15 Days of January - Kicking the Year off with Badness
Over the past few weeks, the security research industry has been abuzz with new exploits, vulnerabilities, campaigns, and other happenings. Executives and business people trying to capture the relevance for defense and profit alike have been asking, "What do we know, what does it mean, how can we make money?" The DHS-operated US-CERT finally threw in the towel in response to one new exploit, and while their reaction seems a bit over the top, I think it's telling of an industry-wide symptom: fatigue and reality are setting in. There have been a few interesting developments of late, but they show what has become a consistent trend in information security: new 0-days, new campaigns, and reminders to be careful.
1. Root certificate authority issues fraudulent certificate for Google.com. The most significant event of the month so far comes from the Middle East, where root certificate authority (CA) TURKTRUST was used by an unknown adversary to issue and distribute fraudulent browser certificates for the domain google.com, as well as others of less interest to users in the West. The Internet, like relationships, is built on trust. I know that Google.com is the real Google.com because my browser contains certificates which match those held on the websites serving Google.com content. These certificates are used not only for validation but also in the encryption process. Whenever we browse to a secure website, our browser and the website compare certificates to ensure they match and to validate that each is who it says it is. Certificate authorities create and distribute these certificates through Internet infrastructure, and they are automatically absorbed by our browsers. If a fraudulent certificate is issued by a CA, our browsers inherently trust the CA and will download the certificate like an update. From then on, whatever website we browse to that presents a certificate from that CA will automatically be "trusted" and receive our information. Iran has been accused of using this method to distribute fraudulent certificates for Google mail (Gmail) so that they could intercept people in country trying to access Gmail, obtain their credentials, and read their email. Any abuse of Internet trust and authority is bad news. Details are sparse on this event, and how the TURKTRUST certs were used and for what purpose has not yet been explained. It's likely this was another attempt to spy on dissidents in foreign countries who subvert nation-state control of Internet content by using free and public communication forums like Gmail. It's essentially a man-in-the-middle attack where someone along the line isn't who they say they are.
The worst part about this sort of attack is that, from a user perspective, you have no idea what is going on. Your browser handles trust in the background. You would have no idea that the Google you are logging into isn't the real one.
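As an added example (not from the original post), here is a small Go program that models the trust problem just described: two constructed root CAs are both trusted, a certificate for a constructed host name from either of them passes the browser-style chain check, and only a pin on the public key seen on an earlier trusted visit tells the mis-issued certificate apart. The CA names, host name and keys are all generated for the demo and belong to no real CA or site.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert builds a certificate for host and returns it with its key; parent == nil
// makes a self-signed root CA. Everything is constructed for this demo; no real CA.
func newCert(host string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der) // errors ignored: demo only
	return cert, key
}
// Run: the site's real certificate comes from root A; a mis-issued one for the
// same host comes from root B, which the browser also trusts. The browser's check
// (any valid chain to any trusted root) passes both; a pin on the public key the
// client saw on an earlier trusted visit is the extra check that notices the swap.
func Run() (legitOK, fraudOK, pinCatches bool) {
	rootA, keyA := newCert("root-a.test", true, nil, nil)
	rootB, keyB := newCert("root-b.test", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(rootA)
	roots.AddCert(rootB)
	const host = "mail.example.test" // constructed host name
	legit, _ := newCert(host, false, rootA, keyA)
	fraud, _ := newCert(host, false, rootB, keyB)
	opts := x509.VerifyOptions{DNSName: host, Roots: roots} // what a browser checks
	_, errLegit := legit.Verify(opts)
	_, errFraud := fraud.Verify(opts)
	pinned := string(legit.RawSubjectPublicKeyInfo) // recorded on the earlier visit
	return errLegit == nil, errFraud == nil, string(fraud.RawSubjectPublicKeyInfo) != pinned
}
func main() { fmt.Println(Run()) } // prints: true true true
```

The point of the third value is that chain validation alone cannot distinguish the two certificates; only out-of-band knowledge of the expected key does.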
2. Red October campaign disclosed by Kaspersky. Next in line comes the recent exposure of a very sophisticated (dare I say likely nation-state sponsored) malicious campaign which has been dubbed "Red October." The name comes from the month of discovery (October, 2012) and the fact that there are Russian implications (mostly in the programming language) throughout the code. This campaign included a very sophisticated family of malware which targeted theft of encrypted documents from specific targets including government data, aerospace companies, oil and gas companies, nuclear energy, and commerce and trade organizations. It appears the users of this sophisticated malware were attempting to find specific documents, and the malware contained the ability to retrieve previously deleted information from local systems and attached peripherals like USB sticks. The malware appears to have some self-learning capabilities and would move throughout compromised networks to evade detection, leveraging systems like network devices, PCs, mobile devices, and other systems to move and collect data. Essentially dubbed a cyber espionage weapon, this campaign is believed to have been infecting systems and stealing specific information since 2007. The specific targeting of encrypted documents in a specific format used by NATO again implies nation-state sponsorship and agenda. Decryption functions allowed the malware to attempt, and possibly succeed in, understanding the contents of the files it found.
3. Java 0-Day. The year wouldn't start off on the right foot if we didn't have yet another flaw in Java which was already discovered by adversaries and already being used to compromise computers across the Internet. There's plenty of technical stuff out there about this one, so I'll summarize briefly. Basically, the Java runtime used by just about every web application with active content has more flaws than previously known, which can be used to exploit your computer and execute arbitrary commands. The most common use would be to leverage this flaw to download malware onto a user's computer through their browser. Nothing new. What was interesting to note from this 0-day was the response from the DHS-run US-CERT. They recommended disabling Java in web browsers until Adobe releases a fix. Some have taken this a step further and have decided that, due to the recurring flaws in Java (seems like this has become a monthly problem), consumers should stop using Java altogether. We can assume the adversary has already found more flaws and is already using them to infect and compromise computers without our knowing. US-CERT and others now feel it's simply too dangerous an application to use. I'm not sure I agree, but I understand their concern.
So with this latest round of exploits and happenings, we are reminded that the adversary continues to have a leg up on us. Be careful out there.