Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Bernadette Irinco (Technical Communications)




    OpenSSL has recently released six security updates addressing vulnerabilities found in OpenSSL. As of this writing, there is no reported exploit leveraging these vulnerabilities in the wild. The security patches cover the following vulnerabilities:

    • SSL/TLS MITM vulnerability (CVE-2014-0224)
    • DTLS recursion flaw (CVE-2014-0221)
    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
    • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
    • Anonymous ECDH denial of service (CVE-2014-3470)

    When SSL/TLS MITM vulnerability is exploited via man-in-the-middle attacks, it can allow remote attacker to change traffic from any vulnerable client and server. Note that both client and server have to be vulnerable for this vulnerability to be exploited successfully, making this less serious than the Heartbleed vulnerability. Another notable bulletin is DTLS invalid fragment vulnerability, which can execute arbitrary code if exploited, thus compromising the security of the system. In addition, the DTLS recursion flaw (CVE-2014-0221) can be abused by remote attackers to cause denial-of-service (DoS) attacks.

    Accordingly, servers with OpenSSL 1.0.1 and 1.0.2-beta1 are vulnerable. OpenSSL servers earlier than 1.0.1 are also encouraged to upgrade to the following versions:

    • OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za
    • OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m
    • OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h

    While these OpenSSL vulnerabilities are different from the Heartbleed bug which affected a number of websites and mobile applications, they also pose security risks to users. As such, web administrators are strongly advised  to patch their systems with the latest security updates from OpenSSL to mitigate the risks of possible threats leveraging these vulnerabilities.

    We will update this entry for any developments on the OpenSSL vulnerabilities.

    Update as of 12:14 PM, June 6, 2014

    Trend Micro Deep Security protects users from these vulnerabilities via the following DPI rules:

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability
    • 1006090 – Detected Fragmented DTLS Request
    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability

    Update as of 5:17 PM, June 6, 2014

    Note that the following DPI rule protects against SSL/TLS MITM vulnerability (CVE-2014-0224):

    • 1006088 – OpenSSL SSL/TLS Man In The Middle Security Bypass Vulnerability

    On the other hand, DPI rule “1006091 – Detected Fragmented DTLS Message”  addresses the  following vulnerabilities:

    • DTLS invalid fragment vulnerability (CVE-2014-0195)
    • DTLS recursion flaw (CVE-2014-0221)

    Users are also protected from vulnerability covered under CVE-2014-3466, which can allow denial of service or execution of arbitrary code when exploited via this DPI rule:

    • 1006084 – GnuTLS “read_server_hello()” Memory Corruption Vulnerability
     
    Posted in Vulnerabilities | Comments Off



    Targeted attacks are known to use zero-day exploits. However, old vulnerabilities are still frequently exploited. In fact, based on cases analyzed in the second half of 2013, the most exploited vulnerability in this time frame was CVE-2012-0158, a Microsoft Office vulnerability that was patched in April 2012. This shows how important applying the latest patches and security updates are in mitigating the risks posed by these threats.

    Figure 1. Most commonly exploited vulnerabilities related to targeted attacks

    Targets

    Our findings (based on cases that we have analyzed) indicate that 80% of targeted attack-related incidents affect government institutions. This is followed by the IT sector (both hardware and software) and the financial services (banks).  In terms of countries affected, Taiwan and Japan are the two most hit by targeted attacks.

    In addition, we also monitor the locations of various IP addresses that accessed known C&C servers associated with targeted attacks. Our data show that Taiwan, Japan, and the United States were the most targeted countries.

    Figure 2. Countries with the most number of users who accessed C&C servers related to targeted attacks

    Tools of the Trade

    Nearly 60% of malware used in targeted attacks are Trojans or Trojan spyware. These types of malware steal user credentials that provide the gateway for threat actors to exploit other areas of a penetrated network. This is followed by backdoors (22%) employed to establish C&C communications and lead to the next stages of targeted attacks. It is also interesting to note that almost 10% of malware related to targeted attacks run only on 64-bit platforms.

    Figure 3. Non 64- and 64-bit malware distribution

    Spear phishing is still the most seen entry point for targeted attacks. These email messages use relevant-sounding subjects that trick users into opening it and the file attachments therein that serve as malware carriers.  In our 2014 prediction, we noted that mobile devices will also be leveraged by threat actors to gain entry to networks.

    Custom Defense against Targeted Attacks

    Although targeted attacks are difficult to detect, this task can be made easier with solutions that use advanced threat detection technology that can detect, analyze, and respond to attacks that traditional antivirus signature-based solutions and blacklisting are not capable of.

    Targeted attacks often leave traces that can serve as indicators of compromise. As such, enterprises and large organizations are encouraged to build their own threat intelligence capability, which they can incorporate into their own existing security solutions.

    For more details on the trends in targeted attacks in the second half of 2013, read the full report here.

     To get the latest news on targeted attacks, visit Threat Intelligence Resources – Targeted Attacks. 

     
    Posted in Targeted Attacks | Comments Off



    Patch-Tuesday_grayThis February, Microsoft released 12 security bulletins addressing 57 vulnerabilities. Out of the security updates, 5 are tagged Critical and the rest rated as Important.

    One of the notable advisories for this round is (MS13-009) Cumulative Security Update for Internet Explorer (2792100), which covers the vulnerabilities in Internet Explorer. These vulnerabilities affecting all versions of IE, which include the latest version IE 10 on Windows 8 and Windows RT, could lead to remote code execution. The other notable Critical-rate updates are MS13-011 and MS13-012, which affect Microsoft Exchange and Microsoft Windows and can allow a potential attacker to execute any malicious commands onto the vulnerable system.

    Users should immediately apply patches, whenever possible, for these vulnerabilities. Trend Micro Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plugin users are protected from any attacks that may leverage these vulnerabilities. For more information on the bulletins and corresponding Trend Micro solutions, visit the Threat Encyclopedia Page.

    Read the rest of this entry »

     
    Posted in Vulnerabilities | Comments Off



    Microsoft has recently released a patch to address the zero-day exploit affecting certain versions of Internet Explorer. The said exploit was found to be hosted on the compromised Council on Foreign Relations website. When exploited, this IE vulnerability could allow attackers to execute arbitrary codes thus compromising the security of the systems. In addition, this vulnerability only affected older versions of Internet Explorer (i.e. 6, 7, and 8). Internet Explorer versions 9 and 10 are not affected. Initially, Microsoft has provided workarounds until the patch was released yesterday.

    On the other hand, last week we also received reports of a zero-day exploit which affected Java. The said exploit was used by cybercriminal toolkits such as Blackhole Exploit Kit (BHEK) and Cool Exploit Kit (CEK) respectively. Based on our investigation, the exploit code (detected as JAVA_EXPLOIT.RG) leads to the download of REVETON malware or police ransomware.  In response to this zero-day exploit, Java has issued a software update. Prior to this release, the U.S. Department of Homeland Security has recommended users to disable Java on their web browsers to armor their systems against attacks leveraging this.

    Read the rest of this entry »

     
    Posted in Vulnerabilities | Comments Off



    A new zero-day exploit in Java has been found in the wild. Currently, this exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

    CEK is the creation of the same author responsible for Blackhole Exploit Kit. It appears to be a high-end version of the more accessible BHEK. Zero-day exploits are first incorporated into CEK and only added into BHEK once they have been disclosed. It has been reported that CEK was being used to distribute ransomware, particularly Reveton variants.

    Currently, we detect the exploits as JAVA_EXPLOIT.RG, with the sites that load this exploit code detected as HTML_EXPLOIT.RG. The Reveton payloads are detected as TROJ_REVETON.RG and TROJ_REVETON.RJ.

    Read the rest of this entry »

     
    Posted in Exploits, Vulnerabilities | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice