Exploit This

Security News, Exploits, and Vulnerabilities.

How exploit packs are concealed in a Flash object

The main role in performing a hidden attack is played by exploits to software vulnerabilities that can be used to secretly download malicious code on the victim machine. Recently, we have come across a new technique used to hide exploit-based attacks: fraudsters packed the exploit pack in the Flash file.

The CozyDuke APT

CozyDuke (aka CozyBear, CozyCar or “Office Monkeys”) is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular… Read Full Article

Taking Down Fraud Sites is Whac-a-Mole

I’ve been doing quite a bit of public speaking lately — usually about cybercrime and underground activity — and there’s one question that nearly always comes from the audience: “Why are these fraud Web sites allowed to operate, and not simply taken down?” This post is intended to serve as the go-to spot for answering […]

POS Providers Feel Brunt of PoSeidon Malware

“PoSeidon,” a new strain of malicious software designed to steal credit and debit card data from hacked point-of-sale (POS) devices, has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.

TA15-105A: Simda Botnet

Original release date: April 15, 2015

Systems Affected

Microsoft Windows

Overview

The Simda botnet – a network of computers infected with self-propagating malware – has compromised more than 770,000 computers worldwide [1].

The United States Department of Homeland Security (DHS), in collaboration with Interpol and the Federal Bureau of Investigation (FBI), has released this Technical Alert to provide further information about the Simda botnet, along with prevention and mitigation recommendations.

Description

Since 2009, cyber criminals have been targeting computers with unpatched software and compromising them with Simda malware [2]. This malware may re-route a user’s Internet traffic to websites under criminal control or can be used to install additional malware. 

The malicious actors control the network of compromised systems (botnet) through backdoors, giving them remote access to carry out additional attacks or to “sell” control of the botnet to other criminals [1]. The backdoors also morph their presence every few hours, allowing low anti-virus detection rates and the means for stealthy operation [3].    

Impact

A system infected with Simda may allow cyber criminals to harvest user credentials, including banking information; install additional malware; or cause other malicious attacks. The breadth of infected systems allows Simda operators flexibility to load custom features tailored to individual targets.

Solution

Users are recommended to take the following actions to remediate Simda infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of Simda from your system.

          Kaspersky Lab : http://www.kaspersky.com/security-scan

          Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx

          Trend Micro: http://housecall.trendmicro.com/

  • Check to see if your system is infected – The link below offers a simplified check for beginners and a manual check for experts.

          Cyber Defense Institute:  http://www.cyberdefense.jp/simda/

The above are examples only and do not constitute an exhaustive list. The U.S. government does not endorse or support any particular product or vendor.

References

Revision History

  • April 15, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

The Chronicles of the Hellsing APT: the Empire Strikes Back

One of the most active APT groups in Asia, and especially around the South China Sea area is “Naikon”. Naikon plays a key part in our story, but the focus of this report is on another threat actor entirely; one who came to our attention when they hit back at a Naikon attack.

Critical Updates for Windows, Flash, Java

Get your patch chops on people, because chances are you’re running software from Microsoft, Adobe or Oracle that received critical security updates today. Adobe released a Flash Player update to fix at least 22 flaws, including one flaw that is being actively exploited. Microsoft pushed out 11 update bundles to fix more than two dozen bugs in Windows and associated software, including one that was publicly disclosed this month. And Oracle has an update for its Java software that addresses at least 15 flaws, all of which are exploitable remotely without any authentication.

Microsoft Security Updates April 2015

Microsoft releases 11 Security Bulletins (MS15-032 through MS15-042) today, addressing a list of over 25 CVE-identified vulnerabilities for April of 2015. Critical vulnerabilities are fixed in Internet Explorer, Microsoft Office, and the network and graphics stacks. Most of the critical remote… Read Full Article

Your Tax Refund with a Data Kidnapping Twist!

Knowing that many are on the lookout for emails from the Internal Revenue Service concerning pending refunds, criminals have crafted some of their own.

TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information

Original release date: April 13, 2015

Systems Affected

Misconfigured Domain Name System (DNS) servers that respond to global Asynchronous Transfer Full Range (AXFR) requests.

Overview

A remote unauthenticated user may request a DNS zone transfer from a public-facing DNS server. If improperly configured, the DNS server may respond with information about the requested zone, revealing internal network structure and potentially sensitive information.

Description

AXFR is a protocol for “zone transfers” for replication of DNS data across multiple DNS servers. Unlike normal DNS queries that require the user to know some DNS information ahead of time, AXFR queries reveal subdomain names [1]. Because a zone transfer is a single query, it could be used by an adversary to efficiently obtain DNS data.  

A well-known problem with DNS is that zone transfer requests can disclose domain information; for example, see CVE-1999-0532 and a 2002 CERT/CC white paper [2][3]. However, the issue has regained attention due to recent Internet scans still showing a large number of misconfigured DNS servers. Open-source, tested scripts are now available to scan for the possible exposure, increasing the likelihood of exploitation [4].

Impact

A remote unauthenticated user may observe internal network structure, learning information useful for other directed attacks.

Solution

Configure your DNS server to respond only to zone transfer (AXFR) requests from known IP addresses. Many open-source resources give instructions on reconfiguring your DNS server. For example, see this AXFR article for information on testing and fixing the configuration of a BIND DNS server. US-CERT does not endorse or support any particular product or vendor.

References

Revision History

  • April 13, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

%d bloggers like this: