Dashboard Global

ASERT Security Intelligence

Summary: The APT group known as Darkhotel continues its attack activity and has recently expanded the geographic reach of its campaigns. Employees of targeted organizations who travel should remain vigilant. Darkhotel has used a variety of tactics, including 0day exploit code, so it is important to close the window of exposure on vulnerabilities that were 0days when first exploited but for which patches now exist. Patches were recently released for a variety of Microsoft and Adobe products; in some cases attacks have been observed in the wild and exploit code has been made public.

Software patching is vital, but it is only one aspect of security, as shown by the attack tactics used in a five-year data-siphoning compromise of several press release distributors that enabled a lucrative insider trading group to make approximately one hundred million dollars. Improper or ineffective monitoring of internal systems and networks let the attackers remain unnoticed for a lengthy period, a state of affairs that is all too common.

Also in the news is a DDoS attack on the Carphone Warehouse that was positioned as a distraction from a more serious compromise affecting the integrity and confidentiality of the organization, including a leak of sensitive user data. DDoS may simply be cover for more nefarious activity, and organizations need to be prepared for that possibility.

Even well-prepared organizations may have difficulty detecting advanced compromises of their routing infrastructure: Cisco has published information about IOS boot code (ROMMON) being modified by attackers and deployed on various targets. Detailed information about the intent of the malicious ROMMON images is not currently available, but various nation-states are known to have the resources needed to carry out such an attack.
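The routing-infrastructure point above is the one a practitioner most wants a concrete check for. The following is an added example, not ASERT's or Cisco's code: it parses the `show version` and `verify /md5` output an operator would already collect from IOS devices and flags any device whose reported ROMMON version is not on an approved list for its platform, or whose running image hash does not match the vendor-published value. Hostnames, version strings, hashes and the approved lists are constructed placeholders; the output line formats follow the usual IOS shapes but are an assumption about your platform.

```python
import re
from typing import Dict, List, Set

# Constructed sample data: three hypothetical routers. The `show version` and
# `verify /md5` lines follow the usual IOS output shape, but hostnames, versions
# and hashes are made up for this example and are not real Cisco values.
SHOW_VERSION: Dict[str, str] = {
    "rtr-edge-1": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M4, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
        "rtr-edge-1 uptime is 41 weeks, 2 days, 3 hours, 12 minutes\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M4.bin"\n'
    ),
    "rtr-edge-2": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M4, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M4.bin"\n'
    ),
    # Hypothetical device whose ROMMON version and image hash both differ.
    "rtr-dc-7": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M4, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M4.bin"\n'
    ),
}

VERIFY_MD5: Dict[str, str] = {
    "rtr-edge-1": "verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M4.bin) = 0123456789abcdef0123456789abcdef",
    "rtr-edge-2": "verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M4.bin) = 0123456789abcdef0123456789abcdef",
    "rtr-dc-7":   "verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M4.bin) = ffffffffffffffffffffffffffffffff",
}

# Baseline a defender maintains out-of-band: the image hash published by the
# vendor for each file name, and the ROMMON versions approved per platform.
# Both are placeholders here, not real published values.
KNOWN_GOOD_MD5: Dict[str, str] = {
    "c2900-universalk9-mz.SPA.154-3.M4.bin": "0123456789abcdef0123456789abcdef",
}
APPROVED_ROMMON: Dict[str, Set[str]] = {"C2900": {"15.0(1r)M16"}}

PLATFORM_RE = re.compile(r"^Cisco IOS Software, (?P<platform>\S+) Software", re.M)
ROMMON_RE = re.compile(r"^ROM: System Bootstrap, Version (?P<rommon>\S+),", re.M)
IMAGE_RE = re.compile(r'^System image file is "(?:[\w-]+:)?(?P<image>[^"]+)"', re.M)
MD5_RE = re.compile(r"verify /md5 \((?:[\w-]+:)?(?P<image>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})")


def parse_show_version(text: str) -> Dict[str, str]:
    """Pull platform, ROMMON version and running image file name out of `show version`."""
    fields: Dict[str, str] = {}
    for key, rx in (("platform", PLATFORM_RE), ("rommon", ROMMON_RE), ("image", IMAGE_RE)):
        m = rx.search(text)
        fields[key] = m.group(key) if m else ""
    return fields


def rommon_findings(inventory: Dict[str, str], approved: Dict[str, Set[str]]) -> List[str]:
    """Hosts whose reported ROMMON version is not on the approved list for their platform."""
    out: List[str] = []
    for host, text in inventory.items():
        f = parse_show_version(text)
        if f["rommon"] not in approved.get(f["platform"], set()):
            platform = f["platform"] or "unknown platform"
            out.append(f"{host}: ROMMON {f['rommon'] or '?'} not approved for {platform}")
    return out


def image_findings(verify_output: Dict[str, str], known_good: Dict[str, str]) -> List[str]:
    """Hosts whose `verify /md5` result does not match the known-good hash for that image."""
    out: List[str] = []
    for host, line in verify_output.items():
        m = MD5_RE.search(line)
        if not m:
            out.append(f"{host}: could not parse verify /md5 output")
            continue
        expected = known_good.get(m["image"])
        if expected is None:
            out.append(f"{host}: no known-good hash for {m['image']}")
        elif m["md5"].lower() != expected.lower():
            out.append(f"{host}: {m['image']} md5 {m['md5']} != published {expected}")
    return out


def audit(inventory: Dict[str, str], verify_output: Dict[str, str],
          approved: Dict[str, Set[str]], known_good: Dict[str, str]) -> List[str]:
    """Combine both checks into one list of findings; an empty list means nothing was flagged."""
    return rommon_findings(inventory, approved) + image_findings(verify_output, known_good)


if __name__ == "__main__":
    for finding in audit(SHOW_VERSION, VERIFY_MD5, APPROVED_ROMMON, KNOWN_GOOD_MD5):
        print(finding)
```

The caveat that makes this only a first pass: boot code or an IOS image that has already been modified can also lie in `show version` and `verify` output, so a clean result from on-box commands is weaker evidence than an out-of-band check such as hashing an image copied off the device on a separate system and comparing it with the vendor's published value.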


Defending the White Elephant

The full report, which includes attack details, TTPs and indicators of compromise, is available for download. Myanmar is a country currently engaged in an important political process. A pro-democracy reform took place in 2011 which has helped the government create an atmosphere conducive to investor interest. The country is resource rich, with a variety of […]

The post Defending the White Elephant appeared first on Threat Intelligence.


Mon, 31 Aug 2015 11:00:00 +0000

Espionage, Spying and Big Corporate Data, These Are a Few of China’s Favorite Things

ASERT provides a weekly threat bulletin for Arbor customers that highlights and analyzes the week’s top security events and provides other pertinent infosec material. Recently, we covered the public notification of a United Airlines breach by possible Chinese state-sponsored threat actors. In this blog, we offer an alternative hypothesis to the conclusions many have drawn […]



Mon, 17 Aug 2015 16:31:56 +0000

Automating Intelligence: Discovering Recent PlugX Campaigns Programmatically

One of the hardest things to do when you are receiving malware samples that have “anonymized” (e.g. name-is-hash) names, or general samples that lack any indication of the infection vector, is to determine the origin of the file and its intended target. Even harder is when you do not receive telemetry data from products that contain information […]



Mon, 03 Aug 2015 11:00:51 +0000

An Update on the UrlZone Banker

UrlZone is a banking trojan that appeared in 2009. Searching its name or one of its aliases (Bebloh or Shiotob) reveals a good deal of press from that time period along with a few technical analyses in 2009 [1] [2], 2012 [3], and 2013 [4]. Despite having a reputation of evolution, there doesn’t seem to […]



Tue, 21 Jul 2015 08:00:31 +0000

Flu season starting early: the H1N1 Loader

The H1N1 Loader appears to be a relatively new downloader family that, to the best of our knowledge, was initially discovered and analyzed by the security community in May 2015. We have seen several samples show up in our malware zoo this Spring and have documented our preliminary findings from a network communications perspective in a […]



Tue, 14 Jul 2015 09:00:20 +0000


Top Attacks (past 24 hours)

Sorted by attacks per subnet:

| Description | Attacks per subnet | Change from yesterday | CVE | Percentage |
|---|---|---|---|---|
| VNC network scanning activity | 205.95 | -52.7 % | | 49.3% |
| SSH brute-force login attempts | 97.73 | -30.7 % | | 23.4% |
| MYSQL brute-force login attempts | 29.01 | +11.4 % | | 6.9% |
| RPC portmap listing UDP 111 | 22.44 | +1817.9 % | | 5.4% |
| ntpdx overflow attempt | 21.58 | +182.7 % | CVE-2001-0414 | 5.2% |

Sorted by change from yesterday:

| Description | Attacks per subnet | Change from yesterday | CVE | Percentage |
|---|---|---|---|---|
| RPC portmap listing UDP 111 | 22.44 | +1817.9 % | | 5.4% |
| ntpdx overflow attempt | 21.58 | +182.7 % | CVE-2001-0414 | 5.2% |
| Microsoft Windows ASN.1 Library buffer overflow attempt | 0.65 | +22.1 % | CVE-2003-0818 | 0.2% |
| ASN.1 constructed bit string | 0.64 | +22.0 % | CVE-2005-1935 | 0.2% |
| MYSQL brute-force login attempts | 29.01 | +11.4 % | | 6.9% |
Top Scanned Services (past 24 hours)

Sorted by traffic per subnet:

| Service | Traffic per subnet | Change from yesterday | Latest CVE | Percentage |
|---|---|---|---|---|
| UDP/5060 (sip) | 303.69 kB | -15.0 % | CVE-2006-0189 | 28.8% |
| TCP/23 (telnet) | 235.90 kB | +26.1 % | CVE-2007-0956 | 22.4% |
| TCP/5900 | 78.47 kB | -41.5 % | CVE-2006-4309 | 7.4% |
| TCP/8080 (webcache) | 60.59 kB | -34.6 % | CVE-2007-5461 | 5.7% |
| TCP/8118 (privoxy) | 50.02 kB | -38.9 % | | 4.7% |

Sorted by change from yesterday (+inf % means no traffic to that service was recorded in the previous 24-hour period):

| Service | Traffic per subnet | Change from yesterday | Latest CVE | Percentage |
|---|---|---|---|---|
| UDP/123 (ntp) | 9.22 kB | +inf % | CVE-2001-0414 | 0.9% |
| UDP/5061 (sip-tls) | 7.44 kB | +inf % | | 0.7% |
| TCP/25 (smtp) | 4.54 kB | +inf % | CVE-2008-0394 | 0.4% |
| TCP/3128 (squid) | 4.39 kB | +inf % | CVE-2007-0247 | 0.4% |
| TCP/135 (epmap) | 4.28 kB | +inf % | CVE-2007-2446 | 0.4% |
Top Threat Sources (past 24 hours)

By country:

| Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS |
|---|---|---|---|---|---|---|
| US (United States) | 1 | 91 | 178.05 kB | 3 | 4093 | 2675 |
| CN (China) | 2 | 45 | 302.31 kB | 1 | 0 | 371 |
| DE (Germany) | 3 | 24 | 148.09 kB | 1 | 355 | 203 |
| KR (South Korea) | 4 | 3 | 9.04 kB | 1 | 23 | 1510 |
| BR (Brazil) | 5 | 5 | 10.17 kB | 0 | 30 | 1083 |
| NL (Netherlands) | 6 | 52 | 55.88 kB | 2 | 104 | 159 |
| CA (Canada) | 7 | 0 | 42.22 kB | 0 | 379 | 68 |
| FR (France) | 8 | 17 | 22.85 kB | 10 | 367 | 191 |
| RU (Russian Federation) | 9 | 9 | 22.45 kB | 0 | 36 | 142 |
| GB (Great Britain) | 10 | 2 | 4.95 kB | 1 | 412 | 203 |
| TR (Turkey) | 11 | 0 | 20.53 kB | 0 | 116 | 51 |
| CH (Switzerland) | 12 | 0 | 1.80 kB | 0 | 44 | 282 |
| IT (Italy) | 13 | 0 | 2.41 kB | 0 | 124 | 214 |
| HU (Hungary) | 14 | 0 | 334.97 B | 0 | 375 | 95 |
| IN (India) | 15 | 1 | 7.54 kB | 0 | 81 | 134 |
| ES (Spain) | 16 | 1 | 11.37 kB | 0 | 34 | 85 |
| TH (Thailand) | 17 | 0 | 5.15 kB | 0 | 18 | 168 |
| GR (Greece) | 18 | 47 | 13.14 kB | 1 | 0 | 0 |
| MY (Malaysia) | 19 | 0 | 4.45 kB | 0 | 0 | 135 |
| RO (Romania) | 20 | 11 | 7.84 kB | 0 | 66 | 41 |

By ASN:

| ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS |
|---|---|---|---|---|---|---|
| AS4809 (CHINATELECOM-CORE-WAN-CN2) | 1 | 0 | 156.95 kB | 0 | 0 | 0 |
| AS4134 (CHINANET-BACKBONE) | 2 | 25 | 60.21 kB | 1 | 0 | 110 |
| AS30083 (SERVER4YOU) | 3 | 0 | 62.85 kB | 0 | 33 | 0 |
| AS26496 (AS-26496-GO-DADDY-COM-LLC) | 4 | 0 | 0 B | 0 | 1595 | 0 |
| AS16276 (OVH) | 5 | 15 | 36.10 kB | 5 | 331 | 54 |
| AS8972 (PLUSSERVER-AS) | 6 | 11 | 48.68 kB | 0 | 34 | 0 |
| AS4837 (CHINA169-BACKBONE) | 7 | 2 | 42.68 kB | 0 | 0 | 20 |
| AS29073 (ECATEL-AS) | 8 | 50 | 42.66 kB | 1 | 0 | 0 |
| AS34289 (WEBART-AS) | 9 | 0 | 37.68 kB | 0 | 0 | 0 |
| AS16265 (LEASEWEB-NETWORK) | 10 | 1 | 26.52 kB | 0 | 19 | 26 |
| AS8560 (ONEANDONE-AS) | 11 | 12 | 23.07 kB | 0 | 15 | 0 |
| AS15169 (GOOGLE) | 12 | 0 | 0 B | 0 | 149 | 281 |
| AS9318 (HANARO-AS) | 13 | 0 | 921.37 B | 0 | 0 | 299 |
| AS4766 (KIXS-AS-KR) | 14 | 0 | 5.50 kB | 0 | 0 | 207 |
| AS12322 (PROXAD) | 15 | 1 | 15.54 kB | 6 | 67 | 0 |
| AS9121 (TTNET) | 16 | 0 | 17.01 kB | 0 | 0 | 17 |
| AS6428 (CDM) | 17 | 0 | 17.32 kB | 0 | 0 | 0 |
| AS6939 (HURRICANE) | 18 | 7 | 17.13 kB | 0 | 0 | 0 |
| AS6128 (CABLE-NET-1) | 19 | 49 | 14.15 kB | 0 | 0 | 0 |
| AS174 (COGENT-174) | 20 | 0 | 12.91 kB | 0 | 0 | 28 |