
ASERT Security Intelligence

Summary: A 0day vulnerability in all supported versions of Microsoft Windows, CVE-2014-6352, is being used to compromise victims in targeted attack campaigns. A patch is not yet available; however, workarounds exist. In other targeted attack news, threat actors are using the Sofacy/SEDNIT malware against highly sensitive targets. The Tactics, Techniques and Procedures (TTPs) of the attackers - dubbed "Operation Pawn Storm" by Trend - have been profiled and provide valuable insight that can be used to help protect organizations that fit the attack profile. Exploit code for a recently patched Adobe Flash vulnerability - CVE-2014-0569 - is now being used in at least two underground exploit kits, substantially increasing the threat surface for users that are not yet patched. In retail security news, Staples Inc. has launched an investigation into what appears to be a breach of customer credit and debit card data. Security industry analysts suspect Point of Sale malware may be involved.

Title: Exploit Kits Target Recently Patched Flash Vulnerability
Severity Level: Elevated Severity
Published: Thu, 23 Oct 2014 19:29:50 +0000
Exploit code for a recently patched Adobe Flash vulnerability - CVE-2014-0569 - is now being used in at least two underground exploit kits, substantially increasing the threat surface for users that are not yet patched.
Source: Exploit For Patched Flash Vulnerability Already In Two Exploit Kits

Title: Staples Reports Data Breach; Point of Sale Malware Suspected
Severity Level: Normal Severity
Published: Thu, 23 Oct 2014 19:29:50 +0000
Staples Inc. has launched an investigation into what appears to be a breach of customer credit and debit card data. Security industry analysts suspect Point of Sale malware may be involved.
Source: Staples confirms data breach investigation | CSO Online

Title: Threat Actors Leverage Sofacy/SEDNIT Malware and Spearphishing Tactics
Severity Level: Elevated Severity
Published: Thu, 23 Oct 2014 19:29:50 +0000
Threat actors using the Sofacy/SEDNIT malware in targeted attacks upon highly sensitive targets continue their operations. The Tactics, Techniques and Procedures (TTPs) of the attackers - dubbed "Operation Pawn Storm" by Trend - have been profiled and provide valuable insight that can be used to help protect organizations that fit the attack profile.
Source: Operation Pawn Storm: The Red in SEDNIT

Title: Sandworm 0day Vulnerability Fix Bypassed - Attacks on CVE-2014-6352 Continue
Severity Level: Elevated Severity
Published: Thu, 23 Oct 2014 19:29:50 +0000
A 0day vulnerability in all supported versions of Microsoft Windows, CVE-2014-6352, is being used to compromise victims in targeted attack campaigns. A patch is not yet available; however, workarounds exist.
Source: Attackers Exploiting Windows OLE Zero Day Vulnerability


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion (although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev | MD5 | C&C URL | C&C IP
1 | 06d8da1e14cff81ca2fad02d2a878c72 | http://userhaos.ru/113/bot/gate.php | 91.105.232.105
2 | c9c6aeacee9f973ca0ca5da101a12a16 | http://ergoholding.ru/rev/gate.php | 91.204.122.100
2.5 | 7141cacc3f4a191015a176947a403b79 | http://clfrev.ru/rev/panel/gate.php | 93.170.130.112
3 | eae553d72142f9dcb06c5c134015fe7a | http://ergoholding.ru/ddd/gate.php | 91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the ATLAS data below.

[Figure: ATLAS traffic data for Syria]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
VNC network scanning activity | 192.69 | +58.6 % | | 33.2%
ping attempt | 108.36 | +3250.0 % | | 18.7%
SNMP MS Windows getbulk request | 74.71 | -23.9 % | CVE-2006-5583 | 12.9%
ntpdx overflow attempt | 54.36 | +100.0 % | CVE-2001-0414 | 9.4%
SSH brute-force login attempts | 27.65 | -60.9 % | | 4.8%

Description | Attacks per subnet | Change from yesterday | CVE | Percentage
ping attempt | 108.36 | +3250.0 % | | 18.7%
SSLv2 openssl get shared ciphers overflow attempt | 27.09 | +180.9 % | CVE-2007-5135 | 4.7%
ntpdx overflow attempt | 54.36 | +100.0 % | CVE-2001-0414 | 9.4%
RPC portmap mountd tcp request | 9.64 | +100.0 % | CVE-2006-0900 | 1.7%
RPC portmap mountd request TCP | 9.64 | +100.0 % | | 1.7%
 
Top Scanned Services (past 24 hours)

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/5060 (sip) | 168.60 kB | +32.7 % | CVE-2006-0189 | 13.8%
UDP/3395 (dyna-lm) | 137.00 kB | +14.5 % | | 11.2%
TCP/5900 | 116.35 kB | +153.7 % | CVE-2006-4309 | 9.5%
ICMP/8 | 83.47 kB | +29.1 % | | 6.8%
UDP/4614 | 82.07 kB | +0.7 % | | 6.7%

Description | Traffic per subnet | Change from yesterday | Latest CVE | Percentage
UDP/3438 (spiral-admin) | 78.87 kB | +inf % | | 6.5%
UDP/0 | 20.42 kB | +inf % | CVE-1999-0675 | 1.7%
UDP/123 (ntp) | 18.13 kB | +inf % | CVE-2001-0414 | 1.5%
TCP/3389 (ms-wbt-server) | 17.53 kB | +inf % | CVE-2005-1218 | 1.4%
TCP/1433 (ms-sql-s) | 10.88 kB | +inf % | CVE-2008-5416 | 0.9%
 
Top Threat Sources (past 24 hours)

Country | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
US (United States) | 1 | 31 | 30.31 kB | 4 | 17398 | 3830
FR (France) | 2 | 1 | 3.55 kB | 10 | 5581 | 244
NL (Netherlands) | 3 | 76 | 128.31 kB | 4 | 1640 | 311
IR (Iran) | 4 | 1 | 179.66 kB | 0 | 54 | 96
DE (Germany) | 5 | 29 | 61.77 kB | 3 | 2690 | 400
RU (Russian Federation) | 6 | 157 | 112.90 kB | 5 | 1175 | 215
CN (China) | 7 | 30 | 89.34 kB | 5 | 520 | 732
ZA (South Africa) | 8 | 10 | 123.93 kB | 0 | 351 | 0
GB (Great Britain) | 9 | 1 | 3.53 kB | 3 | 1577 | 487
CA (Canada) | 10 | 0 | 6.07 kB | 2 | 1791 | 300
KR (South Korea) | 11 | 1 | 1.58 kB | 3 | 76 | 1243
TR (Turkey) | 12 | 0 | 3.47 kB | 0 | 1557 | 222
RO (Romania) | 13 | 0 | 30.84 kB | 0 | 832 | 28
BR (Brazil) | 14 | 3 | 6.11 kB | 0 | 495 | 534
MY (Malaysia) | 15 | 0 | 886.17 B | 0 | 495 | 553
AU (Australia) | 16 | 0 | 30.13 B | 0 | 944 | 318
EU (European Union) | 17 | 0 | 3.21 kB | 0 | 991 | 93
PK (Pakistan) | 18 | 1 | 39.36 kB | 0 | 0 | 60
IL (Israel) | 19 | 88 | 31.17 kB | 1 | 57 | 93
IT (Italy) | 20 | 0 | 225.04 B | 1 | 817 | 129

ASN | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS16276 (OVH) | 1 | 0 | 0 B | 7 | 4911 | 53
AS29073 (ECATEL-AS) | 2 | 74 | 117.79 kB | 2 | 0 | 20
AS12880 (DCI-AS) | 3 | 0 | 74.17 kB | 0 | 0 | 0
AS4134 (CHINANET-BACKBONE) | 4 | 22 | 36.70 kB | 1 | 489 | 284
AS3741 (IS,ZA) | 5 | 9 | 72.36 kB | 0 | 0 | 0
AS46606 (UNIFIEDLAYER-AS-1) | 6 | 0 | 0 B | 0 | 1489 | 0
AS12695 (DINET-AS) | 7 | 0 | 52.00 kB | 1 | 0 | 0
AS24961 (MYLOC-AS) | 8 | 0 | 50.88 kB | 0 | 0 | 0
AS11042 (LANDIS-HOLDINGS-INC) | 9 | 0 | 0 B | 0 | 1386 | 0
AS12586 (ASGHOSTNET) | 10 | 0 | 0 B | 0 | 1294 | 0
AS36351 (SOFTLAYER) | 11 | 0 | 0 B | 0 | 918 | 33
AS9116 (GOLDENLINES-ASN) | 12 | 88 | 30.85 kB | 0 | 0 | 0
AS13768 (PEER1) | 13 | 0 | 0 B | 1 | 940 | 0
AS4837 (CHINA169-BACKBONE) | 14 | 1 | 20.87 kB | 2 | 0 | 129
AS45595 (PKTELECOM-AS-PK) | 15 | 0 | 28.12 kB | 0 | 0 | 0
AS23352 (SERVERCENTRAL) | 16 | 0 | 0 B | 0 | 784 | 0
AS31377 (AKAMAI-BOS) | 17 | 0 | 0 B | 0 | 728 | 29
AS26496 (AS-26496-GO-DADDY-COM-LLC) | 18 | 0 | 0 B | 0 | 780 | 0
AS33182 (DIMENOC) | 19 | 0 | 0 B | 0 | 773 | 0
AS6245 (NETWORK-SOLUTIONS) | 20 | 0 | 0 B | 0 | 770 | 0