Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/15/2014
04:35 PM
50%
50%

'Hurricane Panda' Cyberspies Used Windows Zero-Day For Months

The vulnerability is one of multiple issues patched this week by Microsoft that have been targeted by attackers.

A sophisticated group of hackers believed to be from China has been caught using a Windows zero-day bug in a spate of attacks against technology infrastructure companies around the world.

Dubbed "Hurricane Panda," researchers at CrowdStrike spotted the group earlier this year exploiting one of the privilege escalation vulnerabilities (CVE-2014-4113) patched Tuesday by Microsoft. The vulnerability is one of three privilege escalation issues the attackers leveraged in their campaign.

CrowdStrike first detected the attacks in spring, when the group was detected on a victim's network. After the attackers were initially stopped, they continued to attempt to regain access on a daily basis.

"These attempts begin with compromising web servers and deploying Chopper webshells and then moving laterally and escalating privileges using the newly discovered Local Privilege Escalation tool," blogs Dmitri Alperovitch, CTO of CrowdStrike.

"Their RAT of choice has been PlugX configured to use the DLL side-loading technique that has been recently popularized among Chinese adversaries," he continues. "Perhaps their most outstanding technique has been the use of free DNS services provided by Hurricane Electric to return an attacker-controlled IP address for lookups for popular third-party domain names. Hurricane Panda is known to use the 'ChinaChopper' Webshell, a common initial foothold for many different actors. Once uploading this webshell, the actor will typically attempt to escalate privileges and then use a variety of password dumping utilities to obtain legitimate credentials for use in accessing their intelligence objectives."

The zero-day reported by CrowdStrike was also reported by FireEye, and affects all x64 Windows variants up to and including Windows 7 and Windows Server 2008 R2. On systems with Windows 8 and later variants with Intel Ivy Bridge or later generation processors, SMEP (Supervisor Mode Execution Prevention) will block attempts to exploit the bug and result in a blue screen, Alperovitch says.

"The exploit code is extremely well and efficiently written, and it is 100 percent reliable," he said. "The adversary has gone through considerable effort to minimize the chance of its discovery -- the win64.exe tool was only deployed when absolutely necessary during the intrusion operations and it was deleted immediately after use. The build timestamp of the Win64.exe binary of May 3, 2014 suggests that the vulnerability was actively exploited in the wild for at least five months."

The privilege escalation issue was not the only bug patched this week by Microsoft that has been the target of zero-day attacks. Reports have surfaced that attackers have also been targeting CVE-2014-4148, which, like CVE-2014-4113, is addressed by MS14-058. Both are vulnerabilities in the Windows kernel.

Attackers have also targeted CVE-2014-4114 [MS14-060], which researchers at iSight Partners have linked to cyber-espionage attacks on NATO, Ukrainian government organizations, European telecommunications firms, the energy sector (specifically in Poland), and other targets. The group behind those attacks has been nicknamed Sandworm, and is believed to have been around since 2009.

Microsoft also identified an Internet Explorer vulnerability (CVE-2014-4123) that has been the subject of limited attacks as well. The flaw could be used to escalate privileges. It is patched by MS14-056. 

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/17/2014 | 3:24:43 PM
Re: Escalation of RAT's and Elevation
I personally don't believe it is a coding flaw but the nature of the beast, in regards to operating systems.  There are certain functions that happen on an OS that require SYSTEM or ROOT access in order to function.  To a normal user these processes or daemons function happily in the background.  To an attacker they are the express ticket to the penthouse if they can just catch a ride.

Unless we completely overhaul the modern operating system from the ground up, these types of exploits are here to stay.  Even if we did try to start over from scratch I am not confident we could completely correct this problem.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
10/17/2014 | 3:20:23 PM
What were they after?
"After the attackers were initially stopped, they continued to attempt to regain access on a daily basis."

To me, this is the most striking comment in the article.  Why was this target so important?  Is it just a case of trying to regain a foot hold or were they after something important?
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/16/2014 | 9:34:40 AM
Escalation of RAT's and Elevation
What can be attributed to the recent rise in RAT's? It seems that many of the vulnerabilities that have been discovered recently whether it be Linux or Windows allow for the malicious intender to elevate privileges and backdoor in. Is this due to an overlooked flaw in the coding or is this because some level dictates that this ability is required to run certain designed functionalities?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16246
PUBLISHED: 2019-12-12
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
CVE-2019-17358
PUBLISHED: 2019-12-12
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP ...
CVE-2019-17428
PUBLISHED: 2019-12-12
An issue was discovered in Intesync Solismed 3.3sp1. An flaw in the encryption implementation exists, allowing for all encrypted data stored within the database to be decrypted.
CVE-2019-18345
PUBLISHED: 2019-12-12
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrat...
CVE-2019-19198
PUBLISHED: 2019-12-12
The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS.