Wednesday, 10 September 2014

Pwned Bulletin

executive summary

We at CCFIS deliver penetration testing services, and while delivering those services we have found some 0-day exploits. In this bulletin we show how easy it is for a hacker to compromise your network even after you have implemented the best security solutions. If your security systems or firewalls are not detecting any attack or not alerting you about one, this does not always mean that you are not being attacked; you may well be under attack while these security solutions are not detecting or blocking it. Developers and solution providers work 9 to 6 to build the solution, but hackers work 0 to 24 to break it.
Every web asset, hardware device or application solution can have vulnerabilities. We at CCFIS find those vulnerabilities and report them to the organization under our responsible disclosure program. The list of our responsible disclosures is attached on the next page. We recommend that everyone take the needful actions when any vulnerability is reported in your organization's assets.
A detailed penetration testing report can be shared on request. Please drop a mail at info@ccfis.net with your intent and purpose, and we will send you the detailed report after verification.
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
smartermail 0-day xss vulnerability

Most of us use SmarterMail as the mail server for our organizations and businesses. It has all the smart features and almost everything needed to run a business smoothly. One client who was very concerned about his mail server contacted us and explained that he had already implemented a 256-bit SSL certificate, and asked whether there was anything else he needed to do to secure his mail server from rival companies.
We initially checked for vulnerabilities in the Microsoft OS installed on the server, which was equipped with enterprise-level email security and antivirus. At a later stage, having found that everything was updated and the OS was properly equipped, we were given two dummy accounts to check for vulnerabilities inside the email application itself.
Unfortunately, we were not able to find any vulnerability that could be exploited directly, but we found several major XSS-based 0-days which might be used to gain further access. We reported these vulnerabilities to SmarterTools as a responsible disclosure and also decided to share them with our readers.
Stored XSS (Notes)
Vulnerability (Steps to reproduce):
1) In SmarterMail there is an option to add "Notes".
2) In the details box, enter the JS code "><img src=x onerror=prompt(document.domain);> and save it.
3) Now when the user opens the note he saved, this JS code will execute and the XSS will pop up.

Reflected XSS (Compose Message)
Vulnerability (Steps to reproduce):
1) Select 'New Message' and click on the option to insert a link.
2) In place of the URL, write any URL, for example ccfis.net.
3) Then select that URL again and edit it with the payload "><img src=c onerror=prompt(document.cookie);>

Reflected XSS (Image Attachment)
While attaching an image named "><img src=x onerror=prompt(document.cookie);>.jpg in SmarterMail using the web version, an alert is generated, allowing the user to inject arbitrary code that will be executed on the server.
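All three SmarterMail issues above are the same defect: user-controlled text (a note body, a link target, an attachment filename) is written into HTML without context-aware escaping, so the leading "> closes the attribute the text was placed in. The following is an added example, not SmarterMail's code: hypothetical rendering functions show the naive concatenation beside the hardened form, using the exact payloads quoted in this bulletin, and also show that an href needs a scheme check on top of escaping.

```python
"""
Context-aware output encoding for the three injection points described in
the bulletin (note body, composed link, attachment filename).
Added example; the render_* functions are hypothetical, not SmarterMail's.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Payloads quoted in the bulletin: stored note, edited link, attachment name.
NOTE_PAYLOAD = '"><img src=x onerror=prompt(document.domain);>'
LINK_PAYLOAD = '"><img src=c onerror=prompt(document.cookie);>'
FILE_PAYLOAD = '"><img src=x onerror=prompt(document.cookie);>.jpg'

# A real <img ...> tag in the output means the payload escaped its context.
INJECTED_TAG = re.compile(r"<img\b", re.IGNORECASE)


def render_note_vulnerable(body: str) -> str:
    """Naive concatenation: the leading "> closes the title attribute and the
    rest of the note is parsed as markup (the stored XSS in the bulletin)."""
    return '<div class="note" title="' + body + '">' + body + "</div>"


def render_note(body: str) -> str:
    """Escape for both attribute and text context; quote=True turns the
    double quote into &quot; so the attribute cannot be closed early."""
    safe = html.escape(body, quote=True)
    return '<div class="note" title="' + safe + '">' + safe + "</div>"


def safe_href(url: str) -> Optional[str]:
    """Escaping alone does not make an href safe: javascript: and data:
    URLs need no angle brackets. Restrict the scheme, then escape."""
    url = url.strip()
    if not urlsplit(url).scheme:          # bare host such as ccfis.net
        url = "https://" + url
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return None
    return html.escape(url, quote=True)


def render_link(url: str, text: str) -> str:
    """Hyperlink inserted from the compose window; falls back to plain text
    when the target is not an http(s) URL."""
    href = safe_href(url)
    if href is None:
        return html.escape(text, quote=True)
    return '<a href="' + href + '">' + html.escape(text, quote=True) + "</a>"


def render_attachment(filename: str) -> str:
    """Attachment names are user data too: escape them before listing."""
    safe = html.escape(filename, quote=True)
    return '<li class="attachment" data-name="' + safe + '">' + safe + "</li>"


def contains_injected_tag(markup: str) -> bool:
    """True when the payload survived as a live <img> tag."""
    return INJECTED_TAG.search(markup) is not None
```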

These issues were reported to SmarterTools 4 weeks ago, and the patch for them is yet to be released.
Recommendations
· We cannot recommend the best mail server, as developers only work 9 to 6 to build the solution while hackers work 0 to 24 to break it.
· The best practice is to perform periodic vulnerability assessment and penetration testing of your mail server.
siemens simatic S7-300 exploit

Siemens Simatic S7-300 is a modular mini PLC system for the low-end and mid performance ranges. These appliances are used in manufacturing plants, assembly lines, hospitals and wherever automation is required.
After reading about critical infrastructures, the CIO of a major hospital contacted the CCFIS team and asked if we could audit their network. After the audit, we found some major vulnerabilities in their network; at a later stage those vulnerabilities were fixed and the network was secured. A few months later, we were called again to audit their SCADA system. We found that the hospital was using the Siemens Simatic S7-300 PLC system and had deployed it in their network to automate and control their systems efficiently.
The CIO mentioned that they purchased it in 2012 and that its configuration and settings had never been changed or modified since. Even security hardening was not performed on the device.
While performing penetration testing, we found this device vulnerable to a remote memory viewing exploit. Through this, an attacker can view data in the memory of the PLC. Exploit code for this vulnerability was written by Dillon Beresford in 2012, with OSVDB ID 73645.
With this exploit, our pen-testing team was able to compromise the Siemens Simatic S7-300 and dump the device memory. As the organization requested that we not disclose much information about the attack methodology, we are sharing only limited information. Another reason for sharing only brief information is that misuse of these attacks may lead to mass destruction.
Recommendations:
· If you have implemented any SCADA-based appliance, make sure you have updated its firmware and implemented best security practices.
· For self-assessment of your SCADA appliances you may use the Nessus SCADA plugins: http://www.tenable.com/blog/new-scada-plugins-for-nessus-and-tenable-pvs
· A periodic vulnerability assessment or penetration test by an outside third-party vendor is recommended to ensure complete security.
network compromised using microsoft word document

A few months back, the CCFIS team was conducting a penetration test of an IT firm. The organization was using multiple layers of security, with a properly configured firewall, up-to-date antivirus, IDS/IPS and whatnot. Inside the network they had already set up Active Directory with proper security policies for all users, a central update server and almost all best security practices. The organization was also ISO 27001 certified. They had also trained their employees about cyber security and threats, and hence even the weakest link in the security chain, the human part, was secured by training.
During penetration testing of the network, our team did not find any major exploitable vulnerability through which they could enter the network. As per the client's requirement, this had to be complete blackbox testing.
The company had an online job portal through which they were posting current openings and receiving applications. One of our team members took advantage of MS14-017. The vulnerability was the Microsoft Word RTF memory corruption zero-day, CVE-2014-1761, which allows an attacker to run arbitrary code on the client's machine. He immediately bound an in-house developed backdoor, which was less detectable by most antivirus engines, submitted a job application and uploaded his resume, which was a malicious RTF document.
The next morning, at exactly 9:41 AM, we got a reverse connection from a system that belonged to the HR department of that organization. When someone from HR checked their ERP and clicked this malicious resume, our exploit worked perfectly and established a reverse connection to our server. Later on, pivoting from this one compromised system, we found that many more servers and systems were vulnerable to publicly known vulnerabilities. This vulnerability and attack methodology was reported to the organization so that they can protect their network from these types of targeted attacks.
Recommendations
· Security is not a one-time investment; it is more of a regular practice. To secure your network, you need to keep checking for possible tiny flaws that may lead to a bigger vulnerability.
· Make sure every piece of software and every system on your network is properly updated.
· An ERP or any such system through which you receive files from outside your network must be sandboxed before those files are brought into the internal production network.
fortigate 310b multiple vulnerabilities
The CCFIS team works by one motto: 'give us anything, we will find a vulnerability'. During a presentation, a client told our sales representative: I am using a FortiGate 310B and I am totally secure, so why do I need a penetration testing service for my network? Our sales representative committed that the FortiGate device was not secure and that our team could find vulnerabilities. The deal was finalized, and we were tasked with auditing a fully updated FortiGate 310B.
While testing the firewall, we found several major and minor vulnerabilities. We were even able to reboot or shut down the firewall without admin or any other credentials. The device was also vulnerable to Cross-Site Request Forgery.
A basic function of a firewall is to stop DoS and DDoS attacks targeted at the network. We have created an InfoSec lab from which we can simulate almost any attack. DoS and DDoS attacks were performed on the firewall for stress testing, and the device itself was found prone to DoS and DDoS attacks.
FortiGate has a web filtering service called FortiGuard, which helps network administrators block certain categories of sites on the network. No VPN, Tor or other proxy-based tool could bypass this filtering mechanism. The CCFIS team was able to bypass it using a very simple technique in the Opera web browser called Off-Road mode, or Opera Turbo.
Even the data stored on the CompactFlash card of the firewall was not encrypted. In case of any physical compromise of the network, this data can be extracted to reveal the entire network architecture. The configuration data was deleted, but with some basic forensic techniques we were able to recover it again.
A few more major vulnerabilities were found on the firewall. All issues were reported to the Fortinet India team, who immediately forwarded them to the Fortinet US team. Fortinet acknowledged the vulnerabilities, and a patch was released and pushed to all Fortinet devices.
Recommendations
· Use the latest model of firewall, or at least the latest firewall OS.
· Choose your firewall brand wisely, and do some research for publicly available vulnerabilities or exploits before purchasing.
· When replacing the CompactFlash card of your firewall, make sure you have destroyed the previous one, as it contains the configuration file, which can reveal network architecture information. This data can be recovered with forensic tools even after deletion.
corporate laptop backdoor
One of our clients, an educational organization, provides laptops to its students, faculty and other staff for their educational and official work. MNCs, governments and almost every organization order laptops in huge quantities, and hence the vendor creates a separate model specially designed for that particular organization.
A few months back, a vendor reached the CIO of the organization and gave them a laptop for PoC and feasibility testing. Later on, this laptop was sent to the CCFIS team to check for any possible vulnerabilities. We created a test scenario in our InfoSec lab. First we restored the laptop to its factory settings and downloaded the laptop drivers from the vendor's official site. Only the operating system and drivers were installed on that laptop. Then we connected this laptop directly to a leased line and assigned it a live IP. Our network support team made sure that no other device was connected in between or on the network. The PoC laptop was left for a few days and all packets were captured using Wireshark.
After two days of packet capturing, the pcap files were sent to our attack analysis lab, where every packet was analyzed by team members for anything malicious.
After analysis, we found that this PoC laptop was connecting and sending data to a Chinese IP, and this Chinese IP belonged to an antivirus server. The question that arises is that no antivirus or any other software was installed other than the original operating system and device drivers. The same process was repeated on Windows XP, Windows 7 and Windows 8.1, and the result was the same on every operating system. Hence we concluded that there is no fault in the software part; it is the hardware that is creating connections and sending data to the Chinese IP.
This vulnerability was reported to the laptop vendor. At first they ignored it, and later they denied any involvement in this act. They concluded by saying that they only assemble multiple components purchased from various other vendors and do not actually manufacture every part installed in the laptop. This means that they need more quality and security checking procedures.
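The test bench described above (clean install, isolated leased line, multi-day capture) reduces to one question: which destinations does the laptop keep talking to that a bare OS plus vendor drivers has no reason to reach? The following is an added example, not CCFIS tooling: it takes a constructed per-flow summary of the kind one exports from a capture, drops destinations on a hypothetical allow-list of expected update services, and reports the hosts contacted on more than one day, which is the pattern of a built-in beacon rather than a one-off lookup.

```python
"""
Baseline check for a factory-reset test laptop: flag outbound destinations
outside the expected vendor/OS update networks and rank them by persistence.
Added example; flow records are constructed and the allow-list is hypothetical.
"""
from ipaddress import ip_address, ip_network

# Constructed flow summary, one line per flow:
# "<capture_day> <src> <dst> <dport> <bytes_out>"
FLOWS = """\
1 192.0.2.10 198.51.100.5 443 18000
1 192.0.2.10 198.51.100.5 443 4200
1 192.0.2.10 203.0.113.77 443 2600
2 192.0.2.10 203.0.113.77 443 2700
2 192.0.2.10 198.51.100.9 80 900
2 192.0.2.10 203.0.113.77 443 2650
"""

# Hypothetical networks a clean OS plus vendor drivers are expected to reach
# (OS update servers, the vendor's driver site). Everything else is suspect.
EXPECTED = [ip_network("198.51.100.0/24")]


def parse_flows(text):
    """Parse the flow summary into (day, src, dst, dport, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, dport, nbytes = line.split()
        records.append((int(day), src, ip_address(dst), int(dport), int(nbytes)))
    return records


def unexpected_destinations(records, expected=EXPECTED):
    """Return {dst: (days_seen, flow_count, bytes_out)} for every destination
    that is not inside one of the expected networks."""
    stats = {}
    for day, _src, dst, _dport, nbytes in records:
        if any(dst in net for net in expected):
            continue
        days, flows, total = stats.get(dst, (set(), 0, 0))
        days.add(day)
        stats[dst] = (days, flows + 1, total + nbytes)
    return {str(dst): (len(days), flows, total)
            for dst, (days, flows, total) in stats.items()}


def persistent_talkers(records, min_days=2, expected=EXPECTED):
    """Unexpected hosts contacted on at least min_days distinct capture days:
    these are the candidates for a connection built into the image or hardware
    rather than a one-off lookup, and are what to chase in the full pcap."""
    summary = unexpected_destinations(records, expected)
    return sorted(dst for dst, (days, _flows, _total) in summary.items()
                  if days >= min_days)


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    for dst, (days, flows, total) in unexpected_destinations(recs).items():
        print(f"{dst}: seen on {days} day(s), {flows} flows, {total} bytes out")
    print("persistent:", persistent_talkers(recs))
```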
Recommendations
· Before distributing laptops or PCs in your organization, check them for any possible backdoor installed by the vendor. We can help with testing and share the testing procedure on request. We can also help with capacity building for creating such a test bench.
· Before signing a contract with any vendor, check whether the vendor has been involved in such activities in the past. In our case, the vendor had already been blocked by a government agency of one country.
Sunday, 10 August 2014

Android Bulletin

executive summary

Security is no longer a "nice to have" but a must-have. Modern malware is not only about stealing files anymore; it is about stealth and complexity too. Targeted attacks, one of the most vicious examples of a stealthy threat, precisely target individuals, businesses, governments and their data. These attacks are a sophisticated weapon for carrying out targeted missions in cyberspace.
The scenario becomes worse when these attacks are on your mobile devices. It is a scary fact to admit, but our mobiles hold more critical and private data than our computers. Our mobiles are authorized to access our mailboxes, bank accounts, social networks, online backups and whatnot.
In our digital forensics lab, while investigating a client's case, we realized how users were being compromised using Android-based malware. These malware samples were then sent to our malware analysis team for further in-depth analysis. In our malware analysis lab, we analyzed the malware deeply to understand its working and behavior. In this edition we present a few exclusive malware samples that we found lurking inside users' Android devices without their knowledge.
With this research-based bulletin we intend to create a research collaboration and educate our readers so that the internet community can fight against these cyber threats.
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
google services framework

On Android phones, sometimes you cannot stop malware from "serving" you, especially when the "service" is actually a malicious Android class running in the background and controlled by a remote access tool (RAT). This malware pretended to be a "Google Services Framework" and started killing all antivirus processes before performing any malicious activity. We found this fake Google Services Framework when we received a financial fraud case. The fake app was installed on a user's mobile on which he had installed a few banking applications and linked his accounts with his phone.
In the past, we have seen Android malware that performs privacy leakage, banking credential theft or remote access separately, but this malware takes Android malware to a new level by combining all of those activities into one app. In addition, we found that the hacker had designed a framework to conduct bank hijacking.
A few seconds after the malicious app was installed, the "Google Services" icon appeared on the home screen. When the icon was clicked, the app asked for administrative privileges. Once administrative privileges were granted, the uninstall option was disabled and a new service named "GS" was started, as shown below. The app showed "App isn't installed." when the user tried to click the icon again, and the icon was removed automatically.

The malware has plenty of malicious actions which the RAT can command, as shown below:
Within a few minutes, the app started connecting to the C&C server and began receiving a task list from it. The server IP was 103.228.65.101, located in Hong Kong. We cannot confirm whether it is the hacker's own IP or a victim IP controlled by the RAT or through some pivoting attack.
After performing these activities, it first kills the antivirus process and then starts modifying banking applications. After a few hours the user received a notification: "The new version has been released. Please use after reinstallation." Usually, when an update is available, users are asked to download it, not to install it; Android performs the installation itself. The malware then downloaded from the C&C server an app named after "update" and the bank's short name; for example, if SBI is the bank, it will download "SBI Update". Also, while the fake banking app was downloading, the malware uninstalled the original bank app.
This was the first step. In the second step, when the command to upload SMS was received from the RAT, all the SMS on the Android phone started uploading to the C&C server. It is more of a complex hijacking framework than a simple malware.
After successful execution of all the steps planned by the hacker, he was able to access all of the victim's bank accounts and transfer money from them. The hacker was also able to read the victim's SMS for OTPs. This is how all the bank accounts connected to the victim's mobile were compromised.
recommendations
It is better to do deep research about any app before you install it on your phone. If you use banking applications on your phone, install only those apps which you actually use, and do not give administrative access to any app.
sms worm
We received this malware when a user complained that his mobile bill was more than 100 times his normal bill. The bill showed that he had been sending many international SMS every day. This Android phone was brought to us for further analysis.

After normal analysis, we did not find anything malicious happening on his phone. We changed the SIM card and installed a prepaid SIM, and its balance was nil within minutes. Later on, this case was taken up by our malware analysis lab for further analysis, and we found an application named "XXshenqi.A".
This application came with a free game APK downloaded by the user from a torrent site. While installing the game, he was asked to download this application, which claimed to work as a crack for the game, without which the game would not work. After downloading this application the game worked perfectly fine, so the user never cared to remove the crack, and this malware had the functionality of spreading as an SMS worm.
Once the installation was complete, it asked the user to fill in a registration form. The data from this form were sent to the malware author.

The real behavior started when the form was filled in. First it hid the app's icon from the menu, then it started registering the phone to receive/send SMS broadcasts and the boot broadcast. The app started a lot of background services and hence slowed down the phone's performance and started draining the phone's battery. We also found that incoming SMS were giving commands to the infected phone to execute malicious behavior, including the transmission of e-mail, sending text messages, fake messages, sending malicious download links to contacts, etc. Also, the user information was sent to the malware author's email ID a137736513@qq.com, as you can see in the source code extracted from the malware below.


recommendations
Installing antivirus and security solutions does not secure your device completely. Most users are compromised by pirated and fake apps. We recommend that you only download and install apps from the official marketplace (Google Play) for your device. Do not install or accept any .apk file unless you trust the vendor or understand what you are doing.
se-cure mobile AV
We received this fake antivirus from a C-level employee of an MNC. His complaint was that his official and personal IDs were being used to send spam messages without his knowledge. Obviously our first suspicion was that his laptop might be infected, but he was using a secured official corporate laptop, and we did not find anything malicious on it. Then we moved to the other devices through which he accessed his emails, and found that he accessed his mail only from the company laptop and from his Android phone. During the investigation, he mentioned that while surfing some sites on his mobile he got a pop-up window saying that you are our 10,000th visitor and hence we are giving you a 1-year free license of an antivirus program; download it and follow the instructions. He was motivated enough to download it and follow the instructions to install it on his Android phone.

This antivirus program was actually a spam mail sender, and the user had already authorized the fake antivirus program to access his Gmail ID. His email was also used to send invites to all his personal as well as official contacts, and hence this fake antivirus spread through his entire office and a few more colleagues were using it.
The user was also using a reputed antivirus, and this program was not detected as malicious because it did not perform any malicious activity in the beginning. When the program was installed, it automatically established a connection to http://malicious.coproration.hxor.ex/ and downloaded a few more supporting files, and these files were actually malicious.
recommendations
We recommend that our readers not be fooled by these lucrative offers. Sometimes you may receive offers related to your internet searching habits or pages you liked on Facebook, but most of them are fake. Do not use or download any pirated antivirus: an antivirus is meant to protect your device and alert you to any possible threat, and a pirated one will not alert you anymore. It is like hiring a thief as the guard of your home.
installing genuine “flash player”?

You might be aware of fake antiviruses and fake apps, but what about genuine, famous apps delivering malware to your device? A few famous and widely used apps have been customized by hackers to deliver ransomware to your device. Ransomware is a type of malware which restricts access to the mobile device it infects and demands a ransom paid to the creator of the malware in order for the restriction to be removed. This malware comes in the form of "flash player" and installs like a normal app. It also remains undetected by most mobile antiviruses, as the app itself does not perform any malicious activity; instead it downloads some malicious code to perform that malicious activity on your device. Once this app is installed, it starts killing on-system processes and a message appears on the user's screen to deposit $300 in order to unlock your own device.
After clicking the proceed button, a message pops up instructing the user to pay $300 via GreenDot MoneyPak and retrieve a coupon code; the user then enters that code in order to unlock the device. This makes the malware author untraceable. MoneyPak is a portal for sending money to wherever users need it. It works as a 'cash top-up card': the user purchases a $300 card from a participating retailer with cash or by online transfer and enters its code here.
Even after purchasing the $300 card, there is no assurance that your device will work properly like it did before the infection.

The malware does its best to be as intrusive as possible by blocking the victim's normal use of the device. It uses a Java TimerTask set to run every 10 milliseconds, through which the application kills any other running process the user interacts with, except the malware itself. The malware also uses an Android WakeLock to prevent the device from going to sleep.
In some cases, these apps steal your IMEI too and display it to the user as a scare tactic. Sometimes the user receives threatening messages saying 'We know who you are'. In some instances the app sends this IMEI back to its command and control server (C&C) to identify the device later and make it work like a bot.
Most of the time, users receive messages and notifications that they have been caught by the FBI and that this is FBI malware. The malware even captures the user's photo with the front camera to make the threat more realistic.
recommendations
Unfortunately, these ransomware samples are not detected by several major mobile antivirus and security solutions, and they are extremely hard to remove if you have given the malware device administrator privileges. Flashing or hard-resetting your device will work in all cases to get your phone back into a properly functioning state. Avoid giving device administration access to applications unless you are really sure of what they do. Only download apps from developers you know and trust. Download apps like Lookout, which can detect these threats before you open them.