ASERT Security Intelligence

Summary: Following up on last week’s report describing Black Energy’s use in targeted attack campaigns against a variety of targets, including Industrial Control Systems, the malware, used by the Sandworm group, has been profiled by SecureList. New insight into the operations and targets of the threat is now available. In the retail threat world, the Backoff Point of Sale malware has evolved and now features additional obfuscation and other mechanisms that make analysis more time consuming. Social unrest can provide the context for oppression, including censorship, DDoS, targeted spying campaigns, and other types of attacks. Unrest in Hong Kong has provoked DDoS activity that has been linked to past APT campaigns. A vulnerability in the OSX operating system named "rootpipe" is generating media attention; it allows a local user to escalate privileges without entering a password. The Dridex infostealer malware continues to spread, using e-mail based delivery combined with social engineering to convince users to compromise themselves. Representatives from the financial sector, media, retail, and healthcare fields recently discussed the largest threats they are dealing with at the 2014 Privacy Xchange Forum.

Title: Social Unrest Increases Threat Activity in Hong Kong
Severity Level: Normal Severity
Published: Thu, 06 Nov 2014 17:35:39 +0000
Social unrest can provide the context for oppression, including censorship, DDoS, targeted spying campaigns, and other types of attacks. Unrest in Hong Kong has provoked DDoS activity that has been linked to past APT campaigns.

Title: Dridex Infostealer Malware Continues to Spread
Severity Level: Normal Severity
Published: Thu, 06 Nov 2014 17:35:39 +0000
The Dridex infostealer malware continues to spread, using e-mail based delivery combined with social engineering to convince users to compromise themselves.
Source: Dridex-laden spam emails targeting First World bank users

Title: Rootpipe Vulnerability in OSX Generates Attention
Severity Level: Normal Severity
Published: Thu, 06 Nov 2014 17:35:39 +0000
A vulnerability in the OSX operating system named "rootpipe" is generating media attention. The vulnerability allows a local user to escalate privileges without needing to enter a password.
Source: White-Hat Hacker Discovers Serious Vulnerability in OS X Yosemite

Title: Backoff Point of Sale Malware Evolves
Severity Level: Elevated Severity
Published: Thu, 06 Nov 2014 17:35:39 +0000
The Backoff Point of Sale malware threat has evolved and now features additional obfuscation and other mechanisms that make analysis more time consuming.
Source: Backoff Point of Sale Malware Evolves


IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussing the deprecation of IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion. (Although the Internet-Draft discusses deprecating the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets.)

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [ 1 ] [ 2 ] [ 3 ] ) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named after the mutex set by early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild, showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[Figure: ATLAS traffic data for Syria, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000

Top Attacks (past 24 hours)

Description                                            Attacks per subnet  Change from yesterday  CVE            Percentage
VNC network scanning activity                          702.97              +5.4 %                                76.7%
SSH brute-force login attempts                         29.97               +8.7 %                                3.3%
MYSQL brute-force login attempts                       25.26               -22.4 %                               2.8%
Microsoft Windows IIS Server Translate Header attempt  21.89               +0.5 %                 CVE-2000-0778  2.4%
 
Description                        Attacks per subnet  Change from yesterday  CVE            Percentage
php.cgi access                     0.98                +29.9 %                CVE-1999-0238  0.1%
RPC portmap mountd tcp request     11.02               +11.0 %                CVE-2006-0900  1.2%
RPC portmap mountd request TCP     11.02               +11.0 %                               1.2%
Top Scanned Services (past 24 hours)

Description            Traffic per subnet  Change from yesterday  Latest CVE     Percentage
TCP/5900               260.32 kB           +7.8 %                 CVE-2006-4309  22.2%
UDP/3395 (dyna-lm)     183.59 kB           +10.8 %                               15.7%
UDP/4614               101.41 kB           -12.3 %                               8.7%
UDP/53 (domain)        58.63 kB            +175.5 %               CVE-2008-1447  5.0%
UDP/5060 (sip)         39.05 kB            -91.0 %                CVE-2006-0189  3.3%
 
Description                 Traffic per subnet  Change from yesterday  Latest CVE     Percentage
UDP/0                       26.28 kB            +inf %                 CVE-1999-0675  2.2%
TCP/9001 (etlservicemgr)    13.73 kB            +inf %                                1.2%
TCP/1433 (ms-sql-s)         9.65 kB             +inf %                 CVE-2008-5416  0.8%
TCP/80 (http)               8.03 kB             +inf %                 CVE-2008-5457  0.7%
TCP/3128 (squid)            7.57 kB             +inf %                 CVE-2007-0247  0.6%
Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 35 29.92 kB 3 49470 3378
TR (Turkey) 2 0 15.81 kB 0 10527 607
NL (Netherlands) 3 634 278.44 kB 2 2190 281
FR (France) 4 4 5.10 kB 10 9857 348
IR (Iran) 5 1 223.97 kB 0 11 44
PL (Poland) 6 0 8.45 kB 0 6172 18
DE (Germany) 7 21 38.06 kB 1 3991 450
CA (Canada) 8 2 6.68 kB 0 5387 145
CN (China) 9 56 68.44 kB 1 1288 1300
GB (Great Britain) 10 2 8.53 kB 1 3445 311
ZA (South Africa) 11 16 73.58 kB 0 1917 115
AU (Australia) 12 0 304.70 B 0 2869 430
CL (Chile) 13 0 112.88 B 0 3362 0
TC (Turks and Caicos Islands) 14 0 0 B 0 3332 0
BR (Brazil) 15 19 7.36 kB 0 1820 636
HK (Hong Kong) 16 0 151.26 B 0 3180 22
KR (South Korea) 17 1 2.47 kB 1 435 1260
RU (Russian Federation) 18 5 39.85 kB 0 1209 236
IT (Italy) 19 2 1.93 kB 0 2375 43
VG (VG) 20 0 0 B 0 2504 0
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS29073 (Unknown) 1 632 275.90 kB 1 1032 0
AS16276 (Unknown) 2 0 0 B 5 7952 74
AS46606 (UNIFIEDLAYER-AS-1) 3 0 0 B 0 7757 0
AS42910 (SADECEHOSTING-COM) 4 0 0 B 0 6184 0
AS12824 (HOMEPL-AS) 5 0 0 B 0 5056 0
AS22933 (TCIGATEWAY) 6 0 0 B 0 3332 0
AS33182 (DIMENOC) 7 0 0 B 0 3307 0
AS46475 (LIMESTONENETWORKS) 8 0 0 B 0 3219 0
AS4134 (CHINANET-BACKBONE) 9 42 34.06 kB 1 938 585
AS7540 (HKCIX-AS-AP) 10 0 0 B 0 2765 0
AS40034 (CONFLUENCE-NETWORK-INC) 11 0 0 B 0 2504 0
AS12880 (Unknown) 12 0 80.43 kB 0 0 0
AS24940 (HETZNER-AS) 13 18 26.30 kB 0 1450 31
AS36351 (SOFTLAYER) 14 0 0 B 0 2201 35
AS26496 (AS-26496-GO-DADDY-COM-LLC) 15 0 0 B 0 2055 0
AS32392 (OPENTRANSFER-ECOMMERCE) 16 0 0 B 0 1961 0
AS14259 (Gtd) 17 0 0 B 0 1773 0
AS46549 (GVO) 18 0 0 B 0 1631 0
AS11042 (LANDIS-HOLDINGS-INC) 19 0 0 B 0 1600 0
AS33139 (Unknown) 20 0 0 B 0 1521 0