Dashboard Global

ASERT Security Intelligence

Summary: Advanced attacks and attacks on government agencies were in the news this week.

An attack campaign against East Asian government agencies has been detected. The threat actors involved put substantial effort into cloaking their activities by trojaning legitimate binaries, which introduced malware into server operating systems. Malware used in the campaign was first seen 'in the wild' in September 2013, and the campaign continued until early 2015.

Kaspersky Labs is reporting on an APT group, dubbed Naikon, that targets nations in the Southeast Asia area. Using extensive target research, the threat actor group runs phishing campaigns with well-written documents focused on specific areas of interest to the intended victims.

The Internal Revenue Service has disclosed an unauthorized access incident in which 100,000 taxpayer records were breached. The criminals unsuccessfully attempted to access an additional 100,000 records. The IRS systems were not directly breached; rather, the information was disclosed through weak authentication mechanisms.

Researchers recently discovered a new form of ransomware which offers criminals an easy financial opportunity. Discovered on May 19, Tox is considered the first ransomware toolkit for the everyday criminal, similar to how other crimeware toolkits, such as Zeus, offer botnet and banking trojan packages to general malevolent users.

FireEye recently discovered a new Point-of-Sale malware they have named 'NitlovePOS.' The malware is spread using a broad spam campaign and attempts to avoid detection by hiding files in Alternate Data Streams (ADS) on the exploited computer's file system. Domain registration for the domains associated with the campaign began on 2015-04-07 and accelerated around 2015-05-19.

Researchers recently discovered an embedded Linux malware compromising systems to create a botnet used to bolster social networking profile stats for profit. Dubbed Moose, it primarily impacts consumer routers, but it can also infect other embedded Linux devices that use MIPS and ARM architectures. Known targeted devices include equipment manufactured by Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone.

Title: Tox Ransomware
Severity Level: Normal Severity
Published: Thu, 28 May 2015 22:33:11 +0000
Researchers recently discovered a new form of ransomware which gives cybercrime malware consumers a shot at the lucrative ransomware market. Discovered on May 19, Tox is considered the first ransomware toolkit for the everyday criminal, similar to how other crimeware toolkits, like Zeus [http://www.fortiguard.com/legacy/analysis/zeusanalysis.html], offer botnet and banking trojan packages to general malevolent users.

Title: Embedded Linux Malware-Moose is Loose in Your Hoose
Severity Level: Normal Severity
Published: Thu, 28 May 2015 22:33:11 +0000
Researchers recently discovered an embedded Linux malware compromising systems to create a botnet used to bolster social networking profile stats for profit. Dubbed Moose, it primarily impacts consumer routers, but it can also infect other embedded Linux devices that use MIPS and ARM architectures. Known targeted devices include equipment manufactured by Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL and Zhone.
Source: Dissecting the Linux/Moose malware

Title: East Asian Government Agencies Targeted Using Modified Executables
Severity Level: Normal Severity
Published: Thu, 28 May 2015 22:33:11 +0000
An attack campaign against East Asian government agencies has been detected that uses altered program files. The legitimate programs were altered to import a malicious binary whose name was chosen to match the purpose of the host program. Malware used in the campaign was first seen 'in the wild' in September 2013, and the campaign continued until early 2015.
Source: Attack Gains Foothold Against East Asian Government Through Auto Start

Title: Kaspersky Documents Naikon APT Group
Severity Level: Normal Severity
Published: Thu, 28 May 2015 22:33:11 +0000
Kaspersky Labs is reporting on an APT group, dubbed Naikon, that targets nations in the Southeast Asia area. Using extensive target research, the threat actor group runs phishing campaigns with well-written documents focused on specific areas of interest to the intended victims.
Source: The Naikon APT and the MsnMM Campaigns - Securelist


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion (although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

It has been a little while since we profiled a DDoS botnet family on the blog, so let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev | MD5 | C&C URL | C&C IP
1 | 06d8da1e14cff81ca2fad02d2a878c72 | http://userhaos.ru/113/bot/gate.php | 91.105.232.105
2 | c9c6aeacee9f973ca0ca5da101a12a16 | http://ergoholding.ru/rev/gate.php | 91.204.122.100
2.5 | 7141cacc3f4a191015a176947a403b79 | http://clfrev.ru/rev/panel/gate.php | 93.170.130.112
3 | eae553d72142f9dcb06c5c134015fe7a | http://ergoholding.ru/ddd/gate.php | 91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the ATLAS data below.

[ATLAS traffic graph: Syria051513]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000



Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 136.16 | +5.7 % | - | 40.0%
SSH brute-force login attempts | 50.17 | +0.8 % | - | 14.7%
ntpdx overflow attempt | 27.68 | +13.3 % | CVE-2001-0414 | 8.1%
MYSQL brute-force login attempts | 24.93 | +60.9 % | - | 7.3%
 
Description | Attacks per subnet | Change from yesterday | CVE | Percentage
bad HTTP/1.1 request, potentially worm attack | 1.40 | +100.0 % | - | 0.4%
MYSQL brute-force login attempts | 24.93 | +60.9 % | - | 7.3%
ping attempt | 9.04 | +45.3 % | - | 2.7%
ntpdx overflow attempt | 27.68 | +13.3 % | CVE-2001-0414 | 8.1%
 

Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/5060 (sip) | 816.23 kB | -14.9 % | CVE-2006-0189 | 43.2%
TCP/23 (telnet) | 189.62 kB | -6.8 % | CVE-2007-0956 | 10.0%
TCP/5900 | 158.37 kB | +22.3 % | CVE-2006-4309 | 8.4%
TCP/22 (ssh) | 56.10 kB | -3.2 % | CVE-2002-0639 | 3.0%
UDP/123 (ntp) | 51.04 kB | +36.8 % | CVE-2001-0414 | 2.7%
 
Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
TCP/3306 (mysql) | 10.84 kB | +inf % | CVE-2008-0226 | 0.6%
TCP/21 (ftp) | 8.82 kB | +inf % | CVE-2009-3023 | 0.5%
TCP/1433 (ms-sql-s) | 20.05 kB | +80.8 % | CVE-2008-5416 | 1.1%
TCP/3389 (ms-wbt-server) | 20.47 kB | +52.5 % | CVE-2005-1218 | 1.1%
UDP/123 (ntp) | 51.04 kB | +36.8 % | CVE-2001-0414 | 2.7%
 

Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 66 393.59 kB 3 4800 2685
CN (China) 2 45 255.34 kB 1 0 1005
FR (France) 3 1 188.44 kB 10 250 208
DE (Germany) 4 14 150.63 kB 1 299 266
KR (South Korea) 5 60 63.07 kB 1 73 1096
RU (Russian Federation) 6 21 82.16 kB 0 82 166
BR (Brazil) 7 1 34.68 kB 0 126 557
NL (Netherlands) 8 8 43.58 kB 2 125 257
SE (Sweden) 9 0 37.10 kB 0 115 114
GB (Great Britain) 10 2 9.45 kB 1 323 369
CA (Canada) 11 9 20.93 kB 0 444 89
PL (Poland) 12 2 26.76 kB 0 219 23
CH (Switzerland) 13 0 20.97 kB 0 51 136
UA (Ukraine) 14 2 23.92 kB 0 73 69
EU (European Union) 15 0 17.45 kB 0 192 48
AT (Austria) 16 17 17.67 kB 0 22 71
MY (Malaysia) 17 0 2.52 kB 0 17 247
AU (Australia) 18 0 1.15 kB 0 280 120
TR (Turkey) 19 0 2.58 kB 0 345 47
IT (Italy) 20 2 4.20 kB 0 30 176
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS12322 (PROXAD) 1 0 179.72 kB 6 59 0
AS30083 (SERVER4YOU) 2 0 138.64 kB 0 0 0
AS8972 (PLUSSERVER-AS) 3 0 105.77 kB 0 0 0
AS4837 (CHINA169-BACKBONE) 4 10 95.95 kB 0 0 50
AS4134 (CHINANET-BACKBONE) 5 14 73.26 kB 1 0 165
AS29073 (ECATEL-AS) 6 8 55.08 kB 1 0 30
AS23650 (CHINANET-JS-AS-AP) 7 14 55.36 kB 0 0 0
AS6939 (HURRICANE) 8 6 53.21 kB 0 19 0
AS9318 (HANARO-AS) 9 44 44.64 kB 0 0 80
AS36351 (SOFTLAYER) 10 0 0 B 0 153 598
AS46664 (VOLUMEDRIVE) 11 0 42.58 kB 0 0 18
AS7203 (LEASEWEB-US) 12 0 34.47 kB 0 0 0
AS32097 (WII-KC) 13 0 29.83 kB 0 0 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 14 0 0 B 0 780 0
AS2914 (NTT-COMMUNICATIONS-2914) 15 7 20.72 kB 0 0 19
AS16276 (OVH) 16 0 6.06 kB 5 221 80
AS8560 (ONEANDONE-AS) 17 12 14.19 kB 0 0 49
AS39912 (I3B-AS) 18 17 16.97 kB 0 0 0
AS20115 (CHARTER-NET-HKY-NC) 19 17 16.67 kB 0 0 0
AS31820 (PUGMARKS) 20 11 15.95 kB 0 0 0