Flame Burns Microsoft With Digital Certificate Hack

Published: 22/11/2024   Category: security




Microsoft issues emergency patch in wake of digital certificate abuse, and new details revealed on massive Flame C&C infrastructure



The Flame cyberespionage attack took a new twist today as Microsoft issued an emergency patch for all versions of Windows after it discovered the attackers had abused one of its digital certificates to help spread the infection from one machine to others within the targeted organization.
Microsoft over the weekend released a security update and an out-of-band patch that kills three rogue certificates that appeared to be signed by Microsoft and allowed the malware to slip past Windows controls. The software giant did not give details on the actual attack, but according to new analysis by Kaspersky Lab, a Flame module named Gadget was used to infect other machines in the same network as the targeted machine, therefore spreading more widely within the targeted organization. Gadget and another module called Munch wage a man-in-the-middle attack during a Windows Update session that redirects the user's machine to a phony update carrying the malware, which looks as if it were signed by Microsoft but was not.
That, according to Kaspersky's Alex Gostev, chief malware expert, explains how Flame was able to infect fully patched Windows 7 machines.
The attackers preyed on apparent weak encryption in Microsoft's Terminal Services -- specifically an older cryptographic algorithm used in Microsoft's Terminal Server Licensing Service, which lets enterprises enable Remote Desktop services. In addition to the security update issued by Microsoft to kill the rogue certs, Microsoft has also halted issuing certificates for code-signing through Terminal Services.
Mike Reavey, senior director of Microsoft's Security Response Center, says that most companies aren't at risk of attack since Flame was so targeted, and also because now most anti-malware detects and removes Flame. But the worry is that other attackers could copy the method used by Flame and strike at a broader audience: "Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks," he wrote in a blog post today.
Security experts say this hack could have been much worse in the hands of traditional cybercriminals. Researchers believe Flame was a parallel cyberespionage effort to Duqu and Stuxnet, likely the work of a nation-state such as the U.S. and Israel, but no officials have gone on record to confirm it.
The New York Times reported on Friday that anonymous U.S. officials confirmed that Stuxnet and its associated espionage were the work of the U.S. and Israeli officials trying to cripple Iran's nuclear weapon development. The so-called Olympic Games attacks originated in the Bush administration and continued under the Obama administration.
Flame's abuse of Microsoft's digital certificate demonstrates just how these well-funded and organized cyberespionage efforts take attacks to another level.
"Having a Microsoft code signing certificate is the Holy Grail of malware writers. This has now happened," said Mikko Hypponen, chief research officer at F-Secure, in a blog post today. "I guess the good news is that this wasn't done by cyber criminals interested in financial benefit. They could have infected millions of computers. Instead, this technique has been used in targeted attacks, most likely launched by a Western intelligence agency."
According to F-Secure, one module for Flame wages a man-in-the-middle attack on the Microsoft Windows Update system, and then infects the targeted machine. If successful, the attack drops a file called WUSETUPV.EXE to the target computer. "This file is signed by Microsoft with a certificate that is chained up to Microsoft root," Hypponen said.
"This was not a CA [certificate authority] breach, but because weak encryption was used, it was a certificate breach," says Jeff Hudson, CEO at Venafi. "That allowed the code to pretend it was authorized and signed by Microsoft." It's unclear, as yet, whether the attackers used Terminal Services to log onto other systems or to sign other code, he says.
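The defensive follow-up to the emergency update described above is to confirm, on each machine, that the rogue intermediates now sit in the Windows Untrusted (Disallowed) certificate store, and to check whether a suspect signed binary such as WUSETUPV.EXE chains through one of them. The following is an added example, not code from the article, Microsoft or Kaspersky; it assumes an elevated Windows PowerShell session, and the subject-name pattern `Enforced Licensing` is an assumption that should be compared against the certificates actually named in Microsoft's advisory.

```powershell
# Added example (not from the article): post-patch checks for the Flame
# certificate revocation. Run in an elevated Windows PowerShell session.
#
# Question 1: did the out-of-band update land the rogue intermediates in the
#             machine's Disallowed store, so Windows refuses anything chained
#             to them?
# Question 2: does a given Authenticode-signed file chain through one of the
#             distrusted CAs?

function Get-DistrustedLicensingCerts {
    # ASSUMPTION: the subject pattern is illustrative; verify it against the
    # certificate names listed in Microsoft's advisory for this update.
    param([string]$SubjectPattern = 'Enforced Licensing')

    # Cert:\LocalMachine\Disallowed is where Windows keeps explicitly
    # untrusted certificates; a chain touching any of them fails validation.
    Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like "*$SubjectPattern*" } |
        Select-Object Subject, Thumbprint, NotAfter
}

function Test-SignerChainAgainstDisallowed {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Verdict = 'Unsigned' }
    }

    # Thumbprints of everything Windows has been told to distrust.
    $disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        ForEach-Object { $_.Thumbprint }

    # Build the chain ourselves so every element can be inspected, not only
    # the leaf: the Flame certificate was a valid-looking leaf under a
    # licensing intermediate that chained up to the Microsoft root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($sig.SignerCertificate)

    $hits = foreach ($el in $chain.ChainElements) {
        if ($disallowed -contains $el.Certificate.Thumbprint) { $el.Certificate.Subject }
    }

    $verdict = if ($hits) { 'Chains through a distrusted CA' }
               elseif ($sig.Status -eq 'Valid') { 'Valid' }
               else { [string]$sig.Status }

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status                   # Windows' own verdict
        Signer   = $sig.SignerCertificate.Subject
        ChainHit = ($hits -join '; ')            # chain elements found in Disallowed
        Verdict  = $verdict
    }
}

# Usage (file path is a placeholder for a quarantined sample):
# Get-DistrustedLicensingCerts
# Test-SignerChainAgainstDisallowed -Path 'C:\quarantine\WUSETUPV.EXE'
```

On a machine that has not received the update, the first function returns nothing and the second may report the sample as `Valid`, which is exactly the condition the article describes: a chain that terminates at the Microsoft root but runs through an intermediate that should never have been able to sign code. Walking the whole chain rather than trusting the leaf's status alone is the check that catches it.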
Meanwhile, more information on Flame's command-and-control (C&C) infrastructure was revealed today by Kaspersky Lab and OpenDNS, which sinkholed 30 of the C&C servers supporting the attack. The C&C domains for Flame used a long list of fake identities and various registrars dating back to 2008, and there are more than 80 known domains, with 24 IP addresses currently hosting the domains. The attackers used 22 different registration services. "Flame's command-and-control [infrastructure] is huge, unlike anything we've seen before," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "These servers have been moving all over the world."
The C&C infrastructure initially went dark hours after Kaspersky Lab first reported its findings on Flame last week, Schouwenberg says. Then on Saturday afternoon Eastern time, it came back to life temporarily, with some of the Flame domains pointing to an IP address in Germany, but it's unclear whether that was the attackers or other researchers in action, he says.
Kaspersky and OpenDNS's findings also appear to confirm that Iran was the main target of the Flame attack. The sinkhole contains 45 infected machines from Iran, 21 from Lebanon, and 14 in Sudan. The rest are single-digit infections in other countries, including eight from the U.S.
Dan Hubbard, CTO for OpenDNS, says while his firm can't be sure who's behind Flame, it's unique because it was so well-planned and executed. "The domains were registered by people ... using company names like Nvdia," he says. "We believe, that combined with the small packet size, it was built to go under the firewall, IPS, and data leakage prevention radars to look like regular traffic."
[Easy-to-crack encryption likely helped keep Flame alive, as well as its resemblance to conventional software. See How Flame Hid In Plain Sight For Years.]
And the domains were not ones historically associated with cybercriminals, he said. "That's very rare," Hubbard says.
The danger with this type of attack is that it's difficult to detect and stop. "This sort of attack is really hard to defend against," says Roger Thompson, chief emerging threats researcher for ICSA Labs. "You simply have to stop this code before it gets running, and, again, the only way to do this is with integrity management and behavior monitoring."