Tag Archives: zero day

Uroburos APT- WSWiR Episode 97

SOHO Pharming, Trio of Data Breaches, and Russian APT

I still remember ten years ago, when I used to wish more people would realize the dangers of the Internet and the sad state of cyber security. Back then, it seemed like I had to work to convince someone that there was any computer security problem at all. Boy has that changed… Now I feel overwhelmed by the amount of information security news that breaks each week. If you’re interested in computer security news, but feel overwhelmed yourself, let my short video summarize the important news for you.

Today’s episode covers a SOHO pharming campaign that’s hijacking routers in Europe and Asia, another trio of big network and data breaches, and a new advanced, nation-state level attack that allegedly comes from Russia. Watch the video for my quick summary, and/or check out the links below for more details, and some extra security stories to boot.

Enjoy your weekend, and keep safe out there.

(Episode Runtime: 11:24)

Direct YouTube Link: http://www.youtube.com/watch?v=IQch3fdbzAk

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

March’s Patch Day Includes an IE Zero Day Fix

It’s almost that time of the month again. Next week is Microsoft Patch day, and here’s what you can expect.

MS Patch Notification: March 2014

According to Microsoft’s advance notification, next week’s Patch Day should be fairly light, and relatively simple. The Redmond-based software company plans to release five security bulletins, fixing flaws in Windows, Internet Explorer (IE), and Silverlight. They rate two updates as Critical and the rest as Important. The biggest news about these updates is that the IE one will completely fix the zero day flaw that attackers have been exploiting in the wild, in watering hole attacks. So at the very least, you should prepare to install the IE update as soon as you can next week.

In related news, Adobe also shares Microsoft’s Patch Day. They haven’t announced if they will release any updates yet (they just recently released that emergency Flash one), but I would keep an eye on their security page next Tuesday. In any case, I’ll post details about Microsoft bulletins next week, and if Adobe releases any updates you’ll hear about them here. — Corey Nachreiner, CISSP (@SecAdept)

0day Watering Holes – WSWiR Episode 96

Flash and IE 0day, Watering Holes, and Router Worms

It’s Friday, Friday, gotta get your InfoSec on Friday….

Seriously though. If you are looking for a quick round-up of this week’s biggest security news, this is your show. In it, I cover what I think are the top three information and network security stories of the week, vlog style. If that sounds good, keep reading.

This week’s episode covers an advanced watering hole attack that leverages two zero day vulnerabilities, a worm that’s infecting a popular brand of consumer router, and new vulnerabilities that affect devices which fall under “the Internet of things” category. If you’d like all the details, including how to protect yourself, watch the video below. Or if you prefer to read, check out the Reference section for links to those stories and more.

Quick show note. Next week I’ll be attending the annual RSA Security Conference. Though I still hope to produce a video on the road, I may have to settle for a text version of our weekly Infosec news if I get too busy. Keep an eye on the blog for the latest, and have a great weekend.

(Episode Runtime: 8:57)

Direct YouTube Link: http://www.youtube.com/watch?v=NbxXXLov6Ek

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

The Mask APT Campaign – WSWiR Episode 95

400Gb DDoS, More Bitcoin Attacks, and The Mask APT

If you’re looking for a quick synopsis of the latest information security news and advisories, our quick weekly video can provide it for you. This week’s episode was shot literally right before I had to run out to catch a plane, so please excuse the low quality webcam footage. 

Today’s episode includes a quick rundown of the week’s Microsoft and Adobe patches, news about the latest world record-breaking DDoS attack, some Bitcoin hijinks, and the details around a new cross-platform advanced attack campaign discovered by Kaspersky. Check out the video for all the details, and give the Reference section a peek for links to other infosec stories, including last minute news of a new Internet Explorer (IE) zero day attack.

Have a great weekend (and President’s Day for US readers), and be careful online.

(Episode Runtime: 8:20)

Direct YouTube Link: http://www.youtube.com/watch?v=W4JItAGJynY

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Target Chain of Trust Attack – WSWiR Episode 94

Flash 0day, DailyMotion Watering Hole, and New POS Malware

With Seattle celebrating our Super Bowl victory (Sea-Hawks!), it’s hard for locals to keep their minds on Information Security (Infosec), but criminal hackers don’t stop for American football. If you’ve been too busy to follow security news this week, let WatchGuard’s Friday video fill you in on the details, and help you with your defenses.

In today’s video, I cover an Adobe Flash 0day exploit that advanced attackers are leveraging in the wild, warn about a popular video site that has been turned into a FakeAV watering hole, give you the latest breaking update on the Target breach, and more. Watch the video below to learn the latest security news, and check out the Reference section if you’d like links to other security stories from the week.

Quick show note: I’ll be traveling in the UK next week, so I will have to produce the next episode from the road. This also means the video may go live either earlier or later in the week than it normally does.

Enjoy your weekend, and stay safe out there.

(Episode Runtime: 10:04)

Direct YouTube Link: https://www.youtube.com/watch?v=aJMAyKpTaYI

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Plugs 0day Flash Hole Found by Kaspersky

Summary:

  • This vulnerability affects: Adobe Flash Player 12.0.0.43 and earlier, running on all platforms
  • How an attacker exploits it: Typically, by enticing users to visit a website containing malicious Flash content
  • Impact: An attacker can execute code on the user’s computer, potentially gaining control of it
  • What to do: Download and install the latest version of Adobe Flash Player (version 12.0.0.44 for most computers)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile ones like Android. It also comes prepackaged with some web browsers like Chrome and the latest version of Internet Explorer (IE).

In an out-of-cycle security bulletin released today, Adobe posted an update that fixes a critical, zero day vulnerability in Adobe Flash Player 12.0.0.43 and earlier, running on all platforms. We urge Flash users to install this update as soon as possible, since advanced attackers are exploiting it in the wild.

Adobe’s bulletin describes an integer overflow vulnerability (CVE-2014-0497) in Flash player, which attackers have been exploiting in the wild. In typical fashion, Adobe’s bulletin doesn’t describe the flaw in much technical detail, but they do describe its impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash content (which could be embedded in a document), he could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

This particular flaw was brought to Adobe’s attention by one of Kaspersky’s (one of WatchGuard’s antivirus partners) researchers. Yesterday, members of Kaspersky’s research team announced that they plan on disclosing details about a new advanced persistent threat (APT) campaign later next week, which they call “The Mask.” According to some reports, this Flash zero day exploit might be associated with that cyber espionage campaign.

In any case, Adobe has assigned this a “Priority 1” severity rating for Windows and Macintosh computers, which means you should fix it within 72 hours. If you use Flash, I recommend you apply the update as soon as possible.

Solution Path

Adobe has released new versions of Flash Player (12.0.0.44 for Windows and Mac) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

  • Download Flash Player for your computer:
NOTE: Some web browsers, like Chrome and the latest versions of IE, ship with their own versions of Flash built-in. If you use these web browsers, you will have to update them as well.

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

  • .flv –  Adobe Flash file (file typically used on websites)
  • .fla – Flash movie file
  • .f4v – Flash video file
  • .f4p – Protected Flash video file
  • .f4a – Flash audio file
  • .f4b – Flash audiobook file

MIME types:

  • video/x-flv
  • video/mp4 (used for more than just Flash)
  • audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

  • Hex FLV: 46 4C 56 01
  • ASCII FLV: FLV
  • Hex FLA:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 
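The caveat above, as an added example that is not part of the original alert or of WatchGuard's proxy code: a small Python classifier that applies the listed extensions, MIME types and magic bytes, anchors the byte patterns at offset 0, and separates Flash-specific indicators from shared ones. The sample inputs and the block/review/allow verdicts are constructed for illustration; the FLA pattern is treated as shared because the same bytes open every OLE2 compound file, such as legacy Office documents.

```python
import os

# Indicators from the lists above. "specific" = points at Flash media;
# "shared" = also matches non-Flash content, so blocking on it alone
# produces false positives.
FLASH_EXTENSIONS = {".flv", ".fla", ".f4v", ".f4p", ".f4a", ".f4b"}
FLASH_MIME = {"video/x-flv": "specific", "video/mp4": "shared", "audio/mp4": "shared"}
MAGIC = [
    ("FLV", bytes.fromhex("464C5601"), "specific"),
    # Same bytes open every OLE2 compound file (legacy .doc/.xls), so shared.
    ("FLA", bytes.fromhex("D0CF11E0A1B11AE100"), "shared"),
]

def classify(filename, content_type, body):
    """Return (verdict, reasons); verdict is 'block', 'review' or 'allow'."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in FLASH_EXTENSIONS:
        reasons.append(("extension", ext, "specific"))
    # Drop parameters such as "; charset=utf-8" before comparing.
    mime = content_type.split(";")[0].strip().lower()
    if mime in FLASH_MIME:
        reasons.append(("mime", mime, FLASH_MIME[mime]))
    for name, signature, strength in MAGIC:
        # Anchor at offset 0: searching the whole body for a 3-4 byte
        # pattern such as "FLV" would hit ordinary text.
        if body.startswith(signature):
            reasons.append(("magic", name, strength))
    if any(strength == "specific" for _, _, strength in reasons):
        return "block", reasons
    return ("review" if reasons else "allow"), reasons

# Constructed samples (not captured traffic).
FLV_SAMPLE = b"FLV\x01\x05\x00\x00\x00\x09" + b"\x00" * 4
OLE_SAMPLE = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 16
HTML_SAMPLE = b"<html><body>Download the FLV player</body></html>"
MP4_SAMPLE = b"\x00\x00\x00\x18ftypmp42"

if __name__ == "__main__":
    cases = [
        ("clip.bin", "application/octet-stream", FLV_SAMPLE),  # renamed FLV
        ("report.doc", "application/msword", OLE_SAMPLE),      # legacy Office file
        ("index.html", "text/html; charset=utf-8", HTML_SAMPLE),
        ("talk.mp4", "video/mp4", MP4_SAMPLE),
    ]
    for name, ctype, data in cases:
        print(name, classify(name, ctype, data))
```

The renamed FLV is caught only by its magic bytes, while the Word document and the MP4 land in "review" rather than "block" because the only indicators they match are shared with non-Flash content.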

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Hefty Patch Day Despite Light Microsoft Turnout

If any security professionals need a quick reminder that the end-of-year holidays are over, and it’s time to get back to protecting information, Microsoft’s first Patch Day of the year will likely do that for you. However, the good news is Microsoft is giving us a slow start with only four security updates for January. Unfortunately, two other companies, Oracle and Adobe, have filled in the gaps with big updates of their own.

Let’s start with Microsoft.

According to their summary post, Microsoft released four bulletins today which fix security flaws in Windows, Office, and their Dynamics AX server (an enterprise resource planning or ERP solution). They didn’t release any Critical bulletins this month, only ones with an Important rating; essentially their “medium” severity. Though vulnerabilities with this rating might be a bit more difficult to exploit (requiring local access or victim interaction), some of them could still allow remote attackers to gain full control of your users’ machines. In short, you should still take these updates seriously despite the light load, and their less critical nature.

As far as priority, start with the Windows kernel vulnerability, as it fixes a zero day flaw that attackers are actively exploiting in the wild. Granted, the attackers exploiting it need local access to your computer to leverage the flaw, but if they do they gain full (SYSTEM) control of the PC. The remaining Windows and Office flaws are just about equal in severity. Which you focus on first is up to you. I’d probably consider the Office one since bad guys like using malicious documents in their spear phishing emails lately. Finally, the Dynamics AX update fixes a DoS flaw. I don’t suspect many smaller organizations use this product, and DoS flaws aren’t quite as severe as others. So save this one for last, if you happen to use the product.

With Microsoft done, your focus this month is probably better served with patching Adobe and Oracle products. Adobe’s patch day always falls on the same Tuesday as Microsoft’s. However, Oracle happens to follow a quarterly patch cycle, which only occasionally lines up directly with Microsoft’s Patch Day. Unfortunately, this is one such month, and you get to enjoy the unholy trifecta of patching three big corporations’ products at once. Yay (sarcasm)!

Today, Adobe has released updates for Reader, Acrobat, and Flash Player, and Oracle has released their huge Critical Patch Update, fixing over a hundred flaws in a wide variety of products. I’ll post more details about these updates later today, but for now you can check out Adobe’s or Oracle’s pre-announcement advisories if you want a head start.

I’ll post the detailed alerts for Microsoft’s Windows and Office updates shortly. Since I doubt the majority of customers use Dynamics AX, I don’t plan on posting a full alert for it, so if you use it be sure to check out Microsoft’s alert (MS14-004) yourself, and grab the corresponding updates. Stay tuned! — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day Summary, Jan 2014

Cyber Sharking – WSWiR Episode 88

Tons of Patches, Facebook Scams, and Games for Security

If you’re in a country that celebrates the Christmas holidays, it’s probably getting a little quieter at work lately. With that extra free time, why don’t you catch up on the week’s latest security news with our regular episode of WatchGuard Security Week in Review?

Today’s show covers the patches from patch week, the latest NSA hijinks, a wide-spread Facebook phishing scam, and a story about how playing video games can help improve software security. Like always, I also include links to all these stories, and a few extras, in the references below.

Quick show note: I’ll be taking some time off for the holidays, so this may be the last video until next year (though I may release a short one next week). Keep safe out there, and have a happy holiday!

(Episode Runtime: 7:27)

Direct YouTube Link: http://www.youtube.com/watch?v=7325aKAWktg

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)

Adobe Patch Day: Zero Day Flash Patch & Shockwave Update

Severity: High

Summary:

  • These vulnerabilities affect: Adobe Flash and Shockwave Player
  • How an attacker exploits them: By enticing you to run malicious Flash or Shockwave content from web pages or embedded within documents
  • Impact: In the worst case, an attacker can gain complete control of your computer
  • What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released two security bulletins describing vulnerabilities in Flash and Shockwave Player. A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

Adobe Patch Day - Dec, 2013

  • APSB13-29: Two Shockwave Player Memory Corruption Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin describes two unspecified memory corruption vulnerabilities that affect Shockwave Player running on Windows and Macintosh computers. They don’t share any technical details about the flaws, but do share their scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit the flaws to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this vulnerability to gain full control of their computer.

Adobe Priority Rating: 1 (Patch within 72 hours)

  • APSB13-28: Zero Day Flash Player Code Execution Flaw

Adobe’s bulletin describes two vulnerabilities in Flash Player running on all platforms, including one code execution flaw attackers are currently exploiting in the wild. If an attacker can lure you to a web site, or get you to open a document containing specially crafted Flash content, he could exploit the worst of these flaws to execute code on your computer, with your privileges. If you have administrative or root privileges, the attacker could gain full control of your computer.

Adobe warns that attackers are exploiting this flaw in the wild. The attack arrives as a malicious Word document containing embedded Flash content. They have assigned these flaws their highest severity rating for Windows and Mac computers, but a lesser severity for Linux and Android devices. If you are a Windows Flash user, we recommend you apply this update immediately.

Adobe Priority Rating: 1 for Windows and Mac (Patch within 72 hours)

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

Keep in mind, if you use Google Chrome you’ll have to update it separately to get the latest Flash fixes.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. However, WatchGuard’s XTM appliances can help in many ways. First, our IPS and AV services are often capable of detecting the malicious Flash or Shockwave files attackers are actually using in the wild. If you’d like, you can also configure our proxies to block Shockwave and Flash. This, however, blocks both legitimate and malicious content. If you do want to block this content via the Web or email, see our manual for more details on how to configure our proxy policies’ content-filtering.

Status:

Adobe has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

Drone Skyjacking – WSWiR Episode 87

NSA Botnet, Windows 0day, and Bitcoin Robberies

It’s time for our regular Information Security (Infosec) summary video. If you want to hear about all the latest network and computer security news from one quick and easy source, this video is for you. This week’s episode comes a bit late, but I will return to the Friday schedule this week.

In this episode, I talk about the NSA botnet, more Bitcoin heists, a Windows zero day exploit, and a new hack that can hijack AR.drone quadcopters. Watch the video for the details, and check out the references for more information (and some extra stories).

Keep safe out there!

(Episode Runtime: 9:36)

Direct YouTube Link: http://www.youtube.com/watch?v=w4cIM12wCKE

Episode References:

Extras:

— Corey Nachreiner, CISSP (@SecAdept)
