Security Week 32: Sauron project, vulnerability in iOS, worm in PLC
Meanwhile, a cozy security digest turned one year old. How fast time flies! In the issue for the 32nd week of last year, I wrote about a hole in Android, a vulnerability in Fiat Chrysler cars and the concept of Do Not Track 2.0. What changed? I still don’t feel a lack of security news, on the contrary. There are changes for the better, but not everywhere, which just can be seen in the example of these three old messages. Stagefright. Since the discovery of the vulnerability, several more media-processing- related issues have been identified , and recently serious holes have been added to them .mainly affecting Qualcomm devices. Such a lot of work on bugs is a good sign, especially since within a year the problem of delivery of patches began to be solved. Not on all devices, and with varying success with different vendors, but there are positive developments.
Car safety remains a daunting topic. On the one hand, revelations of the level of last year’s news about wireless hacking of a car did not appear, on the other hand, the absence of loud disclosures does not mean security. Rather, the reason is that the auto industry is closed to independent researchers. A good story on the subject happened this week: researchers from the University of Birmingham revealeddetails of the vulnerability of the standard anti-theft system that has been installed on Volkswagen vehicles since 1995. It was very easy to intercept signals from a wireless key fob of such a system. It is important that all the data was in the hands of researchers already in 2013, but VW slowed down the publication of the report in a lawsuit. They can also be understood, but judging by indirect data, only the public did not know about the vulnerability of the alarm system, but criminals have been using it for a long time. In this scenario, the car owner is better to still know about the potential insecurity of the standard system.
Well, privacy. With privacy, it did not get better, rather the opposite. Existing systems and related encryption algorithms are testedthe reliability of the researchers, plus the whole year there has been a discussion about access to encrypted data by government agencies and equivalent organizations. But there are also positive aspects, for example, the transition to WhatsApp and Viber data encryption. Let's get back to today's news. Absolutely all digest editions are available by tag .
Project “Sauron” - a new targeted campaign takes into account the mistakes of its predecessors
News . Research "Laboratory". Symantec study .
Earlier this week, Lab experts and Symantec researchers independently published a report of a new APT attack. We call it ProjectSauron, our colleagues - Strider. "Sauron" uses quite advanced methods of attack, data collection and exfiltration, although not as cool as, for example, in The Equation. Perhaps the main features of the attack are maximum sharpening for the victim and the maximum difficulty of detection. Malicious components are stored only in RAM; for each victim, its own set of malware, domains and servers for data output is created. And for exfiltration, a whole arsenal of tools is used: from standard ones, but using strong encryption, to operating internal mail servers and outputting data from air-gapped systems using cleverly marked flash drives. A positive point is the availability of methods to combat crowbars and such a classification: malicious activity was detected using our solution to protect against targeted attacks . More technical details in a detailed lab report in PDF .

A screenshot of our advanced attack tracker hints that there are a lot of such attacks.
IOS 9.3.4 closes the critical RCE vulnerability
News . Advisory on Apple.
Winner in the shortest news of the week nomination. In the next update of the iOS mobile operating system, Apple closed a dangerous vulnerability that allowed the application to execute code with kernel privileges. All! Apple can afford this: the system code is closed, relations with external researchers are also conducted non-publicly. Even Apple’s recently launched Bug Bounty program is conducted privately: as reported from the field, only two dozen researchers have been invited to the program, and no, they won’t even tell us exactly who. By the way, Apple thanks the Chinese team Team Pangu, a group of hackers specializing in jailbreaks for vulnerability information.
Researchers revealed proof of concept for a worm living in
News programmable logic controllers . PDF study.
And here is the compote promised last week - another interesting study from the Blackhat conference. Researcher Maik Bruggemann of OpenSource Security spent quite some time analyzing the interaction of Siemens Programmable Logic Controllers (PLCs) with the TIA Portal management console.
Having discovered security holes, in particular in methods for checking code integrity and password protection, he showed how the controllers themselves can be infected. This is a key point: if earlier the discussion of the security of industrial systems was built around the protection of control software and systems, now we are talking about a possible compromise of the controllers themselves - devices are relatively simple and therefore not perceived as a threat. But in vain: the demonstration shows, for example, how to establish communication between the worm and the command center outside the network.

Fortunately, this is still a proof of concept, not a real worm. The iron maker, Siemens, even claims that the demonstration was of a very theoretical nature. In particular, to realize his idea, the researcher turned off security systems, which under normal conditions should always be turned on. Nevertheless, the picture is beautiful and frightening: in today's production of potentially vulnerable computers there are dozens, and so it turns out that hundreds. Bruggemann concludes: manufacturers need to change their approach to security. Good, but not specific: in this case, you can start by monitoring the integrity of the code for the PLC, and preferably not only by the vendor.
What else happened:
A serious vulnerability in the implementation of TCP protocol in Linux, allowing to intercept traffic.
The authors of Carbanak may have been involved in the attack on the Oracle POS system .
Microsoft seems to have big problems with the SecureBoot system (and jailbrokers have a holiday).
Antiquities:"V-492"
A resident very dangerous virus. It infects COM files when they are executed. It does not check the length of files. It copies itself to the end of the file and changes its first 6 bytes (JMP xx xx zz zz zz).
When activated, it searches for the file C: \ COMMAND.COM and infects it. It then remains resident in memory. To do this, the virus copies itself to the interrupt vector table at address 0000: 0200. Periodically erases several sectors with random numbers. Modifies int 1Ch and int 21h. Contains the command 'PUSH 100h', therefore it does not apply to computers with an 8086/88 processor.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992 year. Page 87.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.