Breaking Badness Episode 3: Fancy Bear Awakens From Its Winter Slumber

Fancy Bear Awakens From Its Winter Slumber

Coming up this week on Breaking Badness. Today we discuss the DNSpionage, Fancy Bear (APT28) is Back at it Again, and WinRAR Hasn’t Improved Since the Clinton Administration.

Here are a few highlights from each article we discussed:

  1. First reported by Cisco Talos back in November 2018:
    • Threat actors were able to steal login credentials from Lebanese and UAE. governments by hijacking DNS servers to redirect all email and VPN traffic
    • Also allowed threat actors to obtain SSL certs, which allowed them to decrypt any of the intercepted traffic.
  2. Later in January, there was further research reported on by FireEye
    Then the DHS CISA released an emergency directive ordering gov sites to secure their login credentials.
  3. Finally, later still in January, Crowdstrike released a blog post containing a list of domain names associated with this malicious activity or abused by it.
  4. And now – KrebsOnSecurity has released an article where he ran all the domains through passive DNS and found that over 50 middle eastern government agencies had been affected by this campaign – pointing DNS servers to ones in Europe controlled by the threat actors. Next, the threat actors obtained the SSL certs for those sites.
  5. Hackers initially phished credentials for the registrar’s (Key Systems and Frobbit) Extensible Provisioning Protocol (EPP) – which is like a “backend” for DNS that allows providers to notify registries about changes to domain records.
  6. Both Netnod and PCH use DNSSEC (DNS Security Extensions) which is supposed to prevent the type of DNS attack that occurred by requiring digital signatures for all DNS queries for a given domain or set of domains.
  7. However, the attackers first gained credentials, and so when they did attack infrastructure that was supposed to be protected by DNSSEC, they simply logged in and disabled it long enough to get SSL certs.
  8. Later, the attackers forgot to re-disable DNSSEC before intercepting internet traffic.
  9. They attacked 4 different times at the end of Dec 2018/beginning of Jan 2019, each time siphoning passwords/etc for 1 hour and then stopping the attack, most likely to not be noticed.
  10. Then the bad guys targeted PCH directly, and while DNSSEC blocked most of the attacks, two guys who were out traveling and downloading emails to their iPhones from hotel wifi got popped.
  11. Once they were in, no one at PCH got any email for about an hour, but it was so short a period of time that everyone just kind of shrugged it off.
  12. This attack has been attributed to Iran.
  13. In addition, on February 22, ICANN released a statement calling for full DNSSEC usage (here) across all unsecured domain names.
Fancy Bear (APT28) is Back at it Again
  1. Microsoft released a blog post saying they have seen recent cyber espionage activity targeting democratic institutions in Europe.
  2. Not just targeting campaigns – also think tanks and non-profits as well – For example, Microsoft has recently detected attacks targeting employees of the German Council on Foreign Relations, The Aspen, Institutes in Europe and The German Marshall Fund.
  3. Microsoft is saying they believe these attacks were conducted by Strontium, which is their name for APT28 AKA Fancy Bear.
  4. Consistent with campaigns against similar U.S.-based institutions, attackers in most cases create malicious URLs and spoofed email addresses that look legitimate. These spearphishing campaigns aim to gain access to employee credentials and deliver malware.
WinRAR Hasn’t Improved Since the Clinton Administration
  1. WinRAR is a file compression tool used by over 500 million people.
  2. Checkpoint used WinAFL fuzzer to find a 19-year-old logical bug in WinRAR that makes possible to create files in arbitrary folders inside or outside of destination folder when unpacking ACE archives.
  3. The logical bug is Absolute Path Traversal.
  4. WinRAR can be potentially exploited when a user accidentally opens a malicious archive, perhaps one sent by email or downloaded from a website: unpacking it can lead to malware smuggled within the file executing on the next reboot, as a result of this flaw.
  5. The vulnerability lies in unacev2.dll, a library used to parse ACE archives, a little-used compression format that dates back to the 1990s.
  6. An attacker can craft a poisoned ACE archive, disguised as a RAR file, that, when opened by WinRAR, exploits a path traversal flaw in unacev2.dll to trick the archiving tool into extracting the files into a path of the attacker’s choosing.
  7. Because of a directory that WinRAR has access to (C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup), an attacker who knew the user name of the target could get the files to extract into the startup directory and, when the PC was restarted, launch them automatically to effectively get remote code execution on the targeted machine.
  8. WinRAR is going to drop ACE formats altogether.
  9. New as of 02/25: Now the vulnerability is being exploited (here). Malicious email being sent with RAR archive that, when extracted, creates a backdoor on the victim machine in the startup folder.
This Week’s Hoodie Scale

[Tim]: 6/10 Hoodies
[Emily]: 7/10 Hoodies

Fancy Bear (APT28) is Back at it Again
: 5/10 Hoodies
[Emily]: 5/10 Hoodies

WinRAR Hasn’t Improved Since the Clinton Administration
: 3/10 Hoodies
[Emily]: 3/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!