NEWS FROM THE LAB - Friday, September 28, 2012

CVE-2012-1535 and Nuclear Warheads
Posted by Sean @ 13:30 GMT

Our corporate business team has an upcoming "software updater" feature in our Protection Service which they want to market. So they asked our lab analyst @TimoHirvonen to provide them with an example demonstrating the amount of time it takes to go from vulnerability to exploit.

Here's the timeline Timo came up with regarding CVE-2012-1535:

  •  2012-08-14: Security update available for Adobe Flash Player, patches vulnerability CVE-2012-1535.
     (Security update available for Adobe Flash Player)
  •  2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.
     (CVE-2012-1535: Adobe Flash being exploited in the wild, CVE-2012-1535 - 7 samples and info)
  •  2012-08-17: Exploit is added to Metasploit Framework — a public, open-source tool for developing and executing exploits.
     (Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit)

As you can see, it doesn't take much time at all to commoditize a vulnerability into an exploit.

And then Timo got curious (as he often does) and decided to research the exploit itself, Exploit:SWF/CVE-2012-1535.B.

He did some searching and found this Digital4rensics Blog post, which links to a VirusTotal report on a doc file called 110630_AWE Platinum Partners.doc. Symantec has a CVE-2012-1535 post that shows a censored screenshot of the e-mail (or at least a similar one) with the document attached. And Contagio has a list of multiple Word docs using the same exploit.

So Timo located a few examples:

(Screenshot: CVE-2012-1535 Docs)

110630_AWE Platinum Partners.doc turned out to be the most interesting. According to the Digital4rensics Blog linked to above, AWE Limited is an Australian Oil & Gas company. But that didn't sound right to Timo. He recognized the name Tybrin in one of the other docs, and connected it to Jacobs' TYBRIN Group, which does U.S. Department of Defense work.

So then, let's take a look at the decoy document dropped by 110630_AWE Platinum Partners.doc:

(Screenshot of the decoy document)

"Working together to keep our world safe and secure by ensuring warheads are always available."

That doesn't sound related to an oil and gas company…

Searching on LinkedIn for people named in the decoy document led to another organization called AWE, this time in the UK:

(Screenshot: Atomic Weapons Establishment)

It appears that AWE stands for Atomic Weapons Establishment.

Regardless of the content of the files, we don't know who was targeted with this attack and we don't know who submitted these documents to VirusTotal.

SHA1 of 110630_AWE Platinum Partners.doc: 51bb2d536f07341e3131d070dd73f2c669dae78e
SHA1 of decoy: 0eb24ffa38e52e4a1e928deb90c77f8bc46a8594