    Author Archive - Bernadette Irinco (Technical Communications)

    Two out of seven bulletins in today’s Microsoft Patch Tuesday are tagged as critical, while the rest are marked as important. The critical bulletins address a number of vulnerabilities in Microsoft Office and Internet Explorer which, when exploited, could allow remote code execution and thus compromise the security of affected systems.

    Perhaps the most interesting bulletin here is MS14-035, which resolves flaws in Internet Explorer versions 6 to 11. These flaws can be abused via a specially crafted web page and can possibly lead to attackers gaining more user rights on the affected systems. The bulletin only patches the vulnerability for Server 2003, but the vulnerability almost certainly exists in the now-unsupported Windows XP as well.

    This is the sort of problem that we warned about earlier this year: newly discovered vulnerabilities will now be wide open for use by attackers. This particular problem will only get worse over time.

    Another critical bulletin, MS14-036, fixes flaws in Microsoft Windows, Microsoft Office, and Microsoft Lync, a platform for video messaging and conferencing. A specially crafted web page or file could possibly compromise the system.

    MS14-032 also addresses vulnerabilities in Microsoft Lync, which can lead to information disclosure when exploited. Another notable bulletin is MS14-031, which addresses vulnerabilities in Microsoft Windows that can possibly lead to denial of service when exploited by cybercriminals.

    Adobe also rolled out one security bulletin to resolve issues in Adobe Flash Player, covered under the following CVEs. This brings the current version of Adobe Flash Player to

    • CVE-2014-0531
    • CVE-2014-0532
    • CVE-2014-0533
    • CVE-2014-0534
    • CVE-2014-0535
    • CVE-2014-0536

    We highly recommend that users apply these security patches and upgrade their Adobe products to the latest versions. This prevents their systems from being infected with threats leveraging the vulnerabilities discussed in these security bulletins.

    Users may also visit our Trend Micro Threat Encyclopedia page to know more about the appropriate Deep Security solutions.

    Posted in Vulnerabilities

    OpenSSL has recently released six security updates addressing vulnerabilities found in OpenSSL. As of this writing, there is no reported exploit leveraging these vulnerabilities in the wild. The security patches cover the following vulnerabilities:

    • SSL/TLS MITM vulnerability (CVE-2014-0224)
    • DTLS recursion flaw (CVE-2014-0221)
    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
    • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
    • Anonymous ECDH denial of service (CVE-2014-3470)

    When the SSL/TLS MITM vulnerability (CVE-2014-0224) is exploited via a man-in-the-middle attack, it can allow a remote attacker to modify traffic between a vulnerable client and server. Note that both client and server have to be vulnerable for this vulnerability to be exploited successfully, making it less serious than the Heartbleed vulnerability. Another notable issue is the DTLS invalid fragment vulnerability (CVE-2014-0195), which can lead to arbitrary code execution if exploited, thus compromising the security of the system. In addition, the DTLS recursion flaw (CVE-2014-0221) can be abused by remote attackers to cause denial of service (DoS).

    Servers running OpenSSL 1.0.1 and 1.0.2-beta1 are vulnerable. Users of OpenSSL versions earlier than 1.0.1 are also encouraged to upgrade to the following versions:

    • OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
    • OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
    • OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h
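    The upgrade table above is easy to misread because OpenSSL's old patch letters sort as a..z, then za, zb, and so on (so 0.9.8y is older than 0.9.8za). The following checker, an added example that is not part of the original post, parses an `openssl version` string and reports whether it meets the fixed release listed above for its branch; branches the post gives no fixed release for (such as 1.0.2-beta1) are reported as needing an upgrade, which is an assumption of this example.

```python
import re
import subprocess

# Minimum fixed releases per branch, taken from the advisory list above.
FIXED_RELEASES = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# Matches "OpenSSL 1.0.1g 7 Apr 2014", "1.0.2-beta1" or a bare "1.0.1h".
VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta\d+)?")


def letter_rank(letters):
    """Order patch-letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb' < ...
    OpenSSL wrapped past 'z' by prefixing 'z', so longer suffixes are newer."""
    return (len(letters), letters)


def parse_version(text):
    """Return ((major, minor, fix), patch_letters) from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix), m.group(4)


def is_patched(text):
    """True if the version meets the advisory's fixed release for its branch.
    Branches with no fixed release listed (e.g. 1.0.2 betas) count as unpatched (assumption)."""
    branch, letters = parse_version(text)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return False
    return letter_rank(letters) >= letter_rank(fixed)


def installed_openssl_version():
    """Read the local binary's version (needs `openssl` on PATH; not used by the samples)."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings in the format printed by `openssl version`.
    for sample in ["OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 0.9.8za 5 Jun 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014"]:
        print(sample, "->", "patched" if is_patched(sample) else "UPGRADE REQUIRED")
```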

    While these OpenSSL vulnerabilities are different from the Heartbleed bug which affected a number of websites and mobile applications, they also pose security risks to users. As such, web administrators are strongly advised to patch their systems with the latest security updates from OpenSSL to mitigate the risks of possible threats leveraging these vulnerabilities.

    We will update this entry for any developments on the OpenSSL vulnerabilities.

    Update as of 12:14 PM, June 6, 2014

    Trend Micro Deep Security protects users from these vulnerabilities via the following DPI rules:

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability
    • 1006090 – Detected Fragmented DTLS Request
    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability

    Update as of 5:17 PM, June 6, 2014

    Note that the following DPI rule protects against SSL/TLS MITM vulnerability (CVE-2014-0224):

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability

    On the other hand, DPI rule “1006091 – Detected Fragmented DTLS Message” addresses the following vulnerabilities:

    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • DTLS recursion flaw (CVE-2014-0221)

    Users are also protected, via the following DPI rule, from the vulnerability covered under CVE-2014-3466, which can allow denial of service or execution of arbitrary code when exploited:

    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability

    Posted in Vulnerabilities

    Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates is in mitigating the risks posed by these threats.

    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks


    Our findings (based on cases that we have analyzed) indicate that 80% of targeted attack-related incidents affect government institutions. This is followed by the IT sector (both hardware and software) and financial services (banks). In terms of countries affected, Taiwan and Japan are the two hit most often by targeted attacks.

    In addition, we also monitor the locations of various IP addresses that accessed known C&C servers associated with targeted attacks. Our data show that Taiwan, Japan, and the United States were the most targeted countries.

    Figure 2. Countries with the most number of users who accessed C&C servers related to targeted attacks

    Tools of the Trade

    Nearly 60% of malware used in targeted attacks are Trojans or Trojan spyware. These types of malware steal user credentials that provide the gateway for threat actors to exploit other areas of a penetrated network. This is followed by backdoors (22%) employed to establish C&C communications and lead to the next stages of targeted attacks. It is also interesting to note that almost 10% of malware related to targeted attacks run only on 64-bit platforms.

    Figure 3. Non-64-bit and 64-bit malware distribution

    Spear phishing is still the most common entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening them and the file attachments therein, which serve as malware carriers. In our 2014 predictions, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks.

    Custom Defense against Targeted Attacks

    Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology to detect, analyze, and respond to attacks that traditional signature-based antivirus and blacklisting cannot.

    Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions.

    For more details on the trends in targeted attacks in the second half of 2013, read the full report here.

    To get the latest news on targeted attacks, visit Threat Intelligence Resources – Targeted Attacks.

    Posted in Targeted Attacks

    This February, Microsoft released 12 security bulletins addressing 57 vulnerabilities. Of these updates, 5 are tagged Critical and the rest are rated Important.

    One of the notable advisories for this round is MS13-009, Cumulative Security Update for Internet Explorer (2792100), which covers vulnerabilities in Internet Explorer. These vulnerabilities affect all versions of IE, including the latest version, IE 10 on Windows 8 and Windows RT, and could lead to remote code execution. The other notable Critical-rated updates are MS13-011 and MS13-012, which affect Microsoft Windows and Microsoft Exchange respectively and can allow a potential attacker to execute arbitrary malicious commands on the vulnerable system.

    Users should immediately apply patches, whenever possible, for these vulnerabilities. Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users are protected from any attacks that may leverage these vulnerabilities. For more information on the bulletins and corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.


    Posted in Vulnerabilities

    Microsoft has recently released a patch to address the zero-day exploit affecting certain versions of Internet Explorer. The exploit was found hosted on the compromised Council on Foreign Relations website. When exploited, this IE vulnerability could allow attackers to execute arbitrary code, thus compromising the security of affected systems. Note that this vulnerability only affects older versions of Internet Explorer (i.e. 6, 7, and 8); Internet Explorer versions 9 and 10 are not affected. Microsoft had initially provided workarounds until the patch was released yesterday.

    Last week we also received reports of a zero-day exploit affecting Java. The exploit was used by cybercriminal toolkits such as the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Based on our investigation, the exploit code (detected as JAVA_EXPLOIT.RG) leads to the download of REVETON malware, also known as police ransomware. In response to this zero-day exploit, a Java software update has been issued. Prior to this release, the U.S. Department of Homeland Security recommended that users disable Java in their web browsers to protect their systems against attacks leveraging this vulnerability.


    Posted in Vulnerabilities


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice