English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

0
 

Absolutely all of the latest versions of Microsoft Word and some versions of Internet Explorer maintain critical vulnerabilities enabling remote code execution. Today, Microsoft releases two critical patches to close multiple vulnerabilities with each. Two important updates are released to address a batch file handling issue and another RCE hole in Microsoft Publisher. All of these are addressed with MS14-017 through MS14-020.

Both end users of Microsoft Office software and system administrators of SharePoint portals, Microsoft Office Web Apps servers, and even Apple Office for Mac users need to download and install these patches: MS14-017 and MS14-018.

These sorts of Office vulnerabilities are commonly and frequently the delivery vector for targeted attack spearphishing campaigns. Red October, NetTraveler, and Icefog, all abused Office vulnerabilities in their spearphishing campaigns. There are many more of these groups, and they will continue to actively pursue potential victims, in part using exploits for Office applications.

On the brighter side, Microsoft is doing a fantastic job of consistent response and update delivery. Accordingly, their software, while it continues to be heavily used, does not continue to remain even in the top 10 vulnerable software applications that we see. Those spots still go to Oracle's Java, Adobe's Flash and Photoshop, Apple's Quicktime, WinRAR, WinAmp and other media players, and other apps that are frequently targeted by commodity exploit packs.

Follow me on Twitter

The Internet Explorer vulnerabilities do not hit all of the Microsoft platforms in the same manner as the Word vuln this month, although critical RCE is enabled by every version of unpatched Internet Explorer code on at least one version of every Microsoft Windows platform. So, Internet Explorer 6, which no one should be using, maintains critical RCE on the now unsupported Windows XP SP3 and XP Pro x64 SP2. IE 7, 8, 9 all maintain critical RCE as well. Internet Explorer 10 is not affected. IE 11 on Windows 7 and Windows 8.1 maintains critical RCE, but moderate severity on Windows Server 2008 and Windows 2012 R2. The Windows Update software will smoothly make sense of all of the versioning and patch needs for you when run. Nonetheless, there are serious issues here that exploit packs likely will attack with fresh exploit code.

Comment      Link
0.1
 

On November 5, Microsoft announced the discovery of a new vulnerability CVE-2013-3906 which can be exploited when TIFF images are processed. By exploiting this vulnerability it is possible to attack software – including Microsoft Office and Lync – that uses a vulnerable DLL for processing TIFF images. On the same day, there were reports that Microsoft had recorded attacks that exploit CVE-2013-3906.

Several malware samples became available to us that exploit CVE-2013-3906. We analyzed them in detail. All of them make use of heap spraying, recording their code to the address 0x08080808, and execute the code from that location. Exception generation and memory rewrite is performed in the vulnerable ogl.dll.


Fragment of WinDbg shellcode execution

The exploits that we had access to can be divided into two groups according to the shellcodes used in them.

0.6
 

The emergence of small groups of cyber-mercenaries available for hire to perform surgical hit and run operations.

The world of Advanced Persistent Threats (APTs) is well known. Skilled adversaries compromising high-profile victims and stealthily exfiltrating valuable data over the course of many years. Such teams sometimes count tens or even hundreds of people, going through terabytes or even petabytes of exfiltrated data.

Although there has been an increasing focus on attribution and pinpointing the sources of these attacks, not much is known about a new emerging trend: the smaller hit-and-run gangs that are going after the supply chain and compromising targets with surgical precision.

Since 2011 we have been tracking a series of attacks that we link to a threat actor called ‘Icefog’. We believe this is a relatively small group of attackers that are going after the supply chain -- targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan.

0.1
 

Last week, GReAT LatAm participated in the 3rd Latin American Security Analysts Summit, which took place in Cancun, Mexico.

0.4
 

Around one year ago I posted about what were the most common web attacks in Spain and how the malware was spread. It is time for an update!

We regularly collect data regarding infected web sites based in our detections on KSN. Apart from the general verdicts that I usually find in the top of the rank, there was another one in the top 3 for the last months that caught my eye: Trojan.JS.Iframe.aeq.

0.3
 

On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.

The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:

The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent) suggesting that they had been sent from German home computers.

0.5
 

This is the topic that cybercriminals are speculating about and using as a hook to infect victims. The campaign stems from malicious emails that are sent in bulk to victims:

0.7
 

Just a quick note, it's only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.

Follow me on Twitter

As for Kaspersky users, our automatic exploit prevention (AEP) is generically preventing the 0day. Surprisingly, while there doesn't appear to be a high level of server-side polymorphic obfuscation in the class files themselves, the hosted exploit files are being updated and changing since yesterday. Instead, the Blackhole developers and operators put a lot of effort behind shifting domain names.

Update (2012.01.10 3:30 p.m. MT) - Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422.

0.1
 

The folks at the Microsoft Security Response Center are winding down 2012 with another full release of seven Security Bulletins containing fixes for memory corruption on application, server, and system code along with a Certificate Bypass problem and set of fixes for Oracle Outside In software components. Within the seven Bulletins, they are patching at least 11 vulnerabilities, accurately described in the Advanced notification for this month. The MSRC recommends that their Internet Explorer (MS12-077) and Microsoft Word (MS12-079) updates are addressed asap.

The December 2012 Microsoft Security Bulletin Release fixes a varying array of versions of software and platforms per Bulletin. For consumers, that mostly means ensuring that the Microsoft Update software is enabled, run, and selected patches applied. For the vast majority of Windows customers, this month's release also requires that customers reboot their systems following the updates - the Internet Explorer, the kernel level font parsing updates and the file handling updates all require a reboot and hotpatching is not supported. The lack of hotpatch support means that the fix is not enabled on the system until it is rebooted. For IT folks in large and small organizations, this month's Release also requires some time set aside to understand whether or not your organization is running the versions of software requiring patches and accordingly address your environment.

The Microsoft Internet Explorer code maintains three different use-after-free vulnerabilities that are being patched this month. This "use-after-free" category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe, and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark. At least one of these Internet Explorer vulnerabilities is likely to have exploit code developed against it.

As a vector of delivery for spearphish attacks, Microsoft Office seems to me to be the most popular target in the second half of the year. CVE-2012-0158 and CVE-2010-3333 continue to be identified in malicious attachments (both malicious Word and Excel files) in targeted attacks across the globe, while Adobe Reader and Flash, which were heavily abused, almost have fallen off the map. I don't know if this coincides with the release and distribution of the newly armored Adobe Reader X software and more sandboxing for Flash, or simply that offensive security investment in late summer had been directed toward producing toolkits that pump out the Office exploits we are seeing now. Either way, be sure to patch this Word flaw CVE-2012-2539 asap.

Follow me on Twitter

Unfortunately, we have seen kernel level exploits bundled into mass-exploitation kits like Blackhole. The Duqu exploit, previously used in very targeted attacks throughout the middle east, is being re-used in this manner. And MS12-078 this month patches kernel mode RCE for OpenType and TrueType font parsing flaws. The recent mass-exploitation activity increases and interest in kernel level font parsing vulnerabilities coincides with the open source github release of Microsoft font fuzzing tools and projects.

More of the Oracle Outside In code is being updated this month with a pile of publicly known critical vulnerabilities being patched much like in August of this year. Critical and Important Microsoft Exchange, DirectPlay, and IPHTTPS components are also being patched this month.

Also following up the annnouncement of the Microsoft software update release, Microsoft announced the availability of security updates for Adobe Flash that effect Internet Explorer users, among others. The flaws include a RCE buffer overflow vulnerability (CVE-2012-5676), RCE integer overflow vulnerability (CVE-2012-5677), and memory corruption vulnerability (CVE-2012-5678). For my production workstations and mobile devices, I've got multiple web browsers, and each one uses a different implementation of Flash. In my case, on my production systems, I visit this page with each browser to determine whether or not I have the lastest version of Flash. Android systems are effected too, and you can find more information at Adobe's APSB12-27. Perhaps we will see a resurgence of Flash exploitation over the next few weeks and into the New Year.

Comment      Link
0.4
 

In information security, talk about botnets equals talk about malicious actions that materialize through criminal action. In essence, we think there is always a hostile attitude on the part of those who administer them. Please correct me colleagues, refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.

So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.