Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    June 2013
    S M T W T F S
    « May   Jul »
  • Email Subscription

  • About Us

    Archive for June 19th, 2013

    Although an estimated 1,000 websites, 35,000 email credentials, and over 100,000 Facebook accounts have been claimed as compromised since the announcement of #OpPetrol last month, attacker participation and the overall sophistication of the attacks leading into June 20 appears to be limited. These defacements and disclosures are consistent with what has been seen in recent operations, where the attacks did not seem to get much traction.

    An operation like #OpPetrol, however, allows opportunities for different attackers with different skill sets and agenda to join in the cause and execute their own missions. Furthermore, not all sectors have equal resiliency and countermeasures, so tempered caution with proactive security countermeasures is highly recommended.

    Our researchers have been monitoring the situation with a myriad of global threat intelligence resources. We traced malicious activities to the targeted sites and found IPs that have been identified in the past as compromised and being used as C&Cs by bot herders. It appears connections were made to the target sites with the intention of gaining further access or prepping for a DDoS.

    We also found that the malware CYCBOT is being used to drive the infected systems into the target sites. Initially emerging in 2011, CYCBOT has already been primarily used in the past to drive traffic to sites, particularly ad sites. It is known to be distributed via pay-per-install schemes.

    A significant number of targeted government websites in Kuwait, Qatar, and Saudi Arabia have gone offline after having received attacks from recently compromised IPs. These IPs statistically have not recently communicated to those government sites.

    We will continue to monitor this attack and report our findings. You can also check some steps on how you can keep your organization safe before, during, and after targeted attacks like these in my recent entry Anonymous’ #OpPetrol: What is it, What to Expect, Why Care?.

    Posted in Targeted Attacks | Comments Off on Anonymous #OpPetrol: Leading into June 20

    Oracle has just released its security update for June 2013 — a release that comprises of 40 security updates, with 37 of them addressing vulnerabilities that lead to malware execution. Also among the updates is one that fixes a vulnerability found in Javadoc tool — a documentation generator and is commonly used in websites.

    The said vulnerability, also identified as CVE-2013-1571, can be used to steal important user data by injecting an attacker controlled frame in generated Javadoc HTML page. This vulnerability is also known as Frame Injection vulnerability.

    Javadoc is a tool that generates .HTML documentation from Javadoc comments in the code. The vulnerability is due to a defect in the JavaScript code that is included as part of the HTML pages generated by the Javadoc tool. Hence all the websites using such HTML pages can be used by an attacker to steal their user data or to install malware by redirecting an unsuspecting user to attacker-controlled website.

    Oracle released two fixes in their June 2013 Oracle Java SE Critical Patch Update to address this vulnerability. The first is an updated Javadoc tool, while the second is a fix-in-place tool that patches the vulnerability from pages generated by Javadoc without having to regenerate existing JavaDocs. Needless to say, we strongly advise customers to apply the fixes the soonest possible.

    Trend Micro Deep Security customers are advised to update to the latest update DSRU13-020. The following Deep Security rule 1005553 – Oracle JavaDoc Frame Injection Vulnerability addresses the said issue.

    Hat tip to CERT for sharing the necessary information with us.

    Posted in Vulnerabilities | Comments Off on Oracle Update Includes Javadoc Frame Injection Vulnerability


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice