Dashboard Global

ASERT Security Intelligence

Summary: Sony has suffered a devastating compromise that has resulted in a widespread leak of a large amount of sensitive data. Unreleased films, intellectual property, employee records, IT infrastructure and security documents, legal documents, and just about everything else have been exposed. A destructive, disk-wiping malware has also been discovered, and there are indicators that it may have been used in the Sony Pictures compromise; IT security staff should be well aware of the threat from this malware. On the nation-state front, the recently revealed Operation Cleaver appears to be an Iranian-backed cyber-intrusion program with substantial resources. Long-running attack and persistence campaigns aimed at a variety of verticals in numerous countries demonstrate a portion of this group's capabilities. In other threat news, Point of Sale threats continue to proliferate. Attackers are getting more creative and finding more opportunities to steal sensitive financial data. While the retail sector has been hit hard, attackers are branching out to other insecure payment infrastructure. Several new Point of Sale malware families have emerged recently, including LusyPOS, POSLOGR.K, d4re|dev1| (daredevil) and getmypass. Recent breaches involving Point of Sale infrastructure include a parking garage operator and a women's clothing chain.

Title: Point of Sale Threats Proliferate
Severity Level: Normal Severity
Published: Thu, 04 Dec 2014 20:27:32 +0000
Several new Point of Sale malware families have emerged recently, including LusyPOS, POSLOGR.K, d4re|dev1| (daredevil), and getmypass. Recently disclosed breaches involving Point of Sale infrastructure include a parking garage operator and a women's clothing chain.

Title: Operation Cleaver Demonstrates Substantial Cyber-Threat Capability
Severity Level: Extreme Severity
Published: Thu, 04 Dec 2014 20:27:32 +0000
Operation Cleaver appears to be an Iranian-backed cyber-intrusion program with substantial resources. Long-running attack and persistence campaigns aimed at a variety of verticals in numerous countries demonstrate a portion of this group's capabilities. Organizations must be aware of this group and these attack campaigns and use the published Indicators of Compromise (IOCs) to discover past or present compromise, especially in vital sectors.
Source: Operation Cleaver | Cylance

Title: An Analysis of the "Destructive" Malware Behind FBI Warnings
Severity Level: High Severity
Published: Thu, 04 Dec 2014 20:27:32 +0000
A destructive, disk-wiping malware has been discovered. There are indicators that this malware may have been used in the Sony Pictures compromise. IT security staff should be well aware of the threat from this malware.
Source: An Analysis of the "Destructive" Malware Behind FBI Warnings

Title: The Sony Pictures Hack: Hollywood's Snowden Moment
Severity Level: High Severity
Published: Thu, 04 Dec 2014 20:27:32 +0000
Sony has suffered a devastating compromise that has resulted in a widespread leak of a large amount of sensitive data. Unreleased films, intellectual property, employee records, IT infrastructure and security documents, legal documents, and just about everything else have been exposed.
Source: The Sony Pictures Hack: Hollywood's Snowden Moment

IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion (although the Internet-Draft discusses deprecation of the IPv6 Fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000
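To make the security side of that "havoc" concrete, here is an added example (it is not code from the ASERT post or from the Internet-Draft): a small Python walker over the IPv6 extension-header chain that pulls out the Fragment header and tags the cases that defeat stateless filtering. The tags are my own naming; the conditions they check are the ones the IETF has already had to document separately, namely atomic fragments (a Fragment header with offset 0 and M=0) and first fragments that do not carry the complete header chain, so a firewall or ACL looking for a TCP/UDP port never sees one. All packets are constructed inline from the 2001:db8::/32 documentation prefix, not captures.

```python
import ipaddress
import struct

# IANA protocol numbers for the headers this walker understands
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_NAMES = {HOP_BY_HOP: "HopByHop", ROUTING: "Routing", DEST_OPTS: "DestOpts", AH: "AH"}
# Bytes of each upper-layer header a stateless filter must see to match on ports/types
UPPER_MIN_LEN = {TCP: 20, UDP: 8, ICMPV6: 8}


def parse_ipv6(pkt: bytes) -> dict:
    """Walk one IPv6 packet's extension-header chain.

    Returns addresses, the chain of extension headers seen, the Fragment
    header fields (or None), the upper-layer protocol number and how many
    bytes of that upper-layer header are present in this packet.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    payload_len, nxt = struct.unpack_from("!HB", pkt, 4)
    end = min(len(pkt), 40 + payload_len)
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "chain": [], "frag": None}
    off = 40
    while True:
        if nxt == FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated Fragment header")
            nxt, _res, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            info["frag"] = {"offset": (off_flags >> 3) * 8,   # 13-bit offset in 8-octet units
                            "more": bool(off_flags & 1), "id": ident}
            info["chain"].append("Fragment")
            off += 8
            if info["frag"]["offset"] != 0:
                break  # non-first fragment: what follows is mid-payload data, not a header
        elif nxt in EXT_NAMES:
            if off + 2 > end:
                raise ValueError("truncated extension header")
            ext_len = pkt[off + 1]
            # AH counts its length in 4-octet units minus 2; the others in 8-octet units minus 1
            size = (ext_len + 2) * 4 if nxt == AH else (ext_len + 1) * 8
            info["chain"].append(EXT_NAMES[nxt])
            nxt = pkt[off]
            off += size
        else:
            break  # ESP, No-Next-Header or an upper-layer protocol: stop walking
    info["upper"] = nxt
    info["upper_bytes"] = max(0, end - off)
    return info


def assess_fragment_risk(pkt: bytes) -> list:
    """Return tags describing why a fragmented packet is awkward to filter statelessly."""
    info = parse_ipv6(pkt)
    frag = info["frag"]
    if frag is None:
        return []
    tags = ["FRAGMENTED"]
    if frag["offset"] == 0 and not frag["more"]:
        tags.append("ATOMIC_FRAGMENT")            # Fragment header present, nothing was fragmented
    if frag["offset"] != 0:
        tags.append("NON_FIRST_FRAGMENT")         # no transport header: ports/types invisible
        return tags
    need = UPPER_MIN_LEN.get(info["upper"])
    if need is None:
        tags.append("UNKNOWN_UPPER_LAYER")
    elif info["upper_bytes"] < need:
        tags.append("FIRST_FRAGMENT_TRUNCATED_HEADER")  # header chain spills into a later fragment
    return tags


# --- constructed sample packets (not captures) -------------------------------------------
def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def frag_header(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    assert offset % 8 == 0
    return struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | int(more), ident)


SRC, DST = "2001:db8::1", "2001:db8::2"
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte TCP header
DEST_OPTS_PADN = struct.pack("!BB", FRAGMENT, 0) + b"\x01\x04" + b"\x00" * 4         # 8-byte DestOpts

SAMPLES = {
    "plain_syn":        build_ipv6(SRC, DST, TCP, TCP_SYN),
    "first_frag_ok":    build_ipv6(SRC, DST, FRAGMENT, frag_header(TCP, 0, True, 0x1234) + TCP_SYN + b"\x00" * 100),
    "destopts_frag_ok": build_ipv6(SRC, DST, DEST_OPTS, DEST_OPTS_PADN + frag_header(TCP, 0, True, 0x1234) + TCP_SYN + b"\x00" * 100),
    "first_frag_short": build_ipv6(SRC, DST, FRAGMENT, frag_header(TCP, 0, True, 0x1234) + TCP_SYN[:8]),
    "atomic_frag":      build_ipv6(SRC, DST, FRAGMENT, frag_header(TCP, 0, False, 0x1234) + TCP_SYN),
    "tail_frag":        build_ipv6(SRC, DST, FRAGMENT, frag_header(TCP, 1280, False, 0x1234) + b"\x00" * 64),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        info = parse_ipv6(pkt)
        print(f"{name:17} chain={info['chain']!s:24} upper={info['upper']:3} "
              f"upper_bytes={info['upper_bytes']:4} -> {assess_fragment_risk(pkt)}")
```

The `first_frag_short` case is the one that matters for an ACL: the packet's Next Header says TCP, but only 8 of the 20 TCP header bytes are in this fragment, so a port-based rule either passes it blind or has to reassemble. Real filters also need a per-(src, dst, id) reassembly table with timeouts before they can apply the rule to the whole datagram, which is exactly the operational cost the draft argues against.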

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the Mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                                C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72   http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16   http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79   http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a   http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000
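The practical use of the revision table above is hunting: the URLs, hosts and IPs are the indicators a defender would run against outbound web logs. The Python scanner below is an added example, not code from the ASERT post. It loads the four rows, indexes them by exact URL, by host and by C&C IP, and grades each log hit by how strong the evidence is (an exact `gate.php` URL is much stronger than an IP alone, since 91.204.122.100 served two revisions and could be shared hosting). The log lines are constructed in Squid's native access.log layout; the `cnc_url` / `cnc_host` / `cnc_ip` labels and the grading order are my choices.

```python
from urllib.parse import urlsplit

# C&C indicators from the BlackRev revision table above: (revision, sample MD5, C&C URL, C&C IP)
BLACKREV_IOCS = [
    ("1",   "06d8da1e14cff81ca2fad02d2a878c72", "http://userhaos.ru/113/bot/gate.php", "91.105.232.105"),
    ("2",   "c9c6aeacee9f973ca0ca5da101a12a16", "http://ergoholding.ru/rev/gate.php",  "91.204.122.100"),
    ("2.5", "7141cacc3f4a191015a176947a403b79", "http://clfrev.ru/rev/panel/gate.php", "93.170.130.112"),
    ("3",   "eae553d72142f9dcb06c5c134015fe7a", "http://ergoholding.ru/ddd/gate.php",  "91.204.122.100"),
]
HASH_TO_REV = {md5: rev for rev, md5, _url, _ip in BLACKREV_IOCS}   # for matching file hashes


def build_index(iocs):
    """Index the IOCs three ways: exact URL (host+path), host only, and C&C IP."""
    by_url, by_host, by_ip = {}, {}, {}
    for rev, _md5, url, ip in iocs:
        u = urlsplit(url)
        by_url.setdefault(u.hostname + u.path, set()).add(rev)
        by_host.setdefault(u.hostname, set()).add(rev)
        by_ip.setdefault(ip, set()).add(rev)
    return by_url, by_host, by_ip


def parse_squid_line(line):
    """Squid native access.log: time elapsed client code/status bytes method URL user peer/host type."""
    f = line.split()
    if len(f) < 9:
        return None
    peer_ip = f[8].split("/", 1)[1] if "/" in f[8] else None
    return {"ts": f[0], "client": f[2], "method": f[5], "url": f[6], "peer_ip": peer_ip}


def match_entry(entry, index):
    """Return (match_type, sorted revisions) or None, strongest evidence first."""
    by_url, by_host, by_ip = index
    u = urlsplit(entry["url"])
    host = u.hostname or ""
    if host + u.path in by_url:
        return "cnc_url", sorted(by_url[host + u.path])
    if host in by_host:
        return "cnc_host", sorted(by_host[host])
    # Weakest evidence: only the server IP matches. 91.204.122.100 hosted two revisions,
    # so an IP hit alone attributes to both and may be shared hosting; treat it as a lead.
    for ip in (entry["peer_ip"], host):
        if ip in by_ip:
            return "cnc_ip", sorted(by_ip[ip])
    return None


def scan_log(lines, iocs=BLACKREV_IOCS):
    """Run every parseable log line against the IOC index; return the hits in log order."""
    index = build_index(iocs)
    hits = []
    for line in lines:
        entry = parse_squid_line(line)
        if entry is None:
            continue
        m = match_entry(entry, index)
        if m:
            hits.append({"client": entry["client"], "url": entry["url"], "match": m[0], "revs": m[1]})
    return hits


# Constructed log lines (not real traffic) in Squid native format.
SAMPLE_LOG = """\
1369152000.101    45 10.0.0.7  TCP_MISS/200 1320 GET  http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1369152001.204   120 10.0.0.15 TCP_MISS/200  512 POST http://ergoholding.ru/rev/gate.php - HIER_DIRECT/91.204.122.100 text/html
1369152002.330    88 10.0.0.15 TCP_MISS/200 2048 GET  http://clfrev.ru/rev/panel/ - HIER_DIRECT/93.170.130.112 text/html
1369152003.417    97 10.0.0.22 TCP_MISS/200  512 POST http://91.204.122.100/ddd/gate.php - HIER_DIRECT/91.204.122.100 text/html
1369152004.522     0 10.0.0.31 TCP_DENIED/403  0 GET  http://userhaos.ru/113/bot/gate.php - HIER_NONE/- text/html
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']:10} {hit['match']:9} rev={','.join(hit['revs']):5} {hit['url']}")
```

Two of the constructed lines show why the grading matters: the `clfrev.ru/rev/panel/` request without `gate.php` is a host-only hit (someone browsing the panel, or a bot with a changed path), and the POST straight to `91.204.122.100` by IP only matches the address column, so it is reported against both revisions 2 and 3 rather than one. The denied request to `userhaos.ru` still counts as a full URL hit, because a blocked beacon is still an infected client.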

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as the ATLAS data below shows.

[ATLAS chart: Syria traffic, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000

Top Attacks (past 24 hours)

Description                             Attacks per subnet   Change from yesterday   CVE             Percentage
VNC network scanning activity           461.14               +20.3 %                                 58.4%
SSH brute-force login attempts          42.68                -26.6 %                                 5.4%
MYSQL brute-force login attempts        38.33                +3.3 %                                  4.9%
ping attempt                            33.67                +244.1 %                                4.3%
WEB PHP Attack Tool Morfeus F Scanner   32.42                +100.0 %                                4.1%

Description                             Attacks per subnet   Change from yesterday   CVE             Percentage
SNMP MS Windows getbulk request         21.15                +283.7 %                CVE-2006-5583   2.7%
ping attempt                            33.67                +244.1 %                                4.3%
WEB PHP Attack Tool Morfeus F Scanner   32.42                +100.0 %                                4.1%
ASN.1 constructed bit string            1.45                 +100.0 %                CVE-2005-1935   0.2%
 
Top Scanned Services (past 24 hours)

Description                Traffic per subnet   Change from yesterday   Latest CVE      Percentage
TCP/5900                   291.74 kB            +2.5 %                  CVE-2006-4309   18.5%
UDP/5060 (sip)             197.29 kB            -4.1 %                  CVE-2006-0189   12.5%
UDP/3395 (dyna-lm)         184.19 kB            -23.5 %                                 11.7%
UDP/4614                   123.19 kB            -20.1 %                                 7.8%
TCP/8080 (webcache)        77.23 kB             -32.9 %                 CVE-2007-5461   4.9%

Description                Traffic per subnet   Change from yesterday   Latest CVE      Percentage
TCP/9064                   12.25 kB             +inf %                                  0.8%
TCP/3389 (ms-wbt-server)   10.54 kB             +inf %                  CVE-2005-1218   0.7%
TCP/139 (netbios-ssn)      9.54 kB              +inf %                  CVE-2008-4834   0.6%
TCP/135 (epmap)            9.09 kB              +inf %                  CVE-2007-2446   0.6%
UDP/4518                   8.25 kB              +inf %                                  0.5%
(A change of +inf % means no traffic to that port was seen in the previous 24-hour window.)
 
Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 176 64.74 kB 3 7609 3006
IR (Iran) 2 0 209.43 kB 0 112 14
FR (France) 3 2 113.35 kB 10 1140 170
CN (China) 4 92 112.47 kB 1 94 664
LV (Latvia) 5 28 150.47 kB 0 0 0
DE (Germany) 6 26 74.92 kB 1 943 529
NL (Netherlands) 7 37 92.56 kB 2 393 300
ZA (South Africa) 8 15 87.74 kB 0 4 62
KR (South Korea) 9 3 2.07 kB 1 0 1304
RU (Russian Federation) 10 23 42.18 kB 0 327 329
GB (Great Britain) 11 5 16.19 kB 1 1184 258
CA (Canada) 12 6 18.23 kB 0 1171 141
BR (Brazil) 13 0 4.75 kB 0 143 895
TR (Turkey) 14 0 23.53 kB 0 790 251
HK (Hong Kong) 15 133 36.94 kB 0 213 25
SE (Sweden) 16 6 19.44 kB 0 506 168
EU (European Union) 17 1 34.50 kB 0 286 44
RO (Romania) 18 2 34.05 kB 0 100 109
MY (Malaysia) 19 0 408.90 B 0 155 576
IN (India) 20 16 12.50 kB 0 543 131
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS41390 (RN-DATA-LV) 1 28 150.37 kB 0 0 0
AS12322 (PROXAD) 2 1 99.30 kB 6 282 0
AS12880 (Unknown) 3 0 101.96 kB 0 0 0
AS29073 (Unknown) 4 35 71.41 kB 1 96 0
AS4134 (CHINANET-BACKBONE) 5 51 49.90 kB 1 47 145
AS197794 (START-AS) 6 1 56.43 kB 0 0 0
AS4760 (HKTIMS-AP) 7 133 36.49 kB 0 0 0
AS46606 (UNIFIEDLAYER-AS-1) 8 0 0 B 0 891 0
AS10474 (MWEB-10474,ZA) 9 0 30.29 kB 0 0 0
AS4837 (CHINA169-BACKBONE) 10 3 23.06 kB 0 0 107
AS2848 (MSU) 11 14 26.71 kB 0 0 0
AS9121 (TTNET) 12 0 21.72 kB 0 0 56
AS4766 (KIXS-AS-KR) 13 0 0 B 0 0 380
AS32244 (LIQUID-WEB-INC) 14 0 0 B 0 677 0
AS16322 (PARSONLINE) 15 0 20.41 kB 0 74 0
AS36351 (SOFTLAYER) 16 0 0 B 0 539 27
AS16276 (Unknown) 17 0 0 B 5 474 53
AS33182 (DIMENOC) 18 0 0 B 0 542 0
AS5713 (SAIX-NET,ZA) 19 0 18.69 kB 0 0 0
AS20115 (CHARTER-NET-HKY-NC) 20 63 16.46 kB 0 0 0