The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity

Two weeks ago, news broke about strategic web compromise (SWC) activity on the website for the U.S. organization, Veterans of Foreign Wars (VFW). This activity leveraged exploit code for a zero-day vulnerability now identified as CVE-2014-0322 and ultimately infected victims with ZxShell malware. CrowdStrike Intelligence attributed this attack to the AURORA PANDA adversary; however, the discovery of additional indicators revealed that another adversary was leveraging the same vulnerability...


Details about Apple SSL vulnerability and iOS 7.0.6 patch

On February 21st, 2014 Apple pushed out an emergency SSL security update for iOS (7.0.6). John Costello, CrowdStrike's Sr. SDET Engineer, and myself reverse engineered the binary patches in order to analyze the vulnerability and its full impact. Given the fact that the patches are not yet available for all impacted systems, we are not yet publishing full technical details of this vulnerability so as not to make life easier for attackers. However, we decided to release some...


Mo' Shells Mo' Problems - Deep Panda Web Shells

Disclaimer: CrowdStrike derived this information from investigations in non-classified environments. Since we value our clients' privacy and interests, some data has been redacted or sanitized.

CrowdStrike presents “Mo’ Shells Mo’ Problems”, a four-part series featuring two unique web shells used by a Chinese threat group we call Deep Panda. The series will culminate with a CrowdCast in April 2014 detailing a case study of the incident response investigation conducted to identify...


Post-Snowden Forensics

It has been over six months since Edward Snowden’s unprecedented NSA leaks, and we are still a long way from being able to assess the damage. Worldwide trust in United States tech companies has undoubtedly been shaken. Cisco Systems blamed a ten percent revenue drop on fallout from the leaks. Microsoft is offering the ability for foreign customers to have their data stored outside of the United States. And Silicon Valley stalwarts from Apple to Google to Yahoo have spent considerable...


Native Java Bytecode Debugging without Source Code

At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be...


Through the Window: Creative Code Invocation

Recently, while analyzing a targeted attack, CrowdStrike observed an interesting code invocation technique that we want to describe here. This particular technique can be used to invoke code that has previously been injected into explorer.exe.

Many targeted attacks involve executing malicious code. No matter how a target gets infected, at some point an adversary typically aims to execute some kind of remote access tool (RAT), which is then used, for example, to exfiltrate critical information...


Increased Cyber Targeting Expected Out of China

Talk about a rough week: last week was one of cyber turmoil for the Chinese government. First, on 21 January 2014, the International Consortium of Investigative Journalists (ICIJ) released an exposé on China’s elite politicians and their connections to offshore accounts, giving credence to the idea that they are hiding their wealth from the general public. Then, on the same day, in what was likely a mistaken case of DNS poisoning by the Great Firewall of China, all of China’s Internet...


2013 Year in Review: Actors, Attacks, and Trends

As 2012 was winding down, the CrowdStrike Intelligence team was in hot pursuit of an adversary who was leveraging a Strategic Web Compromise (SWC) attack using an exploit for an at-the-time unpatched vulnerability (CVE-2012-4792). This attack was a harbinger of what was to follow throughout 2013. These attacks, commonly called “watering holes”, do not rely on social engineering and weaponized documents to victimize their prey. Instead, sites known to be of interest to the victim...


Actionable Indicators for Detection of Signs of Compromise from Target-related Breaches

A lot of press stories and blog posts have been written about the Target breach in the month since Brian Krebs broke the story on December 20th. However, until now very little detail has been released about how the attack was conducted, or actionable intelligence that other potential victims can use to detect signs of similar breaches on their networks.

CrowdStrike has been collecting and analyzing intelligence about this attack for the past month for our customers and we have...
