Dashboard Global

ASERT Security Intelligence

Summary: The wide-reaching effects of the OpenSSL Heartbleed vulnerability continued to be unveiled this week, with recent news that some Android and BlackBerry devices are affected, leaving millions of smartphones vulnerable. Other ubiquitous applications have also been impacted, including OpenVPN. Additionally, while many vulnerable websites have since been patched, there have been issues in the certificate revocation and re-issuing process. News of attackers taking advantage of websites vulnerable to Heartbleed was announced this week as well: the Canadian Revenue Agency was compromised and taxpayer data stolen, while another popular UK forum was breached as well. Publicly available attack tools and methods continue to be published, making exploitation of the Heartbleed vulnerability easy.

Several important updates have been released this week. Oracle's quarterly patch update includes several critical updates for vulnerabilities in Java, MySQL, Fusion Middleware, and more. Google has released a patch for an Android icon hijacking vulnerability, while Adobe Reader for Android has also been updated to prevent the execution of arbitrary code via a maliciously crafted PDF. The slow patch cycle characteristic of Android devices poses a potential security risk for organizations with supportive BYOD policies.

In other news, the German Aerospace Centre confirmed that it was compromised in an apparent cyber espionage attack. Advanced attackers continue to infiltrate sensitive systems, often remaining undetected for months or years.

Title: German Aerospace Centre Compromised in Targeted Attack
Severity Level: Normal Severity
Published: Thu, 17 Apr 2014 19:53:00 +0000
The German Aerospace Centre (DLR) was reportedly targeted in a cyber espionage attack. In addition to space and aeronautics research, DLR also conducts research on armament and rocket technologies.
Source: German Space Research Center Under Espionage Attack: Report | Security ...

Title: Updates Released for Flaws Affecting Android Devices
Severity Level: Elevated Severity
Published: Thu, 17 Apr 2014 19:53:00 +0000
Two security flaws in Google's Android operating system have been addressed. The first, a bug in Adobe Reader 11.1.3 for Android, could allow for the execution of arbitrary code on Android devices. [https://threatpost.com/arbitrary-code-execution-bug-in-android-reader/105421] The second, an icon hijacking vulnerability, has been mitigated with an update from Google. [http://www.securityweek.com/google-patches-android-icon-hijacking-vulnerability]
Source: Adobe issues silent security update in Reader for Android | ZDNet

Title: Heartbleed Heartache Continues
Severity Level: Extreme Severity
Published: Thu, 17 Apr 2014 19:53:00 +0000
Repercussions from the OpenSSL Heartbleed vulnerability disclosed last week continue, with potentially compromised certificates still being used and multiple applications and devices still affected by the OpenSSL flaw.
Source: Heartbleed disclosure timeline: who knew what and when

Title: Oracle Releases Critical Patch Update
Severity Level: Extreme Severity
Published: Thu, 17 Apr 2014 19:53:00 +0000
Oracle's quarterly Critical Patch Update includes 104 fixes for multiple products, including Java, Fusion Middleware, and MySQL. [http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html]
Source: Oracle Fixes 104 Security Vulnerabilities in Quarterly Patch Update


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft, “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion. (Although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets.)

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev | MD5                              | C&C URL                             | C&C IP
1   | 06d8da1e14cff81ca2fad02d2a878c72 | http://userhaos.ru/113/bot/gate.php | 91.105.232.105
2   | c9c6aeacee9f973ca0ca5da101a12a16 | http://ergoholding.ru/rev/gate.php  | 91.204.122.100
2.5 | 7141cacc3f4a191015a176947a403b79 | http://clfrev.ru/rev/panel/gate.php | 93.170.130.112
3   | eae553d72142f9dcb06c5c134015fe7a | http://ergoholding.ru/ddd/gate.php  | 91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[Figure: ATLAS traffic data for Syria, image "Syria051513"]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS sees 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 1047.54 | -19.2 % | | 56.7%
POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System | 220.79 | +100.0 % | | 12.0%
SNMP MS Windows getbulk request | 135.86 | +449.5 % | CVE-2006-5583 | 7.4%
Microsoft Windows IIS Server Translate Header attempt | 89.00 | -31.5 % | CVE-2000-0778 | 4.8%
SSH brute-force login attempts | 81.30 | -31.4 % | | 4.4%

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
SNMP MS Windows getbulk request | 135.86 | +449.5 % | CVE-2006-5583 | 7.4%
POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System | 220.79 | +100.0 % | | 12.0%
DOS Excessive SMTP MAIL-FROM DDoS | 6.41 | +100.0 % | | 0.3%
Microsoft Windows ASN.1 Library buffer overflow attempt | 6.36 | +100.0 % | CVE-2003-0818 | 0.3%
ASN.1 constructed bit string | 4.95 | +100.0 % | CVE-2005-1935 | 0.3%
 
Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/5060 (sip) | 537.49 kB | -13.6 % | CVE-2006-0189 | 14.8%
TCP/80 (http) | 528.82 kB | +89.2 % | CVE-2008-5457 | 14.5%
TCP/5900 | 306.57 kB | -20.6 % | CVE-2006-4309 | 8.4%
ICMP/8 | 184.69 kB | -20.8 % | | 5.1%
UDP/10320 | 170.12 kB | -0.1 % | | 4.7%

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
TCP/110 (pop3) | 50.58 kB | +inf % | CVE-2004-2375 | 1.4%
TCP/7402 (rtps-dd-mt) | 23.15 kB | +inf % | | 0.6%
TCP/1433 (ms-sql-s) | 22.45 kB | +inf % | CVE-2008-5416 | 0.6%
TCP/80 (http) | 528.82 kB | +89.2 % | CVE-2008-5457 | 14.5%
TCP/5000 (commplex-main) | 79.86 kB | +67.6 % | CVE-2001-0876 | 2.2%
 
Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
US (United States) | 1 | 84 | 533.55 kB | 15 | 94690 | 270
CL (Chile) | 2 | 1 | 5.61 kB | 0 | 89856 | 2
CN (China) | 3 | 155 | 888.27 kB | 4 | 5623 | 341
TR (Turkey) | 4 | 1 | 25.75 kB | 2 | 30684 | 12
CA (Canada) | 5 | 43 | 42.82 kB | 4 | 22988 | 53
DE (Germany) | 6 | 19 | 106.58 kB | 6 | 17533 | 6
FR (France) | 7 | 237 | 219.04 kB | 6 | 13774 | 8
GB (Great Britain) | 8 | 32 | 153.08 kB | 2 | 15568 | 76
NL (Netherlands) | 9 | 16 | 171.03 kB | 5 | 7794 | 38
RU (Russian Federation) | 10 | 138 | 178.79 kB | 8 | 4026 | 34
BR (Brazil) | 11 | 87 | 159.21 kB | 0 | 3974 | 3
ZA (South Africa) | 12 | 16 | 140.35 kB | 0 | 2223 | 0
SE (Sweden) | 13 | 407 | 137.00 kB | 1 | 1206 | 5
EU (European Union) | 14 | 6 | 9.71 kB | 0 | 4417 | 0
PL (Poland) | 15 | 6 | 5.51 kB | 1 | 4298 | 2
IT (Italy) | 16 | 5 | 18.06 kB | 0 | 3600 | 5
ES (Spain) | 17 | 0 | 26.64 kB | 0 | 2600 | 8
UA (Ukraine) | 18 | 6 | 19.50 kB | 4 | 2741 | 1
MX (Mexico) | 19 | 184 | 65.62 kB | 0 | 624 | 4
AU (Australia) | 20 | 8 | 2.81 kB | 1 | 2471 | 8
 
ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS14259 (Gtd) | 1 | 0 | 0 B | 0 | 89008 | 0
AS56363 (MARKUM-AS) | 2 | 0 | 0 B | 0 | 23568 | 0
AS15169 (GOOGLE) | 3 | 0 | 0 B | 0 | 16251 | 0
AS4837 (CHINA169-BACKBONE) | 4 | 14 | 451.37 kB | 0 | 0 | 55
AS24940 (HETZNER-AS) | 5 | 0 | 0 B | 0 | 12869 | 0
AS30496 (COLO4) | 6 | 0 | 0 B | 0 | 11137 | 0
AS16276 (OVH) | 7 | 1 | 52.99 kB | 5 | 9017 | 2
AS4134 (CHINANET-BACKBONE) | 8 | 54 | 235.50 kB | 0 | 3313 | 72
AS46606 (UNIFIEDLAYER-AS-1) | 9 | 0 | 0 B | 0 | 8138 | 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) | 10 | 0 | 0 B | 0 | 7116 | 0
AS12322 (PROXAD) | 11 | 224 | 193.26 kB | 2 | 1357 | 0
AS16265 (FIBERRING) | 12 | 1 | 83.52 kB | 2 | 3677 | 0
AS13335 (CLOUDFLARENET) | 13 | 0 | 0 B | 0 | 5592 | 0
AS22898 (ATLINK) | 14 | 0 | 0 B | 0 | 5356 | 0
AS53665 (BODIS-1) | 15 | 0 | 0 B | 0 | 5195 | 0
AS3301 (TELIANET-SWEDEN) | 16 | 400 | 124.63 kB | 0 | 0 | 0
AS47583 (HOSTINGER-AS) | 17 | 0 | 0 B | 0 | 3755 | 0
AS8402 (CORBINA-AS) | 18 | 0 | 130.14 kB | 0 | 0 | 0
AS26347 (DREAMHOST-AS) | 19 | 0 | 0 B | 0 | 3641 | 0
AS17054 (Unknown) | 20 | 0 | 0 B | 0 | 3445 | 0