Dashboard Global

ASERT Security Intelligence

Summary: Zero-day exploit code, used by nation-state threat actors, hoarded by governments and researchers, and sold to the highest bidders in the gray and black markets, is always a concern to organizations seeking to protect themselves. Security researcher kafeine discovered that a zero-day exploit in Adobe Flash is being leveraged by threat actors wielding the Angler exploit kit to drop the Bedep ad-fraud malware on vulnerable hosts. Additionally, zero-day exploit code is rumored to have been used in the recent devastating compromise experienced by Sony, although details are not yet available.

Robust attack surface reduction, hardening of exposed surfaces, and vigorous host and network monitoring are suggested in order to reduce the likelihood and longevity of compromise scenarios. Such hardening is useful against many types of threats, including Point of Sale attacks that leverage vulnerable remote access mechanisms. Point of Sale malware continues to be widely deployed by the criminal underground, which has found the method quite lucrative. Hardening and attack surface reduction also include applying patches to mission-critical applications such as those provided by Oracle infrastructure. Oracle has released its Critical Patch Update (CPU) covering 160 security holes, 93 of which allow for potential unauthenticated remote exploitation.

Once attackers are inside a Windows-based network, tools such as mimikatz are often leveraged to gain access to various types of credentials. The Skeleton Key malware, discussed in last week's threat brief, has now been integrated into mimikatz, providing both auditors and attackers a powerful tool for internal network and host compromise.

Financial malware, such as banking trojans, continues to be popular in the underground and continues to deliver a return on investment to underground threat actors. The Dyreza banking trojan continues to evolve to evade detection and provide new features to its users. Organizations that must protect financial accounts should be well aware of the evolution of this threat.

Title: Angler Exploit Kit Abuses Flash 0day
Severity Level: Normal Severity
Published: Thu, 22 Jan 2015 22:03:04 +0000
The Angler exploit kit is now using a 0day vulnerability in Adobe Flash to spread its malicious payloads. Recently observed payloads include the ad-fraud trojan known as Bedep.
Source: Exploit for Flash Zero Day Appears in Angler Exploit Kit

Title: Oracle Critical Patch Update Resolves 160 Security Holes
Severity Level: Elevated Severity
Published: Thu, 22 Jan 2015 22:03:04 +0000
Oracle has released its Critical Patch Update (CPU) for January 2015, resolving 160 security holes. Of the 160, 93 are considered remotely exploitable [https://nakedsecurity.sophos.com/2015/01/21/big-back-of-fixes-oracles-critical-patches-jan-2015/]. One vulnerability discovered by a security researcher has been likened to an unintentional backdoor [http://threatpost.com/oracle-patches-backdoor-vulnerability-recommends-disabling-ssl/110555], and details on several of the bugs are published at [http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf].
Source: Big bag of fixes: Oracle's Critical Patches for Jan 2015 close 160 holes, 93 remotely exploitable

Title: PoS Malware Threat Summary
Severity Level: Normal Severity
Published: Thu, 22 Jan 2015 22:03:04 +0000
Point of Sale threats proliferated heavily in 2014. Trend Micro offers a concise summary of the threat landscape [http://blog.trendmicro.com/trendlabs-security-intelligence/looking-back-and-forward-at-pos-malware/].
Source: Looking Back (and Forward) at PoS Malware

Title: Skeleton Key Attack Integrated into Mimikatz Audit Tool
Severity Level: Normal Severity
Published: Thu, 22 Jan 2015 22:03:04 +0000
The Skeleton Key vulnerability reported on last week has been integrated into the Mimikatz password/credential auditing toolkit. While positioned as a legitimate tool for security auditors, mimikatz is "dual use" (like many other assessment tools) and has been leveraged by malicious threat actors on many occasions. The presence of this toolkit is a clear cause for alarm unless it is part of an authorized assessment.
Source: Benjamin Delpy on Twitter: "Skeleton Key is now in #mimikatz (for *tes ...

IETF Discusses Deprecating IPv6 Fragments

The IETF IPv6 maintenance working group has begun discussions about deprecating IPv6 fragmented packets, spurred by the IETF Internet-Draft “IPv6 Fragment Header Deprecated”. As one can guess, this draft has generated a lot of discussion (although the Internet-Draft discusses deprecation of the IPv6 fragment header, deprecating the header would effectively deprecate IPv6 fragmented packets).

As I noted in an earlier posting here, fragments in IPv6 can create havoc in networks from an operational and a security perspective, [...]
Wed, 10 Jul 2013 15:55:39 +0000

DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [1] [2] [3]) that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands [...]
Wed, 19 Jun 2013 15:44:26 +0000

The Revolution Will Be Written in Delphi

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Rev   MD5                               C&C URL                               C&C IP
1     06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php   91.105.232.105
2     c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php    91.204.122.100
2.5   7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php   93.170.130.112
3     eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php    91.204.122.100

The programming language used is [...]
Tue, 21 May 2013 17:57:06 +0000

Syria goes dark, once more

Last week, Syria was taken offline, as our ATLAS data showcased very clearly.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

[ATLAS traffic graph: Syria, 15 May 2013]

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.


Wed, 15 May 2013 14:58:50 +0000

Syria taken offline

ATLAS is Arbor Networks' innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing [...]
Wed, 08 May 2013 11:07:38 +0000

Top Attacks (past 24 hours)

Description                        Attacks per subnet  Change from yesterday  CVE            Percentage
VNC network scanning activity      382.09              +6.4 %                                66.9%
SSH brute-force login attempts     44.59               +15.5 %                               7.8%
MYSQL brute-force login attempts   24.97               -8.3 %                                4.4%
ntpdx overflow attempt             22.25               +3.7 %                 CVE-2001-0414  3.9%
SNMP MS Windows getbulk request    14.23               +1504.8 %              CVE-2006-5583  2.5%

Description                        Attacks per subnet  Change from yesterday  CVE            Percentage
SNMP MS Windows getbulk request    14.23               +1504.8 %              CVE-2006-5583  2.5%
DNS named version attempt          13.50               +50.5 %                               2.4%
Outbound Teredo traffic detected   7.94                +33.5 %                CVE-2007-3038  1.4%
SSH brute-force login attempts     44.59               +15.5 %                               7.8%
 
Top Scanned Services (past 24 hours)

Description             Traffic per subnet  Change from yesterday  Latest CVE     Percentage
UDP/1485 (lansource)    2.30 MB             +inf %                                62.7%
UDP/5060 (sip)          374.37 kB           -6.7 %                 CVE-2006-0189  10.2%
TCP/23 (telnet)         215.10 kB           -25.6 %                CVE-2007-0956  5.9%
TCP/5900                87.85 kB            +8.9 %                 CVE-2006-4309  2.4%
ICMP/8                  67.56 kB            +10.8 %                               1.8%

Description             Traffic per subnet  Change from yesterday  Latest CVE     Percentage
UDP/1485 (lansource)    2.30 MB             +inf %                                62.7%
TCP/9064                10.91 kB            +inf %                                0.3%
TCP/110 (pop3)          10.44 kB            +inf %                 CVE-2004-2375  0.3%
UDP/161 (snmp)          9.50 kB             +inf %                 CVE-2007-5381  0.3%
UDP/123 (ntp)           36.06 kB            +45.9 %                CVE-2001-0414  1.0%
 
Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 158 2.40 MB 3 94825 2762
FR (France) 2 11 147.60 kB 10 17618 430
CN (China) 3 66 411.91 kB 1 5880 792
CA (Canada) 4 15 16.91 kB 0 17289 123
DE (Germany) 5 5 201.02 kB 1 8079 364
TR (Turkey) 6 0 1.44 kB 0 10474 300
GB (Great Britain) 7 98 61.95 kB 1 8469 311
CL (Chile) 8 0 335.72 B 0 9564 23
BR (Brazil) 9 1 2.43 kB 0 5559 429
IT (Italy) 10 1 5.85 kB 0 5870 169
RU (Russian Federation) 11 17 41.14 kB 0 4684 244
EU (European Union) 12 2 75.10 kB 0 3310 86
KR (South Korea) 13 43 22.42 kB 1 1303 1644
NL (Netherlands) 14 23 46.48 kB 2 2804 377
HK (Hong Kong) 15 0 2.70 kB 0 4613 58
RO (Romania) 16 0 6.33 kB 0 3982 82
AU (Australia) 17 0 440.34 B 0 3876 200
PL (Poland) 18 6 11.41 kB 0 3393 66
ID (Indonesia) 19 0 176.32 B 0 3807 0
SE (Sweden) 20 0 1.04 kB 0 3012 219
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS23454 (AKAMAI-AS) 1 0 1.08 MB 0 0 0
AS18717 (AKAMAI-AS) 2 0 692.98 kB 0 0 0
AS26496 (AS-26496-GO-DADDY-COM-LLC) 3 0 0 B 0 12258 0
AS4134 (CHINANET-BACKBONE) 4 37 151.93 kB 1 4753 180
AS24319 (AKAMAI-TYO-AP) 5 0 317.56 kB 0 0 0
AS14259 (Gtd) 6 0 0 B 0 8097 0
AS16276 (OVH) 7 0 0 B 5 7492 129
AS33182 (DIMENOC) 8 0 0 B 0 6955 0
AS36351 (SOFTLAYER) 9 0 0 B 0 6753 73
AS12322 (PROXAD) 10 1 137.17 kB 6 2197 0
AS4837 (CHINA169-BACKBONE) 11 12 171.41 kB 0 535 114
AS46606 (UNIFIEDLAYER-AS-1) 12 0 2.21 kB 0 5532 0
AS17139 (CORPCOLO) 13 0 0 B 0 3755 0
AS16347 (RMI-FITECH) 14 0 0 B 0 3605 0
AS23455 (AKAMAI-AS) 15 0 122.91 kB 0 0 0
AS15169 (GOOGLE) 16 0 0 B 0 2853 216
AS8560 (ONEANDONE-AS) 17 1 101.76 kB 0 0 0
AS13768 (PEER1) 18 6 2.20 kB 0 2683 0
AS7540 (HKCIX-AS-AP) 19 0 0 B 0 2639 0
AS32244 (LIQUID-WEB-INC) 20 0 0 B 0 2628 0