Dashboard Global

ASERT Security Intelligence

Summary: A Secret Service bulletin released this week has stated that over 1,000 companies have been infected by the Backoff Point-of-Sale malware. Payment systems continue to be targeted, and organizations must be aware that targeted attack campaigns will leverage multiple tools and tactics to steal financial data. Sony's PlayStation Network was hit with a DDoS attack over the weekend. The situation escalated when the hacker group Lizard Squad made a bomb threat, causing a Sony executive's plane to be rerouted and investigated. Online gaming services continue to be a popular target for DDoS attacks aimed at both individual gamers and the gaming companies' networks. Vulnerabilities reported this week include an open backdoor present in nearly all Netcore routers, which are popular in China. Access to a router could allow a remote attacker to configure settings for man-in-the-middle attacks. NIST has also published a report detailing common vulnerabilities in Secure Shell, the cryptographic network protocol, and mitigations to make SSH more secure. Cybercriminals are becoming more skilled with malvertising campaigns: in a recent attack, criminals used ad bidding platforms to pose as legitimate advertisers and deliver malicious ads to websites like Java.com and TMZ.com.

Title: Sony Hit with DDoS Attack, Bomb Threat
Severity Level: Normal Severity
Published: Thu, 28 Aug 2014 18:45:51 +0000
Over the weekend Sony was hit by a DDoS attack, forcing the company to take its online gaming platform offline temporarily.

Title: Malvertising Campaign Affected Java.com, Other Popular Websites
Severity Level: Normal Severity
Published: Thu, 28 Aug 2014 18:45:51 +0000
A recent malvertising campaign affected several popular websites and redirected visitors to exploit kits such as the Angler EK. The criminals, posing as legitimate advertisers, took advantage of real-time bidding platforms used by advertising solutions in order to target potential victims.

Title: Secure Shell: Common Vulnerabilities and Mitigations
Severity Level: Elevated Severity
Published: Thu, 28 Aug 2014 18:45:51 +0000
NIST has released a report enumerating common Secure Shell (SSH) weaknesses and suggested guidelines.

Title: Netcore Routers Contain Open Backdoor Vulnerability
Severity Level: High Severity
Published: Thu, 28 Aug 2014 18:45:51 +0000
Nearly all routers from Chinese manufacturer Netcore contain an open UDP port listening at port 53413, accessible from the WAN side of the router. Routers with an externally accessible IP address therefore have an open backdoor that can be accessed using a hardcoded password in the router's firmware.


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion. (Although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets.)

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as the ATLAS data below highlights.

[Image: ATLAS traffic graph for Syria, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


01 Top Attacks (past 24 hours)

Description                                            Attacks per subnet   Change from yesterday   CVE             Percentage
VNC network scanning activity                          240.34               -29.6 %                                 37.2%
SSH brute-force login attempts                         81.82                +2.8 %                                  12.7%
Microsoft Windows IIS Server Translate Header attempt  76.18                +7.9 %                  CVE-2000-0778   11.8%
DNS named version attempt                              60.61                -1.0 %                                  9.4%
MYSQL brute-force login attempts                       56.86                -32.1 %                                 8.8%

Description                                                   Attacks per subnet   Change from yesterday   CVE             Percentage
RPC portmap mountd request TCP                                0.28                 +100.0 %                                0.0%
RPC portmap mountd tcp request                                0.28                 +100.0 %                CVE-2006-0900   0.0%
WEB-MISC Poison Null Byte                                     4.44                 +16.4 %                 CVE-2006-4542   0.7%
EXPLOIT Solaris telnet USER environment vuln Attack inbound   1.27                 +8.7 %                                  0.2%
EXPLOIT Solaris telnet USER environment vuln Attack outbound  1.27                 +8.7 %                                  0.2%
 
02 Top Scanned Services (past 24 hours)

Description                 Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/5060 (sip)              184.65 kB            -9.8 %                  CVE-2006-0189   16.0%
ICMP/8                      142.21 kB            -11.1 %                                 12.3%
TCP/23 (telnet)             114.89 kB            -5.6 %                  CVE-2007-0956   9.9%
UDP/514 (syslog)            86.79 kB             -9.9 %                                  7.5%
TCP/5900                    85.81 kB             -23.1 %                 CVE-2006-4309   7.4%

Description                 Traffic per subnet   Change from yesterday   Latest CVE      Percentage
TCP/49152                   40.66 kB             +inf %                                  3.5%
TCP/80 (http)               16.53 kB             +inf %                  CVE-2008-5457   1.4%
TCP/8080 (webcache)         16.01 kB             +inf %                  CVE-2007-5461   1.4%
TCP/3389 (ms-wbt-server)    30.34 kB             +42.7 %                 CVE-2005-1218   2.6%
TCP/135 (epmap)             22.23 kB             +12.0 %                 CVE-2007-2446   1.9%
 
03 Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 70 199.42 kB 217 78235 4221
DE (Germany) 2 1 61.44 kB 99 25632 650
CA (Canada) 3 14 18.08 kB 38 26244 205
CN (China) 4 202 258.18 kB 5 7547 769
TR (Turkey) 5 0 24.88 kB 11 8609 399
FR (France) 6 0 10.93 kB 43 9322 141
GB (Great Britain) 7 1 2.52 kB 39 8963 420
NL (Netherlands) 8 19 46.53 kB 39 4735 297
RU (Russian Federation) 9 40 56.36 kB 45 3914 150
ZA (South Africa) 10 44 163.35 kB 2 918 0
PL (Poland) 11 0 3.81 kB 6 5155 18
IT (Italy) 12 0 833.55 B 14 4316 116
AU (Australia) 13 0 2.24 kB 7 3450 320
BR (Brazil) 14 5 9.24 kB 0 2628 515
KR (South Korea) 15 6 7.28 kB 6 1535 1038
UA (Ukraine) 16 2 6.35 kB 5 3234 99
RO (Romania) 17 1 2.23 kB 1 3384 19
MY (Malaysia) 18 1 2.50 kB 0 1821 733
CL (Chile) 19 10 3.90 kB 4 2894 29
EU (European Union) 20 7 1.58 kB 7 2554 21
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS15169 (GOOGLE) 1 0 0 B 0 16700 264
AS24940 (HETZNER-AS) 2 0 0 B 31 13436 24
AS20676 (QSC-1) 3 0 10.90 kB 0 7746 0
AS4134 (CHINANET-BACKBONE) 4 148 130.57 kB 2 2873 255
AS46606 (UNIFIEDLAYER-AS-1) 5 0 0 B 0 6682 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 6 0 0 B 0 4005 0
AS16276 (OVH) 7 0 2.34 kB 50 3674 66
AS26347 (DREAMHOST-AS) 8 0 0 B 0 3744 0
AS36351 (SOFTLAYER) 9 0 0 B 5 3377 43
AS36024 (COLO4-CO) 10 0 0 B 0 3123 0
AS47583 (HOSTINGER-AS) 11 0 0 B 0 3106 0
AS3741 (IS,ZA) 12 43 104.35 kB 0 0 0
AS12322 (PROXAD) 13 0 5.18 kB 8 2724 0
AS53665 (BODIS-1) 14 0 0 B 0 2595 0
AS16509 (AMAZON-02) 15 0 0 B 9 2435 63
AS12824 (HOMEPL-AS) 16 0 0 B 0 2342 0
AS4837 (CHINA169-BACKBONE) 17 7 45.50 kB 0 855 90
AS13768 (PEER1) 18 0 0 B 0 2209 20
AS17054 (AS17054) 19 0 0 B 0 2170 0
AS8972 (PLUSSERVER-AS) 20 0 47.63 kB 10 676 42