Cyber Security Group
Vince Kornacki | 01 May 2014 | 0 comments

Today marks the one-month anniversary of the devastating Heartbleed vulnerability. Specifically, one month ago today Google first notified the OpenSSL development team of the vulnerability. From the start CVE-2014-0160 was not just another software vulnerability. No, this one was big. A vulnerability of epic proportions. Who would've thought that a simple buffer over-read could threaten to undermine the security of the Internet? As you know by now, Heartbleed allows attackers to read 64KB of server memory. What exactly is contained in that 64KB of server memory? Well, that's a little random. Depending on the location of the heartbeat payload within server memory, the leak could reveal cryptographic keys, usernames and passwords, email messages, and a multitude of other sensitive information. How could this possibly happen? Looking back, a series of cascading failures is to blame.

...
MSS Global Threat Response | 28 Apr 2014 | 1 comment


EXECUTIVE SUMMARY:

On April 26th 2014, Microsoft released a security advisory (2963983) for a zero-day vulnerability in Internet Explorer (CVE-2014-1776). The vulnerability is reportedly being exploited in limited, targeted attacks. The vulnerability exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. There is currently no patch available for this vulnerability and Microsoft did not provide a release date for a patch...

MSS Global Threat Response | 28 Apr 2014 | 0 comments

Emerging Threat: Apache Struts Zero-Day (CVE-2014-0050, CVE-2014-0094) DoS and Remote Code Execution Vulnerability


EXECUTIVE SUMMARY:

On April 24, 2014, the Apache Software Foundation (ASF) (http://www.apache.org) released an advisory warning that a patch issued in March for a zero-day vulnerability in Apache Struts up to version 2.3.16.1 did not fully fix the vulnerability, which may result in Remote Code Execution via ClassLoader manipulation (CVE-2014-0094) or DoS attacks (CVE-2014-0050).

[Apache] Struts is an extensible framework used for creating enterprise Java Web applications.

According to Apache, in Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved [on March 2]....

Solange Deschatres | 15 Apr 2014 | 0 comments

Give an attacker a phish and he will steal some data. Teach an attacker to spear phish and he will steal databases.


Among the wide diversity of threats facing the modern enterprise, targeted attacks are often the most troubling and difficult to defend against. Even companies with modern security infrastructure find it hard to detect and stop targeted attacks because hackers are taking advantage of the weakest security link: people. By crafting sophisticated and customized spear phishing e-mails or exploiting browsing behavior, attackers are finding it easier to breach networks by duping people rather than systems.


In fact, according to Symantec’s latest Internet Security Threat Report (ISTR), the number of targeted campaigns increased 91 percent in 2013...

Jeannie Warner | 09 Apr 2014 | 0 comments

The number of spear-phishing campaigns grew a dramatic 91 percent in 2013 according to this year's Internet Security Threat Report. With cyber attacks, it's not a matter of if, but when an attack will occur. Without complete visibility into your environment and the current threat landscape, it's easy to be blindsided by an attacker and have security incidents go undetected. Organizations need to build a cyber-resilient strategy to protect sensitive data from targeted attacks and advanced persistent threats.

What are Advanced Persistent Threats?

An advanced persistent threat (APT) is a targeted attack that uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term. The fact that APTs are often aimed at...

MSS Global Threat Response | 07 Apr 2014 | 0 comments

While news of the downfall of the Blackhole Exploit Kit (often referred to as "BHEK") isn't new, its rise and subsequent collapse is the stuff of internet crime legend. Originally appearing in late 2010, the Blackhole Exploit Kit rose to popularity due to its ease of use and overall effectiveness. Version 1 of BHEK quickly became the de facto standard among exploit kits, wreaking havoc throughout 2011 and spawning a subsequent version 2 in late 2012. After the alleged creator of BHEK, a Russian man known by the handle "Paunch", was arrested by Russian authorities in October of 2013, a marked downturn in BHEK activity was observed by Symantec MSS. A second, lesser-known exploit kit named "Cool EK", supposedly authored by Paunch as well, suffered a similar fate. Both kits had all but disappeared from widespread use on the internet by the end of 2013, with only a small number of holdouts (existing campaigns or old infrastructure) still employing them. This post is meant to highlight...

MSS Global Threat Response | 27 Mar 2014 | 2 comments

EXECUTIVE SUMMARY:

On March 24th, Microsoft posted a security advisory (2953095) for a newly discovered, unpatched vulnerability affecting Microsoft Word. Microsoft has noticed limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. CVE-2014-1761 has been assigned for this vulnerability.

Please be aware that Word is the default viewer for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013, and that even looking at the e-mail in the preview pane could lead to an...

MSS Global Threat Response | 26 Mar 2014 | 0 comments

EXECUTIVE SUMMARY:

Security researchers have released a paper documenting a large and complex operation, code named "Operation Windigo". Since the campaign began in 2011, more than 25,000 Linux and UNIX servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and the Linux Foundation were confirmed victims.

Targeted operating systems include Apple OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET...

MSS Global Threat Response | 17 Mar 2014 | 0 comments

After the disclosure of a recent Denial of Service (DoS) tactic involving legitimate websites using WordPress, Symantec MSS has been applying additional scrutiny to customers that may have been involved. According to a blog post from Sucuri, “a large DDOS attack that leveraged thousands of unsuspecting WordPress websites as indirect source amplification vectors” has been uncovered in the wild. We’ve discovered continuing attempts by attackers to leverage a legitimate feature called “pingback” found in many WordPress configurations in our customer environments.

While the concept of “pingback” abuse isn’t new, the scale of this most recent episode is larger than previously seen. All impacted MSS customers have been...

MSS Global Threat Response | 12 Mar 2014 | 0 comments

Since the 27th of February, Symantec MSS has noticed a substantial increase of inbound scans on port 5000/TCP across our global customer base. While 5000/TCP is commonly associated with UPnP (Universal Plug and Play), it's also the default port for the HTTP administration interface on Synology NAS appliances. We believe this uptick in activity is related to multiple remotely exploitable vulnerabilities in Synology’s DiskStation Manager which were recently discovered. Of the most active scanning sources, most are located within China, Brazil, and the USA.


Synology is a Taiwanese company that specializes in home and enterprise network attached storage (NAS) appliances. Synology DiskStation Manager (DSM) is a Linux-based operating system used for the DiskStation and RackStation lines of NAS products.

Multiple versions of Synology DiskStation Manager...