Sednit update: How Fancy Bear Spent the Year

By ESET Research

The Sednit group — also known as Strontium, APT28, Fancy Bear or Sofacy — is a group of attackers operating since 2004, if not earlier, and whose main objective is to steal confidential information from specific targets.

This article is a follow-up to ESET’s presentation at BlueHat in November 2017. Late in 2016 we published a white paper covering Sednit activity between 2014 and 2016. Since then, we have continued to actively track Sednit’s operations, and today we are publishing a brief overview of what our tracking uncovered in terms of the group’s activities and updates to their toolset. The first section covers the update of their attack methodology: namely, the ways in which this group tries to compromise their targets systems. The second section covers the evolution of their tools, with a particular emphasis on a detailed analysis of a new version of their flagship malware: Xagent.

The Campaigns

Over the past few years the Sednit group has used various techniques to deploy their various components on targets computers. The attack usually starts with an email containing either a malicious link or malicious attachment. We have seen a shift in the methods they use ‘in the course of the year’, though. Sedkit was their preferred attack vector in the past, but that exploit kit has completely disappeared since late 2016. The DealersChoice exploit platform has been their preferred method since the publication of our white paper, but we saw other methods being used by this group, such as macros or the use of Microsoft Word Dynamic Data Exchange.

The following three sections will describe the different methods used by Sednit’s operator to gain an initial foothold on a target system. Generally, these campaigns will try to install Seduploader on the target system. Seduploader is a first stage backdoor that can be used to assess the target’s importance and download additional malware. If the system is indeed of interest to them, it is likely that Sednit’s operators will eventually install Xagent on it.

Sedkit (Sednit Exploit Kit)

Sedkit was an exploit kit used exclusively by the Sednit group. During its lifetime, Sednit leveraged vulnerabilities in various persistently vulnerable applications, but mostly Adobe Flash and Internet Explorer. When Sedkit was first discovered, potential victims were redirected to its landing page through a watering-hole scheme. Following that campaign, their preferred method consisted of malicious links embedded in emails sent to Sednit’s targets.

Between August and September 2016, we saw several different email campaigns trying to lure the recipients of their messages to a Sedkit landing page. Sedkit’s targets at that time were mostly embassies, and political parties in Central Europe. The next figure shows an email containing such a URL.

The email tries to fool its recipient into believing that the link will ultimately lead to an interesting news story. In this case, the article is supposedly about an earthquake that struck near Rome in August 2016. While the email impersonates someone the victim would consider trustworthy, there are two major hints that could lead an attentive recipient to conclude that this email is fake. The first one is that there are spelling mistakes (e.g. “Greetigs!”). Spelling mistakes are common in malicious Sednit mails. The second one is the URL’s domain part. It is a purely malicious domain, but the path part of the URL actually mimics a real, legitimate link. In this particular case, the URL path is the same as one used in a BBC story about this earthquake. Again, this is a commonly-used Sednit tactic, using popular stories found on legitimate news websites and redirecting targets that click on the emailed URL to the real website, but not before visiting the Sedkit landing page. Besides the BBC, The Huffington Post is another popular media outlet whose stories they like to use as bait.

Firstly, the email’s subject and URL path are not aligned: the former refers to Syria and Aleppo while the latter refers to WADA and Russian hacking. Secondly, there are two glaring spelling mistakes. The first one, is again the use of “Greetigs!” and the second one is “Unated Nations”. Hopefully, someone working for the United Nations’ public relations department would not have such a glaring error in their email signature block.

The last campaign using Sedkit was observed in October 2016. It is interesting to note that the disappearance of Sedkit follows a trend we have seen with other exploit kits. Most of these were relying exploits for older versions of Internet Explorer and/or Flash to perform drive-by downloads. The decline of the majority of exploit kit operations during 2016, including Sednit, could well be attributable to the code hardening performed by Microsoft and Adobe.

Full details of Sedkit’s inner workings can be found in our previously published white paper.

DealersChoice

In August 2016, Palo Alto Networks blogged about a new platform used by Sednit to breach a system initially. This platform, which they called DealersChoice, has the ability to generate malicious documents with embedded Adobe Flash Player exploits. There are two variants of this platform. The first one checks which Flash Player version is installed on the system and then selects one of three different vulnerabilities. The second variant will first contact a C&C server which will deliver the selected exploit and the final malicious payload. Of course, the second version is much harder to analyze, as the document delivered to the targets does not contain all the pieces of the puzzle.

This platform is still in use today by Sednit and, like Sedkit, tracks international news stories and includes a reference to them in their malicious emails, in an attempt to lure the target into opening the malicious document attachment. Sometimes, they also use other, non-political, schemes. In December 2016, they used a rather unusual (for the group) lure:

This email was sent to multiple Ministries of Foreign Affairs and embassies in Europe on December 22nd and 23rd, and contained a Word document attachment that appeared to be a Christmas eCard. Note that this was the first time that we saw the Sednit group use a non-geopolitical phishing gambit attempting to trap their targets. Of course, the Word document, if opened, uses DealersChoice to try to compromise the system. Sednit used DealersChoice intensively in late 2016, but the platform was not seen for a long time after that. In fact, the first time we saw them use it in 2017 was in October.

The complete post can be found on

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

Why we should fight for Net Neutrality

By Tony Anscombe

On Thursday 14 December 2017 the Federal Communications Commission (FCC) voted to repeal the rules, known as Net Neutrality, that regulate Internet Service Providers (ISPs), the companies that connect us to the internet.

What is Net Neutrality and why should we care?

The principle behind Net Neutrality is simple: it requires ISPs to treat all data on the internet the same. Discrimination by user, traffic type, website, platform, application, device or method of connection was not allowed. This stopped ISPs from charging more, blocking or slowing down access to websites and online content. It also meant that broadband was treated as a utility in the United States, regulated in similar ways as water and energy supplies.

The FCC voted 3-to-2 in favor of repealing the legislation that has been in effect since 2015. Reactions from numerous organizations were fast, with the Internet Association, which represents tech companies such as Google and Facebook, stating it is considering legal action.

Since Net Neutrality came into effect, consumers have enjoyed a ‘dumb pipe’ approach to their access. The ISP provides the connection and transparently routes traffic, not caring what type of traffic, where or to whom the user is connecting.

This change will potentially allow ISPs to adjust traffic based on who pays. When Ford introduced the Model T back in 1908 they revolutionized the car industry with mass production and a lower cost of purchase and ownership, but what would have happened if the incumbent more expensive manufacturers had been allowed to limit the performance of the Model T so that only their automobiles could travel at speed! The car industry today would look very different.

Challenging the repealing of net neutrality benefits us all: a small startup with a cool idea could easily be suppressed by players that can afford to pay to keep their own traffic prioritized.

“Since Net Neutrality came into effect, consumers have enjoyed a ‘dumb pipe’ approach to their access.”

Granting ISPs the right to shape traffic, allowing for some traffic to be prioritized due to a commercial agreement, may have a negative effect on the outcome of using the service for both the consumer and the company providing the service. Traffic-shaping is used in certain places today: for example, airlines may limit onboard video streaming to ensure that all passengers wishing to use Wi-Fi in the air at least get some type of connection that is not being grabbed by just a few passengers bingeing on their favorite shows.

What happens to freedom of speech if one party has the funding to allow faster access to their published content, making their opposition’s traffic slow to the point of and un-usability. Do we enter a society where only the rich can publish a useable service?

This may sound hypothetical, but 2012, AT&T had to backtrack on a decision to stop subscribers to their unlimited or tiered data plans from using Apple’s then-new Facetime service. They only allowed Facetime access to subscribers of their new shared-data plan. Imagine the reaction of consumers on an unlimited data plan discovering they were unable to use a feature of their new iPhones unless they changed plan? In that instance AT&T claimed they wanted to protect their network from the unknown volume of traffic that Facetime might add, but cynical people may view it as taking the opportunity for enhanced monetization when people purchased a new iPhone. Fortunately, the weight of consumer pressure had this rolled back.

ISPs such as AT&T and Comcast have issued statements stating nothing will change with the repeal of Net Neutrality. The fact remains, though, that Internet Service Providers can implement a system that prioritizes traffic for companies that pay. In the boardroom in 12 months, when revenue targets are not being reached, then the motivation to offer a superior for-fee service to brand A over brand B may be too tempting.

Consumers, businesses and society need to fight to keep the internet an unbiased and free place that does not depend on the decision of a few as to what can be accessed at what speed.

https://www.welivesecurity.com/2017/12/19/fight-net-neutrality/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

Adventures in cybersecurity research: risk, cultural theory, and the white male effect

By Stephen Cobb

The digital technologies that enable much of what we think of as modern life have introduced new risks into the world and amplified some old ones. Attitudes towards risks arising from our use of both digital and non-digital technologies vary considerably, creating challenges for people who seek to manage risk. This article tells the story of research that explores such challenges, particularly with respect to digital technology risks such as the theft of valuable data, unauthorized exposure of sensitive personal information, and unwanted monitoring of private communications; in other words, threats that cybersecurity professionals have been working hard to mitigate.

The story turned out to be longer than expected so it is delivered in two parts, but here is the TL;DR version of the whole story:

·         The security of digital systems (cybersecurity) is undermined by vulnerabilities in products and systems.

·         Failure to heed experts is a major source of vulnerability.

·         Failure to heed experts is a known problem in technology.

·         The cultural theory of risk perception helps explain this problem.

·         Cultural theory exposes the tendency of some males to underestimate risk (White Male Effect or WME).

·         Researchers have assessed the public’s perceptions of a range of technology risks (digital and non-digital).

·         Their findings provide the first ever assessment of WME in the digital or cyber-realm.

·         Additional findings indicate that cyber-related risks are now firmly embedded in public consciousness.

·         Practical benefits from the research include pointers to improved risk communication strategies and a novel take on the need for greater diversity in technology leadership roles.

Of course, I am hopeful a lot of people will find time to read all of both parts of the article, but if you only have time to read a few sections then the headings should guide you to items of interest. I am also hopeful that my use of the word cyber will not put you off – I know some people don’t like it, but I find it to be a useful stand-in for digital technologies and information systems; for example, the term cyber risk is now used by organizations such as the Institute of Risk Management to mean “any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems”. (I think it is reasonable to use cyber risk in reference to individuals as well, for example, the possibility that my online banking credentials are hijacked is a cyber risk to me.)

The sources of cyber risk

Like most research projects, this one began with questions. Why do some organizations seem to “get” security while others apparently do not? Why is it that, several decades into the digital revolution, some companies still ship digital products with serious “holes” in them, vulnerabilities that leak sensitive data or act as a conduit to unauthorized system access. Why do some people engage in risky behavior – like opening “phishy” email attachments – while others do not?

These questions can be particularly vexing for people who have been working in cybersecurity for a long time, people like myself and fellow ESET security researcher, Lysa Myers, who worked on this project with me. Again and again we have seen security breaches occur because people did not heed advice that we and other people with expertise in security have been disseminating for years, advice about secure system design, secure system operation, and appropriate security strategy.

When Lysa and I presented our research in this area to the 2017 (ISC)² Security Congress we used three sources of vulnerability in information systems as examples:

1.     People and companies that sell products with holes in (e.g. 1.4 million Jeeps and other FCA vehicles found to be seriously hackable and hard to patch, or hundreds of thousands of webcams and DVRs with hardcoded passwords used in the Mirai DDoS attack on DNS provider Dyn)

2.     People that don’t practice proper cyber hygiene (e.g. using weak passwords, overriding security warnings, clicking on dodgy email attachments)

3.     Organizations that don’t do security properly (e.g. obvious errors at Target, Equifax, JPMorgan Chase, Trump Hotel Collection)

Could it simply be that some percentage of people don’t accept that digital technology is as risky as experts say? Fortunately, the phenomenon of “failure to heed experts” has already been researched quite extensively, often in the context of technology risks. Some of that research was used in the project described here. (A good place to start reading about this research is CulturalCognition.net).

Technology risks in general

Risk is a surprisingly modern concept. For example, risk it is not a word that Shakespeare would have used (it does not appear in any of his writings). The notion of risk seems to have gained prominence only with the widespread use of technology. For example, advances in maritime technology enabled transoceanic commerce, which created risks for merchants shipping goods, which led to the development of financial instruments based on risk calculations, namely insurance policies (for more on the history of risk and risk management see: The New Religion of Risk Management by Peter L. Bernstein, author of Against the Gods: The Remarkable Story of Risk).

Over time, risks arising from complex and widespread technologies and behaviors became matters of public concern and debate. For example, the widespread use of fossil fuels created risks to human health from air pollution. The development of “cleaner” nuclear energy caused heated debate about the hazards of nuclear waste disposal. In Figure 1 below you can see how 1,500 American adults rated the risks from seven technology-related hazards in a landmark 1994 survey, broken down into four demographic groups:

https://www.welivesecurity.com/2017/12/18/adventures-cybersecurity-research/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29