Majority of Users Still Vulnerable to Java Exploits

Throughout the last 6 weeks, Websense® Security Labs™ has been collecting telemetry from our Websense ThreatSeeker® Network to provide insight into usage of the most recent version of Java. Following our March 2013 study that
l…

Twitter Adopt 2FA; Here Is What You Can Do

In the wake of recent account compromises, including Associated Press and the rampant breaches orchestrated by the “Syrian Electronic Army“, Twitter have recently released
2FA (2 Factor Authentication), which is a most welcome addition to
bolster users’ security. It is not, however, the be-all and end-all:
users are still responsible for choosing strong, hard-to-guess
passwords. If your password is compromised, control of your account may
be lost to malicious actors.

 

While it’s true that, given enough time and resources, all passwords
are crackable regardless of their complexity – a pass-string of 200
random characters is ultimately just as vulnerable to brute forcing as a
password containing just one character – the aim of a complex
pass-string  is to make an attack chronologically infeasible. Let’s
first take a look at the total number of possible combinations for a
given base of elements:

 

 

 

…(read more)

WebShells WebShells on the Web Server

This blog describes briefly what WebShells are, and how attackers can
use WebShells to gain powerful shell level/system level access to a
server. WebShells have been used in attacks for quite a long time now,
but with changes in attack tre…

Cyber Criminals Exploiting the Boston Marathon Aftermath [UPDATED]

While the world recoils in shock at the horrifying events at Monday’s Boston Marathon, cybercriminals are actively seeking to exploit people’s thirst for information and eagerness to help those affected by the attacks.

The Websense ThreatSeeker® Intelligence Cloud is currently detecting and blocking multiple email-borne campaigns that attempt to lure unsuspecting recipients to malicious websites in order to exploit their machines for criminal gains.

Let’s follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We’ll also show that breaking any one link in the chain can protect potential victims.

 

Stage 1: Reconnaissance

This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday’s events), and then propagate their lure to as many people as possible.

 

Stage 2: Lure

Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:

  • 2 Explosions at Boston Marathon
  • Aftermath to explosion at Boston Marathon
  • Boston Explosion Caught on Video
  • BREAKING – Boston Marathon Explosion
  • Explosion at the Boston Marathon
  • Explosions at Boston Marathon
  • Explosions at the Boston Marathon
  • Runner captures. Marathon Explosion
  • Video of Explosion at the Boston Marathon

The message body itself, in most cases, contains a single URL in the format http://<IP Address>/news.html or http://<IP Address>/boston.html with no further detail or information. At this point, the recipient is lured to click on the malicious link, which ushers them on to stage 3.

 

Stage 3: Redirect

Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below) while an iframe redirects them to an exploit page.

 

Stage 4 – Exploit Kit

Based on an analysis of a sample set of the malicious URLs seen in this campaign so far, the RedKit Exploit Kit has been used to, in our case, exploit an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file onto our analysis machine.

 

Stage 5 – Dropper File

Rather than using a dropper file, which contains the malicious code within itself and often packed to prevent detection by antivirus signatures, this campaign uses a downloader belonging to the Win32/Waledac family which is used to download further malicious binaries. In this case, two bots named Win32/Kelihos and Troj/Zbot are downloaded and installed on the compromised machine in order to join it to the cyber-criminals’ bot network.

 

Stage 6 – Call Home / Stage 7 – Data Theft

Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.

 

 

Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature.  In addition to blocking lures at stage 2 before they reach end-users, access to malicious destinations throughout stages 3 through 6 are denied which, combined with data loss controls to protect against stage 7, help to ensure that your data stays where it belongs and not in the hands of an attacker.

Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies. Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.

 

 

[Update]

 

Thursday, April 18, 2013:

The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.

The emails are similar, but use texas.html instead of boston.html path.

 

Subjects lines include:

 

  • Texas Plant Explosion
  • Raw: Texas Explosion Injures Dozens
  • Texas Explosion Injures Dozens
  • CAUGHT ON CAMERA: Fertilizer Plant Explosion
  • Waco Explosion HD
  • Video footage of Texas explosion
  • Plant Explosion Near Waco, Texas
  • West Tx Explosion

 

 

The lure pages have updated titles, but the rest is similar:

 

 

Websense Security Labs will continue to monitor this campaign.

DNS Poisoning Hits Kenya Google, MSN, Skype…

The Websense ThreatSeeker® Network has detected that a DNS poisoning attack is happening in Kenya, with local big name websites in information technology targeted including Google, Bing, and LinkedIn. Although DNS records p…