
Attacks/Breaches

6/4/2012
02:50 PM

Flame Burns Microsoft With Digital Certificate Hack

Microsoft issues emergency patch in wake of digital certificate abuse, and new details revealed on massive Flame C&C infrastructure

The Flame cyberespionage attack took a new twist today as Microsoft issued an emergency patch for all versions of Windows after it discovered the attackers had abused one of its digital certificates to help spread the infection from one machine to others within the targeted organization.

Microsoft over the weekend released a security update and an out-of-band patch that kills three rogue certificates that appeared to be signed by Microsoft and allowed the malware to slip past Windows controls. The software giant did not give details on the actual attack, but according to new analysis by Kaspersky Lab, a Flame module named "Gadget" was used to infect other machines in the same network as the targeted machine, thereby spreading more widely within the targeted organization. Gadget and another module called "Munch" wage a man-in-the-middle attack during a Windows Update session that redirects the user's machine to a phony update carrying the malware, which looks as if it were signed by Microsoft but was not.

That, according to Kaspersky's Alex Gostev, chief malware expert, explains how Flame was able to infect fully patched Windows 7 machines.

The attackers preyed on apparently weak encryption in Microsoft's Terminal Services -- specifically an older cryptographic algorithm used in Microsoft's Terminal Server Licensing Service, which lets enterprises enable Remote Desktop services. In addition to the security update issued by Microsoft to kill the rogue certs, Microsoft has also halted issuing certificates for code-signing through Terminal Services.

Mike Reavey, senior director of Microsoft's Security Response Center, says that most companies aren't at risk of attack since Flame was so targeted, and also because now most anti-malware detects and removes Flame. But the worry is that other attackers could copy the method used by Flame and strike at a broader audience: "Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," he wrote in a blog post today.

Security experts say this hack could have been much worse in the hands of traditional cybercriminals. Researchers believe Flame was a parallel cyberespionage effort to Duqu and Stuxnet, likely the work of a nation-state such as the U.S. and Israel, but no officials have gone on record to confirm it. The New York Times reported on Friday that anonymous U.S. officials confirmed that Stuxnet and its associated espionage were the work of the U.S. and Israeli officials trying to cripple Iran's nuclear weapon development. The so-called "Olympic Games" attacks originated in the Bush administration and continued under the Obama administration.

Flame's abuse of Microsoft's digital certificate demonstrates just how these well-funded and organized cyberespionage efforts take attacks to another level.

"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," said Mikko Hypponen, chief research officer at F-Secure, in a blog post today. "I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."

According to F-Secure, one module for Flame wages a man-in-the-middle attack on the Microsoft Windows Update system, and then infects the targeted machine. "If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root," Hypponen said.

"This was not a CA [certificate authority] breach, but because weak encryption was used, it was a certificate breach," says Jeff Hudson, CEO at Venafi. "That allowed the code to pretend it was authorized and signed by Microsoft." It's unclear, as yet, whether the attackers used Terminal Services to log onto other systems or to sign other code, he says.
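The certificate abuse described above comes down to a few checks a responder can run on a binary that arrived as a "Windows update": is the Authenticode signature valid, does any certificate in its chain rely on a weak signature hash, has Windows been told to distrust any of those certificates (Microsoft's patch works by pushing the rogue certificates into the Untrusted store), and does the signer certificate actually assert code signing rather than some other purpose. The script below is an added example written for this article, not code from Microsoft, Kaspersky or F-Secure. It assumes Windows PowerShell with the Cert: provider, a placeholder file path, and that .NET reports an MD5-with-RSA signature under the friendly name "md5RSA".

```powershell
# Added example: audit a suspect update binary's Authenticode chain.
# Assumptions: $Path is a constructed placeholder, not a known sample; the
# "md5RSA" friendly name is how .NET labels MD5-with-RSA signatures.

param(
    [string]$Path = 'C:\Temp\suspect-update.exe'   # placeholder path for this example
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-UpdateBinary {
    param([string]$FilePath)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Windows' own Authenticode verdict for the file
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $findings.Add("Authenticode status: $($sig.Status)")
    if (-not $sig.SignerCertificate) {
        $findings.Add('File carries no signer certificate; treat as unsigned.')
        return $findings
    }

    # Thumbprints Windows has been told never to trust. A patch that
    # "kills" a certificate does so by placing it in this store.
    $disallowed = @(Get-ChildItem Cert:\LocalMachine\Disallowed |
                    ForEach-Object { $_.Thumbprint })

    # 2. Build the chain from the signer certificate up to its root
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $null = $chain.Build($sig.SignerCertificate)

    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $alg  = $cert.SignatureAlgorithm.FriendlyName
        $findings.Add(("  {0}  [{1}]" -f $cert.Subject, $alg))

        # A certificate signed with MD5 can be forged through a collision,
        # so a code-signing chain containing one should not be trusted.
        if ($alg -match '^md5') {
            $findings.Add("WEAK HASH: '$($cert.Subject)' is signed with $alg")
        }
        if ($disallowed -contains $cert.Thumbprint) {
            $findings.Add("DISTRUSTED: '$($cert.Subject)' is in Cert:\LocalMachine\Disallowed")
        }
    }

    # 3. Chain-building problems (untrusted root, revoked, expired, ...)
    foreach ($status in $chain.ChainStatus) {
        $findings.Add("CHAIN: $($status.Status) - $($status.StatusInformation.Trim())")
    }

    # 4. The signer must be allowed to sign code, not merely chain to a trusted root
    $eku = $sig.SignerCertificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $canSignCode = $false
    if ($eku) {
        $canSignCode = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
    }
    if (-not $canSignCode) {
        $findings.Add("EKU: signer certificate does not assert Code Signing ($CodeSigningEku)")
    }

    return $findings
}

Test-UpdateBinary -FilePath $Path | ForEach-Object { Write-Output $_ }
```

Run it against a file pulled from a proxy cache or an endpoint's download folder; a legitimate update should show a Valid status, no weak-hash or distrusted entries, an empty chain status list, and a signer that asserts Code Signing. Any one of the flagged lines is enough reason to quarantine the file and look at how it reached the machine, which for the Windows Update redirection described above means checking the proxy and DNS path the client used.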

Meanwhile, more information on Flame's command-and-control (C&C) infrastructure was revealed today by Kaspersky Lab and OpenDNS, which sinkholed 30 of the C&C servers supporting the attack. The C&C domains for Flame used a long list of fake identities and various registrars dating back to 2008, and there are more than 80 known domains, with 24 IP addresses currently hosting the domains. The attackers used 22 different registration services. "Flame's command-and-control [infrastructure] is huge, unlike anything we've seen before," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "These servers have been moving all over the world."

The C&C infrastructure initially went dark hours after Kaspersky Lab first reported its findings on Flame last week, Schouwenberg says. Then on Saturday afternoon Eastern time, it came back to life temporarily, with some of the Flame domains pointing to an IP address in Germany, but it's unclear whether that was the attackers or other researchers in action, he says.

Kaspersky and OpenDNS's findings also appear to confirm that Iran was the main target of the Flame attack. The sinkhole contains 45 infected machines from Iran, 21 from Lebanon, and 14 in Sudan. The rest are single-digit infections in other countries, including eight from the U.S.

Dan Hubbard, CTO for OpenDNS, says while his firm can't be sure who's behind Flame, it's unique because it was so well-planned and executed. "The domains were registered by people ... using company names like Nvdia," he says. "We believe, that combined with the small packet size, it was built to go under the firewall, IPS, and data leakage prevention radars to look like regular traffic."

[Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years.]

And the domains were not ones historically associated with cybercriminals, he said. "That's very rare," Hubbard says.

The danger with this type of attack is that it's difficult to detect and stop. "This sort of attack is really hard to defend against," says Roger Thompson, chief emerging threats researcher for ICSA Labs. "You simply have to stop this code before it gets running, and, again, the only way to do this is with integrity management and behavior monitoring."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
