One of the zero-day flaws patched by Microsoft on Tuesday had been used for some time by a group with suspected Chinese government ties that targets technology companies, CrowdStrike's chief executive said Tuesday.
CEO Dmitri Alperovitch said his CrowdStrike has been battling with the group, which the company dubbed "Hurricane Panda," on a daily basis since earlier this year.
"They've been very persistent actors," Alperovitch said in a phone interview Tuesday. "We believe with confidence they're indeed tied to the Chinese government in their objectives."
Hurricane Panda has targeted technology infrastructure companies, Alperovitch said. He said he could not identify the companies, which use CrowdStrike's services.
CrowdStrike analysts often see attacks in action and work to boot the hackers from networks. It results in a fast-playing offense and defense, which Alperovitch said can lead to mistakes by the hackers seeking to keep their foothold.
"We are able to literally record every command they try and understand immediately what they're doing," he said.
For example, the analysts will often see hackers mistype commands, such as "hsotname" instead of "hostname" and "romote" for "remote," as they hastily try to maintain their access.
Hurricane Panda is noteworthy for using tightly written exploit code, "win64.exe," that allowed the group to move through network systems once a computer had been hacked. That tool would be uploaded using a webshell nicknamed "ChinaChopper" that the attackers had placed on a company's servers, Alperovitch said.
Win64.exe, which runs on 64-bit Windows systems, takes advantage of a privilege escalation vulnerability, which can allow attackers to gain administrative rights to other programs from the account of a user who doesn't have those permissions.
Microsoft patched the vulnerability, CVE-2014-4113, on Tuesday, but Hurricane Panda had been using it for a while. CrowdStrike notified Microsoft of the flaw when it discovered the attackers were using it, Alperovitch said.
If successfully exploited, the flaw allows arbitrary code to be run in kernel mode, allowing an attacker to install programs, view or change data or create new accounts with full administrator rights, according to a blog post from Symantec on Tuesday.
Privilege escalation flaws aren't rare, but it is uncommon to see one used for so long by a group, which indicates that the attackers have "knowledge about non-public exploitable security bugs, which usually means the exploit was either bought from a supplier or developed in-house," Alperovitch wrote in a post on the company's blog.
Win64.exe contained an interesting embedded string of characters, "woqunimalegebi," which translates to a Chinese swear word, Alperovitch said. The word is often misspelled in Chinese to avoid being blocked by the country's filtering equipment, and that intentional error changes the meaning of the vulgarity to "fertile grass mud horse in the Mahler Gobi Desert," according to CrowdStrike.
Alperovitch said it's hard to say why programmers insert such messages, but "perhaps they were trying to send a message to anyone that is reverse engineering the code."
Send news tips and comments to [email protected]. Follow me on Twitter: @jeremy_kirk
View the original article here
Angela Gunn, an old friend who is working as a security researcher these days was explaining some of the problems with traditional approaches to thinking about security. But she is focused on Hewlett-Packard's latest push, which is to think like a bad guy trying to break into computer networks and databases.
We were both attending the HP Protect conference here, which spotlighted the "Think Like a Bad Guy" theme pretty much everywhere you looked. "Really," she said, "you have to think like whoever the bad guy is working for." My friend had a point. While it's important to understand the cyber-criminal's approach when they're attacking you, the only way to really understand them is to understand their motivations. What is it they're looking for when they break into your network?
I found out when I entered the conference display floor and wandered to the back of the room to the Bad Guys Lair. This required a walk through a smoke-filled corridor crisscrossed with laser beams to reach a bunch of people sitting around among pizza boxes, soda cans and bags of empty calories. These were the HP "Bad Guys." I later found out that I could have gone around to the rear entrance and avoided the drama. Leave it to security guys and corporate hackers to engineer in an analog back door.
What I found there laid out clearly was what HP means about thinking like a bad guy. On a wall-sized screen were employment ads for low-level hackers to run a local mission, provide expertise in specific areas of some operating systems, or perhaps infiltrate an office and drop off a malware laden USB memory stick. On another screen there was page after page of ads for commercial software, but these packages were commercial malware designed to sniff out credit cards or passwords. These applications were sold and licensed just like software from big-name software companies.
Want an app to read credit card numbers from Firefox? That'll be $500. Want one that does Firefox and Internet Explorer? You can upgrade for an additional $500. One of the security researchers, who we'll call "Sam" (they don't want their real names used in public) explained that one of his colleagues maintained between eight and 10 identities on those hacker websites so they can keep up with what's current. Then he showed me where you can buy credit card numbers. Unfortunately, this illustrated just how easy it is to obtain those numbers, and how easy it is to create counterfeit credit cards.
He took a blank plastic card with a magnetic stripe, ran it through a device and created a blank credit card in less than five seconds. So I asked him how useful such a card would be. What he told me is enough to immediately stop using any card without an EMV chip.
