Response - 14th June 2013
This blog post details the investigation of a recent watering hole attack that we observed on a number of our clients' networks in March this year. It discusses why and how we believe the watering hole site was compromised, as well as the threat actor group we suspect of being responsible for the attack.
A "watering hole attack" is a term used to describe an age-old hunting technique employed by both man and beast. A tiger lurks around a source of drinking water where it knows thirsty animals will visit; it waits until an unsuspecting antelope has its head down, distracted by its thirst, and then launches its fatal strike.
In this case the tiger was a state-sponsored attacker and the antelope were a variety of target companies, including two of our clients. The watering hole was the member portal of a legitimate website, IHS.com, regularly accessed by staff from these target companies, which had been compromised so that it infected visitors' computers with malware.
The Best Watering Hole
As it turns out, the IHS.com website belongs to a company called "Information Handling Services Inc.", located in Colorado, USA. While IHS itself is not a very well-known brand, it is the parent company of other, more familiar, big-name companies you may have heard of, including:
- Jane's Information Group - one of the preeminent sources of information and analysis on military and intelligence matters. Publications include "Jane's Fighting Ships", "Jane's Intelligence Review" and "Jane's Defence Weekly" amongst many others.
- Global Insights – a well-established and respected player in financial, economic and political analysis of countries, regions and industries.
- Cambridge Energy Research Associates (CERA) – advisers to companies and governments worldwide on the supply of energy, geopolitics and strategy.
Aside from these there is a list as long as your arm of subsidiary companies and brands, including large holdings in scientific research, healthcare and pharmaceuticals, market research, energy, electronics, telecommunications and security. So, all in all, compromising this site was a very good piece of work by the attacker; given the likely attacker motivations and end targets, a better watering hole probably does not exist...jackpot!
There is little detail available on how or exactly when the attacker managed to get onto the IHS.com site, although there has been some discussion on security mailing lists that this site was compromised by more than one threat actor recently.
In particular on the 22nd February 2013 there was a dump of information by "Parastoo" to Cryptome (see http://cryptome.org/2013/02/parastoo-janes-cbrn.htm).
This dump purports to outline a hack of the IHS.com site and provides details on the infrastructure, technologies and vulnerabilities behind the site. It also lists account and password details and links to exfiltrated data, including dumps of customer and source databases.
Parastoo is a hacktivist group that has claimed, or been implicated in, a number of other high profile attacks, with targets including the International Atomic Energy Agency (IAEA) and the US Department of Energy. Parastoo appears to be motivated by anti-Israel / anti-Zionist sentiment, and selects targets based upon perceived connections with the Israeli state. This targeting and the rhetoric surrounding some of the attacks has led some to speculate on a connection between Parastoo and the Iranian government.
Given the timing of this information dump relative to the compromise by our attackers, it is likely that the Parastoo dump facilitated, to a greater or lesser extent, the subsequent compromise and setup of the watering hole by our attackers; we assess 'probably greater'. There is no suggestion that the two groups are linked in any way.
Beyond this, it appears fairly certain that the watering hole began actively serving malware on the 12th/13th March. We have not seen any compromises earlier than this and none have been reported in open source.
The Attack Platform - The Hunter Strikes
We initially detected the attack in mid-March, when monitoring by Context's Response Team picked up beaconing activity to the domain help.yahoo-upgrade[.]com on the network of one of our managed service clients. The traffic was consistent with that of a Remote Access Trojan (RAT) known as PlugX. PlugX was the subject of a recent Context white paper and is strongly suspected of being attributable to one of the more aggressive and active Chinese state-sponsored groups; more details on this later.
Investigation of this alert confirmed that there was indeed a host on the client network running an active variant of the PlugX implant. By correlating the beaconing with network and proxy logs, the compromise was traced back to recent web browsing by the primary user of this host: the host had been compromised on 14th March after the user visited the website IHS.com.
To stretch the watering hole analogy a bit further, the tiger's teeth and claws in this instance were a malicious Java archive (JAR) served from the IHS website. To avoid raising suspicion, the JAR was signed with a fake, self-signed certificate created in the legitimate name ihs.com, so that the signer shown to the user appeared to be IHS itself.
The JAR redirected the user to a second, compromised domain and acted as a downloader for the malware installer hosted there. Once the installer had executed successfully, the RAT began beaconing to a third, attacker-controlled domain.
The stages of the compromise can be seen when looking through the network activity at that time for the identified user:
Further investigation of the proxy logs revealed that the malicious URL had been requested by a total of four users during the 28 hours following this initial compromise; however, because of blocking by the Bluecoat proxies on the network, only this single user was successfully compromised.
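As an added example that is not part of the original post, the following Python script reconstructs the chain described above (watering-hole page, malicious JAR, installer download from the second domain, beacon to the attacker's domain) per user from proxy logs, and reports at which stage, if any, the proxy blocked each user. The log lines are constructed for the example in a simplified Blue Coat-style field order; the second-stage hostname (stage2.example.net), the JAR path and the user names are assumptions, while ihs.com, help.yahoo-upgrade.com and the installer name msinfo.exe (which the post names further down) come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log lines (simplified Blue Coat-style fields:
# date time c-ip cs-username s-action sc-status cs-method cs-uri).
# stage2.example.net, the JAR path and the user names are assumptions.
SAMPLE_LOG = """\
2013-03-14 09:12:03 10.1.2.34 asmith TCP_NC_MISS 200 GET http://www.ihs.com/members/index.html
2013-03-14 09:12:05 10.1.2.34 asmith TCP_NC_MISS 200 GET http://www.ihs.com/members/js/applet.jar
2013-03-14 09:12:09 10.1.2.34 asmith TCP_NC_MISS 200 GET http://stage2.example.net/msinfo.exe
2013-03-14 09:13:00 10.1.2.34 asmith TCP_NC_MISS 200 POST http://help.yahoo-upgrade.com/update
2013-03-14 11:40:17 10.1.2.51 bjones TCP_NC_MISS 200 GET http://www.ihs.com/members/index.html
2013-03-14 11:40:19 10.1.2.51 bjones TCP_NC_MISS 200 GET http://www.ihs.com/members/js/applet.jar
2013-03-14 11:40:22 10.1.2.51 bjones TCP_DENIED 403 GET http://stage2.example.net/msinfo.exe
2013-03-15 08:02:44 10.1.2.77 cwhite TCP_NC_MISS 200 GET http://www.ihs.com/members/index.html
2013-03-15 08:02:46 10.1.2.77 cwhite TCP_NC_MISS 200 GET http://www.ihs.com/members/js/applet.jar
2013-03-15 08:02:49 10.1.2.77 cwhite TCP_DENIED 403 GET http://stage2.example.net/msinfo.exe
2013-03-15 10:30:11 10.1.2.90 dgreen TCP_NC_MISS 200 GET http://www.ihs.com/members/index.html
2013-03-15 10:30:13 10.1.2.90 dgreen TCP_NC_MISS 200 GET http://www.ihs.com/members/js/applet.jar
2013-03-15 10:30:16 10.1.2.90 dgreen TCP_DENIED 403 GET http://stage2.example.net/msinfo.exe
2013-03-15 12:00:00 10.1.2.99 efox TCP_NC_MISS 200 GET http://www.ihs.com/news/index.html
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<action>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<uri>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    parts = urlsplit(rec["uri"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path.lower()
    rec["status"] = int(rec["status"])
    return rec


def is_ihs(host):
    return host == "ihs.com" or host.endswith(".ihs.com")


# The chain in the order the post describes it: watering-hole page, malicious
# JAR on IHS, installer (msinfo.exe) from the second domain, PlugX beacon.
STAGES = (
    ("page", lambda r: is_ihs(r["host"]) and not r["path"].endswith(".jar")),
    ("jar", lambda r: is_ihs(r["host"]) and r["path"].endswith(".jar")),
    ("installer", lambda r: r["path"].endswith("/msinfo.exe")),
    ("beacon", lambda r: r["host"] == "help.yahoo-upgrade.com"),
)


def stage_of(rec):
    for name, pred in STAGES:
        if pred(rec):
            return name
    return None


def allowed(rec):
    """True if the proxy actually served the request; TCP_DENIED or a 4xx/5xx means blocked."""
    return rec["action"] != "TCP_DENIED" and rec["status"] < 400


def reconstruct(log_text):
    """Return {user: {"reached": [stages served], "blocked_at": stage or None, "verdict": str}}."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and stage_of(rec):
            per_user[rec["user"]].append(rec)
    results = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["ts"])
        reached, blocked_at = [], None
        for r in recs:
            s = stage_of(r)
            if not allowed(r):
                blocked_at = blocked_at or s   # remember the first stage the proxy stopped
                continue
            if s not in reached:
                reached.append(s)
        if "beacon" in reached:
            verdict = "compromised"
        elif blocked_at:
            verdict = "blocked at " + blocked_at
        elif "jar" in reached:
            verdict = "exposed (JAR fetched, no installer seen)"
        else:
            verdict = "visited only"
        results[user] = {"reached": reached, "blocked_at": blocked_at, "verdict": verdict}
    return results


def jar_fetchers(log_text, hours=28):
    """Users who fetched the JAR within `hours` of the first JAR fetch (the post's 28-hour window)."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and stage_of(r) == "jar"]
    if not recs:
        return []
    first = min(r["ts"] for r in recs)
    return sorted({r["user"] for r in recs if (r["ts"] - first).total_seconds() <= hours * 3600})


if __name__ == "__main__":
    for user, res in reconstruct(SAMPLE_LOG).items():
        print(f"{user:8s} {res['verdict']:42s} stages={res['reached']}")
    print("fetched JAR within 28h:", jar_fetchers(SAMPLE_LOG))
```

Real Blue Coat access logs carry more fields, in whatever order the appliance's log format defines, so LINE_RE has to be adapted to the format in use. The useful part is the per-user ordering and the distinction between a stage the proxy served and one it denied: on the constructed data four users fetch the JAR inside the window, but only the one whose installer download was served goes on to beacon, which is the picture the post describes.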
...and so a thin film of blood spreads slowly across the surface of the water, as the dust settles and the antelope closes its eyes on the world for the last time.
PlugX - An Old Friend
In this instance, as you can see above, the attack resulted in the download of a malware installer file, msinfo.exe. This installer was a self-extracting RAR archive containing the files Mcvsmap.exe, McUtil.dll and McUtil.DLL.PPT. Analysis of these files with Context's PlugX Decryption Tool confirmed that this was a PlugX variant (version 7.0), masquerading on the victim system as the McAfee VirusMap Reporting Module.
PlugX has been well documented in our white paper and more widely in open source, so we will not repeat that analysis in full here. In short, PlugX is a full-featured Remote Access Trojan, giving an attacker almost complete control over a compromised host through functionality provided by a plugin architecture as well as more traditional remote interactive sessions. PlugX appears to be a Chinese home-grown capability, and the Response team at Context has seen it grow in prevalence over the last 18 months, increasingly used by some attacker groups as a replacement for other RATs such as Poison Ivy.
Having established that PlugX had been successfully installed on this host, the machine was investigated and monitored for a short period to see whether the attackers had taken advantage of their success to consolidate a foothold on the network. Fortunately for the client no evidence of this was found, and it was concluded with fairly high confidence that the attackers had not followed up on this compromise; most likely they were spending their time leveraging other successful infections at more interesting companies.
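The three dropped files above have the shape that PlugX is widely documented to use for DLL side-loading: a legitimate, signed vendor executable (Mcvsmap.exe), a loader DLL carrying the name that executable expects to import (McUtil.dll), and a third file holding the encrypted payload (McUtil.DLL.PPT). As an added host-hunting example, not code from the post or from Context, the Python script below walks a directory tree looking for any such (exe, name.dll, name.dll.ext) triple in one directory and notes whether the executable references the DLL by name; the directory layout it runs against is constructed in a temporary directory with stub files, and only the McAfee-named triad mirrors the post.

```python
import os
import tempfile
from pathlib import Path


def exe_references_dll(exe_path, dll_name):
    """Crude import check: a PE that loads a DLL by name carries that name as an
    ASCII string in its import table, so look for it case-insensitively."""
    data = Path(exe_path).read_bytes()
    return dll_name.lower().encode() in data.lower()


def find_triads(root):
    """Walk `root` and return every (exe, <name>.dll, <name>.dll.<ext>) triple found
    together in a single directory, recording whether the exe names the DLL."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        exes = [f for f in by_lower if f.endswith(".exe")]
        dlls = [f for f in by_lower if f.endswith(".dll")]
        for dll in dlls:
            # e.g. "mcutil.dll" -> "mcutil.dll.ppt"; the DLL itself never matches
            payloads = [f for f in by_lower if f.startswith(dll + ".")]
            for payload in payloads:
                for exe in exes:
                    exe_path = os.path.join(dirpath, by_lower[exe])
                    hits.append({
                        "dir": dirpath,
                        "exe": by_lower[exe],
                        "dll": by_lower[dll],
                        "payload": by_lower[payload],
                        "exe_references_dll": exe_references_dll(exe_path, by_lower[dll]),
                    })
    return hits


def build_sample_tree(base):
    """Constructed directory layout for the example. The files are stubs, not real
    binaries; the import-table strings are faked so the heuristic has something to find."""
    layout = {
        "McAfee/Mcvsmap.exe": b"MZ" + b"\x00" * 64 + b"KERNEL32.dll\x00McUtil.dll\x00",
        "McAfee/McUtil.dll": b"MZ" + b"\x00" * 32,
        "McAfee/McUtil.DLL.PPT": b"\x8a\x13\x77" * 16,      # opaque blob standing in for the payload
        "Vendor/app.exe": b"MZ" + b"\x00" * 64 + b"helper.dll\x00",
        "Vendor/helper.dll": b"MZ" + b"\x00" * 32,           # no third file, so not a triad
        "Misc/tool.exe": b"MZ" + b"\x00" * 64 + b"USER32.dll\x00",
        "Misc/lib.dll": b"MZ" + b"\x00" * 32,
        "Misc/lib.dll.dat": b"\x00" * 16,                    # triad shape, but tool.exe never names lib.dll
    }
    for rel, content in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def hunt_sample():
    """Build the sample tree in a temp dir and return (exe, dll, payload, references) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(h["exe"], h["dll"], h["payload"], h["exe_references_dll"]) for h in find_triads(tmp)]


if __name__ == "__main__":
    for exe, dll, payload, refs in hunt_sample():
        flag = "LIKELY SIDE-LOAD" if refs else "triad shape only"
        print(f"{flag:18s} {exe} -> {dll} + {payload}")
```

Run `find_triads` against user-writable locations such as %TEMP%, %APPDATA% and %ProgramData% on a suspect host; a triad whose executable really does name the DLL, sitting somewhere the vendor never installs it, deserves a look even before the payload file is decrypted. The string search is a stand-in for parsing the PE import table properly (for example with the third-party pefile module) and will be fooled by packed or otherwise obfuscated executables.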
When asked about the compromise, the user in question revealed that they had recently been contacted by IHS, notifying them of the potential compromise and suggesting that they take precautionary measures. To this end the user ran various security tools without success; however, the incident was not brought to the attention of the relevant client security teams and so was not cleaned up effectively until detected by Context monitoring. User awareness training that told the user how to react in such a situation would have been ideal here, but fortunately no damage resulted.
A couple of weeks after the IHS watering hole had come onto our radar, and this first case had been detected and dealt with, we were contacted by a global FTSE 250 firm. This firm had been notified of a potential compromise through the UK Government's Cyber Incident Response (CIR) program; the details of the notification were limited to a source IP, a destination IP and a date relating to the compromise.
The client shared the information they had been given, and it was immediately apparent that the notification related to the IHS attack. With our assistance the client tracked down seven hosts, spread across four countries, that had been successfully compromised by the attack.
Upon investigation it turned out that, given the time that had elapsed since the attack, anti-virus had already cleaned up six of the seven compromised hosts. This was interesting because initial investigation showed that the single host not cleaned up by anti-virus was infected with a different family of malware, whereas the malware cleaned off the six hosts appeared to be the same PlugX variant seen previously.
Prior to this there had been some reports in the security community of different malware being served from IHS.com in different instances. This reporting indicated that some early compromises had involved malware known as Preshin or ProxyDown which, while apparently less feature-rich than PlugX, was said to include the ability to act as a proxy on a victim network, raising concern on the client's part that the attacker was staging for a large operation.
Further analysis showed that while the basic attack remained the same (malicious JAR > redirect > installer download > execute), the malware downloaded was indeed Preshin. Reverse engineering by our Threat Intelligence team confirmed that it did not include any capacity to proxy connections, although it could undertake basic host and network reconnaissance, download and execute further executables, and run ad-hoc batch commands. Its relatively basic functionality suggests it was intended as a lightweight tool to facilitate further access during the first stages of an attack.
Correlation across clients and time indicates that, for some unknown reason, the attacker originally set up the watering hole to serve Preshin but shortly afterwards switched to PlugX. The PlugX variant appears to have been involved in the majority of the compromises resulting from the attack and, as a consequence, was picked up relatively quickly by AV and proxy vendors; the Preshin variant does not appear to have received as much attention.
The Tiger - Attribution and Target
This attack was not directly targeted at our clients, but it was effectively a targeted attack against a range of industries whose staff frequently visit the IHS site, including the military, energy, aerospace and security sectors. As part of the analysis surrounding this incident, Context uncovered malware that is likely related to a historical compromise of the IHS website, dating back to 2011 and attributed to the same actors.
Based on this targeting, the toolsets used and details of the command and control infrastructure, this attack has been attributed, with moderate confidence, to a group referred to within Context and the wider security community as 'FlowerLady' or 'FlowerShow'.
The FlowerLady group is believed to be Chinese in origin and state-sponsored rather than state-run (i.e. the group is not directly managed by the Chinese state). The group is not known to be attributed to any particular organisation and is likely to consist of individuals driven by nationalistic motivations, attacking Western companies on an opportunistic basis in search of information of economic, technological or military significance, which is then passed on to the Chinese state or to Chinese companies for further exploitation.
Part 2 of this blog will look more into the detail of this particular group and provide indicators of compromise to aid detection. To be continued…