Dashboard Global

ASERT Security Intelligence

Summary: Another large system intrusion has been reported, this one connected to Chinese-backed threat actors. Indicators discovered during the investigation of the recent intrusion against the U.S. Office of Personnel Management pointed to the likely targeting of other US-based organizations. After receiving the indicators, United Airlines was quickly able to confirm a breach. The scope of the incident is still under investigation; however, the data has significant strategic value.

Symantec has published a report tracking the activities of the APT group Black Vine since 2012. Based on common tactics, techniques and procedures (TTPs), the group has been tracked targeting multiple industries, including aerospace, energy, healthcare, finance, and the defense industrial base.

News media reports have focused on a malware tool, dubbed HAMMERTOSS, used by a Russian APT group. The tool is believed to be an emergency backdoor that lets the group maintain persistence if its primary backdoor is detected and removed. While the individual techniques used in the malware have been seen before in other malware, their combination has produced an intrusion platform with a high degree of operational security for the threat actors.

ESET is reporting on an APT group targeting Ukrainian government, military, and media organizations. The malware used in the campaigns was first detected in 2011 and was rarely seen until it re-emerged last year.

Researchers unveiled two separate vulnerabilities this week that together affect the majority of Android users. The first, Stagefright, already has a patch available and impacts over 95% of Android users. The second, and potentially more destructive, vulnerability affects approximately 50% of Android users.

ISC has announced a new remotely exploitable denial-of-service vulnerability in ISC BIND 9, the reference implementation for production DNS servers, which is also widely used in dedicated network appliances.

Title: Operation Potao Express - A Resurfacing APT
Severity Level: Normal Severity
Published: Thu, 30 Jul 2015 22:01:56 +0000
ESET is reporting on an APT group targeting Ukrainian government, military, and media organizations. The malware used in the campaigns was first detected in 2011 and was rarely seen until it re-emerged last year.
Source: Operation Potao Express: Analysis of a cyber-espionage toolkit

Title: United Airlines Announces Breach Tied to China
Severity Level: Normal Severity
Published: Thu, 30 Jul 2015 22:01:56 +0000
Another large system intrusion has been reported, this one connected to Chinese-backed threat actors. Indicators discovered during the investigation of the recent intrusion against the U.S. Office of Personnel Management pointed to the likely targeting of other US-based organizations. After receiving the indicators, United was quickly able to confirm a breach. The scope of the incident is still under investigation; however, the data has significant strategic value.
Source: China-Tied Hackers That Hit U.S. Said to Breach United Airlines - Bloo ...

Title: Android - Two Separate Threats Impact Majority of Users
Severity Level: Normal Severity
Published: Thu, 30 Jul 2015 22:01:56 +0000
Researchers unveiled two separate vulnerabilities this week that together affect the majority of Android users. The first, Stagefright, already has a patch available and impacts over 95% of Android users. The second, and potentially more destructive, vulnerability affects approximately 50% of Android users.
Source: New vulnerability can put Android phones into permanent vegetative state

Title: APT Group Black Vine tied to Anthem, Aerospace Breaches
Severity Level: Normal Severity
Published: Thu, 30 Jul 2015 22:01:56 +0000
Symantec has published a report tracking the activities of APT group Black Vine since 2012. Based on common tactics, techniques and procedures (TTPs), the group has been tracked targeting multiple industries including aerospace, energy, healthcare, finance, and the defense industrial base.
Source: Black Vine: Formidable cyberespionage group targeted aerospace, health ...


An Update on the UrlZone Banker

UrlZone is a banking trojan that appeared in 2009. Searching its name or one of its aliases (Bebloh or Shiotob) reveals a good deal of press from that time period along with a few technical analyses in 2009 [1] [2], 2012 [3], and 2013 [4]. Despite its reputation for evolving, there doesn’t seem to […]

The post An Update on the UrlZone Banker appeared first on Threat Intelligence.


Tue, 21 Jul 2015 08:00:31 +0000

Flu season starting early: the H1N1 Loader

The H1N1 Loader appears to be a relatively new downloader family that, to the best of our knowledge, was initially discovered and analyzed by the security community in May 2015. We have seen several samples show up in our malware zoo this spring and have documented our preliminary findings from a network communications perspective in a […]



Tue, 14 Jul 2015 09:00:20 +0000

Attack of the Shuriken 2015: Many Hands, Many Weapons

The expected evolution of DDoS attacks continues. Attack sizes increase over time, tools become easier to use, more threat actors are launching attacks, older attack techniques have become commoditized and new attack techniques are added to the mix on a regular basis. Attacks are cheap, easy, and extremely common. The criminal underground continues to provide […]



Wed, 01 Jul 2015 09:00:55 +0000

DD4BC DDoS Extortion Threat Activity

For the last year or so, an individual or organization calling itself DD4BC (‘DDoS for Bitcoin’) has been rapidly increasing both the frequency and scope of its DDoS extortion attempts, shifting target demographics from Bitcoin exchanges to online casinos and betting shops and, most recently, to prominent financial institutions (banks, trading platforms and payment acquirers) across the United […]



Mon, 15 Jun 2015 15:44:23 +0000

How to Become an Internet Supervillain in Three Easy Steps

One of the truisms of comic books and graphic novels is that nothing is immutable – both heroes and villains are rebooted, retconned, featured as radically (or subtly) different versions in alternate timelines, etc. The Marvel Cinematic Universe, which so far includes the Captain America, Thor, Hulk, Iron Man, and Avengers films, is a good example. […]



Tue, 12 May 2015 18:15:38 +0000


Top Attacks (past 24 hours)

Description                        | Attacks per subnet | Change from yesterday | CVE           | Percentage
VNC network scanning activity      | 232.12             | -5.2 %                |               | 53.8%
SSH brute-force login attempts     | 110.02             | -3.3 %                |               | 25.5%
ntpdx overflow attempt             | 28.50              | -24.2 %               | CVE-2001-0414 | 6.6%
MYSQL brute-force login attempts   | 26.44              | +17.4 %               |               | 6.1%
ping attempt                       | 11.43              | +25.8 %               |               | 2.7%
Description                                                   | Attacks per subnet | Change from yesterday | CVE           | Percentage
DNS SPOOF query response with TTL of 1 min. and no authority  | 0.58               | +100.0 %              |               | 0.1%
POLICY PE EXE or DLL Windows file download                    | 0.39               | +100.0 %              |               | 0.1%
ASN.1 constructed bit string                                  | 0.38               | +100.0 %              | CVE-2005-1935 | 0.1%
Microsoft Windows ASN.1 Library buffer overflow attempt       | 0.55               | +33.5 %               | CVE-2003-0818 | 0.1%
Top Scanned Services (past 24 hours)

Description                | Traffic per subnet | Change from yesterday | Latest CVE    | Percentage
TCP/23 (telnet)            | 426.59 kB          | -9.9 %                | CVE-2007-0956 | 25.2%
UDP/5060 (sip)             | 352.92 kB          | +7.3 %                | CVE-2006-0189 | 20.9%
TCP/8080 (webcache)        | 119.45 kB          | -6.7 %                | CVE-2007-5461 | 7.1%
TCP/8888 (ddi-tcp-1)       | 105.20 kB          | -2.4 %                | CVE-2000-0696 | 6.2%
TCP/8118 (privoxy)         | 103.71 kB          | -4.0 %                |               | 6.1%
Description                | Traffic per subnet | Change from yesterday | Latest CVE    | Percentage
UDP/137 (netbios-ns)       | 11.43 kB           | +inf %                | CVE-2004-0444 | 0.7%
TCP/3389 (ms-wbt-server)   | 10.39 kB           | +inf %                | CVE-2005-1218 | 0.6%
TCP/445 (microsoft-ds)     | 9.60 kB            | +inf %                | CVE-2009-3103 | 0.6%
TCP/25 (smtp)              | 9.25 kB            | +inf %                | CVE-2008-0394 | 0.5%
TCP/1433 (ms-sql-s)        | 9.19 kB            | +inf %                | CVE-2008-5416 | 0.5%

(A change of +inf % means no traffic to that service was recorded on the previous day.)
Top Threat Sources (past 24 hours)

Country                  | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
US (United States)       | 1    | 40                 | 117.15 kB        | 3       | 48980    | 2287
CN (China)               | 2    | 66                 | 632.04 kB        | 1       | 476      | 404
FR (France)              | 3    | 3                  | 104.80 kB        | 10      | 5450     | 195
DE (Germany)             | 4    | 24                 | 116.37 kB        | 1       | 3618     | 204
GB (Great Britain)       | 5    | 1                  | 16.86 kB         | 1       | 3866     | 352
NL (Netherlands)         | 6    | 24                 | 26.04 kB         | 2       | 3318     | 242
TR (Turkey)              | 7    | 0                  | 35.97 kB         | 0       | 3156     | 22
BR (Brazil)              | 8    | 6                  | 18.91 kB         | 0       | 749      | 1165
RU (Russian Federation)  | 9    | 31                 | 57.88 kB         | 0       | 1337     | 82
KR (South Korea)         | 10   | 72                 | 34.63 kB         | 1       | 522      | 803
CA (Canada)              | 11   | 4                  | 23.21 kB         | 0       | 2109     | 90
PL (Poland)              | 12   | 2                  | 7.59 kB          | 0       | 2102     | 37
ES (Spain)               | 13   | 1                  | 24.53 kB         | 0       | 1437     | 120
IN (India)               | 14   | 2                  | 28.81 kB         | 0       | 1240     | 146
AR (Argentina)           | 15   | 1                  | 5.95 kB          | 0       | 1533     | 117
RO (Romania)             | 16   | 1                  | 7.75 kB          | 0       | 1326     | 21
AU (Australia)           | 17   | 0                  | 4.56 kB          | 0       | 1244     | 110
EU (European Union)      | 18   | 0                  | 6.77 kB          | 0       | 1242     | 74
ID (Indonesia)           | 19   | 1                  | 4.61 kB          | 0       | 1302     | 42
MY (Malaysia)            | 20   | 0                  | 9.45 kB          | 0       | 607      | 322
 
ASN                                    | Rank | Attacks per subnet | Scans per subnet | Botnets | Phishing | DoS
AS26496 (AS-26496-GO-DADDY-COM-LLC)    | 1    | 0                  | 0 B              | 0       | 13373    | 0
AS4809 (CHINATELECOM-CORE-WAN-CN2)     | 2    | 0                  | 300.01 kB        | 0       | 0        | 0
AS11343 (383INCCMHTOWN)                | 3    | 0                  | 0 B              | 0       | 6908     | 0
AS12322 (PROXAD)                       | 4    | 1                  | 100.87 kB        | 6       | 3619     | 0
AS33182 (DIMENOC)                      | 5    | 0                  | 0 B              | 0       | 5938     | 0
AS4134 (CHINANET-BACKBONE)             | 6    | 34                 | 183.42 kB        | 1       | 0        | 154
AS16276 (OVH)                          | 7    | 0                  | 1.21 kB          | 5       | 2730     | 51
AS4837 (CHINA169-BACKBONE)             | 8    | 15                 | 84.12 kB         | 0       | 220      | 80
AS46549 (GVO)                          | 9    | 0                  | 0 B              | 0       | 2156     | 0
AS31815 (MEDIATEMPLE)                  | 10   | 0                  | 0 B              | 0       | 2063     | 0
AS12312 (ECOTEL)                       | 11   | 0                  | 0 B              | 0       | 1978     | 0
AS39022 (DEEPMEDIA-AS)                 | 12   | 0                  | 0 B              | 0       | 1956     | 0
AS8972 (PLUSSERVER-AS)                 | 13   | 2                  | 56.67 kB         | 0       | 0        | 0
AS46606 (UNIFIEDLAYER-AS-1)            | 14   | 0                  | 0 B              | 0       | 1440     | 0
AS36351 (SOFTLAYER)                    | 15   | 0                  | 0 B              | 0       | 1342     | 38
AS9121 (TTNET)                         | 16   | 0                  | 30.85 kB         | 0       | 169      | 16
AS30060 (VERISIGN-ILG1)                | 17   | 0                  | 0 B              | 0       | 1058     | 0
AS34289 (WEBART-AS)                    | 18   | 0                  | 36.20 kB         | 0       | 0        | 0
AS15169 (GOOGLE)                       | 19   | 0                  | 0 B              | 0       | 536      | 250
AS10481 (Prima)                        | 20   | 0                  | 0 B              | 0       | 981      | 0