ThreatFire Research Blog » Disclosure

Potentially the Largest Breach Ever

admin — Thu, 22 Jan 2009 17:04:00 +0000

Heartland Payment Systems disclosed little information in a press release regarding a security breach that they discovered last week. The company provides “credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide”.
The lack of information in the release is curious, because the news was released right on Jan. 20th, buried amongst the media focus on the new president, and the release contains little details on what may potentially be the largest known breach to date.
“Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.”
“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

It’s interesting and eye-opening that the company did not have systems in place to identify the breach themselves. They were tipped off to it by Visa and MasterCard:
“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”

“Heartland apologizes for any inconvenience this situation has caused. Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.”

We will monitor for more information regarding the malware itself. However, further details will most likely not be released in the midst of an ongoing investigation.

Internet Explorer 7.0 0day

admin — Tue, 09 Dec 2008 18:58:00 +0000

A suspected IE7 0day has surfaced on servers in China. Ryan Naraine posted information earlier this morning on the state of the patch and the exploit.

A couple of our ThreatFire users unfortunately visited the site, but fortunately they have been protected against multiple exploit attempts from that site. We are trying to trigger and analyze the 0day amongst the others, but it appears to be rather unreliable in exploiting a mshtml.dll vulnerability. The site attempts to attack multiple ActiveX control vulnerabilities, the ancient MS06-014 vuln, and several others. At the very least, the stash of trojans, rootkit components and password stealers delivered by it are prevented by ThreatFire.
Most of the malware appears to be gaming password related, and the 0day exploit implemented in javascript attempts to identify the OS your system is running and attacks WindowsXP or Windows 2003 accordingly.

Be sure to keep your Microsoft patches up-to-date, there should be more later today. A patch for the 0day flaw will follow.

USB Worms and Government Policy

admin — Thu, 20 Nov 2008 22:42:00 +0000

When federal government systems are hit with malware, the incidents often receive no public reporting. However, the slew of infections from removable drive based worms have become so bad on the U.S. Dept of Defense’s infrastructure that they’ve banned usb drives altogether, according to Wired’s reporter Noah Shachtman. It’s unfortunate that these drives are not being properly scanned, and that doing so must not be a part of process to this point.

The military’s policy decision is somewhat unsurprising, considering that the Gammima worm that made it onto the international space station this past August also spread using the Usb autostart technique. Worms have been very effectively spreading using this technique to deliver password stealing components since early 2007, and it’s about time policies are clamping down on the slack. Quick releases of worm variants evading anti-virus scanners continue to use the same autostart technique today. Of course, users running ThreatFire have been protected from these AV-evading autostart worms since they installed it.

Update (11/25/2008): The US-CERT posted information about what they are calling two popular “methods”. Basically, the post describes removable drive-based infection vectors — both to the removable drives, when worms copy themselves to the media from an infected system, and from the removable drives, when a worm abusing Windows’ autoplay functionality executes itself on the system. Nice to see awareness increasing — Autoplay can be dangerous!
It’s not always a waste of time anymore. In addition to running TF, you can scan your usb drives on a system with Autoplay disabled with your anti-virus scanner. The scanning solutions have, for the most part, caught up with the two year old technique.

Nominee’s Yahoo Account Hacked

admin — Thu, 18 Sep 2008 15:33:00 +0000

At BlackHat 2006, the organizers handed out books titled “Perfect Passwords“, a fantastic writeup on selecting, using and evaluating passwords: “Author Mark Burnett has accumulated and analyzed over 1,000,000 user passwords and through his research has discovered what works, what doesn’t work, and how many people probably have dogs named Spot”. Unfortunately, some of the government attendees must have set that book aside to read later. They have the opportunity to reread the text at the book’s preview on Google’s book search.

Yesterday, a link to wikileaks.org made the rounds, along with comments for Sarah Palin, a U.S. Vice Presidential nominee currently in the political media limelight. She reportedly was accused of using a Yahoo! email account for government business to avoid requests under Alaska law for the communications, and hacktivists recently attained access to her Yahoo! account, although it is unclear how they attained access. They posted contents and an index of the mail account on the wikileaks site. Some screenshots of the information were posted on sites like gawker.com. The wikileaks site is either overwhelmed with traffic today or was altogether taken down last night. The Fbi and Secret Service reportedly are investigating the breach.

Simple security practices are necessary to follow. Use a strong password that you can remember, and it’s not “Spot” or “password” (see Perfect Passwords). Pay attention to what you are doing when using your computer and visiting websites or responding to IM and emails or requests for information, and finally, use the secure resources that include antimalware protection provided by your organization.

Update — it appears that the “Forgot your password?” feature was exploited to gain access. Standard security practices would have avoided that problem.

DNS Cache Poisoning

admin — Thu, 24 Jul 2008 18:07:00 +0000

A google search for poison still returns a top result for one of the tackiest 80s pouty lipped glam bands around. They are still on tour, and they probably haven’t even heard of Dns.

Dns cache poisoning (there is a fine wiki for it) vulnerabilities have been all the rage on various security research mail lists for the past couple weeks and should be at the top of any search result list now. New working exploits targeting those vulnerabilities have been created and distributed. Coincidentally, Blackhat is being held next week, where Dan Kaminsky will present his original findings on it. Dan Kaminsky reportedly grouped together a huge number of dns providers and got a patch properly worked out and distributed for this thing.
What does “DNS Insufficient Socket Entropy Vulnerability” really mean to the average end user? Before you ask, there is a hitch. What was supposed to remain mysterious and closeted within the shadowy network security and dns administrator community has been released full force via full disclosure and Metasploit, the open source pen testing tool project run by HD Moore and friends. This addition means that this potentially dangerous information is public and potentially freely usable.
So now go ahead and ask. What does “DNS Insufficient Socket Entropy” really mean to me? If you are a standard user, you’re probably not administering a Dns server, but you (possibly unknowingly) are using Dns. Your ISP maintains these DNS servers, or the routes to them, for you. It is these systems that tell your browser what server to connect with when you are visiting “www.google.com”. They need to send your browser’s requests to your bank’s authentic web site when you attempt to browse it, instead of some creaky old mock up hosted in the furthest reaches of the planet. While you are dependent on Dns servers working properly and supporting “sufficient entropy”, there most likely is nothing you directly can do to administer and patch them.

In the meantime, visit the Microsoft Update site to check for new updates and ensure that third party software on your system is patched. Dns admins need to get their servers patched.
You can check Dan Kaminsky’s own site here or another tool here for information to present to your ISP, if they haven’t yet patched.

Update: Dan Kaminsky posted additional information that “DNS clients are at risk, in certain circumstances”, and that microsoft is patching multiple other dns client-side vuln (”has received two MSRC fixes in the past six months”). So, while the major focus is on the Dns servers, be sure to visit the windowsupdate site and patch away!