Dashboard Global

ASERT Security Intelligence

Summary: This week we cover several exploit kits, RIG, Angler, and Neutrino, that are staples of the underground economy and are used by a variety of cybercrime-centric actors to deliver malicious payloads. Exploit kits continue to incorporate new exploit code and vary their operations enough to require ongoing analysis in order to maintain accurate detection. The most common payload in recent days appears to be ransomware.

This week a variety of security updates for Microsoft and Adobe products were released that close numerous security holes. Some of them, such as the patch for Silverlight across all platforms, were in response to the discovery of zero-day exploit code in the wild. None of the Adobe bugs were known to be exploited in the wild; however, exploit code for issues patched in late December 2015 has been released to the public, which calls for increased vigilance.

Click-fraud malware has been present in the threat landscape for years, yet it often flies beneath the radar of law enforcement prosecutions even though the security industry tracks and monitors the activity closely. The ZeroAccess malware was heavily involved in click-fraud operations for some time and has recently re-emerged with updates to core functionality designed to evade detection. Current activity is limited, but the substantial global compromise counts this threat produced in the past call for careful monitoring.

An OpenSSH client bug, CVE-2016-0777, has been patched and is receiving some press attention. The issue could be serious in the right circumstances, namely when an SSH client (or an automated process using one) connects to a malicious server, but it is less likely to be used by threat actors at this time. A simple and easy to deploy workaround, disabling the client's roaming feature in its configuration, is available.

A threat actor group calling itself Crackas With Attitude has compromised personal accounts of the US Director of National Intelligence. This apparent hacktivist group has targeted other officials as well; the incidents demonstrate the risks of social engineering and argue for more robust safeguards, along with extremely careful use of e-mail to avoid leaking sensitive or classified information.

In the good news column, the threat actors known as DD4BC, who were engaging in DDoS extortion attacks, have been arrested and detained; an investigation is ongoing. While this is good news, copycats are active and the extortion tactic will not go away any time soon: it has been used in the wild for nearly 20 years and shows no sign of stopping, only of evolving to adapt to modern computing and payment infrastructures.

Title: Exploit Kit Activity Roundup - RIG, Angler, Neutrino
Severity Level: Normal Severity
Published: Thu, 14 Jan 2016 22:32:56 +0000
Exploit kits have long been a staple of the underground economy, selling "loads" and "installs": the private or public threat actors who rent them, typically seeking financial gain, use client-side vulnerabilities (usually in browsers and their plugins) to install malware of their choice on the victims' machines. The vulnerabilities exploit kits leverage are typically already patched, but enough unpatched machines exist to sustain an ongoing market with adequate return on investment for the actors involved. Here we look at recent activity of the RIG, Angler, and Neutrino exploit kits, as profiled by various researchers and by the ATLAS Intelligence Feed (AIF).
Source: Cisco Talos Blog: Rigging compromise - RIG Exploit Kit

Title: Click-Fraud Malware ZeroAccess 3 Analysis
Severity Level: Normal Severity
Published: Thu, 14 Jan 2016 22:32:56 +0000
ZeroAccess, a malware family from yesteryear, has apparently re-emerged. The recently analyzed version three of the malcode implements new tricks to obfuscate itself and evade current detection techniques. Although indicators suggest the threat is currently mostly confined to Russia, its global proliferation in the past suggests that more activity can be expected.
Source: Kryptos Logic Research: ZeroAccess 3 Analysis

Title: Security Updates: Microsoft, Adobe
Severity Level: Normal Severity
Published: Thu, 14 Jan 2016 22:32:56 +0000
Microsoft's January "Patch Tuesday" release fixes numerous security holes in Internet Explorer, Edge, the scripting engines, Office, Windows, Silverlight, Exchange Server, and the kernel. The same day, support ended for Windows 8 (systems must move to Windows 8.1 or later to keep receiving patches) and for older versions of Internet Explorer (only the most recent IE version available for a given Windows version continues to receive security updates). Some of the freshly patched vulnerabilities have already been used by threat actors, although specific details about those campaigns are not yet available.
Source: January Patch Tuesday: Support Ends for Windows 8, Limited for Older IE Versions; 17 Adobe Flaws Resolved

Title: OpenSSH client bug: CVE-2016-0777
Severity Level: Normal Severity
Published: Thu, 14 Jan 2016 22:32:56 +0000
OpenSSH client versions 5.4 through 7.1 ship an undocumented, experimental connection-roaming feature that is enabled by default. A malicious or compromised SSH server can abuse it to read portions of the connecting client's memory, which may include private key material. Distribution patches are being released, and the freshly released OpenSSH 7.1p2 resolves the vulnerability by disabling the feature. The workaround for clients that cannot be upgraded yet is to add "UseRoaming no" to the client configuration (~/.ssh/config or /etc/ssh/ssh_config) or to pass -oUseRoaming=no on the command line; automated processes that use ssh, scp or sftp non-interactively should be checked as well, since they connect without anyone watching.
Source: OpenSSH: Information-leak vulnerability (CVE-2016-0777) - Red Hat Cu ...
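The check and the workaround described above, as an added example that is not code from the original page or from OpenSSH itself: classify an "ssh -V" banner against the affected range (5.4 up to and including 7.1p1, the range given in the upstream advisory), decide whether an ssh_config already disables roaming for every host, and prepend the workaround if it does not. The banners and config snippets used when the script runs are constructed samples; the function names are this example's own.

```python
# Added example (not code from the original page or from OpenSSH): tell whether a
# client banner falls in the CVE-2016-0777 range, whether an ssh_config already
# disables roaming globally, and insert the "UseRoaming no" workaround if not.
import os
import re
import subprocess

# Roaming client code shipped in OpenSSH 5.4; 7.1p2 is the first release with it
# disabled, so 5.4 up to and including 7.1p1 carry the bug (upstream advisory range).
FIRST_AFFECTED = (5, 4)
LAST_AFFECTED = (7, 1)
FIXED_PORTABLE = 2
WORKAROUND_LINE = "UseRoaming no"
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?")


def client_version(banner):
    """Parse 'ssh -V' output such as 'OpenSSH_7.1p1 OpenSSL 1.0.2e 3 Dec 2015'
    into (major, minor, portable_patch); None if it is not an OpenSSH banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def roaming_vulnerable(banner):
    """True if the client still has roaming enabled by default, False if not,
    None if the banner is not an OpenSSH version string."""
    parsed = client_version(banner)
    if parsed is None:
        return None
    major, minor, portable = parsed
    release = (major, minor)
    if release < FIRST_AFFECTED or release > LAST_AFFECTED:
        return False
    if release == LAST_AFFECTED and portable >= FIXED_PORTABLE:
        return False
    return True


def _directives(config_text):
    """Yield (keyword, argument) for every non-comment line of an ssh_config."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def roaming_disabled(config_text):
    """True if roaming is turned off for every host.

    ssh(1) uses the first value it obtains for a keyword, so 'UseRoaming no'
    counts only if no earlier line set it to something else; and a setting under
    'Host bastion' or a Match block protects only those hosts, so the scan stops
    when it reaches the first host-specific section without a global answer.
    """
    for keyword, argument in _directives(config_text):
        if keyword == "host" and argument != "*":
            return False
        if keyword == "match":
            return False
        if keyword == "useroaming":
            return argument.lower() == "no"
    return False


def add_workaround(config_text):
    """Return config_text with the workaround prepended as the first directive,
    which makes it global and the value ssh(1) actually uses; unchanged if
    roaming is already disabled."""
    if roaming_disabled(config_text):
        return config_text
    return WORKAROUND_LINE + "\n" + config_text


if __name__ == "__main__":
    try:  # ssh -V prints its banner on stderr
        banner = subprocess.run(["ssh", "-V"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        banner = ""
    print("ssh banner:", banner.strip() or "(no ssh client found)")
    print("client in CVE-2016-0777 range:", roaming_vulnerable(banner))
    user_config = os.path.expanduser("~/.ssh/config")
    try:
        with open(user_config) as f:
            current = f.read()
    except FileNotFoundError:
        current = ""
    print("roaming disabled in", user_config + ":", roaming_disabled(current))
    if not roaming_disabled(current):
        print("suggested first line for", user_config + ":", WORKAROUND_LINE)
```

Run as a script it inspects the local client and ~/.ssh/config and only prints a suggestion; the system-wide /etc/ssh/ssh_config has to be checked the same way, and a setting there is overridden by a user's earlier "UseRoaming yes", which is why the check refuses to count a "no" that follows another value.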


Uncovering the Seven Pointed Dagger
Mon, 11 Jan 2016 11:00:36 +0000

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]

The post Uncovering the Seven Pointed Dagger appeared first on Threat Intelligence.

Amplifying Black Energy
Wed, 16 Dec 2015 11:00:39 +0000

Click here to download the full report. The Black Energy malware family has a long and storied history dating back to 2007. Originally a monolithic DDoS platform, significant advancements were made in 2010 including support for an extensible plugin architecture that allowed Black Energy 2 to more easily expand beyond DDoS into other activities such […]

How to test and fix IPv6 fragmentation issues
Wed, 04 Nov 2015 11:00:31 +0000

In an earlier blog post, I discussed the issues associated with IPv6 packet fragmentation. Of particular significance, IPv6 fragmentation relies extensively on the computer sourcing packets being able to receive ICMPv6 “packet too big” message type 2 sent from any intermediate device in the route to the packet’s destination. The capability to confirm that an […]
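The mechanism the excerpt describes, as an added example that is not code from the original ASERT post: the ICMPv6 Packet Too Big message (type 2, code 0, RFC 4443) built as an intermediate router sends it back to the source, validated as the source must validate it (pseudo-header checksum included), and the fragment sizing the source performs once it knows the path MTU, since in IPv6 only the source fragments. The addresses, MTUs and the offending packet are constructed values, not captured traffic.

```python
# Added example (not from the original ASERT post): the ICMPv6 "Packet Too Big"
# message that IPv6 path MTU discovery depends on, built as a router would send it
# and validated as the source host must, plus the fragment sizing the source
# performs once it learns the path MTU. Addresses, MTUs and the sample packet
# below are constructed values, not captured traffic.
import ipaddress
import struct

IPV6_MIN_MTU = 1280           # RFC 8200: every IPv6 link must carry 1280-byte packets
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
ICMPV6_HDR_LEN = 8            # type, code, checksum, MTU
ICMPV6_PACKET_TOO_BIG = 2     # RFC 4443 section 3.2
ICMPV6_NEXT_HEADER = 58


def icmpv6_checksum(src, dst, icmp):
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet_too_big(router, sender, mtu, offending_packet):
    """Packet Too Big as the intermediate router addresses it back to the source.

    Layout: type(1) code(1) checksum(2) MTU(4), then as much of the offending packet
    as fits in a minimum-MTU IPv6 packet (RFC 4443: 1280 - 40 IPv6 - 8 ICMPv6).
    """
    quoted = offending_packet[: IPV6_MIN_MTU - IPV6_HDR_LEN - ICMPV6_HDR_LEN]
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + quoted
    csum = icmpv6_checksum(router, sender, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_packet_too_big(router, sender, icmp):
    """Return the path MTU a received PTB reports, or None if it is not a valid PTB.

    This is the message a host must be able to receive: if a firewall drops all
    ICMPv6, the source never learns the path MTU and its large packets are
    silently black-holed.
    """
    if len(icmp) < ICMPV6_HDR_LEN:
        return None
    msg_type, code, _stored, mtu = struct.unpack("!BBHI", icmp[:ICMPV6_HDR_LEN])
    if msg_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    if icmpv6_checksum(router, sender, icmp) != 0:   # sum over the stored checksum must verify
        return None
    # RFC 8200 section 5: a reported MTU below 1280 does not lower the estimate;
    # the source keeps 1280 and adds a Fragment header to every packet instead.
    return max(mtu, IPV6_MIN_MTU)


def fragment_sizes(payload_len, path_mtu):
    """Bytes of upper-layer payload each fragment carries once the source knows path_mtu.

    Only the source fragments in IPv6 (routers never do), every fragment carries the
    40-byte IPv6 header plus an 8-byte Fragment header, and every fragment but the
    last must carry a multiple of 8 bytes.
    """
    path_mtu = max(path_mtu, IPV6_MIN_MTU)
    per_fragment = ((path_mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8) * 8
    sizes = []
    while payload_len > 0:
        sizes.append(min(per_fragment, payload_len))
        payload_len -= per_fragment
    return sizes


if __name__ == "__main__":
    router, sender = "2001:db8::1", "2001:db8::1234"      # constructed addresses
    too_big = bytes(range(256)) * 6                        # constructed 1536-byte packet
    ptb = build_packet_too_big(router, sender, 1400, too_big)
    print("router reports path MTU", parse_packet_too_big(router, sender, ptb))
    print("fragments for a 3000-byte payload:", fragment_sizes(3000, 1400))
    print("tampered copy accepted?",
          parse_packet_too_big(router, sender, ptb[:-1] + b"\x00") is not None)
```

The parser deliberately verifies the checksum with the addresses the source expects, so a PTB forged from a different source address fails validation; a filter that wants to permit path MTU discovery only needs to let ICMPv6 type 2 through, not all of ICMPv6.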

Peeking at Pkybot
Tue, 22 Sep 2015 10:00:08 +0000

For the past few months ASERT has been keeping an eye on a relatively new banking malware (“banker”) known as “Pkybot”. It is also being classified as a variant of “Bublik”, but the former is much more descriptive of the malware. This post will take a peek at some of the bits and pieces of […]

ZeusVM: Bits and Pieces
Tue, 08 Sep 2015 11:00:26 +0000

ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time […]

Top Attacks (past 24 hours)

Description                                                          Attacks per subnet  Change from yesterday  CVE            Percentage
VNC network scanning activity                                                    380.21  +45.3 %                               68.1%
ntpdx overflow attempt                                                            40.97  -32.0 %                CVE-2001-0414   7.3%
SSH brute-force login attempts                                                    37.53  -36.8 %                                6.7%
MYSQL brute-force login attempts                                                  36.22  +48.1 %                                6.5%
RPC portmap listing UDP 111                                                       20.44  +170.1 %                               3.7%
DNS named version attempt                                                         13.88  +727.6 %                               2.5%
DNS large number of NXDOMAIN replies - possible DNS cache poisoning                4.32  +100.0 %               CVE-2008-1447   0.8%
SNMP MS Windows getbulk request                                                    4.15  +100.0 %               CVE-2006-5583   0.7%
RPC portmap listing TCP 111                                                        0.27  +69.3 %                                0.0%
 
Top Scanned Services (past 24 hours)

Description                 Traffic per subnet  Change from yesterday  Latest CVE      Percentage
UDP/5060 (sip)                       308.95 kB  +40.6 %                CVE-2006-0189   19.7%
ICMP/8 (echo request)                186.43 kB  -23.0 %                                11.9%
TCP/5900 (vnc)                       130.50 kB  -9.2 %                 CVE-2006-4309    8.3%
TCP/23 (telnet)                      127.84 kB  -19.7 %                CVE-2007-0956    8.2%
UDP/53413                             86.20 kB  -7.8 %                                  5.5%
UDP/20198                             13.41 kB  +inf %                                  0.9%
UDP/161 (snmp)                        10.93 kB  +inf %                 CVE-2007-5381    0.7%
UDP/5050 (mmcc)                       10.44 kB  +inf %                                  0.7%
UDP/5066 (stanag-5066)                 9.67 kB  +inf %                                  0.6%
UDP/137 (netbios-ns)                   9.58 kB  +inf %                 CVE-2004-0444    0.6%

(+inf % marks a service for which no scan traffic was recorded the previous day.)
 
Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
CN (China) 1 57 583.38 kB 1 43 248
US (United States) 2 88 156.43 kB 3 4961 1737
CA (Canada) 3 1 198.88 kB 0 268 122
DE (Germany) 4 9 141.03 kB 1 575 118
KR (South Korea) 5 40 22.00 kB 1 0 1014
NL (Netherlands) 6 19 28.96 kB 2 211 238
BR (Brazil) 7 9 15.50 kB 0 149 405
IN (India) 8 0 6.63 kB 0 61 569
GB (Great Britain) 9 0 11.74 kB 1 494 244
RO (Romania) 10 76 28.53 kB 0 49 48
FR (France) 11 1 22.73 kB 10 183 81
LV (Latvia) 12 84 31.64 kB 0 0 0
AU (Australia) 13 0 3.72 kB 0 519 117
RU (Russian Federation) 14 0 13.41 kB 0 59 105
IT (Italy) 15 5 3.09 kB 0 226 142
TR (Turkey) 16 2 8.72 kB 0 189 35
CH (Switzerland) 17 0 1.75 kB 0 17 225
GR (Greece) 18 50 14.75 kB 1 19 0
TW (Taiwan) 19 0 15.18 kB 0 3 19
PL (Poland) 20 1 6.17 kB 0 89 72
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS37963 (CNNIC-ALIBABA-CN-NET-AP) 1 3 205.83 kB 0 0 25
AS4134 (Unknown) 2 41 142.38 kB 1 0 32
AS6428 (CDM) 3 0 132.15 kB 0 0 0
AS4837 (Unknown) 4 5 90.12 kB 0 0 21
AS8972 (Unknown) 5 1 78.80 kB 0 45 0
AS30633 (LEASEWEB-US) 6 0 57.79 kB 0 0 0
AS41390 (RN-DATA-LV) 7 83 31.51 kB 0 0 0
AS47583 (HOSTINGER-AS) 8 0 0 B 0 910 0
AS36351 (SOFTLAYER) 9 0 14.54 kB 0 382 41
AS32097 (WII-KC) 10 0 28.85 kB 0 0 0
AS26496 (Unknown) 11 0 0 B 0 774 0
AS29073 (ECATEL-AS) 12 17 23.89 kB 1 0 0
AS10199 (TATA-AS) 13 0 0 B 0 0 368
AS30890 (TENNET) 14 58 22.08 kB 0 0 0
AS13301 (UNITEDCOLO-AS) 15 0 22.41 kB 0 0 0
AS4766 (KIXS-AS-KR) 16 0 7.35 kB 0 0 222
AS24961 (MYLOC-AS) 17 1 18.99 kB 0 0 0
AS12322 (PROXAD) 18 1 15.18 kB 6 64 0
AS6939 (HURRICANE) 19 12 16.12 kB 0 0 13
AS6866 (CYTA-NETWORK) 20 50 14.40 kB 0 0 0
 
Host Rank Attacks per subnet Scans per subnet Botnets Phishing
106.39.223.82 1 0 76.38 kB 0 0
209.126.122.29 (usloft4506.serverprofi24.com) 2 0 74.13 kB 0 0
140.205.81.52 3 1 67.25 kB 0 0
108.59.4.195 4 0 55.98 kB 0 0
185.130.5.224 5 0 50.54 kB 0 0
140.205.81.51 6 0 49.18 kB 0 0
140.205.228.51 7 0 45.59 kB 0 0
140.205.228.52 8 1 43.62 kB 0 0
188.138.57.11 (loft11007.serverprofi24.com) 9 0 38.01 kB 0 0
199.189.86.5 (pacific1737.serverprofi24.com) 10 0 33.92 kB 0 0
195.3.144.102 (sendme24.ru) 11 83 31.51 kB 0 0
85.120.225.51 12 58 22.07 kB 0 0
173.208.166.114 13 0 22.96 kB 0 0
209.126.116.150 (pacific1660.serverprofi24.eu) 14 0 20.74 kB 0 0
188.138.33.38 (loft9013.serverprofi24.eu) 15 0 18.59 kB 0 0
192.96.201.142 16 0 17.10 kB 0 0
77.69.2.70 (77-2-70.static.cyta.gr) 17 50 14.26 kB 0 0
104.20.88.65 18 0 0 B 0 415
104.20.87.65 19 0 0 B 0 415
174.36.238.148 (94.ee.24ae.ip4.static.sl-reverse.com) 20 0 13.95 kB 0 0