Dashboard Global

ASERT Security Intelligence

Summary: The Lizard Squad attack group continues its activity, including ongoing DDoS attacks, commercial DDoS-for-hire services, and registrar compromises resulting in site redirection and e-mail interception. Despite past weaknesses in its own operational security, the group is capable of causing substantial damage. Some indicators suggest the group moved laterally once it had penetrated a publicly accessible web application. Lateral movement of this kind is commonly used by espionage-oriented and cybercriminal groups as well, as shown in the recently issued M-Trends report, which describes the evolution of attacker capabilities and provides an interesting case study. In other news, the PlugX malware, a staple of espionage-style attacks, continues to evolve, with new capabilities and indicators being published. Also in malware-related news, the Ramnit botnet has been taken down in a joint operation between the security industry and law enforcement, and indicators useful to incident response teams have been published. In vulnerability news, the Superfish adware has received a great deal of press for undermining HTTPS certificate validation on the systems where it is installed. Organizations are encouraged to mitigate these threats as soon as possible.

Title: Superfish in Hot Water as Security Threats Come to Light
Severity Level: Normal Severity
Published: Thu, 26 Feb 2015 18:54:47 +0000
The Superfish adware preinstalled on consumer-grade Lenovo notebooks injects ads into HTTPS sessions by adding its own root certificate to the system trust store and terminating TLS locally. Because that root is trusted by the system, any certificate chained to it is accepted as valid, so fraudulent certificates for arbitrary sites are treated as genuine and sessions that should be secure can be intercepted. Additional research published by the Electronic Frontier Foundation (EFF) [https://www.eff.org/deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted] reveals indicators that this vulnerable condition may have already been exploited.
Source: Researchers unearth evidence of Superfish-style attacks in the wild
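The mechanism behind the Superfish problem, as an added example (POSIX shell driving the openssl command line) that is not code from the ASERT page, Lenovo or Superfish: a self-signed root is created the way an interception product would ship one, a leaf certificate is forged for an arbitrary hostname, and the same leaf is validated against a trust bundle that contains the root and one that does not. The last function is the check a practitioner would run against an exported root store to find such a CA. The CA name "Demo Interceptor CA", the second "Demo Public CA", the hostname and all file names are constructed for the demo; the only tool assumed is the openssl binary.

```shell
#!/bin/sh
# Added example, not code from the ASERT page, Lenovo or Superfish: shows why an
# adware-installed root CA breaks HTTPS and how to check a PEM trust bundle for
# such a CA. All names below are constructed for the demo; openssl CLI assumed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root of the kind the adware drops into the trust store. Here the
# private key is generated fresh; in the real case it ships with the software,
# so everyone who has the software also has the key.
make_root_ca() {
    # $1 = output basename, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Mint a leaf certificate for ANY hostname, signed by the chosen root.
# No domain validation happens: whoever holds the root key decides.
forge_leaf() {
    # $1 = root basename, $2 = hostname
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Validate a leaf against exactly one trust bundle (system store excluded) and
# report the outcome the way a client's certificate check would.
verify_with_bundle() {
    # $1 = bundle PEM, $2 = leaf PEM; prints "accepted" or "rejected"
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Count certificates in a PEM bundle whose subject matches a pattern: the
# check to run against a machine's exported root store.
count_roots_matching() {
    # $1 = bundle PEM, $2 = grep pattern; prints the count (0 if none)
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
        | openssl pkcs7 -print_certs -noout 2>/dev/null \
        | grep -c "^subject=.*$2" || true
}

# --- demo ---
make_root_ca interceptor "Demo Interceptor CA"
make_root_ca legit "Demo Public CA"
forge_leaf interceptor www.example.com
echo "trust store WITH the interceptor root: $(verify_with_bundle "$WORK/interceptor.pem" "$WORK/leaf.pem")"
echo "trust store WITHOUT it:               $(verify_with_bundle "$WORK/legit.pem" "$WORK/leaf.pem")"
cat "$WORK/interceptor.pem" "$WORK/legit.pem" > "$WORK/roots.pem"
echo "interceptor roots found in bundle: $(count_roots_matching "$WORK/roots.pem" 'Demo Interceptor')"
```

The forged leaf is accepted only when the interceptor root is in the bundle; removing the root from every trust store the affected software touched (the browser's own store as well as the operating system's) is what closes the hole, not uninstalling the adware binary.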

Title: Lizard Squad Threat Group Continues DDoS and DNS Compromise Activity
Severity Level: Normal Severity
Published: Thu, 26 Feb 2015 18:54:47 +0000
Lizard Squad is a group involved in DDoS and other attacks that has referred to itself as a "cyber-terrorist" organization. The group, or someone claiming to be them, hijacked Google's Vietnamese site, www.google.com.vn, at the registrar level: by modifying records at the registrar webnic.cc they pointed the domain at web properties of their own choosing and displayed a defacement message [http://www.hotforsecurity.com/blog/lizard-squad-disrupts-google-in-vietnam-to-promote-ddos-for-hire-service-11443.html]. The group has also been tied to a variety of other alleged compromises and DDoS attacks in recent weeks. A high-profile compromise of lenovo.com appears to have used the same attack methodology, and indicators posted by Lizard Squad suggest that e-mail for lenovo.com was intercepted as well [https://twitter.com/LizardCircle/status/570702950038970368/photo/1]; control of a domain's delegation at the registrar gives the attacker control of its mail routing (MX) as well as its web traffic. Both domains have been returned to their proper owners, and the registrar is apparently dealing with the incident; its site is currently offline [http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/].
Source: Lizard Squad uses Google to sell DDoS services | HOTforSecurity
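One check that catches the registrar-level redirection described above, as an added example (POSIX shell) that is not part of the ASERT page or any Lizard Squad reporting: a baseline of the domain's expected NS, MX and A answers is recorded, the live answers are compared against it, and any record type that drifted is reported. A registrar hijack changes the delegation, so all three usually move together. The domain, addresses and attacker hostnames are constructed demo values; the live resolver assumed is `dig +short`, wrapped in a function so the demo runs offline.

```shell
#!/bin/sh
# Added example, not from the ASERT page or any Lizard Squad reporting: a small
# DNS/registrar hijack watch. Domain, addresses and attacker names are
# constructed; "dig +short" is the assumed live resolver, injectable for testing.

# Live lookup. Redefine this function to inject data (done in the demo below).
resolve() {
    # $1 = record type, $2 = domain
    dig +short "$1" "$2"
}

# Make answer sets comparable: lowercase, trim, drop blanks, sort, join with commas.
normalize_answers() {
    tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]*$//' -e '/^$/d' | sort | paste -s -d, -
}

# check_drift DOMAIN BASELINE_FILE
# BASELINE_FILE holds one "TYPE value" line per expected answer, e.g.
#   NS ns1.example.net.
#   MX 10 mail.example.com.
# Prints one line per drifted type; returns 1 if anything drifted, else 0.
check_drift() {
    domain=$1; baseline=$2; drifted=0
    for rtype in NS MX A; do
        expected=$(awk -v t="$rtype" '$1 == t { $1 = ""; sub(/^ /, ""); print }' "$baseline" | normalize_answers)
        observed=$(resolve "$rtype" "$domain" | normalize_answers)
        if [ "$expected" != "$observed" ]; then
            echo "$rtype drift on $domain: expected=[$expected] observed=[$observed]"
            drifted=1
        fi
    done
    return $drifted
}

# --- demo with constructed data ---
BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
NS ns1.example.net.
NS ns2.example.net.
MX 10 mail.example.com.
A 203.0.113.10
EOF

# Normal day: resolver returns the recorded values (different order is fine).
resolve() {
    case $1 in
        NS) printf 'ns2.example.net.\nns1.example.net.\n' ;;
        MX) printf '10 mail.example.com.\n' ;;
        A)  printf '203.0.113.10\n' ;;
    esac
}
check_drift example.com "$BASELINE" && echo "no drift"

# Registrar hijack: delegation, web and mail all point somewhere else.
resolve() {
    case $1 in
        NS) printf 'ns1.attacker.example.\nns2.attacker.example.\n' ;;
        MX) printf '10 mx.attacker.example.\n' ;;
        A)  printf '198.51.100.77\n' ;;
    esac
}
check_drift example.com "$BASELINE" || echo "ALERT: delegation changed; check registrar account and MX"
rm -f "$BASELINE"
```

Run it from cron against the real resolver (the default `resolve`) and query an external resolver rather than one inside the network, since the point is to see what the rest of the Internet sees; an NS change that the registrar account holder did not make is the signal to lock the account and rotate its credentials.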

Title: Incident Response Report Reveals Evolving Attacker TTPs
Severity Level: Normal Severity
Published: Thu, 26 Feb 2015 18:54:47 +0000
A prominent security forensics/incident response organization has released its M-Trends report [https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf], which details emerging trends in attacker Tactics, Techniques and Procedures (TTPs) and provides meaningful insight into the threat landscape.
Source: Attackers Increase Use of PowerShell, WMI to Evade Detection: Mandiant ...

Title: PlugX Malware Threat Continues to Evolve
Severity Level: Normal Severity
Published: Thu, 26 Feb 2015 18:54:47 +0000
PlugX has recently evolved to hide its payload in the Windows registry rather than in a file on disk, and has been observed in campaigns targeting various countries including India [https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/plugx-goes-to-the-registry-and-india.pdf].
Source: From the Labs: more advances in Advanced Persistent Threats


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussing the deprecation of IPv6 fragmented packets, spurred by the Internet-Draft “IPv6 Fragment Header Deprecated”. As one might guess, this draft has generated a lot of discussion (although the draft formally deprecates only the IPv6 fragment header, doing so would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [ 1 ] [ 2 ] [ 3 ] ) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[ATLAS traffic graph: Syria, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' Internet monitoring system. It is a collaborative effort with 250+ ISPs globally that have agreed to share anonymized traffic data on an hourly basis (via Arbor equipment deployed on their networks), combined with data from Arbor dark-address monitoring probes and third-party and other data feeds. In total, ATLAS sees 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is well positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000


Top Attacks (past 24 hours)

Description                                              Attacks per subnet   Change from yesterday   CVE             Percentage
VNC network scanning activity                            233.98               -12.1 %                                 59.5%
SSH brute-force login attempts                           59.81                +16.0 %                                 15.2%
MYSQL brute-force login attempts                         26.80                +73.7 %                                 6.8%
Outbound Teredo traffic detected                         16.58                +13.1 %                 CVE-2007-3038   4.2%
ping attempt                                             14.26                +6.9 %                                  3.6%

Description                                              Attacks per subnet   Change from yesterday   CVE             Percentage
Microsoft Windows ASN.1 Library buffer overflow attempt  0.70                 +100.0 %                CVE-2003-0818   0.2%
 
Top Scanned Services (past 24 hours)

Description               Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/5060 (sip)            543.40 kB            +10.4 %                 CVE-2006-0189   38.3%
TCP/5900                  172.51 kB            -1.6 %                  CVE-2006-4309   12.2%
TCP/23 (telnet)           96.76 kB             -0.5 %                  CVE-2007-0956   6.8%
TCP/8080 (webcache)       62.61 kB             -3.7 %                  CVE-2007-5461   4.4%
UDP/1900 (ssdp)           33.75 kB             -30.4 %                 CVE-2006-3687   2.4%

Description               Traffic per subnet   Change from yesterday   Latest CVE      Percentage
TCP/3389 (ms-wbt-server)  9.96 kB              +inf %                  CVE-2005-1218   0.7%
TCP/25 (smtp)             7.76 kB              +inf %                  CVE-2008-0394   0.5%
TCP/9064                  17.70 kB             +29.6 %                                 1.2%
TCP/1433 (ms-sql-s)       11.05 kB             +23.7 %                 CVE-2008-5416   0.8%
TCP/445 (microsoft-ds)    14.65 kB             +18.0 %                 CVE-2009-3103   1.0%
 
Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 41 123.81 kB 3 110392 2087
CA (Canada) 2 14 51.64 kB 0 30241 116
FR (France) 3 5 226.04 kB 10 19411 315
DE (Germany) 4 6 134.72 kB 1 19091 356
CN (China) 5 63 250.25 kB 1 5800 784
GB (Great Britain) 6 79 36.94 kB 1 12913 124
TR (Turkey) 7 0 2.49 kB 0 12084 171
CL (Chile) 8 0 334.67 B 0 10733 23
IT (Italy) 9 0 4.48 kB 0 8161 73
RO (Romania) 10 5 5.43 kB 0 7115 76
RU (Russian Federation) 11 2 12.09 kB 0 5948 153
NL (Netherlands) 12 13 88.43 kB 2 3223 416
PL (Poland) 13 0 19.51 kB 0 5757 43
KR (South Korea) 14 58 28.51 kB 1 1747 1416
BR (Brazil) 15 0 4.59 kB 0 4005 402
ID (Indonesia) 16 0 422.08 B 0 4746 22
EU (European Union) 17 1 2.21 kB 0 4454 57
MY (Malaysia) 18 4 2.52 kB 0 2332 636
AU (Australia) 19 0 2.01 kB 0 3333 101
AT (Austria) 20 0 535.83 B 0 3156 24
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS26496 (AS-26496-GO-DADDY-COM-LLC) 1 0 0 B 0 15243 0
AS24940 (HETZNER-AS) 2 0 728.36 B 0 12548 44
AS15169 (GOOGLE) 3 7 0 B 0 11829 107
AS12322 (PROXAD) 4 4 202.06 kB 6 4158 0
AS16276 (OVH) 5 0 6.57 kB 5 8724 56
AS14259 (Gtd) 6 0 0 B 0 8407 0
AS46606 (UNIFIEDLAYER-AS-1) 7 0 0 B 0 7275 0
AS33182 (DIMENOC) 8 0 0 B 0 7271 0
AS12670 (AS-COMPLETEL) 9 0 0 B 0 5427 0
AS4134 (CHINANET-BACKBONE) 10 23 95.46 kB 1 1785 180
AS17054 (AS17054) 11 0 0 B 0 3819 0
AS17139 (CORPCOLO) 12 0 0 B 0 3416 0
AS31034 (ARUBA-ASN) 13 0 0 B 0 3382 0
AS51559 (NETINTERNET) 14 0 0 B 0 3349 0
AS4837 (CHINA169-BACKBONE) 15 12 64.57 kB 0 1346 80
AS13768 (PEER1) 16 0 0 B 0 3220 0
AS32244 (LIQUID-WEB-INC) 17 0 0 B 0 3113 0
AS36351 (SOFTLAYER) 18 0 0 B 0 2884 37
AS11042 (LANDIS-HOLDINGS-INC) 19 0 0 B 0 2837 0
AS29550 (SIMPLYTRANSIT) 20 0 0 B 0 2764 0