Posts

Showing posts from April, 2012

Weibo Accounts Compromised to Spread Phishing Campaign

Weibo Accounts Compromised to Spread Phishing Campaign: The Websense® ThreatSeeker® Network has detected a wave of phishing campaigns spreading on the Chinese social network "Sina Weibo". Sina Weibo is a Chinese microblog website, like a hybrid of Twitter and Facebook, that has more than 300 million registered users as of February 2012. ... (read more)

Both Mac and Windows are Targeted at Once

Both Mac and Windows are Targeted at Once: Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers. On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads suitable malware for that OS. This is explained further in the following illustration: When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type ...

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline

Investigating Indicators of Compromise In Your Environment With Latest Version of Redline: Recently, Mandiant® released a new version of Redline™. If you are not familiar with Redline, it is a great tool for investigating a specific Windows host in depth. We will have a more thorough look into Redline in the next month or so. What I wanted to touch on today is one of Redline's brand new features: you can now use Indicators of Compromise (IOCs) to drive your Redline investigations. If you are not familiar with IOCs, I urge you to take a moment and head over to http://OpenIOC.org and have a look around. IOCs are the best way for finding indications of compromise and/or intrusion throughout your enterprise. IOCs are one of the main technologies that power Mandiant Intelligent Response, Mandiant's flagship IR appliance, and have previously been accessible in free products with IOC Editor & IOC Finder. Some blog entries that might help bring you up to speed are Ryan Kazanciya...

Modern Spies, An Excellent BBC Documentary

Modern Spies, An Excellent BBC Documentary: One of our sharp-eyed alums just informed me of an excellent new BBC series called Modern Spies. It appears to be focused primarily on the HUMINT side of the business but it does include interviews from active officers in MI6, MI5, the FBI and CIA. The full series does not appear to be available through the main website to people outside the UK but episode 1 (embedded below) is available through YouTube.

Another Targeted Email Campaign Using Researcher Credentials as Ploy

Another Targeted Email Campaign Using Researcher Credentials as Ploy: In another turn of interesting events, during the course of my monitoring of targeted attacks, specifically of advanced persistent threats, I came upon an email with a PDF attachment that had just a measly 4 out of 42 generic or heuristic detections. I checked out the email and whoa! – it was an email from a trusted researcher colleague and friend in FireEye who was also monitoring these kinds of campaigns, or to put it accurately, it looks like it. Looks legit, right? However, my first-hand instinct told me that something was definitely amiss, and I zeroed in first on the email headers, where I was expecting to find some spoofing details, which I did. The headers were clearly spoofed. The email address and other contact details of my colleague – even the FireEye company logo – were used as part of a social engineering ploy by the attackers behind this particular campaign. The email address seen in the Ret...

Is CVE-2012-0507 the best toolkit to exploit Mac OS X?

Is CVE-2012-0507 the best toolkit to exploit Mac OS X?: The recent advent of Flashback malware that includes exploit code for CVE-2012-0507 has been creating waves and has been quickly adopted by various other attackers, as Websense® Security Labs™ has shown. This blog post details some of the aspects of CVE-2012-0507 and how this exploit has been used in the wild. The Java code first starts with the excerpt below: The string "sobj" contains a stream of characters that trigger the vulnerability and force Java to render something which it usually wouldn't be allowed to. The string "8BCA ..." is obfuscated with an XOR key of 0x27, shown below: After this string is de-obfuscated, it looks something like the image below: We compared the exploit code used in the Flashback campaign (above) with another instance in the wild that surfaced recently. Apparently, the attacker is using the exploit code provided by the Metasploit framework. The only differen...

Flashfake Removal Tool and online-checking site

Flashfake Removal Tool and online-checking site: After intercepting one of the domain names used by the Flashback/Flashfake Mac Trojan and setting up a special sinkhole server last Friday, we managed to gather stats on the scale and geographic distribution of the related botnet. We published information on this in our previous blog entry. We continued to intercept domain names after setting up the sinkhole server and we are currently still monitoring how big the botnet is. We have now recorded a total of 670,000 unique bots. Over the weekend (7-8 April) we saw a significant fall in the number of connected bots: This doesn't mean, however, that the botnet is shrinking rapidly – these are merely the numbers for the weekend. Over the last few days our server has registered all the data sent by bots from the infected computers and recorded their UUIDs in a dedicated database. Based on this information we have set up an online resource where all users of Mac OS X can check if their c...

toolsmith: Log Parser Lizard

toolsmith: Log Parser Lizard: Prerequisites: Windows, Microsoft Log Parser 2.2, Microsoft .NET 3.5. Introduction: At RSA Conference 2012 I gave a presentation called Evil Through The Lens of Web Logs. This presentation is built on research I'm conducting for a SANS Gold paper for graduate school and pays particular attention to SQL injection and Remote File Include attacks. One of the tools discussed as very useful for analysis tactics is Log Parser Lizard. You're probably familiar with Log Parser, but I'll bet you didn't know there was a great GUI-based tool with which to leverage its raw power with ease. Log Parser Lizard (LPL) is the brainchild of Dimce Kuzmanov, a Macedonian software engineer, who started Lizard Labs in 1998. In 2006, while also working as a part-time sysadmin on financial systems, Dimce recognized that he was using Logparser on a daily basis for creating reports, analyzing logs, automatic error reporting, transferring data with txt files, etc. Over time his collection of queri...

MIR-ROR 2.0 released

MIR-ROR 2.0 released: MIR-ROR 2.0 has been released, as the project has benefited from Jon Mark Allen's (ubahmapk) many contributions, giving MIR-ROR some much needed attention. MIR-ROR, or Motile Incident Response - Respond Objectively, Remediate, is a command-line script specialized for security incident response that calls specific Windows Sysinternals tools, as well as some other useful utilities, to provide live capture data for investigation. You can easily enhance MIR-ROR to your liking with whatever command line tools you find useful. As an incident response resource, we've found it indispensable. Windows Sysinternals licensing prevents us from bundling the tools in a distribution package; you'll have to retrieve them for yourself. You can download the complete Sysinternals Suite, along with the other utilities needed, and unpack them in a preferred directory on your system (C:\tools\MIR-ROR). Check fetch.txt for everything you need to download. Please feel free to s...