Login

Username:

Password:

Remember me



Lost Password?

Register now!

Related Sponsor

Related Sponsor

Headlines


Recent Headlines
Vuln: D-Link DCS-2103 CVE-2014-9238 Directory Tra... SecurityFocus Vulns
D-Link DCS-2103 CVE-2014-9238 Directory Traversal Vulnerability
Vuln: Mozilla Firefox/Thunderbird CVE-2014-1593 B... SecurityFocus Vulns
Mozilla Firefox/Thunderbird CVE-2014-1593 Buffer Overflow Vulnerability
Vuln: Mozilla Firefox/Thunderbird CVE-2014-1592 U... SecurityFocus Vulns
Mozilla Firefox/Thunderbird CVE-2014-1592 Use After Free Memory Corruption Vulnerability
Vuln: Mozilla Firefox/Thunderbird CVE-2014-1594 S... SecurityFocus Vulns
Mozilla Firefox/Thunderbird CVE-2014-1594 Security Vulnerability
TA14-329A: Regin Malware US-CERT
Original release date: November 25, 2014

Systems Affected

Microsoft Windows NT, 2000, XP, Vista, and 7

Overview

On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

Description

Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.  

Impact

Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. [1]

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2]
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

MD5s: [1]

Stage 1 files, 32 bit:

06665b96e293b23acc80451abb413e50

187044596bc1328efa0ed636d8aa4a5c

1c024e599ac055312a4ab75b3950040a

2c8b9d2885543d7ade3cae98225e263b

4b6b86c7fec1c574706cecedf44abded

6662c390b2bbbd291ec7987388fc75d7

b269894f434657db2b15949641a67532

b29ca4f22ae7b7b25f79c1d4a421139d

b505d65721bb2453d5039a389113b566

26297dc3cd0b688de3b846983c5385e5

ba7bb65634ce1e30c1e5415be3d1db1d

bfbe8c3ee78750c3a520480700e440f8

d240f06e98c8d3e647cbf4d442d79475

ffb0b9b5b610191051a7bdf0806e1e47

Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

01c2f321b6bfdb9473c079b0797567ba

47d0e8f9d7a6429920329207a32ecc2e

744c07e886497f7b68f6f7fe57b7ab54

db405ad775ac887a337b02ea8b07fddc

Stage 1, 64-bit system infection:

bddf5afbea2d0eed77f2ad4e9a4f044d

c053a0a3f1edcbbfc9b51bc640e808ce

e63422e458afdfe111bd0b87c1e9772c

Stage 2, 32 bit:

18d4898d82fcb290dfed2a9f70d66833

b9e4f9d32ce59e7c4daf6b237c330e25

Stage 2, 64 bit:

d446b1ed24dad48311f287f3c65aeb80

Stage 3, 32 bit:

8486ec3112e322f9f468bdea3005d7b5

da03648948475b2d0e3e2345d7a9bbbb

Stage 4, 32 bit:

1e4076caa08e41a5befc52efd74819ea

68297fde98e9c0c29cecc0ebf38bde95

6cf5dc32e1f6959e7354e85101ec219a

885dcd517faf9fac655b8da66315462d

a1d727340158ec0af81a845abd3963c1

Stage 4, 64 bit:

de3547375fbf5f4cb4b14d53f413c503

Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.

Registry branches used to store malware stages 2 and 3:

\REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}

\REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}

IP IOCs [3]:

61.67.114.73

202.71.144.113

203.199.89.80

194.183.237.145

References

Revision History

  • November 25, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


TA14-323A: Microsoft Windows Kerberos KDC Remote ... US-CERT
Original release date: November 19, 2014 | Last revised: November 25, 2014

Systems Affected

  • Microsoft Windows Vista, 7, 8, and 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Overview

A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]

Description

The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.

At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.

Impact

A valid domain user can pass invalid domain administrator credentials, gain access and compromise any system on the domain, including the domain controller. [2]

Solution

An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and Microsoft Research Security and Defense Blog for more details, and apply the necessary updates.[1, 3

References

Revision History

  • November 19, 2014: Initial Draft
  • November 25, 2014: Revised formatting

This product is provided subject to this Notification and this Privacy & Use policy.


TA14-318B: Microsoft Windows OLE Automation Array... US-CERT
Original release date: November 14, 2014

Systems Affected

  • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Overview

A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1]

Description

The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory.[2] In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET).

This vulnerability can be exploited using a specially-crafted web page utilizing VBscript in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and VBscript.

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647.

Impact

Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system. 

Solution

An update is available from Microsoft.[3] Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates.

References

Revision History

  • November 14, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


TA14-318A: Microsoft Secure Channel (Schannel) Vu... US-CERT
Original release date: November 14, 2014

Systems Affected

  • Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1
  • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Microsoft Windows XP and 2000 may also be affected.

Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]

Description

Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]

It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]

Impact

This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]

Solution

Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]

References

Revision History

  • November 14, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


TA14-317A: Apple iOS "Masque Attack" Technique US-CERT
Original release date: November 13, 2014 | Last revised: November 17, 2014

Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was described by FireEye mobile security researchers [1], Stefan Esser of SektionEins, and Jonathan Zdziarski. This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.  

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

  1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
  2. Don’t click “Install” from a third-party pop-up when viewing a web page.
  3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.

References

Revision History

  • November 13, 2014: Initial Release
  • November 17, 2014: Vulnerability attribution amended

This product is provided subject to this Notification and this Privacy & Use policy.


TA14-310A: Microsoft Ending Support for Windows S... US-CERT
Original release date: November 10, 2014

Systems Affected

Microsoft Windows Server 2003 operating system

Overview

Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:

  • Security patches that help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3]

Impact

Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.

Solution

Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and or availability of data, system resources and business assets.

The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.[2]

Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4,5] US-CERT does not endorse or support any particular product or vendor.

References

Revision History

  • November 10, 2014: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


TA14-300A: Phishing Campaign Linked with “Dyre... US-CERT
TA14-295A: Crypto Ransomware US-CERT
TA14-290A: SSL 3.0 Protocol Vulnerability and POO... US-CERT
TA14-268A: GNU Bourne-Again Shell (Bash) ‘Shell... US-CERT
News: Change in Focus SecurityFocus News
News: Google: 'no timetable' on China talks SecurityFocus News
News: Monster botnet held 800,000 people's detail... SecurityFocus News
News: Latvian hacker tweets hard on banking whist... SecurityFocus News
News: MS uses court order to take out Waledac bot... SecurityFocus News
Brief: Google offers bounty on browser bugs SecurityFocus News
Brief: Cyberattacks from U.S. "greatest concern" SecurityFocus News
Brief: Microsoft patches as fraudsters target IE ... SecurityFocus News
Brief: Attack on IE 0-day refined by researchers SecurityFocus News
News: Twitter attacker had proper credentials SecurityFocus News
News: PhotoDNA scans images for child abuse SecurityFocus News
News: Conficker data highlights infected networks SecurityFocus News
Infocus: Enterprise Intrusion Analysis, Part One SecurityFocus News
SANSFIRE 2011 SANS Information Security Reading Room
Bugtraq: Persistent XSS Vulnerability in CMS Papo... SecurityFocus Vulns
SANSFIRE 2011 @RISK: The Consensus Security Alert
Infocus: Responding to a Brute Force SSH Attack SecurityFocus News
Mass SQL Injection for Malware Distribution SANS Information Security Reading Room
Bugtraq: Vulnerabilities in Ekahau Real-Time Loca... SecurityFocus Vulns
Infocus: Data Recovery on Linux and ext3 SecurityFocus News
Malcode Context of API Abuse SANS Information Security Reading Room
Bugtraq: CVE-2014-2026 Reflected Cross-Site Scr... SecurityFocus Vulns
Infocus: WiMax: Just Another Security Challenge? SecurityFocus News
Four Attacks on OAuth - How to Secure Your OAuth ... SANS Information Security Reading Room
Bugtraq: CVE-2014-2025 Remote Code Execution (R... SecurityFocus Vulns
Gunter Ollmann: Time to Squish SQL Injection SecurityFocus News
Security Vulnerabilities and Wireless LAN Technol... SANS Information Security Reading Room
More rss feeds from SecurityFocus SecurityFocus Vulns
Mark Rasch: Lazy Workers May Be Deemed Hackers SecurityFocus News
Animal Farm: Protection From Client-side Attacks ... SANS Information Security Reading Room
Adam O'Donnell: The Scale of Security SecurityFocus News
Auditing for Policy Compliance with QualysGuard a... SANS Information Security Reading Room
Mark Rasch: Hacker-Tool Law Still Does Little SecurityFocus News
Tracking Malware With Public Proxy Lists SANS Information Security Reading Room
More rss feeds from SecurityFocus SecurityFocus News
Application Whitelisting: Panacea or Propaganda SANS Information Security Reading Room

Bookmark and Share