Dashboard Global

ASERT Security Intelligence

Summary: Distribution of malware using malicious Microsoft Office macros is on the rise. Popular malware used by cybercriminals, including Rovnix, Neverquest and Dridex, has been distributed via this tactic. A recent issue in a hospitality and convention Internet access system called InnGate has put hospitality environments' information at risk. Malicious threat actor campaigns known as 'Dark Hotel' may have been aware of this and other similar flaws. This flaw may have existed for some time, increasing the chance that threat actors have compromised a large amount of user information. Using JavaScript and a little social engineering, Cryptolocker 3.0 is seeing marked success: emails were discovered claiming to be resumes from potential job applicants, with the JavaScript files used to download the malware disguised as the resumes. An emergent banking Trojan dubbed Slave recently started its campaign by targeting Polish financial institutions. Researchers recently discovered a new Point of Sale malware they have named PoSeidon. Like most PoS malware, it scrapes the RAM of infected terminals for credit card information. PoSeidon is just the latest in a long line of PoS malware threats taking a heavy toll on payment infrastructure in countries that are not yet using the EMV standard. Spammers are also gaining traction by using email standards intended to limit spam: by using standards like DMARC, SPF and DKIM, spammers are able to track the overall delivery success or failure of their messages and modify contents to further evade spam filters. Finally, on Wednesday, March 25th, Cisco released their bi-annual updates for IOS. The updates correct Denial of Service, interface queue wedges, and remote code execution issues.

Title: Malicious Macros Dropping Multiple Malware Threats
Severity Level: Normal Severity
Published: Thu, 26 Mar 2015 21:46:00 +0000
Word and Excel files are being spammed that contain malicious macros that have been observed downloading a variety of malware threats such as Vawtrak/Neverquest, Dridex, Rovnix, and Betabot. Clearly, cybercriminals are experiencing success with this tactic as its use has been on the rise in recent months after a long period of inactivity.
Source: Macro-based Malware Increases Along with Spam Volume, Now Drops BARTALEX

Title: New Banking Trojan Targeting Poland
Severity Level: Normal Severity
Published: Thu, 26 Mar 2015 21:46:00 +0000
A new banking Trojan, dubbed Slave, is targeting Polish banks using JSON webinjects [http://securityblog.s21sec.com/2015/03/new-banker-slave-hitting-polish-banks.html]. Currently known samples have a time-check function set to 1 April 2015, which stops the malware from executing after that date. Despite this, threat actors could easily push an update to further extend the life of the malware.
Source: S21sec Security Blog: New banker 'Slave' hitting Polish Banks

Title: Cisco Issues Denial of Service and Memory Vulnerability Patches
Severity Level: Normal Severity
Published: Thu, 26 Mar 2015 21:46:00 +0000
On Wednesday, March 25th, Cisco released their bi-annual patch updates for IOS. The updates correct Denial of Service, interface queue wedges, and remote code execution issues.
Source: Denial of Service and Memory Vulnerabilities Patched in Cisco IOS

Title: Rsync Misconfiguration Puts Hotel Users at Risk
Severity Level: Normal Severity
Published: Thu, 26 Mar 2015 21:46:00 +0000
Researchers from Cylance revealed a serious misconfiguration in a hospitality and convention Internet access system called InnGate, provided by ANTLabs [http://blog.cylance.com/vulnerability-cve-2015-0932?hs_preview=TdeI1s0U-2624678011]. Rsync, a common Unix-based utility for file transfer and file synchronization, was wide open on the devices, with no network access control and no authorization control. This allowed anyone to tamper with and compromise the devices themselves, to sniff traffic from all guests using the system, and to compromise other systems via lateral movement.
Source: Hotel Internet Gateways Patched Against Remote Exploit


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft "IPv6 Fragment Header Deprecated". As one might guess, this draft has generated a lot of discussion. (Although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets.)

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [ 1 ] [ 2 ] [ 3 ] ) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let's take a look at Trojan.BlackRev (also known as the "Black Revolution" Trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev | MD5 | C&C URL | C&C IP
1 | 06d8da1e14cff81ca2fad02d2a878c72 | http://userhaos.ru/113/bot/gate.php | 91.105.232.105
2 | c9c6aeacee9f973ca0ca5da101a12a16 | http://ergoholding.ru/rev/gate.php | 91.204.122.100
2.5 | 7141cacc3f4a191015a176947a403b79 | http://clfrev.ru/rev/panel/gate.php | 93.170.130.112
3 | eae553d72142f9dcb06c5c134015fe7a | http://ergoholding.ru/ddd/gate.php | 91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.


We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor's technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 256.31 | +34.3 % | | 54.3%
SSH brute-force login attempts | 72.40 | +29.3 % | | 15.3%
Outbound Teredo traffic detected | 21.19 | +55.8 % | CVE-2007-3038 | 4.5%
MYSQL brute-force login attempts | 16.08 | -31.9 % | | 3.4%

Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/5060 (sip) | 257.75 kB | +34.9 % | CVE-2006-0189 | 24.5%
TCP/5900 | 130.04 kB | +2.7 % | CVE-2006-4309 | 12.3%
TCP/23 (telnet) | 84.09 kB | -21.6 % | CVE-2007-0956 | 8.0%
TCP/22 (ssh) | 36.94 kB | -4.7 % | CVE-2002-0639 | 3.5%
TCP/80 (http) | 28.11 kB | +47.8 % | CVE-2008-5457 | 2.7%
TCP/443 (https) | 16.26 kB | +inf % | CVE-2007-5135 | 1.5%
TCP/445 (microsoft-ds) | 11.50 kB | +inf % | CVE-2009-3103 | 1.1%
TCP/1234 (search-agent) | 9.82 kB | +inf % | | 0.9%
TCP/3389 (ms-wbt-server) | 8.58 kB | +inf % | CVE-2005-1218 | 0.8%
TCP/5631 (pcanywheredata) | 8.29 kB | +inf % | CVE-2005-3934 | 0.8%

Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
US (United States) | 1 | 66 | 110.99 kB | 3 | 132392 | 2180
FR (France) | 2 | 3 | 114.46 kB | 10 | 20066 | 237
DE (Germany) | 3 | 11 | 99.84 kB | 1 | 18687 | 252
CA (Canada) | 4 | 2 | 7.08 kB | 0 | 18044 | 107
CN (China) | 5 | 60 | 362.16 kB | 1 | 5689 | 938
GB (Great Britain) | 6 | 1 | 5.54 kB | 1 | 12838 | 212
TR (Turkey) | 7 | 0 | 828.82 B | 0 | 11504 | 187
CL (Chile) | 8 | 0 | 418.85 B | 0 | 11669 | 26
RU (Russian Federation) | 9 | 14 | 15.34 kB | 0 | 8296 | 179
PL (Poland) | 10 | 1 | 14.67 kB | 0 | 8343 | 37
RO (Romania) | 11 | 0 | 3.58 kB | 0 | 7541 | 74
ID (Indonesia) | 12 | 1 | 82.22 B | 0 | 7364 | 19
BR (Brazil) | 13 | 2 | 2.74 kB | 0 | 5202 | 1032
IT (Italy) | 14 | 2 | 3.42 kB | 0 | 6486 | 132
KR (South Korea) | 15 | 140 | 90.24 kB | 1 | 1633 | 1281
IN (India) | 16 | 7 | 2.50 kB | 0 | 5051 | 83
NL (Netherlands) | 17 | 51 | 36.28 kB | 2 | 3763 | 234
EU (European Union) | 18 | 0 | 2.25 kB | 0 | 4842 | 55
AU (Australia) | 19 | 0 | 628.38 B | 0 | 3414 | 93
SE (Sweden) | 20 | 0 | 17.07 kB | 0 | 2190 | 329

ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS26496 (AS-26496-GO-DADDY-COM-LLC) | 1 | 0 | 0 B | 0 | 18714 | 0
AS24940 (HETZNER-AS) | 2 | 0 | 0 B | 0 | 11030 | 51
AS33182 (DIMENOC) | 3 | 0 | 0 B | 0 | 10924 | 0
AS14259 (Gtd) | 4 | 0 | 0 B | 0 | 9863 | 0
AS12322 (PROXAD) | 5 | 0 | 110.80 kB | 6 | 5674 | 0
AS16276 (OVH) | 6 | 0 | 2.41 kB | 5 | 8638 | 59
AS17054 (AS17054) | 7 | 0 | 0 B | 0 | 7222 | 0
AS46606 (UNIFIEDLAYER-AS-1) | 8 | 0 | 0 B | 0 | 6978 | 19
AS4837 (CHINA169-BACKBONE) | 9 | 12 | 136.99 kB | 0 | 1672 | 133
AS36351 (SOFTLAYER) | 10 | 0 | 0 B | 0 | 4720 | 24
AS4134 (CHINANET-BACKBONE) | 11 | 25 | 61.39 kB | 1 | 2258 | 121
AS15169 (GOOGLE) | 12 | 0 | 0 B | 0 | 3817 | 208
AS12824 (HOMEPL-AS) | 13 | 0 | 0 B | 0 | 3857 | 0
AS26347 (DREAMHOST-AS) | 14 | 0 | 0 B | 0 | 3352 | 0
AS31034 (ARUBA-ASN) | 15 | 0 | 0 B | 0 | 3258 | 0
AS13768 (PEER1) | 16 | 0 | 0 B | 0 | 3118 | 0
AS30060 (VERISIGN-ILG1) | 17 | 0 | 0 B | 0 | 3051 | 0
AS12670 (AS-COMPLETEL) | 18 | 0 | 0 B | 0 | 2961 | 0
AS11042 (LANDIS-HOLDINGS-INC) | 19 | 0 | 0 B | 0 | 2882 | 0
AS32244 (LIQUID-WEB-INC) | 20 | 0 | 0 B | 0 | 2612 | 0