Security Response
Symantec Security Response | 15 May 2014 07:59:22 GMT

Back in 2012, Symantec researched the Elderwood platform, which was used in spear-phishing and watering-hole attacks against a wide variety of industries. The Elderwood platform essentially consists of a set of exploits that have been engineered and packaged in a “consumer-friendly” way. This allows non-technical attackers to easily use zero-day exploits against their targets.

We observed attackers using the Elderwood platform against a large number of sectors, including defense, defense supply chain manufacturing, IT, and human rights. Most notably, attackers used this set of exploits in a high-profile campaign known as Operation Aurora.

The Elderwood platform may have first been documented in 2012, but it has continuously been updated with some of the latest zero-day exploits. Within just one month at the start of 2014, the Elderwood platform...

PraveenSingh | 13 May 2014 19:30:19 GMT

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing eight bulletins covering a total of 13 vulnerabilities. Three of this month's issues are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the May releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-...

Dick O'Brien | 09 May 2014 13:11:52 GMT

Is the era of oversharing over? Recent revelations about state-sponsored surveillance and mega-breaches engineered by cybercrime gangs have put the issue of privacy in the spotlight. After more than a decade where people appeared to be sharing more and more details about themselves online, there is some evidence that a backlash is now underway. Certainly the founders of a number of new social networking services seem to think so and they have made privacy one of the main selling points of their offerings.

One effort at building a more anonymous social network is Secret. Its creators decided to move in the opposite direction to most social networks and minimize the personal information its users share. Available as either an iOS or Android app, it doesn’t use real names or profile photos....

Binny Kuriakose | 09 May 2014 02:42:51 GMT

On May 11, 2014, many countries will celebrate Mother’s Day. Plenty of online articles have been giving gift ideas and advice for making the day special for mom. Companies have also been sending a huge number of promotional emails with a special message about Mother’s Day. Unsurprisingly, spammers have been exploiting this occasion to send out a fresh batch of spam.

Symantec started observing Mother’s Day spam from early April and we have seen a steady increase in the volume of messages ever since. Previous Mother’s Day spam emails often stuck to certain categories. Spam emails offering flower deliveries, jewelry, personalized messages, coupons, and other gifts for mothers were the most common. Survey and product replica spam were also observed in the past.

The following are the major Mother’s Day themed spam campaigns seen this year.

Flowers for Mother
A beautiful bunch of flowers is something any mother will love and spammers use this...

Andrea Lelli | 08 May 2014 13:14:11 GMT

Symantec has spotted a recent surge of infections of Trojan.Viknok, which can gain elevated operating system privileges in order to add compromised computers to a botnet. Trojan.Viknok, first observed in April 2013, infects DLL files with a malicious payload. Since its initial discovery, the malware has evolved into a sophisticated threat, capable of obtaining elevated operating system privileges in order to infect system files on multiple Windows operating systems, such as the 32-bit and 64-bit versions of Windows XP, Vista and 7.

Attackers have been observed using Viknok-infected computers to carry out Adclick fraud. While click-fraud activity has been prevalent for years, it still seems to be an effective way for scammers to make money. The scammers behind the current Viknok campaign have gone to a lot of...

Joji Hamada | 08 May 2014 06:45:47 GMT

Back in March, Symantec blogged about a possible watering hole campaign exploiting a zero-day vulnerability for Internet Explorer 8, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324). We continued our investigation into this attack, which we dubbed Operation Backdoor Cut, and have concluded that the focus of the attack was to target users associated with the Japanese basketball community. We drew this conclusion from our extended observation that the watering hole campaign abusing the vulnerability was hosted solely on the landing page of the official Japan Basketball Association (JBA) website. No other attacks on any other websites have been confirmed from our telemetry since the disclosure of the zero-day attack in March.

...

Symantec Security Response | 03 May 2014 01:13:32 GMT

Coming off the heels of the Heartbleed bug, a new report on a security flaw called “Covert Redirect” is garnering a lot of media attention—so much that some outlets are referring to it as the next Heartbleed. But is Covert Redirect as bad as Heartbleed? Definitely not.

Is this the next Heartbleed?
No, it is not. This is a security flaw in the implementation of OAuth by service providers.

Why is Covert Redirect not as bad as Heartbleed?
Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers. Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and...

Satnam Narang | 01 May 2014 23:08:41 GMT

Earlier today, photo-messaging application Snapchat unveiled new features that enable users to chat directly within the application, a frequently requested feature. The addition of this feature, while an improvement, provides the individuals responsible for Snapchat spam a new feature to play with in their efforts to target users of the service.

History of Snapchat Spam

Figure 1. Previous iterations of porn and dating spam on Snapchat

We have written ...

Satnam Narang | 30 Apr 2014 10:17:09 GMT

Late last week, Facebook users in India were tricked by scammers who were claiming to offer a tool that could hack Facebook in order to obtain passwords belonging to the users’ friends. Unfortunately for these users, they actually ended up hacking their own accounts for the scammers and exposed their friends in the process.

Figure 1. Scam promoting how to hack your Facebook friends

Want to hack your friends?
A post began circulating on Facebook from a particular page featuring a video with instructions on “Facebook Hacking” with a disclaimer stating that it was for education purposes only. The post links to a document hosted on Google Drive that contains some code that, according to the scam, will allow users to reveal their friends’ Facebook passwords. The instructions attempt to convince the user to paste...

Symantec Security Response | 28 Apr 2014 18:49:13 GMT

Adobe has published a Security Bulletin for the Adobe Flash Player CVE-2014-0515 Buffer Overflow Vulnerability (CVE-2014-0515). The new Security Bulletin, APSB14-13, identifies a buffer overflow vulnerability that affects various versions of Adobe Flash Player across multiple platforms. Exploitation of this critical vulnerability could allow an attacker to remotely execute arbitrary code. Adobe has acknowledged that exploitation of the vulnerability has been reported in the wild. Further details indicate it has been used in targeted attacks.

Per the bulletin, the following versions of Adobe Flash Player are vulnerable:

  • Adobe Flash Player 13.0.0.182 and earlier versions for Windows
  • Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.350 and earlier...