{"id": "FIREEYE:1A61A821CE69D378830204326B2E938C", "title": "CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit", "modified": "2016-04-07T08:30:00", "history": [], "published": "2016-04-07T08:30:00", "type": "fireeye", "references": [], "objectVersion": "1.2", "reporter": "Genwei Jiang", "edition": 1, "enchantments": {"vulnersScore": 9.3}, "cvelist": ["CVE-2016-1019", "CVE-2015-2419"], "hash": "18308a823efc89d7dae845049b8830afe5e48bc844fd7ce19dc3c20885952037", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "52a47ce7bdf650e9c72c912ba9bcf23d", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "d940fdb7d120a5219999e9a6c460a5f0", "key": "description"}, {"hash": "c6ac2599388a2efe2b63fa51bbce52fd", "key": "href"}, {"hash": "9656e6167498ea5f9ec8e7bf4c834bfb", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9656e6167498ea5f9ec8e7bf4c834bfb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a1cfba49312c9e063a881bc8e9919d9b", "key": "reporter"}, {"hash": "0a7cb2757de424e94c227972950fc5a9", "key": "title"}, {"hash": "bf8fcf8f58466941d03091f73ff46e0c", "key": "type"}], "viewCount": 14, "description": "On April 2, security researcher @Kafeine at Proofpoint [discovered a change to the Magnitude Exploit Kit](<https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg>). Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).\n\nWhile version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovations into exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.\n\n##### Exploit Delivery Chain \n\n\nMagnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen\u2019s dimensions and color depth (Figure 1).\n\n\n\nFigure 1. JS of Profile Gate\n\nThe server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.\n\n\n\nFigure 2. JS of redirecting to main exploit page\n\nIn our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).\n\n\n\nFigure 3. JS of loading exploits\n\n##### The Flash Exploit\n\nA memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the flash memory allocator to allocate buffers under the attacker\u2019s control. The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit\u2019s code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.\n\n\n\nFigure 4. ActionScript of Flash exploits\n\n##### Conclusion\n\nThis is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications \u2013 such as Internet Explorer/Edge and Flash Player \u2013 change the game.\n\nDespite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as [EMET](<https://support.microsoft.com/en-us/kb/2458544>) from Microsoft. \n \nClick [here](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) for the security bulletin issued by Adobe.\n\n##### Acknowledgements\n\nA huge thank you to @Kafeine, without whom this discovery would not be possible. His diligence continues to keep this industry at pace with exploit kit authors around the world.\n\n##### Appendix\n\nres://\\Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files\\Fiddler2\\Fiddler.exe/#3/#32512 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567 \nres://\\Program%20Files%20(x86)\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996 \nres://\\Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110 \nres://\\Program%20Files%20(x86)\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\mbamext.dll/#2/202 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/200 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\mbae.exe/#2/201 \nres://\\Program%20Files%20(x86)\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files\\Malwarebytes Anti-Exploit\\unins000.exe/#2/DISKIMAGE \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files\\Trend Micro\\Titanium\\TmConfig.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 \nres://\\Program%20Files\\Trend Micro\\Titanium\\TmSystemChecking.dll/#2/#30994 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0 for Windows Workstations\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\shellex.dll/#2/#102 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2010\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2011\\avzkrnl.dll/#2/BBALL \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2012\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 2013\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Internet Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 14.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.1\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 15.0.2\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky Total Security 16.0.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 2.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky CRYSTAL 3.0\\x86\\mfc42.dll/#2/#26567 \nres://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567 \nres://\\Program%20Files\\Kaspersky Lab\\Kaspersky PURE\\mfc42.dll/#2/#26567\n", "bulletinFamily": "info", "href": "https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "lastseen": "2017-03-07T16:24:19"}

{"result": {"cve": [{"id": "CVE-2016-1019", "type": "cve", "title": "CVE-2016-1019", "description": "Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.", "published": "2016-04-07T06:59:01", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1019", "cvelist": ["CVE-2016-1019"], "lastseen": "2017-05-30T08:06:22"}, {"id": "CVE-2015-2419", "type": "cve", "title": "CVE-2015-2419", "description": "JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"JScript9 Memory Corruption Vulnerability.\"", "published": "2015-07-14T17:59:33", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2419", "cvelist": ["CVE-2015-2419"], "lastseen": "2017-09-22T10:42:10"}], "thn": [{"id": "THN:C86B358352EEF0DC351F2DD0FA088E77", "type": "thn", "title": "Adobe to issue Emergency Patch for Critical Flash Player Vulnerability", "description": "[](<https://3.bp.blogspot.com/-GqLnLJ0erIQ/VoIpMsXEkQI/AAAAAAAAl_I/SZRl9xL7k8I/s1600/adobe-flash-player-security-patch-update.png>)\n\nAdobe has been one of the favorite picks of the Hackers to mess with any systems devoid of any operating systems, as Flash Player is a front runner in all the browsers.\n\n \n\n\nHackers have already been targeting Flash Player for long by exploiting known vulnerabilities roaming in the wild.\n\n \n\n\nDespite Adobe's efforts, Flash is not safe anymore for Internet security, as one more critical vulnerability had been discovered in the Flash Player that could crash the affected system and potentially allow an attacker to take control of the system.\n\n \n\n\nDiscovered by a French Researcher _Kafeine_, FireEye's_ Genwei Jiang_, and Google's _Clement Lecigne,_ the flaw affects Adobe Flash Player 21.0.0.197 and its earlier versions for Windows, Macintosh, Linux and Chrome OS.\n\n \n\n\nThe vulnerability, assigned under CVE-2016-1019, also expands back to Windows 7 and even towards Windows XP.\n\n \n\n\nAdobe had also [confirmed](<https://helpx.adobe.com/security/products/flash-player/apsa16-01.html>) that the newly discovered vulnerability in its Flash Player is being exploited actively in the wild.\n\n \n\n\n### Update Adobe Flash Player Software\n\n \n\n\nThis issue caused the Adobe engineers to urgently work on a mitigation method and release an emergency update under [Flash Player 21.0.0.182](<https://get.adobe.com/flashplayer/>), which is expected to get released this Thursday.\n\n \n\n\nUsually, Adobe releases its patch on the second Tuesday of the month, the same day as Microsoft, but rolls out emergency patches on an ad hoc basis, analyzing the seriousness of the bug.\n\n \n\n\nThe endless Adobe updates and upgrades had failed to ensure the user security in the real time scenario. So it's high time for users to disable or completely uninstall Adobe Flash Player.\n\n \n\n\nBelieve or not, Adobe Flash Player is dead and its time has passed.\n\n \n\n\nIn January last year, YouTube moved away from Flash for delivering videos.\n\n \n\n\nAlthough in between Flash made an effort to beef up its security in a bid to justify its existence, things got a bit heated when Firefox became aware of a critical bug and [blocked the Flash plugin](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>) entirely.\n\n \n\n\nFacebook\u2019s Security Chief publicly called for Adobe to announce a kill date for Flash. In fact, Google Chrome has also begun blocking auto-playing Flash ads by default.\n", "published": "2016-04-05T23:26:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2016/04/adobe-flash-update.html", "cvelist": ["CVE-2016-1019"], "lastseen": "2018-01-27T10:06:53"}, {"id": "THN:48EB36B9BBEE6D28A599E0C7CE3BA0C9", "type": "thn", "title": "US Warns of 'DeltaCharlie' \u2013 A North Korean DDoS Botnet Malware", "description": "[](<https://1.bp.blogspot.com/-hkzXUb-YVK4/WUEpPWtqANI/AAAAAAAAtJM/WCJnuCuE5OEHcguz-fm_ZBsnx23blXhHACLcBGAs/s1600/north-korea-hacking-malware.png>)\n\nThe United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. \n \nThe [joint report](<https://www.us-cert.gov/ncas/alerts/TA17-164A>) from the FBI and U.S. Department of Homeland Security (DHS) provided details on \"**DeltaCharlie**,\" a malware variant used by \"**Hidden Cobra**\" hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network. \n \nAccording to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. \n \nWhile the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace \u2013 the one allegedly [linked to the devastating WannaCry ransomware](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>) menace that shut down hospitals and businesses worldwide. \n \n\n\n### DeltaCharlie \u2013 DDoS Botnet Malware\n\n \nThe agencies identified [IP addresses](<https://www.us-cert.gov/sites/default/files/publications/TA-17-164A_csv.csv>) with \"high confidence\" associated with \"DeltaCharlie\" \u2013 a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets. \n \nDeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including [Domain Name System](<https://thehackernews.com/2014/06/dns-flood-ddos-attack-hit-video-gaming.html>) (DNS) attacks, [Network Time Protocol](<https://thehackernews.com/2014/01/Network-Time-Protocol-Reflection-DDoS-Attack-Tool.html>) (NTP) attacks, and Character Generation Protocol (CGP) attacks. \n \nThe botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks. \n \nHowever, the DeltaCharlie DDoS malware is not new. \n \nDeltaCharlie was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report [[PDF](<https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf>)], which described this as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo. \n \nOther malware used by Hidden Cobra include [Destover](<https://securelist.com/destover/67985/>), Wild Positron or [Duuzer](<https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers>), and [Hangman](<http://telussecuritylabs.com/threats/show/TSL20150910-04>) with sophisticated capabilities, including [DDoS botnets](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>), keyloggers, remote access tools (RATs), and [wiper malware](<https://thehackernews.com/2013/03/south-korea-cyber-attack-wiper-malware.html>). \n \n\n\n### Hidden Cobra's Favorite Vulnerabilities\n\n \nOperating since 2009, Hidden Cobra typically targets systems running older, unsupported versions of Microsoft operating systems, and commonly exploits vulnerabilities in Adobe Flash Player to gain an initial entry point into victim's machine. \n \nThese are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra: \n\n\n * Hangul Word Processor bug (CVE-2015-6585)\n * Microsoft Silverlight flaw ([CVE-2015-8651](<https://thehackernews.com/2015/12/adobe-flash-security-update.html>))\n * Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)\n * Adobe Flash Player 21.0.0.197 Vulnerability ([CVE-2016-1019](<https://thehackernews.com/2016/04/adobe-flash-update.html>))\n * Adobe Flash Player 21.0.0.226 Vulnerability ([CVE-2016-4117](<https://thehackernews.com/2016/12/image-exploit-hacking.html>))\nThe simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall. \n \nSince Adobe Flash Player is prone to many attacks and just today the company [patched nine vulnerability in Player](<https://thehackernews.com/2017/06/security-patch-tuesday.html>), you are advised to update or remove it completely from your computer. \n \nThe FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group. \n\n\n> \"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,\" the alert reads.\n\nBesides this, the agencies have also provided a long list of mitigations for users and network administrators, which you can follow [here](<https://www.us-cert.gov/ncas/alerts/TA17-164A>).\n", "published": "2017-06-14T01:23:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2017/06/north-korea-hacking-malware.html", "cvelist": ["CVE-2015-6585", "CVE-2016-1019", "CVE-2016-0034", "CVE-2016-4117", "CVE-2015-8651"], "lastseen": "2018-01-27T10:07:00"}, {"id": "THN:BF8375E3582DA11921BF468B0D3C4F03", "type": "thn", "title": "Hacking Millions with Just an Image \u2014 Recipe: Pixels, Ads & Exploit Kit ", "description": "[](<https://3.bp.blogspot.com/-LcT8O23njws/WEe8BvRhm_I/AAAAAAAAqeA/D8GOfD7oCSMDAcImuqa7_-oueUq-qym5wCLcB/s1600/stegano-exploit-kit-malware-hacking.png>)\n\nIf you have visited any popular mainstream website over the past two months, your computer may have been infected \u2014 Thanks to a new exploit kit discovered by security researchers. \n \nResearchers from antivirus provider ESET released a [report](<http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/>) on Tuesday stating that they have discovered an exploit kit, dubbed **Stegano**, hiding malicious code in the pixels of banner advertisements that are currently in rotation on several high profile news websites. \n \nStegano originally dates back to 2014, but since early October this year, cyber crooks had managed to get the malicious ads displayed on a variety of unnamed reputable news websites, each with Millions of daily visitors. \n \nStegano derived from the word **[Steganography](<https://thehackernews.com/2015/06/Stegosploit-malware.html>)**, which is a technique of hiding messages and content inside a digital graphic image, making the content impossible to spot with the naked eye. \n \nIn this particular malvertising campaign, operators hide malicious code inside transparent PNG image's Alpha Channel, which defines the transparency of each pixel, by altering the transparency value of several pixels. \n \nThe malvertising campaign operators then packed the altered image as an advertisement and managed to display those malicious ads on several high-profile websites. \n \nAccording to the researchers, the malicious ads promote applications called \"Browser Defense\" and \"Broxu,\" and the methodology makes it tough for ad networks to detect. \n \n\n\n### Here's How the Stegano Attack Works:\n\n \nOnce a user visits a site hosting malicious advertisement, the malicious script embedded in the ad reports information about the victim's computer to the attacker's remote server without any user interaction. \n \nThe malicious code then uses the CVE-2016-0162 vulnerability in Microsoft's Internet Explorer (IE) browser in order to scan the target computer to see if it is running on a malware analyst's machine. \n \nAfter verifying the targeted browser, the malicious script redirects the browser to a website that hosts Flash Player exploits for three now-patched Adobe Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117. \n\n\n> \"Upon successful exploitation, the executed shell code collects information on installed security products and performs \u2013 as paranoid as the cybercriminals behind this attack \u2013 yet another check to verify that it is not being monitored,\" ESET researchers wrote in a blog post. \"If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.\"\n\nWhen downloaded to the victim's computer, the encrypted payload is then decrypted and launched via regsvr32.exe or rundll32.exe in Microsoft Windows. \n \n\n\n### Just Visit a Site, and You'll be Hacked in Just 2-3 Sec\n\n \nBelow is an ESET infographic that explains the working of Stegano's exploit attack: \n\n\n[](<https://2.bp.blogspot.com/-X5Wqj0LvCm4/WEfDwXzrj9I/AAAAAAAAqeQ/zo2BY0Bq_yE9IiBqIa-fkNdLmnHPtX9WgCLcB/s1600/exploit-kit-working.png>)\n\n \nAll the above operations execute automatically without any user interactions and takes place in the span of just 2-3 seconds. \n \nSo far, the Stegano exploit kit has pushed various trojan downloaders, the Ursnif and Ramnit banking trojans, backdoors, spyware, and file stealers. \n \nThe Stegano exploit kit was initially used in 2014 to target people in the Netherlands, and then in 2015, moved on to residents in the Czech Republic. The latest attack campaign is targeting people in Canada, the UK, Australia, Spain, and Italy. \n \nThe best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. Also use reputed antivirus software that can detect such threats before they infect your system.\n", "published": "2016-12-06T21:08:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://thehackernews.com/2016/12/image-exploit-hacking.html", "cvelist": ["CVE-2016-0162", "CVE-2016-1019", "CVE-2016-4117", "CVE-2015-8651"], "lastseen": "2018-01-27T09:17:58"}], "nessus": [{"id": "OPENSUSE-2016-433.NASL", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-433)", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016 Aliased: (bsc#974209).", "published": "2016-04-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90476", "cvelist": ["CVE-2016-1019"], "lastseen": "2017-10-29T13:46:14"}, {"id": "OPENSUSE-2016-440.NASL", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-440)", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016 Aliased: (bsc#974209).", "published": "2016-04-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90479", "cvelist": ["CVE-2016-1019"], "lastseen": "2017-10-29T13:43:51"}, {"id": "SUSE_SU-2016-0990-1.NASL", "type": "nessus", "title": "SUSE SLED12 Security Update : flash-player (SUSE-SU-2016:0990-1)", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2016-1019: Adobe Flash Player allowed remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016 (bsc#974209).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-04-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90505", "cvelist": ["CVE-2016-1019"], "lastseen": "2017-10-29T13:36:41"}, {"id": "GENTOO_GLSA-201606-08.NASL", "type": "nessus", "title": "GLSA-201606-08 : Adobe Flash Player: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-201606-08 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "published": "2016-06-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=91702", "cvelist": ["CVE-2016-4171", "CVE-2016-4121", "CVE-2016-4120", "CVE-2016-1019", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4160", "CVE-2016-4162", "CVE-2016-4161"], "lastseen": "2017-10-29T13:34:14"}, {"id": "REDHAT-RHSA-2016-0610.NASL", "type": "nessus", "title": "RHEL 5 / 6 : flash-plugin (RHSA-2016:0610)", "description": "An update for flash-plugin is now available for Red Hat Enterprise Linux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.616.\n\nSecurity Fix(es) :\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player.\nThese vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.\n(CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033)", "published": "2016-04-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90490", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-10-29T13:34:23"}, {"id": "FREEBSD_PKG_07888B4935C411E68E82002590263BF5.NASL", "type": "nessus", "title": "FreeBSD : flash -- multiple vulnerabilities (07888b49-35c4-11e6-8e82-002590263bf5)", "description": "Adobe reports :\n\nThese updates harden a mitigation against JIT spraying attacks that could be used to bypass memory layout randomization mitigations (CVE-2016-1006).\n\nThese updates resolve type confusion vulnerabilities that could lead to code execution (CVE-2016-1015, CVE-2016-1019).\n\nThese updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031).\n\nThese updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033).\n\nThese updates resolve a stack overflow vulnerability that could lead to code execution (CVE-2016-1018).\n\nThese updates resolve a security bypass vulnerability (CVE-2016-1030).\n\nThese updates resolve a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-1014).", "published": "2016-06-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=91696", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-10-29T13:45:21"}, {"id": "MACOSX_FLASH_PLAYER_APSB16-10.NASL", "type": "nessus", "title": "Adobe Flash Player for Mac <= 21.0.0.197 Multiple Vulnerabilities (APSB16-10)", "description": "The version of Adobe Flash Player installed on the remote Mac OS X host is prior or equal to version 21.0.0.197. It is, therefore, affected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass vulnerability exists that allows an attacker to predict memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1015, CVE-2016-1019)\n\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. An attacker can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)", "published": "2016-04-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90426", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-10-29T13:42:54"}, {"id": "FLASH_PLAYER_APSB16-10.NASL", "type": "nessus", "title": "Adobe Flash Player <= 21.0.0.197 Multiple Vulnerabilities (APSB16-10)", "description": "The version of Adobe Flash Player installed on the remote Windows host is prior or equal to version 21.0.0.197. It is, therefore, affected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass vulnerability exists that allows an attacker to predict memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1015, CVE-2016-1019)\n\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. An attacker can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)", "published": "2016-04-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90425", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-10-29T13:34:14"}, {"id": "SMB_NT_MS16-050.NASL", "type": "nessus", "title": "MS16-050: Security Update for Adobe Flash Player (3154132)", "description": "The remote Windows host is missing KB3154132. It is, therefore, affected by multiple vulnerabilities :\n\n - An Address Space Layout Randomization (ASLR) bypass vulnerability exists that allows an attacker to predict memory offsets in the call stack. (CVE-2016-1006)\n\n - Multiple use-after-free errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, CVE-2016-1031)\n\n - Multiple memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, CVE-2016-1033)\n\n - A directory search path vulnerability exists that allows an attacker to disclose sensitive resources.\n (CVE-2016-1014)\n\n - Multiple type confusion errors exist that allow an attacker to execute arbitrary code. (CVE-2016-1015, CVE-2016-1019)\n\n - An overflow condition exists that is triggered when handling JPEG-XR compressed image content. An attacker can exploit this to execute arbitrary code.\n (CVE-2016-1018)\n\n - An unspecified security bypass vulnerability exists.\n (CVE-2016-1030)", "published": "2016-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90443", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2018-01-17T06:52:34"}, {"id": "OPENSUSE-2016-585.NASL", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2016-585)", "description": "This security update for flash-player to 11.2.202.621 fixes the following issues (boo#979422) :\n\nA critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. (APSA16-02)\n\nhttps://helpx.adobe.com/security/products/flash-player/apsa16-02.html\n\nSome CVEs were not listed in the last submission :\n\n - APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033", "published": "2016-05-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=91178", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-10-29T13:42:43"}], "suse": [{"id": "OPENSUSE-SU-2016:1157-1", "type": "suse", "title": "Security update for flash-player (important)", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to\n cause a denial of service (application crash) or possibly execute\n arbitrary code via unspecified vectors, as exploited in the wild in\n April 2016 Aliased: (bsc#974209).\n\n", "published": "2016-04-26T17:08:38", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00055.html", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T12:32:45"}, {"id": "OPENSUSE-SU-2016:0997-1", "type": "suse", "title": "Security update for flash-player (important)", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to\n cause a denial of service (application crash) or possibly execute\n arbitrary code via unspecified vectors, as exploited in the wild in\n April 2016 Aliased: (bsc#974209).\n\n", "published": "2016-04-08T22:07:39", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00012.html", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T11:50:47"}, {"id": "SUSE-SU-2016:0990-1", "type": "suse", "title": "Security update for flash-player (important)", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player allowed remote attackers to cause a\n denial of service (application crash) or possibly execute arbitrary code\n via unspecified vectors, as exploited in the wild in April 2016\n (bsc#974209).\n\n", "published": "2016-04-08T17:08:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00010.html", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T12:03:50"}, {"id": "OPENSUSE-SU-2016:0987-1", "type": "suse", "title": "Security update for flash-player (important)", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2016-1019: Adobe Flash Player earlier allowed remote attackers to\n cause a denial of service (application crash) or possibly execute\n arbitrary code via unspecified vectors, as exploited in the wild in\n April 2016 Aliased: (bsc#974209).\n\n", "published": "2016-04-08T15:08:43", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00009.html", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T11:20:17"}, {"id": "OPENSUSE-SU-2016:1306-1", "type": "suse", "title": "Security update for flash-player (important)", "description": "This security update for flash-player to 11.2.202.621 fixes the following\n issues (boo#979422):\n\n A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player\n 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome\n OS. Successful exploitation could cause a crash and potentially allow an\n attacker to take control of the affected system. (APSA16-02)\n\n <a rel=\"nofollow\" href=\"https://helpx.adobe.com/security/products/flash-player/apsa16-02.html\">https://helpx.adobe.com/security/products/flash-player/apsa16-02.html</a>\n\n Some CVEs were not listed in the last submission:\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033\n\n", "published": "2016-05-17T02:07:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00045.html", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2016-09-04T11:59:17"}, {"id": "SUSE-SU-2016:1305-1", "type": "suse", "title": "Security update for flash-player (important)", "description": "This update for flash-player fixes the following issues:\n\n - Security update to 11.2.202.621 (bsc#979422):\n * APSA16-02, APSB16-15, CVE-2016-1096, CVE-2016-1097, CVE-2016-1098,\n CVE-2016-1099, CVE-2016-1100, CVE-2016-1101, CVE-2016-1102,\n CVE-2016-1103, CVE-2016-1104, CVE-2016-1105, CVE-2016-1106,\n CVE-2016-1107, CVE-2016-1108, CVE-2016-1109, CVE-2016-1110,\n CVE-2016-4108, CVE-2016-4109, CVE-2016-4110, CVE-2016-4111,\n CVE-2016-4112, CVE-2016-4113, CVE-2016-4114, CVE-2016-4115,\n CVE-2016-4116, CVE-2016-4117\n\n - The following CVEs got fixed during the previous release, but got\n published afterwards:\n * APSA16-01, APSB16-10, CVE-2016-1006, CVE-2016-1011, CVE-2016-1012,\n CVE-2016-1013, CVE-2016-1014, CVE-2016-1015, CVE-2016-1016,\n CVE-2016-1017, CVE-2016-1018, CVE-2016-1019, CVE-2016-1020,\n CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024,\n CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\n CVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032,\n CVE-2016-1033\n\n", "published": "2016-05-16T18:08:08", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00044.html", "cvelist": ["CVE-2016-1030", "CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1102", "CVE-2016-1026", "CVE-2016-1098", "CVE-2016-1021", "CVE-2016-4108", "CVE-2016-1019", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-4116", "CVE-2016-1006", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-1023", "CVE-2016-4113", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-4112", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1106", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-1025", "CVE-2016-4115", "CVE-2016-1016", "CVE-2016-1105", "CVE-2016-1099", "CVE-2016-1015"], "lastseen": "2016-09-04T12:44:54"}], "openvas": [{"id": "OPENVAS:1361412562310851268", "type": "openvas", "title": "SuSE Update for flash-player SUSE-SU-2016:0990-1 (flash-player)", "description": "Check the version of flash-player", "published": "2016-04-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851268", "cvelist": ["CVE-2016-1019"], "lastseen": "2017-12-12T11:17:52"}, {"id": "OPENVAS:1361412562310810666", "type": "openvas", "title": "Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-050", "published": "2017-03-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810666", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2018-04-05T15:40:51"}, {"id": "OPENVAS:1361412562310131312", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0134", "description": "Mageia Linux Local Security Checks mgasa-2016-0134", "published": "2016-05-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131312", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-07-24T12:54:14"}, {"id": "OPENVAS:1361412562310807654", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-10 )-Linux", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "published": "2016-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807654", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-07-02T21:13:02"}, {"id": "OPENVAS:1361412562310807655", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-10 )-MAC OS X", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "published": "2016-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807655", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-07-02T21:13:12"}, {"id": "OPENVAS:1361412562310810668", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "published": "2017-03-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810668", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-07-02T21:14:25"}, {"id": "OPENVAS:1361412562310807653", "type": "openvas", "title": "Adobe Flash Player Security Updates( apsb16-10 )-Windows", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "published": "2016-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807653", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-12-20T13:26:24"}, {"id": "OPENVAS:1361412562310810667", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "published": "2017-03-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810667", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-07-02T21:14:38"}, {"id": "OPENVAS:1361412562310810716", "type": "openvas", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "published": "2017-03-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810716", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2017-07-02T21:14:38"}, {"id": "OPENVAS:1361412562310851312", "type": "openvas", "title": "SuSE Update for flash-player SUSE-SU-2016:1305-1 (flash-player)", "description": "Check the version of flash-player", "published": "2016-05-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851312", "cvelist": ["CVE-2016-1030", "CVE-2016-1100", "CVE-2016-1109", "CVE-2016-1107", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1102", "CVE-2016-1026", "CVE-2016-1098", "CVE-2016-1021", "CVE-2016-4108", "CVE-2016-1019", "CVE-2016-1097", "CVE-2016-1110", "CVE-2016-4109", "CVE-2016-1018", "CVE-2016-4117", "CVE-2016-1013", "CVE-2016-4116", "CVE-2016-1006", "CVE-2016-1104", "CVE-2016-4114", "CVE-2016-1101", "CVE-2016-1023", "CVE-2016-4113", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-4112", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1106", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-4111", "CVE-2016-1108", "CVE-2016-1096", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1103", "CVE-2016-4110", "CVE-2016-1025", "CVE-2016-4115", "CVE-2016-1016", "CVE-2016-1105", "CVE-2016-1099", "CVE-2016-1015"], "lastseen": "2017-12-12T11:18:31"}], "threatpost": [{"id": "CERBER-RANSOMWARE-ON-THE-RISE-FUELED-BY-DRIDEX-BOTNETS/118090", "type": "threatpost", "title": "Cerber Ransomware On The Rise, Fueled By Dridex Botnet", "description": "Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous.\n\nCerber, which is best known for its high-creep factor in using text-to-speech to \u201cspeak\u201d its ransom note to victims, was first spotted in the wild in February. Its [typical distribution method was via exploit kits](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>), with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). But as recently as May 4, FireEye reports, Cerber is now part of a spam campaign linked to Dridex botnets.\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down](<https://threatpost.com/malvertising-campaign-pushing-neutrino-exploit-kit-shut-down/120322/> \"Permalink to Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down\" )\n\nSeptember 1, 2016 , 2:46 pm\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\n\u201cBy partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky,\u201d wrote FireEye security analysts in [a research blog](<https://www.fireeye.com/blog/threat-research/2016/05/cerber_ransomware_partners_with_Dridex.html>) posted Thursday.\n\nDridex is a financial Trojan that has emerged as a significant threat to consumers and business, targeting the acquisition of financially related credentials. Its chief means of distribution is Dridex botnets that have been behind massive spam campaigns since February and are responsible for pushing out millions of targeted spam messages a day.\n\nCerber ransomware, according to FireEye, follows the same spam framework as Dridex. Targets are sent emails with an attachment disguised as an invoice that contains malicious VBScript. Once the user opens the document, they\u2019re encouraged to enable macros.\n\nIn the case of Cerber, the malicious attachment obfuscates the offending VBScript that may be detected by an email gateway or spam filter. Instead, the macro downloads and installs the VBScript in the %appdata% path of the targeted PC. The VBScript is further manipulated to avoid detection and reverse engineering through the injection of junk code.\n\nNext, Cerber sniffs out whether a victim has an internet connection. If it does, the last piece of the Cerber ransomware is delivered. That\u2019s when the VBScript sends an HTTP Range Request to fetch a JPEG file from a URL. \u201cIn the HTTP Request Headers, it sets the value of Range Header to: \u201cbytes=11193-\u201c. This indicates to the web server to return only the content starting at offset 11,193 of the JPG file,\u201d FireEye wrote.\n\nThis multi-stage technique of delivering the Cerber payload, FireEye said, is similar to HTTP Range Request checks leveraged by Dridex and Ursnif Trojans.\n\nOther similarities that Cerber has to Dridex include the fact that spam campaigns are typically English language only and are financially motivated booby-trapped with invoice, receipt, and order attachments.\n\nOnce Cerber goes to work on a system, it targets email, Word documents, and Steam (gaming) related files appending encrypted files with the \u2018.cerber\u2019 file extension. Victims are directed to visit various versions of the \u201cdecrypttozxybarc\u201d domain. In some instances, FireEye said, Cerber also installs a spambot module on the host PC. Attackers, FireEye suspect, are in the test stages of using infected PCs for distributing spam.", "published": "2016-05-13T13:24:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T20:53:18"}, {"id": "LATEST-FLASH-ZERO-DAY-BEING-USED-TO-PUSH-RANSOMWARE/117248", "type": "threatpost", "title": "Latest Flash Zero Day Being Used to Push Ransomware", "description": "Exploits for a zero-day vulnerability in Adobe Flash Player are being aggressively distributed in two exploit kits. The zero day, meanwhile, was patched by Adobe in an [emergency update](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) released Thursday night.\n\nAttackers are using the previously unpatched flaw in the maligned Flash Player to infect victims with either Locky or Cerber ransomware. [Locky](<https://threatpost.com/locky-variant-changes-c2-communication-found-in-nuclear-ek/117196/>) is a relatively new crypto-ransomware strain, spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. [Cerber](<http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/>) is also crypto-ransomware that includes a feature where the infected machine will speak to the victim.\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down](<https://threatpost.com/malvertising-campaign-pushing-neutrino-exploit-kit-shut-down/120322/> \"Permalink to Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down\" )\n\nSeptember 1, 2016 , 2:46 pm\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\nThis turn in using the exploit kits to move ransomware isn\u2019t new, but does escalate the distribution of Locky in particular, which is believed to be at the heart of a number of [high-profile compromises](<https://threatpost.com/locky-ransomware-causes-internal-state-of-emergency-at-kentucky-hospital/116949/>) in the health care industry.\n\nResearchers at Proofpoint said the zero day has been folded into both the Nuclear and Magnitude exploit kits, with Nuclear infections pushing Locky and Magnitude spreading Cerber.\n\nThe zero day vulnerability affects all versions of Flash Player on Windows 10 and earlier, said Kevin Epstein, vice president of Proofpoint\u2019s threat operations center. Today\u2019s update patched two dozen vulnerabilities, including the zero day; most the flaws were memory corruption bugs, as well as use-after-free, type-confusion and stack overflaws, in addition to a security bypass vulnerability.\n\nWhile the attackers have hundreds of millions of potential targets at their disposal with the zero day, they have limited this particular exploit to older versions of Flash Player, Epstein said.\n\n\u201cThe interesting thing about this distribution of the exploit is that the attackers don\u2019t appear to have taken full advantage of the exploit,\u201d he said. \u201cIt\u2019s not clear if they fully understood what they had. It is a zero day, but within this exploit kit, it\u2019s only targeting earlier versions of Flash. They\u2019ve self-limited their target audience, and it\u2019s not clear why.\u201d\n\nNonetheless, the exploit has been aggressively distributed, and for some time. While the Magnitude distribution of Cerber ransomware was found only in the last 72 hours, Epstein said Nuclear has been pushing Locky using this exploit since March 31.\n\nThe scale of these attacks has the potential to be massive, Proofpoint said. While both Nuclear and Magnitude are not as prevalent on the scale of the Angler EK, they are effective and popular choices on the black market. Combine that with previous distributions of Locky in a number of spam campaigns, some of them reaching multimillions of email messages a day, according to Proofpoint, and there is the potential for longstanding trouble.\n\nAdobe said in an [advanced notification](<https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/>) two days ago that an exploit could crash a system and allow attackers to execute arbitrary code on a compromised machine. Adobe added that a mitigation introduced on March 10 in Flash 21.0.0.182 protects users against attack; users are urged to update immediately. Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 20.0.0.306 and earlier.\n\n\u201cThe nature of vulnerability allows the attackers to execute arbitrary code on your machine; in this case, the Flash exploit is assisting the attacker to write arbitrary instructions to a point in memory,\u201d Epstein said. \u201cThat set of instructions in this case downloads the ransomware and executes it.\u201d\n\nEpstein said that the exploit is checking only for older versions of Flash Player, even though all versions prior to today\u2019s update are vulnerable.\n\nThe escalation of ransomware is alarming with new capabilities being regularly added to new strains. Ransomware such as Locky, for example, will encrypt all files stored on a machine and will seek out other machines on network shares, or even online backups the target machine may have access to. Vicitms are prompted to pay via Bitcoin relatively inexpensive ransoms in order to retrieve their locked files.\n\n\u201cRansomware, we suspect because of the macro economic ROI is something that\u2019s going to be a growing problem,\u201d Epstein said. \u201cIt\u2019s here to stay a while.\u201d", "published": "2016-04-07T21:08:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T20:53:21"}, {"id": "PERSISTENT-EITEST-MALWARE-CAMPAIGN-JUMPS-FROM-ANGLER-TO-NEUTRINO/118249", "type": "threatpost", "title": "Persistent EITest Malware Campaign Jumps from Angler to Neutrino", "description": "A two-year-old EITest malware campaign is still going strong, fueled by the fact it has shifted its distribution technique over time. Now, researchers at the SANS Institute\u2019s Internet Storm Center, are reporting EITest is morphing again based on analysis of the malware campaign conducted earlier this month.\n\nAccording to researcher Brad Duncan, the EITest malware campaign is being refueled by the fact it is shifting from the Angler exploit kit to the Neutrino exploit kit.\n\n### Related Posts\n\n#### [Threatpost News Wrap, September 2, 2016](<https://threatpost.com/threatpost-news-wrap-september-2-2016/120332/> \"Permalink to Threatpost News Wrap, September 2, 2016\" )\n\nSeptember 2, 2016 , 9:00 am\n\n#### [Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down](<https://threatpost.com/malvertising-campaign-pushing-neutrino-exploit-kit-shut-down/120322/> \"Permalink to Malvertising Campaign Pushing Neutrino Exploit Kit Shut Down\" )\n\nSeptember 1, 2016 , 2:46 pm\n\n#### [Insecure Redis Instances at Core of Attacks Against Linux Servers](<https://threatpost.com/insecure-redis-instances-at-core-of-attacks-against-linux-servers/120312/> \"Permalink to Insecure Redis Instances at Core of Attacks Against Linux Servers\" )\n\nSeptember 1, 2016 , 1:08 pm\n\n\u201cDuring its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,\u201d Duncan [wrote in an Internet Storm Center post](<https://isc.sans.edu/diary/EITest+campaign+still+going+strong/21081>).\n\nFirst identified in July of 2014 by Malwarebytes, EITest is known for leveraging thousands of legitimate websites that have been hacked and used in tandem with a Flash-based redirection script to deliver payloads such as the Gootkit Trojan information stealer.\n\nIn the case of EITest, attackers were booby trapping legitimate sites with drive-by downloads unbeknownst to their owners by using rotating URLs as the exploit kit\u2019s landing page. The perpetrators did this by inserting a Flash application code at the bottom of an infected site\u2019s main page to direct traffic to a malicious landing page. To avoid URL blacklisting, attackers used free DNS services to register disposable subdomains to create a large pool of URLs that can be used once and then trashed.\n\nDuncan now says the EITest campaigns is now using 85.93.0.0/24 for a gate between the compromised website and the Neutrino EK. \u201cThe TLD for these gate domains has most often been .tk but we\u2019ve seen .co.uk domains used this week,\u201d he wrote.\n\nAs for the payload, in two instances Duncan reports he was running Adobe Flash Player 20.0.0.306, which is vulnerable to [CVE-2016-1019](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1019>), which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.\n\nPalo Alto Networks has also been tracking the progress of the stubborn EITest malware campaign. In March, researchers noticed that the EITest gate occasionally changes IP addresses, but consistently used the TLDs .tk, .uk and .com.\n\n\u201cThe EITest gate URL continues to return a Flash file that redirects traffic to Angler EK. This gate URL always generates two HTTP GET requests. The first request retrieves the Flash file and the second request returns script pointing to an Angler EK landing page,\u201d [wrote Palo Alto in March](<http://researchcenter.paloaltonetworks.com/2016/03/unit42-how-the-eltest-campaigns-path-to-angler-ek-evolved-over-time/>).\n\nNow SANS Institute\u2019s Internet Storm Center says the indicators of compromise on its test systems include the EITest gate 85.93.0.33 port 80 (true.imwright.co.uk) and 104.238.185.187 port 80 (ndczaqefc.anein.top) for the Neutrino EK with the payload Gootkit information stealer.\n\nDuncan observed a second infection chain from the EITest campaign used the Angler ET with the following the indicators of compromise; 85.93.0.33 port 80 \u2013 _true.imwright.co.uk_ \u2013 EITest gate, 185.117.75.219 port 80 \u2013 _kmgb0.yle6to.top_ \u2013 Angler EK, and delivering an undetermined payload.", "published": "2016-05-23T13:08:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/persistent-eitest-malware-campaign-jumps-from-angler-to-neutrino/118249/", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-09-04T20:47:20"}, {"id": "NEW-CERBER-VARIANT-LEVERAGES-TOR2WEB-PROXIES-GOOGLE-REDIRECTS/122169", "type": "threatpost", "title": "New Cerber Variant Leverages Tor2Web Proxies, Google Redirects", "description": "Criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection.\n\nResearchers with Cisco Talos spotted the shifting tactic last week when it began tracking the latest Cerber (5.0.1) ransomware variant. The technique defies Cerber\u2019s typical attack strategy of spam campaigns, malicious attachments and well written, professional looking emails, according to Talos researchers.\n\n### Related Posts\n\n#### [Hackers Make New Claim in San Francisco Transit Ransomware Attack](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/> \"Permalink to Hackers Make New Claim in San Francisco Transit Ransomware Attack\" )\n\nNovember 28, 2016 , 3:30 pm\n\n#### [Nemucod Infections Spreading Over Facebook](<https://threatpost.com/nemucod-infections-spreading-locky-over-facebook/122062/> \"Permalink to Nemucod Infections Spreading Over Facebook\" )\n\nNovember 21, 2016 , 11:48 am\n\n#### [Threatpost News Wrap, November 18, 2016](<https://threatpost.com/threatpost-news-wrap-november-18-2016/122044/> \"Permalink to Threatpost News Wrap, November 18, 2016\" )\n\nNovember 18, 2016 , 9:15 am\n\n\u201cThis campaign looked different in that the messages didn\u2019t contain an attachment and were extremely short and basic,\u201d wrote Cisco Talos [researchers in a report posted Monday](<http://blog.talosintel.com/2016/11/cerber-spam-tor.html>). According Talos, the Cerber spam campaign resembled something more closely associated with Locky ransomware, which relies heavily on script-based file extensions used to download the Locky executable.\n\nTalos describes this latest Cerber campaign as a \u201cpotential next evolution for ransomware distribution\u201d that relies heavily on the Tor network and Dark Web to obfuscate the attacker\u2019s activity and thwart mitigation efforts.\n\nAccording to Talos, the Cerber 5.0.1 variant forgoes the use of malicious attachments in exchange for emails that contain hyperlinks. Targets are enticed to click hyperlinks that are disguised as various files of potential interest to recipients such as pictures, order details, transaction logs and loan acceptance letters.\n\n\u201cWhen a victim clicks on a hyperlink they are taken to a Google redirect that points (the browser) to a malicious Word document hosted on the Dark Web. But because you need a Tor browser to access the Dark Web, attackers use the Google redirect service to connect targets to a Tor2Web proxy service first,\u201d said Nick Biasini, researcher with the Cisco Talos team.\n\nUse of the Tor2Web proxy service allows adversaries to host files on the Dark Web, making it extremely difficult to know where files are hosted and shut down the offending server, Biasini said. \u201cUsing proxy services like Tor2Web enables access to the Tor network without requiring a Tor client to be installed locally on the victim\u2019s system,\u201d researchers point out.\n\n\u201cWe have seen Tor used in ransomware quite a bit. But it has been used primarily for command-and-control communications and retrieving ransom notes for the victims to get Bitcoin wallets. What makes this most recent Cerber (5.0.1) variant so interesting to researchers is the fact the hosting of all the malicious activity is on Tor,\u201d Biasini said.\n\nThat\u2019s not so say earlier incarnations and techniques associated with Cerber ransomware have been abandoned. Still the bulk of Cerber, Biasini said, is distributed using traditional techniques such as the RIG exploit kit and malicious attachments sent via spam campaigns. \u201cThe reason this campaign is important is because it signals an evolution for Cerber adversaries,\u201d Biasini said.\n\nCerber, which is best known for its high-creep factor in using text-to-speech to \u201cspeak\u201d its ransom note to victims, was first spotted in the wild in February. Its [typical distribution method was via exploit kits](<https://threatpost.com/latest-flash-zero-day-being-used-to-push-ransomware/117248/>), with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). In May, [researchers at FireEye reported](<https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/>), Cerber was part spam campaigns linked to Dridex botnets. In August, researchers reported a new Cerber variant, [dubbed Cerber 2](<https://threatpost.com/2-5-million-a-year-ransomware-as-a-service-ring-uncovered/119902/>), they said was part of a ransomware-as-a-service ring.\n\n\u201cCerber has continued to shift its tactics and evolve rapidly over just the past several months,\u201d Biasini said.\n\nIn this most recent campaign, once the initial redirection and Tor2Web proxying occurs, the victim\u2019s system will download a malicious Word document. If a potential victim chooses to open the file attachment they are prompted via a Word document to \u201cenable content\u201d or the macro.\n\n\u201cIf the victim opens the malicious MS Word document and enables macros, the downloader will use the Windows Command Processor to invoke Powershell which will then download (using Tor2Web) and execute the actual Cerber PE32 executable,\u201d Talos describes.\n\nThis version of Cerber demands 1.4 bitcoins ($1,000). If the ransom demand is not met within five days the ransom payment amount doubles.\n\n\u201cThis latest distribution campaign highlights how ransomware based threats are continuing to evolve and mature over time, and shows an increasingly sophisticated infection process as attackers continue to implement new methods to attempt to evade detection and make analysis more difficult,\u201d Talos researchers wrote.\n\nTalos recommends that all Tor2Web and Tor traffic be blocked in organization as the most effective way to mitigate risk to this latest Cerber threat. \u201cOrganizations need to decide if the business case for allowing Tor and Tor2Web on the network outweighs the potential risks to its users,\u201d Cisco Talos wrote.", "published": "2016-11-30T07:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/new-cerber-variant-leverages-tor2web-proxies-google-redirects/122169/", "cvelist": ["CVE-2016-1019"], "lastseen": "2016-11-30T12:54:16"}, {"id": "EMERGENCY-UPDATE-COMING-FOR-FLASH-VULNERABILITY-UNDER-ATTACK/117219", "type": "threatpost", "title": "Emergency Adobe Flash Player Security Update", "description": "Adobe will release an emergency Flash Player update as soon as Thursday, patching a critical vulnerability that is being publicly attacked.\n\nAdobe said the vulnerability is in version 21.0.0.197 and earlier for Windows, Mac OS X, Linux and Chrome OS.\n\n### Related Posts\n\n#### [Patched ColdFusion Flaw Exposes Applications to Attack](<https://threatpost.com/patched-coldfusion-flaw-exposes-applications-to-attack/120301/> \"Permalink to Patched ColdFusion Flaw Exposes Applications to Attack\" )\n\nSeptember 1, 2016 , 9:15 am\n\n#### [A Month Without Adobe Flash Player Patches](<https://threatpost.com/a-month-without-adobe-flash-player-patches/119770/> \"Permalink to A Month Without Adobe Flash Player Patches\" )\n\nAugust 9, 2016 , 12:50 pm\n\n#### [Firefox to Block Flash in August, Disable in 2017](<https://threatpost.com/firefox-to-block-flash-in-august-disable-in-2017/119419/> \"Permalink to Firefox to Block Flash in August, Disable in 2017\" )\n\nJuly 21, 2016 , 4:35 pm\n\n\u201cSuccessful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,\u201d Adobe said in an [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa16-01.html>) published late this afternoon.\n\nAdobe said that a mitigation introduced on March 10 in Flash 21.0.0.182 protects users against attack; users are urged to update immediately. Adobe said active attacks using CVE-2016-1019 are targeting Windows 7 and Windows XP systems running Flash 20.0.0.306 and earlier.\n\nFrench researcher Kafeine, who publishes updates on his personal site on exploit kits, is one of three researchers credited with disclosing the bug to Adobe along with FireEye\u2019s Genwei Jiang and Google\u2019s Clement Lecigne.\n\nKafeine told Threatpost he would not comment before the availability of a patch.\n\nThe March 10 [Flash Player update](<https://threatpost.com/flash-player-update-patches-18-remote-code-execution-flaws/116707/>) was part of Adobe\u2019s regular monthly security update cycle. It patched 18 remote code execution flaws, including one, CVE-2016-1010, being exploited in the wild.", "published": "2016-04-05T19:09:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/", "cvelist": ["CVE-2016-1019", "CVE-2016-1010"], "lastseen": "2016-09-04T20:48:45"}, {"id": "UNIVERSITY-COLLEGE-LONDON-RANSOMWARE-LINKED-TO-ADGHOLAS-MALVERTISING-GROUP/126405", "type": "threatpost", "title": "UCL Ransomware Linked to AdGholas Malvertising Group", "description": "A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.\n\nKafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a [report](<https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware>) published today that the group behind AdGholas is responsible. AdGholas are well known malvertising purveyors who have [used steganography in the past to conceal attacks](<https://threatpost.com/adgholas-malvertising-campaign-leveraged-steganography-filtering/119571/>). In this case, the attacks used the Astrum Exploit Kit to spread the malware.\n\n### Related Posts\n\n#### [Google Removes Two Ztorg Trojans from Play Marketplace](<https://threatpost.com/google-removes-two-ztorg-trojans-from-play-marketplace/126389/> \"Permalink to Google Removes Two Ztorg Trojans from Play Marketplace\" )\n\nJune 20, 2017 , 9:26 am\n\n#### [Say Goodbye to SMBv1 in Windows Fall Creators Update](<https://threatpost.com/say-goodbye-to-smbv1-in-windows-fall-creators-update/126387/> \"Permalink to Say Goodbye to SMBv1 in Windows Fall Creators Update\" )\n\nJune 20, 2017 , 8:41 am\n\n#### [Mexican Journalists, Lawyers Focus of Government Spyware](<https://threatpost.com/mexican-journalists-lawyers-focus-of-government-spyware/126367/> \"Permalink to Mexican Journalists, Lawyers Focus of Government Spyware\" )\n\nJune 19, 2017 , 2:51 pm\n\nUniversity College London, meanwhile, said today that [all services have been returned to normal](<http://www.ucl.ac.uk/isd/news/isd-news/jun2017/ucl-wide-ransomware-attack-14062017>). As of Friday, personal storage and shared drives had been restored, and yesterday, write-access to the remaining shared drives was also restored.\n\nThe infection, the university said, was contained by last Thursday and that it was continuing to look into the root cause. Initially, officials said the attack started with a phishing email, but later reversed course and said the attack was web-based. Officials also said that services should be able to be restored from backup, sparing them the need to pay a ransom.\n\nA dozen local and shared drives were infected, and the school initially called it a \u201czero-day attack.\u201d\n\n\u201cOur antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,\u201d officials said last week. \u201cWe cannot currently confirm the ransomware that was deployed.\u201d\n\nProofpoint said AdGholas\u2019 use of ransomware in this attack is a departure from its normal tactic of spreading banking malware. Kafeine said the attack went beyond just UCL to other high-profile sites.\n\nAfter ruling out other exploit kits and ransomware based on available forensics, Proofpoint investigated the possibility of the involvement of AdGholas and its use of Astrum to spread malware. One of the IP addresses found in the attack was a Mole command and control server; some malware samples contacting this IP had been submitted to VirusTotal and were consistent with a known Astrum payload.\n\n\u201cAt that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,\u201d Kafeine wrote. \u201cWe confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.\u201d\n\nThe compromised domain was used in a number of malvertising campaigns across Europe and Asia, and Kafeine said all the compromised hosts also contacted the current Astrum command and control IP address, which offers full HTTPS support, Proofpoint said.\n\n\u201cAstrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May, Kafeine said, identifying a number of vulnerabilities exploit by the kit: CVE-2016-0189, CVE-2016-1019, and CVE-2016-4117. \u201cThe introduction of Diffie-Hellman suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.\u201d\n\nThe exploit kit was spreading Mole ransomware on two days, June 14 and 15, in the U.K. and United States, while continuing to spread banking malware elsewhere.\n\nMole encrypts files and demands 0.5 Bitcoin to receive a decryption key that unlocks scrambled data.\n\n\u201c[AdGholas malvertising](<https://threatpost.com/microsoft-shuts-down-zero-day-used-in-adgholas-malvertising-campaigns/120618/>) redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today,\u201d Kafeine wrote. \u201cFull HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.\u201d", "published": "2017-06-20T14:27:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/university-college-london-ransomware-linked-to-adgholas-malvertising-group/126405/", "cvelist": ["CVE-2016-1019", "CVE-2016-0189", "CVE-2016-4117"], "lastseen": "2017-06-20T22:21:47"}, {"id": "FLASH-EXPLOIT-FOUND-IN-SEVEN-EXPLOIT-KITS/122284", "type": "threatpost", "title": "Flash Exploit Found in Seven Exploit Kits", "description": "A nasty Adobe Flash zero-day vulnerability that was remediated in an [emergency update in October 2015](<https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/>) was thereafter co-opted by seven exploit kits, according to an analysis published today by researchers at Recorded Future.\n\nThe Adobe vulnerability, CVE-2015-7645, was also used by the Russian APT group known as APT 28, which laced spear phishing emails with exploits targeting foreign affairs ministries worldwide. APT 28, also known as Sofacy, frequently targets NATO-allied political targets and in November was [singled out by Microsoft](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) for using separate Flash and Windows zero days in targeted attacks this year.\n\n### Related Posts\n\n#### [Sony Closes Backdoors in IP-Enabled Cameras](<https://threatpost.com/sony-closes-backdoors-in-ip-enabled-cameras/122271/> \"Permalink to Sony Closes Backdoors in IP-Enabled Cameras\" )\n\nDecember 6, 2016 , 11:24 am\n\n#### [DoD Publishes Vulnerability Disclosure Policy](<https://threatpost.com/dod-publishes-vulnerability-disclosure-policy/122097/> \"Permalink to DoD Publishes Vulnerability Disclosure Policy\" )\n\nNovember 22, 2016 , 8:57 am\n\n#### [Backdoor Found in Firmware of Some Android Devices](<https://threatpost.com/backdoor-found-in-firmware-of-some-android-devices/122075/> \"Permalink to Backdoor Found in Firmware of Some Android Devices\" )\n\nNovember 21, 2016 , 3:20 pm\n\nThe Flash bug was among the first to be used after Adobe implemented new mitigations into the software to combat memory-based attacks. Despite the improvements in Flash security, attackers still take a shine to these exploits.\n\nRecorded Future\u2019s report \u201c[New Kit, Same Player](<https://www.recordedfuture.com/top-vulnerabilities-2016/>)\u201d says that six of the top 10 vulnerabilities used in exploit kits were Flash Player bugs, followed by Internet Explorer, Windows and Silverlight exploits. None of this year\u2019s top 10 vulnerabilities were present in a similar analysis done last year.\n\nExploit kits, meanwhile, have been reduced in prominence since the disappearance of a number of popular kits, including Angler and Nuclear. Angler, in particular, was particularly popular with criminals; it was updated frequently and sold in a number of underground forums. The June arrest of a Russian cybercrime outfit behind the Lurk Trojan, however, spelled the end of days for Angler. Researchers at Kaspersky Lab [confirmed the connection](<https://securelist.com/analysis/publications/75944/the-hunt-for-lurk/>) between the [Lurk gang and Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>) distribution in an August report.\n\nNonetheless, exploit kits remain a threat and a vehicle for attacks that include ransomware, click fraud and adware. Victims are compromised in a number of ways, including drive-by attacks, malvertising or links in emails, all of which direct the victim\u2019s browser to the exploit kit\u2019s landing page. Code on the page determines the browser being used and launches the exploit mostly likely to hit paydirt.\n\nCVE-2015-7645 was found in Angler, as well as in Neutrino, Magnitude, RIG, Nuclear Pack, Spartan and Hunger. It, by far, had the highest penetration into exploits kits, according to Recorded Future.\n\nBut since Angler\u2019s demise earlier this year, Sundown has risen to a measure of prominence with its maintainers updating the kit often with new exploits. Sundown\u2019s payload, however, differs in that it drops banking Trojans on users\u2019 machines. Recorded Future said this kit also relies on domain shadowing more than its counterparts in order to register subdomains that are used to host attacks.\n\nSundown also contained CVE-2016-0189, an [Internet Explorer bug](<https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/>) used in targeted attacks against South Korean organizations earlier this year. Microsoft patched it in July, but already it had been used by Neutrino as well. The IE bug, Recorded Future said, was the top flaw found in exploit kits, referenced more than 600 times. CVE-2016-1019 and CVE-2016-4117, two other Flash Player bugs, round out the top three. [CVE-2016-4117](<https://securelist.com/blog/research/75100/operation-daybreak/>) was used by the [ScarCruft APT group](<https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/>), Kaspersky Lab researchers said in June, in watering hole attacks.", "published": "2016-12-06T13:58:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/", "cvelist": ["CVE-2016-1019", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-7645"], "lastseen": "2016-12-06T20:56:16"}, {"id": "NEPTUNE-EXPLOIT-KIT-DROPPING-CRYPTOCURRENCY-MINERS-THROUGH-MALVERTISEMENTS/127591", "type": "threatpost", "title": "Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements", "description": "Despite [a marked decrease in activity](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>), exploit kits haven\u2019t completely disappeared just yet. The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners.\n\nResearchers with FireEye [said Tuesday](<https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html>) the kit has been redirecting victims with popups from fake hiking ads to exploit kit landing pages and in turn to HTML and Adobe Flash exploits. Researchers elected not to disclose the name of the popup ad service, but stressed that it\u2019s within Alexa\u2019s top 100.\n\n### Related Posts\n\n#### [Hundreds of Millions in Digital Currency Remains Frozen](<https://threatpost.com/hundreds-of-millions-in-digital-currency-remains-frozen/128821/> \"Permalink to Hundreds of Millions in Digital Currency Remains Frozen\" )\n\nNovember 8, 2017 , 1:31 pm\n\n#### [Malvertising Campaign Redirects Browsers To Terror Exploit Kit](<https://threatpost.com/malvertising-campaign-redirects-browsers-to-terror-exploit-kit/128596/> \"Permalink to Malvertising Campaign Redirects Browsers To Terror Exploit Kit\" )\n\nOctober 25, 2017 , 8:28 am\n\n#### [Equifax Takes Down Compromised Page Redirecting to Adware Download](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/> \"Permalink to Equifax Takes Down Compromised Page Redirecting to Adware Download\" )\n\nOctober 12, 2017 , 12:32 pm\n\nThe landing pages run a handful of exploits, including three targeting Internet Explorer (CVE-2016-0189, CVE-2015-2419, CVE-2014-6332) and two targeting Flash (CVE-2015-8651, CVE-2015-7645).\n\nAccording to FireEye researchers Zain Gardezi and Manish Sardiwal, the malvertising redirects are mimicking the domains of actual hiking sites, and in some instances sites that allow users to convert YouTube videos to MP3s. Once redirected, the ads, most which appear on high-traffic torrent and multimedia hosting sites, drop a Monero miner.\n\nMonero, an open source cryptocurrency that bills itself as \u201csecure, private, and untraceable\u201d has caught on with cybercriminals over the last several months.\n\nOne cryptocurrency miner [Adylkuzz](<https://threatpost.com/wannacry-shares-code-with-lazarus-apt-samples/125718/>) was spotted in April using the same NSA Eternal Blue exploit and DoublePulsar rootkit that spread WannaCry, to infect computers and mine Monero.\n\nAccording to FireEye, for the new Neptune EK campaign a uniform resource identifier (URI) belonging to the exploit kit domain has been dropping the payload as a plain executable. After a machine has been infected, attempts are made to log in to minergate[.]com, a cryptocurrency GUI miner and mining pool, with the attacker\u2019s email address.\n\nResearchers noticed this campaign on July 16 and were able to pin it on changes in the kit\u2019s URI patterns.\n\nSpreading resource intensive cryptocurrency miners helps attackers raise small amounts of money that can potentially be used to fund other future attacks.\n\n[Attackers in June](<https://threatpost.com/attackers-mining-cryptocurrency-using-exploits-for-samba-vulnerability/126191/>) used an exploit for a Samba vulnerability patched in May to spread payloads that spread Monero miners. Researchers with Kaspersky Lab who discovered the operation said that attackers hardcoded their wallet and pool address into the attack and managed to raise $6,000 USD via the campaign.\n\nThe vulnerabilities that Neptune uses are dated; in fact Microsoft fixed one of them in November 2014, CVE-2014-6332, which could have allowed remote code execution via Windows OLE vulnerabilities. Gardezi and Sardiwal warn that users running out-of-date or unpatched software could still be at risk, especially as drive-by download kits such as Neptune have taken a shine to using malvertisements to push malicious downloads of late.\n\nSimilar to Sundown, the Neptune/Terror exploit kit is one of several that popped up following Angler\u2019s disappearance in 2016. Researchers said [in May earlier this year](<https://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/>) that the kit had adopted new anti-detection features and slowly evolved into a threat.", "published": "2017-08-22T17:51:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/neptune-exploit-kit-dropping-cryptocurrency-miners-through-malvertisements/127591/", "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2015-8651", "CVE-2015-2419", "CVE-2015-7645"], "lastseen": "2017-12-01T19:17:51"}], "fireeye": [{"id": "FIREEYE:94FA42F08227BCEDB46BD7010CC3A45D", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the \u201cvalueOf \u201c property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\n\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "published": "2016-07-14T16:37:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "lastseen": "2017-03-07T16:24:19"}, {"id": "FIREEYE:0A49354849202DA95FE69EEC5811E6DD", "type": "fireeye", "title": "Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release", "description": "A security researcher recently published [source code](<https://github.com/theori-io/cve-2016-0189>) for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.\n\nCVE-2016-0189 was originally exploited as a zero-day vulnerability in [targeted attacks in Asia](<http://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-south-korea>). The vulnerability resides within scripting engines in Microsoft\u2019s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher\u2019s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.\n\nMicrosoft patched [CVE-2016-0189 in May on Patch Tuesday](<https://technet.microsoft.com/en-us/library/security/ms16-may.aspx>). Applying this patch will protect a system from this exploit.\n\n##### Attack Details \n\n\nThe popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim\u2019s system \u2013 shown in Figure 1 \u2013 to determine which of its embedded exploits to use.\n\n\n\nFigure 1. Neutrino EK SWF profiles a victim\n\nNext, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.\n\n\n\nFigure 2. Decrypt and embed the selected exploit into an iframe\n\nIn this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino\u2019s arsenal.\n\n##### CVE-2016-0189\n\nThis CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the \u201cvalueOf \u201c property of the array is set to a script function that changes the array size, as shown in Figure 3.\n\n\n\nFigure 3. Neutrino setting triggering conditions\n\nAfter Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher\u2019s exploit, except for the code that runs after initial control.\n", "published": "2016-07-14T16:37:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html", "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "lastseen": "2017-11-17T14:44:04"}, {"id": "FIREEYE:0CAA37548C7EBA899FA1174794304489", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in first half of this year.\n\nDespite all this, [malvertising campaigns involving exploits kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n**Domain Name**\n\n| \n\n**Create Date**\n\n| \n\n**Registrar** \n \n---|---|--- \n \n[itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>)\n\n| \n\n2017-03-05\n\n| \n\n\\-- \n \n[loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[nudecams[.]us](<https://whois.domaintools.com/nudecams.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URI\u2019s belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting of the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (current active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thanks Hassan Faizan for his contributions to this discovery.\n", "published": "2017-08-22T10:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2015-8651", "CVE-2015-2419", "CVE-2015-7645"], "lastseen": "2017-09-12T20:44:52"}, {"id": "FIREEYE:D549372E644DEECBB7AEE8031D35DA4D", "type": "fireeye", "title": "Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit", "description": "Exploit kit (EK) activity has been on the decline ever since [Angler Exploit Kit was shut down](<https://securityintelligence.com/news/say-goodbye-to-the-angler-exploit-kit/>) in 2016. [Fewer people using Internet Explorer](<https://threatpost.com/exploit-kit-activity-quiets-but-is-far-from-silent/124461/>) and a [drop in browser support for Adobe Flash](<https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/>) \u2013 two primary targets of many exploit kits \u2013 have also contributed to this decline. Additionally, some popular redirect campaigns using [PseudoDarkleech and EITest Gate to Rig Exploit Kit](<http://www.darkreading.com/attacks-breaches/rig-exploit-kit-takedown-sheds-light-on-domain-shadowing/d/d-id/1329085>) were shut down in first half of this year.\n\nDespite all this, [malvertising campaigns involving exploits kits](<https://www.fireeye.com/blog/threat-research/2017/03/still_getting_served.html>) remain active. The Neptune Exploit Kit (or Terror EK), which initially started as a Sundown EK copycat operation, has relied heavily on malvertisements. Early use of this exploit kit saw domains with very similar patterns dropping cryptocurrency miners through malvertisements:\n\n * networkmarketingpro3[.]us\n * networkmarketingpro2[.]us\n * onlinesalesproaffiliate1[.]us\n * onlinesalesproaffiliate2[.]us\n * onlinesalesproaffiliate3[.]us\n * onlinesalesproaffiliate4[.]us\n * onlinesalesproaffiliate5[.]us\n * onlinesalesproaffiliate6[.]us\n\nPayloads spread by Neptune Exploit Kit have since diversified. Recently, we have seen changes in Neptune EK\u2019s URI patterns, landing pages, malvertisement campaigns and login account details associated with the cryptocurrency mining payloads. \n\n#### Propagation\n\nSince July 16, our Dynamic Threat Intelligence (DTI) has observed changes in URI patterns for Neptune Exploit Kit. At the time of writing, the new campaign abuses a legitimate popup ad service (within Alexa\u2019s top 100) with redirects to ads about hiking clubs, as shown in Figure 1.\n\n \nFigure 1: Fake ad for a hiking club leading to Neptune EK\n\nRedirects from domains associated with these ads eventually use 302 redirects to move victims to exploit kit landing pages. Fake domains involved in these redirects imitate real domains. For example, highspirittreks[.]club shown in Figure 1 spoofs highspirittreks[.]com. Other hiking fake ads use similarly spoofed legitimate site names with .club domains. Figure 2 shows a redirect from a fake site\u2019s pop-up.\n\n \nFigure 2: Silent redirect to EK landing page\n\nFireEye Dynamic Threat Intelligence (DTI) stats show the regions being affected by this campaign (Figure 3). \n\n \nFigure 3: Regions affected by the malvertisement campaign, as observed from customer data\n\nA few instances of the redirect involve flvto[.]download (mimicking the legitimate www.flvto[.]biz) instead of hiking club fake ads. Figure 4 and Figure 5 show the legitimate domain and fake domain, respectively, for comparison\u2019s sake.\n\n \nFigure 4: Real page, flvto[.]biz (Alexa rank 2,674)\n\n \nFigure 5: Fake page, flvto[.]download\n\nMost of the ads linked to this campaign have been observed on high-traffic torrent and multimedia hosting sites.\n\nSites are hosted on IP **95.85.62.226**. Reverse lookup for this IP shows:\n\n * 2watchmygf[.]stream\n * flvto[.]download\n * highspirittreks[.]club\n * treknepal[.]club\n\nOther hosted IPs and domains of the same campaign are in the Indicators of Compromise section at the end of the post. All IPs point to locations in Amsterdam.\n\nSince July 16, related EK infrastructure has been hosted on domains protected by Whois Guard. However, in recent activity, domains are linked to the Registrant email: \u2018gabendollar399@gmx[.]com\u2019. \n\nThe following domains are currently associated with this email:\n\n**Domain Name**\n\n| \n\n**Create Date**\n\n| \n\n**Registrar** \n \n---|---|--- \n \n[itsmebecauseyoua[.]pw](<https://whois.domaintools.com/itsmebecauseyoua.pw>)\n\n| \n\n2017-03-05\n\n| \n\n\\-- \n \n[loansforevery[.]us](<https://whois.domaintools.com/loansforevery.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[managetheworld[.]us](<https://whois.domaintools.com/managetheworld.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n[nudecams[.]us](<https://whois.domaintools.com/nudecams.us>)\n\n| \n\n2017-04-14\n\n| \n\n1 HOST RUSSIA, INC \n \n#### Exploits/Landing Page\n\nThe landing page for the Neptune Exploit Kit redirects to further HTML and Adobe Flash exploit links after it checks the Flash versions installed on the victim\u2019s machine (see Figure 6).\n\n \nFigure 6: Landing page of Neptune EK\n\nThis EK exploits multiple vulnerabilities in one run. Most of these exploits are well-known and commonly seen in other exploit kits.\n\nCurrently, Neptune EK uses three Internet Explorer exploits and two Flash exploits:\n\n * [CVE-2016-0189](<https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html>) \u2013 Internet Explorer\n * [CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>) \u2013 Internet Explorer\n * [CVE-2014-6332](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) \u2013 Internet Explorer\n * [CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>) \u2013 Adobe Flash Player\n * [CVE-2015-7645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7645>) \u2013 Adobe Flash Player\n\n#### Payload (Monero miner)\n\nThe payload is dropped as a plain executable from one of the URI\u2019s belonging to the EK domain (same as the landing page). Figure 7 shows a typical response header for these cases.\n\n \nFigure 7: Response header for Monero miner payload\n\nPost infection traffic shows an attempt to connect to minergate[.]com (Figure 8) and a login attempt using the cpu-miner service via the login email monsterkill20@mail[.]com (Figure 9). Login attempts are invoked via the command line:\n\n\n\n \nFigure 8: DNS query to minergate[.]com\n\n \nFigure 9: Login attempt\n\n#### Conclusion\n\nDespite an observable decline in exploit kit activity, users are still at risk, especially if they have outdated or unpatched software. This threat is especially dangerous considering drive-by exploit kits (such as Neptune EK) can use malvertisements to seamlessly download payloads without ever alerting of the user.\n\nFireEye NX [detects exploit kit infection attempts](<https://www.fireeye.com/products/nx-network-security-products.html>) before the malware payload is downloaded to the user\u2019s machine. Additionally, malware payloads dropped by exploit kits are detected in all other FireEye products.\n\n#### Indicators of Compromise\n\n##### Malvertisement domains:\n\n * hxxp://treknepal[.]club/\n * hxxp://highspirittrecks[.]club\n * hxxp://advnepaltrekking[.]club\n * hxxp://nepalyogatrek[.]club\n * hxxp://flvto[.]download\n\n##### Malvertisement IPs:\n\n * 95.85.62.226\n * 185.82.202.36\n\n##### EK domains (current active) registrant:\n\nDomain Name: MANAGETHEWORLD.US \nDomain ID: D59392852-US \nSponsoring Registrar: NAMECHEAP, INC. \nSponsoring Registrar IANA ID: 1068 \nRegistrar URL (registration services): http://www.namecheap[.]com \nDomain Status: clientTransferProhibited \nRegistrant ID: NLGUS4BVD3M2DN2Y \nRegistrant Name: kreb son \nRegistrant Address1: Maker 541 \nRegistrant City: Navada \nRegistrant State/Province: SA \nRegistrant Postal Code: 546451 \nRegistrant Country: Bulgaria \nRegistrant Country Code: BG \nRegistrant Phone Number: +44.45623417852 \nRegistrant Email: gabendollar399@gmx[.]com \nRegistrant Application Purpose: P1 \nRegistrant Nexus Category: C11 \nAdministrative Contact ID: VNM50NNJ5Y0VNLDY \nAdministrative Contact Name: kreb son \nAdministrative Contact Address1: Maker 541 \nAdministrative Contact City: Navada \nAdministrative Contact State/Province: SA \nAdministrative Contact Postal Code: 546451 \nAdministrative Contact Country: Bulgaria \nAdministrative Contact Country Code: BG \nAdministrative Contact Phone Number: +44.45623417852 \nAdministrative Contact Email: gabendollar399@gmx[.]com\n\n##### Sample EK URI Pattern:\n\nforum_jVpbUAr/showthread.php?id=xxxxxxx\n\n##### Sample MD5s:\n\nb678ac0b870b78060a2a9f599000302d \n5a18c92e148bbd7f10077f8e7431326e\n\n#### Acknowledgement\n\nWe would like to thanks Hassan Faizan for his contributions to this discovery.\n", "published": "2017-08-22T10:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2017/08/neptune-exploit-kit-malvertising.html", "cvelist": ["CVE-2014-6332", "CVE-2016-0189", "CVE-2015-8651", "CVE-2015-2419", "CVE-2015-7645"], "lastseen": "2017-11-17T14:44:05"}, {"id": "FIREEYE:7D8237F41EA87865A58B16DF63389DAA", "type": "fireeye", "title": "End of Life for Internet Explorer 8, 9 and 10", "description": "Microsoft has started the year with an [announcement](<https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support>) that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.\n\nWhat this means for users is that Microsoft will no longer release new security updates for these product versions going forward. This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.\n\nIt should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.\n\nThese are all steps in right direction for the Microsoft teams because it allows for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.\n\nFigure 1 shows the vulnerability counts for Internet Explorer versions in 2015.\n\n\n\nFigure 1. Internet Explorer vulnerability count for 2015 [1]\n\nThe graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.\n\nFigure 2 shows the most notable in the wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.\n\nYear\n\n| \n\nCVE\n\n| \n\nAffects \n \n---|---|--- \n \n2014\n\n| \n\n[CVE-2014-0322](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>)\n\n| \n\nIE 9 and 10 \n \n2014\n\n| \n\n[CVE-2014-1776](<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>)\n\n| \n\nIE 6 to 11 \n \n2015\n\n| \n\n[CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>)\n\n| \n\nIE 10 and 11 \n \n2015\n\n| \n\n[CVE-2015-2502](<http://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/>)\n\n| \n\nIE 7 to 11 \n \nFigure 2. ITW attacks of Internet Explorer [1]\n\nThe majority of the attacks found ITW in 2014 and 2015 affected IE 11.\n\nFigure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don\u2019t.\n\n\n\nFigure 3. IE11 vs. Non-IE11 vulnerability count [1]\n\nBased on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft\u2019s most recent move will allow the company to do the same.\n\nIt should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. These include, but are not limited to, [VML](<https://msdn.microsoft.com/en-us/library/hh801223\\(v=vs.85\\).aspx>) and [VBScript](<https://msdn.microsoft.com/en-us/library/dn384057\\(v=vs.85\\).aspx>), which have been used to [exploit](<http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php>) and [compromise](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.\n\nIt is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as [others](<https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/>).\n\nIn conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.\n\n[1] Microsoft Security Bulletins: <https://technet.microsoft.com/en-us/library/security/dn610807.aspx>\n", "published": "2016-01-12T14:49:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.fireeye.com/blog/threat-research/2016/01/end_of_life_for_ie.html", "cvelist": ["CVE-2014-0322", "CVE-2015-2502", "CVE-2015-2419", "CVE-2014-1776"], "lastseen": "2017-03-07T16:24:18"}], "mmpc": [{"id": "MMPC:A8911A071FAE866BC15F59CA0B325D45", "type": "mmpc", "title": "Exploit kits remain a cybercrime staple against outdated software \u2013 2016 threat landscape review series", "description": "Despite the disruption of Axpergle (Angler), which dominated the landscape in early 2016, exploit kits as a whole continued to be a threat to PCs running unpatched software. Some of the most prominent threats, from malvertising to ransomware, used exploit kits to infect millions of computers worldwide in 2016.\n\nThe prevalence of exploit kits as an infection vector can be attributed to these factors: 1) they continue to use old but effective exploits while efficiently integrating new ones, 2) they are easily obtained from underground cybercriminal markets; and 3) there remains a significant number of machines that are potentially vulnerable because they run unpatched software.\n\nUsing up-to-date browser and software remains to be the most effective mitigation against exploit kits. Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.\n\n(Note: This blog post is the first in the 2016 threat landscape review series. In this blog series, we look back at how major areas in the threat landscape, including ransomware, macro malware, support scam malware, and unwanted software, have transformed over the past year. We will discuss trends that have emerged, as well as security solutions that tackle threats as they evolve.)\n\n## Meadgive gained ground as Axpergle is disrupted\n\nIn the first five months of 2016, [Axpergle](<https://blogs.technet.microsoft.com/mmpc/tag/axpergle/>) (also known as Angler exploit kit) infected around 100,000 machines monthly. However, sometime in June, the exploit kit vanished. Reports associated this development with the [arrest of 50 hackers in Russia](<http://www.securityweek.com/did-angler-exploit-kit-die-russian-lurk-arrests>).\n\nAxpergle is primarily associated with the delivery of the 32- and 64-bit versions of [Bedep](<https://blogs.technet.microsoft.com/mmpc/2016/04/12/msrt-april-release-features-bedep-detection/>), a backdoor that also downloads more complex and more dangerous malware, such as the information stealers [Ursnif](<https://blogs.technet.microsoft.com/mmpc/tag/ursnif/>) and [Fareit](<https://blogs.technet.microsoft.com/mmpc/tag/win32fareit/>).\n\n\n\n_Figure 1. Monthly encounters by exploit kit family_\n\nThe disappearance of Axpergle made way for other exploit kits as cybercriminals presumably looked for alternatives. The Neutrino exploit kit started dominating for around three months, but scaled down in September. Reports say that Neutrino operators went into \u201cprivate\u201d mode, choosing to cater to select cybercriminal groups.\n\nA look at the year-long trend shows that [Meadgive](<https://blogs.technet.microsoft.com/mmpc/tag/meadgive/>) (also known as RIG exploit kit) filled the hole left by Axpergle and Neutrino (and Nuclear before them). By the end of 2016, while overall volume has gone down, most exploit kit activity can be attributed to Meadgive.\n\nMeadgive has been around since March 2014. Attackers who use Meadgive typically inject a malicious script island into compromised websites. When the compromised site is accessed, the malicious script, which is usually obfuscated, loads the exploit. Recently, Meadgive has primarily used an exploit for the Adobe Flash vulnerability CVE-2015-8651 that executes a JavaScript file, which then downloads an encrypted PE file.\n\nEven with the decreased activity, exploit kits continue to be a global threat, having been observed in more than 200 countries in 2016. They affect the following territories the most:\n\n 1. United States\n 2. Canada\n 3. Japan\n 4. United Kingdom\n 5. France\n 6. Italy\n 7. Germany\n 8. Taiwan\n 9. Spain\n 10. Republic of Korea\n\n\n\n_Figure 2. Geographic distribution of exploit kit encounters_\n\n## Exploit kits in the ransomware trail\n\nAs exploit kits have become reliable means to deliver malware, it is not surprising that ransomware, currently the most prevalent malware, continue to use them as launch pads for infection.\n\nMeadgive, for instance, is known for delivering one of the most active ransomware in 2016. As late as December 2016, we documented new [Cerber](<https://blogs.technet.microsoft.com/mmpc/tag/cerber/>) ransomware versions being delivered through a [Meadgive exploit kit campaign](<https://blogs.technet.microsoft.com/mmpc/2016/12/21/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close/>), on top of a concurrent spam campaign.\n\nNeutrino, which temporarily dominated in 2016, is associated with another prominent ransomware family. Like Cerber, [Locky](<https://blogs.technet.microsoft.com/mmpc/tag/locky/>) also uses both exploit kits and spam email as vectors. With the decreased activity from Neutrino, we\u2019re seeing Locky being distributed more and more through spam campaigns.\n\n**Top malware families associated with exploit kits**\n\n**Malware family** | **Related exploit kit family** \n---|--- \n[Backdoor:Win32/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Backdoor:Win64/Bedep](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bedep>) | Axpergle (Angler) \n[Ransom:Win32/Cerber](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Cerber>) | Meadgive (RIG) \n[Ransom:Win32/Locky](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky>) | Neutrino \n[Trojan:Win32/Derbit](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Derbit.A>) | SundownEK \n \n## Integrating exploits at a slower rate\n\nWhile exploit kits rely on exploits for patched vulnerabilities, they also continually update their arsenal with newer exploits in the hope of casting bigger nets. This also allows them to take advantage of the window of opportunity between the release of a security fix and the time it is actually applied by users. Notably, the rate with which exploit kits integrate exploits for newly disclosed vulnerabilities is lower than in previous years.\n\nOf the major exploits used by kits in 2016, one is relatively old\u2014an exploit for a Microsoft Internet Explorer bug that was disclosed and patched back in 2014 (CVE-2014-6332). Four major kits use an exploit for the Adobe Flash vulnerability CVE-2015-8651, which was patched back in 2015.\n\nThree exploits disclosed in 2016 were seen in exploit kits, showing that operators still attempt continually improve their tools. One of these is a zero-day exploit for Adobe Flash (CVE-2016-1019) used by Pangimop at least five days before it was patched. However, this particular zero-day is a \u201cdegraded\u201d exploit, which means that it worked only on older versions of Adobe Flash. The exploit did not affect the latest version of the software at the time, because Adobe previously introduced stronger exploit mitigation, which Microsoft helped build.\n\n**Major exploits used by exploit kits**\n\n**Exploit** | **Targeted Product ** | ** Exploit kit** | **Date patched** | **Date first seen in exploit kit** \n---|---|---|---|--- \nCVE-2014-6332 | Microsoft Internet Explorer (OLE) | NeutrinoEK | November 11, 2014 ([MS14-064](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx?f=255&MSPPError=-2147217396>)) | November 19, 2014 \nCVE-2015-8651 | Adobe Flash | Axpergle, NeutrinoEK, Meadgive, SteganoEK | December 28, 2015 ([APSB16-01](<https://helpx.adobe.com/security/products/flash-player/apsb16-01.html>)_)_ | December 28, 2015 \nCVE-2016-0189 | Microsoft Internet Explorer | NeutrinoEK | May 10, 2016 ([MS16-051](<https://technet.microsoft.com/en-us/library/security/ms16-051.aspx>)) | July 14, 2016 \nCVE-2016-1019 | Adobe Flash | Pangimop, NeutrinoEK | April 7, 2016 ([ASPB16-10](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>)_)_ | April 2, 2016 (zero-day) \nCVE-2016-4117 | Adobe Flash | NeutrinoEK | May 12, 2016 ([ASPB16-15](<https://helpx.adobe.com/security/products/flash-player/apsb16-15.html>)_)_ | May 21, 2016 \n \nWe did not see exploit kits targeting Microsoft\u2019s newest and most secure browser, Microsoft Edge, in 2016. Only a few days into the new year, however, SundownEK was updated to include an exploit for an old vulnerability that was patched a couple of months prior. Microsoft Edge applies patches automatically by default, rendering the exploit ineffective.\n\nIt was also SundownEK that integrated steganography in late 2016. Steganography, a technique that is not new but getting more popular with cybercriminals, hides information like malicious code or encryption keys in images.\n\nInstead of loading the exploit directly from a landing page, SundownEK downloads an image that contains the exploit code. This method is employed to avoid detection.\n\n## Stopping exploit kits with updates and a secure platform\n\nWhile we see a willingness among cybercriminals to switch from exploit kits to spam and other vectors, there is a clear desire to continue using kits. We see cybercriminals switch from one kit to another, replacing kits as they become unavailable. Meanwhile, exploit kit authors continue to keep their wares attractive to cybercriminals by incorporating new exploits.\n\nKeeping browsers and other software up-to-date can counter the impact of exploit kits. [Microsoft Edge](<https://technet.microsoft.com/itpro/microsoft-edge/index>) is a secure browser that gets updated automatically by default. It also has multiple built-in [defenses](<https://microsoft.sharepoint.com/teams/osg_core_dcp/cpub/partner/antimalware/Shared Documents/8438038_RS2_Blogs/2016 in Review series/-%09https:/www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) against exploit kits that attempt to download and install malware. These defenses include on-by-default sandboxing and state of the art exploit mitigation technologies. Additionally, [Microsoft SmartScreen](<https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/#3FYqD02TC1A6VsaL.97>), which is used in both Microsoft Edge and Internet Explorer 11, blocks malicious pages, such as landing pages used by exploit kits.\n\nAt the same time, running a secure platform like Windows 10 enables users to benefit from advanced security features.\n\n[Windows Defender](<https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10>) uses IExtensionValidation (IEV) in Microsoft Internet Explorer 11 to detect exploits used by exploit kits. Windows Defender can also detect the malware that exploit kits attempt to download and execute.\n\nWindows 10 Enterprise includes [Device Guard](<https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide>), which can lock down devices and provide kernel-level virtualization based security.\n\n[Windows Defender Advanced Threat Protection](<http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp>) alerts security operation teams about suspicious activities, including exploitation of vulnerabilities and the presence of malware, allowing them to detect, investigate, and respond to attacks.\n\n \n\n_MMPC_\n\n \n\n## Related blog entries:\n\n * [World Backup Day is as good as any to back up your data](<https://blogs.technet.microsoft.com/mmpc/2017/03/28/world-backup-day-is-as-good-as-any-to-back-up-your-data/>)\n * [Ransomware: a declining nuisance or an evolving menace?](<https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-landscape-review/>)\n * [Averting ransomware epidemics in corporate networks with Windows Defender ATP](<https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/>)", "published": "2017-01-23T22:37:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/23/exploit-kits-remain-a-cybercrime-staple-against-outdated-software-2016-threat-landscape-review-series/", "cvelist": ["CVE-2016-1019", "CVE-2014-6332", "CVE-2016-0189", "CVE-2016-4117", "CVE-2015-8651"], "lastseen": "2017-06-30T15:02:20"}], "gentoo": [{"id": "GLSA-201606-08", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \"www-plugins/adobe-flash-11.2.202.626\"", "published": "2016-06-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201606-08", "cvelist": ["CVE-2016-4171", "CVE-2016-4121", "CVE-2016-4120", "CVE-2016-1019", "CVE-2016-4117", "CVE-2016-4163", "CVE-2016-4160", "CVE-2016-4162", "CVE-2016-4161"], "lastseen": "2016-09-06T19:46:34"}], "kaspersky": [{"id": "KLA10782", "type": "kaspersky", "title": "\r KLA10782Obsolete Flash Player version in Microsoft Internet Explorer and Microsoft Edge\t\t\t ", "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n04/12/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMicrosoft released update to address vulnerabilities in Flash Player for Internet explorer and Microsoft Edge. For details look at KLA10780. \n\n### *Affected products*:\nAdobe Flash Player for Internet Explorer and Microsoft Edge versions earlier than 21.0.0.197\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS16-050](<https://technet.microsoft.com/en-us/library/security/MS16-050>) \n[ADV160001](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV160001>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2016-1018](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1018>) \n[CVE-2016-1017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1017>) \n[CVE-2016-1016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1016>) \n[CVE-2016-1015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1015>) \n[CVE-2016-1014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1014>) \n[CVE-2016-1013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1013>) \n[CVE-2016-1012](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1012>) \n[CVE-2016-1011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1011>) \n[CVE-2016-1006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1006>) \n[CVE-2016-1019](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1019>) \n\n\n### *Microsoft official advisories*:\n[MS16-050](<https://technet.microsoft.com/en-us/library/security/MS16-050>)\n\n### *KB list*:\n[3154132](<http://support.microsoft.com/kb/3154132>)", "published": "2016-04-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10782", "cvelist": ["CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1012", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2018-03-30T14:11:49"}, {"id": "KLA10780", "type": "kaspersky", "title": "\r KLA10780Multiple vulnerabilities in Adobe Flash Player\t\t\t ", "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n04/07/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Adobe Flash Player. Malicious users can exploit these vulnerabilities to execute arbitrary code or bypass security restrictions.\n\n### *Affected products*:\nAdobe Flash Player versions earlier than 21.0.0.213 \nAdobe Flash Player ESR versions earlier than 18.0.0.343 \nAdobe Flash Player for Linux versions earlier than 11.2.202.616\n\n### *Solution*:\nUpdate to the latest version. \n[Get Flash Player](<https://get.adobe.com/flashplayer/>)\n\n### *Original advisories*:\n[Adobe Security Advisory](<https://helpx.adobe.com/security/products/flash-player/apsa16-01.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Flash Player PPAPI](<https://threats.kaspersky.com/en/product/Adobe-Flash-Player-PPAPI/>)\n\n### *CVE-IDS*:\n[CVE-2016-1020](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1020>) \n[CVE-2016-1018](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1018>) \n[CVE-2016-1017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1017>) \n[CVE-2016-1016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1016>) \n[CVE-2016-1015](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1015>) \n[CVE-2016-1014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1014>) \n[CVE-2016-1013](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1013>) \n[CVE-2016-1012](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1012>) \n[CVE-2016-1011](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1011>) \n[CVE-2016-1006](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1006>) \n[CVE-2016-1021](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1021>) \n[CVE-2016-1022](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1022>) \n[CVE-2016-1023](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1023>) \n[CVE-2016-1024](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1024>) \n[CVE-2016-1025](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1025>) \n[CVE-2016-1026](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1026>) \n[CVE-2016-1027](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1027>) \n[CVE-2016-1028](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1028>) \n[CVE-2016-1029](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1029>) \n[CVE-2016-1030](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1030>) \n[CVE-2016-1031](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1031>) \n[CVE-2016-1032](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1032>) \n[CVE-2016-1033](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1033>) \n[CVE-2016-1019](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1019>)", "published": "2016-04-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10780", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2018-03-30T14:10:43"}, {"id": "KLA10634", "type": "kaspersky", "title": "\r KLA10634Multiple vulnerabilities in Microsoft Internet Explorer\t\t\t ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n07/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Internet Explorer. Malicious users can exploit these vulnerabilities to read local files, cause denial of service, bypass security restrictions, execute arbitrary code, gain privileges or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Internet Explorer versions from 8 through 11\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-065](<https://technet.microsoft.com/en-us/library/security/MS15-065>) \n\n\n### *Impacts*:\nRLF \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2015-1767](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1767>) \n[CVE-2015-2383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2383>) \n[CVE-2015-2385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2385>) \n[CVE-2015-2384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2384>) \n[CVE-2015-2389](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2389>) \n[CVE-2015-2388](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2388>) \n[CVE-2015-2406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2406>) \n[CVE-2015-2404](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2404>) \n[CVE-2015-2402](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2402>) \n[CVE-2015-2403](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2403>) \n[CVE-2015-2401](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2401>) \n[CVE-2015-2408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2408>) \n[CVE-2015-1738](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1738>) \n[CVE-2015-1733](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1733>) \n[CVE-2015-2390](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2390>) \n[CVE-2015-2391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2391>) \n[CVE-2015-2397](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2397>) \n[CVE-2015-2398](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2398>) \n[CVE-2015-2414](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2414>) \n[CVE-2015-2411](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2411>) \n[CVE-2015-2410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2410>) \n[CVE-2015-2413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2413>) \n[CVE-2015-2412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2412>) \n[CVE-2015-1729](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1729>) \n[CVE-2015-2372](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2372>) \n[CVE-2015-2419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2419>) \n[CVE-2015-2421](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2421>) \n[CVE-2015-2422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2422>) \n[CVE-2015-2425](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2425>) \n\n\n### *Microsoft official advisories*:\n[MS15-065](<https://technet.microsoft.com/en-us/library/security/MS15-065>)\n\n### *KB list*:\n[3065822](<http://support.microsoft.com/kb/3065822>) \n[3072604](<http://support.microsoft.com/kb/3072604>) \n[3076321](<http://support.microsoft.com/kb/3076321>)", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10634", "cvelist": ["CVE-2015-1767", "CVE-2015-2401", "CVE-2015-2385", "CVE-2015-2422", "CVE-2015-1738", "CVE-2015-2391", "CVE-2015-2414", "CVE-2015-2383", "CVE-2015-2408", "CVE-2015-2413", "CVE-2015-1729", "CVE-2015-2404", "CVE-2015-2403", "CVE-2015-2410", "CVE-2015-2402", "CVE-2015-2419", "CVE-2015-2390", "CVE-2015-2397", "CVE-2015-2388", "CVE-2015-2398", "CVE-2015-2425", "CVE-2015-2411", "CVE-2015-1733", "CVE-2015-2412", "CVE-2015-2372", "CVE-2015-2384", "CVE-2015-2406", "CVE-2015-2421", "CVE-2015-2389"], "lastseen": "2018-03-30T14:10:53"}], "freebsd": [{"id": "07888B49-35C4-11E6-8E82-002590263BF5", "type": "freebsd", "title": "flash -- multiple vulnerabilities", "description": "\nAdobe reports:\n\nThese updates harden a mitigation against JIT spraying attacks that\n\t could be used to bypass memory layout randomization mitigations\n\t (CVE-2016-1006).\nThese updates resolve type confusion vulnerabilities that could\n\t lead to code execution (CVE-2016-1015, CVE-2016-1019).\nThese updates resolve use-after-free vulnerabilities that could\n\t lead to code execution (CVE-2016-1011, CVE-2016-1013, CVE-2016-1016,\n\t CVE-2016-1017, CVE-2016-1031).\nThese updates resolve memory corruption vulnerabilities that could\n\t lead to code execution (CVE-2016-1012, CVE-2016-1020, CVE-2016-1021,\n\t CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025,\n\t CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029,\n\t CVE-2016-1032, CVE-2016-1033).\nThese updates resolve a stack overflow vulnerability that could\n\t lead to code execution (CVE-2016-1018).\nThese updates resolve a security bypass vulnerability\n\t (CVE-2016-1030).\nThese updates resolve a vulnerability in the directory search path\n\t used to find resources that could lead to code execution\n\t (CVE-2016-1014).\n\n", "published": "2016-04-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/07888b49-35c4-11e6-8e82-002590263bf5.html", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2016-09-26T17:24:04"}], "archlinux": [{"id": "ASA-201604-7", "type": "archlinux", "title": "flashplugin: multiple issues", "description": "- CVE-2016-1006 (JIT spraying mitigation bypass)\n\nThese updates harden a mitigation against JIT spraying attacks that\ncould be used to bypass memory layout randomization mitigations.\n\n- CVE-2016-1015 CVE-2016-1019 (arbitrary code execution)\n\nThese updates resolve type confusion vulnerabilities that could lead to\ncode execution.\n\n- CVE-2016-1011 CVE-2016-1013 CVE-2016-1016 CVE-2016-1017 CVE-2016-1031\n (arbitrary code execution)\n\nThese updates resolve use-after-free vulnerabilities that could lead to\ncode execution.\n\n- CVE-2016-1012 CVE-2016-1020 CVE-2016-1021 CVE-2016-1022 CVE-2016-1023\n CVE-2016-1024 CVE-2016-1025 CVE-2016-1026 CVE-2016-1027 CVE-2016-1028\n CVE-2016-1029 CVE-2016-1032 CVE-2016-1033 (arbitrary code execution)\n\nThese updates resolve memory corruption vulnerabilities that could lead\nto code execution.\n\n- CVE-2016-1018 (arbitrary code execution)\n\nThese updates resolve a stack overflow vulnerability that could lead to\ncode execution.\n\n- CVE-2016-1030 (sandbox restriction bypass)\n\nThese updates resolve a security bypass vulnerability.\n\n- CVE-2016-1014 (arbitrary code execution)\n\nThese updates resolve a vulnerability in the directory search path used\nto find resources that could lead to code execution.", "published": "2016-04-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-April/000599.html", "cvelist": ["CVE-2016-1030", "CVE-2016-1020", "CVE-2016-1022", "CVE-2016-1026", "CVE-2016-1021", "CVE-2016-1019", "CVE-2016-1018", "CVE-2016-1013", "CVE-2016-1006", "CVE-2016-1023", "CVE-2016-1012", "CVE-2016-1033", "CVE-2016-1031", "CVE-2016-1029", "CVE-2016-1032", "CVE-2016-1028", "CVE-2016-1027", "CVE-2016-1014", "CVE-2016-1017", "CVE-2016-1011", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1016", "CVE-2016-1015"], "lastseen": "2016-09-02T18:44:42"}], "redhat": [{"id": "RHSA-2016:0610", "type": "redhat", "title": "(RHSA-2016:0610) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update upgrades Flash Player to version 11.2.202.616.\n\nSecurity Fix(es):\n\n* This update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities, detailed in the Adobe Security Bulletin listed in the\nReferences section, could allow an attacker to create a specially crafted SWF\nfile that would cause flash-plugin to crash, execute arbitrary code, or disclose\nsensitive information when the victim loaded a page containing the malicious SWF\ncontent. (CVE-2016-1006, CVE-2016-1011, CVE-2016-1012, CVE-2016-1013,\nCVE-2016-1014, CVE-2016-1015, CVE-2016-1016, CVE-2016-1017, CVE-2016-1018,\nCVE-2016-1019, CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023,\nCVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028,\nCVE-2016-1029, CVE-2016-1030, CVE-2016-1031, CVE-2016-1032, CVE-2016-1033)\n", "published": "2016-04-08T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:0610", "cvelist": ["CVE-2016-1006", "CVE-2016-1011", "CVE-2016-1012", "CVE-2016-1013", "CVE-2016-1014", "CVE-2016-1015", "CVE-2016-1016", "CVE-2016-1017", "CVE-2016-1018", "CVE-2016-1019", "CVE-2016-1020", "CVE-2016-1021", "CVE-2016-1022", "CVE-2016-1023", "CVE-2016-1024", "CVE-2016-1025", "CVE-2016-1026", "CVE-2016-1027", "CVE-2016-1028", "CVE-2016-1029", "CVE-2016-1030", "CVE-2016-1031", "CVE-2016-1032", "CVE-2016-1033"], "lastseen": "2017-09-09T07:19:58"}], "symantec": [{"id": "SMNTC-75661", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2015-2419 JScript9 Remote Code Execution Vulnerability", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks may cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot 5.1.0 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nSince a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2015-07-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75661", "cvelist": ["CVE-2015-2419"], "lastseen": "2018-03-13T22:14:28"}], "exploitdb": [{"id": "EDB-ID:44743", "type": "exploitdb", "title": "Microsoft Internet Explorer 11 - javascript Code Execution", "description": "Microsoft Internet Explorer 11 - javascript Code Execution. CVE-2015-2419. Local exploit for Windows platform", "published": "2016-02-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/44743/", "cvelist": ["CVE-2015-2419"], "lastseen": "2018-05-24T14:25:39"}], "zdt": [{"id": "1337DAY-ID-30433", "type": "zdt", "title": "Microsoft Internet Explorer 11 #InternetExplorer #IE - javascript Code Execution Exploit", "description": "Exploit for windows platform in category local exploits", "published": "2018-05-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://0day.today/exploit/description/30433", "cvelist": ["CVE-2015-2419"], "lastseen": "2018-05-24T18:03:27"}], "malwarebytes": [{"id": "MALWAREBYTES:97E85AF6235DC2739548158FE583610A", "type": "malwarebytes", "title": "RIG exploit kit distributes Princess ransomware", "description": "We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads.\n\nWe had [analyzed ](<https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/>)the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber's onion page, the actual code was much different. A [new payment page](<https://twitter.com/campuscodi/status/900434464341463043>) seemed to have been seen in underground forums and is now being used with attacks in the wild.\n\n### From hacked site to RIG EK\n\nWe are not so accustomed to witnessing compromised websites pushing exploit kits these days. Indeed, some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from legitimate publishers and malvertising.\n\nYet, here we observed an iframe injection which redirected from the hacked site to a temporary gate distinct from the well-known \"Seamless gate\" which has been dropping copious amounts of the Ramnit Trojan.\n\n\n\nThe ultimate call to the RIG exploit kit landing page is done via a standard 302 redirect leading to one of several Internet Explorer ([CVE-2013-2551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551>), [CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>), [CVE-2015-2419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2419>), [CVE-2016-0189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189>)) or Flash Player ([CVE-2015-8651](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8651>)) vulnerabilities.\n\n### Princess ransomware\n\nOnce the exploitation phase is successful, RIG downloads and runs the Princess Ransomware. The infected user will notice that their files are encrypted and display a new extension. The ransom note is called **__USE_TO_REPAIR_[a-zA-Z0-9].html_** where [a-zA-Z0-9] is a random identifier.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2017/08/ransom.png> \"\" )\n\nThe payment page can be accessed via several provided links including a '_.onion_' one. Attackers are asking for 0.0770 BTC, which is about $367 at the time of writing.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2017/08/BTC.png> \"\" )\n\n### Down but still kicking\n\nThe exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely. Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers.\n\nWe will update this post with additional information about Princess Locker if there is anything noteworthy to add.\n\n### Indicators of compromise\n\nRIG EK gate:\n \n \n 185.198.164.152\n\nRIG EK IP address:\n \n \n 188.225.84.28\n\nPrincessLocker binary:\n \n \n c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7\n\nPrincessLocker payment page:\n \n \n royall6qpvndxlsj[.]onion\n\nThe post [RIG exploit kit distributes Princess ransomware](<https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "published": "2017-08-31T20:04:32", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/", "cvelist": ["CVE-2013-2551", "CVE-2014-6332", "CVE-2015-2419", "CVE-2015-8651", "CVE-2016-0189"], "lastseen": "2017-08-31T23:10:36"}]}}