Elderwood and the Department of Labor Hack

Recently, the Department of Labor (DoL) and several other websites were compromised to host a new zero-day exploit in Internet Explorer 8 (CVE-2013-1347). Researchers noted similarities between this attack and earlier ones attributed to Elderwood, a distinct set of tools used to develop several past strategic website compromises. We have not, however, identified any evidence for this conclusion. Several fundamental differences exist that make it unlikely that this latest exploit was produced by the Elderwood kit.

  • The Elderwood kit provides several reusable techniques for spraying the heap with Adobe Flash and bypassing DEP with other plugins. However, the DoL exploit avoids the need to use plugins by copying the code for a new exploit technique from Exodus Intelligence. This significantly improved the reliability of the exploit and the number of visitors it affected.
  • Elderwood campaigns have hosted their files directly on the compromised website. However, the DoL website was injected with code redirecting the visitor to an attacker-controlled host, which then attempted to load the exploit. This makes it more difficult for researchers to investigate this incident.
  • Elderwood campaigns use primitive host fingerprinting techniques taken from sample code on the internet to determine the exploitability of visitors. However, the DoL fingerprint code has been developed by the attackers to collect significantly more data and is not used for determining exploitability. This fingerprint information is uploaded to the attacker-controlled host for future use.

In addition, we have identified sample code discoverable on the internet as the source of several JavaScript functions that appear in both exploits. For example, the cookie tracking code was copied nearly verbatim from “Using cookies to display number of times a user has visited your page” which includes code originally from the JavaScript Application Cookbook.

The Elderwood Exploit Kit

Elderwood is a distinct set of reusable tools that has been developed by or for the Aurora APT group (sometimes known as or related to Nitro, VOHO, Violin Panda, or Mandiant Group 8). Our firm has tracked the use of the Elderwood kit due to the unique nature of the strategic website compromises and zero-day exploits it has been used to develop. We will discuss our analysis of this proprietary exploit kit in a series of blog posts this week.

In the blog posts that follow, we use the latest zero-day strategic website compromise attributed to the Elderwood kit as a case study. We use evidence from this attack to determine the sophistication of the tools provided by the kit and determine the capabilities required to operate it. By doing so, we hope to have a more honest discussion about the reality of this threat and the effectiveness of current defenses against it. At the end of our case study, we predict future use and developments of this kit and present recommendations to stay ahead of such attacks in the future.

Case Study Overview

In early December 2012, several websites were compromised and subtly repurposed to host a 0-day exploit for a use-after-free vulnerability in Internet Explorer 6, 7, and 8. The changes to these websites were not detected until several weeks later. The timeline of the attack was as follows:

Security vendors have termed this type of attacks, where a public website is compromised in order to exploit its visitors, “watering holes.” We believe a more descriptive definition is provided by ShadowServer, who describes attacks of this nature as “strategic website compromises.” Each compromised website is strategically selected for the character of web traffic that visits it. Instead of the attacker bringing victims to their website, the attacker compromises the websites that intended victims already view.

Components of the Attack

Several discrete components must be engineered and integrated by attackers in order to pull off a strategic website compromise. We describe these components below.

  • Vulnerability: Reproducible trigger of a code execution flaw in software installed on client systems, such as Adobe Reader or Internet Explorer.
  • Exploit: Code that uses the vulnerability to execute a program of the attacker’s choice (a payload) on the victim’s computer.
  • Obfuscation: Techniques applied to the exploit and payload to evade network and host-based detection systems.
  • Fingerprinting: Code to determine whether to serve an exploit to a victim’s computer.
  • Payload: Shellcode and malware that runs on the victim’s computer to further control it.
  • Compromised website: A website not legitimately owned or operated by the attackers, but that the attackers have manipulated into hosting their exploit and payload code.

The attackers placed several files on the CFR website. We enumerate these files and their roles in the compromise process below. Variations on these filenames were used across multiple compromised websites but they generally correspond to the list below.

  • config.html performed fingerprinting of the intended victims and determined whether they were a supported target of the developed exploit code.
  • news.html, robots.txt, and today.swf contained the exploit code for the zero-day vulnerability that had been discovered. robots.txt obfuscated critical sections of the exploit code to mitigate the risk of detection.
  • xsainfo.jpg contained one stage of the malware to be installed on victims that were successfully exploited.

We have posted the original files from this attack for readers to reference (pw: infected). In tomorrow’s post, we investigate the tools provided by the Elderwood kit for developing exploits from discovered vulnerabilities.

If you’re interested in learning more about how modern attacks are developed and performed, consider coming to SummerCon early next month and taking one of our trainings. Subscribe to our newsletter to stay up-to-date on our trainings, products and blog posts.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 3,629 other followers

%d bloggers like this: