Dashboard Global

ASERT Security Intelligence

Summary: This week Adobe released its delayed security updates for Acrobat and PDF Reader. There have been no reported in-the-wild attacks exploiting these vulnerabilities; however, they are all rated critical and should be patched immediately. In targeted attack news, the Senate Armed Services Committee (SASC) has released a report detailing repeated intrusions into US TRANSCOM and associated contractor networks. The attacks were reportedly the work of state-sponsored Chinese hackers. Two targeted attacks against the oil and gas industry were also reported this week. In the first, the banking trojan Citadel was repurposed and used in a series of attacks on petrochemical companies in the Middle East. In the second, the website of an ONG (oil and gas) company was compromised to host malware as part of a wateringhole attack targeting site visitors. Another wateringhole attack was reported compromising a Brazilian newspaper to deliver malware that attempted to brute-force victims' routers and modify their DNS settings. Small office and home office (SOHO) routers often suffer from poor security settings; if routers are exploited to modify DNS settings, victims can be redirected to malicious sites. Lastly, ICS-CERT has released advisories detailing multiple vulnerabilities in several popular SCADA products. ICS/SCADA systems are a frequent and easy target for attackers due to their often legacy nature, the trend to connect them to other networks, and availability requirements that often take priority over basic security best practices. To better protect systems, administrators should follow ICS-CERT guidelines for mitigations and recommended practices.

Title: Acrobat, PDF Reader Security Updates Released
Severity Level: Extreme Severity
Published: Fri, 19 Sep 2014 10:54:58 +0000
Adobe's security updates for Acrobat and PDF Reader, delayed last week, have now been released. The patches fix eight critical flaws for both Mac and Windows versions, addressing vulnerabilities that could potentially allow an attacker to control the affected system.

Title: US TRANSCOM Repeatedly Targeted by Chinese Hackers
Severity Level: Normal Severity
Published: Fri, 19 Sep 2014 10:54:58 +0000
The Senate Armed Services Committee (SASC) has released a report claiming that Chinese hackers associated with the Chinese state have repeatedly compromised US TRANSCOM (Transportation Command) computer systems as well as those of its contractors.

Title: Banking Trojan Used in Targeted Attack on Petrochemical Companies
Severity Level: Normal Severity
Published: Fri, 19 Sep 2014 10:54:58 +0000
The Citadel banking trojan has been used in a recent series of attacks targeting petrochemical companies in the Middle East. The Citadel malware was modified to target company URLs, such as webmail, in order to gather credentials.

Title: ONG Website Compromised in Wateringhole Attack
Severity Level: Normal Severity
Published: Fri, 19 Sep 2014 10:54:58 +0000
A technology startup in the oil and gas industry was recently targeted in a wateringhole attack. The attack occurred after the company made a major announcement about funding, likely indicating the attackers expected the website to receive an influx of visitors that could potentially be infected. Malicious code on the website targeted CVE-2013-7331 affecting Internet Explorer, which was patched last week by Microsoft but was unpatched at the time of attack. Certain visitors were then redirected to a drive-by-download page hosting a version of the Sweet Orange exploit kit exploiting several vulnerabilities: CVE-2014-0497 (Flash), CVE-2012-1723 (Java), and CVE-2013-2551 (Internet Explorer).


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion (although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.


We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.

Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


01 Top Attacks (past 24 hours)

Description                        Attacks per subnet  Change from yesterday  CVE            Percentage
VNC network scanning activity      470.68              -22.2 %                               32.5%
WEB-MISC Poison Null Byte          176.20              +5711.6 %              CVE-2006-4542  12.2%
SSH brute-force login attempts     120.61              +43.2 %                               8.3%
MYSQL brute-force login attempts   86.39               -11.2 %                               6.0%
 
Description                                                  Attacks per subnet  Change from yesterday  CVE            Percentage
WEB-MISC Poison Null Byte                                    176.20              +5711.6 %              CVE-2006-4542  12.2%
RPC portmap listing UDP 111                                  58.95               +100.0 %                              4.1%
ntpdx overflow attempt                                       55.72               +100.0 %               CVE-2001-0414  3.8%
Microsoft Windows RPC Bind Request buffer overflow attempt   8.70                +100.0 %               CVE-2004-0116  0.6%
 
02 Top Scanned Services (past 24 hours)

Description        Traffic per subnet  Change from yesterday  Latest CVE     Percentage
TCP/22 (ssh)       1.17 MB             +2301.6 %              CVE-2002-0639  25.2%
ICMP/8             946.34 kB           -14.9 %                               20.4%
TCP/5900           300.12 kB           -14.6 %                CVE-2006-4309  6.5%
UDP/5060 (sip)     160.07 kB           -7.9 %                 CVE-2006-0189  3.5%
UDP/53 (domain)    158.76 kB           -1.2 %                 CVE-2008-1447  3.4%
 
Description              Traffic per subnet  Change from yesterday  Latest CVE  Percentage
UDP/5066 (stanag-5066)   31.96 kB            +inf %                             0.7%
UDP/5088                 31.96 kB            +inf %                             0.7%
UDP/5084                 31.96 kB            +inf %                             0.7%
UDP/5087                 31.96 kB            +inf %                             0.7%
UDP/5089                 31.96 kB            +inf %                             0.7%
 
03 Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 69 207.37 kB 7 78217 4420
CN (China) 2 266 2.11 MB 3 4693 1050
FR (France) 3 1 975.61 kB 6 10765 184
CA (Canada) 4 13 17.16 kB 1 21951 261
DE (Germany) 5 1 26.73 kB 4 17733 380
NL (Netherlands) 6 11 215.85 kB 3 4799 399
GB (Great Britain) 7 9 8.26 kB 2 9120 484
ZA (South Africa) 8 31 273.89 kB 0 916 23
TR (Turkey) 9 6 5.06 kB 0 7488 366
RU (Russian Federation) 10 141 47.25 kB 6 3542 128
KR (South Korea) 11 8 31.15 kB 2 1318 1417
RO (Romania) 12 65 21.81 kB 0 4061 34
IT (Italy) 13 1 2.63 kB 1 4408 154
EU (European Union) 14 9 25.46 kB 0 3526 48
CL (Chile) 15 15 9.16 kB 1 3961 0
PL (Poland) 16 0 1.22 kB 1 4057 43
BR (Brazil) 17 5 6.50 kB 0 2097 615
MY (Malaysia) 18 0 10.97 kB 0 1615 474
AU (Australia) 19 0 210.73 B 0 2079 384
ES (Spain) 20 1 6.68 kB 0 1604 433
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS4837 (CHINA169-BACKBONE) 1 67 1.38 MB 1 752 228
AS12322 (PROXAD) 2 1 971.43 kB 3 1919 0
AS4134 (CHINANET-BACKBONE) 3 145 421.10 kB 0 1917 312
AS15169 (GOOGLE) 4 0 0 B 0 13591 256
AS24940 (HETZNER-AS) 5 0 0 B 0 12510 44
AS16276 (OVH) 6 0 0 B 3 8020 44
AS46606 (UNIFIEDLAYER-AS-1) 7 0 0 B 0 6680 0
AS29073 (ECATEL-AS) 8 9 209.33 kB 0 0 0
AS3741 (IS,ZA) 9 30 182.44 kB 0 0 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 10 0 0 B 0 4825 0
AS47583 (HOSTINGER-AS) 11 0 0 B 0 4081 0
AS36351 (SOFTLAYER) 12 0 2.85 kB 0 3216 54
AS53665 (BODIS-1) 13 0 0 B 0 3175 0
AS26347 (DREAMHOST-AS) 14 0 0 B 0 3062 0
AS17054 (AS17054) 15 0 0 B 0 2849 0
AS14259 (Gtd) 16 15 4.23 kB 1 2653 0
AS13768 (PEER1) 17 0 0 B 1 2493 0
AS6245 (NETWORK-SOLUTIONS) 18 0 0 B 0 2352 0
AS16265 (FIBERRING) 19 1 4.35 kB 2 1969 63
AS32244 (LIQUID-WEB-INC) 20 0 0 B 0 2169 0