Cyber Espionage Campaign Compromises Web Properties to Target US Financial Services and Defense Companies, Chinese Dissidents – CVE-2015-0071 and CVE-2014-9163
Requests for Technical Indicators / For More Information
High level details of this campaign – including iSIGHT’s assessment of the actors behind it – can be found below.
Further information will be provided in two live briefings by iSIGHT and Invincea to any interested parties:
Wednesday, February 11th at 10:00 a.m. eastern – register here
Wednesday, February 11th at 2:00 p.m. eastern – register here
Full report with technical indicators:
- To support organizations in determining their potential exposure to this campaign, iSIGHT is making available a broader technical report – inclusive of indicators – through a formal vetting process.
- To request the full technical report, please follow this link and complete the necessary information. Note that you will need to provide professional credentials including work email and telephone and that iSIGHT may contact you to verify those credentials prior to releasing the report.
- If you have a media related inquiry regarding this disclosure, please contact iSIGHT at 994.9349 or by sending email to email@example.com.
In late November of 2014, through the natural course of our research and analysis on cyber espionage activities, iSIGHT Partners discovered through multiple sources – including its partnership with Invincea – an active watering hole campaign utilizing the legitimate and heavily trafficked Forbes.com website and multiple other (more obscure) websites around the world.
Based on our visibility, the campaign was only active on the Forbes.com website for a brief duration – lasting from November 28th through December 1st of 2014. It should be noted that our visibility is limited and there is a possibility of a longer duration of activity.
The perpetrators of this campaign are believed to be the Chinese cyber espionage team dubbed Codoso Team by iSIGHT for a number of reasons detailed further in this report.
Although the Forbes.com website is one of the most heavily trafficked in the world, we believe the campaign to be highly targeted in nature. We do not believe this to be an operation intent on infecting millions of victims but cannot state with certainty true numbers.
The exploitation was dependent on a zero-day vulnerability in Adobe Flash. This was the primary and critical vector in the attack. This vulnerability was patched on December 9th of 2014 (CVE-2014-9163). This attack was not possible after users applied this patch.
On modern operating systems, the Flash vulnerability was paired with a mitigation bypass in Internet Explorer. By itself, the bypass posed no risk for exploitation. A patch for the mitigation bypass is releasing today (2.10.15) as CVE-2015-0071 in order to provide an extra layer of protection against future attacks.
Detail on the technical aspects of this campaign can be found further in this blog.
Based on the use of the Forbes.com website – ranked as the 61st most popular in the United States and 168th most popular in the world by the Alexa ranking service – it is possible the reach of this campaign could be vast – it may include business and industry leaders, investors and other individuals at Fortune 500 companies and beyond.
We have confirmed targeting of United States Defense Contractors and United States Financial Services companies.
It is critical to note that visibility is limited and that there was a potential for broader targeting from this group (and potentially other threat actors).
Cyber Espionage Campaign Attributed to Codoso Team
We believe the compromise was carried out by Chinese cyber espionage operators referred to by iSIGHT as Codoso Team based on technical indicators in connected malware as well as the use of the same undisclosed exploit in incidents consistent with Chinese cyber espionage targeting.
- Malware leveraged in the incident included resources written in simplified Chinese and bore a resemblance to variants of Derusbi, malware unique to Chinese cyber espionage operators.
- The command and control (C&C) domain used by malware in the incident was passively connected to tiiztm.com, a domain leveraged in several Chinese cyber espionage incidents associated with Codoso Team.
- At least three additional sites also hosted the same exploit prior to its public disclosure. These sites contained iFrames that pointed visitors to 126.96.36.199/wvvwwvw/main.swf. The sites are associated with Chinese dissident issues to include the Uyghur minority and Hong Kong democracy.
- gokbayrak[.]com is a website for East Turkistan interests including the World Uyghur Congress, a regularly targeted organization.
- turkkonseyi[.]com is the website of the Turkic Council. The Turkic Council is an organization for promoting cooperation between Turkish-speaking countries with an interest in the Uyghur minority, which is ethnically Turkic.
- cefc[.]com[.]hk is the website for the geopolitical think tank Centre d’Etudes Franais sur la Chine Contemporaine (French Center for Research on Contemporary China).
iSIGHT has tracked Chinese cyber espionage operators Codoso Team since at least 2010. The group is known to target multiple industries including:
- Political Dissidents
- Global Think Tanks
Codoso Team has been implicated in a series of attacks since 2010 – many of which involve exploitation of zero-day vulnerabilities:
- October 2010 – Watering hole attack using the Norwegian Nobel Peace Prize Committee website
- Zero-day exploit impacting Mozilla Firefox (CVE-2010-4765)
- April 2011 – Spear-phishing attack targeting government
- Zero-day exploit impacting Adobe Flash (CVE-2011-0611)
- May 2013 – Watering hole attack using multiple websites to target the Uyghur minority and think tanks
- Zero-day exploit impacting Internet Explorer (CVE-2013-1347)
It should be noted that the use of Derusbi malware variants is a common theme amongst this group – including in the recently observed watering hole attacks using Forbes.com. Given the use of Derusbi there is often conflation with a group publicly known as Deep Panda. We believe these to be different, yet connected, teams.
Technical Details – How the Attack Worked:
The attack was executed against specific targets by compromising the Forbes.com “Thought of the Day (ToTD)” Adobe Flash widget (see picture below) that appears initially whenever anyone visits any Forbes.com page or article.
The attackers took advantage of a vulnerability within the parseFloat function in Adobe Flash – subsequently patched on December 9, 2014 as CVE-2014-9163. Once users applied the December 9 patch, they faced no risk from this attack. Flash failed to properly validate user supplied data prior to copying it into a fixed sized buffer on the stack. This resulted in a standard buffer overflow style attack where the attacker could supply any address to redirect execution to. On systems without Address Space Layout Randomization (ASLR) this is trivial since the addresses are fixed and known in advance.
On modern operating systems with ASLR enabled, the attackers could not know which address they should use when exploiting this parseFloat buffer overflow vulnerability. ASLR is part of a layered security defense in modern operating systems and makes it more difficult to gain reliable code execution for attackers. For an attacker to successfully gain reliable code execution they often use an ASLR bypass. In this instance, this was accomplished by using a RegExp information leak.
About the RegExp Information Leak:
The attackers utilized an information leak to gain reliable code execution on systems with Address Space Layout Randomization (ASLR) enabled. In order to bypass ASLR this exploit utilized an information leak to determine the addresses of DLLs which would normally be random and not know in advance to an attacker.
Details on how the RegExp info leak was used in the wild by a flash exploit:
This data is actually from the jscript9.dll as shown below.
This leaked memory is returned to the Flash exploit and then treated as a String object. Using this String object it can determine the base address of jscript9.dll and dynamically find ROP gadgets such as “pop ebp; ret”. Once it has determined all the ROP gadgets it needs; it can build a ROP chain that can be used for reliable exploitation.
As the Adobe vulnerability in question was patched on December 9, 2014. iSIGHT focused its attention on technical coordinated vulnerability disclosure with Microsoft.
Given that affected parties were notified and CVE-2014-9163 was patched December 9, we did not witness a major surge / broader propagation of the exploit based upon our visibility into the team’s command and control infrastructure.
Detection of the Attack by Invincea:
Invincea’s footprint now stretches to more than 1.8 million machines around the globe – protecting unsuspecting users from spear-phishing attacks, watering hole and web-based drive-by attacks without the need for signatures or advanced knowledge of the threat. Invincea creates a virtual container on user’s devices in which highly targeted applications. This container walls malware off from the host and users’ data while detecting all types of malware (including zero-days) using advanced behavioral based techniques. When an attack is detected, it is immediately stopped in its tracks and high level forensic data is captured.
In late November of 2014, one of Invincea’s clients – a United States Defense Industrial Base company encountered an attack while visiting the Forbes.com website. That attack was detected and thwarted by Invincea’s Advanced Threat Protection endpoint product, FreeSpace, even as the attack evaded several layers of network defenses at the company and in spite of the attack employing 0-day exploits.
Today, Invincea has published a blog detailing its visibility into this attack – that blog can be found here.
Requests for Technical Indicators:
As mentioned at the beginning of this blog, iSIGHT is providing indicators of compromise to all concerned parties through a vetting process to assist organizations in analyzing their potential exposure. To request the technical report click here.
UPDATED 10.8.15 to remove references to Sunshop Group given new details.