Israeli Website for “International Institute for Counter-Terrorism” Waterhole Attack Serving CVE-2012-4969
Posted: 12 Mar 2013 08:29 AM

 

Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected that the government-related websites ict.org.il and herzliyaconference.org have been compromised in a "waterhole" attack and injected with malicious code that exploits the Internet Explorer vulnerability CVE-2012-4969. The first website describes itself as the “International Institute for Counter-Terrorism”. Both websites appear to be connected to and governed by a leading Israeli academic institution, the IDC.

 

The malicious code found on the two websites is identical and was identified as an exploit for CVE-2012-4969, an Internet Explorer vulnerability that was a zero-day when it was found being exploited in the wild in September 2012. It was discovered by Eric Romang of Zataz.

 

From our initial checks, the websites still serve the malicious code on specific paths, and have been serving the malicious code from as early as the 23rd of January 2013. At the time of this writing, the malicious code on ict.org.il appears to be fully functional, but the malicious code on herzliyaconference.org doesn't seem to be functional (the main page that initiates the exploit seems to have been removed; although subsequent pages are still available, on their own they won't serve a successful exploit).

 

The attack seems very similar to the spear-phishing attacks we reported on with the "Rotary Domains" (Part 1 & 2) that served CVE-2012-4792, the same zero-day that was found on cfr.org. The attack on the IDC uses a Flash file to conduct a "heap spray". The Flash file contains the misspelled string "heapspary". According to Symantec, this string may be evidence that the "Elderwood" group is behind this attack, because of the similarity to the cfr.org attack, which held the same string "heapspary" in a Flash file as well. We're not completely convinced by this theory; it may indeed suggest a connection to the "Elderwood" project, but it may instead indicate that different perpetrators are using the same toolkit.

 

One of the most interesting techniques employed by this attack, which we described in detail in our previous "Rotary Domains" posts, is that the dropped malware is embedded as an XORed list of bytes on the page, assigned to a JavaScript variable, with a marker at the start of the stream. After exploitation succeeds, the shellcode on the client side searches memory thoroughly for the marker "KKONG". When the marker is found, the stream following it is extracted and de-XORed to form the actual malware binary, which is then run. This technique is also good for sandbox evasion and reminds us of the "drive-by cache" techniques that have been popular in spear-phishing attacks over the last two years. The difference here is that it is a sort of "drive-by marked memory object".

 

Websense Security Labs™ has contacted the IDC to report the compromise; as of this writing we had not heard back yet from the IDC.

 

The Israeli website for the “International Institute for Counter-Terrorism” and its mission statement is shown here:
Technical details

 

As described, the attacks on both websites are identical. The exploit chain starts from an HTML file in a dedicated directory. We're not certain whether this specific path was sent in spear-phishing emails or whether the main page of each website referred to it. If you have any more details on this, please let us know.

 

Here are the exploit chains for ict.org.il and herzliyaconference.org:


hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)

hxxp://www.ict.org.il/js/logo4969.swf -> Flash heap-spray + exploit.html loader

hxxp://www.ict.org.il/js/exploit.html -> Dropped file cache + Exploit Loader

hxxp://www.ict.org.il/js/Protect.html -> Exploit CVE-2012-4969


hxxp://www.herzliyaconference.org/_modules/80.html -> Flash file loader (AceInsight report)

hxxp://herzliyaconference.org/_modules/logo4969.swf -> Flash heap-spray + exploit.html loader

hxxp://herzliyaconference.org/_modules/exploit.html -> Dropped file cache + Exploit Loader

hxxp://herzliyaconference.org/_modules/Protect.html -> Exploit CVE-2012-4969

 

Let's have a look at the specific exploit chain on ict.org.il. The file 1.html is used just as a loader for the malicious file logo4969.swf. Apart from loading that file, the page has no other malicious indicators; it is just the HTML Flash container/loader:

The loaded Flash file initiates a heap spray, but it also acts as the caller of the exploit loader page exploit.html: ActionScript embedded in the Flash file evaluates JavaScript on the page that loads exploit.html, as seen in the next snippet from the file:

exploit.html holds some JavaScript code and an especially long variable. This variable starts with the marker "KKONG", which is later searched for by the shellcode that the loaded Flash file placed on the client side. The stream is obfuscated with a simple XOR against 0xBF. The page also loads the actual exploit page through an iframe to Protect.html:

Protect.html holds the exploit code for CVE-2012-4969. The exploit code is obfuscated with a simple obfuscation technique:

After the exploit is triggered by Protect.html, execution jumps to the sprayed shellcode on the heap. The shellcode then scans memory for the marker mentioned earlier, "KKONG". Once the marker is found, the shellcode takes the stream that follows it and de-XORs it with the value 0xBF to form a valid executable file. That file is written to the local machine's Windows temporary folder and executed to infect the machine with a persistent backdoor.
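The marker-and-XOR technique described above, as an added analyst-side example (not Websense code and not the attackers' script): it carves the stream behind "KKONG" out of a saved copy of the page and de-XORs it with 0xBF, the same steps the shellcode performs in memory, so the dropper can be recovered for analysis without running the exploit. It assumes the page stores the XORed bytes as \\xNN escapes inside a JavaScript string literal (an assumption; the write-up does not say how the bytes are encoded), the sample page is constructed, and the key-recovery helper goes beyond the page by handling the case where the XOR value is unknown.

```python
# Recover the dropper hidden behind the "KKONG" marker in exploit.html.
# Added example, not Websense code.  Assumption (labelled): the page stores the
# XORed bytes as \xNN escapes inside a JavaScript string literal.  The sample
# page at the bottom is constructed, not captured from the real site.
import re
from typing import Optional

MARKER = b"KKONG"      # marker named in the write-up
XOR_KEY = 0xBF         # XOR value named in the write-up

# Constructed stand-in for the dropped executable: only the PE "MZ" header and the
# familiar DOS-stub text, so the carved result can be recognised and checked.
FAKE_PAYLOAD = (b"MZ\x90\x00\x03\x00"
                + b"This program cannot be run in DOS mode."
                + b"\x00" * 8)

# One \xNN escape as it appears inside the JavaScript string literal.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def encode_stream(payload: bytes, key: int = XOR_KEY) -> str:
    """Build the JavaScript assignment as the page is assumed to store it:
    the marker first, then every payload byte XORed with the key as an escape."""
    body = "".join("\\x%02x" % (b ^ key) for b in payload)
    return 'var dw = "%s%s";' % (MARKER.decode("ascii"), body)


def recover_key(raw: bytes) -> Optional[int]:
    """Beyond the page's 0xBF case: if the single-byte XOR value were unknown,
    derive it from the expected "MZ" header and confirm on the second byte."""
    if len(raw) < 2:
        return None
    key = raw[0] ^ ord("M")
    return key if raw[1] ^ key == ord("Z") else None


def carve_payload(page: bytes, key: Optional[int] = XOR_KEY) -> Optional[bytes]:
    """Find the marker, take the escaped stream up to the closing quote of the
    string literal, decode the escapes and XOR them back.  With key=None the
    key is recovered from the MZ header instead.  Returns None when nothing
    valid is found, so page text is never mistaken for a binary."""
    start = page.find(MARKER)
    if start < 0:
        return None
    stream_start = start + len(MARKER)
    end = page.find(b'"', stream_start)
    if end < 0:
        return None
    escaped = page[stream_start:end].decode("ascii", errors="replace")
    raw = bytes(int(h, 16) for h in _ESCAPE.findall(escaped))
    if key is None:
        key = recover_key(raw)
        if key is None:
            return None
    decoded = bytes(b ^ key for b in raw)
    return decoded if decoded.startswith(b"MZ") else None


# Constructed sample of what exploit.html looks like: the marker + stream variable
# followed by the hidden iframe that pulls in the actual exploit page.
SAMPLE_PAGE = (
    "<html><body><script>\n"
    + encode_stream(FAKE_PAYLOAD)
    + "\n</script>\n"
    + '<iframe src="Protect.html" width="0" height="0"></iframe></body></html>'
).encode("ascii")


if __name__ == "__main__":
    carved = carve_payload(SAMPLE_PAGE)
    print("carved %d bytes, header %r" % (len(carved), carved[:2]))
```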
The executed file dw20.exe (MD5: d2354e9ce69985c1f55dbad2837099b8) acts as a dropper and has the same name as the file dropped in the Rotary Domains attack. The threat stays persistent on the system by dropping another file, startup.dll (MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a), to the Windows directory; it registers as an auto-started service called WindowsUpdata. Check out the complete report from ThreatScope™. The backdoor service is actually installed under a registry key called "RAT", which is not very discreet, to say the least, and the backdoor connects to a C2 that our service recognizes as suspicious: hxxp://interfacet.oicp.net:88. oicp.net appears to be a web host located in China. Custom hosts on the site have been involved in targeted attacks in the past (1 2); however, this specific host points to the IP address 65.19.141.203, located in Fremont, California, United States. Looking closer at this IP address, we could see that it hosts a lot of mayhem, along with many other associated hosts using names under *.oicp.net that we have already classified in a security category:
One of the most interesting parts is that the IP address the C2 points to sits in an address range that belongs to Hurricane Electric, a US-based internet service provider that recently made headlines for being the first Internet backbone to connect to 2,000 IPv6 networks. An interesting article from 'The Droid Tech Guy' illustrates how, although web traffic in China is very restricted and censored, its architecture is actually one of the most advanced. According to the article, one of its advances is that it employs a security feature known as Source Address Validation Architecture (SAVA). To quote from the article: "This feature puts security checkpoints throughout the system and then builds up a database very systematically. This database will contain trusted computers and their IP addresses. This system will then authenticate who is sending what. This way, the possibility of sending malicious data becomes a lot more difficult, nearly impossible, like many say."

 

This is a good point that makes us ponder - could it be that threats that originate from China are actually safer, from the attacker's perspective, if hosted outside of China? That may well be the case. 

 

In summary, we had a look at a high-profile, government-related website that was compromised in a 'waterhole' attack employing some interesting techniques. Targeted attacks now seem to surface regularly and more frequently, with new attacks exposed almost on a weekly basis. Such rapid discoveries may push the players behind state-sponsored attacks, or other miscreant groups, to increase their level of sophistication. However, we believe that the sophistication of such attacks depends directly on the protection level employed by the target. If defense levels are mediocre or "just enough," then attackers will probably do just enough to get past them. The tough questions one should ask oneself in today's threat landscape are "what am I doing to not be the next victim?" and, even more importantly, "what am I going to do when I do become one?". We believe that post-infection mitigation plans should be given the same emphasis as prevention and putting adequate protection in place.

 

Websense Protection

 

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). ACE protected against this threat in real time and against the different stages of the attack progression, also known as the "kill chain". More information about the 7 stages of advanced threats is available at the next link. Here is a recap of how ACE protected against the different stages:

 

Lure stage: protection confirmed. The lure is the first stage of the attack; in this case it was the URLs that loaded a malicious Flash file:

hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)

hxxp://www.herzliyaconference.org/_modules/80.html -> Flash file loader (AceInsight report)

Dropper stage: not applicable. The dropper stage is where a file passes through the gateway and is inspected in real time; this does not apply to this attack because the file was hidden and obfuscated in memory and reconstructed on the client side, a typical sandbox evasion technique.

Calling home stage: protection confirmed. The calling home stage is the destination the malware connects to after being successfully installed on the victim's machine. In this attack the malware initiated a connection to a destination already known to us, hxxp://interfacet.oicp.net:88 (AceInsight report).


For participation in data analysis, special thanks to: Gianluca Giuliani

What Happens if a PPC Company Website is Compromised to Serve jRat?
Posted: 18 Oct 2012 03:23 PM

Thanks to the Websense® ThreatSeeker® Network, we have discovered another interesting case of malicious web injection. This one tries to install a Java-based back door on visitors' systems. Its target is the pay-per-click company PocketCents, which has recently been targeted by two additional attacks. This company's business makes it a really interesting target for this type of attack. Given the intensive tracking they advertise in their mission statement, it seems likely that the attackers could be interested in customer information and user accounts. How better to get that information than with a backdoor installed on each visitor machine? 


The following screen capture shows the injection still active at the start of our analysis:

 

 

The first interesting thing here is that it is not the usual exploitation scheme: there are no Java vulnerabilities involved in this injection, just Java code. So the code is executed by the browser without any kind of exception or memory trick.

 

Running this malicious applet during our investigation did, however, generate a lot of alerts, as shown below:


The URLs from which the Java applets are executed are hosted by dropbox.com:


The "ogi45r.jar" applet works as a dropper for the jRat_tiny.jar file, as shown below. It also ensures that the Java context is running, using the "redir" parameter defined in the applet section. The value of the "redir" parameter is "hxxp://rs-ps.org," which seems to be a website that provides a platform for online, Java-based games:


The "jRat_tiny" JAR file loads the stored file with the code shown above. Here's a further look into the code of this JAR file:

 

 

 

In the code above, the first point of interest is the use of resources to hide information. In this case, the resources store two files: "enc.dat" and "key.dat". The first, "enc.dat," is a DES3-encrypted binary file. Once decrypted, it's executed by the Java runtime's command-line tool and provides remote access to the system with a list of commands worthy of the best RAT tools around. The second file, "key.dat," is a sort of configuration file. It is read by the initialization code, and its first line holds the DES3 key. The "key.dat" file is mapped onto the "arrayOfStrings" array. The screenshot below shows the code snippet that, given the DES3 key (stored in the first line of key.dat and referenced by the Java array element "arrayOfStrings[0]") and the encrypted stream, generates another Java applet.


The "key.dat" file contains the following:

 

 

Except for the first value (the byte-based DES key), the content is encoded as the hex values of the ASCII characters. Here's the decoded "key.dat" file:

 

 

Another interesting thing is that, thanks to the multi-platform nature of the language, this RAT can detect the system it is running on and is totally platform-independent:

 

 

Above, we can see the attempts to detect the right command line for the environment in which "tiny_jRat.jar" has been executed. The aim of this code is to locate the right Java interpreter path on the impacted system and run the decrypted Java file stored in the resources. Given the strong evidence that the "enc.dat" file was encrypted with DES3, I decided to write a light Java decrypter based on the DES3 algorithm, using the cryptographic APIs of the Java framework:


The result of this really light DES3 decrypter (the code is available to other researchers, though it is not complicated to write), when given the encrypted file and the secret key retrieved from the configuration file as input, shows that the decrypted content is a new JAR file, which is the real RAT. Here is the code obtained from the new JAR file:

 

 

Again, it seems that we have a configuration file and an encryption key. This time they use the AES algorithm, implemented in the Java class "L," whose method "d" decrypts the stream stored in the "config.dat" file using the key stored in the "key.dat" file. The content of the key file is the following:

 

 

Here is a snippet of the AES decryption code:

 

 

With this information, it's possible to write an AES decrypter to get the configuration parameters. These include the C&C IP address and the TCP port used to contact the remote server owned by the RAT administrator, who runs commands on the impacted systems, as well as other information. Looking around in the code, we can determine many of the features implemented by this RAT:

- DDoS routine

- command-line based commands

- remote process handling (kill, create new process, etc.)

- network commands, such as netstat

- injecting audio advice

- download and upload of files from the impacted systems

and so on.

 

The messages sent by the RAT administrators from remote systems seem to be handled in the Java class "B." For example, here is the code to list the running processes on the victim's system:

 

 

 

Here, the commands "KILLPROCESS" and "GETFILE" exfiltrate files from the impacted system:

 

 

Here is the HTTP DoS engine used for this kind of activity:

 

 

Here is a service feature used by the RAT administrator to receive the system log files:

 

 

A lot of other features and interesting details have also been detected. Although execution of this RAT is mitigated by Java's protection when web browsers try to download and execute applets like this one, we think that this kind of platform-independent tool, which doesn't require an exploitation chain, could be a growing concern in the future. We have no idea how many users have been impacted by this injection. At this time, the dropbox.com JAR files have been removed.

 

Through our ThreatSeeker Network, we have detected that a lot of URLs are injected with the same threat:

 

 

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).


Gianluca Giuliani

New Java 0-day used in small number of attacks
Posted: 27 Aug 2012 02:57 PM

Over the weekend, information started appearing that there was a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. We have analyzed samples from the attack and can confirm that Websense customers using products that have our Advanced Classification Engine (ACE) have been protected against this zero-day attack by real-time analytics dating back to early 2009.

 

 

We have confirmed that the exploit doesn't work on version 1.6.x of Java, but it does work on 1.7.0.5 and 1.7.0.6 (latest available versions). David at Errata Security has tried and verified that the same exploit works just as well on Linux and OS X including Mountain Lion 10.8.1. That's right folks, yet another cross-platform vulnerability in Java, and with the increasing amount of Mac malware that we're seeing, we wouldn't be surprised if this starts being used against Mac users shortly. 

 

Regardless of which browser and operating system you use, make sure you disable or, better yet, uninstall Java, unless you really need it. Brian Krebs has instructions on how to disable Java in browsers on both Windows and Mac. There's already a Metasploit module for the new vulnerability, which increases the risk of it being applied in attacks against a larger number of targets.

 

The obfuscated JavaScript above will download a file called applet.jar (VirusTotal report), which, in turn, uses the vulnerability to download the payload hi.exe (VirusTotal report) that it saves as update.exe and executes on the system. The downloaded EXE file is a variant of Poison Ivy that tries to connect to a known malicious host in Singapore. See our ThreatScope report for more information about the file.

Shamoon/DistTrack affecting energy sector
Posted: 16 Aug 2012 01:42 PM

 

Today news broke that at least one organization in the energy sector was hit by malware named Shamoon or DistTrack. We’ve been looking at the related malware samples and can confirm that Websense products that have our Advanced Classification Engine (ACE) have had proactive detection in place since 13 December, 2010, more than 18 months prior to this attack.

 

Once executed, the malware is very aggressive and destructive, something rarely seen in attacks. Most attacks are designed to stay persistent on a system for a long period of time. Shamoon/DistTrack does the opposite: it overwrites files on the hard drive and then overwrites the master boot record (MBR), rendering the computer unbootable.

 

The malware consists of three components:

  • Dropper – This is the most essential component in that it installs the malware. It is also the file that ACE has been detecting.
  • Wiper – This is the component that overwrites files and the MBR.
  • Reporter – This module reports a list of found files to the C&C.

 

As mentioned earlier, the Dropper has been detected since 13 December, 2010. Detection for the Wiper and Reporter components was added this morning.

 

When the Dropper executes, it installs several files on the system, including a signed driver (not itself malicious) that is used to interact with the file system. We are not sure how the malware writers were able to sign the file using a third-party organization’s certificate. Most likely it was stolen in a previous attack.

 

 

Here are some MD5s of samples involved in this attack:

 

41f13811fa2d4c41b8002bfb2554a286

3b740cca401715985f3a0c28f851b60e

d214c717a357fe3a455610b197c390aa

b14299fd4d1cbfb4cc7486d978398214

 

We're continuing to monitor the situation.

 

Patrik Runald

Nepalese government websites compromised to serve Zegost RAT
Posted: 08 Aug 2012 10:36 AM

The Websense® ThreatSeeker® Network has detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister (nitc.gov.np and opmcm.gov.np respectively), have been compromised and injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. The aim of this injection is to install, by successfully exploiting that Java weakness, a backdoor dubbed "Zegost" on the systems of visitors to these websites.

 

This vulnerability (CVE-2012-0507) was also used in the Amnesty International UK website compromise and in the INSS website compromise that we reported a few months back. It's interesting to note that all those compromises had injected code taken from the Metasploit framework, served in clear form and not obfuscated. Although the use of Metasploit code doesn't necessarily indicate a link between the compromises, we found further common characteristics between the compromises of the Amnesty UK website and the Nepalese government websites: analyzing the backdoors' C&C points, we noticed that they connected to the same domain in China.

 

The backdoor variant in this attack is known to have been used in other targeted attacks that were aimed at Uyghurs, Tibetans, and others in that area.

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


 

 

Technical Analysis


According to Cyberwarnews, in early 2012, the websites of Nepalese institutions, such as the police, suffered two other types of attacks mainly in the form of defacements and data leakage. But it's not just Nepal that has been affected. This region has recently seen a sequence of targeted attacks and APTs.

 

Below is the content of the Nepalese National Information Technology Center (NITC) Web page along with the injected code marked in red:


The main page was injected with a Java JAR file loader which, once rendered by the Web browser, is executed and attempts to exploit the CVE-2012-0507 vulnerability. The Java class name ("msf.x.Exploit.class") and the content of the file confirm that the code was taken from the Metasploit framework. If the exploit code in the JAR file executes successfully, the shellcode downloads and runs the executable file "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f).

 

The ThreatSeeker Network was able to connect that same executable file dropped from nitc.gov.np (National Information Technology Center) to another Nepalese government website, opmcm.gov.np (Office of the Prime Minister and Council Minister website), as shown below:

 

 

 

The red, boxed URL is the website of the Office of the Prime Minister and Council Minister. We found that this particular website was compromised this year, at least from May 9 to 15, to serve this same backdoor executable (MD5: 3c7b7124f84cc4d29aa067eca6110e2f):


The content that was injected between these dates at the website of the Office of the Prime Minister and Council Minister was identical to the code injected at the National Information Technology Center website, confirming that the same attack vector was used for both:


We detected that the dropped backdoor "tools.exe" (MD5: 3c7b7124f84cc4d29aa067eca6110e2f) is a variant "AD" of the backdoor Zegost. This backdoor toolkit or remote administration tool (RAT) has also been involved in other targeted attacks in Asia, according to an analysis by AlienVault in their research blog.

 

Thanks to the Websense ThreatScope® sandbox service, the C&C address was detected at "who.xhhow4.com," as shown in the picture below (for the complete sandbox report, click here). 

 

The domain "xhhow4.com" was also used as a C&C point for the dropped backdoor served at the compromised Amnesty UK website, where that variant specifically connected to the address "shell.xhhow4.com" (for the complete sandbox report, click here).


Both C&Cs are hosted at IP address 184.22.171.216:


The domain "xhhow4.com" is hosted in China by a Web hosting company known as Hichina Zhicheng Technology Co., Ltd. The next image shows a Robtex DNS names graph analysis for that domain:

 

 

Once the backdoor is installed on the impacted system, it initiates connections from local TCP port 1320. The destination is the C&C at "who.xhhow4.com" on remote TCP port 53 (usually the port reserved for DNS zone transfers). However, it's important to note that the traffic wasn't DNS traffic but the proprietary protocol the backdoor uses for remote communications. Below is the first connection sequence between the backdoor and the C&C:


By decoding the TCP stream, it is possible to recognize that custom encryption was used to exchange information with the C&C. The network traffic also starts with a keyword, "URATU," as shown below:
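Turning the two network observations above (connections from local port 1320 to TCP/53 that carry something other than DNS, and a stream that starts with "URATU") into a detection check, as an added example that is not Websense code: it tests each flow for the keyword, for whether the payload is even framed as DNS over TCP, and for the reported source port. The flow records are a constructed, simplified dict format rather than a pcap, and the DNS framing test is a heuristic.

```python
# Flag Zegost-style C&C traffic on TCP/53.  Added example, not Websense code.
# The write-up reports the backdoor connecting from local port 1320 to the C&C
# on remote TCP port 53 with a proprietary protocol whose stream starts with
# "URATU".  Flow records below are a constructed, simplified format (one dict
# per flow with the first payload bytes), not real captures.
from typing import Dict, List

C2_KEYWORD = b"URATU"     # stream prefix named in the write-up
REPORTED_SRC_PORT = 1320  # local port named in the write-up


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """Heuristic DNS-over-TCP check (RFC 1035 section 4.2.2): a 2-byte length
    prefix that fits the data, a 12-byte header with a known opcode and at
    least one question.  Real DNS passes; arbitrary binary almost never does."""
    if len(payload) < 14:
        return False
    length = int.from_bytes(payload[:2], "big")
    if length < 12 or length > len(payload) - 2:
        return False
    flags = int.from_bytes(payload[4:6], "big")
    opcode = (flags >> 11) & 0xF            # 0 QUERY, 4 NOTIFY, 5 UPDATE
    qdcount = int.from_bytes(payload[6:8], "big")
    return opcode in (0, 4, 5) and qdcount >= 1


def classify_flow(flow: Dict) -> List[str]:
    """Return the reasons a TCP/53 flow looks like the backdoor's C&C channel
    (an empty list means nothing suspicious).  Other flows are out of scope."""
    reasons: List[str] = []
    if flow["proto"] != "tcp" or flow["dst_port"] != 53:
        return reasons
    payload: bytes = flow["payload"]
    if payload.startswith(C2_KEYWORD):
        reasons.append("stream starts with Zegost keyword URATU")
    if not looks_like_dns_over_tcp(payload):
        reasons.append("TCP/53 payload is not DNS-over-TCP framing")
    if flow["src_port"] == REPORTED_SRC_PORT:
        reasons.append("source port 1320 matches the reported backdoor")
    return reasons


def build_dns_query(name: str = "example.com") -> bytes:
    """Constructed, well-formed DNS-over-TCP A query used as the benign control:
    length prefix, header (id, RD flag, QDCOUNT=1), then the question section."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    question = labels + b"\x00" + b"\x00\x01" + b"\x00\x01"
    message = header + question
    return len(message).to_bytes(2, "big") + message


# Constructed flow records: a benign recursive query, a Zegost-like stream from
# port 1320, and an ordinary HTTP request that the check must ignore.
SAMPLE_FLOWS = [
    {"src_port": 49152, "dst_port": 53, "proto": "tcp", "payload": build_dns_query()},
    {"src_port": 1320, "dst_port": 53, "proto": "tcp",
     "payload": C2_KEYWORD + bytes([0x8A, 0x13, 0x5F, 0x00, 0x2C, 0x91, 0x7E, 0x03, 0x4D, 0xC2])},
    {"src_port": 51000, "dst_port": 80, "proto": "tcp", "payload": b"GET / HTTP/1.1\r\n"},
]


def suspicious_flows(flows: List[Dict]) -> List[int]:
    """Indices of the flows that raised at least one reason."""
    return [i for i, f in enumerate(flows) if classify_flow(f)]


if __name__ == "__main__":
    for i in suspicious_flows(SAMPLE_FLOWS):
        print("flow %d: %s" % (i, "; ".join(classify_flow(SAMPLE_FLOWS[i]))))
```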

Once executed, the binary creates a mutex named "microsoft.com", reported below:

 

 

 

The backdoor also offers features common to other backdoors, such as keylogging, and supports accepting and running commands remotely. As in other cases, this backdoor isn't highly complex at all, but it's certainly no less effective than more complex malware once executed on the target systems. Another interesting aspect of this backdoor file is that it's signed with what appears to be an invalid or fake certificate issued to 360.cn (a Chinese ISP) by VeriSign, as shown in the properties box:


The certificate contains the following details:


Having malicious code signed with certificates is a trend we’ve seen in other targeted attacks; it can reduce the effectiveness of human and automatic countermeasures.

 

In this blog post, we covered the compromise of Nepalese government websites in what appears to be a chain of targeted attacks. We managed to connect those attacks to a previously reported attack that took place in a different country: the compromise of the Amnesty International UK website. This shows that cyber warfare is trending and kicking and that there's certainly an effort by international players to stay dominant and persistent in that realm.

 

Security Researchers: Gianluca Giuliani, Elad Sharf.

Faster, Higher, Stronger—Olympic Security Risks
Posted: 20 Jun 2012 06:07 PM

The 2012 Summer Olympic Games in London, England (July 27 to August 12) will mark the third time the city has hosted this event. When previous London Olympics were held in 1908 and 1948, cyberattacks weren't even the stuff of science fiction. This time around, they are a real concern. Hackers are already taking advantage of the huge explosion in search engine requests, ticket sales, online streaming, and social media postings that will occur as a result of this 17-day sports event. 

 

 

The 2008 Beijing Olympics were the target of about 12 million cybersecurity incidents per day. In February, we blogged about Olympic ticket scams associated with the 2012 London games, but that was only the beginning. Ticket scams are a major security concern due to the money involved; four years ago, tickets to the Beijing Opening Ceremony were sold on the black market for $26,000 each.

 

The U.K. government is preparing for all kinds of attacks, from actual terrorism to computer threats. Cabinet Office minister Francis Maude said, "We have rightly been preparing for some time--a dedicated unit will help guard the London Olympics against cyberattacks. We are determined to have a safe and secure Games." He added that an essential element of security is keeping updated on emerging threats: "Our responses have to be fast and flexible. What works one day is unlikely to work a matter of months or even weeks later."

 

The event has been called "the first social Olympics," and organizers anticipate social media will be more important than ever, which means online security is more of a concern than ever. Records will be broken not only on the track and in pools, but also in internet traffic. Ofcom, the U.K. telecom regulator, anticipates the wireless spectrum demand to double in London during the games.  Websense® will help administrators control bandwidth consumption by using our Advanced Classification Engine™ (ACE) to classify streaming media and internet video from the Olympics into the Special Events category.

 

Games organizers have set up an Olympic Athletes' Hub to encourage connection among competitors and fans, but at the same time, have imposed some very strict limits on how they can use social media. We first heard back in January from a friend who is one of the 70,000 Games Makers volunteers that she and her colleagues were warned their social media use might compromise the reputation and security of the event.

 

Ticket purchasers are also being told that they may not "license, broadcast or publish video and/or sound recordings, including on social networking websites and the internet more generally, and may not exploit images, video and/or sound recordings for commercial purposes under any circumstances, whether on the internet or otherwise, or make them available to third parties for commercial purposes."

 

Whether any of this will or even can be enforced remains to be seen. The official IOC guidelines apply (in theory) only to "participants and other accredited persons," but there is a great deal of confusion and concern about what can and can't be shared, and by whom.  U.K. legal consultant Rachel Boothroyd provides a useful overview, guidelines, and summary primarily for social media professionals.

 

Anyone can be targeted by email scams abusing the "London 2012" name, claiming the recipient has won tickets or a large amount of money from a nonexistent "Olympics lottery." The recipient is given a claim number and told to contact a claim agent—and of course, advised to keep the information confidential until the prize is claimed, to avoid spreading the word about the scam. As we have seen in many previous email scams, victims are told they have to make some kind of payment to claim their prize. An official lottery will pay you right away and will not require payment to release your winnings. Email scams often give themselves away through poor use of English, misspellings, U.K. phone numbers starting with 070, and personal email accounts like Gmail or Hotmail accounts. 

 

Common sense may keep you safe in most situations, but hackers and spammers are quickly coming up with new ideas on how to attract and take advantage of new victims. 

 

Websense is protecting our customers from scams and other security problems by ACE, our Advanced Classification Engine 

Elisabeth Olsen

Malware Traditions on Fire: What you need to know about Flame
Posted: 30 May 2012 03:47 PM

Yesterday we posted about a new strain of highly advanced malware (APT), dubbed Flame. It is potentially the most advanced malware to date, at least in terms of functionality combined with the ability to stay hidden over a long period of time. It’s also unusually large (20 MB), whereas most attacks contain small files (under 1 MB). The file is so large because it incorporates a broad set of capabilities, including recording audio, taking screenshots, compiling a list of nearby Bluetooth devices, and more. It even includes some rare techniques not commonly found in malware, such as using the Lua scripting language for some of its functions. The primary function of Flame is to collect and upload information.

 

Although Flame doesn't do anything we haven't seen before in other malware attacks, what is really interesting is that it weaves multiple techniques together and applies them dynamically based on the capabilities of the infected system. Flame has also been operating under the radar for at least two years, which, counterintuitively, may be partly attributable to its large size.

 

Flame has been found mainly in the Middle East, specifically: Egypt, Iran, Israel, Lebanon, Palestine, Saudi Arabia, Sudan, and Syria. Based on historical APT patterns, the target region, and the complexity and quality of the code, our guess is that Flame was created by one or more Western intelligence agencies. I don't think we'll see too many copycats of Flame, but we will see more targeted attacks against nations. This follows the trend we have been seeing of nation-versus-nation web threats that go beyond off-the-shelf remote access kits.

 

How effective Flame has been remains to be determined, as only a small number of infections have been discovered so far. While we have identified it in approximately eight countries, it is targeted and present on only a select number of systems. We will be sure to keep our readers updated on our findings.

 

It’s also important to mention that our Websense Web Security Gateway (Anywhere), Cloud Web Security, Cloud Email Security, and Email Security Gateway (Anywhere) customers all have protection in place for known samples of Flame. All of these solutions leverage our ACE (Advanced Classification Engine) technology.

 

Do you have any questions on Flame? If so, leave a comment and we can discuss.


Patrik Runald

Nitro targeted attacks
Posted: 02 Nov 2011 08:39 AM

Recently, our friends over at Symantec released a report about an attack named Nitro. In this targeted attack, unknown attackers went after several types of organizations; the latest known attacks occurred in the chemical sector, where 29 different targets were confirmed.

The attacks follow a standard pattern, reusing tools and techniques seen in previous attempts. An email with an attachment, or with a link pointing to a file, is sent to several recipients within an organization. These files are repacked variants of Poison Ivy, a very popular Remote Access Tool (RAT). The command and control servers for this tool rely extensively on dynamic DNS services for hostname and IP address lookup.

 

Screenshot of the Poison Ivy builder application.


This is precisely why Websense released a Dynamic DNS category earlier this year. In their default configuration, products that have this category will not allow these RATs to communicate successfully. With this new category, our Websense Security Gateway and Hosted Web solutions block Poison Ivy traffic entirely, because of the way it communicates over port 80. In this way, Websense customers remain protected from this popular form of targeted attack.
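The category-based blocking described above comes down to one check at the web gateway: does the requested hostname fall under a dynamic DNS provider's suffix? The following Python script is an added example (not Websense's or Symantec's code) that applies that check to a few constructed proxy log lines. The suffix list `DYNAMIC_DNS_SUFFIXES` contains placeholder names, not a real provider list, and the log lines are constructed for the example.

```python
import re

# Constructed suffixes standing in for a Dynamic DNS category list; these are
# placeholder names, not real providers.
DYNAMIC_DNS_SUFFIXES = {"dyn-example.net", "free-host.example", "ddns-test.org"}

# Constructed proxy log lines: timestamp, client IP, method, URL or host:port, status.
SAMPLE_LOG = """\
2011-11-02T08:39:01 10.0.0.15 GET http://update.vendor.example/patch.cab 200
2011-11-02T08:39:05 10.0.0.15 POST http://svc.dyn-example.net:80/ 200
2011-11-02T08:39:09 10.0.0.22 GET http://news.example.com/index.html 200
2011-11-02T08:40:11 10.0.0.15 CONNECT host.free-host.example:443 200
2011-11-02T08:41:30 10.0.0.22 GET http://ddns-test.org.example.com/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def hostname_of(target):
    """Extract the bare hostname from a URL or a CONNECT host:port target."""
    rest = SCHEME_RE.sub("", target)
    authority = rest.split("/", 1)[0]
    authority = authority.rpartition("@")[2]       # drop any userinfo
    if authority.startswith("["):                  # bracketed IPv6 literal
        return authority[1:authority.index("]")].lower()
    if ":" in authority:                           # strip the port
        authority = authority.rsplit(":", 1)[0]
    return authority.lower()


def is_dynamic_dns(host, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True when host equals a listed suffix or is a subdomain of one.

    The '.' boundary matters: ddns-test.org.example.com must not match
    ddns-test.org, otherwise an attacker-chosen label could be used to
    dodge or trigger the category at will.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flag_dynamic_dns(log_text, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Return (client, host) pairs for requests to dynamic DNS hostnames."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # skip malformed lines
        _, client, _, target, _ = m.groups()
        host = hostname_of(target)
        if is_dynamic_dns(host, suffixes):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in flag_dynamic_dns(SAMPLE_LOG):
        print(f"{client} -> {host}  [Dynamic DNS]")
```

Run over the constructed log, the script flags the two requests from 10.0.0.15, one on port 80 and one via CONNECT on 443, and leaves the lookalike `ddns-test.org.example.com` alone because the match is anchored at a label boundary. A gateway enforcing the category would deny those requests rather than merely report them.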

 

For more information about how Websense protects against APTs and Targeted Attacks see our white paper.

 

Symantec's full report can be downloaded here.


Patrik Runald

Duqu - Stuxnet 2.0
Posted: 19 Oct 2011 06:10 PM

The security industry is buzzing today after Symantec released a whitepaper on a threat known as Duqu. What's interesting about Duqu is that it's heavily based on the source code of Stuxnet, a worm that targets industrial control systems (ICS). The Stuxnet source code has never been made available publicly; only the original attackers have it. Therefore it's reasonable to assume that Duqu was written by the same people.

 

Duqu is not designed to attack Programmable Logic Controllers (PLCs) or any type of automation equipment, which was the ultimate purpose of Stuxnet. Instead, it acts as a reconnaissance tool that is designed to steal private information about these systems. With the information it obtains, further targeted attacks similar to Stuxnet can be executed.

 

One of the DLL drivers used in the Duqu attack is signed with a certificate issued to C-Media Electronics Corporation, a technology company in Taiwan. The certificate was revoked on 14th October, 2011.

While information about the command and control servers is still being researched, all known URLs are categorized as security risks (including a dynamic DNS domain; Dynamic DNS is a new category we released a few weeks ago for this specific purpose). Websense customers are protected against this malware family and Advanced Persistent Threat (APT) attacks with ACE, our Advanced Classification Engine.

 

Symantec currently has the most information available about this threat, as they were the first to receive the sample. Their whitepaper can be found here.


Patrik Runald

Compromised Email marketing companies sending spam
Posted: 23 Sep 2011 03:32 PM

Over the past few years, Websense Security Labs has been monitoring an increasing trend in unwanted email being sent from webmail accounts. Initially these accounts were on hosted freemail providers, but externally facing corporate webmail accounts have recently been targeted. The technique is the same in both scenarios: account passwords are either phished or subjected to a brute-force password attack. Once an account is compromised, the attacker can send email messages to contacts and other addresses, using the compromised company's reputation to avoid detection by spam filters.

 

Recently we have detected a disturbing shift in this trend, with email marketing organization web accounts being compromised and used to send spam, which often contains malicious links.

 

Below is an example of a spoofed email originally sent from an email marketing company based in Argentina. In this case, the account belongs to a large electrical retailer that has both online and store-front outlets.


We can validate that this email came from the email marketing company's infrastructure using the Sender Policy Framework (SPF) records published for its domain.
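The SPF check used above answers one question: is the connecting IP one that the domain's published `v=spf1` record authorizes to send? The following Python function is an added example, not Websense's tooling, that evaluates a sending IP against an SPF record. It implements only the `ip4`, `ip6`, `include` and `all` mechanisms (enough for the records most bulk senders publish) and reads records from a constructed in-memory table `FAKE_TXT_RECORDS` instead of live DNS, so it runs offline; the domains and addresses in that table are made up.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups; the domains and
# address ranges are made up for this example.
FAKE_TXT_RECORDS = {
    "marketing-provider.example":
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example":
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=FAKE_TXT_RECORDS):
    """Return the v=spf1 TXT record for a domain, or None if it has none."""
    txt = records.get(domain.lower())
    if txt and txt.lower().startswith("v=spf1"):
        return txt
    return None


def check_spf(sender_ip, domain, records=FAKE_TXT_RECORDS, depth=0):
    """Evaluate sender_ip against the SPF record of domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Mechanisms are tried left to right; the first match decides, and its
    qualifier (+ - ~ ?) selects the result. Unsupported mechanisms (a, mx,
    ptr, exists) are skipped, which is conservative: they can only add
    passes, never turn a pass into a fail.
    """
    if depth > 10:                      # RFC 7208 caps DNS-driven recursion
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                # Membership is False across IP versions, so an IPv6 sender
                # never matches an ip4 mechanism and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only when the referenced domain yields "pass".
            matched = check_spf(sender_ip, arg, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.10", "192.0.2.5"):
        print(ip, "->", check_spf(ip, "marketing-provider.example"))
```

With the constructed records, a sender inside 203.0.113.0/24 passes directly, 198.51.100.10 passes through the `include`, and any other address hits `-all` and fails. A "pass" only proves the message left the marketing company's infrastructure, which is exactly the point of the post: SPF confirms the compromised account was used, it does not make the mail legitimate.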

 

The account was used to send out spoofed email that appears to originate from an international clothing retailer. However, some of the links in the email direct the recipient to a similarly named domain, ‘<companydomain>-billings.com’, which was registered on the day of the attack. This site hosts a zip file containing a malicious fake invoice named ‘<companyname>_Order_16YWBoG.exe’. At the time this email campaign started, this file had 0% detection coverage from the AV community.

 

The day after the first email messages were sent, the attacker compromised another account on the same Argentinian email marketing company website, this time registering a new domain ‘<companydomain>-support.com’. On the third day, the attacker switched to an email marketing company based in Australia. As before, they registered a new domain, but instead of including this domain ‘<companydomain>-invoice.com’ in the email, they compromised an Australian travel company's website and used it as a redirector. This travel company owned the Australian email marketing company account that was used to send the spoofed email. The additional step was probably taken to avoid basic outbound email filtering by the marketing company.

 

One thing these marketing companies have in common is that they appear to include their account names in the user part of the email address combined with their own domain. This makes it very easy for an attacker to subscribe to a newsletter and receive account and marketing website details.


As more companies use third-party email marketing organizations to handle their commercial email requirements, are they inadvertently risking their reputations and the repeat business of their loyal customers? We think they could be.

 

Most email marketing web accounts require only basic password authentication. If an account is compromised, the attacker gains access not only to an efficient email sending infrastructure and campaign editing tools, but also to customer email details. Even worse, most of the major email marketing companies also integrate with many online CRM services, giving the attacker the additional option of reselling an organization's information to its competitors. So to the attacker, these marketing companies represent soft and potentially lucrative targets.

 

So when your email marketing account is created, does it meet your company's password policy? Does your marketing department share this account and leave the password posted on the pin board? Remember: A simple password may be all that is stopping your organization from sending your entire customer base a malicious email.


©2013 Websense, Inc. All Rights Reserved.