Flame Burns Microsoft With Digital Certificate Hack

Microsoft issues emergency patch in wake of digital certificate abuse, and new details revealed on massive Flame C&C infrastructure

The Flame cyberespionage attack took a new twist today as Microsoft issued an emergency patch for all versions of Windows after it discovered the attackers had abused one of its digital certificates to help spread the infection from one machine to others within the targeted organization.

Microsoft over the weekend released a security update and an out-of-band patch that kills three rogue certificates that appeared to be signed by Microsoft and allowed the malware to slip past Windows controls. The software giant did not give details on the actual attack, but according to new analysis by Kaspersky Lab, a Flame module named "Gadget" was used to infect other machines in the same network as the targeted machine, thereby spreading more widely within the targeted organization. Gadget and another module called "Munch" wage a man-in-the-middle attack during a Windows Update session that redirects the user's machine to a phony update carrying the malware, which looks as if it were signed by Microsoft but was not.

That, according to Kaspersky's Alex Gostev, chief malware expert, explains how Flame was able to infect fully patched Windows 7 machines.

The attackers preyed on an apparent cryptographic weakness in Microsoft's Terminal Services -- specifically an older cryptographic algorithm used in Microsoft's Terminal Server Licensing Service, which lets enterprises enable Remote Desktop services. Besides the security update that kills the rogue certs, Microsoft has halted issuing certificates for code-signing through Terminal Services.

Mike Reavey, senior director of Microsoft's Security Response Center, says that most companies aren't at risk of attack since Flame was so targeted, and also because now most anti-malware detects and removes Flame. But the worry is that other attackers could copy the method used by Flame and strike at a broader audience: "Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," he wrote in a blog post today.

Security experts say this hack could have been much worse in the hands of traditional cybercriminals. Researchers believe Flame was a parallel cyberespionage effort to Duqu and Stuxnet, likely the work of a nation-state such as the U.S. and Israel, but no officials have gone on record to confirm it. The New York Times reported on Friday that anonymous U.S. officials confirmed that Stuxnet and its associated espionage were the work of U.S. and Israeli officials trying to cripple Iran's nuclear weapon development. The so-called "Olympic Games" attacks originated in the Bush administration and continued under the Obama administration.

Flame's abuse of Microsoft's digital certificate demonstrates just how these well-funded and organized cyberespionage efforts take attacks to another level.

"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," said Mikko Hypponen, chief research officer at F-Secure, in a blog post today. "I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."

According to F-Secure, one module for Flame wages a man-in-the-middle attack on the Microsoft Windows Update system, and then infects the targeted machine. "If successful, the attack drops a file called WUSETUPV.EXE to the target computer. This file is signed by Microsoft with a certificate that is chained up to Microsoft root," Hypponen said.

"This was not a CA [certificate authority] breach, but because weak encryption was used, it was a certificate breach," says Jeff Hudson, CEO at Venafi. "That allowed the code to pretend it was authorized and signed by Microsoft." It's unclear, as yet, whether the attackers used Terminal Services to log onto other systems or to sign other code, he says.
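A defender-side check, added here and not part of the article or of Microsoft's own tooling: given a binary such as the WUSETUPV.EXE dropper described above, verify its Authenticode signature and flag any signing chain that passes through a Terminal Server licensing CA, since legitimate Microsoft code-signing chains never run that way. The 'Licensing' subject-name match and the sample path are assumptions of this example; it expects Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the article or from Microsoft. Assumes Windows PowerShell 5.1+.
function Test-SigningChain {
    param([Parameter(Mandatory)][string]$Path)

    # Step 1: Authenticode check. On a host with the June 2012 update applied,
    # the rogue Flame certificates already fail here with status NotTrusted.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = $sig.StatusMessage }
    }

    # Step 2: rebuild the chain with online revocation checking, so a signer
    # revoked after the file was signed is not silently accepted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($sig.SignerCertificate)
    $subjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

    # Step 3 (heuristic, an assumption of this example): a code-signing chain
    # should never run through a Terminal Server licensing CA. Any intermediate
    # with "Licensing" in its subject is treated as a red flag for analyst review.
    $licensing = $subjects | Where-Object { $_ -match 'Licensing' }

    $reason = if (-not $built) { 'chain does not build to a trusted root' }
              elseif ($licensing) { "chain passes through licensing CA: $($licensing -join '; ')" }
              else { 'OK' }
    [pscustomobject]@{
        Path    = $Path
        Trusted = ($built -and -not $licensing)
        Signer  = $sig.SignerCertificate.Subject
        Chain   = $subjects
        Reason  = $reason
    }
}

# Sample usage with a placeholder path; substitute the file you want to inspect.
Test-SigningChain -Path 'C:\path\to\WUSETUPV.EXE' | Format-List
```

The Chain property lists every subject in the signing chain, which is what an analyst needs to see when triaging a file that was delivered through a suspect Windows Update session.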

Meanwhile, more information on Flame's command-and-control (C&C) infrastructure was revealed today by Kaspersky Lab and OpenDNS, which sinkholed 30 of the C&C servers supporting the attack. The C&C domains for Flame used a long list of fake identities and various registrars dating back to 2008, and there are more than 80 known domains, with 24 IP addresses currently hosting the domains. The attackers used 22 different registration services. "Flame's command-and-control [infrastructure] is huge, unlike anything we've seen before," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "These servers have been moving all over the world."

The C&C infrastructure initially went dark hours after Kaspersky Lab first reported its findings on Flame last week, Schouwenberg says. Then on Saturday afternoon Eastern time, it came back to life temporarily, with some of the Flame domains pointing to an IP address in Germany, but it's unclear whether that was the attackers or other researchers in action, he says.

Kaspersky and OpenDNS's findings also appear to confirm that Iran was the main target of the Flame attack. The sinkhole contains 45 infected machines from Iran, 21 from Lebanon, and 14 from Sudan. The rest are single-digit infections in other countries, including eight from the U.S.

Dan Hubbard, CTO for OpenDNS, says while his firm can't be sure who's behind Flame, it's unique because it was so well-planned and executed. "The domains were registered by people ... using company names like Nvdia," he says. "We believe, that combined with the small packet size, it was built to go under the firewall, IPS, and data leakage prevention radars to look like regular traffic."

[Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years.]

And the domains were not ones historically associated with cybercriminals, he says. "That's very rare," Hubbard says.

The danger with this type of attack is that it's difficult to detect and stop. "This sort of attack is really hard to defend against," says Roger Thompson, chief emerging threats researcher for ICSA Labs. "You simply have to stop this code before it gets running, and, again, the only way to do this is with integrity management and behavior monitoring."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
