Wednesday, April 25, 2012
E-Mail, Source Code From VMWare Bubbles Up From Compromised Chinese Firm
In what looks like the IT equivalent of the Deepwater Horizon oil spill disaster, purloined data and documents, including source code belonging to the U.S. software firm VMWare, continue to bubble up from the networks of a variety of compromised Chinese firms, according to "Hardcore Charlie," an anonymous hacker who has claimed responsibility for the hacks.
In a statement on the VMWare Web site, Ian Mulholland, Director of VMWare's Security Response Center, said the company acknowledged that a source code file for its ESX product had been leaked online. In a phone interview, Mulholland told Threatpost the company was monitoring the situation and conducting an investigation into the incident.
"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," VMware said in a statement.
VMWare's ESX is a product that is used to virtualize computing environments. The leaked documents include a source code file that VMWare has shared with its industry partners and internal company e-mail messages. Mulholland said that VMWare doesn't yet know the source of the leak, nor can it rule out a breach of its own source code repository. Subsequent releases from "Hardcore Charlie" - who claims to have downloaded some 300 megabytes of VMWare source code - may make the provenance of the documents clearer, he said.
The leaked documents include what appear to be internal VMWare communications, pasted onto CEIEC letterhead and with official-looking stamps. One email exchange, dated June 5, 2003, is from Jeffrey Sheldon to an internal VMWare listserv and has the subject "code review: untruncating segments." The e-mail exchanges are likely communications that were manually added into the company's source code repository to provide context for developers, Mulholland told Threatpost.
The release of source code and developer commentary is the latest in an odd string of document leaks that are tied back to attacks on CEIEC, the China Electronics Import & Export Corporation, in March. That breach is linked to a compromise of Web-based e-mail accounts at the e-mail hosting company Sina.com, according to the hacker known as "Hardcore Charlie," who communicated with Threatpost via IRC (Internet Relay Chat). After stealing encrypted account credentials for hundreds of thousands of Sina.com accounts, Hardcore Charlie said he sought the help of another hacker, who uses the handle @YamaTough, to crack the cryptographic hashes used to secure the credentials. With the cracked credentials in hand, he said he and fellow hackers began looking for accounts of interest. One they stumbled upon was apparently used by a CEIEC subsidiary in India and contained the credentials for a range of VPN (Virtual Private Network) accounts that linked into CEIEC's main corporate network.
In all, the hack of Sina.com provided access to a slew of firms in the ASIAPAC region, in addition to CEIEC. Those include China North Industries Corporation (Norinco), WanBao Mining Ltd, Ivanho and PetroVietnam, he told Threatpost. In all, the hackers claim to have collected more than a terabyte of data from the companies, with more added every day, Hardcore Charlie told Threatpost.
"We are still sorting it out and still have access to the companies," he said.
It's unclear how the compromised firms got access to the documents. CEIEC has been described as an import/export company with deep ties to the Chinese government and Ministry of Foreign Trade. The company now functions as a primary contractor on many overseas projects, which may give it access to a wide range of business partners, according to published reports. Hardcore Charlie said that the company has cut off access to its main network. However, the group retains a foothold on the networks of other firms and continues to collect a dog's dinner of leaked documents, including countless shipping documents from the U.S. military operation in Afghanistan - many of recent vintage - Microsoft Excel spreadsheets and Adobe PDFs with subjects like "ITVs Need To Be Recharged," "WZG Gry Carrier Updated Report," and "WZG I_Tracker Updates." Most of the documents are not classified and provide dry details of U.S. military transports within Afghanistan. During an IRC chat with Threatpost, Hardcore Charlie claimed to have received one such document, forwarded from a server operated by Wanbao Mining Co. It is unclear how the document got from the U.S. military's unclassified network (NIPRNet) to the Wanbao server.
In an e-mail statement to Threatpost on April 11, a spokesman for the U.S. Cyber Command said it is aware of the media reports about the leaks, but "doesn't discuss operational matters - perceived or otherwise" as a matter of policy.
Richard Bejtlich, the Chief Security Officer at security firm Mandiant and author of the TaoSecurity blog, said the jumbled collection of documents doesn't tell a coherent story or suggest any organized data collection activity. "When it's all jumbled like that, I wonder if they're sitting on a TOR exit node and just assembling what comes out and calling it a dossier," he told Threatpost in a phone interview. The transport documents are not typical of the kind of information that is being stolen from U.S. systems by China, but Bejtlich said that their presence in the hands of Chinese companies and Hardcore Charlie is cause for concern. "I would bet people are taking this seriously, but maybe not as seriously as other kinds of breaches."
He said the military, as well as the companies involved, should take steps to verify that the leaked documents are authentic and not forgeries. After that, they should investigate the source of the leaks: whether there are compromised systems at their source, or broken "business processes" in which human error or malicious insiders are the source of the data leaks. He said that direct company-to-company spying by Chinese firms would be a new development. "Most of what we see can be traced to one of 20 groups," he said.
VMWare declined to say whether it had contacted law enforcement, saying only that it was leveraging all "external and internal" resources to look into the alleged leak. The company said it takes the threat seriously and would continue to provide updates on that investigation through its Security Response Center.
Editor's Note: This story was updated to correct a reference to the Twitter handle of the hacker YamaTough. The original story referred to that hacker as "Rama Tough." 4/25/2012
Kaspersky Confirms New Mac Trojan Used for Targeted Attacks
Researchers at Kaspersky Lab have confirmed that a new variant of malware targeting Macs is a directed attack. Called SabPub, the Trojan allows the attackers full control over the system, and unlike Flashback - the other Mac malware dominating the headlines - this one seems to have a distinct reason for living.
Kaspersky calls the SabPub discovery proof that it is an APT. I, along with many others in the industry, am not a fan of the term mostly because its roots are in marketing and not security. However, at the heart of the term is the notion that someone is deliberately attacking an organization’s network or assets, and they’re doing so with little to no resistance. In this case, that’s exactly what SabPub is doing.
SabPub's infection levels are low, something that marks it as a possible directed attack, Kaspersky says. It spreads via Microsoft Word documents and leverages the same Java vulnerability used by Flashback in order to gain a foothold on the computer. Once it is installed on a Mac, it connects to a C&C server and waits for instructions. On a whim, Kaspersky installed SabPub on a test system and let it run.
“The attackers seized control of the infected system and started analyzing it. They sent commands to view the contents of root and home folders and even downloaded some of the fake documents stored in the system. This analysis was most likely performed manually, and not using some automated system, which is unlikely in the widespread “mass-market” malware. Therefore, it can be confirmed that this backdoor is an example of an Advanced Persistent Threat in active use,” the Russian security firm explained in a statement.
“The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.”
It's important to remember that this latest Mac threat isn't a Mac-only problem. Windows users are just as vulnerable to it, depending on their system setup and personal computing habits.
“The SabPub backdoor once again reveals that not a single software environment is invulnerable,” Kaspersky’s Chief Security Expert, Alexander Gostev, said.
For more information, SecurityWeek’s Brian Prince covered Kaspersky’s earlier SabPub research last week. You can read that article here. In related news, Symantec has also discovered a variant of SabPub. Their analysis is here.