Tag: fireeye

Stuxnet gets a copycat

copycatOne of the most complex bits of malware in history has a copycat and no-one knows who created it.

Stuxnet was designed by the Israeli and US intelligence forces to shut down the Iranian nuclear weapons programme. It did its job rather well and even took down a few Middle Eastern businesses too.

Now, researchers have disclosed a piece of industrial control systems (ICS) malware inspired heavily by Stuxnet. Dubbed IRONGATE the code replaces certain types of files, and was seemingly written to target a specific control system configuration.

Security outfit Fireeye says that it is may not be a government which has released IRONGATE but whoever did it was clearly inspired by Stuxnet.
He said that the code is a blend of techniques written by someone who understands Stuxnet really well.

IRONGATE attacks, a Siemens testing environment called PLCSIM. Like Stuxnet, IRONGATE replaces a Dynamic Link Library (DLL), a small collection of code that can be used by different programs at the same time, with a malicious one of its own.

It records five seconds of traffic from the Siemens’ system to the user interface, and replays it over again, potentially tricking whoever is monitoring the system into thinking everything is fine, while the malware might manipulate something else in the background.

It was so good that when FireEye tested it no anti-virus vendors thought the files were malicious.

“Siemens Product Computer Emergency Readiness Team (ProductCERT) confirmed that IRONGATE is not viable against operational Siemens control systems and determined that IRONGATE does not exploit any vulnerabilities in Siemens products,” FireEye’s report reads.

But IRONGATE differs from Stuxnet in the way it avoids detection. IRONGATE will sense if it’s within a VMware virtual machine or a Cuckoo Sandbox environment. Stuxnet only looked for various antivirus programs on the target system, FireEye note.

FireEye team does not think that IRONGATE is the work of Stuxnet’s authors. For a start it is much older and its history only stretches back to 2012. IRONGATE lacks the sophistication you would expect from a nation state.

People are not spending on security

Were-Doomed-The-Dads-Army-StorySecurity outfit FireEye released some disappointing results and claim it is because firms are skimping on their security budgets.

FireEye forecast a bigger than expected loss for the first quarter and said it expected growth in cyber security spending to slow this year.

FireEye Chief Executive Dave DeWalt said sales across the industry were boosted by “emergency spending” last year as major hacking attacks prompted some companies to place massive orders.

“Now I see a much more normalized spending environment,” he said in an interview ahead of the company’s quarterly earnings call with analysts.

The company forecast an adjusted loss per share of 49-53 cents per share for the quarter ending March, bigger than the 40 cent loss analysts were expecting on average.

DeWalt said the buying of iSight Partners and Invotas this year would hurt profitability in the short term as both businesses were subscription-based.

Subscriptions bring in less money in the short term.

The company bought privately held iSight for $200 million in January to boost its cyber intelligence offerings for governments and businesses.

While demand for more sophisticated security offerings has surged in the face of an increase in cyber hacking, FireEye is facing intense competition from Palo Alto Networks, Proofpoint and Imperva.

FireEye’s fourth-quarter billings was $256.9 million – at the lower end of the $257 million-$258 million the company had estimated in January.

FireEye said net loss attributable to common shareholders increased to $136.1 million, or 87 cents per share, in the quarter ended Dec. 31, from $105.7 million, or 72 cents per share, a year earlier.

Revenue rose 29.2 percent to $184.8 million, missing analysts’ average estimate of $185.3 million.

Apple faces more cyber attacks

Apple blossom, Mike MageeA report said that malware aimed at Apple devices has doubled this year, and will face further attacks in 2016.

The BBC reported that Symantec and FireEye are predicting that Apple will face increased threats in 2016.

The Apple operating system – OS X – is subject to way fewer attacks than Windows, Symantec said, but the number was seven times greater this year and last.

Attacks on Apple’s iOS operating system, used in iPads and iPhones is also increasing.

Apple notebooks have shown steady growth during 2015 while Windows notebook sales have been flat.

That may be the reason for hackers taking time to devise methods involving Apple users.

FireEye tried to cover up patched vulnerabilities

who-framed-roger-rabbit-christopher-lloyd-judge-doomThere was a row at the London security conference 44CON as a US security company FireEye attempted to kill off public disclosure of a major series of vulnerabilities in its suite.

The patched flaws included the default use of the ‘root’ account on a significant number of the Apache servers providing services to FireEye’s clients.

An attacker able to compromise the server would face no further permissions barriers in obtaining any data and starting or manipulating any connections or file/database operations of which the server is capable.

On 13 August, FireEye got an injunction in a German District Court, to prevent the security researcher who found the vulnerabilities from discussing it in a keynote speech at the conference.

However it was not served until the 2 September which meant that he could not contest the gagging order in time.

Felix Wilhelm, a security researcher for ERNW GmBH, made FireEye aware of the vulnerabilities five months ago, and worked with the company to fix it. However, FireEye decided that no disclosure of the vulnerabilities should be allowed to take place. Presumably because it was worried that its high profile customers might be a little worried. Security software is supposed to stop hacks not enable them.

When questioned about the injunction by the Stack  FireEye said that all it wanted was for the researchers not to reveal the companies IP address.

“No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now.

“Our customers are protected. This was not about stopping them from issuing a report neither the vulnerabilities, it was about protecting intellectual property that they didn’t have a legal right to publish,” a spokesFireEye said.

Android gets a malware kicking

A mobile botnet called MisoSMS is giving the Android platform a kick in the botnets, stealing personal SMS messages and sending them to attackers in China.

God knows what a Chinese hacker would do with the information that I am still “in the pub and will be late home”, or “can you turn the oven on for fish and chips” which are the content of my SMSes in the last few days.

However Researchers at FireEye claim that MisoSMS as “one of the largest advanced mobile botnets to date” and warning that it is being used in more than 60 spyware campaigns.

FireEye found that the infection started in Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China.

So far FireEye’s research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family. It also has an elaborate command-and-control system that uses more than 450 malicious e-mail accounts.

FireEye’s Vinay Pidathala said MisoSMS uses a malicious Android app called “Google Vx” that masquerades as an Android settings app.

Using a bit of trickery to get itself installed, the app secretly steals the user’s personal SMS messages and emails them to a webmail command-and-control.

What is unusual about this method is that some SMS-stealing malware sends the contents of users SMS messages by forwarding the messages over SMS to phone numbers under the attacker’s control. Others send the stolen SMS messages to a CnC server over TCP connections.

MisoSMS sends the stolen SMS messages to the attacker’s email address over an SMTP connection.

Pidathala said that Fireeye had managed to get all of the reported malicious e-mail accounts  deactivated as part of a mitigation strategy with law enforcement and security response officials in Korea and China.