Patch for MS15-034 RIGHT NOW!

Posted on April 15, 2015 by Brent Huston

If you have exposed IIS servers or internal ones as well, pay attention to MS15-034.

Accelerate this patch to immediate. Don’t wait for patching windows, SLAs or maintenance periods. Test the patch, sure, but get it applied ASAP.

This is a remotely executable vulnerability without authentication. It affects a wide range of Windows systems. It offers trivial denial of service exploitation and the bad guys are hard at work building click and drool tools for remote code execution. The clock is ticking, so please, accelerate this patch if possible.

For any additional information or assistance, please contact your account executive or drop us a line via info@microsolved.com.

Thanks and stay safe out there!

NanoCore RAT

Posted on March 30, 2015 by Adam Luck

It’s been discovered that a Remote Access Trojan (RAT) named NanoCore has been cracked again. These cracked copies are being heavily distributed via the deep and dark web. Due to the fact that malicious actors are now able to obtain this RAT for free, there has been a spike of observed NanoCore infections. For example, it was recently reported that the cracked copies are being leveraged in phishing attacks against energy companies. Unfortunately, we anticipate that the attempted use of this RAT will increase over the next few weeks.

However, there is some good news regarding the spread of NanoCore. First, the observed methods for deploying this malware do not seem to be very complicated. The attacks appear to be leveraging basic e-mail phishing which can be prevented by tuning spam filters and performing security awareness training with staff. Second, the attacks appear to be attempting to exploit vulnerabilities that are 2-3 years old. Your organization’s workstations should already have patches installed that will prevent the malware from being deployed. Finally, several commercial IDS/IPS systems are already able to detect this RAT. To ensure that your organization is protected, be sure to verify that your IDS/IPS/AV signatures are up to date.

We are more than happy to answer any questions that you might have about this RAT. Feel free to contact us by emailing <info> at microsolved.com

Lots of PHP Web Shells Still Circulating

Posted on March 6, 2015 by Brent Huston

Many PHP-based web shells are still making the rounds, and while many of them are based on old code, mutations, customizations and updates abound. They are so common, that new variants and modified versions are often seen at the rate of about 10 a day in our TigerTrax Threat Intelligence systems and honeypots.

Variants exist for a wide variety of platforms and human languages, many with some very nasty features and even some cool ASCII art. There are many variants for attackers to choose from for just about any of the popular PHP-based content management platforms. From WordPress to Joomla and beyond to the far less common apps, there are easily used exploits and shell kits widely available.

If you run a PHP-based site or server, it’s a good idea to keep an eye on the file system changes and watch closely for new files being uploaded or added. Pay particular attention to those using the “base64_decode” function, since it is so common among these tools.

Thanks for reading, and until next time, stay safe out there!

Malware Can Hide in a LOT of Places

Posted on March 4, 2015 by Brent Huston

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CD’s, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so called, Internet of Things (IoT), continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission), more than 30 different computers, phones, tablets, smart TV’s and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

Pay Attention to this Samba Vulnerability

Posted on February 27, 2015 by Brent Huston

We have a feeling that this recent Samba vulnerability should be at the top of your mind. We are seeing a lot of attention to this across a variety of platforms and we wanted to make sure you saw it. It should be patched as soon as possible, especially on highly sensitive data stores and critical systems.

Let us know if you have any questions.

Keep Your Hands Off My SSL Traffic

Posted on February 24, 2015 by Brent Huston

Hey, you, get off my digital lawn and put down my binary flamingos!!!!!

If you have been living under an online rock these last couple of weeks, then you might have missed all of the news and hype about the threats to your SSL traffic. It seems that some folks, like Lenovo and Comodo, for example, have been caught with their hands in your cookie jar. (or at least your certificate jar, but cookie jars seem like more of a thing…)

First, we had Superfish, then PrivDog. Now researchers are saying that more and more examples of that same code being used are starting to emerge across a plethora of products and software tools.

That’s a LOT of people, organizations and applications playing with my (and your) SSL traffic. What is an aging infosec curmudgeon to do except take to the Twitters to complain? 🙂

There’s a lot of advice out there, and if you are one of the folks impacted by Superfish and/or PrivDog directly, it is likely a good time to go fix that stuff. It also might be worth keeping an eye on for a while and cleaning up any of the other applications that are starting to be outed for the same bad behaviors.

In the meantime, if you are a privacy or compliance person for a living, feel free to drop us a line on Twitter (@lbhuston, @microsolved) and let us know what your organization is doing about these issues. How is the idea of prevalent man-in-the-middle attacks against your compliance-focused data and applications sitting with your security team? You got this, right? 🙂

As always, thanks for reading, and we look forward to hearing more about your thoughts on the impacts of SSL tampering on Twitter!

Telnet!? Really!?

Posted on February 11, 2015 by Adam Luck

I was recently analyzing data from the HITME project that was collected during the month of January. I noticed a significant spike in the observed attacks against Telnet. I was surprised to see that Telnet was being targeted at such a high rate. After all, there can’t be that many devices left with Telnet exposed to the internet, right?

Wrong. Very wrong. I discovered that there are still MILLIONS of devices with Telnet ports exposed to the internet. Due to Telnet’s lack of security, be sure to use SSH as opposed to Telnet whenever possible. If you absolutely must control a device via Telnet, at least place it behind a firewall. If you need to access the device remotely, leverage the use of a VPN. Finally, be sure to restrict access to the device to the smallest possible IP range.

The map below shows the geographical locations and number of attacks against Telnet that we observed last month. If you need any help isolating Telnet exposures, feel free to contact us by emailing info <at> microsolved.com.

RansomWeb Attacks Observed in HITME

Posted on February 3, 2015 by Adam Luck

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse. A new technique called RansomWeb is affecting production web-based applications. I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications. I can only assume the frequency of these attacks will increase throughout the year. As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware. Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application. Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files. Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files. Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
Audit your application and system logs for any irregular entries.
Verify that you are performing regular application and system backups.
Be sure to test the backup/ restore process for your applications and systems on a regular basis. After all, your backup/ DR process is only as effective as your last successful restore.

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com

Recently Observed Attacks By Compromised QNAP Devices

Posted on January 30, 2015 by Adam Luck

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit. For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices. If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system. If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices. The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system. These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems. If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

Spike in HITME NTP Probes Following Recent Exploits

Posted on January 6, 2015 by Brent Huston

For those of you that are unfamiliar with the HITME project, it is a set of deployed HoneyPoints that gather real-world, real-time attacker data from around the world. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. We frequently feed these attack signatures into our vulnerability management service to ensure that our customers are tested against the most current forms of attacks being used on the Internet.

On a monthly basis, we have been taking a step back and looking at our HITME data from a bird’s eye view to find common attack patterns. Throughout December, we observed a significant increase in attacks against Port 123 (NTP). This is due to the recent discovery of a vulnerability within NTP.

A majority of the attacks we observed against Port 123 appeared to originate out of the United States of America, Germany, Switzerland, Russia, and China.

This vulnerability should be addressed as soon as possible as exploits are publicly available. All NTP Version 4 releases prior to Version 4.2.8 are vulnerable and need to be updated to Version 4.2.8. Do not hesitate to contact us at info@microsolved.com if you require any assistance in responding to this vulnerability.

This blog post by Adam Luck.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Emerging Threats