    Author Archive - Jonathan Leopando (Technical Communications)

    How much is keeping a secret worth? According to hackers taking advantage of the Ashley Madison hack, it’s worth only up to one Bitcoin – around 230 US dollars at current exchange rates.

    Soon after the data from the breach was leaked to the public, we knew that other threats would jump on the bandwagon. It didn’t take long – we soon started receiving various spam messages taking advantage of this fact. We believe that these messages are being systematically sent to users whose email addresses were found in the Ashley Madison database.

    Some messages attempted to blackmail the recipient into paying some money (initially around one Bitcoin; later messages demand half of that). If the user didn’t pay, their friends and family would be notified. Ostensibly, this list had been obtained from the user’s publicly available Facebook friends list. Emails of this type frequently have the name Ashley Madison or Avid Life somewhere in their sender name, perhaps to make the emails look more believable. (As a result, the domains used in these addresses are easy to spot and are quickly being taken down.)

    Figure 1. Blackmail message (Click to enlarge)

    Other variants pretended to be from the Impact Team and “offered” the user the chance to remove their info from a putative third leak of Ashley Madison data for a similar amount:

    Figure 2. Message supposedly from Impact Team (Click to enlarge)

    Some variants are trying to “raise money” by pretending to be lawyers preparing a class-action lawsuit against the company, and asking would-be “victims” for money:

    Figure 3. Message related to a class-action lawsuit (Click to enlarge)

    What advice do we have for users who receive these emails? Obviously, the first bit of advice is: don’t pay any money. The stolen information is already out there (and can’t be deleted). We would also point out that not all “members” signed up voluntarily: anyone could sign up anybody for an account without their knowledge.

    We will continue to be on the lookout for any more threats to come out of this event.

    Posted in Social |

    Microsoft has released MS15-093, an out-of-band update for all supported versions of Windows. This bulletin fixes a vulnerability in Internet Explorer (designated as CVE-2015-2502) that allowed an attacker to run arbitrary code on a user’s system if they visited a malicious site. A compromised site, spear phishing, and/or malicious ads could all be used to deliver exploits targeting this vulnerability to the user. This threat is already in use in limited, targeted watering hole attacks in the wild.

    This particular vulnerability is a memory corruption vulnerability, a class of flaw that has historically proven to be a common problem for Internet Explorer. While this vulnerability has been rated as Critical by Microsoft and no mitigations/workarounds were identified in the bulletin, there are several factors that help lessen the risk to users.

    First, any code is run with the privileges of the logged-in user; therefore users who run as an ordinary user and not as an administrator are at lesser risk. Secondly, users of the new Microsoft Edge browser in Windows 10 are not at risk. In addition, Internet Explorer in server versions of Windows (Server 2008, Server 2008 R2, Server 2012, or Server 2012 R2) runs in a restricted mode that reduces the risk for these OSes.

    Trend Micro Deep Security and Vulnerability Protection users are already protected from this threat; the following rule that was released as part of the regular Patch Tuesday set of rules also covers this vulnerability:

    • 1006957 – Microsoft Internet Explorer Arbitrary Remote Code Execution Vulnerability

    We urge all affected users to immediately use Windows Update to download and install this update. Users who wish to download this update manually should note that this bulletin is not a cumulative update for Internet Explorer. As a result, the August cumulative update should be installed before this new patch is installed.


    Microsoft has released an out-of-band security bulletin (MS14-068) that addresses a vulnerability in the implementation of Kerberos in various versions of Windows. The bulletin states that this vulnerability is already being used in “limited, targeted attacks”. This warning, plus the fact that Microsoft considered this threat serious enough to merit an out-of-cycle patch, should make users consider patching as soon as possible.

    Kerberos is a protocol used to authenticate users within a network. This vulnerability (designated as CVE-2014-6324) could allow an attacker to escalate privileges to that of a domain administrator; this could then be used to compromise any system connected to that domain, including domain servers.

    This is a serious flaw which lends itself to usage in targeted attacks. An attacker will have to use separate means to penetrate a network, but once inside this vulnerability could be used to compromise any machine connected to the organization’s domain server (effectively, all machines).

    Used properly, this vulnerability is as effective a tool for moving laterally within an organization as is known today. No workaround or mitigation has been clearly identified by Microsoft (aside from patching the vulnerability); the only requirement for a successful attack is for the attacker to already have valid domain credentials. For an attacker that has already penetrated existing networks, this hardly represents a barrier.

    The damage an attacker could do if an organization’s domain server was compromised could be significant. In a worst case scenario, the entire domain would have to be rebuilt from the ground up, which would be extremely costly in time and resources for any organization.

    Microsoft itself suggests that this attack has been used in targeted attacks saying that they “are aware of limited, targeted attacks that attempt to exploit this vulnerability.” With knowledge that a vulnerability exists, and information provided by the patch, we can expect to see more attacks that target this flaw in the future.

    The vulnerability is present in all server versions of Windows from Server 2003 onward. Administrators should roll out patches to these systems as soon as is practical. A patch is also available for client versions of Windows, but this is a defense-in-depth update that does not address any vulnerabilities.

    Posted in Vulnerabilities | Comments Off on Patched Windows Vulnerability Allows For Remote Privilege Escalation

    Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advisory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

    The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

    The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. This technology is used to share data between various applications; it is in this component of Windows where this vulnerability may be found. Exploiting it allows malicious code to run with the privileges of the user. To get administrator access, a separate exploit must be used. In addition, under default settings a User Account Control popup is displayed, which may alert the user that something unusual is going on.

    Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.
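    As an added triage check (this is not from the Microsoft advisory or Trend Micro's own tooling), the following Python script lists the entries of an OOXML package (.docx, .pptx, .xlsx) that carry embedded OLE objects, so an analyst can flag received documents that deserve a closer look before anyone opens them. The embedding directories and the oleObject relationship type are the standard OOXML locations; the sample package is constructed inline, and legacy binary Office formats (OLE2 containers, not ZIP archives) are reported as out of scope rather than scanned.

```python
import io
import zipfile

# Standard OOXML locations for embedded OLE objects (Word, PowerPoint, Excel).
EMBEDDING_DIRS = ("word/embeddings/", "ppt/embeddings/", "xl/embeddings/")
# Relationship type that part .rels files use to reference an OLE object.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_embedded_ole(data: bytes):
    """Return package entries that hold or reference embedded OLE objects.

    Returns None when the input is not a ZIP-based (OOXML) document, e.g. a
    legacy .doc/.ppt/.xls file, which needs an OLE2 parser instead."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBEDDING_DIRS):
                hits.append(name)          # the embedded object payload itself
            elif name.endswith(".rels") and OLE_REL_TYPE.encode() in zf.read(name):
                hits.append(name)          # a part that links to an OLE object
    return hits


def build_sample_pptx(with_ole: bool) -> bytes:
    """Construct a minimal .pptx-like package for testing (not a real slide deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        if with_ole:
            # Constructed placeholder payload: OLE2 magic followed by padding.
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
            zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                        f'<Relationships><Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                        'Target="../embeddings/oleObject1.bin"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("with OLE", build_sample_pptx(True)),
                       ("without OLE", build_sample_pptx(False)),
                       ("not OOXML", b"\xd0\xcf\x11\xe0 legacy binary format")):
        print(label, "->", find_embedded_ole(doc))
```

    A non-empty result means the document embeds or references an OLE object and should be handled with the caution the post describes, not that it is necessarily malicious.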

    Update as of October 24, 2014, 7:30 P.M. PDT

    Currently available information suggests that this vulnerability is essentially identical to the Sandworm vulnerability, which was reported and patched more than a week ago. The patch first put in place by Microsoft did not completely resolve the problem, allowing new exploits to target the same underlying flaw.

    Deep Security solutions that protect against Sandworm also protect against these more recent attacks. The following DPI rules cover these threats:

    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1
    Posted in Exploits, Vulnerabilities | Comments Off on Microsoft Windows Hit By New Zero-Day Attack

    Home Depot has confirmed via their corporate website that their payment systems were breached. This followed reports last week, which suggested that Russian and Ukrainian cybercriminals had successfully breached the Atlanta-based retailer’s PoS terminals.

    The statement did not offer full details, but suggested the breach affected users who shopped at their US and Canadian branches from April onwards. Home Depot’s investigation began on September 2, which indicates a worst-case scenario of a breach lasting four to five months. It has been claimed that the information of up to 60 million cards may have been stolen.

    Speculation suggests that the Home Depot attack was carried out using BlackPOS malware; a BlackPOS variant discussed by Trend Micro researchers in late August may have been part of this attack, as the behavior we found with this variant and those ascribed to the Home Depot attack are very similar.

    This particular BlackPOS variant differs in several ways from more common variants, suggesting that the code has been changed significantly since the source code for BlackPOS was leaked in 2012. A different API call is made to list the processes that can be targeted for information theft; in addition, custom search routines for credit card track information have been introduced. This particular variant is detected as TSPY_MEMLOG.A.

    These increasingly sophisticated threats make it clear that PoS malware is becoming a bigger and bigger threat. Continued attacks against PoS systems will not only cause financial losses, but also reduce the confidence of consumers in existing commerce systems.

    Migrating to more modern “chip-and-personal identification number (PIN)” cards and terminals may help reduce the risk down the road. Also, it is good for users to regularly check their bank statements for any anomalous transaction. Going over the recent transactions on a regular basis should allow users to spot and dispute fraudulent transactions made on their cards.

    Later this week, we will publish a paper outlining existing threats to PoS systems. System administrators of organizations that are at potential risk can use the information in these papers to detect, mitigate, and address these attacks. Our earlier paper titled Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries provided examples of potential PoS threats to retailers and companies in the hospitality sector.

    For more information, you may check out the Data Breaches page in the Threat Encyclopedia.

    Update as of 2:42 PM, September 11, 2014

    Even though BlackPOS ver2 has entirely different code compared to the BlackPOS which compromised Target, it duplicates the data exfiltration technique used by the Target BlackPOS. It is an improved clone of the original, which is why we decided to call it BlackPOS ver2.

    It is also being reported in the press that some security vendors call this malware (TSPY_MEMLOG.A) “FrameworkPOS.” This is a play on the service name <AV_Company> Framework Management Instrumentation with which the malware installs itself.
