Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/15/2014
04:35 PM
50%
50%

'Hurricane Panda' Cyberspies Used Windows Zero-Day For Months

The vulnerability is one of multiple issues patched this week by Microsoft that have been targeted by attackers.

A sophisticated group of hackers believed to be from China has been caught using a Windows zero-day bug in a spate of attacks against technology infrastructure companies around the world.

Dubbed "Hurricane Panda," researchers at CrowdStrike spotted the group earlier this year exploiting one of the privilege escalation vulnerabilities (CVE-2014-4113) patched Tuesday by Microsoft. The vulnerability is one of three privilege escalation issues the attackers leveraged in their campaign.

CrowdStrike first detected the attacks in spring, when the group was detected on a victim's network. After the attackers were initially stopped, they continued to attempt to regain access on a daily basis.

"These attempts begin with compromising web servers and deploying Chopper webshells and then moving laterally and escalating privileges using the newly discovered Local Privilege Escalation tool," blogs Dmitri Alperovitch, CTO of CrowdStrike.

"Their RAT of choice has been PlugX configured to use the DLL side-loading technique that has been recently popularized among Chinese adversaries," he continues. "Perhaps their most outstanding technique has been the use of free DNS services provided by Hurricane Electric to return an attacker-controlled IP address for lookups for popular third-party domain names. Hurricane Panda is known to use the 'ChinaChopper' Webshell, a common initial foothold for many different actors. Once uploading this webshell, the actor will typically attempt to escalate privileges and then use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives."

The zero-day reported by CrowdStrike was also reported by FireEye, and affects all x64 Windows variants up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen, Alperovitch says.

"The exploit code is extremely well and efficiently written, and it is 100 percent reliable," he said. "The adversary has gone through considerable effort to minimize the chance of its discovery -- the win64.exe tool was only deployed when absolutely necessary during the intrusion operations and it was deleted immediately after use. The build timestamp of the Win64.exe binary of May 3, 2014 suggests that the vulnerability was actively exploited in the wild for at least five months."

The privilege escalation issue was not the only bug patched this week by Microsoft that has been the target of zero-day attacks. Reports have surfaced that attackers have also been targeting CVE-2014-4148, which, like CVE-2014-4113, is addressed by MS14-058. Both are vulnerabilities in the Windows kernel.

Attackers have also targeted CVE-2014-4114 [MS14-060], which researchers at iSight Partners have linked to cyber-espionage attacks on NATO, Ukrainian government organizations, European telecommunications firms, the energy sector (specifically in Poland), and other targets. The group behind those attacks has been nicknamed Sandworm, and is believed to have been around since 2009.

Microsoft also identified an Internet Explorer vulnerability (CVE-2014-4123) that has been the subject of limited attacks as well. The flaw could be used to escalate privileges. It is patched by MS14-056. 

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/17/2014 | 3:24:43 PM
Re: Escalation of RAT's and Elevation
I personally don't believe it is a coding flaw but the nature of the beast, in regards to operating systems.  There are certain functions that happen on an OS that require SYSTEM or ROOT access in order to function.  To a normal user these processes or daemons function happily in the background.  To an attacker they are the express ticket to the penthouse if they can just catch a ride.

Unless we completely overhaul the modern operating system from the ground up, these types of exploits are here to stay.  Even if we did try to start over from scratch I am not confident we could completely correct this problem.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/17/2014 | 3:20:23 PM
What were they after?
"After the attackers were initially stopped, they continued to attempt to regain access on a daily basis."

To me, this is the most striking comment in the article.  Why was this target so important?  Is it just a case of trying to regain a foot hold or were they after something important?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/16/2014 | 9:34:40 AM
Escalation of RAT's and Elevation
What can be attributed to the recent rise in RAT's? It seems that many of the vulnerabilities that have been discovered recently whether it be Linux or Windows allow for the malicious intender to elevate privileges and backdoor in. Is this due to an overlooked flaw in the coding or is this because some level dictates that this ability is required to run certain designed functionalities?
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.