Blog

Blogs are a highly effective means of communicating the findings of our research quickly. We believe it is vital to share our knowledge and experience, within our client base and with the wider security community. Blog entries cover a wide range of topics and technologies, including more niche subjects of particular interest to companies or organisations in specific industry sectors, such as financial services, retail, legal and defence.

Our blog has frequently stimulated feedback, debate and discussion among readers, with this debate sometimes extending into social media. It has also sometimes led to direct responses from particular technology companies, keen to address the issues to which we have drawn their attention.

Subjects covered in the blog include:

  • Malware
  • Server technologies
  • Application testing
  • Secure development techniques
  • Wireless technologies
  • Hardware security issues
  • Security trends
  • Mobile devices and gadgets
  • Cloud technologies

Blog Posts

In January, Cisco published a blog post on the ubiquitous Fiesta Exploit Kit (EK) which is quite active at the moment. To supplement their analysis, this post takes a look at an individual Fiesta drive-by attack observed by Context as part of our managed Targeted Attack Detection Service (TADS). The post also shows the methodology we used to investigate the incident and decode the traffic.

Read more...

On 2nd January 2014 a Systems Administrator at the Monju fast breeder reactor facility in Japan noticed suspicious connections emanating from a machine in the control room, coinciding with what was a seemingly routine software update to a free media player.

Read more...

Microsoft recently released security bulletin MS13-052, which contains a number of fixes for .NET vulnerabilities that I discovered. One of them, CVE-2013-3133, is particularly interesting, so I thought I would write a blog post about the issue and how it could have been exploited. CVE-2013-3133 came about due to the way dynamically created method content was implemented in the framework through the DynamicMethod class (and anything that uses it). As it is now fixed, I can reveal more details about the issue. Before we delve into that, I will set the scene so that you can understand why this was a problem in the first place.

Read more...

A client approached us this week with an interesting issue: several members of their staff were being tracked online and their location, the country at least, was being posted online every 12 hours. The members of staff had prominent roles in the organisation and with a little bit of effort it was not impossible to find their names and mobile numbers, but how was their location being leaked and what other data did the attackers have access to?

Read more...

This blog post describes a vulnerability in Windows RT, the ARM-based version of Windows 8 that runs on tablets such as the Surface RT. Normally Windows RT blocks code not signed by Microsoft from executing; the vulnerability abuses functionality in Windows PowerShell, a .NET-based task automation framework, to circumvent this restriction without requiring further ‘jailbreaking’ of the device. It follows the process through which the vulnerability was identified and how it was ultimately exploited.

Read more...

All too often Context responders find themselves dealing with clients who have not prepared for what we see as inevitable compromises. The result is that the compromise is not dealt with swiftly, the response is confused in both technical and business terms, investigations become more difficult, and the impact is greater.

Dealing with incidents effectively requires planning, anticipation and practice. This blog highlights the path to preparedness to ensure that when the inevitable happens, you are ready.

Read more...

Context Threat Intelligence uncovers successor to ‘BaneChant’ malware - ‘StrangeLove’.

Tracking this malware family since December 2012, Context previously identified this activity as an offshoot of a larger Command and Control infrastructure seen to be targeting both political and economic targets. In our Threat Advisory we detail the latest incarnation of the code and provide information to protect against it.

This updated version of the downloader associated with the ‘MM Core’ implant uses slightly modified network traffic to avoid previous on-the-wire detection. Antivirus detections are nil across the board for the second stage implant despite its similarity to the previously reported version.

Read more...

This blog post details the investigation of a recent watering hole attack that we observed on a number of our clients' networks in March this year. It discusses why and how we believe the watering hole site was compromised, as well as the threat actor group we suspect of being responsible for the attack.

A "watering hole attack" is a term used to describe an age old hunting technique employed by both man and beast. A tiger lurks around a source of drinking water where it knows thirsty animals will visit; it waits until an unsuspecting antelope has its head down distracted by its thirst for water and then launches its fatal strike.

Read more...

On 16th April Oracle released Java 7 Update 21 (which you should install now if you haven’t already!). This release fixes all the Java vulnerabilities disclosed to Oracle during the recent Pwn2Own 2013 competition, held at the CanSecWest security conference in Vancouver on 6th March 2013, alongside a significant number of other bugs. James was the first winner of the Java exploit competition at this event, and this blog provides both an overview of his winning entry and an insight into just how difficult it is to fully secure a complex system such as Java against a determined attacker.

Read more...

On 13th February 2013 the newest version of James Forshaw's Canape network tool became available for download. This release was originally planned for December, but due to various presentations, including BlueHat and CCC, it was delayed. Anyway, it is here now; below is a short blog post with James' description of some of the highlights of the release and why it is worthwhile upgrading to Canape v1.2.

Read more...

On 21st October Context consultant Alex Chapman will be presenting at the Ruxcon conference in Melbourne. Alex will describe how to inspect, manipulate and exploit the main remote administration protocol used by VMware ESXi and other VMware products such as Workstation, using Context’s network protocol analysis tool, Canape. This blog provides an overview of one of the new advanced features of Canape, Layer Sections, and how they can be used to strip away SSL encryption from the middle of complex network protocols such as the VMware ESXi management protocol.

Read more...

This blog post details a vulnerability that was found in SAP’s Host Control service. The vulnerability allows 100% reliable full code execution as the SAP administrator from an unauthenticated perspective. It was patched in May 2012 (SAP Security Note 1341333); however, at the request of SAP we have delayed publication of the details by 3 months. As I believe the vulnerability and the technique used to exploit it are technically interesting, I thought I would go into more depth than a typical advisory normally would.

Read more...

In May 2012 Microsoft released MS12-035, a security update for all versions of the .NET framework (including v4.0) based on some security research I performed over 12 months prior. It aimed to fix some serious issues in the way the .NET framework handled binary object serialization, which could lead to remote code execution or privilege escalation. While the update certainly mitigated some of the more immediate threats, there is still a significant attack surface left, which leads me to the topic of this blog post: if you use .NET remoting services in your estate then you might be at risk of compromise.

Read more...

In the last blog post, we looked at the processes and steps involved in a successful malware campaign. The series covered the Trojan Carberp and the many aspects of its functionality that resulted in a complex and technically advanced piece of malware. In this post, we will look at a newer trend in malware that we are seeing increasingly often: exploit packs and ransomware, with a particular focus on the Blackhole Exploit Kit and a post-infection feature recently added to Zeus that leads to users being held to ransom. In previous analysis that we have conducted, malware had the primary aim of stealth, evasion and data extraction. Context and the industry as a whole are now seeing an increase in drive-by download attacks that lead to infection with “ransomware”, malware that results in users being extorted for money. The extortion usually stems from files being encrypted or system lockouts occurring. In the majority of cases, users will pay the fee to have the system unlocked or look to AV companies for remediation.

Read more...

In this post of the series, I will go into some detail on the various mitigations and configuration changes that need to be made to your SAP environment to help protect against the attacks described in the two previous posts. While some of the mitigations are general network security recommendations, such as appropriate network segregation and filtering, others are specific to SAP and the security risks posed by a default Netweaver installation. The recommendations listed here by no means constitute a complete SAP hardening guide, and only serve to address the issues described in my previous blog posts. In September 2010, SAP released a fairly comprehensive Netweaver security guide taking into consideration the attacks currently possible, and further reading is highly recommended.

Read more...

During our research last year into Cloud Node security we identified a security vulnerability affecting some customers at Rackspace and at VPS.NET, which were two of the four providers we tested. Subsequent research found that VPS.NET’s service is based on OnApp technology, which is used by over 250 other providers, some of whom may share the same vulnerability. While Rackspace know of no instance of customer data being compromised through this vulnerability, they asked us to delay publication of our findings until Rackspace engineers could fully remediate the vulnerability and secure their customers. Rackspace recently completed those remediation efforts, and worked with us to publish our full findings, in the hope that they are helpful to other Cloud hosting providers and their customers.

Read more...

In this blog post, I'll describe the Frame Leak Attack technique and show how it can be used by a remote attacker to steal sensitive information from users through their web browser. I'll demonstrate how this attack can be used to mine information from documents stored in a corporate SharePoint installation. This blog post also contains a demo that shows how information can be extracted from a user’s LinkedIn account using the same technique. Finally, I’ll explain how to protect your site against this kind of attack.

Read more...

In my previous posting, a malicious PDF was analysed that originated from a targeted email campaign which exposed a number of users to infection. The PDF file used standard exploitation techniques against issues in Adobe PDF Reader to download an executable from a known malicious URL. In this post I will look at how the malware sample persists on the infected host using stealth, anti-debugging and common userland hooking and rootkit techniques.

Read more...

A number of our clients have asked for advice regarding the HTTPS BEAST attack. This blog is intended to give a more realistic overview of what the attack means to those who are concerned about the effect it may have on their web applications, and to answer some of the questions received. BEAST is short for Browser Exploit Against SSL/TLS. This vulnerability is an attack against the confidentiality of an HTTPS connection in a negligible amount of time. That is, it provides a way to extract the unencrypted plaintext from an encrypted session.

Read more...

A Remote Administration Tool (otherwise known as a RAT) is a piece of software designed to provide full access to remote clients. Capabilities often include keystroke logging, file system access and remote control, including control of devices such as microphones and webcams. RATs are designed as legitimate administrative tools, yet due to their extensive capabilities are often seen used with malicious intent. When a RAT is found to be the source of an infection, typical analysis of the malicious binaries will resolve the capabilities being provided to the attacker, which is often not enough information. In order to identify what malicious activity has occurred, we need to examine the network traffic and the commands sent by the attacker. However, most RAT traffic is hidden with encryption or obfuscation. In this blog post we take a look at a RAT called Dark Comet. We will run through the capabilities provided by the tool, examine the associated network traffic, identify the encryption algorithm and show how the key can be identified with a little analysis of an infected host.

Read more...

In this blog I will describe a new type of security vulnerability which can allow full internal system access from the internet from an unauthenticated perspective. This technique exploits insecurely configured reverse web proxies to gain access to internal/DMZ systems. The Apache web server is affected by this issue when running in reverse proxy mode; Context have worked with Apache to produce a patch which reduces the risk of exploitable misconfiguration.

Read more...

This is the second in a series of posts about SAP infrastructure security, specifically related to RFC vulnerabilities and common misconfigurations that can be exploited by an attacker to gain unauthorised access to an SAP environment. In this post I will be demonstrating how some of the RFC vulnerabilities previously described can be exploited by the freely available, Python-based ERP penetration testing platform Bizploit.

Read more...

In this series of posts I aim to cover in depth some of the publicly known infrastructure vulnerabilities that affect SAP systems, how to use public domain tools to test your current deployments for these issues, and how best to address them. While the industry is slowly taking note of SAP-related security beyond segregation of duties, there is still a significant lack of awareness of vulnerabilities and attacks against SAP systems, which prompted this series of posts.

Read more...

In this blog post Context demonstrates how to steal user data through web browsers using a vulnerability in Firefox’s implementation of WebGL. This is a continuation of our research into serious design flaws that could affect any browser which implements WebGL, currently Chrome and Firefox.

Read more...

Due to the high level of interest in Context’s blog posting on the security issues within WebGL, we are releasing the following further information to aid in the understanding of the issues.

Read more...

Context is currently undertaking a research project into the new WebGL technology and has uncovered serious security flaws. WebGL provides web pages with the functionality to access the lower-level graphics driver in a way that previously was only available to local applications. This new access allows web pages to create 3D graphics with the same level of speed and detail as PC games. However, from a security perspective, allowing low-level access to a graphics card from potentially malicious web pages carries a huge security risk. These risks stem from graphics cards and drivers not having been written with security in mind: the interface (API) they expose assumes that the applications using it are trusted, but this axiom is no longer true. Context has investigated this technology and has found fundamental design issues which currently expose users of the internet to having their PCs exploited. This includes breaking of the cross-domain security principle and denial of service, potentially leading to full exploitation of a user’s machine.

Read more...

One of the issues Context encounters time and time again is web servers supporting version 2 of the SSL protocol. The weaknesses in SSL2 have been known for fifteen years and could aid an attacker in decrypting traffic between his victim and the target website, so it’s a significant issue. However, despite the severe consequences, surveys have shown that 35% of web servers on the internet still support it. This blog post explains the biggest weakness in SSL2 and the method used to exploit it, and asks the question: should SSL2 be keeping you awake at night?

Read more...

Context is asked on a regular basis to evaluate the security of current mobile devices, especially smartphones, for use in the enterprise environment. Data security is of the utmost importance to our clients, and any technique which could compromise their information is taken very seriously. One of the most underestimated attack vectors on a smartphone is its USB connection. In the not so distant past this was used purely for data access, but it is now also the main charging connection on a device. This blog post discusses the risks inherent in this dual purpose on the two most popular enterprise smartphones, the RIM BlackBerry and the Apple iPhone: in what scenarios data is exposed, how much information an attacker could gather, and potential ways this can be solved at the enterprise level.

Read more...

Context encounters a wide range of server technologies during the course of penetration testing. Often there are known vulnerabilities that can be used to exploit them; other times Context creates new attacks. Context will be blogging about these techniques, starting with JBoss RMI Twiddling. JBoss is an open source, Java-based application server which is widely used in corporate environments. In the past it has had its share of security vulnerabilities, most of which have been addressed by adequate patches; however, it is still distributed with several insecure options enabled by default. A large number of JBoss installations have not been extensively hardened and are therefore vulnerable to the attacks detailed in this post, which under certain circumstances lead to full system compromise.

Read more...

Context encounters numerous malware samples on a daily basis, and this series of malware posts intends to provide a detailed analysis of the threats posed by malicious software affecting business today. The series aims to take the reader through the various stages of an attack against an organisation. This first posting presents an in-depth investigation into a PDF-based malware attack. This initial analysis covers an exploit-laden PDF document, the JavaScript payload and the malicious shellcode responsible for the second-stage delivery of malware. This infection vector is currently one of the most common methods of malware propagation, and through this series of postings Context aims to provide greater visibility into how such attacks occur in the real world.

Read more...

© Copyright 2013 Context Information Security