Information Security News
The Syrian Electronic Army has made old hat of hacking major US media outlets throughout the past year, and Reuters was no exception. However, while visitors to the news outlet's site undoubtedly noticed the SEA's handiwork on display temporarily this afternoon, security researcher Frederic Jacobs is reporting this latest breach was not due to any wrongdoing from Reuters.
Users trying to read the story "Attack from Syria kills Israeli teen on Golan, Israel says" (restored as of Sunday evening) were redirected to the message above at times throughout the day. And on Medium, Jacobs wrote that SEA compromised the site by targeting the New York-based ad network Taboola. While the security researcher is unsure of how SEA managed to compromise Taboola (based on previous attacks, he hypothesizes a phishing campaign like what The Onion faced), Jacobs had a pretty good idea as to why.
"By compromising Taboola, the value of the compromise is significantly higher than just compromising Reuters," Jacobs wrote. "Taboola has 350 million unique users and has partnerships with world’s biggest news sites including Yahoo!, the BBC, FoxNews, the New York Times… Any of Taboola’s clients can be compromised anytime now."
by Sean Gallagher
If you've traveled and tried to get on the Internet, you've probably seen some pretty suspicious looking Wi-Fi networks with names like "Free Wi-Fi" and "Totally Free Internet." Those are likely access points you'd best avoid. But there's a much bigger threat to your security than somebody randomly fishing for you to connect to them—the networks you've already connected to and trusted, like AT&T and Xfinity.
Mobile broadband providers are eager to get you to connect to their Wi-Fi-based networks while you’re away from home. AT&T has built a network of free hotspots for customers at thousands of places—including train stations, as well as Starbucks and McDonald's locations across the country. Comcast has spread its Xfinity wireless network far and wide as well, turning customers’ cable modems into public Wi-Fi hotspots accessible with an Xfinity account login.
These free Wi-Fi connections are popular, for good reason—they help reduce the amount of broadband cellular data you consume, and they often provide better network speeds than what you can manage over a 4G connection. But they also offer a really easy way for someone to surreptitiously tap into your Internet traffic and capture your account information for less-than-friendly purposes. Millions of AT&T and Xfinity customers could be leaving themselves exposed to surreptitious hacking of their Internet traffic, exposing their personal data as a result.
While working a recent forensics case I had the opportunity to spread the proverbial wings a bit and utilize a few tools I had not prior.
In the midst of building my forensic timeline I set out to determine the initial attack vector, operating on the assumption that it was either web-based content via a malicious ad or a site compromised with a web exploit kit, or was a malicious link or document attachment via email. One interesting variable stood out while reviewing the victim's PST file. Her company was in the midst of hiring, seeking candidates for a few positions, and was receiving numerous emails with resume attachments, both PDF and DOC/DOCX. I had already discovered the primary malware compromise of the victim's system so I simply needed to see if there was a malicious email that had arrived prior based on time stamps. One particular email with a Word doc attached stood right out as it arrived at 12:23am on the same day of the malware compromise later at noon. Antimalware detection immediately identified the attachment as TrojanDownloader:W97M/Ledod.A. This alleged resume attachment was also for a John Cena, which cracked me up as I am indeed familiar with the WWE professional wrestler of the same name. Unfortunately, technical details for W97M/Ledod.A were weak at best and all I had to go from initially was "this trojan can download and run other malware or potentially unwanted software onto your PC." Yeah, thanks for that. What is a poor forensicator to do? Frank Boldewin's (Reconsructer.org) OfficeMalScanner to the rescue! This tool works like a charm when you want a quick method to scan for shellcode and encrypted PE files as well as pulling macro details from a nasty Office documents. As always, when you choose to interact with mayhem, it's best to do so in an isolated environment; I run OfficeMalScanner on Windows 7 virtual machine. If you just run OfficeMalScanner with out defining any parameters, it kindly dumps options for you as seen in Figure 1.
For this particular sample, when I ran
OfficeMalScanner.exe "John Cena Resume.doc" scan the result "
No malicious traces found in this file!" was returned. As the tool advised me to do, I ran
OfficeMalScanner.exe "John Cena Resume.doc" info as well and struck pay dirt as seen in Figure 2.
When I opened
C:\tools\OfficeMalScanner\JOHN CENA RESUME.DOC-Macros I was treated to the URL and executable payload I was hoping for as seen in Figure 3.
A little virustotal.com and urlquery.net research on dodevelopments.com told me everything I needed to know, pure Lithuanian evil in the form of IP address 126.96.36.199.
A bit of trekking through all the malicious exe's known to be associated with that IP address and voila, I had my source.
See Jared Greenhill's writeup on these same concepts at EMC's RSA Security Analytics Blog and our own Lenny Zeltser's Analyzing Malicious Documents Cheat Sheet where I first learned about OfficeMalScanner. Prior related diaries also include Decoding Common XOR Obfuscation in Malicious Code and Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan (Lenny is El Jefe).
I hope to see some of you at SANSFIRE 2014. I'll be there for the Monday evening State of the Internet Panel Discussion at 7:15 and will present C3CM Defeating the Command, Control, and Communications of Digital Assailants on Tuesday evening at 8:15.