Blog

Covering the GreedyWonk APT

March 25, 2014 by Ixia Blog Team

In December 2012 when the complete specifications where out for HTML5, the whole Web was teeming with excitement for the online media revolution that the latest installment, of what is the equivalent of web DNA, was about to deliver. Although the greatest feature was fully delivering the client-side experience using a single paradigm, CIOs and CISOs everywhere probably rejoiced at the prospect of getting rid of Adobe Flash Player along with all its vulnerabilities and risks. It’s 2014 and Internet Explorer, still the most widely used browser, has limited support at best and the other browsers have yet to cover all of Adobe Flash’s functionalities.1 Whether we like it or not, Flash is still the most-used platform for online media interactions and the Adobe Virtual Machine is still a necessary presence on most endpoints.

On February 20th 2014 FireEye published its findings on a new Advanced Persistent Threat (APT) called GreedyWonk.2 The APT used a vulnerability that affects all versions of Adobe Flash player below 12.0.0.4 and 11.7.700.261 as detailed in the CVE-2014-0502.3 The attack targeted non-profit websites that cover national security.4 The hacking group behind it showed advanced capabilities and access to Zero-Days, and upon initial compromise, dropped a variant of the Poison Ivy RAT (Remote Access Trojan),5 one of the most powerful cyber weapons out there. Upon inspecting the exploit, we can see that the vulnerability is triggered due to improper memory management when handling SharedObject entities in a multithreaded environment, enabling an attacker to redirect code execution.6 Adobe published a security bulletin with a fix for the vulnerability on the same day.7

Leverage subscription service to stay ahead of attacks

To asses an organization’s defense capabilities against real threats, users of Ixia’s Breaking Point test system rely on the BreakingPoint Application and Threat Intelligence (ATI) subscription service as a simple means of modeling actual attacks as closely as possible. After closely analyzing the exploit elements, Ixia’s ATI Team isolates and assesses the key components that are causing the memory corruption and creates a harmless variant of the attack. The resulting binary is obfuscated and to further evade intrusion detection system (IDS) scrutiny, several transport protocols including HTTP, SMTP, and FTP may be employed to deliver the payload.

Whenever possible, the ATI Team tailors exploit delivery against the attacks that are making the headlines. To this end, the strike for CVE-2014-0502 was modeled to be used inside a browser similarly to how victims were compromised in the GreedyWonk campaign. Multithread support was introduced in Adobe Flash in August 2012 with the release of version 11.4, and for all intents and purposes it’s still a new feature. Given constraints of memory management in shared worker environments, it’s likely that we’ll be seeing more vulnerability in this area soon.

Additional Resources:

View Ixia’s Full ATI Protocol List

[1] http://blogs.html5andcss3.org/html5-browser-support/

[2] http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html

[3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0502

[4] http://www.computerworld.com/s/article/9246475/Adobe_Flash_exploit_targets_security_public_policy_sites

[5] http://www.infosecurity-magazine.com/view/34074/poison-ivy-dissected-commodity-tool-or-apt-weapon/

[6] http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html