Category Archives: Emerging Threats

More Tales From the Tweetstream: HoneyPoint Wasp Detects Trojan Attack

Posted on by
Reply

A very interesting discovery!

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/44751049545879552″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/44751709305708544″]

[blackbirdpie url=”http://twitter.com/#!/lbhuston/status/44752439404011520″]

We’re pretty proud of HoneyPoint Wasp, our newest addition to our HoneyPoint family; for exactly this reason. It is able to detecti attacks earlier, automatically disrupting attacker activity and by giving you intelligence about the source, intent and capability of attackers.

Want to learn more? Check out our HoneyPoint Wasp page!

Quick Advisory: Several new DB2 & PostgresSQL Exploits in the Wild

Posted on by
Reply

In the last couple of days, several new vulnerabilities, some with exploit code, have been made public in the DB2 database and PostgresSQL products. Given the core sensitivity of the data and business processes often handled by these applications, we thought we would post about them.

If you are running these applications as a part of your core business processes, now might be a good time to check with the vendor support sites, download the available updates and get them into your weekend maintenance windows as a critical update.

Given the exploit code availability and the ease of exploitation for a couple of these issues, their impact could be high if an attacker is in position to leverage them against your organization.

As with all of your applications, these should already be a part of your ongoing patching cycles, though these components are often missed or ignored as “too critical to patch”. Don’t make that mistake.

If you would like more information about the issues or would like to schedule a briefing privately with one of our engineers, please give your account executive a call or email. As always, thanks for selecting MicroSolved as your security partner!

Opinion: Warez More Dangerous Than P0rn

Posted on by
1


A couple of vendors have been talking about how prevalent malware is in online porn these days, but during our testing of HoneyPoint Wasp, we found pirated software (or “warez”) to be among the most concerning. Pornography is still a dangerous segment for infection, but it seems that grabbing so called “cracks” and “keygens”, along with pirated programs from the web and peer to peer networks is even more dangerous.

In our testing, it took us around 1/8 of the time to find infected warez that it took to find infected pornographic sites. In fact, our estimates are that less than 10% of the pornography files we tested (excluding “codecs”, obvious Trojan Horses) were infected, while nearly 90% of the cracking and keygen tools were, in fact, malware. In many cases, the warez would appear to work, but contained a background dropper that would install one or more pieces of adware, spyware or other malicious software. Even worse, in a clear majority of our testing cases, several of these malicious programs were missed by the consumer-grade anti-virus applications we had installed on the test bed. We used the white listing capability of HoneyPoint Wasp as the control and indeed identified a large number of malicious programs that traditional AV missed.

The key point of this topic though, is that pirated software remains a significant threat to businesses without proper license controls. Particularly, small and mid-size businesses where piracy often runs rampant, present a very wide target for attackers. Good policies against pirated software, user awareness and the use of license enforcement/asset inventory tools are useful controls in ramping up protection against this attack vector.

How has your organization fared against pirated software? What controls do you have in place to reduce both the legal liability and the malware threat that warez represents?

Welcome to the Post-Zeus/Stuxnet World!

Posted on by
Reply

The new year is always an interesting time in infosec. There are plenty of predictions and people passing on their visions of what the new year will hold. Instead of jumping on that bandwagon, I want to turn your attention not forward into the crystal ball, but backwards into the past.

While we were all focused on the economy last year, the entire information security threatscape suddenly changed, under the watchful eyes of our security teams. To me, the overall effectiveness, capability and tenacity of both Zeus and Stuxnet is an Oppenheimer moment in information security. For the first time, we see truly effective bot-net infections for hire that have REAL insight and awareness into specific business processes that move money. Attackers leveraging Zeus on a wide scale and in precise ways were able to grab funds, perpetrate new forms of fraud and steal from us in ways that many of us were unprepared for. It raised the bar on malicious software for criminals and that bar is now about to be raised further and further as criminals extend the concepts and techniques used to go beyond the present levels. On the other hand, Stuxnet represents a truly weaponized piece of code with a modular, expansive and highly extensible nature. It also showed an EXTREME amount of intelligence about the target processes, in this case specific SCADA systems, and perpetrated very very specific forms of attack. In the future those concepts may be extended outward to include attacks that cause loss of life or critical services, even as some of the core concepts of the Stuxnet code are applied to crimeware designed for fraud and theft.

All told, this quick look back at the past should lead us to identify that we must find new ways to increase our resistance to these forms of attack. Here are our challenges:

1) Clearly, simple anti-virus, even when combined with basic egress filtering at the network edges, has proven to be minimally protective. We have to identify the means for creating additional layers of protection against crimeware, and that begins with the absolutely HUGE task of creating mechanisms to defend our user workstations.

2) We have to do our best to prevent the infection of these systems, but MORE IMPORTANTLY, we have to develop and implement strong processes for identifying infected hosts and getting them out of our environment. Not only will this help us directly protect against the threats of crimeware and fraud, but it will also pay off in the longer term if we are able to reduce the overall load of bot-net infected systems which are in play against all of us for fraud, spam processing and DDoS attacks.

Just like in life, keeping your own house safe helps all of us to be safer. This is the very reason we build the HoneyPoint products and Wasp specifically. We want to help you find a better way to keep your systems safe at that level and thus far, Wasp is working well for customers around the world. (More on that in the coming months.)

I hope the new year brings you much success, joy and opportunity. I also hope this look backward helps drive awareness of what might lay ahead in the coming months and years. As always, thanks for reading and drop us a line if you want to discuss the issues. You can also find us on Twitter at @microsolved or myself, personally @lbhuston. Happy new year!

3 Changes in Crimeware You Can Count On

Posted on by
1

Crimeware is becoming a significant threat to most organizations. The capability and dependence on crimeware as an attack model is growing. With that in mind, here are 3 things that the folks at MSI think you will see in the next year or two with crimeware:

1. Cross platform crimeware will grow. Attackers will continue to embrace the model of malware that runs everywhere. They will focus on developing tools capable of attacking systems regardless of operating system and will likely include mobile device platform capability as well. They have embraced modern development capabilities and will extend their performance even further in the coming years.

2. Specialized crimeware will continue to evolve. Organized criminals will continue to develop malware capable of focusing in on specific business processes, keying on specific types of data and attacking specific hardware that they know are used in areas they wish to compromise. Whether their targets are general data, ATM hardware, check scanners or the smart grid, the days of crimeware being confined to desktop user PCs are over. The new breed knows how ACH works, can alter firmware and is capable of deeper comprise of specific processes.

3. Crimeware will get better at displacing the attack timeline. Many folks consider malware to be symetric with time. That is, they see it as being operational continually across the event horizon of a security incident. However, this is not always true and attackers are likely to grow their capability in this area in the coming years. Modern malware will be very capable of making its initial compromise, then sitting and waiting to avoid detection or waiting for the right vulnerability/exploit to be discovered, etc. The attacks from the next generations will have a much longer tail and will come in a series of waves and lulls, making detection more difficult and extending the time window of control for the attackers.

MSI believes that organizations need to be aware of these threats and ideas. They must get better at detecting initial stage compromises and begin to focus on closing the window of opportunity attackers now have, once they get a foothold (in most cases days-months). Prevention is becoming increasingly difficult, and while it should not be abandoned, more resources should be shifted into developing the capability to detect incidents and respond to them.

OpenSSL Vulnerability

Posted on by
Reply

A new security issue in OpenSSL should be on the radar of your security team. While Stunnel and Apache are NOT affected, many many other packages appear to be. The issue allows denial of service and possibly remote code execution.

Patches for OpenSSL and many packages that use it are starting to roll in. Check with your favorite vendor on the issue for more information. The CVE is: CVE-2010-3864

HoneyPoint users who leverage black hole defenses should ensure that they have exposed port 443/tcp honeypoints and have dilated other common ports for their applications that might be vulnerable. Internal HoneyPoint users should already have these ports deployed, but if not, now is a good time to ensure that you have HoneyPoint coverage for any internal applications that might be using OpenSSL. Detecting scans and probes across the environment for this issue is highly suggested given the high number of impacted applications and platforms.

If you have any questions about this issue or the proper HoneyPoint deployment to detect probes and scans for it, please give us a call or drop us a line. We will be happy to discuss it and assist you.

Keep Your Eyes on This Adobe 0-Day

Posted on by
Reply

A new Adobe exploit is circulating via Flash movies in the last day or so. Looks like the vulnerability is present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures and evolves and gets patched, it is a good time to double check your patching process for workstation and server 3rd party software. That should now be a regular patching process like your ongoing operating system patches at this point. If not, then it is time to make it so.

Users of HoneyPoint Wasp should be able to easily any systems compromised via this attack vector using the white listing detection mechanism. Keep a closer than usual eye out for suspicious new processes running on workstations until the organization has applied the patch across the workstation environment.

SAMBA Vuln Could Be Dangerous

Posted on by
Reply

If you are not already looking at the newest SAMBA issue, you should be paying attention. It is a stack-based buffer overflow, exploitable remotely without credentials. The MetaSploit folks are already hard at work on an exploit and some versions are rumored to be floating about the underground.

The vulnerability exists in OS X, Linux and a variety of appliance platforms using the core SAMBA code. Updates are starting to roll into the primary distributions and OS images. Ubuntu, for example, already has a fixed version available.

You can read the SAMBA folks release here for more information.

Likely, wide scale exploitation is on the horizon and malware/worm development is also predicted for this particular issue.

In terms of actions, begin to understand where SAMBA is used in your environment, reduce your attack surfaces as much as possible, implement the patches where available and increase your vigilance on SAMBA utilizing systems/processes.

Keep your eyes on this one. With this also being a fairly heavy/serious Microsoft patch day, your security team and admins might be focused on other things. You don’t want this one to slip through the cracks.

Excellent Source for Metrics on PHP RFI

Posted on by
1

My friend Eric has put up some excellent statistics and metrics on PHP RFI attacks against his honeynet. This is some excellent data. If you have read other stuff we have pointed to from Eric, then you know what to expect. But, if you are interested in a real world look at trends and metrics around PHP exposures, give this a few moments of your time.

You can find the interface and metrics set here.

Check it out, I think you’ll be impressed. Thanks, as always, to Eric and other folks in the honeypot community for all of their hard work, time and attention.

If you have some honeypot metrics to share, drop a comment below! As always, thanks for reading!