikko



Today’s Best Email

Software engineers automate everything…

A farewell message generated using a Markov chain model trained on past farewell emails.

Goodbye “Markov”!


LinkedIn Sockpuppets Are Targeting Security Researchers

Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate.

Here’s an example of one so-called “recruiter” account.

Jennifer White's LinkedIn profile

Who is this woman?

Areas of interest include pen testing and social engineering? You don’t say.

“Jennifer” supposedly works for Talent Src a.k.a. Talent Sources.

Talent Src's LinkedIn page.

(Note its specialties.)

A reverse image search shows that Talent Source’s logo isn’t original.

Google Images result for Talent Source’s logo.

And its Twitter account uses an egg. (Lazy.)

https://twitter.com/talent_src

@talent_src

Here are Jennifer’s supposed colleagues…

The “employees” of Talent Source.

Each recruiter account is focused on a particular type of specialist.

Reverse image searches of Alex, John, Monika, and Silvia yielded no results… at first. Daavid flipped the images and then located mirror copies on Instagram as well as some legitimate LinkedIn profiles. Reverse image search engines would do well to offer mirror searches as an option. We weren’t able to locate the source of Jennifer’s photo.

And now, Jennifer and the other recruiter accounts are gone.

This seems to be the modus operandi of whomever is behind these accounts, as Fox-IT’s Yonathan Klijnsma explained on Twitter.

(Or attractive male.)

Discouragingly, Daavid discovered that one of Jennifer’s connections gave her a bunch of endorsements for skills that the account clearly didn’t deserve based on the published work history. At least, not unless retailers are training clerks to reverse engineer software. When asked about it, the connection (an employee of a large US-based defense contractor) admitted that it was a bad habit to give out such endorsements without really knowing the other person.

Indeed.

If you look back to the employee list, you’ll see that “Hannah” was focused on security executives. Let’s hope none of them gave away any important details.

@5ean5ullivan



You’ve Got Robot Mail

I listened to the BBC World Service’s Click podcast this morning during my commute and learned that Posti (Finland’s postal services provider) is testing drone delivery.

http://www.posti.fi/lennot/

Source: Posti

Posti has a video of the “robottikopteri” in action on its YouTube channel.

Coincidentally, on my walk home last night, I heard the sound of a quadcopter flying around somewhere in my neighborhood. A telling sign of the times? Will we all soon need to get used to the overhead drone of UAVs?

For a deeper discussion on the many possibilities, pros and cons, that may result from drone/UAV tech, check out these episodes of Click:

@5ean5ullivan



Trackers Are Out Of Control

Modern web analytics and tracking are completely out of control. And it’s not even a privacy issue for me at this point – it’s more about usability. Trackers are practically recreating the “dial-up Internet” experience. (Ask your parents, kids.) It’s 2015 – but a lot of websites load like it’s 1999.

And it seems like the problem turns up just about everywhere these days.

Let’s take a look at a well known brick and mortar retailer’s website using Ghostery for visualization. Here’s the US localization of Ikea’s website, with third-party cookies enabled.

Ikea’s US localization with third-party cookies allowed. (Firefox 40 for Windows.)

According to Ghostery, 9 different tracker resources are loading. (I use Ghostery for visualization, not for blocking.) Okay, fair enough.

Now here’s the Finnish localization of Ikea’s website, with third-party cookies not allowed.

Ikea’s Finnish localization with third-party cookies disabled.

According to Ghostery, 11 different trackers are loading. But remember… this is with no third-party cookies. So what happens when third-party cookies are enabled?

38 more trackers come join the party!

Ikea’s Finnish localization with third-party cookies allowed.

That’s 49 trackers in total. (Feels just a bit excessive, no?)

I really don’t get this, I just want to do some window-shopping before I visit the physical store.

But anyway…

If an opening set of trackers is allowed to load successfully and drop its cookies, those trackers will often go and fetch more resources, which slows down your browsing as a result.

I typically disallow all third-party cookies in my efforts to block trackers. This very rarely creates any conflicts for me. However, one of my colleagues has tested this setting and discovered that he cannot sign in to sites such as Sony’s PlayStation Network. (For that I’d recommend using a second browser.) So keep that in mind.

In your primary browser, I recommend setting “accept third-party cookies” to “never”.

Here’s Firefox 40 for Windows.

about:preferences#privacy

Firefox > Options > Privacy

Here are the settings in Chrome 44 for Windows.

chrome://settings/content

Chrome > Settings > Show advanced settings > Content settings

And here are the settings for iOS 9.

iOS 9 > Settings > Safari > Privacy & Security

I use “Allow from Current Website Only” in iOS.

iOS 9 > Settings > Safari > Privacy & Security > Block Cookies

And then of course, you can also block tracking resources on the network side via a VPN with tracking filters.

Ikea’s Finnish localization with third-party cookies allowed, using Freedome.

As you can see above, our Freedome VPN reduces the number of trackers that attempt to load to a mere two. Much better.

Whatever approach you opt for, killing trackers as early as possible will yield a better browsing experience.

Happy hunting.

@5ean5ullivan



Visiting INTERPOL’s New Complex

Me and Su Gim Goh from our Malaysian lab had a chance this week to visit INTERPOL’s new Global Complex for Innovation which is located in Singapore. Inside, a fleet of analysts from around the world investigate international crime – including cyber-crime. While we can’t go into details, it was nevertheless impressive to see the level of […]

2015-08-28

Amazon Says No To Flash Ads

Flash-based malvertising has run amok lately. So it was only a matter to time before something like this was announced: “Beginning September 1, 2015, Amazon no longer accepts Flash ads on Amazon.com, AAP, and various IAB standard placements across owned and operated domains.” Amazon is doing more than banning Flash. For example… Content must only […]

2015-08-21

It’s A Trap!

Be careful out there. Simple bait often works best… Here’s an example of some current spam with an Excel file attachment named: Payment instruction & Swift.xls The Excel file attachment contains malicious Macro programming which will attempt to download and install DarkComet RAT. F-Secure detects this attachment (and others like it) as W97M.Downloader.C. Nasty stuff. […]

2015-08-18

About The Security Content Of iOS 8.4.1

Whenever there’s a new version of iOS, I always like to know more about the security updates. Apple Support hosts the main Apple security updates page. From there you can find the update information for iOS 8.4.1, which addresses 71 vulnerabilities. This update is not very large in file size, so all things considered, it’s […]

2015-08-14

Malware On The Water

Never seen this before: lyrics for first verse of Deep Purple's "Smoke on the Water" embedded in a malware sample pic.twitter.com/iHlO2Ef2tl — Artturi Lehtiö (@lehtior2) August 13, 2015

2015-08-13

Duke APT Group’s Latest Tools: Cloud Services and Linux Support

Recent weeks have seen the outing of two new additions to the Duke group’s toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it’s written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we […]

2015-07-22

I, For One, Welcome Our New Platforming Overlords

Latest attempt to inject Mario with AI is unnerving: http://t.co/PN48GQAHNI ~ Mario is apparently the form of the destructor. #singularity — Sean Sullivan (@5ean5ullivan) January 20, 2015

2015-01-20