Exploit This

Security News, Exploits, and Vulnerabilities.

FBI: $3M Bounty for ZeuS Trojan Author

The FBI this week announced it is offering a $3 million (USD) bounty for information leading to the arrest and conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.

So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — of Bogachev and his trusted associates.

TurboTax’s Anti-Fraud Efforts Under Scrutiny

Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax — allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their collective fight against the multi-billion dollar problem of tax refund fraud.

TA15-051A: Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing

Original release date: February 20, 2015

Systems Affected

Lenovo consumer PCs that have Superfish VisualDiscovery installed, and potentially other systems running software built on the same Komodia interception library.

Overview

“Superfish” adware installed on some Lenovo PCs installs a trusted root certification authority (CA) certificate whose private key is the same on every affected machine (a non-unique root), allowing an attacker who holds that key to spoof HTTPS traffic.

Description

Starting in as early as 2010, Lenovo has pre-installed Superfish VisualDiscovery spyware on some of its PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted (HTTPS) connections, the software installs a trusted root CA certificate for “Superfish.” All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application, a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser does not display any warning that the traffic is being tampered with. The private key for that CA ships inside the Superfish software and is identical on every installation, so it can easily be recovered; an attacker who has it can generate a certificate for any website that will be trusted by every system with the Superfish software installed. This means websites such as banking and email sites can be spoofed without a warning from the browser.

Although Lenovo has [1] stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

The underlying SSL decryption library from Komodia has been found to be present in other applications, including “KeepMyFamilySecure.” Please refer to CERT [2] Vulnerability Note VU#529496 for more details and updates.

To detect a system with Superfish installed, look for an HTTP GET request to:

superfish.aistcdn.com

The full request will look like:

http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

Where [ACTION] takes (at least) the values 1, 2 and 3: 1 and then 2 are sent when the computer is turned on, and 3 is sent when the computer is turned off. [GUID] identifies the installation, so the same value recurring in a log ties those requests to one machine.
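The beacon above turned into a log check, as an added example that is not part of the US-CERT alert: a POSIX shell function that scans Squid-style proxy log lines for GET requests to superfish.aistcdn.com/set.php, pulls out the installation GUID and Action value, and labels each hit with the power-on/power-off meaning given above. The log lines are constructed for the example (client addresses, GUIDs and timestamps are made up, and one line is a deliberate decoy where the string appears inside another site's URL path), and the Squid native field layout (client address in field 3, URL in field 7) is an assumption; adjust the field numbers for other log formats.

```shell
#!/bin/sh
# Added example: flag the Superfish VisualDiscovery beacon in a web-proxy log.
# Log lines below are constructed for this example (Squid native format:
# time elapsed client status bytes method URL ...); they are not real captures.
set -eu

sample_log() {
cat <<'EOF'
1424390000.123     45 10.0.0.17 TCP_MISS/200 512 GET http://superfish.aistcdn.com/set.php?ID=8f1c2b3a-4d5e-6f70-8192-a3b4c5d6e7f8&Action=1 - HIER_DIRECT/203.0.113.10 text/html
1424390001.456     40 10.0.0.17 TCP_MISS/200 512 GET http://superfish.aistcdn.com/set.php?ID=8f1c2b3a-4d5e-6f70-8192-a3b4c5d6e7f8&Action=2 - HIER_DIRECT/203.0.113.10 text/html
1424390002.789    120 10.0.0.42 TCP_MISS/200 2048 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1424390003.000     90 10.0.0.42 TCP_MISS/200 300 GET http://cdn.example.net/superfish.aistcdn.com/set.php?ID=x&Action=1 - HIER_DIRECT/93.184.216.34 text/html
1424393600.001     38 10.0.0.23 TCP_MISS/200 512 GET http://superfish.aistcdn.com/set.php?ID=0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9&Action=3 - HIER_DIRECT/203.0.113.10 text/html
EOF
}

# superfish_hits: read log lines on stdin; print "client GUID action meaning"
# for each request whose host is superfish.aistcdn.com and path is /set.php.
# The match is anchored at the start of the URL, so the same string appearing
# inside a path on some other host (the decoy line above) is not reported.
superfish_hits() {
    awk '
    index($7, "http://superfish.aistcdn.com/set.php?") == 1 {
        q = substr($7, index($7, "?") + 1)          # query string only
        guid = "-"; action = "-"
        n = split(q, kv, "&")
        for (i = 1; i <= n; i++) {
            if (substr(kv[i], 1, 3) == "ID=")     guid   = substr(kv[i], 4)
            if (substr(kv[i], 1, 7) == "Action=") action = substr(kv[i], 8)
        }
        if (action == "1" || action == "2") meaning = "power-on"
        else if (action == "3")             meaning = "power-off"
        else                                meaning = "unknown"
        print $3, guid, action, meaning
    }'
}

# infected_clients: distinct client addresses that sent the beacon.
infected_clients() {
    superfish_hits | awk '{ print $1 }' | sort -u
}

# count_lines: line count without the platform-dependent padding of wc -l.
count_lines() { awk 'END { print NR }'; }

sample_log | superfish_hits
```

Run it against a real log with `superfish_hits < /var/log/squid/access.log`. Absence of the beacon is not proof that a machine is clean: as the Solution section notes, uninstalling the software leaves the root certificate in place, so the certificate store still has to be checked.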

Impact

A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.

Solution

Uninstall Superfish VisualDiscovery and associated root CA certificate

Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this includes Superfish Visual Discovery.

It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on [3] deleting and [4] managing certificates in the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”

Mozilla provides similar [5] guidance for their software, including the Firefox and Thunderbird certificate stores.
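A demonstration, added here and not part of the alert, of what the Description and Solution sections describe: with openssl, generate a throwaway CA standing in for the Superfish root (its subject copies the “Superfish, Inc.” name, but the key is freshly generated, not the real recovered key), mint a certificate for an arbitrary bank hostname with it, and show that the forged certificate verifies cleanly while that root is trusted and fails once the root is absent from the trust store, which is the state the removal steps above produce. The hostname bank.example and the file names are illustrative.

```shell
#!/bin/sh
# Added example: a shared, extractable root CA as a spoofing primitive, and
# why removing the root from the trust store is what closes the hole.
# The "Superfish, Inc." CA below is a throwaway key generated locally; it
# stands in for the real one and does not reproduce its private key.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# 1. Stand-in for the root that Superfish adds to the Windows root store.
#    Every affected PC trusts the same certificate, so whoever holds this
#    key can sign for any site.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Superfish, Inc./O=Superfish, Inc." \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The attacker mints a leaf certificate for a site the victim visits
#    (bank.example is an illustrative name).
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=bank.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf '%s\n' 'basicConstraints = CA:FALSE' \
    'subjectAltName = DNS:bank.example' \
    'extendedKeyUsage = serverAuth' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null

# verify_with_superfish_ca: what a client on an affected PC concludes
# (succeeds when openssl reports the chain as OK).
verify_with_superfish_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# verify_with_system_store: the same check once the rogue root is gone
# (only the default trust store is consulted; the forged chain has no anchor).
verify_with_system_store() {
    openssl verify "$WORK/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# leaf_issuer: who signed the forged certificate.
leaf_issuer() {
    openssl x509 -in "$WORK/leaf.crt" -noout -issuer
}

echo "forged certificate $(leaf_issuer)"
if verify_with_superfish_ca; then
    echo "rogue root trusted:  bank.example certificate ACCEPTED (no browser warning)"
fi
if verify_with_system_store; then
    echo "rogue root removed:  bank.example certificate ACCEPTED (unexpected)"
else
    echo "rogue root removed:  bank.example certificate REJECTED"
fi
```

The two verify functions are the before and after of the remediation above: as long as the “Superfish, Inc.” root remains in the Windows store (or in Firefox's own store), the first result is the one the browser gets, whether or not the Superfish application itself has been uninstalled.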

References

Revision History

  • February 20, 2015


Equation Group: from Houston with love

In 2009, an international scientific conference on Energy and Space technologies was held in Houston. The organizers sent out a post-meeting CDROM. The disk used in the Houston attack represents a rare and unusual operation for the Equation Group.

BE2 Extraordinary Plugins, Siemens Targeting, Dev Fails

Our November post introducing our BlackEnergy2 (BE2) research described new findings on the group’s activity. We presented both details on their plugins and significant findings about some of their targets and victims. In this post, let’s examine several additional plugins more…

The Rise in State Tax Refund Fraud

Scam artists stole billions of dollars last year from the U.S. Treasury by filing phony federal tax refund requests on millions of Americans. But as Uncle Sam has made this type of fraud harder for thieves to profit from, the crooks have massively shifted their focus to conducting refund fraud at the state level. Or at least according to Intuit Inc., the makers of TurboTax: The company says it believes that shift is responsible for a whopping 3700 percent increase in fraudulent state tax refund filings this year in some states.

The Desert Falcons targeted attacks

The Desert Falcons are a new group of cyber mercenaries operating in the Middle East. There are more than 3,000 victims in 50+ countries around the world, and more than 1 million files were stolen, including diplomatic, military and financial documents.

‘Spam Nation’ Wins PROSE Award

I am pleased to announce that my new book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door, has been honored with a 2015 PROSE Award in the Media & Cultural Studies category.

A Fanny Equation: “I am your father, Stuxnet”

During our 2014 research into the Equation group, we created a special detection for the group’s exploitation library, codenamed “PrivLib”. To our surprise, this detection triggered on a worm from 2008 that used the Stuxnet LNK exploit to replicate, codenamed Fanny.

Equation: The Death Star of Malware Galaxy

The Equation group is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. It is probably one of the most sophisticated cyber attack groups in the world.
