Dashboard Global

ASERT Security Intelligence

Summary: Threat actors are continuously engaged in APT-style attacks, and several such campaigns were uncovered this week. Kaspersky Labs and F-Secure discuss a campaign known as CozyDuke, which has targeted the White House and the US Department of State as well as other victims. In a separate report, the group known as APT28 has used a patched Adobe Flash vulnerability and an unpatched (0-day) Windows privilege elevation flaw to attack targets of strategic interest to the group, including western defense and military contractors. On the commodity malware front, the Upatre downloader has seen a burst of recent development effort as it incorporates encryption, SSL communications, and social engineering tactics in its latest campaigns. Upatre has been used for several years with great success and has greatly enriched the underground economy by delivering threats such as Game Over Zeus, Dyreza, Neverquest and other malware. Trend Micro has reported an increase in fileless malware that hides in locations often overlooked by security products and support staff. These tactics are not new, but reflect the continued evolution of the threat landscape as miscreants seek to avoid detection and prolong access. In financial security news, Point of Sale security practices continue to be a problem, with one vendor reportedly using the same password since at least 1990. F-Secure reports on a cross-platform malware known as Janicab that targets Windows and Mac using Python and VBScript.

Title: APT28 Group Attack Campaigns Leverage 0day Exploit Code
Severity Level: Normal Severity
Published: Thu, 23 Apr 2015 22:49:26 +0000
Indicators suggest that the nation-state threat actor group known as APT28 has recently engaged in an attack campaign against strategic targets using two distinct exploits. One targets a recently patched Adobe Flash vulnerability; the other targets an unpatched privilege escalation vulnerability in Windows itself.
Source: Russian hackers exploit Flash, Windows flaws to spy on diplomats | ZDN ...

Title: CozyDuke APT Campaign Targets White House
Severity Level: Normal Severity
Published: Thu, 23 Apr 2015 22:49:26 +0000
Kaspersky Labs has reported on an APT campaign targeting the White House and the US Department of State. The APT campaign is known by the names CozyDuke, CozyBear, CozyCar, or "Office Monkeys." The malware uses fraudulent certificates for code signing and the Microsoft CryptoAPI implementation of RC4 for encryption.
Source: The CozyDuke APT - Securelist

Title: Point of Sale Security Infrastructure Weaknesses
Severity Level: Normal Severity
Published: Thu, 23 Apr 2015 22:49:26 +0000
Default credentials continue to pose security problems for a variety of systems. Point of Sale infrastructure has been compromised through weak security for a long time, as recently discussed at the RSA security conference. While weak security and default passwords are convenient for vendors and users, the risks are too high. Despite PCI guidelines, Point of Sale infrastructure continues to suffer from insecure configuration and other vulnerabilities.
Source: POS vendor uses same password - 166816 - non-stop since 1990 • The R ...

Title: Upatre Advancements: Encrypted Attachments, SSL, and Compromised Accounts
Severity Level: Normal Severity
Published: Thu, 23 Apr 2015 22:49:26 +0000
The Upatre downloader, first discovered in 2013, has made recent changes to increase malware detonation rates and improve post-compromise survival through improved evasion techniques. Its phishing campaigns have added a social engineering component, using compromised email accounts to lend credibility to the messages.
Source: Upatre Using Encrypted Attachments and SSL


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft, “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion. (Although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets.)

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [ 1 ] [ 2 ] [ 3 ] ) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

It has been a little while since we profiled a DDoS botnet family on the blog, so let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan), named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000
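Turning the BlackRev C&C table above into something a defender can run, as an added example that is not part of the original post and not ASERT's code: the four indicator rows are the ones in the table; the web-proxy log format, the three sample log lines, the sid numbers and the Suricata 5+ sticky-buffer rule syntax are assumptions made for this illustration.

```python
"""Match web-proxy log lines against the Trojan.BlackRev C&C indicators.

Added example, not ASERT's own code. The four indicator rows come from
the table above; the proxy log format, the sample log lines, the sid
range and the Suricata 5+ sticky-buffer syntax are assumptions.
"""
from urllib.parse import urlsplit

# Indicators from the table above: (revision, sample MD5, C&C URL, C&C IP)
BLACKREV_IOCS = [
    ("1",   "06d8da1e14cff81ca2fad02d2a878c72", "http://userhaos.ru/113/bot/gate.php", "91.105.232.105"),
    ("2",   "c9c6aeacee9f973ca0ca5da101a12a16", "http://ergoholding.ru/rev/gate.php",  "91.204.122.100"),
    ("2.5", "7141cacc3f4a191015a176947a403b79", "http://clfrev.ru/rev/panel/gate.php", "93.170.130.112"),
    ("3",   "eae553d72142f9dcb06c5c134015fe7a", "http://ergoholding.ru/ddd/gate.php",  "91.204.122.100"),
]


def build_lookups(iocs=BLACKREV_IOCS):
    """Index the indicators two ways: exact (host, path) and bare C&C IP.

    Host+path is the strong signal. The IP alone is weaker: 91.204.122.100
    serves two revisions, so an IP hit can only say "some BlackRev C&C",
    not which build.
    """
    by_host_path = {}
    by_ip = {}
    for rev, _md5, url, ip in iocs:
        u = urlsplit(url)
        by_host_path[(u.hostname.lower(), u.path)] = rev
        by_ip.setdefault(ip, set()).add(rev)
    return by_host_path, by_ip


def match_proxy_line(line, by_host_path, by_ip):
    """Check one proxy log line (assumed format: 'ts client METHOD url dst_ip').

    Returns a list of (indicator_kind, revisions) hits; an empty list means
    clean. The query string is ignored on purpose: gate.php takes variable
    parameters, so matching the full URL would miss most beacons.
    """
    parts = line.split()
    if len(parts) < 5:
        return []
    url, dst_ip = parts[3], parts[4]
    u = urlsplit(url)
    key = ((u.hostname or "").lower(), u.path)
    hits = []
    if key in by_host_path:
        hits.append(("c2-url", (by_host_path[key],)))
    elif dst_ip in by_ip:
        # Bot talking to the C&C by IP, or a domain we have not seen yet.
        hits.append(("c2-ip", tuple(sorted(by_ip[dst_ip]))))
    return hits


def suricata_rules(iocs=BLACKREV_IOCS, first_sid=9000001):
    """Emit one Suricata rule per C&C URL (sticky-buffer syntax, Suricata 5+).

    The sid range is a placeholder; allocate from your own local range.
    """
    rules = []
    for i, (rev, _md5, url, _ip) in enumerate(iocs):
        u = urlsplit(url)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"EXAMPLE BlackRev rev {rev} C&C beacon"; '
            'flow:established,to_server; '
            f'http.host; content:"{u.hostname}"; '
            f'http.uri; content:"{u.path}"; '
            f'sid:{first_sid + i}; rev:1;)'
        )
    return rules


# Constructed sample log lines (not real traffic): timestamp, client,
# method, URL, destination IP. 93.184.216.34 is just a non-indicator IP.
SAMPLE_LOG = [
    "2013-05-20T10:01:02Z 10.0.0.5 POST http://ergoholding.ru/rev/gate.php?id=7 91.204.122.100",
    "2013-05-20T10:01:03Z 10.0.0.7 GET http://www.example.com/index.html 93.184.216.34",
    "2013-05-20T10:01:04Z 10.0.0.9 POST http://91.204.122.100/ddd/gate.php 91.204.122.100",
]


def scan_log(lines=SAMPLE_LOG):
    """Return {line_index: hits} for the lines that matched an indicator."""
    by_host_path, by_ip = build_lookups()
    return {i: h for i, line in enumerate(lines)
            if (h := match_proxy_line(line, by_host_path, by_ip))}


if __name__ == "__main__":
    for idx, hits in scan_log().items():
        print(idx, hits)
    print("\n".join(suricata_rules()))
```

The split between the URL index and the IP index is the point worth keeping: a host+path hit identifies the revision, while a bare IP hit on a shared address should be treated as "BlackRev C&C, revision unknown" rather than attributed to one build.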

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[ATLAS graph: Syria traffic, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Description                                   Attacks per subnet   Change from yesterday   CVE             Percentage
VNC network scanning activity                 369.37               +55.1 %                                 61.0%
SSH brute-force login attempts                66.99                +77.4 %                                 11.1%
Outbound Teredo traffic detected              32.04                +35.6 %                 CVE-2007-3038   5.3%
MYSQL brute-force login attempts              21.37                -10.4 %                                 3.5%

Description                                   Attacks per subnet   Change from yesterday   CVE             Percentage
ping attempt                                  13.28                +113.0 %                                2.2%
SNMP MS Windows getbulk request               18.30                +111.9 %                CVE-2006-5583   3.0%
HTTP Proxy Request attempt                    0.91                 +100.0 %                                0.1%
MALWARE Suspicious 220 Banner on Local Port   0.71                 +100.0 %                                0.1%
 
Top Scanned Services (past 24 hours)

Description          Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/5060 (sip)       353.92 kB            -6.5 %                  CVE-2006-0189   22.2%
TCP/5900             139.13 kB            +15.1 %                 CVE-2006-4309   8.7%
TCP/23 (telnet)      56.66 kB             -23.0 %                 CVE-2007-0956   3.5%
UDP/19 (chargen)     51.78 kB             +580.3 %                                3.2%
UDP/1900 (ssdp)      48.29 kB             +5.9 %                  CVE-2006-3687   3.0%

Description          Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/5061 (sip-tls)   15.08 kB             +inf %                                  0.9%
UDP/5064 (ca-1)      15.02 kB             +inf %                                  0.9%
UDP/5070             14.94 kB             +inf %                                  0.9%
UDP/5080             12.61 kB             +inf %                                  0.8%
UDP/5075             12.34 kB             +inf %                                  0.8%

(+inf %: no traffic to that port was recorded the previous day, so the percentage change is undefined.)
 
Top Threat Sources (past 24 hours)

Country                   Rank   Attacks per subnet   Scans per subnet   Botnets   Phishing   DoS
US (United States)        1      70                   147.53 kB          3         144994     2268
FR (France)               2      2                    535.78 kB          10        18857      136
DE (Germany)              3      6                    87.06 kB           1         16478      229
GB (Great Britain)        4      2                    96.34 kB           1         14734      153
CA (Canada)               5      18                   27.63 kB           0         16787      67
CN (China)                6      70                   214.19 kB          1         6437       907
TR (Turkey)               7      1                    1.86 kB            0         11665      241
PL (Poland)               8      1                    27.47 kB           0         11115      30
CL (Chile)                9      0                    407.13 B           0         11510      35
RO (Romania)              10     1                    5.79 kB            0         9229       131
RU (Russian Federation)   11     8                    16.55 kB           0         8635       116
EU (European Union)       12     42                   22.56 kB           0         6216       21
KR (South Korea)          13     170                  69.64 kB           1         1758       1605
ID (Indonesia)            14     1                    366.58 B           0         6129       17
IT (Italy)                15     2                    8.57 kB            0         5389       258
BR (Brazil)               16     7                    7.79 kB            0         4460       687
AU (Australia)            17     0                    442.51 B           0         5710       80
NL (Netherlands)          18     62                   27.42 kB           2         3496       277
IN (India)                19     2                    13.83 kB           0         4152       28
PT (Portugal)             20     0                    6.27 kB            0         3317       0
 
ASN                                   Rank   Attacks per subnet   Scans per subnet   Botnets   Phishing   DoS
AS12322 (PROXAD)                      1      1                    526.79 kB          6         6888       0
AS26496 (AS-26496-GO-DADDY-COM-LLC)   2      0                    0 B                0         18658      0
AS32400 (HWSERVICES-32400)            3      0                    0 B                0         14610      0
AS33182 (DIMENOC)                     4      0                    0 B                0         12394      0
AS14259 (Gtd)                         5      0                    0 B                0         10122      0
AS24940 (HETZNER-AS)                  6      0                    0 B                0         9721       0
AS16276 (OVH)                         7      0                    3.54 kB            5         7169       98
AS46606 (UNIFIEDLAYER-AS-1)           8      0                    0 B                0         7255       34
AS17054 (AS17054)                     9      0                    0 B                0         6220       0
AS12824 (HOMEPL-AS)                   10     0                    0 B                0         6095       0
AS26347 (DREAMHOST-AS)                11     0                    0 B                0         5128       0
AS4134 (CHINANET-BACKBONE)            12     19                   53.81 kB           1         3213       151
AS36351 (SOFTLAYER)                   13     0                    0 B                0         4205       293
AS4837 (CHINA169-BACKBONE)            14     36                   112.63 kB          0         1376       67
AS15169 (GOOGLE)                      15     2                    0 B                0         4556       72
AS30060 (VERISIGN-ILG1)               16     0                    0 B                0         4295       0
AS46549 (GVO)                         17     0                    0 B                0         3620       0
AS13768 (PEER1)                       18     0                    0 B                0         2617       33
AS32244 (LIQUID-WEB-INC)              19     0                    0 B                0         2675       0
AS11042 (LANDIS-HOLDINGS-INC)         20     0                    0 B                0         2629       0